How FortiGate units process tunnel requests for peer authentication

How FortiGate units process tunnel requests for peer authentication

When a client-side FortiGate unit attempts to start a WAN optimization tunnel with a peer server-side FortiGate unit, the tunnel request includes the following information:

  • the client-side local host ID
  • the name of an authentication group, if included in the rule that initiates the tunnel
  • if an authentication group is used, the authentication method it specifies: pre-shared key or certificate
  • the type of tunnel (secure or not).

For information about configuring the local host ID, peers and authentication groups, see Configuring peers on page 2861 and Configuring authentication groups on page 2862.

The authentication group is optional unless the tunnel is a secure tunnel. For more information, see Secure tunneling on page 2864.

If the tunnel request includes an authentication group, the authentication will be based on the settings of this group as follows:

  • The server-side FortiGate unit searches its own configuration for the name of the authentication group in the tunnel request. If no match is found, the authentication fails.
  • If a match is found, the server-side FortiGate unit compares the authentication method in the client and server authentication groups. If the methods do not match, the authentication fails.
  • If the authentication methods match, the server-side FortiGate unit tests the peer acceptance settings in its copy of the authentication group.
  • If the setting is Accept Any Peer, the authentication is successful.
  • If the setting is Specify Peer, the server-side FortiGate unit compares the client-side local host ID in the tunnel request with the peer name in the server-side authentication group. If the names match, authentication is successful. If a match is not found, authentication fails.
  • If the setting is Accept Defined Peers, the server-side FortiGate unit compares the client-side local host ID in the tunnel request with the server-side peer list. If a match is found, authentication is successful. If a match is not found, authentication fails.

If the tunnel request does not include an authentication group, authentication will be based on the client-side local host ID in the tunnel request. The server-side FortiGate unit searches its peer list to match the client-side local host ID in the tunnel request. If a match is found, authentication is successful. If a match is not found, authentication fails.

If the server-side FortiGate unit successfully authenticates the tunnel request, the server-side FortiGate unit sends back a tunnel setup response message. This message includes the server-side local host ID and the authentication group that matches the one in the tunnel request.

The client-side FortiGate unit then performs the same authentication procedure as the server-side FortiGate unit did. If both sides succeed, tunnel setup continues.

 

Configuring peers

When you configure peers, you first need to add the local host ID that identifies the FortiGate unit for WAN optimization and then add the peer host ID and IP address of each FortiGate unit with which a FortiGate unit can create WAN optimization tunnels.

 

To configure WAN optimization peers – web-based manager:

1. Go to WAN Opt. & Cache > Peers.

2. For Local Host ID, enter the local host ID of this FortiGate unit and select Apply. If you add this FortiGate unit as a peer to another FortiGate unit, use this ID as its peer host ID.

The local or host ID can contain up to 25 characters and can include spaces.

3. Select Create New to add a new peer.

4. For Peer Host ID, enter the peer host ID of the peer FortiGate unit. This is the local host ID added to the peer FortiGate unit.

5. For IP Address, add the IP address of the peer FortiGate unit. This is the source IP address of tunnel requests sent by the peer, usually the IP address of the FortiGate interface connected to the WAN.

6. Select OK.

 

To configure WAN optimization peers – CLI:

In this example, the local host ID is named HQ_Peer and has an IP address of 172.20.120.100. Three peers are added, but you can add any number of peers that are on the WAN.

1. Enter the following command to set the local host ID to HQ_Peer.

config wanopt settings set host-id HQ_peer

end

2. Enter the following commands to add three peers.

config wanopt peer edit Wan_opt_peer_1

set ip 172.20.120.100 next

edit Wan_opt_peer_2

set ip 172.30.120.100 next

edit Wan_opt_peer_3

set ip 172.40.120.100 end

 

Configuring authentication groups

You need to add authentication groups to support authentication and secure tunneling between WAN optimization peers.

To perform authentication, WAN optimization peers use a certificate or a pre-shared key added to an authentication group so they can identify each other before forming a WAN optimization tunnel. Both peers must have an authentication group with the same name and settings. You add the authentication group to a peer-to- peer or active rule on the client-side FortiGate unit. When the server-side FortiGate unit receives a tunnel start request from the client-side FortiGate unit that includes an authentication group, the server-side FortiGate unit finds an authentication group in its configuration with the same name. If both authentication groups have the same certificate or pre-shared key, the peers can authenticate and set up the tunnel.

Authentication groups are also required for secure tunneling.

To add authentication groups, go to WAN Opt. & Cache > Authentication Groups.

 

To add an authentication group – web-based manager:

Use the following steps to add any kind of authentication group. It is assumed that if you are using a local certificate to authenticate, it is already added to the FortiGate unit

1. Go to WAN Opt. & Cache > Authentication Groups.

2. Select Create New.

3. Add a Name for the authentication group.

You will select this name when you add the authentication group to a WAN optimization rule.

4. Select the Authentication Method.

Select Certificate if you want to use a certificate to authenticate and encrypt WAN optimization tunnels. You must select a local certificate that has been added to this FortiGate unit. (To add a local certificate, go to Syste> Certificates.) Other FortiGate units that participate in WAN optimization tunnels with this FortiGate unit must have an authentication group with the same name and certificate.

Select Preshared key if you want to use a pre-shared key or password to authenticate and encrypt WAN optimization tunnels. You must add the Password (or pre-shared key) used by the authentication group. Other FortiGate units that participate in WAN optimization tunnels with this FortiGate unit must have an authentication group with the same name and password. The password must contain at least 6 printable characters and should be known only by network administrators. For optimum protection against currently known attacks, the key should consist of a minimum of 16 randomly chosen alphanumeric characters.

5. Configure Peer Acceptance for the authentication group.

Select Accept Any Peer if you do not know the peer host IDs or IP addresses of the peers that will use this authentication group. This setting is most often used for WAN optimization with the FortiClient application or with FortiGate units that do not have static IP addresses, for example units that use DHCP.

Select Accept Defined Peers if you want to authenticate with peers added to the peer list only.

Select Specify Peer and select one of the peers added to the peer list to authenticate with the selected peer only.

6. Select OK.

7. Add the authentication group to a WAN optimization rule to apply the authentication settings in the authentication group to the rule.

 

To add an authentication group that uses a certificate- CLI:

Enter the following command to add an authentication group that uses a certificate and can authenticate all peers added to the FortiGate unit configuration.

In this example, the authentication group is named auth_grp_1 and uses a certificate named Example_ Cert.

config wanopt auth-group edit auth_grp_1

set auth-method cert set cert Example_Cert set peer-accept defined

end

 

To add an authentication group that uses a pre-shared key – CLI:

Enter the following command to add an authentication group that uses a pre-shared key and can authenticate only the peer added to the authentication group.

In this example, the authentication group is named auth_peer, the peer that the group can authenticate is named Server_net, and the authentication group uses 123456 as the pre-shared key. In practice you should use a more secure pre-shared key.

config wanopt auth-group edit auth_peer

set auth-method psk set psk 123456

set peer-accept one set peer Server_net

end

 

To add an authentication group that accepts WAN optimization connections from any peer – web-based manager

Add an authentication group that accepts any peer for situations where you do not have the Peer Host IDs or IP Addresses of the peers that you want to perform WAN optimization with. This setting is most often used for WAN optimization with the FortiClient application or with FortiGate units that do not have static IP addresses, for example units that use DHCP. An authentication group that accepts any peer is less secure than an authentication group that accepts defined peers or a single peer.

The example below sets the authentication method to Preshared key. You must add the same password to all FortiGate units using this authentication group.

1. Go to WAN Opt. & Cache > Authentication Groups.

2. Select Create New to add a new authentication group.

3. Configure the authentication group:

Name                                           Specify any name.

Authentication Method            Pre-shared key

Password                                   Enter a pre-shared key.

Peer Acceptance                       Accept Any Peer

 

To add an authentication group that accepts WAN optimization connections from any peer – CLI:

In this example, the authentication group is named auth_grp_1. It uses a certificate named WAN_Cert and accepts any peer.

config wanopt auth-group edit auth_grp_1

set auth-method cert set cert WAN_Cert

set peer-accept any end

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.