IPsec VPN and SSL VPN

FortiClient supports both IPsec and SSL VPN connections to your network for remote access. Administrators can provision client VPN connections to FortiGate in profiles from EMS, and you can configure new connections in FortiClient console.

Add new connections

You can add new SSL VPN connections and IPsec VPN connections. Both connection types start with the same two fields:

Connection Name: Enter a name for the connection.
Description: Enter a description for the connection (optional).

Create SSL VPN connections

To create SSL VPN connections:

  1. On the Remote Access tab, click the Configure VPN link, or use the drop-down menu in the FortiClient console.
  2. Select SSL-VPN, then configure the following settings:

Remote Gateway: Enter the IP address/hostname of the remote gateway. Multiple remote gateways can be configured by separating each entry with a semicolon. If one gateway is not available, the VPN will connect to the next configured gateway.
Customize port: Select to change the port. The default port is 443.
Authentication: Select to prompt on login, or save login. The option to disable is available when Client Certificate is enabled.
Username: If you selected to save login, enter the username in the dialog box.
Client Certificate: Select to enable client certificates, then select the certificate from the dropdown list.
Do not Warn Invalid Server Certificate: Select if you do not want to be warned if the server presents an invalid certificate.
Add: Select the add icon to add a new connection.
Delete: Select a connection and then select the delete icon to delete a connection.

  3. Click Apply to save the VPN connection, and then click Close to return to the Remote Access screen.

Create IPsec VPN connections

To create IPsec VPN connections:

  1. On the Remote Access tab, click the Configure VPN link, or use the drop-down menu in the FortiClient console.
  2. Select IPsec VPN, then configure the following settings:
Connection Name: Enter a name for the connection.
Description: Enter a description for the connection (optional).
Remote Gateway: Enter the IP address/hostname of the remote gateway. Multiple remote gateways can be configured by separating each entry with a semicolon. If one gateway is not available, the VPN will connect to the next configured gateway.
Authentication Method: Select either X.509 Certificate or Pre-shared Key in the dropdown menu.
Authentication (XAuth): Select to prompt on login, save login, or disable.
Username: If you selected save login, enter the username in the dialog box.
Advanced Settings: Configure VPN settings, Phase 1, and Phase 2 settings.

VPN Settings

Mode: Select one of the following:

Main: In Main mode, the phase 1 parameters are exchanged in multiple rounds with encrypted authentication information.

Aggressive: In Aggressive mode, the phase 1 parameters are exchanged in a single message with authentication information that is not encrypted.

Although Main mode is more secure, you must select Aggressive mode if there is more than one dialup phase 1 configuration for the interface IP address, and the remote VPN peer or client is authenticated using an identifier (local ID).

Options: Select one of the following:

Mode Config: IKE Mode Config can configure host IP address, Domain, DNS and WINS addresses.

Manually Set: Manual key configuration. If one of the VPN devices is manually keyed, the other VPN device must also be manually keyed with the identical authentication and encryption keys. Enter the DNS server IP, assign IP address, and subnet values. Select the check box to enable split tunneling.

DHCP over IPsec: DHCP over IPsec can assign an IP address, Domain, DNS and WINS addresses. Select the check box to enable split tunneling.

Phase 1: Select the encryption and authentication algorithms used to generate keys for protecting negotiations and add encryption and authentication algorithms as required.

You need to select a minimum of one and a maximum of two combinations. The remote peer or client must be configured to use at least one of the proposals that you define.

  IKE Proposal: Select symmetric-key algorithms (encryption) and message digests (authentication) from the drop-down lists.
  DH Group: Select one or more Diffie-Hellman groups from DH group 1, 2, 5 and 14. At least one of the DH Group settings on the remote peer or client must match one of the selections on the FortiGate unit. Failure to match one or more DH groups will result in failed negotiations.
  Key Life: Enter the time (in seconds) that must pass before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The key life can be from 120 to 172,800 seconds.
  Local ID: Enter the Local ID (optional). This Local ID value must match the peer ID value given for the remote VPN peer’s Peer Options.
  Dead Peer Detection: Select this check box to reestablish VPN tunnels on idle connections and clean up dead IKE peers if required.
  NAT Traversal: Select the check box if a NAT device exists between the client and the local FortiGate unit. The client and the local FortiGate unit must have the same NAT traversal setting (both selected or both cleared) to connect reliably.

Phase 2: Select the encryption and authentication algorithms that will be proposed to the remote VPN peer. You can specify up to two proposals. To establish a VPN connection, at least one of the proposals that you specify must match configuration on the remote peer.

  IKE Proposal: Select symmetric-key algorithms (encryption) and message digests (authentication) from the drop-down lists.
  Key Life: The Key Life setting sets a limit on the length of time that a phase 2 key can be used. The default units are seconds. Alternatively, you can set a limit on the number of kilobytes (KB) of processed data, or both. If you select both, the key expires when either the time has passed or the number of KB have been processed. When the phase 2 key expires, a new key is generated without interrupting service.
  Enable Replay Detection: Replay detection enables the unit to check all IPsec packets to see if they have been received before. If any encrypted packets arrive out of order, the unit discards them.
  Enable Perfect Forward Secrecy (PFS): Select the check box to enable Perfect Forward Secrecy (PFS). PFS forces a new Diffie-Hellman exchange when the tunnel starts and whenever the phase 2 key life expires, causing a new key to be generated each time.
  DH Group: Select one Diffie-Hellman (DH) group (1, 2, 5 or 14). This must match the DH Group that the remote peer or dialup client uses.

Add: Select the add icon to add a new connection.
Delete: Select a connection and then select the delete icon to delete a connection.

  3. Click Apply to save the VPN connection, and then click Close to return to the Remote Access screen.

Advanced features (Microsoft Windows)

When deploying a custom FortiClient XML configuration, use the advanced FortiClient Profile options in EMS to ensure the FortiClient profile settings do not overwrite your custom XML settings. For more information, see the FortiClient XML Reference.

Activate VPN before Windows Log on

When using VPN before Windows log on, the user is offered a list of pre-configured VPN connections to select from on the Windows log on screen. This requires that the Windows log on screen is not bypassed. As such, if VPN before Windows log on is enabled, you must also check the Users must enter a username and password to use this computer check box in the User Accounts dialog box.

To make this change, proceed as follows:

In FortiClient:

  1. Create the VPN tunnels of interest, or connect to FortiClient EMS, which provides the VPN list of interest.
  2. Enable VPN before log on on the FortiClient Settings page (see VPN options on page 102).

On the Microsoft Windows system,

  1. Start an elevated command line prompt.
  2. Enter control passwords2 and press Enter. Alternatively, you can enter netplwiz.
  3. Check the check box for Users must enter a username and password to use this computer.
  4. Click OK to save the setting.

Connect VPNs before logging on (AD environments)

The VPN <options> tag holds global information controlling VPN states. The VPN will connect first, then log on to AD/Domain.

<forticlient_configuration>
  <vpn>
    <options>
      <show_vpn_before_logon>1</show_vpn_before_logon>
      <use_windows_credentials>1</use_windows_credentials>
    </options>
  </vpn>
</forticlient_configuration>

Create redundant IPsec VPNs

To use VPN resiliency/redundancy, you will configure a list of EMS IP/FQDN servers, instead of just one:

<forticlient_configuration>
  <vpn>
    <ipsecvpn>
      <options>
        …
      </options>
      <connections>
        <connection>
          <name>psk_90_1</name>
          <type>manual</type>
          <ike_settings>
            <prompt_certificate>0</prompt_certificate>
            <server>10.10.90.1;ipsecdemo.fortinet.com;172.17.61.143</server>
            <redundantsortmethod>1</redundantsortmethod>
            …
          </ike_settings>
        </connection>
      </connections>
    </ipsecvpn>
  </vpn>
</forticlient_configuration>

This is a balanced, but incomplete XML configuration fragment. All closing tags are included, but some important elements to complete the IPsec VPN configuration are omitted.

RedundantSortMethod = 1

This XML tag sets the IPsec VPN connection as ping-response based. The VPN will connect to the FortiGate which responds the fastest.

RedundantSortMethod = 0

By default, RedundantSortMethod = 0 and the IPsec VPN connection is priority based. Priority-based configurations will try to connect to the FortiGate starting with the first in the list.

Create priority-based SSL VPN connections

SSL VPN supports priority based configurations for redundancy.

<forticlient_configuration>
  <vpn>
    <sslvpn>
      <options>
        <enabled>1</enabled>
        …
      </options>
      <connections>
        <connection>
          <name>ssl_90_1</name>
          <server>10.10.90.1;ssldemo.fortinet.com;172.17.61.143:443</server>
          …
        </connection>
      </connections>
    </sslvpn>
  </vpn>
</forticlient_configuration>

This is a balanced, but incomplete XML configuration fragment. All closing tags are included, but some important elements to complete the SSL VPN configuration are omitted.

For SSL VPN, all FortiGates in the list must use the same TCP port.

Advanced features (Mac OS X)

When deploying a custom FortiClient XML configuration, use the advanced FortiClient profile options in EMS to ensure the FortiClient Profile settings do not overwrite your custom XML settings. For more information, see the FortiClient XML Reference.

Create redundant IPsec VPNs

To use VPN resiliency/redundancy, you will configure a list of FortiGate/EMS IP/FQDN servers, instead of just one:

<forticlient_configuration>
  <vpn>
    <ipsecvpn>
      <options>
        …
      </options>
      <connections>
        <connection>
          <name>psk_90_1</name>
          <type>manual</type>
          <ike_settings>
            <prompt_certificate>0</prompt_certificate>
            <server>10.10.90.1;ipsecdemo.fortinet.com;172.17.61.143</server>
            <redundantsortmethod>1</redundantsortmethod>
            …
          </ike_settings>
        </connection>
      </connections>
    </ipsecvpn>
  </vpn>
</forticlient_configuration>

This is a balanced, but incomplete XML configuration fragment. All closing tags are included, but some important elements to complete the IPsec VPN configuration are omitted.

RedundantSortMethod = 1

This XML tag sets the IPsec VPN connection as ping-response based. The VPN will connect to the FortiGate/EMS which responds the fastest.

RedundantSortMethod = 0

By default, RedundantSortMethod = 0 and the IPsec VPN connection is priority based. Priority-based configurations will try to connect to the FortiGate/EMS starting with the first in the list.

Create priority-based SSL VPN connections

SSL VPN supports priority based configurations for redundancy.

<forticlient_configuration>
  <vpn>
    <sslvpn>
      <options>
        <enabled>1</enabled>
        …
      </options>
      <connections>
        <connection>
          <name>ssl_90_1</name>
          <server>10.10.90.1;ssldemo.fortinet.com;172.17.61.143:443</server>
          …
        </connection>
      </connections>
    </sslvpn>
  </vpn>
</forticlient_configuration>

This is a balanced, but incomplete XML configuration fragment. All closing tags are included, but some important elements to complete the SSL VPN configuration are omitted.

For SSL VPN, all FortiGate/EMS entries in the list must use the same TCP port.
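As an added example (not FortiClient's or Fortinet's code), the Python below parses a constructed profile fragment modelled on the ones above, orders an IPsec gateway list the way RedundantSortMethod 0 (priority) and 1 (fastest ping response) describe, and checks that every SSL VPN server list resolves to a single TCP port. It assumes a trailing :port on an entry applies to that entry and that entries without one use the default 443; the ping measurement is replaced by a constructed RTT table so the code runs offline.

```python
import xml.etree.ElementTree as ET

# Constructed profile fragment for this example; hosts are the page's demo values, ssl_bad is added.
PROFILE_XML = """<forticlient_configuration><vpn>
  <ipsecvpn><connections><connection><name>psk_90_1</name><ike_settings>
    <server>10.10.90.1;ipsecdemo.fortinet.com;172.17.61.143</server>
    <redundantsortmethod>1</redundantsortmethod>
  </ike_settings></connection></connections></ipsecvpn>
  <sslvpn><connections>
    <connection><name>ssl_90_1</name>
      <server>10.10.90.1;ssldemo.fortinet.com;172.17.61.143:443</server></connection>
    <connection><name>ssl_bad</name>
      <server>10.10.90.1:443;ssldemo.fortinet.com:10443</server></connection>
  </connections></sslvpn>
</vpn></forticlient_configuration>"""

def parse_servers(text, default_port=443):
    # Split the semicolon list; a trailing :port applies to that entry (assumption), else the default.
    hosts = []
    for entry in (e.strip() for e in text.split(";") if e.strip()):
        host, sep, port = entry.rpartition(":")
        hosts.append((host, int(port)) if sep and port.isdigit() else (entry, default_port))
    return hosts

def order_gateways(hosts, sort_method, probe):
    # 0 = priority: try in listed order. 1 = ping-response: fastest responder first.
    if sort_method == 0:
        return list(hosts)
    rtts = {h: probe(h[0]) for h in hosts}  # probe returns RTT in ms, or None for no reply
    # Unreachable gateways sort last; ties keep list order because sorted() is stable.
    return sorted(hosts, key=lambda h: (rtts[h] is None, rtts[h] or 0.0))

def ipsec_order(xml_text, probe):
    ike = ET.fromstring(xml_text).find("./vpn/ipsecvpn/connections/connection/ike_settings")
    method = int(ike.findtext("redundantsortmethod", default="0"))
    return order_gateways(parse_servers(ike.findtext("server")), method, probe)

def sslvpn_port_check(xml_text):
    # Every SSL VPN gateway list must resolve to a single TCP port; report ports per connection.
    root = ET.fromstring(xml_text)
    return {c.findtext("name"): sorted({p for _, p in parse_servers(c.findtext("server"))})
            for c in root.findall("./vpn/sslvpn/connections/connection")}

# Constructed RTTs (ms) standing in for the client's ping measurement; None = no reply.
FAKE_RTT = {"10.10.90.1": 40.0, "ipsecdemo.fortinet.com": None, "172.17.61.143": 12.5}
```

A connection whose port check returns more than one port (ssl_bad above) violates the same-port rule and should be fixed in the profile before it is pushed from EMS.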

VPN tunnel & script

This feature supports auto running a user-defined script after the configured VPN tunnel is connected or disconnected. The scripts are batch scripts in Windows and shell scripts in Mac OS X. They are defined as part of a VPN tunnel configuration on EMS’s XML format FortiClient profile. The profile will be pushed down to FortiClient from EMS. When FortiClient’s VPN tunnel is connected or disconnected, the respective script defined under that tunnel will be executed.

Windows

Map a network drive after tunnel connection

The script will map a network drive and copy some files after the tunnel is connected.

<on_connect>
  <script>
    <os>windows</os>
    <script>
      <![CDATA[
        net use x: \\192.168.10.3\ftpshare /user:Ted Mosby
        md c:\test
        copy x:\PDF\*.* c:\test
      ]]>
    </script>
  </script>
</on_connect>

Delete a network drive after tunnel is disconnected

The script will delete the network drive after the tunnel is disconnected.

<on_disconnect>
  <script>
    <os>windows</os>
    <script>
      <![CDATA[
        net use x: /DELETE
      ]]>
    </script>
  </script>
</on_disconnect>

OS X

Map a network drive after tunnel connection

The script will map a network drive and copy some files after the tunnel is connected.

<on_connect>
  <script>
    <os>mac</os>
    <script>
      /bin/mkdir /Volumes/installers
      /sbin/ping -c 4 192.168.1.147 > /Users/admin/Desktop/dropbox/p.txt
      /sbin/mount -t smbfs //kimberly:RigUpTown@ssldemo.fortinet.com/installers /Volumes/installers/ > /Users/admin/Desktop/dropbox/m.txt
      /bin/mkdir /Users/admin/Desktop/dropbox/dir
      /bin/cp /Volumes/installers/*.log /Users/admin/Desktop/dropbox/dir/.
    </script>
  </script>
</on_connect>

Delete a network drive after tunnel is disconnected

The script will delete the network drive after the tunnel is disconnected.

<on_disconnect>
  <script>
    <os>mac</os>
    <script>
      /sbin/umount /Volumes/installers
      /bin/rm -fr /Users/admin/Desktop/dropbox/*
    </script>
  </script>
</on_disconnect>
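Because the profile, scripts included, is pushed from EMS to every FortiClient endpoint, anything embedded in a script (such as the user:password@host in the mount command above) is distributed to each machine. As an added example that is not part of the original page, the Python below extracts each on_connect/on_disconnect script from a constructed fragment modelled on the examples above and reports script lines that carry an embedded credential, with the secret masked; the element paths and the credential pattern are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed tunnel fragment (assumed element layout) modelled on the page's examples.
TUNNEL_XML = """<connection>
  <name>ssl_90_1</name>
  <on_connect><script><os>mac</os><script>
/bin/mkdir /Volumes/installers
/sbin/mount -t smbfs //kimberly:RigUpTown@ssldemo.fortinet.com/installers /Volumes/installers/
  </script></script></on_connect>
  <on_disconnect><script><os>windows</os><script><![CDATA[
net use x: /DELETE
  ]]></script></script></on_disconnect>
</connection>"""

# user:password@host inside a URL-style share path, as in the page's mount command.
EMBEDDED_CRED = re.compile(r"//[^\s/@:]+:[^\s/@]+@[^\s/]+")

def extract_scripts(xml_text):
    """Return [(event, os, [command lines])] for each tunnel script in the fragment."""
    root = ET.fromstring(xml_text)
    found = []
    for event in ("on_connect", "on_disconnect"):
        for outer in root.findall(f"./{event}/script"):
            body = outer.findtext("script") or ""  # CDATA is unwrapped by the parser
            lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
            found.append((event, outer.findtext("os"), lines))
    return found

def find_embedded_credentials(xml_text):
    """Report (event, os, masked line) for every script line carrying user:password@host."""
    hits = []
    for event, osname, lines in extract_scripts(xml_text):
        for ln in lines:
            if EMBEDDED_CRED.search(ln):
                masked = EMBEDDED_CRED.sub(lambda m: "//***:***@" + m.group(0).split("@", 1)[1], ln)
                hits.append((event, osname, masked))
    return hits
```

Running the check against a profile before it is assigned in EMS lets you move such secrets out of the script (for example to a credential the endpoint already holds) rather than shipping them to every client.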

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

2 thoughts on “IPsec VPN and SSL VPN”

  1. Steve

    Is it possible to have both IPSec and SSL VPNs with redundancy? i.e. if the IPSec connection will not establish, automatically connect to the SSL VPN?

    1. Mike (Post author)

      Steve, you absolutely can. They operate on different ports. The only thing you have to be sure of is that your policies for each are proper. Otherwise, have at it. A lot of times you will see IPSec blocked by firewalls whereas SSL works fine due to the protocol used.
