I’m looking for a way to connect a Windows client (native RasMan) to a FortiGate, with password or certificate-based authentication.
I managed to get it working with IKEv2, but some update on Windows or Fortinet side broke it. Is it possible/practical at all? What’s the best way?
There are two problems with FortiClient VPN: You can’t automate it (no API or CLI) and you can only have one active VPN connection at a time. Maybe there are alternative clients which allow multiple connections and automation?
What I tried and doesn’t work anymore:
IPsec/IKEv2 interface with “Dialup User”, Mode config enabled, assign IP from pool, authentication with a valid server certificate, accept any peer ID
config vpn ipsec phase1-interface
    edit ipsec-ikev2
        set eap enable
        set eap-identity send-request
        set authusrgrp "ikev2vpn"
        set client-auto-negotiate enable
        set client-keep-alive enable
    next
end
Policy with source user group “ikev2vpn”
Windows client configuration:
VPN connection with hostname matching the certificate, Type: IKEv2
Been running that sort of setup for years. Started with FortiOS 5.x and a mix of Windows 7 and early Windows 10, now we’re at FortiOS 6.4 and the latest Windows 10 and early Windows 11. Haven’t had any breakage because of updates so far; the only clients that have ever stopped working did so because some firmware/BIOS update broke the TPM, which is where we store the client certificate. Only a handful in the last 5+ years though, from a fleet of at any time a few hundred laptops, so it’s been fairly reliable.
I specifically opted for the native client to be able to use the VPNv2 CSP and Always On VPN, which will fire up tunnels on boot or on demand, more reliably and with fewer moving parts than using FortiClient. Yes, FortiClient is simpler to get up and running with manual hands-on setup, but for a large fleet of computers I imagine it would have caused far more maintenance and setup headaches in the long run, with no significant benefits.
Two things that stand out for me. You’re using EAP. No reason that shouldn’t work, and I suppose that will be a requirement if you want to use certificates or passwords. If you double down on certificates only, you can do the authentication directly on the firewall and without EAP/RADIUS with peer and peergrp.
More importantly, if your phase1 proposal is as described (you didn’t include it in the config), the proposal you’re setting on the Windows client isn’t even close to compatible. Personally, I just use a single proposal for both client and server. I control both, so why complicate matters with a bunch of different ones. But either way, just correct your proposals and it will probably work fine. Start with removing all the GCM-stuff from your Windows setup. AES GCM is not the same as AES, or compatible with it.
Just use FortiClient, unlike Windows VPN, it just works. Edit: just noticed your comment about wanting to run multiple VPNs simultaneously. Why would you need to connect to more than one VPN? You should reach out to Fortinet support about your deployment automation needs if you don’t get an answer here.
Not sure what kind of automation you want from FortiClient, because you can do most things automatically already, since it’s just registry keys all the way down, but what is your current problem with the native Windows client? You just say an update broke it, but what do the debugs say?
I haven’t tried to get it working with IKEv2 but I have it working 100% with L2TP over IPsec and PAP with the Windows native client on both Win10 and Win11. Note that PAP is the only option you can use with L2TP over IPsec.
I am pushing split-tunnel routes with DHCP Option 160 from the FortiGate, so I just need to set the VPN connection on Windows to split tunnel enabled, and I can manage routes on the FortiGate side.
I’m also doing MFA with DUO. RADIUS server on FortiGate pointed to Duo Authentication Proxy against AD. After auth with user/pass, a Duo Push is sent automatically.
Why would you need to connect to more than one vpn?
We use Remote Desktop Manager to connect to customers’ networks automatically when needed. Most of them use FortiGates. Often it’s useful to quickly connect to one customer without disconnecting every session (SSH, RDP …) on the other.
Can FortiClient be configured to run as a system service so you can have the IPsec connection come up as soon as a device is connected to the internet?
Sorry I’m not sure what exactly the problem was. I tried it a couple weeks ago and gave up at some point, because I wasn’t sure if this is even a good idea or officially supported. I didn’t want to rely on a VPN solution that can break with every update. Maybe I’ll give it another go later.
The automation I need is for Remote Desktop Manager to connect to different customer sites automatically, without preconfiguring the client. So all the server configuration and authentication should come from external too through function calls or CLI. (passing passwords through CLI is bad though)
Good luck. Guess I should share some relevant config:
config vpn ipsec phase1-interface
    edit "MyVPN"
        set type dynamic
        set interface <interface to listen on>
        set ike-version 2
        set authmethod signature
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 <DNS server IP>
        set ipv4-dns-server2 <DNS server IP>
        set proposal aes256-sha256
        set dpd on-idle
        set dhgrp 14
        set certificate <certificate>
        set peer "MyVPNClients"
        set ipv4-start-ip <start of client IP range>
        set ipv4-end-ip <end of client IP range>
        set dpd-retryinterval 60
    next
end
config vpn ipsec phase2-interface
    edit "MyVPN"
        set phase1name "MyVPN"
        set proposal aes256-sha256
        set dhgrp 14
    next
end
config user peer
    edit "MyVPNClients"
        set ca <certificate of CA issuing to your clients>
        set cn-type FQDN
    next
end
For that particular setup on the FortiGate, you’d use these settings on Windows:
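As an added example (my own, not the poster’s settings), this is one way to build the matching Windows-side connection with the built-in VpnClient cmdlets: certificate authentication and the same aes256-sha256 / DH group 14 proposal for both the IKE SA (phase1) and ESP (phase2). The connection name, the placeholder hostname and the choice of machine-certificate authentication are assumptions.

```powershell
# Added example: Windows native IKEv2 client matching the FortiGate config above.
# Assumptions: connection name "MyVPN"; vpn.example.com is a placeholder that must
# match the CN/SAN of the certificate given to "set certificate" on the FortiGate;
# the client holds a machine certificate issued by the CA in "config user peer".
$name   = 'MyVPN'
$server = 'vpn.example.com'   # placeholder hostname

# Remove a stale profile so the script can be re-run after changing proposals.
if (Get-VpnConnection -Name $name -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $name -Force
}

# MachineCertificate = "set authmethod signature" + "set peer" on the FortiGate
# (no EAP/RADIUS involved). Split tunneling keeps only pushed routes on the tunnel.
Add-VpnConnection -Name $name -ServerAddress $server -TunnelType Ikev2 `
    -AuthenticationMethod MachineCertificate -EncryptionLevel Required `
    -SplitTunneling -Force

# Pin the proposal. Windows' default IKEv2 policy, and any GCM transform,
# will not negotiate against "set proposal aes256-sha256"; AES-GCM is not AES-CBC.
$ipsec = @{
    ConnectionName                   = $name
    EncryptionMethod                 = 'AES256'    # IKE SA encryption = phase1 aes256
    IntegrityCheckMethod             = 'SHA256'    # IKE SA integrity  = phase1 sha256
    DHGroup                          = 'Group14'   # IKE SA DH         = phase1 dhgrp 14
    CipherTransformConstants         = 'AES256'    # ESP encryption    = phase2 aes256
    AuthenticationTransformConstants = 'SHA256128' # ESP integrity     = phase2 sha256
    PfsGroup                         = 'PFS2048'   # ESP PFS           = phase2 dhgrp 14
    Force                            = $true
}
Set-VpnConnectionIPsecConfiguration @ipsec

# Print the effective policy so it can be compared with the FortiGate side
# (e.g. "diagnose vpn ike gateway list") when a negotiation fails.
Get-VpnConnectionIPsecConfiguration -ConnectionName $name
```

If the FortiGate proposal is later changed (for example to a GCM suite), the hashtable above is the one place that has to change on the client; a mismatch shows up as an IKE NO_PROPOSAL_CHOSEN in the FortiGate IKE debug.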
So this all feels a bit… against the grain. The solution is therefore likely to run into the bugs and issues that are inevitable in the world of ‘get that new code to market…quick!’. This is all vendors, not just Fortinet. This is going to result in you not being able to support your customers… they will get annoyed and leave. KiSS = keep it simple stupid; don’t create problems for 3am you.
Firstly it sounds like you are potentially doing admin-like activities from your dirty email and web enabled laptop. This is not the best of ideas.
Moving on, I would look to do site-to-site VPN instead into a hardened management environment (maybe a separate VDOM on your core firewall). This should run some sort of PAM… FortiPAM if you want to be a FortiFanboy. Seriously, it’s a surprisingly good product. This keeps connectivity simple for your operators, even at 3am, as well as ensuring you have granular control and visibility of what’s going on during these management sessions.