Hello,
We have a use case in which we need to use the native Windows VPN client to connect to the Fortigate. I was able to successfully configure the VPN gateway and device tunnel. However, the issue now is that the Windows native client defaults to weak cryptography using DH group 2. If I try to specify anything stronger, it breaks the VPN connection.
I would like to add the following to my profile.xml file. When I add these lines, the VPN immediately disconnects and the only way to reconnect is to remove these lines and regenerate the device tunnel.
<CryptographySuite>
<CipherTransformConstants>AES256</CipherTransformConstants>
<EncryptionMethod>AES256</EncryptionMethod>
<IntegrityCheckMethod>SHA384</IntegrityCheckMethod>
<DHGroup>Group14</DHGroup>
<PfsGroup>PFS2048</PfsGroup>
<AuthenticationTransformConstants>SHA256128</AuthenticationTransformConstants>
For reference, I have these set up, respectively:
Phase 1:
aes256-sha512
aes256-sha384
DH groups 14 & 2
Phase 2:
aes256-sha1
aes256-sha384
aes256-sha256
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hey Brian,
if you can change the DH group and other settings that'd be best. FGT will accept much stronger ciphers, however whatever the client offers and the server - one set of ciphers must match on both client and server.
Example on my device:
set proposal aes256gcm-prfsha256
set dhgrp 21
Best regards,
Markus
Thank you, but I have triple checked and confirmed there are matching proposals on both sides. If there was a mismatch, I would have found it by now. The VPN appears to disconnect if I specify any settings at all.
I believe I found the solution though I cannot pinpoint exactly what I did. After trying various combinations of settings for hours, I was able to get it to connect using DH group 14 and AES256 encryption. It seemed to come online after I enabled Group 14 on PFS. Ironically it now seems that PFS is the only thing not working correctly as I see this entry in the Fortigate debug log: PFS is disabled.
As said above, I have enabled DH group 14 on PFS for phase 2. However the native Windows client only has these options available.
PFS1
PFS2
PFS2048
ECP256
ECP384
PFSMM
PFS24
Does anyone know which DH groups these correspond to? I would have thought PFS2048 is DH group 14 but it is not working correctly.
Thanks again.
Hi Brian,
glad it got better at least. For reference I collected this over time in my IT pile:
Diffie-hellman groups | Modulus |
Diffie-Hellman Group 1 | 768-bit MODP group |
Diffie-Hellman Group 2 | 1024-bit MODP group |
Diffie-Hellman Group 5 | 1536-bit MODP group |
Diffie-Hellman Group 14 | 2048-bit MODP group |
Diffie-Hellman Group 15 | 3072-bit MODP group |
Diffie-Hellman Group 16 | 4096-bit MODP Group |
Diffie-Hellman Group 17 | 6144-bit MODP Group |
Diffie-Hellman Group 18 | 8192-bit MODP Group |
Diffie-Hellman Group 19 | 256-bit elliptic curve group |
Diffie-Hellman Group 20 | 384-bit elliptic curve group |
Diffie-Hellman Group 24 | 2048-bit, 256 bit subgroup |
FortiGate debug will help you to translate what the client is offering so you can guess better what you want to set.
Debug on the FortiGate console is as follows:
diag debug console timestamp enable
diag debug app ike -1
diag debug enable
Then connect again.
Best regards,
Markus
The ike debug will tell you if it has a problem with the proposals, so please post that output.
Example on my lab:
ike 0:forti.lab-VPN:422:forti.lab-VPN:234003: responder selectors 0:192.168.40.8:0->0:0.0.0.0/0.0.0.0:0
ike 0:forti.lab-VPN:422:forti.lab-VPN:234003: my proposal:
ike 0:forti.lab-VPN:422:forti.lab-VPN:234003: proposal id = 1:
ike 0:forti.lab-VPN:422:forti.lab-VPN:234003: protocol id = IPSEC_ESP:
ike 0:forti.lab-VPN:422:forti.lab-VPN:234003: PFS DH group = 14
ike 0:forti.lab-VPN:422:forti.lab-VPN:234003: trans_id = ESP_AES_CBC (key_len = 128)
ike 0:forti.lab-VPN:422:forti.lab-VPN:234003: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:forti.lab-VPN:422:forti.lab-VPN:234003: type = AUTH_ALG, val=SHA1
ike 0:forti.lab-VPN:422:forti.lab-VPN:234003: trans_id = ESP_3DES
ike 0:forti.lab-VPN:422:forti.lab-VPN:234003: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:forti.lab-VPN:422:forti.lab-VPN:234003: type = AUTH_ALG, val=SHA1
ike 0:forti.lab-VPN:422:forti.lab-VPN:234003: incoming proposal:
ike 0:forti.lab-VPN:422:forti.lab-VPN:234003: proposal id = 1:
ike 0:forti.lab-VPN:422:forti.lab-VPN:234003: protocol id = IPSEC_ESP:
ike 0:forti.lab-VPN:422:forti.lab-VPN:234003: PFS DH group = 14
ike 0:forti.lab-VPN:422:forti.lab-VPN:234003: trans_id = ESP_AES_CBC (key_len = 128)
ike 0:forti.lab-VPN:422:forti.lab-VPN:234003: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:forti.lab-VPN:422:forti.lab-VPN:234003: type = AUTH_ALG, val=SHA1
Best regards,
Markus
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1634 | |
1063 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.