mbernatek
Staff
Article Id 195470
Description
This article explains how to configure IKEv2 IPsec VPN with Windows Phone 8.1 and Windows 8.1 using user credentials.

Solution
Windows Phone 8.1 supports IPsec VPN in two modes:
•    IKEv2 IPsec VPN
•    L2TP/IPsec VPN
IKEv2 IPsec VPN is the preferred configuration on FortiGate devices.

For user authentication the Extensible Authentication Protocol, also known as “EAP”, is used. Two methods are supported:
•    Username and password [PEAP-MSCHAPv2]
•    Certificate [EAP-TLS]
This guide explains the 'username and password' option.

When EAP is used with Windows Phone, the FortiGate must authenticate itself with a certificate during the IKEv2 exchange.

The root certificate of the Certificate Authority that signed the FortiGate VPN certificate must therefore be imported on the Windows Phone. This step may not be needed if the certificate was issued by a well-known public Certificate Authority whose root the phone already trusts.

Network diagram

WP8.1 users === (port1)[FGVM-5.2](port2)  === LAN

Prerequisites
- Imported root CA certificate on FortiGate
- Imported certificate on FortiGate and signed by CA
- Imported root CA certificate on Windows Phone

FortiGate configuration

1) Create local user and group
config user local
    edit local\\user1
        set type password
        set passwd pass1
    next
end
config user group
    edit GRP-ipsec
        set member local\\user1
    next
end

2) Configure IPsec phase 1
config vpn ipsec phase1-interface
    edit "ipsec-clients"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set authmethod signature
        set mode-cfg enable
        set ipv4-dns-server1 8.8.8.8
        set ipv4-dns-server2 8.8.4.4
        set proposal aes256-sha1 aes256-sha256 aes128-sha1 aes128-sha256
        set dhgrp 15 14 2
        set eap enable
        set eap-identity send-request
        set authusrgrp "GRP-ipsec"
        set certificate "FG-certificate"
        set ipv4-start-ip 172.16.10.10
        set ipv4-end-ip 172.16.10.100
        set ipv4-netmask 255.255.255.0
    next
end

3) Configure IPsec phase 2
config vpn ipsec phase2-interface
    edit "ipsec-clients-p2"
        set phase1name "ipsec-clients"
        set proposal aes256-sha1 aes256-sha256 aes128-sha1 aes128-sha256
        set dhgrp 15 14 2
        set keylifeseconds 1800
    next
end

The main IPsec configuration is now complete. Traffic will not pass through the tunnel until a firewall policy from the tunnel interface to the LAN exists.

4) Configure address objects
config firewall address
    edit LAN
        set associated-interface "port2"
        set subnet 10.10.0.0 255.255.252.0
    next
    edit LAN-IPsec-Clients
        set associated-interface "ipsec-clients"
        set subnet 172.16.10.0 255.255.255.0
    next
end

5) Configure firewall policy
config firewall policy
    edit 0
        set srcintf "ipsec-clients"
        set dstintf "port2"
        set srcaddr "LAN-IPsec-Clients"
        set dstaddr "LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
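To sanity-check the configuration above before testing with a phone, here is an added Python example, not part of the original article or of FortiOS, that parses the CLI blocks and verifies the EAP-specific phase1 settings and that the mode-cfg address pool sits inside the address object bound to the tunnel interface (otherwise the firewall policy never matches client traffic). The embedded configuration is a constructed subset of this article's own blocks.

```python
import ipaddress
# Constructed sample: only the lines from this article's phase1 and address blocks that the check reads.
SAMPLE = """config vpn ipsec phase1-interface
    edit "ipsec-clients"
        set ike-version 2
        set authmethod signature
        set eap enable
        set authusrgrp "GRP-ipsec"
        set certificate "FG-certificate"
        set ipv4-start-ip 172.16.10.10
        set ipv4-end-ip 172.16.10.100
    next
end
config firewall address
    edit LAN-IPsec-Clients
        set associated-interface "ipsec-clients"
        set subnet 172.16.10.0 255.255.255.0
    next
end"""
def parse_fortios(text):
    """Return {table: {entry: {key: value}}} from a FortiOS CLI dump (config/edit/set)."""
    tables, table, entry = {}, None, None
    for line in text.splitlines():
        tok = line.strip().split(None, 1)
        if len(tok) == 2 and tok[0] == "config":
            table = tables.setdefault(tok[1], {})
        elif len(tok) == 2 and tok[0] == "edit" and table is not None:
            entry = table.setdefault(tok[1].strip('"'), {})
        elif len(tok) == 2 and tok[0] == "set" and entry is not None:
            key, _, val = tok[1].partition(" ")
            entry[key] = val.replace('"', "")
    return tables

def check_eap_phase1(cfg):
    """Findings for each EAP dial-up phase1 per the article; an empty list means it checks out."""
    findings = []
    for name, p1 in cfg.get("vpn ipsec phase1-interface", {}).items():
        if p1.get("eap") != "enable":
            continue  # not an EAP tunnel, the article's requirements do not apply
        for key, want in (("ike-version", "2"), ("authmethod", "signature"), ("certificate", ""), ("authusrgrp", "")):
            if not p1.get(key) or (want and p1[key] != want):
                findings.append(f"{name}: {key} must be set{' to ' + want if want else ''} for EAP clients")
        # The mode-cfg pool must lie inside an address object bound to this tunnel interface.
        first, last = (ipaddress.ip_address(p1[k]) for k in ("ipv4-start-ip", "ipv4-end-ip"))
        bound = [ipaddress.ip_network(a["subnet"].replace(" ", "/"), strict=False)
                 for a in cfg.get("firewall address", {}).values()
                 if a.get("associated-interface") == name and "subnet" in a]
        if not any(first in n and last in n for n in bound):
            findings.append(f"{name}: no address object on this interface covers {first}-{last}")
    return findings
```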

Windows Phone configuration

1.    Go to “Settings > VPN” and select + to add a new profile
2.    Enter the server name or IP address
3.    Select type “IKEv2”
4.    Select username+password in “Connect using”
5.    Set “User name” to local\user1
6.    Set the password to pass1
7.    Configure the rest of the settings

For more information about Windows Phone VPN configuration refer to the document 'Try it out: Windows Phone 8.1 VPN' on the Microsoft site.

Notes:

1. Windows Phone VPN support is designed for Enterprise usage. It expects credentials in the form “domain\username” to work properly. This is why the user in this guide is set to “local\user1”, since local authentication is used.

If only “user1” is used as the credential on the Windows Phone, the phone sends the username as “Windows Phone\user1”, and a user with exactly that name must then exist on the FortiGate for authentication to match.

For Enterprise deployment, configure the user group with one of the remote authentication options (RADIUS, LDAP).

2. The configuration for desktop Windows 8.1 is the same, except that Windows 8.1 does not prepend any domain to the username when the machine is not joined to a domain.


Refer also to the document 'FortiOS Certificate Management' which is available in the Fortinet Document Library.
