Thursday, October 8, 2015

The FortiClient and Cisco VPN ( IPsec )

FortiClient is client software that supports a host of functions, two of which are VPN access ( IPsec & SSL ).

It's developed by Fortinet, but you can use it with a Cisco ASA or router as a dialup VPN client.

You can even use it with pfSense, for example, or just about any other dialup IPsec VPN device, if you care to edit the XML section under your IPsec connection details and tweak the configuration.

The key to using the client is to modify the XML as required to fit your VPN dialup concentrator. For access, these XML tags should be scrutinized and double-checked ( you might need to ask your firewall/VPN administrator for guidance ):

  • <dhgroup>
  • <localid> ( if you're using groups )
  • <proposals> ( crypto ciphers are crucial and need to match )

Here's a snippet of a VPN IPsec connection profile for a Cisco device:

And here's our client connected to our VPN:

Some key points:

  • the FortiClient is very versatile as an IPsec client
  • it can be used with FortiGates and non-FortiGates, but requires some tweaking
  • XML editing is a must ( make a backup before making changes )
  • validate all profile settings ( Diffie-Hellman group, proposals, etc. )
  • populate the <localid> if you're using VPN groups in your dialup
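The tag checks above can be done before ever dialing in. The script below is an added example written for this post, not FortiClient's own tooling or schema: it parses a FortiClient-style profile export and compares the three tags the post names against what the gateway is configured to accept. Only the tag names <dhgroup>, <localid> and <proposals> come from the post; the enclosing elements, the <proposal> child element, the "enc-hash" spelling of a proposal and the gateway policy values are assumptions made so the sample is self-contained.

```python
"""Pre-flight check of a FortiClient-style IPsec profile against what the
gateway accepts, so dhgroup / proposal / localid mismatches are caught
before the client's cryptic negotiation errors appear.

Added example for this post; not FortiClient's own tooling. Only the tag
names <dhgroup>, <localid> and <proposals> come from the post; the
enclosing elements, the <proposal> child element and the "enc-hash"
proposal spelling are assumptions made so the sample parses.
"""
import xml.etree.ElementTree as ET

# Constructed sample of an exported profile (layout assumed, see above).
SAMPLE_PROFILE = """<forticlient_configuration>
  <vpn>
    <ipsecvpn>
      <connections>
        <connection>
          <name>cisco-dialup</name>
          <ike_settings>
            <server>vpn.example.net</server>
            <localid>MYGROUP</localid>
            <dhgroup>2</dhgroup>
            <proposals>
              <proposal>aes128-sha1</proposal>
              <proposal>3des-md5</proposal>
            </proposals>
          </ike_settings>
        </connection>
      </connections>
    </ipsecvpn>
  </vpn>
</forticlient_configuration>
"""

# What the gateway side is configured to accept (constructed; in practice
# this comes from the firewall/VPN administrator, as the post advises).
GATEWAY_POLICY = {
    "dhgroups": {5, 14},
    "proposals": {"aes256-sha256", "aes128-sha1"},
    "requires_localid": True,   # gateway selects the dialup group by peer ID
}


def parse_profile(xml_text):
    """Return one dict per <connection> with the three tags the post names."""
    root = ET.fromstring(xml_text)
    connections = []
    for conn in root.iter("connection"):
        ike = conn.find("ike_settings")
        if ike is None:
            continue
        dh_text = (ike.findtext("dhgroup") or "").replace(";", " ")
        connections.append({
            "name": (conn.findtext("name") or "").strip(),
            "localid": (ike.findtext("localid") or "").strip(),
            # accept "5" as well as "5 14" / "5;14": a list of DH group numbers
            "dhgroups": {int(tok) for tok in dh_text.split() if tok.isdigit()},
            "proposals": [p.text.strip() for p in ike.iter("proposal") if p.text],
        })
    return connections


def check_connection(conn, policy):
    """Return a list of mismatch findings (empty means the profile should negotiate)."""
    findings = []
    # Phase 1 DH group: client and gateway need at least one group in common.
    if not conn["dhgroups"] & policy["dhgroups"]:
        findings.append(
            f"dhgroup mismatch: client offers {sorted(conn['dhgroups'])}, "
            f"gateway accepts {sorted(policy['dhgroups'])}")
    # Cipher/hash proposals: the gateway must accept at least one of them.
    common = [p for p in conn["proposals"] if p in policy["proposals"]]
    if not common:
        findings.append(
            f"proposal mismatch: client offers {conn['proposals']}, "
            f"gateway accepts {sorted(policy['proposals'])}")
    # Dialup groups: without a localid the gateway cannot pick the group.
    if policy["requires_localid"] and not conn["localid"]:
        findings.append("localid missing: gateway selects the dialup group by peer ID")
    return findings


if __name__ == "__main__":
    for conn in parse_profile(SAMPLE_PROFILE):
        problems = check_connection(conn, GATEWAY_POLICY)
        print(conn["name"], "->", problems or "no mismatches found")
```

Run against the sample, the only finding is the DH group (the client offers group 2, the gateway accepts 5 and 14), which is exactly the kind of mismatch the client otherwise reports only as a cryptic phase 1 warning.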

Error diagnostics from the client are cryptic in nature, but you can get good feedback from the diagnostics and by downloading any IPsec logs.

Here are a few warnings based on my experience:

( mismatched pre-shared key )

( mismatch in either the IKE or IPsec DH group or cipher proposal )

The FortiClient does not support IKEv2.

If the PSK does not match, you will never make it to user authentication ( eXtended Authentication, aka XAUTH ).

I've never had any luck with defining <FQDN mypeerid> on pfSense and using the name@domain format; use the keytagID.

Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(  @  @ )=
        /  \


  1. Hey great doc, but where are the xml config files?

  2. When you export the configuration, the output is in a file that you name, in XML format. This is on the full client ( not the IPsec/SSL-only client ).

    So just export the configuration to your own directory, with or without a password. It's great to make backups, and encrypted ones. I've been using the same passphrase on my backups for a few years now ;)

  3. Well, using a Cisco ASA 9.2.4, IKE proposals are not accepted.
    Landing on the proper tunnel-group (localid).
    ASA claims all SA proposals are found unacceptable.

    Will have to work on this.
    Anyone have a snippet of their configuration with an ASA by any chance?

  4. Wow, this is not a good blog. Where are the configuration details on the Cisco side? Where do I configure the group?

  5. I didn't realize I was Cisco support TAC. You have numerous Cisco-provided configurations or HOWTOs.

  6. I might be missing something. I am connecting to a Cisco router. The FortiClient fails to connect with a fairly generic error. Looking at the debug on the router, it seems to pass the phase 1 negotiation, then fails at what I think is phase 2. See below for an extract from the log.

    467845: *Apr 9 16:54:10.913 AEST: ISAKMP/author: Author request for group successfully sent to AAA
    467846: *Apr 9 16:54:10.913 AEST: ISAKMP:(2409):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
    467847: *Apr 9 16:54:10.913 AEST: ISAKMP:(2409):Old State = IKE_P1_COMPLETE New State = IKE_CONFIG_AUTHOR_AAA_AWAIT

    467848: *Apr 9 16:54:10.917 AEST: AAA/AUTHOR/IKMP/LOCAL: group does not exist

    I note that the top line "Author request for group" should then include the group name or "localid" from the FortiClient. It seems it is not being passed on during phase 2. Does anyone have any advice?

  7. If I use Main Mode the SA proposals work; however, it lands on the DefaultRAGroup instead of the localid I specified in the XML. However, if I use aggressive mode none of the SAs are found acceptable (but it correctly lands on the right group).

  8. This comment has been removed by the author.

  9. Jonathan, what are you connecting to? ASA or router? Have you tried adding, for a test, more suitable cipher combinations on the Cisco side?

    Also I wanted to add, you are going to have to debug your IKE request to see what's being sent. I'm guessing different FortiClient versions have differences in what they are sending and whether they are honoring the proposal tag lists.

    YMMV, but you have to hack around. If the Cisco device uses a group name then that will require a localid to be presented ( just having the shared PSKs is not enough ).

    For the difference in what you're finding with main/aggressive mode, maybe this link and the graphical representation will explain a few items ( look at the 6 vs 3 steps and the last tab for SA establishment ).

  10. 5/17/2018 4:17:20 PM Debug VPN 0483b37e 18f01155 00000000 00000000 01100400 00000000 00000210 040000b4 00000001 00000001 000000a8 01010004 03000028 01010000 800b0001 000c0004 00015180 80010007 800e0080 80030001 80020001 80040002 03000028 02010000 800b0001 000c0004 00015180 80010007 800e0080 80030001 80020001 80040005 03000028 03010000 800b0001 000c0004 00015180 80010007 800e0080 80030001 80020002 80040002 00000028 04010000 800b0001 000c0004 00015180 80010007 800e0080 80030001 80020002 80040005 0a000084 9e77ff53 5eaeffe6 fae1a1bd 0ab14ab5 626fa056 d085a4a8 50366f97 03ee5df9 f6dc78d4 20846790 39d62aca b5affe80 2135377c 5620f032 588f0d33 51b68112 a6f2c6bb 3739bdd6 4866d74f 3c897a8d d21a1bf2 606c467f fc9bff53 851d6218 6716f736 4d7f3622 0eab515d bf8ee10a 15ef64f5 6092d48c 683a1c2f ecb536d2 05000014 8d208777 5c31a70c 29a1df21 ec01001a 0d000010 02000000 50726f73 65677572 0d000014 12f5f28c 457168a9 702d9fe2 74cc0100 0d000014 4a131c81 07035845 5c5728f2 0e95452f 0d000014 cd604643 35df21f8 7cfdb2fc 68b6a448 0d000014 90cb8091 3ebb696e 086381b5 ec427
    5/17/2018 4:17:20 PM Debug VPN resend phase1 packet 0483b37e18f01155:0000000000000000
    5/17/2018 4:17:20 PM Debug VPN CHKPH1THERE: no established ph1 handler found
    5/17/2018 4:17:21 PM Debug VPN (repeated 2 times in last 2 sec) CHKPH1THERE: no established ph1 handler found
    5/17/2018 4:17:23 PM Debug VPN phase1 negotiation failed due to time up. 0483b37e18f01155:0000000000000000
    5/17/2018 4:17:23 PM Warning VPN id=96561 msg=" locport=500 remip=WWW.XXX.YYY.ZZZ remport=500 outif=0 vpntunnel=Group_Name status=negotiate_error No response from the peer, phase1 retransmit reaches maximum count..." vpntunnel=Group_Name vpntype=ipsec
    5/17/2018 4:17:23 PM Debug VPN an undead schedule has been deleted.
    5/17/2018 4:17:26 PM Debug Scheduler handle_processtermination() called
    5/17/2018 4:17:26 PM Debug Scheduler child process terminates normally
    5/17/2018 4:17:28 PM Debug VPN FortiSslvpn: 3812: fortissl_getstatus(36549) called

    1. Contact at my email on the blog and I can look over the cfg for ipsec
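The two logs quoted in comments 6 and 10 show the same dialup sequence failing at different stages: the IOS router completes phase 1 and then cannot find the group, while the FortiClient never gets a phase 1 reply at all. The script below is an added example written for this post (not a tool of the post's author, Fortinet or Cisco) that triages such logs: it tags each known message with the stage it belongs to, checks whether the IOS authorization request carried a group name, and flattens the key=value fields of the FortiClient warning line. The sample lines are the ones quoted in the comments; the stage names and hints are this example's own classification, following the post's key points (PSK, DH group/proposals, localid).

```python
"""Triage of IKEv1 dialup negotiation logs from both ends of the tunnel.

Added example for this post, not a tool of the post's author, Fortinet or
Cisco. Sample lines are the ones quoted in comments 6 and 10 above (Cisco
IOS ISAKMP debug and the FortiClient VPN log); the stage names and hints
are this example's own classification.
"""
import re

IOS_DEBUG = """\
467845: *Apr 9 16:54:10.913 AEST: ISAKMP/author: Author request for group successfully sent to AAA
467846: *Apr 9 16:54:10.913 AEST: ISAKMP:(2409):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
467847: *Apr 9 16:54:10.913 AEST: ISAKMP:(2409):Old State = IKE_P1_COMPLETE New State = IKE_CONFIG_AUTHOR_AAA_AWAIT
467848: *Apr 9 16:54:10.917 AEST: AAA/AUTHOR/IKMP/LOCAL: group does not exist
"""

FORTICLIENT_LOG = """\
5/17/2018 4:17:20 PM Debug VPN resend phase1 packet 0483b37e18f01155:0000000000000000
5/17/2018 4:17:20 PM Debug VPN CHKPH1THERE: no established ph1 handler found
5/17/2018 4:17:23 PM Debug VPN phase1 negotiation failed due to time up. 0483b37e18f01155:0000000000000000
5/17/2018 4:17:23 PM Warning VPN id=96561 msg=" locport=500 remip=WWW.XXX.YYY.ZZZ remport=500 outif=0 vpntunnel=Group_Name status=negotiate_error No response from the peer, phase1 retransmit reaches maximum count..." vpntunnel=Group_Name vpntype=ipsec
"""

# (pattern, stage, hint): which stage of the dialup sequence the line
# reports on and what to check first.  Stages follow the post: phase 1
# (PSK, DH group, proposals) before group selection (localid) before XAUTH.
SIGNATURES = [
    (re.compile(r"Old State = IKE_P1_COMPLETE"), "phase1-ok",
     "phase 1 completed, so the PSK and phase 1 proposal are not the problem"),
    (re.compile(r"AAA/AUTHOR/IKMP/LOCAL: group does not exist"), "group-lookup",
     "gateway found no dialup group for the peer ID: compare <localid> with the group name on the gateway"),
    (re.compile(r"CHKPH1THERE: no established ph1 handler found"), "phase1-timeout",
     "no phase 1 SA yet; normal while retransmitting, a problem if it persists"),
    (re.compile(r"phase1 negotiation failed due to time up|phase1 retransmit reaches maximum count"),
     "phase1-timeout",
     "peer never answered phase 1: check reachability on UDP/500 and that dhgroup and "
     "proposals match, since some gateways silently drop proposals they reject"),
]

# The IOS authorization request may carry the group name after "group".
AUTHOR_RE = re.compile(r"Author request for group\s+(?:(\S+)\s+)?successfully")

# key=value pairs; a quoted value (msg="...") may itself contain more pairs.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_kv(line):
    """Flatten key=value fields, descending into quoted values such as msg="..."."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            inner = value[1:-1]
            fields[key] = inner.strip()
            fields.update(parse_kv(inner))
        else:
            fields[key] = value
    return fields


def triage(log_text):
    """Classify a negotiation log; the last matching line decides the stage."""
    result = {"stage": None, "group": None, "notes": [], "fields": {}}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for pattern, stage, hint in SIGNATURES:
            if pattern.search(line):
                result["stage"] = stage
                if hint not in result["notes"]:
                    result["notes"].append(hint)
        m = AUTHOR_RE.search(line)
        if m:
            result["stage"] = "group-lookup"
            result["group"] = m.group(1)   # None: request carried no group name
            if m.group(1) is None:
                result["notes"].append(
                    "authorization request carries no group name: check that the client presents a <localid>")
        if "status=" in line:
            result["fields"].update(parse_kv(line))
    return result


if __name__ == "__main__":
    for name, text in (("IOS router", IOS_DEBUG), ("FortiClient", FORTICLIENT_LOG)):
        r = triage(text)
        print(name, "stage:", r["stage"], "group:", r["group"])
        for note in r["notes"]:
            print("  -", note)
```

On the router log the result is stage group-lookup with no group name in the authorization request, which points at the localid rather than the PSK or proposals; on the FortiClient log it is stage phase1-timeout with vpntunnel=Group_Name and status=negotiate_error pulled out of the warning line, which points back at reachability and the phase 1 proposal set.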