FortiGate IPsec VPN for FortiClient (IKEv2 and EAP)
In the previous post, I explained how to configure an IPsec VPN for FortiClient using the IPsec wizard, which is based on IKEv1. Although IKEv1 is still much more widely deployed than IKEv2, IKEv2 is becoming increasingly popular among network administrators. IKEv2 needs fewer exchanges, is simpler to configure, and allows asymmetric authentication: in the setup below the gateway authenticates with a pre-shared key while the client authenticates with EAP credentials.
In this post, I will describe how to configure an IPsec VPN for FortiClient that uses IKEv2 for negotiation and EAP for user authentication. To apply the configuration on FortiGate, I will use the CLI.
Firmware and Configuration Details
- FortiOS 6.2.3.
- FortiClient VPN for Windows 6.4.0.
- VDOMs: disabled.
Firewall address objects
```
config firewall address
    edit "LAN"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "DMZ"
        set subnet 172.16.1.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "INTERNAL"
        set member "DMZ" "LAN"
    next
end
```
- Address objects LAN and DMZ for 192.168.1.0/24 and 172.16.1.0/24 subnets.
- Address group INTERNAL containing LAN and DMZ objects.
```
config vpn ipsec phase1-interface
    edit "FCT_IKEv2"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha1 aes256-sha256
        set comments "FortiClient IPsec VPN IKEv2 and EAP user auth"
        set dhgrp 5
        set eap enable
        set eap-identity send-request
        set ipv4-start-ip 192.168.255.1
        set ipv4-end-ip 192.168.255.31
        set dns-mode auto
        set ipv4-split-include "INTERNAL"
        set psksecret checkthefirewall
    next
end
```
- Create a phase 1 VPN named FCT_IKEv2.
- ike-version is set to 2.
- type is set to dynamic because the remote peer address is unknown (dialup client), and peertype any accepts any IKE identity; the user is identified by EAP, not by the IKE ID.
- IKE mode config (mode-cfg) is enabled to assign network parameters to the remote peer through IKE: an address from the pool 192.168.255.1-192.168.255.31 and DNS settings (dns-mode auto).
- EAP is enabled for authenticating the remote user's credentials. In addition, eap-identity is set to send-request so FortiGate explicitly requests the EAP identity from the remote peer. No authusrgrp is set on the phase 1, so which users may log in is inherited from the groups on the firewall policies that use FCT_IKEv2 as source interface; to restrict logins at the tunnel itself as well, add set authusrgrp "VPN".
- ipv4-split-include is set to INTERNAL, which contains the LAN and DMZ subnets, so only traffic to those subnets is sent through the tunnel (split tunneling).
- A pre-shared key has been set. The remote peer must use the same pre-shared key for phase 1 to come up. With a dialup tunnel every client shares this key, so it only authenticates the gateway; the per-user check is EAP.
- The proposal list offers aes128-sha1, and dhgrp 5 is 1536-bit MODP. Both work with FortiClient but are weak by current standards; prefer aes256-sha256 with dhgrp 14 or higher when the clients support it.
```
config vpn ipsec phase2-interface
    edit "FCT_IKEv2-p2"
        set phase1name "FCT_IKEv2"
        set proposal aes128-sha1 aes256-sha1
        set dhgrp 5
    next
end
```
- A phase 2 named FCT_IKEv2-p2 is created and bound to phase 1 FCT_IKEv2, which was created in the previous step. Both phase 2 proposals use SHA-1 for integrity and dhgrp 5 for PFS; the same hardening as in phase 1 applies (prefer aes256-sha256 and dhgrp 14 or higher).
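The points raised in the phase 1 and phase 2 notes above (weak hash, weak DH group, missing authusrgrp, short pre-shared key) are easy to miss when reading a config by eye. The script below is an added example, not code from the original post or from Fortinet: it parses the `config vpn ipsec phase1-interface` block as shown in this post and reports those findings. The thresholds (WEAK_HASHES, WEAK_DHGRPS, MIN_PSK_LEN) are this example's own review policy, not a FortiOS rule, and the sample input is the phase 1 from this post reproduced as constructed input.

```python
"""Audit FortiOS phase1-interface blocks for weak IKE settings (added example)."""
import re

# Constructed sample input: the phase 1 block from this post, as typed on the CLI.
SAMPLE_PHASE1 = """\
config vpn ipsec phase1-interface
    edit "FCT_IKEv2"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha1 aes256-sha256
        set dhgrp 5
        set eap enable
        set eap-identity send-request
        set ipv4-start-ip 192.168.255.1
        set ipv4-end-ip 192.168.255.31
        set dns-mode auto
        set ipv4-split-include "INTERNAL"
        set psksecret checkthefirewall
    next
end
"""

# Local review policy (an assumption of this example, not a FortiOS rule):
# SHA-1/MD5 integrity and MODP groups below 2048 bits are flagged, and a
# cleartext PSK shorter than MIN_PSK_LEN characters is flagged.
WEAK_HASHES = {"md5", "sha1"}
WEAK_DHGRPS = {"1", "2", "5"}      # MODP-768, MODP-1024, MODP-1536
MIN_PSK_LEN = 20

EDIT_RE = re.compile(r'^edit "?([^"]+)"?$')
SET_RE = re.compile(r"^set (\S+) (.+)$")


def parse_phase1(text):
    """Return {tunnel_name: {setting: [values]}} for every edit block inside
    'config vpn ipsec phase1-interface'. Other config sections are skipped."""
    tunnels, current, in_section = {}, None, False
    for line in text.splitlines():
        line = line.strip()
        if line == "config vpn ipsec phase1-interface":
            in_section = True
            continue
        if not in_section:
            continue
        if line == "end":
            in_section = False
            continue
        m = EDIT_RE.match(line)
        if m:
            current = m.group(1)
            tunnels[current] = {}
        elif line == "next":
            current = None
        elif current is not None:
            m = SET_RE.match(line)
            if m:
                tunnels[current][m.group(1)] = [v.strip('"') for v in m.group(2).split()]
    return tunnels


def audit_phase1(settings):
    """Return (code, message) findings for one tunnel's settings."""
    findings = []
    get = settings.get
    if get("ike-version") != ["2"]:
        findings.append(("IKEV1", "ike-version is not 2"))
    # Proposal names end in the integrity algorithm, e.g. aes128-sha1.
    weak = [p for p in get("proposal", []) if p.rsplit("-", 1)[-1] in WEAK_HASHES]
    if weak:
        findings.append(("WEAK_PROPOSAL", "proposal offers " + " ".join(weak)))
    weak_dh = [g for g in get("dhgrp", []) if g in WEAK_DHGRPS]
    if weak_dh:
        findings.append(("WEAK_DHGRP", "dhgrp " + " ".join(weak_dh) + " is below MODP-2048"))
    if get("eap") == ["enable"] and "authusrgrp" not in settings:
        findings.append(("NO_AUTHUSRGRP",
                         "EAP enabled without authusrgrp; only the firewall policies restrict users"))
    psk = get("psksecret", [])
    # A saved config stores the key as 'set psksecret ENC <blob>'; only audit cleartext keys.
    if psk and psk[0] != "ENC" and len(psk[0]) < MIN_PSK_LEN:
        findings.append(("SHORT_PSK", "psksecret is shorter than %d characters" % MIN_PSK_LEN))
    return findings


def audit_config(text):
    """Audit every phase1-interface tunnel found in a config dump."""
    return {name: audit_phase1(s) for name, s in parse_phase1(text).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_PHASE1).items():
        for code, msg in findings:
            print("%s: %s: %s" % (name, code, msg))
```

Run against the phase 1 in this post it reports four findings (WEAK_PROPOSAL, WEAK_DHGRP, NO_AUTHUSRGRP, SHORT_PSK); a copy with aes256-sha256 only, dhgrp 14, authusrgrp "VPN" and a longer key reports none. The parser works on a full `show` dump as well, since it only looks inside the phase1-interface section.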
VPN user credentials
```
config user local
    edit "bob"
        set type password
        set passwd checkthefirewall
    next
end
config user group
    edit "VPN"
        set member "bob"
    next
end
```
- User bob, and user group VPN with bob as member.
```
config firewall policy
    edit 0
        set name "From_FCT-IPsec_to_LAN"
        set srcintf "FCT_IKEv2"
        set dstintf "port5"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "VPN"
    next
    edit 0
        set name "From_FCT-IPsec_to_DMZ"
        set srcintf "FCT_IKEv2"
        set dstintf "port7"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "VPN"
    next
end
```
- Two incoming firewall policies are created: one to allow traffic from the VPN to LAN (port5), and another from the VPN to DMZ (port7). Both carry set groups "VPN", so they only match sessions from users who authenticated as members of the VPN group. The policies use all for both source and destination; for least privilege, set srcaddr to an address object covering the mode-cfg pool (192.168.255.1-192.168.255.31) and dstaddr to the LAN and DMZ objects rather than all.
Since FortiClient 6.2 VPN does not support IKEv2, I will use FortiClient VPN 6.4 for Windows this time, which is available for download at support.fortinet.com (a valid support contract is needed).
- To configure a new VPN, right-click on the FortiClient system tray icon, and click Open FortiClient Console.
- When creating a new IPsec VPN, set the Remote Gateway to port1 address and enter the same pre-shared key configured on FortiGate.
- Expand the VPN Settings section and select Version 2 for IKE.
- Initiate the VPN connection on the remote user from FortiClient and use bob's credentials. The VPN is connected.
- When checking the routing table on the remote user, I can see the two routes installed by FortiClient (split tunneling).
```
C:\Users\User>route print
--- cut ---
        172.16.1.0    255.255.255.0    192.168.255.2    192.168.255.1      1
       192.168.1.0    255.255.255.0    192.168.255.2    192.168.255.1      1
--- cut ---
```
- I ping the LAN (192.168.1.254) and DMZ (172.16.1.254) interfaces. Pings are successful.
```
C:\Users\User>ping 192.168.1.254 -n 2

Pinging 192.168.1.254 with 32 bytes of data:
Reply from 192.168.1.254: bytes=32 time=1ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255

Ping statistics for 192.168.1.254:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms

C:\Users\User>ping 172.16.1.254 -n 2

Pinging 172.16.1.254 with 32 bytes of data:
Reply from 172.16.1.254: bytes=32 time=1ms TTL=255
Reply from 172.16.1.254: bytes=32 time=1ms TTL=255

Ping statistics for 172.16.1.254:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms
```
- Go to Monitor > IPsec Monitor, and enable the Proxy ID Destination and XAUTH User columns. The tunnel FCT_IKEv2_0 for bob is up, and bob was assigned the address 192.168.255.1.
- On the GUI, go to Monitor > Routing Monitor. A static route has been added for bob (192.168.255.1).
- Phase 1. IKE version is 2 and phase 1 is up (established).
```
FGT-HQ # diagnose vpn ike gateway list

vd: root/0
name: FCT_IKEv2_0
version: 2
interface: port1 3
addr: 10.1.1.10:500 -> 10.10.10.10:500
created: 30s ago
eap-user: bob
groups: VPN 2
assigned IPv4 address: 192.168.255.1/255.255.255.255
PPK: no
IKE SA: created 1/1  established 1/1  time 80/80/80 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

  id/spi: 2 83beee2ed6ea54cd/15608e12e211864c
  direction: responder
  status: established 30-30s ago = 80ms
  proposal: aes128-sha1
  child: no
  SK_ei: 59464471a5487b26-fa2f91a8449060ba
  SK_er: 10ceb13dd8a12969-c1dd953beb26f7cf
  SK_ai: 007a09bc41ed867c-acae2eed3e6b1485-eac9dfe5
  SK_ar: 28a73e048641b402-8c705e80e80d6dca-526b1a9d
  PPK: no
  message-id sent/recv: 1/6
  lifetime/rekey: 86400/86099
  DPD sent/recv: 00000001/00000001
```
- Phase 2. Security associations (SAs) were negotiated. Tunnel is up.
```
FGT-HQ # diagnose vpn tunnel list name FCT_IKEv2_0

list ipsec tunnel by names in vd 0
------------------------------------------------------
name=FCT_IKEv2_0 ver=2 serial=3 10.1.1.10:0->10.10.10.10:0 dst_mtu=1500
bound_if=3 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/640 options=rgwy-chg frag-rfc  run_state=1 accept_traffic=1
parent=FCT_IKEv2 index=0
proxyid_num=1 child_num=0 refcnt=6 ilast=0 olast=20 ad=/0
stat: rxp=30 txp=0 rxb=3536 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=1
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=FCT_IKEv2-p2 proto=0 sa=1 ref=2 serial=1 add-route
  src: 0:0.0.0.0-255.255.255.255:0
  dst: 0:192.168.255.1-192.168.255.1:0
  SA: ref=3 options=2a6 type=00 soft=0 mtu=1438 expire=43150/0B replaywin=2048
       seqno=1 esn=0 replaywin_lastseq=0000001e itn=0 qat=0
  life: type=01 bytes=0/0 timeout=43191/43200
  dec: spi=be2dd4bc esp=aes key=16 f4d821e74d6270ebb74595aae0da9767
       ah=sha1 key=20 8ba1ae50dcd91efa4c5b156aa5655b406e9afe0c
  enc: spi=1708c0f6 esp=aes key=16 09d3cdea63d29bc10bf411108ea227de
       ah=sha1 key=20 c8b3a47ae560495e78c14e3310a6f3d98a84654b
  dec:pkts/bytes=30/1595, enc:pkts/bytes=0/0
```
- Routing table. A static route for bob (192.168.255.1) has been added.
```
FGT-HQ # get router info routing-table all

Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 10.1.1.1, port1
C       10.1.1.0/24 is directly connected, port1
C       172.16.1.0/24 is directly connected, port7
C       192.168.1.0/24 is directly connected, port5
S       192.168.255.1/32 [15/0] via 10.10.10.10, FCT_IKEv2
```
- Sniffing the pings sent by the remote user on FortiGate, the ICMP echo requests arrive on the FCT_IKEv2 interface and the replies go back out through it.
```
FGT-HQ # diagnose sniffer packet any "(host 192.168.1.254 or host 172.16.1.254) and icmp" 4 0 l
interfaces=[any]
filters=[(host 192.168.1.254 or host 172.16.1.254) and icmp]
2020-05-17 16:50:09.447906 FCT_IKEv2 in 192.168.255.1 -> 192.168.1.254: icmp: echo request
2020-05-17 16:50:09.447944 FCT_IKEv2 out 192.168.1.254 -> 192.168.255.1: icmp: echo reply
2020-05-17 16:50:10.471148 FCT_IKEv2 in 192.168.255.1 -> 192.168.1.254: icmp: echo request
2020-05-17 16:50:10.471228 FCT_IKEv2 out 192.168.1.254 -> 192.168.255.1: icmp: echo reply
2020-05-17 16:50:15.530067 FCT_IKEv2 in 192.168.255.1 -> 172.16.1.254: icmp: echo request
2020-05-17 16:50:15.530101 FCT_IKEv2 out 172.16.1.254 -> 192.168.255.1: icmp: echo reply
2020-05-17 16:50:16.553212 FCT_IKEv2 in 192.168.255.1 -> 172.16.1.254: icmp: echo request
2020-05-17 16:50:16.553262 FCT_IKEv2 out 172.16.1.254 -> 192.168.255.1: icmp: echo reply
```
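The `diagnose vpn ike gateway list` output above is what you would collect over SSH when checking many dialup users, and it is easier to test than to read. The script below is an added example, not code from the original post or from Fortinet: it parses that output into one record per gateway (IKE version, EAP user, assigned mode-cfg address, SA counters, status, negotiated proposal) and turns it into a pass/fail check. The sample input is the gateway entry from this post reproduced as constructed input; the field names follow that output and the check's expectations (IKE version 2, a given EAP user, established SAs, an assigned address) are this example's own.

```python
"""Parse `diagnose vpn ike gateway list` output and check a dialup tunnel (added example)."""
import re

# Constructed sample input: the gateway entry from this post, one field per line.
SAMPLE_GATEWAY_LIST = """\
vd: root/0
name: FCT_IKEv2_0
version: 2
interface: port1 3
addr: 10.1.1.10:500 -> 10.10.10.10:500
created: 30s ago
eap-user: bob
groups: VPN 2
assigned IPv4 address: 192.168.255.1/255.255.255.255
PPK: no
IKE SA: created 1/1  established 1/1  time 80/80/80 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

  id/spi: 2 83beee2ed6ea54cd/15608e12e211864c
  direction: responder
  status: established 30-30s ago = 80ms
  proposal: aes128-sha1
"""

SA_RE = re.compile(r"created (\d+)/(\d+)\s+established (\d+)/(\d+)")


def parse_gateways(text):
    """Return one dict per 'name:' block. Every 'key: value' line is kept under
    'raw'; the fields the check needs are also normalised into typed keys."""
    gateways, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "name":
            cur = {"name": value, "raw": {}}
            gateways.append(cur)
            continue
        if cur is None:
            continue                      # header lines such as 'vd: root/0'
        cur["raw"][key] = value
        if key == "version":
            cur["ike_version"] = int(value)
        elif key == "eap-user":
            cur["eap_user"] = value
        elif key == "assigned IPv4 address":
            cur["assigned_ip"] = value.split("/")[0]
        elif key in ("IKE SA", "IPsec SA"):
            m = SA_RE.search(value)
            if m:
                field = "ike_sa_established" if key == "IKE SA" else "ipsec_sa_established"
                cur[field] = (int(m.group(3)), int(m.group(4)))
        elif key == "status":
            cur["established"] = value.startswith("established")
        elif key == "proposal":
            cur["proposal"] = value
    return gateways


def check_gateway(gw, expected_user, expected_version=2):
    """Return a list of problems with the tunnel state; empty means it looks right."""
    problems = []
    if gw.get("ike_version") != expected_version:
        problems.append("IKE version %s, expected %d" % (gw.get("ike_version"), expected_version))
    if gw.get("eap_user") != expected_user:
        problems.append("EAP user %r, expected %r" % (gw.get("eap_user"), expected_user))
    if not gw.get("established"):
        problems.append("IKE SA not established")
    if gw.get("ipsec_sa_established", (0, 0))[0] < 1:
        problems.append("no IPsec SA established")
    if "assigned_ip" not in gw:
        problems.append("no mode-cfg address assigned")
    return problems


def weak_proposal(gw):
    """True when the proposal actually negotiated ends in a SHA-1 or MD5 integrity algorithm,
    which can happen even when stronger proposals were offered (as in this post)."""
    return gw.get("proposal", "").rsplit("-", 1)[-1] in ("sha1", "md5")


if __name__ == "__main__":
    for gw in parse_gateways(SAMPLE_GATEWAY_LIST):
        print(gw["name"], check_gateway(gw, "bob") or "OK",
              "(weak proposal negotiated)" if weak_proposal(gw) else "")
```

On the output from this post the state check passes for bob, and weak_proposal() reports that the client negotiated aes128-sha1 even though aes256-sha256 was also offered; dropping the SHA-1 proposal from phase 1 is the way to make the client pick the stronger one.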
Feel free to download the configuration files used in this lab, as well as the output for some debugs taken during testing.
| File | Description | Date |
|---|---|---|
| ipsec-fct-ikev2-FGT-HQ-623.conf | FortiGate HQ Configuration File | 05/17/2020 |
This post shows how you can configure an IPsec VPN for FortiClient that uses IKEv2 and EAP. On FortiGate, the tunnel status was checked on both CLI and GUI.
A Network Security Engineer based in Canada.