simonz_FTNT
Staff
Article Id 278825
Description

This article describes how to configure a FortiGate to accept connections from the Windows native VPN client authenticating with a machine certificate. The guide does not cover how to generate a machine certificate; refer to the Microsoft documentation for that.

Scope

FortiGate.
Solution

Generate and sign a CSR and import the signed certificate to the FortiGate:

  1. On the FortiGate go to System -> Certificates and select Create/Import -> Generate CSR.
  2. Configure the CSR (the values below are an example; change them to reflect the environment):

Certificate Name: vpn.lab.local
ID Type: Domain Name
Domain Name: vpn.lab.local
Subject Alternative Name: DNS:vpn.lab.local

  3. Configure the remaining settings as required, then select OK.
  4. Download the CSR to a location that is accessible to the CA server, in this example: C:\CSR\
  5. Sign the CSR with the local CA server:
    1. Open the command prompt as an administrator and enter the following:

certreq -submit -attrib "CertificateTemplate:WebServer" C:\CSR\vpn.lab.local.csr

The Certification Authority List window opens.

    2. Select the CA and select OK.
    3. Save the signed certificate with a .cer file extension to a location that is accessible from the FortiGate.
  6. Import the signed certificate to the FortiGate:
    1. On the FortiGate, go to System -> Certificates and select Create/Import -> Certificate.
    2. Select Import Certificate.
    3. Set Type to Local Certificate.
    4. Select Upload, then locate and select the signed certificate.
    5. Select Create, then select OK.
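Before importing, it is worth confirming that the CA-signed certificate actually carries the FQDN the Windows client will dial (the article stresses this later) and the Server Authentication EKU that the WebServer template issues. The following PowerShell is an added example and not part of the Fortinet article; the function name, the certificate path and the FQDN are assumptions taken from the article's example values.

```powershell
# Added example (not from the Fortinet article): sanity-check the CA-signed
# gateway certificate before importing it into the FortiGate.
# Path and FQDN are assumptions based on the article's example values.
function Test-VpnServerCertificate {
    param(
        [Parameter(Mandatory)][string]$CertPath,     # e.g. C:\CSR\vpn.lab.local.cer
        [Parameter(Mandatory)][string]$ExpectedFqdn  # name the Windows client will dial
    )

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

    # The client connects by FQDN, so that FQDN must appear in the SAN list.
    $sans = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    $fqdnInSan = $sans -contains $ExpectedFqdn

    # Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1) is what the WebServer
    # template issues and what the Windows IKEv2 client expects on the gateway cert.
    $serverAuthEku = @($cert.EnhancedKeyUsageList.ObjectId) -contains '1.3.6.1.5.5.7.3.1'

    [pscustomobject]@{
        Subject        = $cert.Subject
        Issuer         = $cert.Issuer      # compare with the root CA imported as CA_Cert_1
        NotAfter       = $cert.NotAfter
        SignatureAlg   = $cert.SignatureAlgorithm.FriendlyName
        SANs           = ($sans -join ', ')
        FqdnInSan      = $fqdnInSan
        ServerAuthEku  = $serverAuthEku
        ReadyToImport  = ($fqdnInSan -and $serverAuthEku -and $cert.NotAfter -gt (Get-Date))
    }
}

# Usage with the article's example values (assumed paths):
Test-VpnServerCertificate -CertPath 'C:\CSR\vpn.lab.local.cer' -ExpectedFqdn 'vpn.lab.local'
```

If FqdnInSan comes back False, the client-side "Server name or address" will not match the certificate and the connection will fail at certificate verification; fix the CSR's Subject Alternative Name and re-sign rather than importing the certificate as-is.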

 

Then import the local root CA certificate into the FortiGate, following this article:

Technical Tip: How to export root CA from Certificate Authority Server and import to FortiGate

 

Once the certificates have been imported, enable a PKI peer on the FortiGate so that machine certificates can be verified against the root CA:

 

config user peer
    edit <name>
        set ca "CA_Cert_1" <----- Refer to the above KB article.
    next
end

 

Proceed with VPN configuration in the FortiGate CLI:

 

VPN Phase 1 setting:

 

config vpn ipsec phase1-interface
    edit <name>
        set type dynamic
        set interface "port10" <----- Replace with the WAN interface of choice.
        set ike-version 2
        set authmethod signature
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 xx.xx.xx.xx <----- Point to the AD server DNS.
        set proposal aes128-sha256 aes256-sha256 aes128-sha1
        set localid "vpn.syd.fortilabapac.lab" <----- Set according to the FQDN of the VPN.
        set dpd on-idle
        set dhgrp 14 5 2
        set certificate "vpn.syd.fortilabapac.lab" <----- Replace with the certificate generated from the CSR.
        set peer "NativeDialup_peer" <----- Replace with the user peer name configured previously.
        set ipv4-start-ip 10.100.1.1
        set ipv4-end-ip 10.100.1.150
        set ipv4-split-include "LAN"
        set dpd-retryinterval 60
    next
end

 

VPN Phase 2 setting:

 

config vpn ipsec phase2-interface
    edit <name>
        set phase1name <phase1 name>
        set proposal aes128-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set pfs disable
        set keepalive enable
    next
end

 

Client VPN configuration (Windows 10):

 

Select Start, then select Settings -> Network & Internet -> VPN, and select Add a VPN connection to start the configuration.

 

[Image: win-client-1.JPG]

 

Follow the configuration below, and make sure to use the FQDN in 'Server name or address'; otherwise there will be an error during connection.

 

[Image: win-client-2.JPG]

 

After saving the settings, select 'Change adapter options' to change the connection to use the machine certificate.

 

[Image: win-client-3.JPG]

 

Right-click on VPN connection, and select Properties -> Security. Select Use machine certificate and press OK.

 

[Image: win-client-4.JPG]

 

Go back to Settings -> Network & Internet -> VPN to test the VPN connection.
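The same client connection can be created without the GUI, which is useful when rolling it out to many machines. The PowerShell below is an added example and not part of the Fortinet article; the connection name, the server FQDN and the LAN prefix are assumptions, and the IPsec parameters are chosen to pin the client to the strongest subset of the article's FortiGate proposals (aes128-sha256 with DH group 14 for IKE, aes128-sha256 with no PFS for ESP), which is an assumption about the intended match rather than something the article states.

```powershell
# Added example (not from the Fortinet article): build the Windows 10 native
# IKEv2 machine-certificate connection from PowerShell instead of the Settings app.
# Connection name, FQDN and LAN prefix are assumptions; adjust for the environment.
$ConnectionName = 'Lab VPN'
$ServerFqdn     = 'vpn.lab.local'   # must appear in the SAN of the FortiGate certificate
$LanPrefix      = '192.168.1.0/24'  # assumed prefix behind the FortiGate ("LAN" address object)

# Equivalent of the GUI steps: IKEv2 tunnel, "Use machine certificates" for authentication.
Add-VpnConnection -Name $ConnectionName `
    -ServerAddress $ServerFqdn `
    -TunnelType Ikev2 `
    -AuthenticationMethod MachineCertificate `
    -EncryptionLevel Required `
    -SplitTunneling `
    -Force

# Pin the client proposal so negotiation lands on the stronger entries of the
# article's FortiGate config: IKE aes128-sha256/DH14, ESP aes128-sha256, PFS off.
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName `
    -EncryptionMethod AES128 `
    -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 `
    -CipherTransformConstants AES128 `
    -AuthenticationTransformConstants SHA256128 `
    -PfsGroup None `
    -Force

# With split tunneling the client needs an explicit route for the LAN.
Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $LanPrefix

# Verify the profile, then dial it (rasdial uses the machine certificate, no credentials needed).
Get-VpnConnection -Name $ConnectionName |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, SplitTunneling
rasdial $ConnectionName
```

Run this in an elevated PowerShell session. Set-VpnConnectionIPsecConfiguration is optional; without it Windows uses its default IKEv2 proposal, and the FortiGate will pick whichever of its listed proposals the client offers first.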

 

Troubleshooting:

If there is an issue with the connection, run the following debug commands to check:

 

diagnose debug application ike -1
diagnose debug enable

 

Below is sample output of the certificate verification:

 

ike 0:dialup_cert:10: Validating X.509 certificate
ike 0:dialup_cert:10: peer cert, subject='Computers', issuer='syd-FORTILABAPAC-AD-CA-2'
ike 0:dialup_cert:10: peer ID verified
ike 0:dialup_cert:10: building fnbam peer candidate list
ike 0:dialup_cert:10: FNBAM_GROUP_NAME candidate 'NativeDialup_peer'
ike 0:dialup_cert:10: certificate validation pending
ike 0:dialup_cert:10: fnbam reply 'NativeDialup_peer'
ike 0:dialup_cert:10: fnbam matched peer 'NativeDialup_peer'
ike 0:dialup_cert:10: certificate validation complete
ike 0:dialup_cert:10: certificate validation succeeded
ike 0:dialup_cert:10: signature verification succeeded
ike 0:dialup_cert:10: auth verify done
ike 0:dialup_cert:10: responder AUTH continuation
ike 0:dialup_cert:10: authentication succeeded
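The ike debug at level -1 is verbose, so when several clients are dialling it helps to reduce a capture to the facts that matter for this setup: which certificate the client presented, whether it was matched to the user peer, and whether validation and authentication succeeded. The PowerShell below is an added example and not part of the Fortinet article; the function name is an assumption, and the sample input is the article's own output, embedded here so the function can be run offline.

```powershell
# Added example (not from the Fortinet article): summarise the certificate-
# authentication milestones from 'diagnose debug application ike -1' output.
# Function name is an assumption; the patterns are the lines shown in the article.
function Get-IkeCertAuthSummary {
    param([Parameter(Mandatory)][string[]]$Lines)

    $subject = $null; $issuer = $null; $peer = $null
    $validated = $false; $signatureOk = $false; $authenticated = $false

    foreach ($line in $Lines) {
        if ($line -match "peer cert, subject='([^']*)', issuer='([^']*)'") {
            $subject = $Matches[1]; $issuer = $Matches[2]
        }
        elseif ($line -match "fnbam matched peer '([^']*)'") { $peer = $Matches[1] }
        elseif ($line -match 'certificate validation succeeded') { $validated = $true }
        elseif ($line -match 'signature verification succeeded') { $signatureOk = $true }
        elseif ($line -match 'authentication succeeded')         { $authenticated = $true }
    }

    [pscustomobject]@{
        Subject       = $subject        # CN of the machine certificate presented
        Issuer        = $issuer         # must be the CA bound to the user peer
        MatchedPeer   = $peer           # user peer selected by fnbam, or $null if none matched
        CertValidated = $validated
        SignatureOk   = $signatureOk
        Authenticated = $authenticated
    }
}

# Constructed input: the article's sample debug output pasted into a here-string.
$sample = @'
ike 0:dialup_cert:10: Validating X.509 certificate
ike 0:dialup_cert:10: peer cert, subject='Computers', issuer='syd-FORTILABAPAC-AD-CA-2'
ike 0:dialup_cert:10: peer ID verified
ike 0:dialup_cert:10: building fnbam peer candidate list
ike 0:dialup_cert:10: FNBAM_GROUP_NAME candidate 'NativeDialup_peer'
ike 0:dialup_cert:10: certificate validation pending
ike 0:dialup_cert:10: fnbam reply 'NativeDialup_peer'
ike 0:dialup_cert:10: fnbam matched peer 'NativeDialup_peer'
ike 0:dialup_cert:10: certificate validation complete
ike 0:dialup_cert:10: certificate validation succeeded
ike 0:dialup_cert:10: signature verification succeeded
ike 0:dialup_cert:10: auth verify done
ike 0:dialup_cert:10: responder AUTH continuation
ike 0:dialup_cert:10: authentication succeeded
'@ -split "`r?`n"

Get-IkeCertAuthSummary -Lines $sample
# For a saved capture: Get-IkeCertAuthSummary -Lines (Get-Content .\ike-debug.txt)
```

A result with Subject and Issuer populated but MatchedPeer empty points at the user peer (wrong CA bound, or the certificate chaining to a different issuer) rather than at the phase1 settings; an empty Subject means the client never got as far as presenting a certificate, so the FQDN and server certificate checks on the client side are the place to look first.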