Wednesday, September 25, 2019

Fortigate IPSEC site2site with RSA signatures

In this post, I will demonstrate how we can do site2site VPNs using X.509 certificates. To keep the demo environment simple, I did the following.

I set up a vdom-link between 2 VDOMs (custA and root).

We get a CA cert for our signing at Getacert. The root CA was also installed into the firewall.

100k foot view




Okay, so the first thing that typically happens is generating the CSR from the FortiGate. In real life, your CA would be a public or private PKI.

https://www.getacert.com


On each FGT, you would craft a CSR. I like to keep the subject line small and with only a CN value.


This makes it very easy to diagnose the solution. So in this example we are using CN=root and CN=custA.

e.g. (a very basic CSR)



Now, when you have the CSR signed, you can import it back into the FGT and verify the subject line.

e.g


openssl x509 -in fgt-2019-09-23-031604.cer -noout -subject 




Okay brilliant, a simple subject line. Now we will define the peer match statements that check both the root CA and the CN string.


#vdom=custA

config user peer
    edit "root"
        set ca "CA_Cert_2"
        set cn "root"
    next
end

#vdom=root

config user peer
    edit "custA"
        set ca "CA_Cert_2"
        set cn "custA"
    next
end


Okay, let's apply the configurations for phase1 and phase2.


(1st fw)

 (root) # show vpn ipsec phase1-interface vpn1
config vpn ipsec phase1-interface
    edit "vpn1"
        set interface "vlink10"
        set authmethod signature
        set mode aggressive
        set proposal aes128-sha256
        set dhgrp 5
        set remote-gw 10.19.199.2
        set certificate "root"
        set peer "custA"
    next
end

 (root) # show vpn ipsec phase2-interface vpn1-2
config vpn ipsec phase2-interface
    edit "vpn1-2"
        set phase1name "vpn1"
        set auto-negotiate enable
    next
end




(2nd fw is a reverse of the 1st.) The other firewall has the following details:


config vpn ipsec phase1-interface
    edit "vpn2"
        set interface "vlink11"
        set authmethod signature
        set mode aggressive
        set proposal aes128-sha256
        set dhgrp 5
        set remote-gw 10.19.199.1
        set certificate "custA"
        set peer "root"
    next
end

 (custA) # show vpn ipsec phase2-interface
config vpn ipsec phase2-interface
    edit "vpn2-2"
        set phase1name "vpn2"
        set auto-negotiate enable
    next
end


In the FortiOS cfg you have to call up the local certificate (set certificate) and the peer object (set peer) for validating the remote side. Both the root CA and the end-point certificate need to be imported into the FortiGate.








Diagnostic cmds: "diag vpn ike gateway" and "diag vpn tunnel list"




Notice the peer-id is the certificate CN name.




So always double-check the proposal and CN values in your config if you have issues setting up IPsec site2site with RSA signatures.










NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o
        /  \


