Wednesday, April 29, 2020

Strongswan to Forticlient with RSA signature

In this post we will look at a simple lan2lan IPsec VPN between strongSwan and a FortiGate. Both gateways use RSA signatures (X.509 certificates) for authentication.



So a certificate request (CSR) was issued for each gateway. I used getacert for both gateways. The CN for the FortiGate is "fgt.socpuppets.com" and the CN for the strongSwan gateway is "strongswan".


Let's do the strongSwan side. 1st you will need the gateway certificate and its private key, saved as two separate files with the extension pem. Copy the certificate into /etc/ipsec.d/certs and the private key into /etc/ipsec.d/private (the key file should be owned by root and mode 0600; ipsec.d sits next to ipsec.conf).


You will also need the root CA certificate from getacert; copy it into /etc/ipsec.d/cacerts.

e.g.




Now you can build a connection profile (a conn section) in ipsec.conf. In my setup I used the following:





If you have problems, or see constraint errors in /var/log/daemon.log, temporarily set rightid=%any so the peer's identity is accepted and logged; that gives you the exact string to put back into rightid. I will explain more later.








Once ipsec.conf is configured, you need to touch up ipsec.secrets. The entry for a certificate-based connection names the private key file (looked up in /etc/ipsec.d/private) and has the following format:

: RSA <private_key.pem>





If you get "can't find private key" in your logs it is one of the following:
1> ipsec.conf has a typo
2> the referenced file is missing from /etc/ipsec.d/private/
3> the filename in ipsec.secrets does not match the file on disk
4> the ": RSA <filename.pem>" line itself is malformed (note the leading colon and the space after it)
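As an added example (not the post's own ipsec.conf, which was shown as a screenshot), here is a complete conn for this setup. The IKE version, addresses, subnets, file names, proposals and the full DN strings are assumptions; the DN order and attributes must be copied from the real certificates.

```text
# /etc/ipsec.conf (added example; names, addresses and subnets are assumed)
config setup
    # "cfg 2, ike 2" is enough to see the peer identity and any constraint
    # failure in /var/log/daemon.log; drop back to 1 when finished
    charondebug="cfg 2, ike 2"

conn fgt
    keyexchange=ikev2
    # strongSwan side: DN of the cert in /etc/ipsec.d/certs/strongswan.pem
    left=%defaultroute
    leftid="C=US, ST=TX, L=AUSTIN, O=socpuppets, CN=strongswan"
    leftcert=strongswan.pem
    leftauth=pubkey
    leftsubnet=192.168.10.0/24
    # FortiGate side: the full subject DN of its certificate, in certificate
    # order. Set rightid=%any while troubleshooting constraint errors, then
    # copy the DN that charon logs back in here.
    right=203.0.113.1
    rightid="C=US, ST=TX, L=AUSTIN, O=socpuppets, CN=fgt.socpuppets.com"
    rightauth=pubkey
    rightsubnet=192.168.20.0/24
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256-modp2048!
    dpdaction=restart
    auto=add

# /etc/ipsec.secrets: leading colon, RSA, then the private key file name,
# which charon looks for in /etc/ipsec.d/private/
: RSA strongswan-key.pem
```

With auto=add the conn is loaded at startup but only brought up by "ipsec up fgt", which matches the FortiGate side being a dynamic peer that never initiates.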



This concludes the strongswan side of the configuration.


On the FortiGate it is pretty straightforward: a route-based VPN with a dynamic peer.

1st we define a user peer to identify the remote gateway, referencing the CA certificate and the CN value from the strongSwan certificate.



2nd phase1 config



3rd phase2 config


4th route



And finally the firewall policy.



Okay, that concludes the configuration. On the FortiGate I had already created a CSR and imported the certificate signed by getacert; in practice your CSR would be signed by your private CA or by a public CA.

e.g. https://getacert.com/

Now let's look at some diagnostic and show commands. On strongSwan you will primarily use the following for review and troubleshooting:

ipsec status
ipsec listcerts
ipsec statusall
cat /var/log/daemon.log
tcpdump -nnnnvv -i <interface public facing> host y.y.y.y
# y.y.y.y == right gateway ipv4 address

On fortiOS

diag debug flow
diag debug application ike -1
diag sniffer packet <interface public facing> "host x.x.x.x"
# x.x.x.x =  strongswan device ipv4
diag vpn ike gateway
diag vpn tunnel list


On my strongSwan I run the "ipsec up <conn-name>" command to start the connection attempt, since this connection is set to auto=add in ipsec.conf (loaded, but not started automatically).

I've laid the FortiOS and strongSwan IPsec SA details next to each other; see the matching SPIs?




For the FortiOS phase1 details we use the "diag vpn ike gateway" command.




For some more diagnostic tips

> ensure you have a firewall policy with action accept for the tunnel interface on the FortiGate, or you will get "no policy found" errors in diag debug application ike

> monitor the loaded plugins in strongSwan (ipsec statusall lists them) and watch for errors during startup or ipsec up


> If you are running iptables or a local host firewall, ensure you allow ISAKMP (UDP/500), NAT-T (UDP/4500) and ESP (IP protocol 50).

> If you are getting constraint errors, check the remote identity string, or temporarily use rightid=%any to isolate the issue and obtain the correct string from the log. The order of the attributes in the DN string, and which attributes are present, is critical in ipsec.conf. Always check for errors or typos.

Examples:

 CN=fgt.socpuppets.com is not the same as CN=fgt

'C=US, ST=TX, L=AUSTIN, O=socpuppets, CN=fgt.socpuppets.com' is not the same as 'ST=TX, L=AUSTIN, O=socpuppets, CN=fgt.socpuppets.com'
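The following shell helpers are an added example (not part of the original post) for getting the rightid string exactly right: they turn what openssl prints, or what charon logs after a rightid=%any test run, into strongSwan's DN form and show where two DN strings first differ. The DN values and the log line in the comments are constructed for illustration; the log text itself is the wording charon uses on a successful RSA authentication.

```shell
#!/bin/sh
# Added example, not from the original post. DN values used in the comments
# are constructed for illustration.

# Normalise a DN into strongSwan's "C=US, ST=TX, ..." form. Accepts either a
# bare DN or the line printed by
#   openssl x509 -in fgt.pem -noout -subject -nameopt oneline
# which reads "subject=C = US, ST = TX, ..." on current openssl releases.
to_strongswan_dn() {
    printf '%s\n' "$1" \
        | sed -e 's/^subject= *//' -e 's/ *= */=/g' -e 's/ *, */, /g'
}

# After a test run with rightid=%any, charon logs the peer's identity as
#   charon: 09[IKE] authentication of 'C=US, ..., CN=fgt.socpuppets.com' with RSA signature successful
# Pull the last such DN out of a log file (normally /var/log/daemon.log).
peer_dn_from_log() {
    sed -n "s/.*authentication of '\([^']*\)' with RSA signature successful.*/\1/p" "$1" \
        | tail -n 1
}

# Return 0 only when both DNs carry the same attributes in the same order;
# a missing C= or "CN=fgt" instead of "CN=fgt.socpuppets.com" returns 1.
dn_matches() {
    [ "$(to_strongswan_dn "$1")" = "$(to_strongswan_dn "$2")" ]
}

# Print "match", or the position and values of the first attribute that
# differs, which is usually enough to read a constraint error. Splits on
# commas, so a comma inside an attribute value (O="Acme, Inc") would mislead it.
dn_first_mismatch() {
    a=$(to_strongswan_dn "$1" | tr ',' '\n' | sed 's/^ *//')
    b=$(to_strongswan_dn "$2" | tr ',' '\n' | sed 's/^ *//')
    n=1
    while :; do
        x=$(printf '%s\n' "$a" | sed -n "${n}p")
        y=$(printf '%s\n' "$b" | sed -n "${n}p")
        if [ -z "$x" ] && [ -z "$y" ]; then
            echo "match"
            return 0
        fi
        if [ "$x" != "$y" ]; then
            echo "attribute $n: '${x:-<missing>}' vs '${y:-<missing>}'"
            return 0
        fi
        n=$((n + 1))
    done
}
```

Typical use on the strongSwan box: run peer_dn_from_log /var/log/daemon.log after a rightid=%any test, paste the result into rightid, and use dn_first_mismatch with the string from "openssl x509 -noout -subject -nameopt oneline" on the FortiGate's certificate to confirm they are identical before switching %any off.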

> if the certificate has expired (or is not yet valid) the VPN will not establish


From my personal experience and observations, almost all problems can be tracked down to incorrectly named files or typos in the strongSwan configuration.


I've been working with strongSwan for almost 13 years, btw. It's simple to deploy and use with Linux-based firewalls. You can build a Linux-based firewall and run strongSwan for remote VPN with very little money invested. OPEX cost is very low versus the performance potential.

A design topology: a hub DC mixed with a commercial FW.




Enjoy









NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o

        /  \



Tuesday, April 28, 2020

IKEv2 RSA-signature using a peer-group

Using RSA certificates in your VPN allows you to be flexible in authenticating the remote peer. If you have strict enforcement and the remote peer needs to change its certificate, the simplest approach is to keep the same CN string in the new certificate and have it issued by the same root CA, so the existing user peer still matches.

Sometimes this is not possible, or the remote firewall admin has to change the issuer or the certificate CN. If the phase1 references a peer group rather than a single peer, you gain flexibility when the peer's issuer or CN changes.



Take note that diag vpn ike gateway will show you which group was used.




So if the remote firewall changes issuer, you only need to define a new user peer with the new root CA and CN and add it to the peer group. The remote firewall can then switch to the new certificate without bothering you, and you remove the old peer from the group once the cutover is done.
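As an added example of the peer-group approach (not the post's screenshot), here is the FortiOS CLI with two user peers, one for the current certificate and one for the replacement, grouped and referenced from phase1. Peer names, CA certificate names, CN strings, the interface, the local certificate and the proposals are assumptions.

```text
config user peer
    edit "partner-old"
        set ca "CA_Cert_1"
        set cn "fw.partner.example"
        set cn-type string
    next
    edit "partner-new"
        # new issuer and new CN, added before the remote side cuts over
        set ca "CA_Cert_2"
        set cn "vpn.partner.example"
        set cn-type string
    next
end
config user peergrp
    edit "partner-grp"
        set member "partner-old" "partner-new"
    next
end
config vpn ipsec phase1-interface
    edit "partner"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set authmethod signature
        set certificate "fgt.socpuppets.com"
        # peergrp instead of peer: any member that matches CA + CN is accepted
        set peertype peergrp
        set peergrp "partner-grp"
        set proposal aes256-sha256
        set dhgrp 14
    next
end
```

After the remote side has switched, "diag vpn ike gateway" shows which peer matched; at that point drop "partner-old" from the member list so the retired certificate can no longer bring the tunnel up.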












Forticlient and macosx tweaking

When using FortiClient with certificates on macOS, you might run into the Keychain prompting you to allow FortiClient to access the private key on every connection. You can set the access control for the application on the key item.


You set the access control on the private key item in the login keychain. 1st, symlink the FortiClient binaries into a directory in the user's path, so they can be picked in the Keychain Access application chooser.

Here I made a directory, fclient, and symlinked into that directory.


Next, open Keychain Access, select the private key, and set its Access Control properties to allow the application.




You might get one warning, but any login attempts afterward will not challenge you for access to the private key.








SSLVPN fortigate with certificates

In this post, I will demonstrate how to enable SSL VPN with end-user certificates. The remote firewall is running FortiOS 6.2.3 and we are using the 6.2 FortiClient.




I'm using Firefox to test the web portal, and an Android and a macOS device running the basic FortiClient.

In the FortiGate you set a "config user peer" that references the CA signing the end-user certificates. That CA certificate, along with the root CA above it if the signer is an intermediate, needs to be uploaded into the FortiGate via

System > Certificates


In my setup, I have a root and an intermediate CA. The "config user peer" references my intermediate CA.

config user peer
    edit "socpuppets-intermediate"
        set ca "CA_Cert_3"
    next
end

Now you will need to build your sslvpn settings to include an authentication-rule.

config vpn ssl settings
    set reqclientcert enable
    set ssl-min-proto-ver tls1-1
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_POOL_1"
    set port 8443
    set source-interface "wan1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "full-access"
    config authentication-rule
        edit 1
            set source-interface "wan1"
            set source-address "all"
            set groups "vpnusers1"
            set portal "full-access"
            set client-cert enable
            set user-peer "socpuppets-intermediate"
        next
    end
end


And the portal config with the address pool:

config firewall address
    edit "SSLVPN_POOL_1"
        set subnet 10.199.199.0 255.255.255.0
    next
end



config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set ipv6-tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_POOL_1"
        set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    next
end


So now when an end user authenticates and matches that authentication rule, they will need a valid certificate signed by the CA in the user peer, in addition to the username/password that puts them in group vpnusers1. Two caveats on the settings shown above: ssl-min-proto-ver tls1-1 still permits TLS 1.1, which is deprecated, so raise it to tls1-2 unless you have clients that cannot; and servercert Fortinet_Factory is the built-in certificate that clients cannot properly validate, so replace it with a server certificate issued by your own CA or a public CA.

Once connected, you can validate the logged-in users via the CLI ("get vpn ssl monitor") or the web UI.



If your FortiClient cannot connect, import the same user certificate into Firefox and access the web portal. If you can log into the web portal, the certificate and the authentication rule are good and the problem is on the client side.









One last tidbit: when the user certificate has expired, the user will be locked out of the VPN. Since the certificate verification is done before the username/password is accepted, you will not see a login failure in the logs, but "diag debug application sslvpnd -1" (after "diag debug enable") will clearly show this scenario.







For traffic that is allowed by the firewall policy you can use diag debug flow, or run "diag sniffer packet ssl.root" on the SSL VPN interface to see the traffic flow.






This VPN method offers an easy way to time-limit VPN users: sign their certificate for "X" days and access ends when it expires. Great for vendor, auditor or consultant access. Keep in mind that expiry is only checked at login, so to cut someone off before their certificate expires you need to revoke it (and import the CRL on the FortiGate) rather than wait.






Monday, April 27, 2020

FORTIGATE IPV6_PD

On the FortiGate it is easy to enable DHCPv6 prefix delegation (IPv6 PD) for an ISP that offers DHCPv6 and delegates prefixes.

Here's a simple config where port1 is the ISP uplink and port2 is one of our local LANs for IPv6.



config system interface
    edit "port1"
        config ipv6
            set ip6-mode dhcp
            set dhcp6-prefix-delegation enable
            set dhcp6-prefix-hint ::/56
            set dhcp6-prefix-hint-vlt 0
            set dhcp6-prefix-hint-plt 0
        end
    next
end

config system interface
    edit "port2"
        config ipv6
            set ip6-mode delegated
            set ip6-allowaccess ping https ssh
            set dhcp6-prefix-delegation enable
            set ip6-send-adv enable
            set ip6-manage-flag enable
            set ip6-other-flag enable
            set ip6-upstream-interface "port1"
            set ip6-subnet ::/64
            config ip6-delegated-prefix-list
                edit 1
                    set upstream-interface "port1"
                    set autonomous-flag enable
                    set onlink-flag enable
                    set subnet ::/64
                next
            end
        end
    next
end


You can check the local routes and IPv6 reachability from the CLI:


 get router info6 routing-table
 execute ping  2620:119:35::35
 execute tracert6 2620:119:35::35





Tuesday, April 14, 2020

Route-Based ikev2 vpn juniper SRX to Fortigate RSA-cert

In this post we will do the opposite of this previous blog post:

http://socpuppet.blogspot.com/2019/10/fortigate-to-juniper-srx-vpn-route.html

Here we have the Juniper SRX as the "initiator" connecting to a FortiGate configured as "responder-only", using certificates as the authentication method. We are using IKEv2.



Since the FortiGate is responder-only, the tunnel always has to be initiated from the SRX side. As before, I'm using getacert for the CSR signing and the same steps apply here. In real life this would be your private CA or certificates issued by a public CA. You will always need to ensure the root CA is imported into both firewalls.


  • draft csr for both the juniper and fortigate
  • have the csr signed by the rootCA
  • import the cert and rootCA-cert into the devices
  • ensure you record the exact CN strings used in the certificates (I will explain later)

junos

      request security pki generate-key-pair size 2048 type rsa certificate-id srx300

      request security pki generate-certificate-request certificate-id srx300 subject "CN=srx300" domain-name srx300.socpuppets.com

Send the CSR to your CA for signing and then copy the resulting certificate onto the Juniper SRX. Note there is no space after "CN=" in the subject string; a stray space would become part of the CN and would have to be matched exactly on the FortiGate.


Once you have the cert copied to the Juniper, load it with the following:

   request security pki local-certificate load filename <filename of your x509 cert> certificate-id srx300


For the root CA you do the same thing, but with the ca-certificate command and a CA profile (the ca-profile, with its ca-identity, must already exist in the configuration before you load into it):

request security pki ca-certificate load filename <filename root CA> ca-profile getacert

If the root CA certificate carries a CRL distribution point, the SRX will try to fetch it and IKE fails when it cannot; for this lab CA, revocation checking was disabled on the ca-profile. In production keep revocation checking enabled and make sure the CRL (or OCSP responder) is reachable, otherwise a revoked peer certificate would still be accepted.

    set security pki ca-profile getacert revocation-check disable


For the FortiGate, use the web UI to generate a CSR, have it signed, then import the signed certificate along with the root CA certificate under

System > Certificate
   



I broke the Junos config down into phase1, phase2 and routing. You will also need a security policy for the permitted traffic, which I did not show.
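As an added example (not the post's screenshots), here is the Junos side in set-command form: the CA profile, IKEv2 with RSA signatures using the srx300 certificate, the FortiGate identified by its DN, phase2, the st0 tunnel interface and the static route. Addresses, interface and zone names, proposals and the FortiGate LAN subnet are assumptions; the certificate-id, ca-profile name and the CN are the ones from the post. The lines starting with "#" are explanation, not Junos.

```text
# CA profile must exist before "request security pki ca-certificate load ... ca-profile getacert"
set security pki ca-profile getacert ca-identity getacert

# phase1: IKEv2, RSA signatures, our cert srx300, peer matched on its DN
set security ike proposal fgt-ike-prop authentication-method rsa-signatures
set security ike proposal fgt-ike-prop dh-group group14
set security ike proposal fgt-ike-prop authentication-algorithm sha-256
set security ike proposal fgt-ike-prop encryption-algorithm aes-256-cbc
set security ike policy fgt-ike-pol proposals fgt-ike-prop
set security ike policy fgt-ike-pol certificate local-certificate srx300
set security ike gateway fgt ike-policy fgt-ike-pol
set security ike gateway fgt address 203.0.113.1
set security ike gateway fgt local-identity distinguished-name
set security ike gateway fgt remote-identity distinguished-name container "CN=fgt.socpuppets.com"
set security ike gateway fgt external-interface ge-0/0/0.0
set security ike gateway fgt version v2-only

# phase2, bound to st0.0; "establish-tunnels immediately" makes the SRX initiate
set security ipsec proposal fgt-ipsec-prop protocol esp
set security ipsec proposal fgt-ipsec-prop encryption-algorithm aes-256-cbc
set security ipsec proposal fgt-ipsec-prop authentication-algorithm hmac-sha-256-128
set security ipsec policy fgt-ipsec-pol perfect-forward-secrecy keys group14
set security ipsec policy fgt-ipsec-pol proposals fgt-ipsec-prop
set security ipsec vpn fgt-vpn bind-interface st0.0
set security ipsec vpn fgt-vpn ike gateway fgt
set security ipsec vpn fgt-vpn ike ipsec-policy fgt-ipsec-pol
set security ipsec vpn fgt-vpn establish-tunnels immediately

# tunnel interface, zones and routing; IKE must be allowed inbound on the external zone
set interfaces st0 unit 0 family inet
set security zones security-zone vpn interfaces st0.0
set security zones security-zone untrust host-inbound-traffic system-services ike
set routing-options static route 192.168.20.0/24 next-hop st0.0
```

The "container" form of remote-identity matches the listed attributes in certificate order, so the CN string has to be copied exactly from the FortiGate's certificate; the security policies between the trust and vpn zones are still required, as the post says.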





The FortiGate side is less involved but the same details exist. You will need a firewall policy for the permitted traffic.



One last item: on the FGT we are using only the CA certificate to validate the peer in the above example.

What this means is that any certificate issued by getacert would be honoured. In reality, you would lock it down to the CN of the remote peer plus the root CA that signed its certificate. I will explain later why.




So to lock it down, you reference both the CA certificate and the CN string of the peer in the user peer. With this combination the peer is accepted only if its certificate carries that CN, is signed by that root CA, and is within its validity period.



I will speak more about this later, on why the first example was used and how it can help with troubleshooting.

Here's some show and diagnostic output of the security associations.

junos





fortios




On troubleshooting: when you are dealing with certificates, the root CA and CN act like the pre-shared key, if you will, together with the certificate itself.

So in my case I controlled both endpoints, which makes diagnostics easy. In a real deployment, a different firewall admin might control the remote firewall.

So if the remote firewall admin gives you the wrong CN, or does not know it, you can temporarily validate on the root CA alone, let the peer initiate, and read the actual CN from the certificate it presents. Once known, add it to your "config user peer" and drop the CA-only acceptance.

I worked an issue a few months back where we had a FGT1500 trying to authenticate to an openswan and the remote firewall admin thought he used cn=XYZ.hisdomain1.com but in reality he used cn=XYX.hisdomain2.com, and they could never be authenticated.

I used just the CA cert for validation and "diag vpn ike gateway | grep CN", and could then see the actual CN field of the remote firewall's certificate.

traceroute



Further diagnostic tips

junos

       request security ike debug-enable remote <destination-gw address>  local <local gw address>
       review the kmd logs after enabling the above

          file show /var/log/kmd*

PLEASE DISABLE THE DEBUG AFTER FINISHING YOUR COLLECTION
         request security ike debug-disable


fortios

   diag debug reset 
   diag debug enable
   diag debug application ike -1










