FortiGate IPsec VPN for FortiClient (IKEv2 and EAP)

IPsec VPN with FortiClient

Introduction

In the previous post, I explained how to configure an IPsec VPN for FortiClient using the IPsec wizard, which produces an IKEv1 configuration. Although IKEv1 is still far more widely deployed than IKEv2, IKEv2 is becoming increasingly popular among network administrators: the exchange is simpler, the configuration is shorter, and authentication can be asymmetric (the gateway and the client may authenticate with different methods, which is what lets the client authenticate with EAP while the gateway authenticates with a pre-shared key or certificate).

In this post, I will describe how to configure an IPsec VPN for FortiClient that uses IKEv2 for negotiation and EAP for user authentication. To apply the configuration on FortiGate, I will use the CLI.

Firmware and Configuration Details

  • FortiOS 6.2.3.
  • FortiClient VPN for Windows 6.4.0.
  • VDOMs: disabled.

FortiGate Configuration

Firewall address objects

config firewall address
    edit "LAN"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "DMZ"
        set subnet 172.16.1.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "INTERNAL"
        set member "DMZ" "LAN"
    next
end
  • Address objects LAN and DMZ for the 192.168.1.0/24 and 172.16.1.0/24 subnets.
  • Address group INTERNAL containing the LAN and DMZ objects.

Phase 1

config vpn ipsec phase1-interface
    edit "FCT_IKEv2"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha1 aes256-sha256
        set comments "FortiClient IPsec VPN IKEv2 and EAP user auth"
        set dhgrp 5
        set eap enable
        set eap-identity send-request
        set ipv4-start-ip 192.168.255.1
        set ipv4-end-ip 192.168.255.31
        set dns-mode auto
        set ipv4-split-include "INTERNAL"
        set psksecret checkthefirewall
    next
end
  • Create a phase 1 VPN named FCT_IKEv2.
  • ike-version is set to 2.
  • type is set to dynamic because the remote peer address is unknown (dialup client).
  • IKE mode config (mode-cfg) is enabled so that FortiGate assigns network parameters (an address from the pool 192.168.255.1-192.168.255.31, plus DNS) to the remote peer through IKE.
  • EAP is enabled so that the remote user's credentials are authenticated. In addition, eap-identity is set to send-request so that FortiGate requests the remote peer's identity through EAP.
  • ipv4-split-include is set to INTERNAL, which contains the LAN and DMZ subnets; only traffic to those subnets is sent through the tunnel (split tunneling).
  • A pre-shared key has been set. The remote peer must use the same pre-shared key for phase 1 to come up. The key shown here is a lab value; it is shared by every dialup client, so per-user access control in this setup rests on the EAP credentials and the firewall policies, not on the key.
  • The proposal (aes128-sha1 aes256-sha256) and dhgrp 5 are what this lab used. SHA-1 and DH group 5 (1536-bit MODP) are legacy choices; on a production gateway, prefer SHA-256 (or an AES-GCM proposal) with DH group 14 or higher, and trim the list to the proposals you actually want clients to use.

Phase 2

config vpn ipsec phase2-interface
    edit "FCT_IKEv2-p2"
        set phase1name "FCT_IKEv2"
        set proposal aes128-sha1 aes256-sha1
        set dhgrp 5
    next
end
  • A phase 2 named FCT_IKEv2-p2 is created and bound to phase 1 FCT_IKEv2, which was created in the previous step. Setting dhgrp here selects the group used for perfect forward secrecy (PFS) on the IPsec SAs; as in phase 1, group 5 and SHA-1 are lab values, and group 14 or higher with SHA-256 is the better choice outside a lab.
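
To check the phase 1 and phase 2 settings above mechanically instead of by eye, here is an added example of my own (not code from the original post or from Fortinet): a small parser for the FortiOS `config / edit / set / next / end` format and an audit that flags legacy proposals and DH groups, run against the lab configuration from this post and against a hardened variant. The weak-algorithm lists, the `info` finding for the shared PSK, and the hardened proposal names (`aes256gcm-prfsha256`, `aes256gcm`, `dhgrp 14 19`) are this example's assumptions; confirm the names with `set proposal ?` on your FortiOS version before pasting them.

```python
"""Audit the IKEv2/EAP phase 1 and phase 2 settings in a FortiOS config dump.

Added example, not code from the original post: it parses the
'config / edit / set / next / end' format of a FortiGate configuration file
and flags legacy crypto, so the post's lab proposal (aes128-sha1, dhgrp 5)
can be compared with a hardened one. The weak-algorithm lists and the
hardened values below are this example's own assumptions.
"""
import shlex

# Constructed input: the phase 1 / phase 2 blocks as configured in the post.
LAB_CONFIG = """\
config vpn ipsec phase1-interface
    edit "FCT_IKEv2"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set mode-cfg enable
        set proposal aes128-sha1 aes256-sha256
        set dhgrp 5
        set eap enable
        set eap-identity send-request
        set ipv4-split-include "INTERNAL"
        set psksecret checkthefirewall
    next
end
config vpn ipsec phase2-interface
    edit "FCT_IKEv2-p2"
        set phase1name "FCT_IKEv2"
        set proposal aes128-sha1 aes256-sha1
        set dhgrp 5
    next
end
"""
# Same tunnel with the proposals and DH groups this example suggests instead
# (assumed names; verify with 'set proposal ?' on your FortiOS version).
HARDENED_CONFIG = (LAB_CONFIG
    .replace("set proposal aes128-sha1 aes256-sha256", "set proposal aes256-sha256 aes256gcm-prfsha256")
    .replace("set proposal aes128-sha1 aes256-sha1", "set proposal aes256-sha256 aes256gcm")
    .replace("set dhgrp 5", "set dhgrp 14 19"))

WEAK_ENC = {"des", "3des"}
WEAK_HASH = {"md5", "sha1"}
WEAK_DH = {"1", "2", "5"}  # MODP groups of 1536 bits or less

def parse_fortios(text):
    """Return {section: {entry: {key: [values]}}} for top-level config blocks."""
    sections, stack, entry = {}, [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        words = shlex.split(raw)  # honours quoted values such as "port1"
        kw, args = words[0], words[1:]
        if kw == "config":  # nested blocks are tracked so their 'end' is matched
            stack.append(" ".join(args))
            if len(stack) == 1:
                sections.setdefault(stack[0], {})
        elif kw == "edit" and len(stack) == 1:
            entry = sections[stack[0]].setdefault(args[0], {})
        elif kw == "set" and len(stack) == 1 and entry is not None:
            entry[args[0]] = args[1:]
        elif kw == "next" and len(stack) == 1:
            entry = None
        elif kw == "end" and stack:
            stack.pop()
    return sections

def crypto_findings(where, entry):
    """(severity, message) tuples for weak proposals or DH groups in one entry."""
    out = []
    for prop in entry.get("proposal", []):
        enc, _, hsh = prop.partition("-")  # e.g. aes128-sha1, aes256gcm-prfsha256
        if enc in WEAK_ENC or hsh in WEAK_HASH:
            out.append(("weak", f"{where}: proposal {prop} uses legacy crypto"))
    for grp in entry.get("dhgrp", []):
        if grp in WEAK_DH:
            out.append(("weak", f"{where}: dhgrp {grp} is a small MODP group, use 14 or higher"))
    return out

def audit_ipsec(text):
    """Audit every phase1-interface and phase2-interface entry in a config dump."""
    cfg = parse_fortios(text)
    findings = []
    for name, p1 in cfg.get("vpn ipsec phase1-interface", {}).items():
        where = f"phase1 {name}"
        if p1.get("ike-version", ["1"]) != ["2"]:  # FortiOS defaults to IKEv1
            findings.append(("weak", f"{where}: ike-version is not 2"))
        if p1.get("eap") != ["enable"]:
            findings.append(("weak", f"{where}: EAP user authentication is not enabled"))
        if "psksecret" in p1:
            findings.append(("info", f"{where}: gateway authenticated by a PSK shared by all clients"))
        findings += crypto_findings(where, p1)
    for name, p2 in cfg.get("vpn ipsec phase2-interface", {}).items():
        findings += crypto_findings(f"phase2 {name}", p2)
    return findings

if __name__ == "__main__":
    for label, text in (("lab", LAB_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for severity, message in audit_ipsec(text):
            print(f"[{severity}] {message}")
```

Run it against a full `show full-configuration` dump and it walks every phase 1 and phase 2 entry, not only the one shown here; the lab configuration produces five `weak` findings (SHA-1 proposals and group 5 in both phases) and one `info` finding for the shared PSK, while the hardened variant produces only the `info` finding.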

VPN user credentials

config user local
    edit "bob"
        set type password
        set passwd checkthefirewall
    next
end
config user group
    edit "VPN"
        set member "bob"
    next
end
  • User bob, and user group VPN with bob as member.

Firewall policies

config firewall policy
    edit 0
        set name "From_FCT-IPsec_to_LAN"
        set srcintf "FCT_IKEv2"
        set dstintf "port5"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "VPN"
    next
    edit 0
        set name "From_FCT-IPsec_to_DMZ"
        set srcintf "FCT_IKEv2"
        set dstintf "port7"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "VPN"
    next
end
  • Two incoming firewall policies are created: one to allow from the VPN to LAN (port5), and another from the VPN to DMZ (port7).

FortiClient Configuration

Since FortiClient 6.2 VPN does not support IKEv2, I will use FortiClient 6.4 VPN version for Windows this time, which is available for download at support.fortinet.com (a valid support contract is needed).

  • To configure a new VPN, right-click on the FortiClient system tray icon, and click Open FortiClient Console.
  • When creating a new IPsec VPN, set the Remote Gateway to port1 address and enter the same pre-shared key configured on FortiGate.
  • Expand the VPN Settings section and select Version 2 for IKE.

FortiClient - New IPsec VPN

Verification

Remote user

  • On the remote user's machine, initiate the VPN connection from FortiClient using bob's credentials. The VPN connects.

FortiClient IPsec VPN - Connected

  • Checking the routing table on the remote user's machine, I can see the two routes installed by FortiClient for the LAN and DMZ subnets (split tunneling); the rest of the traffic keeps using the local default route.
C:\Users\User>route print
--- cut ---
       172.16.1.0    255.255.255.0    192.168.255.2    192.168.255.1      1
      192.168.1.0    255.255.255.0    192.168.255.2    192.168.255.1      1
--- cut ---
  • I ping the LAN (192.168.1.254) and DMZ (172.16.1.254) interfaces. Both pings are successful.
C:\Users\User>ping 192.168.1.254 -n 2

Pinging 192.168.1.254 with 32 bytes of data:
Reply from 192.168.1.254: bytes=32 time=1ms TTL=255
Reply from 192.168.1.254: bytes=32 time=2ms TTL=255

Ping statistics for 192.168.1.254:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms

C:\Users\User>ping 172.16.1.254 -n 2

Pinging 172.16.1.254 with 32 bytes of data:
Reply from 172.16.1.254: bytes=32 time=1ms TTL=255
Reply from 172.16.1.254: bytes=32 time=1ms TTL=255

Ping statistics for 172.16.1.254:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms

FortiGate GUI

  • Go to Monitor > IPsec Monitor, and enable the Proxy ID Destination and XAUTH User columns. The tunnel FCT_IKEv2_0 for bob is up, and bob was assigned the address 192.168.255.1.
FortiGate IPsec Monitor - Tunnel is up
  • On the GUI, go to Monitor > Routing Monitor. A static route has been added for bob (192.168.255.1/32) pointing at the FCT_IKEv2 interface.
FortiGate Routing Monitor - IPsec route

FortiGate CLI

  • Phase 1. IKE version is 2 and phase 1 is up (established).
FGT-HQ # diagnose vpn ike gateway list

vd: root/0
name: FCT_IKEv2_0
version: 2
interface: port1 3
addr: 10.1.1.10:500 -> 10.10.10.10:500
created: 30s ago
eap-user: bob
groups:
  VPN 2
assigned IPv4 address: 192.168.255.1/255.255.255.255
PPK: no
IKE SA: created 1/1  established 1/1  time 80/80/80 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

  id/spi: 2 83beee2ed6ea54cd/15608e12e211864c
  direction: responder
  status: established 30-30s ago = 80ms
  proposal: aes128-sha1
  child: no
  SK_ei: 59464471a5487b26-fa2f91a8449060ba
  SK_er: 10ceb13dd8a12969-c1dd953beb26f7cf
  SK_ai: 007a09bc41ed867c-acae2eed3e6b1485-eac9dfe5
  SK_ar: 28a73e048641b402-8c705e80e80d6dca-526b1a9d
  PPK: no
  message-id sent/recv: 1/6
  lifetime/rekey: 86400/86099
  DPD sent/recv: 00000001/00000001

  • Phase 2. Security associations (SAs) were negotiated and the tunnel is up. Note that this output prints the live ESP and AH keys (the hex after key=), just as the IKE output above prints the SK_* keys; redact them before attaching the output to a ticket or a post.
FGT-HQ # diagnose vpn tunnel list name FCT_IKEv2_0
list ipsec tunnel by names in vd 0
------------------------------------------------------
name=FCT_IKEv2_0 ver=2 serial=3 10.1.1.10:0->10.10.10.10:0 dst_mtu=1500
bound_if=3 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/640 options[0280]=rgwy-chg frag-rfc  run_state=1 accept_traffic=1

 parent=FCT_IKEv2 index=0
proxyid_num=1 child_num=0 refcnt=6 ilast=0 olast=20 ad=/0
stat: rxp=30 txp=0 rxb=3536 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=1
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=FCT_IKEv2-p2 proto=0 sa=1 ref=2 serial=1 add-route
  src: 0:0.0.0.0-255.255.255.255:0
  dst: 0:192.168.255.1-192.168.255.1:0
  SA:  ref=3 options=2a6 type=00 soft=0 mtu=1438 expire=43150/0B replaywin=2048
       seqno=1 esn=0 replaywin_lastseq=0000001e itn=0 qat=0
  life: type=01 bytes=0/0 timeout=43191/43200
  dec: spi=be2dd4bc esp=aes key=16 f4d821e74d6270ebb74595aae0da9767
       ah=sha1 key=20 8ba1ae50dcd91efa4c5b156aa5655b406e9afe0c
  enc: spi=1708c0f6 esp=aes key=16 09d3cdea63d29bc10bf411108ea227de
       ah=sha1 key=20 c8b3a47ae560495e78c14e3310a6f3d98a84654b
  dec:pkts/bytes=30/1595, enc:pkts/bytes=0/0

  • Routing table. A static route for bob (192.168.255.1) has been added.
FGT-HQ # get router info routing-table all

Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 10.1.1.1, port1
C       10.1.1.0/24 is directly connected, port1
C       172.16.1.0/24 is directly connected, port7
C       192.168.1.0/24 is directly connected, port5
S       192.168.255.1/32 [15/0] via 10.10.10.10, FCT_IKEv2

  • Sniffing the pings sent by the remote user, ICMP echo requests and replies are seen on the FCT_IKEv2 interface.
FGT-HQ # diagnose sniffer packet any "(host 192.168.1.254 or host 172.16.1.254) and icmp" 4 0 l 
interfaces=[any]
filters=[(host 192.168.1.254 or host 172.16.1.254) and icmp]
2020-05-17 16:50:09.447906 FCT_IKEv2 in 192.168.255.1 -> 192.168.1.254: icmp: echo request
2020-05-17 16:50:09.447944 FCT_IKEv2 out 192.168.1.254 -> 192.168.255.1: icmp: echo reply
2020-05-17 16:50:10.471148 FCT_IKEv2 in 192.168.255.1 -> 192.168.1.254: icmp: echo request
2020-05-17 16:50:10.471228 FCT_IKEv2 out 192.168.1.254 -> 192.168.255.1: icmp: echo reply
2020-05-17 16:50:15.530067 FCT_IKEv2 in 192.168.255.1 -> 172.16.1.254: icmp: echo request
2020-05-17 16:50:15.530101 FCT_IKEv2 out 172.16.1.254 -> 192.168.255.1: icmp: echo reply
2020-05-17 16:50:16.553212 FCT_IKEv2 in 192.168.255.1 -> 172.16.1.254: icmp: echo request
2020-05-17 16:50:16.553262 FCT_IKEv2 out 172.16.1.254 -> 192.168.255.1: icmp: echo reply
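
The CLI checks above can be scripted, which helps when the same tunnel has to be verified on several gateways or the output has to be shared. The following is an added example of my own (not code from the original post or from Fortinet) that reads the `diagnose vpn ike gateway list` and `diagnose vpn tunnel list` output as printed by FortiOS 6.2.3, confirms the facts this post checks by hand (IKE version 2, EAP user bob, an assigned address inside the mode-cfg pool, established IKE and IPsec SAs), and masks the SK_* and ESP/AH key material before the output leaves the box. The sample strings are trimmed copies of the output shown above; the field names are assumed to be stable only for this FortiOS version, and the expected user and pool are the ones from this lab.

```python
"""Check and sanitise the FortiGate IKEv2 diagnostics shown in the post.

Added example, not code from the original post. The sample strings are
trimmed copies of the 'diagnose vpn ike gateway list' and 'diagnose vpn
tunnel list' output. summarize_ike_gateway() extracts the fields that prove
IKEv2 and EAP were used, check_ikev2_eap() compares them with the expected
user and mode-cfg pool, and redact_keys() masks the SK_* and ESP/AH key
material both commands print. Field names follow FortiOS 6.2.3 output.
"""
import ipaddress
import re

IKE_GATEWAY_OUTPUT = """\
vd: root/0
name: FCT_IKEv2_0
version: 2
interface: port1 3
addr: 10.1.1.10:500 -> 10.10.10.10:500
created: 30s ago
eap-user: bob
groups:
  VPN 2
assigned IPv4 address: 192.168.255.1/255.255.255.255
IKE SA: created 1/1  established 1/1  time 80/80/80 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

  id/spi: 2 83beee2ed6ea54cd/15608e12e211864c
  direction: responder
  status: established 30-30s ago = 80ms
  proposal: aes128-sha1
  SK_ei: 59464471a5487b26-fa2f91a8449060ba
  SK_er: 10ceb13dd8a12969-c1dd953beb26f7cf
  SK_ai: 007a09bc41ed867c-acae2eed3e6b1485-eac9dfe5
  SK_ar: 28a73e048641b402-8c705e80e80d6dca-526b1a9d
"""

TUNNEL_LIST_OUTPUT = """\
name=FCT_IKEv2_0 ver=2 serial=3 10.1.1.10:0->10.10.10.10:0 dst_mtu=1500
proxyid=FCT_IKEv2-p2 proto=0 sa=1 ref=2 serial=1 add-route
  src: 0:0.0.0.0-255.255.255.255:0
  dst: 0:192.168.255.1-192.168.255.1:0
  dec: spi=be2dd4bc esp=aes key=16 f4d821e74d6270ebb74595aae0da9767
       ah=sha1 key=20 8ba1ae50dcd91efa4c5b156aa5655b406e9afe0c
  enc: spi=1708c0f6 esp=aes key=16 09d3cdea63d29bc10bf411108ea227de
       ah=sha1 key=20 c8b3a47ae560495e78c14e3310a6f3d98a84654b
"""

SA_RE = re.compile(r"^(IKE SA|IPsec SA): created (\d+)/(\d+)\s+established (\d+)/(\d+)")
# Key material: IKEv2 SK_* keys (hex groups joined by '-') and ESP/AH keys after 'key=<len> '.
KEY_RE = re.compile(r"(SK_[a-z]{2}:\s*|\bkey=\d+ )[0-9a-f-]+")

def summarize_ike_gateway(text):
    """Fields of the first gateway entry as a dict; SA counters become sub-dicts."""
    info = {}
    for line in text.splitlines():
        m = SA_RE.match(line)
        if m:
            info[m.group(1)] = {"created": int(m.group(2)), "established": int(m.group(4))}
            continue
        key, sep, value = line.strip().partition(": ")
        if sep and key not in info and not key.startswith("SK_"):
            info[key] = value  # first occurrence wins; keys are never copied
    return info

def check_ikev2_eap(info, user, pool):
    """Empty list when the gateway matches what the post expects to see."""
    problems = []
    if info.get("version") != "2":
        problems.append("IKE version is not 2")
    if info.get("eap-user") != user:
        problems.append(f"expected EAP user {user}, got {info.get('eap-user')!r}")
    if not info.get("status", "").startswith("established"):
        problems.append("IKE SA is not established")
    for sa in ("IKE SA", "IPsec SA"):
        if info.get(sa, {}).get("established", 0) < 1:
            problems.append(f"no established {sa}")
    ip = info.get("assigned IPv4 address", "").split("/")[0]
    lo, hi = (ipaddress.ip_address(a) for a in pool)  # pool = (start-ip, end-ip)
    try:
        in_pool = lo <= ipaddress.ip_address(ip) <= hi
    except ValueError:  # no address or an unparsable one
        in_pool = False
    if not in_pool:
        problems.append(f"assigned address {ip!r} is outside the mode-cfg pool")
    return problems

def redact_keys(text):
    """Mask SK_* and ESP/AH keys; SPIs, addresses and counters stay readable."""
    return KEY_RE.sub(lambda m: m.group(1) + "<redacted>", text)

if __name__ == "__main__":
    summary = summarize_ike_gateway(IKE_GATEWAY_OUTPUT)
    print(check_ikev2_eap(summary, "bob", ("192.168.255.1", "192.168.255.31")) or "tunnel OK")
    print(redact_keys(IKE_GATEWAY_OUTPUT + TUNNEL_LIST_OUTPUT))
```

On a real gateway, feed the script the raw output of the two commands (for example collected over SSH); the SPIs and addresses survive redaction, which is all a support case normally needs, while the hex after SK_* and key= is replaced with `<redacted>`.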

Lab Files

Feel free to download the configuration files used in this lab, as well as the output of some debugs taken during testing.

File                               Description                       Date
ipsec-fct-ikev2-FGT-HQ-623.conf    FortiGate HQ configuration file   05/17/2020
ipsec-fct-ikev2-ike-debug.txt      IKE debug                         05/17/2020
ipsec-fct-ikev2-ike-sniffer.pcap   IKE pcap                          05/17/2020

Bottom Line

This post shows how to configure an IPsec VPN for FortiClient that uses IKEv2 for negotiation and EAP for user authentication. On FortiGate, the tunnel status was checked on both the CLI and the GUI, and the remote user's routing table and pings confirmed that split tunneling to the LAN and DMZ subnets works.


Paul Marin
A Network Security Engineer based in Canada.

2 comments

  • Hi Paul,

    I did literally everything you did and almost everything seems to work.
    The only thing that isn't working is access to the internal resources. The FGT is prompting the user with an "authentication side" and I don't know why. I can type in the same credentials at the authentication side (after the successful VPN dialup) and the firewall rules are matching. If I don't authenticate against the authentication side, none of the firewall policies with user groups are matching.
    Do you have any ideas?
    Thanks in advance.
    Kind regards,
    Dominik

    Dominik Herzog
  • Paul,
    You rock! Worked like a charm. Needed 4 FGTs set up with IKEv2 VPN due to PCI compliance. You saved me a few hours of trying and failing. Thank you.

    David
