Friday, June 8, 2018

NCP VPN client IKEv2 with FortiOS v6.0

In this blog I will demo the NCP Entry VPN client and a typical IKEv2 connection using "SIGNATURE RSA" authentication, i.e. certificates instead of a pre-shared key. This design was done under FortiOS v6.0.


The NCP client provides detailed logs of VPN client error codes, and has a host of configuration items for IKE/IPsec settings. It's a great client and I've been studying and demoing it for a little over a year now. It can be a great replacement for the macOS native client if you do NOT need L2TP/IPsec.

In this example, the macOS VPN client has an imported PFX/PKCS#12 formatted certificate. It is crucial to include both the user certificate and the root CA certificate in the certificate bundle when building the PFX that you will import into the client and later select.

e.g. how to build a certificate bundle from a Unix shell (user certificate first, then the CA that issued it):

    cat user.crt > myvpncert.pem
    cat rootCA.crt >> myvpncert.pem

Every certificate in the chain that signs the user VPN certificate (the issuing CA and any intermediates) needs to be present, or you will get errors and fail authentication and certificate validation.
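The bundle-and-export step end to end, as an added example that is not part of the original post: it builds a throw-away CA and user certificate, concatenates them into the PEM bundle exactly as described above, exports a PKCS#12 that carries the user certificate, its key and the issuing CA, and then checks that the CA really is inside the .pfx and that the chain verifies. The names socpuppetCA and ken.felix follow the post; the work directory, the passphrase (`changeit`) and the OpenSSL config are assumptions for the example. It needs only the `openssl` CLI.

```shell
#!/bin/sh
# Added example (not from the original post): build a throw-away CA, a user
# certificate, the PEM bundle the post describes, and a PKCS#12 (.pfx) that
# carries the user cert, its key AND the issuing CA, then verify the chain.
# socpuppetCA / ken.felix follow the post; the work dir, passphrase and the
# minimal OpenSSL config below are assumptions. Requires the openssl CLI.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PFX_PASS="${PFX_PASS:-changeit}"   # this passphrase is the "PIN" the NCP client asks for
CNF="$WORK/cert.cnf"

# Minimal OpenSSL config so the script does not depend on the system openssl.cnf.
write_cnf() {
    cat > "$CNF" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[user_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
}

build_pfx() {
    write_cnf
    # 1. Root CA (in a real deployment this already exists).
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config "$CNF" \
        -extensions ca_ext -subj "/CN=socpuppetCA" \
        -keyout "$WORK/rootCA.key" -out "$WORK/rootCA.crt" 2>/dev/null
    # 2. User key and CSR; the CN is what a FortiOS peer 'set subject' can match on.
    openssl req -new -newkey rsa:2048 -nodes -config "$CNF" -subj "/CN=ken.felix" \
        -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null
    # 3. The CA signs the user certificate.
    openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/rootCA.crt" \
        -CAkey "$WORK/rootCA.key" -CAcreateserial -days 30 \
        -extfile "$CNF" -extensions user_ext -out "$WORK/user.crt" 2>/dev/null
    # 4. The bundle from the post: user cert first, then the issuing CA.
    cat "$WORK/user.crt" "$WORK/rootCA.crt" > "$WORK/myvpncert.pem"
    # 5. Export to PKCS#12. Every certificate in -in goes into the pfx, so the
    #    CA rides along; export only user.crt and the client has no issuer to
    #    validate against, which is the auth failure the post warns about.
    openssl pkcs12 -export -inkey "$WORK/user.key" -in "$WORK/myvpncert.pem" \
        -name "ncp-vpn-user" -passout "pass:$PFX_PASS" -out "$WORK/myvpncert.pfx"
}

# Number of certificates inside the pfx (expect 2: user + CA).
pfx_cert_count() {
    openssl pkcs12 -in "$WORK/myvpncert.pfx" -nokeys -passin "pass:$PFX_PASS" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Does the user certificate chain to the CA shipped in the bundle?
verify_chain() {
    openssl verify -CAfile "$WORK/rootCA.crt" "$WORK/user.crt" >/dev/null 2>&1
}

# Subject of the user cert, the string a FortiOS peer 'set subject' is compared against.
user_subject() {
    openssl x509 -in "$WORK/user.crt" -noout -subject
}

build_pfx
echo "pfx at $WORK/myvpncert.pfx holds $(pfx_cert_count) certificate(s)"
echo "subject: $(user_subject)"
verify_chain && echo "chain OK" || echo "chain FAILED"
```

If `pfx_cert_count` reports 1, the CA was left out of the export and the client will fail validation exactly as the post describes; re-export with the bundle (or `-certfile rootCA.crt`) rather than the bare user certificate.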



I have a few open dialogs with the NCP client support team, and they claim it supports all known IPsec IKEv2 RFCs, but I have not been successful in getting the client to send a CFG_REQUEST for IPv6.


Moving on, here's a FortiOS configuration set for a peer with no EAP (no user authentication, no username/password; the client certificate alone authenticates the peer).





In this case we are using a peer group: anybody issued a certificate by socpuppetCA would be authenticated, provided the certificate's subject field contains ken.felix. Without that subject constraint, any certificate from that CA would be accepted, so the constraint is what scopes access to one identity.





On the NCP client we have a few items to configure





FortiOS policy to allow the VPN client to hairpin back out through NAT (the tunnel interface as source, the WAN interface as destination). I'm allowing the services defined below. In a real deployment you might add TLS inspection with URL filtering and AV inspection.





Now we launch the client and wait for a successful connection.





The first time you use the certificate you will be prompted for the certificate PIN. The PIN is the PFX passphrase. Why they call it a PIN, I have no clue.


FortiOS diagnostic commands for tunnel validation.
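The FortiOS side of the procedure above (peer with subject constraint, peer group, certificate-only IKEv2 phase1/phase2 with mode-cfg, the hairpin NAT policy, and the diagnostics to validate the tunnel) written out as an added example; it is not the configuration from the author's screenshots. The interface `wan1`, the certificate names `CA_Cert_1` (the imported socpuppetCA root) and `fgt_vpn_cert` (the FortiGate's own certificate), the pool `10.10.10.1-10.10.10.10`, the proposals and the object names are assumptions. Lines beginning with `#` are annotations, not CLI input.

```text
# Peer: any cert issued by the imported socpuppetCA root whose subject
# contains ken.felix. Drop 'set subject' and every cert from that CA is accepted.
config user peer
    edit "ncp_ken"
        set ca "CA_Cert_1"
        set subject "ken.felix"
    next
end

config user peergrp
    edit "ncp_peergrp"
        set member "ncp_ken"
    next
end

# Addresses handed to clients via mode-cfg; reused as the policy source.
config firewall address
    edit "ncp_modecfg_pool"
        set type iprange
        set start-ip 10.10.10.1
        set end-ip 10.10.10.10
    next
end

# Dial-up IKEv2, certificate (signature) auth, no EAP, no pre-shared key.
config vpn ipsec phase1-interface
    edit "ncp_ikev2"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype peergrp
        set mode-cfg enable
        set proposal aes256-sha256
        set dhgrp 14
        set authmethod signature
        set certificate "fgt_vpn_cert"
        set peergrp "ncp_peergrp"
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.10
        set ipv4-netmask 255.255.255.0
    next
end

config vpn ipsec phase2-interface
    edit "ncp_ikev2_p2"
        set phase1name "ncp_ikev2"
        set proposal aes256-sha256
        set dhgrp 14
    next
end

# Hairpin policy: in from the tunnel interface, NAT out the WAN.
# Scope 'service' to what clients actually need rather than ALL.
config firewall policy
    edit 0
        set name "ncp_vpn_out"
        set srcintf "ncp_ikev2"
        set dstintf "wan1"
        set srcaddr "ncp_modecfg_pool"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS" "HTTP" "HTTPS"
        set nat enable
    next
end

# Validation once the client connects:
diagnose vpn ike gateway list      # IKE SA: peer ID from the cert, version 2, auth method
diagnose vpn tunnel list           # phase2 SAs and the mode-cfg address assigned
# If authentication fails, watch the IKE daemon while the client retries:
diagnose debug application ike -1
diagnose debug enable
# ... reproduce the connection, then turn it off:
diagnose debug disable
diagnose debug reset
```

In the `ike -1` debug, a certificate whose issuer is missing from the client bundle or whose subject does not match the peer's `set subject` shows up as an authentication failure during IKE_AUTH; that is the first place to look when the NCP client reports a certificate or authentication error code.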









I hope this helps those wanting to use basic IKEv2 without EAP authentication. Next up will be IKEv2 certificate authentication with a strongSwan client on Android.









NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o
        /  \
 
