In this blog I will demo the NCP Entry vpnclient and a typical IKEv2 connection using "SIGNATURE RSA", aka certificate authentication. This design was done under FortiOS v6.0.
The NCP client provides numerous log details on vpnclient error codes, and has a host of configuration items for IKE/IPsec settings. It's a great client and I've been studying and demo'ing it for a little over a year now. It's a client that can be a great replacement for the macOS native client if you do NOT need L2TP/IPsec.
In this example, the macOS vpnclient has an imported pfx/PKCS#12 formatted cert. It's crucial to add the user cert and the root CA certificate into the cert bundle when building the pfx that you will load and later call up.
e.g. (how to build the cert bundle from a unix shell; user cert first, then the CA that signed it):
cat user.crt > myvpncert.pem
cat rootCA.crt >> myvpncert.pem
The certificate that signed the user VPN certificate needs to be present in the bundle, or you will get errors and fail authentication and validation.
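The bundle-and-pfx procedure above carried end to end, as an added example that is not part of the original post. It generates a throwaway CA and user certificate so it runs offline (in a real deployment the user key/CSR come from the client and socpuppetCA signs it), builds myvpncert.pem exactly as above, exports the pfx the NCP client imports, and then checks that the CA chain actually made it into the pfx, which is the failure the post warns about. The CA name socpuppetCA, the subject ken.felix, the file names and the PIN value are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): build the cert bundle and the
# pfx/PKCS#12 file the NCP client imports, then verify the chain is inside it.
# Names (socpuppetCA, ken.felix, vpn.pfx, the PIN) are assumptions for the demo.
set -e

WORK="${WORK:-$(mktemp -d)}"
PIN="${PIN:-changeme}"   # the pfx passphrase; the NCP client prompts for it as the cert "PIN"

# Demo CA and user certificate, constructed locally only so the script is self-contained.
make_demo_certs() {
    cd "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout rootCA.key -out rootCA.crt -subj "/CN=socpuppetCA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout user.key -out user.csr -subj "/CN=ken.felix" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 365 -in user.csr \
        -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out user.crt >/dev/null 2>&1
}

# The step from the post: user cert first, then the CA that signed it.
build_bundle() {
    cd "$WORK"
    cat user.crt > myvpncert.pem
    cat rootCA.crt >> myvpncert.pem
}

# Export the pfx. Because the bundle holds more than one cert, openssl pkcs12 uses
# the one matching user.key as the client cert and packs the rest as extra (chain)
# certs, which is what the client needs to present/validate a full chain.
export_pfx() {
    cd "$WORK"
    openssl pkcs12 -export -inkey user.key -in myvpncert.pem \
        -out vpn.pfx -passout "pass:$PIN"
}

# Check 1: does the user cert really chain to the CA we bundled?
chain_is_valid() {
    cd "$WORK"
    openssl verify -CAfile rootCA.crt user.crt >/dev/null 2>&1
}

# Check 2: number of certs that come back out of the pfx. Must be 2 (user + root CA).
# A bundle missing the CA yields 1, which is the auth/validation failure described above.
pfx_cert_count() {
    cd "$WORK"
    openssl pkcs12 -in vpn.pfx -nokeys -passin "pass:$PIN" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Check 3: the subject the FortiGate peer object will be matched against.
pfx_subject() {
    cd "$WORK"
    openssl pkcs12 -in vpn.pfx -nokeys -clcerts -passin "pass:$PIN" 2>/dev/null \
        | openssl x509 -noout -subject
}

# Usage: sh build_pfx.sh run
if [ "${1:-}" = "run" ]; then
    make_demo_certs; build_bundle; export_pfx
    chain_is_valid && echo "chain OK"
    echo "certs in pfx: $(pfx_cert_count)"
    pfx_subject
    echo "pfx written to $WORK/vpn.pfx"
fi
```

Run it with `run` as the first argument; the cert count check is the one to keep around, since it catches a bundle that was built from user.crt alone before you ever import it into the client.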
I have a few open dialogs with the support team on the NCP client, and they claim it supports all known IPsec IKEv2 RFCs, but I have not been successful in getting the client to send a CFG_REQUEST for IPv6.
Moving on, here's a FortiOS configuration set for a peer with no EAP (no user auth, no username/password).
In this case we are using a peer group, so anybody issued a certificate by socpuppetCA would be authenticated, provided their subject field contains ken.felix. That subject match is what keeps every other certificate from the same CA out.
On the NCP client we have a few items to configure.
A FortiOS policy is needed to allow the VPN client traffic to turn around (NAT) and get back out. I'm allowing the services defined below. In a real deployment you might add TLS inspection with URL/AV inspection.
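As an added example (the original post's configuration is not reproduced on this page, so this is not it), a FortiOS 6.0 CLI fragment that implements the setup described above: a peer object tied to the socpuppetCA certificate and the ken.felix subject, a peer group holding it, an IKEv2 dynamic phase1 using signature authentication with EAP disabled, a phase2, and the outbound NAT policy. Object names (socpuppets-ken, ncp-cert-peers, ncp-ike2, fgt-vpn-cert, wan1), the mode-config address pool and the service list are assumptions; substitute your own.

```fortios
# Peer: any cert chaining to the imported socpuppetCA CA object AND whose
# subject CN matches ken.felix. Drop the cn line and every cert from that CA
# would be accepted, which is rarely what you want.
config user peer
    edit "socpuppets-ken"
        set ca "socpuppetCA"
        set cn-type string
        set cn "ken.felix"
    next
end

# Peer group referenced by the phase1; add one peer object per allowed user.
config user peergrp
    edit "ncp-cert-peers"
        set member "socpuppets-ken"
    next
end

# IKEv2, certificate (signature) auth, no EAP. The FortiGate presents
# fgt-vpn-cert, which the NCP client must be able to validate as well.
config vpn ipsec phase1-interface
    edit "ncp-ike2"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype peergrp
        set peergrp "ncp-cert-peers"
        set authmethod signature
        set certificate "fgt-vpn-cert"
        set eap disable
        set mode-cfg enable
        set ipv4-start-ip 10.99.0.10
        set ipv4-end-ip 10.99.0.250
        set ipv4-netmask 255.255.255.0
        set proposal aes256-sha256
        set dhgrp 14
    next
end

config vpn ipsec phase2-interface
    edit "ncp-ike2-p2"
        set phase1name "ncp-ike2"
        set proposal aes256-sha256
        set dhgrp 14
    next
end

# Turn-around policy: client traffic enters on the tunnel interface (named after
# the phase1) and leaves wan1 NATed. Only the listed services are allowed.
config firewall policy
    edit 0
        set name "ncp-vpn-out"
        set srcintf "ncp-ike2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set nat enable
    next
end
```

The two lines that matter for the no-EAP design are `set authmethod signature` and `set eap disable`; the peer object's `set cn` is the only thing standing between "holds any socpuppetCA cert" and "is this user", so treat it as part of the access control, not as a label.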
Now we launch the client and wait for a successful connection.
The first time you use the certificate you will be prompted for the cert PIN. The PIN is the pfx passphrase. Why they call it a PIN? ... I have no clue.
FortiOS diagnostic commands for tunnel validation.
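The diagnostic commands I would run from the FortiGate CLI to validate the tunnel, as an added example rather than the post's own output. The tunnel name ncp-ike2 and the client address 203.0.113.10 are assumptions.

```fortios
# IKE SAs: confirm the gateway shows IKEv2, that auth was by signature (cert),
# and which peer/subject was matched.
diagnose vpn ike gateway list

# Child (phase2) SAs plus packet/byte counters; counters that never move
# usually mean a policy or mode-cfg problem, not an auth problem.
diagnose vpn tunnel list

# Real-time IKE negotiation. Filter to the client so the log is readable,
# then reconnect from the NCP client. Certificate chain and peer-match
# failures show up here as the negotiation aborts after IKE_AUTH.
diagnose vpn ike log-filter dst-addr4 203.0.113.10
diagnose debug application ike -1
diagnose debug enable
# ... reconnect, read the output, then switch debug off again:
diagnose debug disable
diagnose debug reset
diagnose vpn ike log-filter clear

# Short status summary
get vpn ipsec tunnel summary

# Tear down a stale gateway before retesting a changed certificate
diagnose vpn ike gateway clear name ncp-ike2
```

Always turn the debug off when done; `diagnose debug application ike -1` is noisy and stays on until you disable it.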
I hope this helps those wanting to use basic IKEv2 without EAP authentication. Next up will be IKEv2 with certificates on a StrongSwan client on Android.
NSE (Network Security Expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \