|
This article describes the case when the CN of the peer's certificate is similar or shares a common value, then FortiGate might match the SSL VPN user with the first peer config that has a slimmer CN. As a result, SSL VPN may hit the wrong user group and traffic might hit the wrong firewall policy.
config user peer
edit "pki01"
set ca "CA_Cert_1"
set subject "C=CZ, L=Prague, O=Fortinet, OU=IT Department, CN=testpki, emailAddress=gescom@tenerife.es"
next
edit "pki02"
set ca "CA_Cert_1"
set subject "C=CZ, L=Prague, O=Fortinet, OU=IT Department, CN=ext-testpki1, emailAddress=gescom@tenerife.es"
next
end
Each peer has been enabled in a different group (and has been enabled on a different firewall policy as well):
config user group
edit "pki.group.1"
set member "pki01"
next
edit "pki.group.2"
set member "pki02"
next
end
When both SSL VPN users are connecting with two different certificates (which have different CN), on FortiGate both users matched the first peer 'pki01' since both peers have 'testpki' in common in CN:
FGT # get vpn ssl monitor
SSL-VPN Login Users:
Index User Group Auth Type Timeout Auth-Timeout From HTTP in/out HTTPS in/out Two-factor Auth
0 pki01,cn=testpki pki.group.1 32(1) 291 28723 10.125.5.132 0/0 0/0 0
1 pki01,cn=ext-testpki1 pki.group.1 32(1) 296 28760 10.125.3.40 0/0 0/0 0
SSL VPN sessions:
Index User Group Source IP Duration I/O Bytes Tunnel/Dest IP
0 pki01,cn=testpki pki.group.1 10.125.5.132 77 0/0 10.212.134.200
1 pki01,cn=ext-testpki1 pki.group.1 10.125.3.40 40 0/0 10.212.134.201
|
