Thursday, October 8, 2015

The FortiClient and Cisco VPN (IPsec)

FortiClient is client software that supports a host of functions, two of which are VPN access (IPsec and SSL).

It's developed by Fortinet, but you can use it with a Cisco ASA or router as a dialup VPN client.

You can even use it with pfSense, for example, or with a number of other dialup IPsec VPN devices, if you are willing to edit the XML section under your IPsec connection details and tweak the configuration.

The key to using the client is modifying the XML as required to fit your VPN dialup concentrator. For access to work, these XML tags should be scrutinized and double-checked (you might need to ask your firewall/VPN administrator for guidance):

  • <dhgroup>
  • <localid> (if you are using groups)
  • <proposals> (crypto ciphers are crucial and need to match)

Here's a snippet of a VPN IPsec connection profile for a Cisco device:

And here's our client connected to our VPN:

Some key points:

  • the FortiClient is very versatile as an IPsec client
  • it can be used with FortiGate and non-FortiGate devices, but requires some tweaking
  • XML editing is a must (make a backup before making changes)
  • validate all profile settings (Diffie-Hellman group, proposals, etc.)
  • populate the <localid> if you are using VPN groups in your dialup
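As an added example (not code from the original post or from Fortinet), here is a small validator that reads a FortiClient-style profile and flags the mismatches the key points above warn about. Only the <dhgroup>, <localid> and <proposals> tag names come from the post; the surrounding XML layout, the connection names and the "expected" concentrator values are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed FortiClient-style profile: only the <dhgroup>, <localid> and
# <proposals> tag names come from the post; the surrounding layout is assumed.
PROFILE = """<forticlient_configuration><vpn><ipsecvpn><connections>
  <connection>
    <name>lab-cisco-dialup</name>
    <ike_settings>
      <dhgroup>5</dhgroup>
      <localid>remote-users</localid>
      <proposals>
        <proposal>aes128|sha1</proposal>
        <proposal>3des|md5</proposal>
      </proposals>
    </ike_settings>
  </connection>
  <connection>
    <name>no-group-set</name>
    <ike_settings>
      <dhgroup>14</dhgroup>
      <localid></localid>
      <proposals><proposal>aes256|sha256</proposal></proposals>
    </ike_settings>
  </connection>
</connections></ipsecvpn></vpn></forticlient_configuration>"""

# What the concentrator's dialup group accepts (constructed values, the kind
# of thing you would get from the firewall/VPN administrator).
EXPECTED = {"dhgroups": {"2", "5"}, "proposals": {"aes128|sha1", "aes256|sha1"},
            "group": "remote-users"}

def check_connection(conn, expected):
    """Return a list of mismatch findings for one <connection> element."""
    findings = []
    dh = (conn.findtext(".//dhgroup") or "").strip()
    if dh not in expected["dhgroups"]:
        findings.append(f"dhgroup {dh or '<missing>'} not in {sorted(expected['dhgroups'])}")
    # Phase 1 only succeeds if at least one offered proposal is acceptable.
    offered = {p.text.strip().lower() for p in conn.iterfind(".//proposals/proposal") if p.text}
    if not offered & expected["proposals"]:
        findings.append(f"no common proposal: client offers {sorted(offered)}")
    # A concentrator that selects the tunnel/dialup group by ID needs <localid>.
    localid = (conn.findtext(".//localid") or "").strip()
    if expected["group"] and localid != expected["group"]:
        findings.append(f"localid {localid or '<empty>'} != group {expected['group']}")
    return findings

def check_profile(xml_text, expected=EXPECTED):
    """Map each connection name to its findings (empty list means it passes)."""
    root = ET.fromstring(xml_text)
    return {c.findtext("name", "?"): check_connection(c, expected) for c in root.iter("connection")}
```

Run it against the exported profile before dialing in; an empty findings list for a connection means the three settings the post lists agree with what the concentrator side expects.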



Error diagnostics from the client are cryptic in nature, but you can get good feedback from the diagnostics and by downloading the IPsec logs.

Here are a few warnings, based on my experience:

(mismatched pre-shared key)

(mismatch in either the IKE or IPsec DH group or cipher proposal)

The FortiClient does not support IKEv2.

If the PSK does not match, you will never make it to user authentication (eXtended Authentication, aka XAUTH).

I've never had any luck with defining <FQDN mypeerid> on pfSense and using the name@domain format; use the KeyID tag.


Ken Felix
NSE (Network Security Expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(  @  @ )=
         o 
        /  \

9 comments:

  1. Hey, great doc, but where are the XML config files?

  2. When you export the configuration, the output is written to a file that you name, in XML format. This is on the full client (not the IPsec/SSL-only client).

    So just export the configuration to your own directory, with or without a password. It's great to make backups and encrypt them. I've been using the same passphrase on my backups for a few years now ;)

  3. Well, using a Cisco ASA 9.2.4, IKE proposals are not accepted.
    Landing on the proper tunnel-group (localid).
    The ASA claims all SA proposals are found unacceptable.

    Will have to work on this.
    Does anyone have a snippet of their configuration with an ASA, by any chance?

  4. Wow, this is not a good blog. Where are the configuration details on the Cisco side? Where do I configure the group?

  5. I didn't realize I was Cisco support TAC. You have numerous Cisco-provided configurations or HOWTOs.

  6. I might be missing something. I am connecting to a Cisco router. The FortiClient fails to connect with a fairly generic error. Looking at the debug on the router, it seems to pass the phase 1 negotiation, then fails at what I think is phase 2. See below for an extract from the log.

    467845: *Apr 9 16:54:10.913 AEST: ISAKMP/author: Author request for group successfully sent to AAA
    467846: *Apr 9 16:54:10.913 AEST: ISAKMP:(2409):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
    467847: *Apr 9 16:54:10.913 AEST: ISAKMP:(2409):Old State = IKE_P1_COMPLETE New State = IKE_CONFIG_AUTHOR_AAA_AWAIT

    467848: *Apr 9 16:54:10.917 AEST: AAA/AUTHOR/IKMP/LOCAL: group does not exist

    I note that the top line "Author request for group" should then include the group name or "localid" from the FortiClient. It seems it is not being passed on during phase 2. Does anyone have any advice?

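As an added example (not from the commenter or the post), here is a small triage helper that reads the router debug extract quoted in the comment above, records the ISAKMP state transitions per SA, and reports whether the failure happened after phase 1 completed. The log lines are the ones quoted in the comment; the assumption that a group name, when present, appears between "for group" and "successfully sent" follows the commenter's reading of that line and is not taken from Cisco documentation.

```python
import re

# Router debug extract quoted in the comment above, verbatim, used as sample input.
DEBUG_LOG = """467845: *Apr 9 16:54:10.913 AEST: ISAKMP/author: Author request for group successfully sent to AAA
467846: *Apr 9 16:54:10.913 AEST: ISAKMP:(2409):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
467847: *Apr 9 16:54:10.913 AEST: ISAKMP:(2409):Old State = IKE_P1_COMPLETE New State = IKE_CONFIG_AUTHOR_AAA_AWAIT
467848: *Apr 9 16:54:10.917 AEST: AAA/AUTHOR/IKMP/LOCAL: group does not exist
"""

STATE_RE = re.compile(r"ISAKMP:\((\d+)\):Old State = (\S+) New State = (\S+)")
# Assumption (the commenter's reading of the line): the group name, if any,
# sits between "for group" and "successfully sent".
AUTHOR_RE = re.compile(r"Author request for group\s+(.*?)\s*successfully sent to AAA")
FAIL_RE = re.compile(r"AAA/AUTHOR/IKMP/LOCAL: (.+)$")

def triage_isakmp(log_text):
    """Summarise per-SA state transitions and the first AAA authorization failure."""
    transitions = {}   # SA id -> list of (old_state, new_state)
    group_names = []   # group names seen in author requests ("" when absent)
    failure = None
    for line in log_text.splitlines():
        m = STATE_RE.search(line)
        if m:
            transitions.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
            continue
        m = AUTHOR_RE.search(line)
        if m:
            group_names.append(m.group(1))
            continue
        m = FAIL_RE.search(line)
        if m and failure is None:
            failure = m.group(1).strip()
    phase1_done = any(old == "IKE_P1_COMPLETE"
                      for hops in transitions.values() for old, _ in hops)
    if phase1_done and failure:
        verdict = "phase 1 ok, failed at group authorization: " + failure
        if "" in group_names:
            verdict += " (no group name in the author request; check <localid>)"
    elif phase1_done:
        verdict = "phase 1 ok, no AAA failure seen"
    else:
        verdict = "phase 1 not completed; check PSK, dhgroup and proposals"
    return {"transitions": transitions, "group_names": group_names,
            "failure": failure, "verdict": verdict}
```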
  7. If I use Main Mode, the SA proposals work; however, it lands on the DefaultRAGroup instead of the localid I specified in the XML. If I use aggressive mode, none of the SAs are found acceptable (but it correctly lands on the right group).

  8. This comment has been removed by the author.

  9. Jonathan, what are you connecting to? ASA or router? Have you tried adding, for a test, more suitable cipher combinations on the Cisco side?

    e.g.

    AES128-sha1
    AES128-md5

    Also, I wanted to add: you are going to have to debug your IKE request to see what's being sent. I'm guessing different FortiClient versions have differences in what they are sending and in whether they are honoring the proposal tag lists.

    YMMV, but you have to hack around. If the Cisco device uses a group name, then that will require a localid to be presented (just having the shared PSK is not enough).

    For the difference in what you're finding with main/aggressive mode, maybe this link and the graphical representation will explain a few items (look at the 6 vs. 3 steps and the last tab for SA establishment):

    https://supportforums.cisco.com/document/31741/main-mode-vs-aggressive-mode