- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Windows native VPN
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Windows native VPN
Hello,
We have a use case in which we need to use the native Windows VPN client to connect to the Fortigate. I was able to successfully configure the VPN gateway and device tunnel. However, the issue now is that the Windows native client defaults to weak cryptography using DH group 2. If I try to specify anything stronger, it breaks the VPN connection.
I would like to add the following to my profile.xml file. When I add these lines, the VPN immediately disconnects and the only way to reconnect is to remove these lines and regenerate the device tunnel.
<CryptographySuite>
<CipherTransformConstants>AES256</CipherTransformConstants>
<EncryptionMethod>AES256</EncryptionMethod>
<IntegrityCheckMethod>SHA384</IntegrityCheckMethod>
<DHGroup>Group14</DHGroup>
<PfsGroup>PFS2048</PfsGroup>
<AuthenticationTransformConstants>SHA256128</AuthenticationTransformConstants>
For reference, I have these set up, respectively:
Phase 1:
aes256-sha512
aes256-sha384
DH groups 14 & 2
Phase 2:
aes256-sha1
aes256-sha384
aes256-sha256
Labels:
- Labels:
-
FortiGate
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Brian,
if you can change the DH group and other settings that'd be best. FGT will accept much stronger ciphers, however whatever the client offers and the server - one set of ciphers must match on both client and server.
Example on my device:
set proposal aes256gcm-prfsha256
set dhgrp 21
Best regards,
Markus
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you, but I have triple checked and confirmed there are matching proposals on both sides. If there was a mismatch, I would have found it by now. The VPN appears to disconnect if I specify any settings at all.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I believe I found the solution though I cannot pinpoint exactly what I did. After trying various combinations of settings for hours, I was able to get it to connect using DH group 14 and AES256 encryption. It seemed to come online after I enabled Group 14 on PFS. Ironically it now seems that PFS is the only thing not working correctly as I see this entry in the Fortigate debug log: PFS is disabled.
As said above, I have enabled DH group 14 on PFS for phase 2. However the native Windows client only has these options available.
PFS1
PFS2
PFS2048
ECP256
ECP384
PFSMM
PFS24
Does anyone know which DH groups these correspond to? I would have thought PFS2048 is DH group 14 but it is not working correctly.
Thanks again.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Brian,
glad it got better at least. For reference I collected this over time in my IT pile:
| Diffie-hellman groups | Modulus |
| Diffie-Hellman Group 1 | 768-bit MODP group |
| Diffie-Hellman Group 2 | 1024-bit MODP group |
| Diffie-Hellman Group 5 | 1536-bit MODP group |
| Diffie-Hellman Group 14 | 2048-bit MODP group |
| Diffie-Hellman Group 15 | 3072-bit MODP group |
| Diffie-Hellman Group 16 | 4096-bit MODP Group |
| Diffie-Hellman Group 17 | 6144-bit MODP Group |
| Diffie-Hellman Group 18 | 8192-bit MODP Group |
| Diffie-Hellman Group 19 | 256-bit elliptic curve group |
| Diffie-Hellman Group 20 | 384-bit elliptic curve group |
| Diffie-Hellman Group 24 | 2048-bit, 256 bit subgroup |
FortiGate debug will help you to translate what the client is offering so you can guess better what you want to set.
Debug on the FortiGate console is as follows:
diag debug console timestamp enable
diag debug app ike -1
diag debug enable
Then connect again.
Best regards,
Markus
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The ike debug will tell you if it has a problem with the proposals, so please post that output.
Example on my lab:
ike 0:forti.lab-VPN:422:forti.lab-VPN:234003: responder selectors 0:192.168.40.8:0->0:0.0.0.0/0.0.0.0:0
ike 0:forti.lab-VPN:422:forti.lab-VPN:234003: my proposal:
ike 0:forti.lab-VPN:422:forti.lab-VPN:234003: proposal id = 1:
ike 0:forti.lab-VPN:422:forti.lab-VPN:234003: protocol id = IPSEC_ESP:
ike 0:forti.lab-VPN:422:forti.lab-VPN:234003: PFS DH group = 14
ike 0:forti.lab-VPN:422:forti.lab-VPN:234003: trans_id = ESP_AES_CBC (key_len = 128)
ike 0:forti.lab-VPN:422:forti.lab-VPN:234003: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:forti.lab-VPN:422:forti.lab-VPN:234003: type = AUTH_ALG, val=SHA1
ike 0:forti.lab-VPN:422:forti.lab-VPN:234003: trans_id = ESP_3DES
ike 0:forti.lab-VPN:422:forti.lab-VPN:234003: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:forti.lab-VPN:422:forti.lab-VPN:234003: type = AUTH_ALG, val=SHA1
ike 0:forti.lab-VPN:422:forti.lab-VPN:234003: incoming proposal:
ike 0:forti.lab-VPN:422:forti.lab-VPN:234003: proposal id = 1:
ike 0:forti.lab-VPN:422:forti.lab-VPN:234003: protocol id = IPSEC_ESP:
ike 0:forti.lab-VPN:422:forti.lab-VPN:234003: PFS DH group = 14
ike 0:forti.lab-VPN:422:forti.lab-VPN:234003: trans_id = ESP_AES_CBC (key_len = 128)
ike 0:forti.lab-VPN:422:forti.lab-VPN:234003: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:forti.lab-VPN:422:forti.lab-VPN:234003: type = AUTH_ALG, val=SHA1
Best regards,
Markus
Related Posts
Labels
-
FortiGate
6,599 -
FortiClient
1,315 -
5.2
801 -
5.4
639 -
FortiManager
570 -
FortiAnalyzer
417 -
6.0
416 -
5.6
362 -
FortiSwitch
338 -
FortiAP
337 -
FortiClient EMS
269 -
6.2
251 -
FortiMail
248 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
151 -
6.4
128 -
FortiNAC
108 -
FortiGuard
102 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
73 -
FortiToken
72 -
Customer Service
70 -
4.0MR3
64 -
SSL-VPN
63 -
Wireless Controller
58 -
FortiProxy
45 -
FortiADC
44 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
32 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
26 -
Firewall policy
25 -
FortiConnect
24 -
FortiWAN
22 -
VLAN
21 -
High Availability
21 -
FortiConverter
21 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiAuthenticator
16 -
FortiMonitor
14 -
SAML
14 -
Certificate
14 -
DNS
13 -
Interface
13 -
FortiDDoS
13 -
BGP
12 -
FortiGate v5.0
12 -
Routing
12 -
FortiCASB
12 -
LDAP
11 -
VDOM
11 -
Logging
11 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
fortilink
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
SSO
6 -
Application control
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
WAN optimization
4 -
Automation
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
Port policy
4 -
FortiScan
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
Fortinet Engage Partner Program
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
VoIP profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
System settings
2 -
4.0MR1
1 -
TACACS
1 -
Users
1 -
Replacement messages
1 -
Schedule
1 -
Subscription Renewal Policy
1 -
SDN connector
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Multicast routing
1 -
Zone
1 -
Explicit proxy
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.