Wednesday, June 13, 2018

FortiOS and EAP identity vpn.

In this last post of the IKEv2 VPN series, I will demo an EAP Identity based IPsec VPN solution with a FortiGate firewall and a strongSwan VPN client.

The setup is similar to my earlier IKEv2 blogs, but we will use a user group and authenticate the user against the local FortiOS database.

I'm using the macOS and Android strongSwan clients in this blog.

You can monitor the client logs for statistics and for any errors. The logs are very detailed and show the device challenge and the assignments.

On the FortiGate, an IPsec SA will be presented upon a successful establishment.

Once the client has connected, you will not find any end-user details in the WebGUI IPsec monitor, which is horrible. Also notice that each VPN tunnel session appears as <vpntunnel_name>_<Number>, the tunnel name followed by an index. You will need to use the diag vpn ike gateway command to identify the actual user.

Here's the FortiGate configuration.

In the Android client, do NOT select "send request to CA"; this will generate a lot of wasted IKEv2 messages.

The VPN client only needs the server name and identity. Here's a typical Android setup.

Do not leave "CA certificate: Select automatically" enabled. Uncheck it and define the root CA cert that signed the server certificate.

If all goes well you should have a connected VPN status; if not, download the logs and start reviewing.

NSE (Network Security Expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o
        /  \