Wednesday, March 26, 2025

Remote access IPsec VPN tunnel connection between FortiGate firewall and native Windows VPN client fails to establish


Problem summary

I'm trying to set up a remote access IPsec IKEv2 VPN between a FortiGate firewall (FortiOS v7.2.8) and a native Windows VPN client with certificate based authentication.

I've gone through several tutorials but can't get the tunnel up and running. Also, Fortinet customer support doesn't provide assistance if the configuration has never worked before.

Here is a simple network diagram of what I'm trying to achieve:

VPN Network diagram


Steps undertaken

These are the main configuration steps I've followed so far. I give more details later.

  • Generate the server and user certificates and sign them using the certification authority

  • Configure the IPsec VPN tunnel

  • Configure the native Windows VPN client

  • Add a firewall policy on the firewall to allow traffic

However, when trying to connect from the Windows client, I get the following error message:

Can't connect to TEST

IKE authentication credentials are unacceptable

Here you can see the logs that appear on the FortiGate right after a connection is attempted (I replaced the long strings of hexadecimal characters with dots):

FortiGate # diagnose debug application ike -1
Debug messages will be on for 23 minutes.

FortiGate # diagnose debug application fnbamd -1
Debug messages will be on for 23 minutes.

FortiGate # diagnose debug enable

FortiGate # ike 0: comes :500->:500,ifindex=23,vrf=0....
ike 0: IKEv2 exchange=SA_INIT id=ac35988f5bf4df3b/0000000000000000 len=544
ike 0: in AC35988........A5100000002
ike 0:ac35988f5bf4df3b/0000000000000000:6933: responder received SA_INIT msg
ike 0:ac35988f5bf4df3b/0000000000000000:6933: received notify type FRAGMENTATION_SUPPORTED
ike 0:ac35988f5bf4df3b/0000000000000000:6933: received notify type NAT_DETECTION_SOURCE_IP
ike 0:ac35988f5bf4df3b/0000000000000000:6933: received notify type NAT_DETECTION_DESTINATION_IP
ike 0:ac35988f5bf4df3b/0000000000000000:6933: VID MS NT5 ISAKMPOAKLEY 1E2B516905991C7D7C96FCBFB587E46100000009
ike 0:ac35988f5bf4df3b/0000000000000000:6933: VID unknown (16): FB1DE3CDF341B7EA16B7E5BE0855F120
ike 0:ac35988f5bf4df3b/0000000000000000:6933: VID unknown (16): 26244D38EDDB61B3172A36E3D0CFB819
ike 0:ac35988f5bf4df3b/0000000000000000:6933: VID unknown (20): 01528BBBC00696121849AB9A1C5B2A5100000002
ike 0:ac35988f5bf4df3b/0000000000000000:6933: incoming proposal:
ike 0:ac35988f5bf4df3b/0000000000000000:6933: proposal id = 1:
ike 0:ac35988f5bf4df3b/0000000000000000:6933:   protocol = IKEv2:
ike 0:ac35988f5bf4df3b/0000000000000000:6933:      encapsulation = IKEv2/none
ike 0:ac35988f5bf4df3b/0000000000000000:6933:         type=ENCR, val=AES_CBC (key_len = 256)
ike 0:ac35988f5bf4df3b/0000000000000000:6933:         type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:ac35988f5bf4df3b/0000000000000000:6933:         type=PRF, val=PRF_HMAC_SHA2_256
ike 0:ac35988f5bf4df3b/0000000000000000:6933:         type=DH_GROUP, val=MODP2048.
ike 0:ac35988f5bf4df3b/0000000000000000:6933: matched proposal id 1
ike 0:ac35988f5bf4df3b/0000000000000000:6933: proposal id = 1:
ike 0:ac35988f5bf4df3b/0000000000000000:6933:   protocol = IKEv2:
ike 0:ac35988f5bf4df3b/0000000000000000:6933:      encapsulation = IKEv2/none
ike 0:ac35988f5bf4df3b/0000000000000000:6933:         type=ENCR, val=AES_CBC (key_len = 256)
ike 0:ac35988f5bf4df3b/0000000000000000:6933:         type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:ac35988f5bf4df3b/0000000000000000:6933:         type=PRF, val=PRF_HMAC_SHA2_256
ike 0:ac35988f5bf4df3b/0000000000000000:6933:         type=DH_GROUP, val=MODP2048.
ike 0:ac35988f5bf4df3b/0000000000000000:6933: lifetime=86400
ike 0:ac35988f5bf4df3b/0000000000000000:6933: SA proposal chosen, matched gateway Remote user VPN
ike 0:Remote user VPN: created connection: 0xa221e60 23 ->:500.
ike 0:Remote user VPN:6933: processing notify type NAT_DETECTION_SOURCE_IP
ike 0:Remote user VPN:6933: processing NAT-D payload
ike 0:Remote user VPN:6933: NAT detected: PEER
ike 0:Remote user VPN:6933: process NAT-D
ike 0:Remote user VPN:6933: processing notify type NAT_DETECTION_DESTINATION_IP
ike 0:Remote user VPN:6933: processing NAT-D payload
ike 0:Remote user VPN:6933: NAT detected: PEER
ike 0:Remote user VPN:6933: process NAT-D
ike 0:Remote user VPN:6933: processing notify type FRAGMENTATION_SUPPORTED
ike 0:Remote user VPN:6933: responder preparing SA_INIT msg
ike 0:Remote user VPN:6933: create NAT-D hash local /500 remote /500
ike 0:Remote user VPN:6933: out AC35988F........000402E
ike 0:Remote user VPN:6933: sent IKE msg (SA_INIT_RESPONSE): :500->:500, len=424, vrf=0, id=ac35988f5bf4df3b/e7ee0420726427f8
ike 0:Remote user VPN:6933: IKE SA ac35988f5bf4df3b/e7ee0420726427f8 SK_ei 32:606CFF2771758125FEAF9BE6D834251F6D124BF98E518A839FDA44BB4BE3D5BE
ike 0:Remote user VPN:6933: IKE SA ac35988f5bf4df3b/e7ee0420726427f8 SK_er 32:FE7A05A6F0CA2C63F07BCB4D30D56414FDE27992C064A63BE353131B97875A7D
ike 0:Remote user VPN:6933: IKE SA ac35988f5bf4df3b/e7ee0420726427f8 SK_ai 32:CD9FA84229595E357B8D1FDDF3C28F55564689EB3D089CD8485F248D345CD900
ike 0:Remote user VPN:6933: IKE SA ac35988f5bf4df3b/e7ee0420726427f8 SK_ar 32:DA67F9E25C7D75F19A8D49D5D59A1145FC82812AF7AA15932D246C4858876EB1
ike 0: comes :4500->:4500,ifindex=23,vrf=0....
ike 0: IKEv2 exchange=AUTH id=ac35988f5bf4df3b/e7ee0420726427f8:00000001 len=580
ike 0: in AC35988F........FAEAA4D86C576D
ike 0:Remote user VPN:6933: encrypted fragment 1 of 3 queued
ike 0: comes :4500->:4500,ifindex=23,vrf=0....
ike 0: IKEv2 exchange=AUTH id=ac35988f5bf4df3b/e7ee0420726427f8:00000001 len=580
ike 0: in AC35988F5........B71873EA4
ike 0:Remote user VPN:6933: encrypted fragment 2 of 3 queued
ike 0: comes :4500->:4500,ifindex=23,vrf=0....
ike 0: IKEv2 exchange=AUTH id=ac35988f5bf4df3b/e7ee0420726427f8:00000001 len=420
ike 0: in AC35988F........FCB6C6
ike 0:Remote user VPN:6933: encrypted fragment 3 of 3 queued
ike 0:Remote user VPN:6933: dec AC35988F5B........600743D5
ike 0:Remote user VPN:6933: dec AC35988F5B........8D6C659
ike 0:Remote user VPN:6933: dec AC35988F........FFFFF
ike 0:Remote user VPN:6933: reassembled fragmented message
ike 0:Remote user VPN:6933: responder received AUTH msg
ike 0:Remote user VPN:6933: processing notify type MOBIKE_SUPPORTED
ike 0:Remote user VPN:6933: peer identifier IPV4_ADDR 192.168.3.68
ike 0:Remote user VPN:6933: re-validate gw ID
ike 0:Remote user VPN:6933: gw validation OK
ike 0:Remote user VPN:6933: received peer certreq '0EAC826040562797E52513FC2AE10A539559E4A4'
ike 0:Remote user VPN:6933: received peer certreq 'DDBCBD869C3F07ED40E31B08EFCEC4D188CD3B15'
ike 0:Remote user VPN:6933: received peer certreq '4A5C7522AA46BFA4089D39974EBDB4A360F7A01D'
ike 0:Remote user VPN:6933: received peer certreq '194587AE303611237B915DE583B741F760F273F3'
ike 0:Remote user VPN:6933: received peer certreq '5CB869FE8DEFC1ED6627EEB2120F721BB80A0E04'
ike 0:Remote user VPN:6933: received peer certreq '6A47A267C92E2F19688B9B86616695EDC12C1300'
ike 0:Remote user VPN:6933: received peer certreq '01F0334C1AA1D9EE5B7BA9DE43BC027D570933FB'
ike 0:Remote user VPN:6933: received peer certreq '8BD402B9E47A806F00D33ACBEEB32ECD0D11766A'
ike 0:Remote user VPN:6933: received peer certreq '83317E62854253D6D7783190EC919056E991B9E3'
ike 0:Remote user VPN:6933: received peer certreq '1602DA8D06CB43EE9A8A91A02D88D72BAA72AD07'
ike 0:Remote user VPN:6933: received peer certreq 'CE9614AE0589A62D380FE473F7F26754DC79424D'
ike 0:Remote user VPN:6933: received peer certreq '88A95AEFC084FC1374416BB16332C2CF9259BB3B'
ike 0:Remote user VPN:6933: received peer certreq 'F927B61B0A37F3C31AFA17EC2D461716129D0C0E'
ike 0:Remote user VPN:6933: received peer certreq '344F302D25693191EAF7735CABF5868D378240EC'
ike 0:Remote user VPN:6933: received peer certreq '3EDF290CC1F5CC732CEB3D24E17E52DABD27E2F0'
ike 0:Remote user VPN:6933: received peer certreq 'F2052F9F9FD5A5933C9C6D7192CC457A16D3B7B6'
ike 0:Remote user VPN:6933: received peer certreq 'A46D7AEFA0D823E59DF92AADCEF78C0B679E288F'
ike 0:Remote user VPN:6933: received peer certreq '7C32D485FD890A66B597CE86F4D526A92107E83E'
ike 0:Remote user VPN:6933: received peer certreq '68330E61358521592983A3C8D2D2E1406E7AB3C1'
ike 0:Remote user VPN:6933: received peer certreq '641DF8D50E2331C229B250CB32F56DF55C8E00FA'
ike 0:Remote user VPN:6933: received peer certreq 'BF9EA8468328C1DBA829EE35CB8BA85F52F085D1'
ike 0:Remote user VPN:6933: received peer certreq 'DAED6474149C143CABDD99A9BD5B284D8B3CC9D8'
ike 0:Remote user VPN:6933: received peer certreq '87E3BF322427C1405D2736C381E01D1A71D4A039'
ike 0:Remote user VPN:6933: received peer certreq '5E8C531822601D5671D66AA0CC64A0600743D5A8'
ike 0:Remote user VPN:6933: received peer certreq '8626CB1BC554B39FBD6BED637FB989A980F1F48A'
ike 0:Remote user VPN:6933: received peer certreq 'ED0DC8D62CD31329D882FE2DC3FCC510D34DBB14'
ike 0:Remote user VPN:6933: received peer certreq 'A8E3029670A68B57EBECEFCC294E91749AD49238'
ike 0:Remote user VPN:6933: received peer certreq 'F79319EFDFC1F520FBAC85552CF2D28F5AB9CA0B'
ike 0:Remote user VPN:6933: received peer certreq '30A4E64FDE768AFCED5A9084283046792C291570'
ike 0:Remote user VPN:6933: received peer certreq 'EFE7122486FBA28408E284B17A991D0E550572F9'
ike 0:Remote user VPN:6933: received peer certreq 'C43028C5D3E3080C10448B2C77BA24539760BBF9'
ike 0:Remote user VPN:6933: received peer certreq 'F816513CFD1B449F2E6B28A197221FB81F514E3C'
ike 0:Remote user VPN:6933: received peer certreq '9B10827A95032AB26B73C82F18C92ECAE568C208'
ike 0:Remote user VPN:6933: received peer certreq '69C427DB5969681847E252170AE0E57FAB9DEF0F'
ike 0:Remote user VPN:6933: received peer certreq '87DBD45FB0928D4E1DF81567E7F2ABAFD62B6775'
ike 0:Remote user VPN:6933: received peer certreq 'C53021E4C84BD1A9E9DEE840BA6A169F77928F91'
ike 0:Remote user VPN:6933: received peer certreq '6E584E3375BD57F6D5421B1601C2D8C0F53A9F6E'
ike 0:Remote user VPN:6933: received peer certreq '4A810CDEF0C0900F1906423135A2A28DD344FD08'
ike 0:Remote user VPN:6933: received peer certreq 'D52E13C1ABE349DAE8B49594EF7C3843606466BD'
ike 0:Remote user VPN:6933: received peer certreq 'AB30D3AF4BD8F16B5869EE456929DA84B8739488'
ike 0:Remote user VPN:6933: received peer certreq '687421E97DCF229A80282DDF9720B6749B1668BC'
ike 0:Remote user VPN:6933: received peer certreq 'A59DBF9015D9F1F5A8D8C01D14E6F1D8C4FE5717'
ike 0:Remote user VPN:6933: received peer certreq '07DAA7378C513B15AD74036A652E2E29206E21B7'
ike 0:Remote user VPN:6933: received peer certreq 'E27F7BD877D5DF9E0A3F9EB4CB0E2EA9EFDB6977'
ike 0:Remote user VPN:6933: received peer certreq '7ADD9381569EE04137127BACAA16F0635BC37F3D'
ike 0:Remote user VPN:6933: received peer certreq '5FF3246C8F9124AF9B5F3EB0346AF42D5CA85DCC'
ike 0:Remote user VPN:6933: received peer certreq '70C72F89D8E3B1A6E5DECC3DFF5F2AA122052877'
ike 0:Remote user VPN:6933: received peer certreq 'B181081A19A4C0941FFAE89528C124C99B34ACC7'
ike 0:Remote user VPN:6933: received peer certreq '210F2C89F7C4CD5D1B825E38D6C6593BA69375AE'
ike 0:Remote user VPN:6933: received peer certreq 'BBC23E290BB328771DAD3EA24DBDF423BD06B03D'
ike 0:Remote user VPN:6933: received peer certreq 'C89513680197280A2C55C3FCD390F53A053BC9FB'
ike 0:Remote user VPN:6933: received peer certreq 'EEE59F1E2AA544C3CB2543A69A5BD46A25BCBB8E'
ike 0:Remote user VPN:6933: received peer certreq '4C75D4858062AAA9449C66151E6C5813053A9C72'
ike 0:Remote user VPN:6933: received peer certreq '174AB82B5FFB05677527AD495A4A5DC422CCEA4E'
ike 0:Remote user VPN:6933: received peer certreq '4F9C7D21799CAD0ED8B90C579F1A0299E790F387'
ike 0:Remote user VPN:6933: responder preparing EAP id request
ike 0:Remote user VPN:6933: local cert, subject="|Q̬", issuer="!
"
ike 0:Remote user VPN:6933: splitting payload len=1712 into 2 fragments
ike 0:Remote user VPN:6933: enc 2500004F0900000030........6D336020102
ike 0:Remote user VPN:6933: enc 71CA6E2D7E38DA........605040302010C
ike 0:Remote user VPN:6933: remote port change 500 -> 4500
ike 0:Remote user VPN:6933: out AC35988F5BF4DF3BE7EE04207........BE40
ike 0:Remote user VPN:6933: sent IKE msg (AUTH_RESPONSE): :4500->:4500, len=1124, vrf=0, id=ac35988f5bf4df3b/e7ee0420726427f8:00000001
ike 0:Remote user VPN:6933: out AC35988F5BF4DF3BE........91A580CF7408BC80D6F
ike 0:Remote user VPN:6933: sent IKE msg (AUTH_RESPONSE): :4500->:4500, len=740, vrf=0, id=ac35988f5bf4df3b/e7ee0420726427f8:00000001
ike shrank heap by 159744 bytes

FortiGate #

Details

Certificates

I followed the steps in this technical note from the Fortinet KB showing how to generate and import certificates. I imported both the server and the CA certificates into the FortiGate.

FortiGate certificates view

I've also installed the client certificate on my machine.

Initially, I also followed the steps in this guide to provide authentication using certificates for a specific user (tgerber), but I ended up selecting the Accept any peer ID option for the authentication section in the VPN configuration since it wasn't working anyway.

IPsec VPN Tunnel Configuration

Here is the configuration of the VPN tunnel on the FortiGate.

FortiGate # show vpn ipsec phase1-interface Remote user VPN
config vpn ipsec phase1-interface
    edit "Remote user VPN"
        set type dynamic
        set interface "x1"
        set ike-version 2
        set authmethod signature
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256
        set dpd on-idle
        set dhgrp 14
        set eap enable
        set eap-identity send-request
        set authusrgrp "VPN_Users_LAB"
        set certificate "server"
        set ipv4-start-ip 192.168.100.10
        set ipv4-end-ip 192.168.100.250
        set ipv4-split-include "local_network"
        set dpd-retryinterval 60
    next
end

FortiGate # show vpn ipsec phase2-interface Remote user VPN
config vpn ipsec phase2-interface
    edit "Remote user VPN"
        set phase1name "Remote user VPN"
        set proposal aes256-sha256
        set dhgrp 14
    next
end

FortiGate #

Please note that I've also run the following commands (as suggested in this post) while trying to fix the problem on my own.

config vpn ipsec phase1-interface
  edit "Remote user VPN"
    set eap enable
    set eap-identity send-request
    set authusrgrp VPN_Users_LAB
  next
end

Native Windows VPN Client Configuration

Here is the VPN configuration:

Field                     Value
Connection name           TEST
Server name or address    FortiGate's public IP
VPN type                  IKEv2
Type of sign-in info      Microsoft: EAP-AKA (I've also tested Certificate but without success)
Username (optional)       empty
Password (optional)       empty

However, I noticed that Windows uses obsolete encryption methods by default, and to change them you have to run commands on the command line. So after searching a bit on the internet I ended up finding this command, which I executed on the Windows client. This post helped me a lot.

Set-VpnConnectionIPsecConfiguration -ConnectionName "TEST" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -PfsGroup ECP384 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup ECP384

Firewall policy

Here is the only firewall policy I have related to the VPN.

FortiGate # show firewall policy 14
config firewall policy
    edit 14
        set name "Allow VPN Users"
        set uuid cc2c3754-4e4b-51ef-9e03-62773733f4b5
        set srcintf "Remote user VPN"
        set dstintf "port6"
        set action accept
        set srcaddr "all"
        set dstaddr "local_network"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

FortiGate #

I don't really know what's stopping the VPN tunnel from working or what could be causing the issue. Thanks for your help.
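As an added example (not part of the question, and not a Fortinet tool), the following Python parser reads the format of the diagnose debug application ike -1 output quoted above, builds a timeline of the IKEv2 exchanges and names the stage at which the responder-side trace stops. The sample lines are a constructed, condensed excerpt, and the patterns assume the message wording shown in that log.

```python
import re

# Constructed sample (not the question's full log), in the wording of FortiOS "diagnose debug application ike -1".
SAMPLE_LOG = """\
ike 0:ac35988f5bf4df3b/0000000000000000:6933: responder received SA_INIT msg
ike 0:ac35988f5bf4df3b/0000000000000000:6933:   type=ENCR, val=AES_CBC (key_len = 256)
ike 0:ac35988f5bf4df3b/0000000000000000:6933:   type=DH_GROUP, val=MODP2048.
ike 0:ac35988f5bf4df3b/0000000000000000:6933: matched proposal id 1
ike 0:Remote user VPN:6933: sent IKE msg (SA_INIT_RESPONSE): :500->:500, len=424, vrf=0
ike 0:Remote user VPN:6933: responder received AUTH msg
ike 0:Remote user VPN:6933: peer identifier IPV4_ADDR 192.168.3.68
ike 0:Remote user VPN:6933: received peer certreq '0EAC826040562797E52513FC2AE10A539559E4A4'
ike 0:Remote user VPN:6933: responder preparing EAP id request
ike 0:Remote user VPN:6933: sent IKE msg (AUTH_RESPONSE): :4500->:4500, len=1124, vrf=0
"""

RECV_RE = re.compile(r"responder received (\w+) msg")
SENT_RE = re.compile(r"sent IKE msg \((\w+)\)")
ALG_RE = re.compile(r"type=(\w+), val=([\w/]+)")
CERTREQ_RE = re.compile(r"received peer certreq '([0-9A-F]{40})'")
PEER_ID_RE = re.compile(r"peer identifier (\w+) (\S+)")

def summarize_ike_debug(text):
    """Timeline of exchanges plus the facts that show where the negotiation stopped."""
    s = {"timeline": [], "proposal": {}, "proposal_matched": False, "peer_id": None,
         "certreqs": [], "eap_requested": False, "auth_msgs_after_eap": 0}
    for line in text.splitlines():
        if m := RECV_RE.search(line):          # reassembled SA_INIT / AUTH message received
            s["timeline"].append("recv " + m.group(1))
            if m.group(1) == "AUTH" and s["eap_requested"]:
                s["auth_msgs_after_eap"] += 1   # client continued the EAP round
        elif m := SENT_RE.search(line):
            s["timeline"].append("sent " + m.group(1))
        elif m := ALG_RE.search(line):         # transforms of the proposal being matched
            s["proposal"][m.group(1)] = m.group(2)
        elif m := CERTREQ_RE.search(line):     # SHA-1 of a CA public key the client trusts (RFC 7296 CERTREQ)
            s["certreqs"].append(m.group(1))
        elif m := PEER_ID_RE.search(line):
            s["peer_id"] = (m.group(1), m.group(2))
        elif "matched proposal id" in line:
            s["proposal_matched"] = True
        elif "preparing EAP id request" in line:   # responder asks the client for an EAP identity
            s["eap_requested"] = True
    return s

def diagnose(s):
    if not s["proposal_matched"]:
        return "phase1: no proposal matched"
    if s["eap_requested"] and s["auth_msgs_after_eap"] == 0:
        return "auth: EAP identity request sent, no AUTH exchange followed"
    return "auth: progressed past EAP identity request"
```

Run on the full log above it reports the same stage as the sample: the responder sent an EAP identity request in its AUTH_RESPONSE and no further AUTH message arrived, which is the step to compare against what the Windows client was asked to present.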
