Handbook

6.0.0

Authenticating remote peers and clients

A certificate or pre-shared key restricts who can bring up the VPN tunnel, but on its own it does not tell the FortiGate which remote peer or dialup client is connecting (several dialup clients can share one pre-shared key). You have the following options for identifying and authenticating peers:

Methods of authenticating remote VPN peers

  Certificates or    Local ID   User account       Reference
  pre-shared key                pre-shared keys
  -----------------  ---------  -----------------  ------------------------------------------------------------------
  Certificates                                     See Enabling VPN access for specific certificate holders.
  Either             X                             See Enabling VPN access by peer identifier.
  Pre-shared key                X                  See Enabling VPN access with user accounts and pre-shared keys.
  Pre-shared key     X          X                  See Enabling VPN access with user accounts and pre-shared keys.

Repeated authentication in Internet Key Exchange (IKEv2) protocol

The reauth setting controls whether this FortiGate requires its IKEv2 peer to authenticate again when the IKE SA is renewed, or whether a re-key (fresh keys derived without a new authentication) is sufficient. It does not change when this FortiGate itself re-authenticates or re-keys toward the peer; that is governed by the peer's own setting (with the default being to re-key).

This implements the repeated-authentication option described in RFC 4478. Its purpose is to limit how long existing security associations (SAs) remain usable by a third party who has gained control of the IPsec peer: with re-authentication required, the peer must prove possession of its credentials again instead of merely deriving new keys from the current SA.

CLI syntax:

  config vpn ipsec phase1-interface
      edit p1
          set reauth [enable | disable]
      next
  end

  disable: Disable IKE SA re-authentication (the peer may keep the tunnel up by re-keying only).
  enable: Enable IKE SA re-authentication (the peer must authenticate again when the IKE SA is renewed).

Enabling VPN access for specific certificate holders

When a VPN peer or dialup client is configured to authenticate using digital certificates, it sends the Distinguished Name (DN) of its certificate to the FortiGate unit. This DN can be used to allow VPN access for the certificate holder. That is, a FortiGate unit can be configured to deny connections to all remote peers and dialup clients except the one having the specified DN.

Before you begin

The following procedures assume that you already have an existing Phase 1 configuration (see Digital certificates). Follow the procedures below to add certificate-based authentication parameters to the existing configuration.

Before you begin, you must obtain the certificate DN of the remote peer or dialup client. If you are using the FortiClient application as a dialup client, refer to FortiClient online help for information about how to view the certificate DN. To view the certificate DN of a FortiGate unit, see Viewing server certificate information and obtaining the local DN .

Use the config user peer CLI command to load the DN value into the FortiGate configuration. For example, if a remote VPN peer uses server certificates issued by your own organization, you would enter information similar to the following. This entry accepts a peer whose certificate common name (CN) has the given value; cn-type tells the FortiGate how to interpret the CN (here, as an IPv4 address):

  config user peer
      edit DN_FG1000
          set cn 192.168.2.160
          set cn-type ipv4
      end

The value that you specify to identify the entry (for example, DN_FG1000) is displayed in the Accept this peer certificate only list in the IPsec Phase 1 configuration when you return to the GUI.

If the remote VPN peer has a CA-issued certificate to support a higher level of credibility, you would enter information similar to the following in the CLI. This entry accepts a peer whose certificate was issued by the CA certificate named CA_Cert_1 and whose subject matches FG1000_at_site1:

  config user peer
      edit CA_FG1000
          set ca CA_Cert_1
          set subject FG1000_at_site1
      end

The value that you specify to identify the entry (for example, CA_FG1000) is displayed in the Accept this peer certificate only list in the IPsec Phase 1 configuration when you return to the GUI.

A group of certificate holders can be created from existing config user peer entries. To create the certificate group after the individual peer entries exist, use the config user peergrp CLI command; the group name then appears in the Accept this peer certificate group only list in the IPsec Phase 1 configuration.

Viewing server certificate information and obtaining the local DN
  1. Go to System > Certificates.
  2. Note the CN value in the Subject field (for example, CN = 172.16.10.125, CN = info@fortinet.com, or CN = www.example.com).
Viewing CA root certificate information and obtaining the CA certificate name
  1. Go to System > Certificates > CA Certificates.
  2. Note the value in the Name column (for example, CA_Cert_1).

Configuring certificate authentication for a VPN

With peer certificates loaded, peer users and peer groups defined, you can configure your VPN to authenticate users by certificate.

Enabling access for a specific certificate holder or a group of certificate holders
  1. At the FortiGate VPN server, go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
  2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button).
  3. From the Authentication Method list, select RSA Signature.
  4. From the Certificate Name list, select the name of the server certificate that the FortiGate unit will use to authenticate itself to the remote peer or dialup client.
  5. Under Peer Options, select one of these options:
    • To accept a specific certificate holder, select Accept this peer certificate only and select the name of the certificate that belongs to the remote peer or dialup client. The certificate DN must be added to the FortiGate configuration through CLI commands before it can be selected here. See Before you begin.
    • To accept dialup clients who are members of a certificate group, select Accept this peer certificate group only and select the name of the group. The group must be added to the FortiGate configuration through CLI commands before it can be selected here. See Before you begin.
  6. If you want the FortiGate VPN server to supply the DN of a local server certificate for authentication purposes, select Advanced and then from the Local ID list, select the DN of the certificate that the FortiGate VPN server is to use.
  7. Select OK.

Enabling VPN access by peer identifier

Whether you use certificates or pre-shared keys to authenticate the FortiGate unit, you can require that remote peers or clients have a particular peer ID. This adds another piece of information that is required to gain access to the VPN. More than one FortiGate/FortiClient dialup client may connect through the same VPN tunnel when the dialup clients share a preshared key and assume the same identifier.

Note: In circumstances where multiple remote dialup VPN tunnels exist, each tunnel must have a peer ID set.

A peer ID, also called local ID, can be up to 63 characters long and may contain standard regular expression characters. The local ID is set in the Phase 1 configuration and, with a pre-shared key, requires Aggressive Mode: in IKEv1 Main Mode the identity is sent only after the pre-shared key has already been selected by the peer's IP address, so it cannot be used to decide whether to accept the peer, whereas Aggressive Mode carries the identity in its first message.

You cannot require a peer ID for a remote peer or client that uses a pre-shared key and has a static IP address.
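The three requirements described in this chapter (re-authentication for IKEv2 peers, a defined certificate holder or peer group behind Accept this peer certificate only / group only, and a peer ID on each dialup tunnel) can be checked against a FortiGate configuration backup rather than by clicking through each tunnel. The following Python script is an added example and not Fortinet code: it parses the config / edit / set / next / end syntax shown above and reports tunnels that are missing one of these settings. The sample configuration embedded in it is constructed for the example; the keywords it looks for (set peertype, set peer, set peergrp, set peerid, set usrgrp, set ike-version, set type dynamic, set reauth) are FortiOS CLI keywords, and the defaults it assumes when a keyword is absent (type static, peertype any, ike-version 1, reauth not enabled) are assumptions, not values taken from this page.

```python
"""Audit FortiOS phase1-interface entries for the peer-identification gaps this
page describes. Added example, not Fortinet code. Defaults assumed when a
setting is absent: type static, peertype any, ike-version 1, reauth disabled.
The sample configuration below is constructed for the example."""
import shlex
from typing import Dict, List

SAMPLE_CONFIG = """
config user peer
    edit "CA_FG1000"
        set ca "CA_Cert_1"
        set subject "FG1000_at_site1"
    next
end
config user peergrp
    edit "branch_certs"
        set member "CA_FG1000"
    next
end
config vpn ipsec phase1-interface
    edit "dialup_any"
        set type dynamic
        set ike-version 2
        set mode aggressive
    next
    edit "branches"
        set type dynamic
        set ike-version 2
        set authmethod signature
        set peertype peergrp
        set peergrp "branch_certs"
        set reauth enable
    next
    edit "ddns_peer"
        set type dynamic
        set mode aggressive
        set peertype one
    next
end
"""

def parse_fortios(text: str) -> Dict[str, dict]:
    """Parse FortiOS CLI syntax (config / edit / set / next / end) into nested
    dicts; 'set' values are kept as argument lists."""
    root: Dict[str, dict] = {}
    stack = [root]                              # innermost open block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        word, *args = shlex.split(line)         # handles quoted names
        if word == "config":                    # table (may nest inside an edit)
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif word == "edit":                    # entry inside a table
            stack.append(stack[-1].setdefault(args[0], {}))
        elif word == "set":
            stack[-1][args[0]] = args[1:]
        elif word == "unset":
            stack[-1].pop(args[0], None)
        elif word in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root

def _first(entry: dict, key: str, default: str) -> str:
    """First argument of 'set <key> ...', or the assumed default."""
    return entry.get(key, [default])[0]

def audit_phase1(cfg: Dict[str, dict]) -> List[dict]:
    """One finding per gap: {'tunnel', 'code', 'detail'}."""
    tables = {"peer": cfg.get("user peer", {}),
              "peergrp": cfg.get("user peergrp", {}),
              "usrgrp": cfg.get("user group", {})}
    ref_key = {"peer": "peer", "peergrp": "peergrp", "dialup": "usrgrp"}
    findings = []
    for name, p in cfg.get("vpn ipsec phase1-interface", {}).items():
        peertype = _first(p, "peertype", "any")
        if _first(p, "ike-version", "1") == "2" and _first(p, "reauth", "disable") != "enable":
            findings.append({"tunnel": name, "code": "ikev2-no-reauth",
                             "detail": "set reauth enable: peer must re-authenticate, not only re-key"})
        if _first(p, "type", "static") == "dynamic" and peertype == "any":
            findings.append({"tunnel": name, "code": "dialup-any-peer",
                             "detail": "dialup tunnel accepts any identity; use peertype one, peer, peergrp or dialup"})
        if peertype == "one" and "peerid" not in p:
            findings.append({"tunnel": name, "code": "peerid-missing",
                             "detail": "peertype one needs 'set peerid <id>' equal to the client's local ID"})
        if peertype in ref_key:                 # peer / peergrp / dialup must name a real entry
            target = _first(p, ref_key[peertype], "")
            if target not in tables[ref_key[peertype]]:
                findings.append({"tunnel": name, "code": "dangling-reference",
                                 "detail": f"{ref_key[peertype]} '{target}' is not defined"})
    return findings

if __name__ == "__main__":
    for f in audit_phase1(parse_fortios(SAMPLE_CONFIG)):
        print(f"{f['tunnel']}: [{f['code']}] {f['detail']}")
```

Run against the built-in sample, the script reports dialup_any twice (IKEv2 without reauth, and a dialup tunnel that accepts any peer) and ddns_peer once (peertype one with no peerid), while branches, which pins a peer group and requires re-authentication, is clean. To audit a real unit, replace SAMPLE_CONFIG with the text of a configuration backup; static tunnels are deliberately not flagged for peertype any, since the page says a peer ID cannot be required for a pre-shared-key peer with a static address.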

Authenticating remote peers or dialup clients using one peer ID
  1. At the FortiGate VPN server, go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
  2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button).
  3. Select Aggressive mode in any of the following cases:
    • The FortiGate VPN server authenticates a FortiGate dialup client that uses a dedicated tunnel
    • A FortiGate unit has a dynamic IP address and subscribes to a dynamic DNS service
    • FortiGate/FortiClient dialup clients sharing the same preshared key and local ID connect through the same VPN tunnel
  4. For the Peer Options, select This peer ID and type the identifier into the corresponding field.
  5. Select OK.
Assigning an identifier (local ID) to a FortiGate unit

Use this procedure to assign a peer ID to a FortiGate unit that acts as a remote peer or dialup client.

  1. Go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
  2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button).
  3. Select Advanced.
  4. In the Local ID field, type the identifier that the FortiGate unit will use to identify itself.
  5. Set Mode to Aggressive if any of the following conditions apply:
    • The FortiGate unit is a dialup client that will use a unique ID to connect to a FortiGate dialup server through a dedicated tunnel.
    • The FortiGate unit has a dynamic IP address, subscribes to a dynamic DNS service, and will use a unique ID to connect to the remote VPN peer through a dedicated tunnel.
    • The FortiGate unit is a dialup client that shares the specified ID with multiple dialup clients to connect to a FortiGate dialup server through the same tunnel.
  6. Select OK.
Configuring the FortiClient application

Follow this procedure to add a peer ID to an existing FortiClient configuration:

  1. Start the FortiClient application.
  2. Go to VPN > Connections, select the existing configuration.
  3. Select Advanced > Edit > Advanced.
  4. Under Policy, select Config.
  5. In the Local ID field, type the identifier that will be shared by all dialup clients. This value must match the This peer ID value that you specified previously in the Phase 1 gateway configuration on the FortiGate unit.
  6. Select OK to close all dialog boxes.
  7. Configure all dialup clients the same way using the same preshared key and local ID.

Enabling VPN access with user accounts and pre-shared keys

You can permit access only to remote peers or dialup clients that have pre-shared keys and/or peer IDs configured in user accounts on the FortiGate unit.

If you want two VPN peers (or a FortiGate unit and a dialup client) to accept reciprocal connections based on peer IDs, you must enable the exchange of their identifiers when you define the Phase 1 parameters.

The following procedures assume that you already have an existing Phase 1 configuration (see Digital certificates). Follow the procedures below to add ID checking to the existing configuration.

Before you begin, you must obtain the identifier (local ID) of the remote peer or dialup client. If you are using the FortiClient Endpoint Security application as a dialup client, refer to the Authenticating FortiClient Dialup Clients Technical Note to view or assign an identifier. To assign an identifier to a FortiGate dialup client or a FortiGate unit that has a dynamic IP address and subscribes to a dynamic DNS service, see Assigning an identifier (local ID) to a FortiGate unit .

If required, a dialup user group can be created from existing user accounts for dialup clients.

The following procedure supports FortiGate/FortiClient dialup clients that use unique preshared keys and/or peer IDs. The client must have an account on the FortiGate unit and be a member of the dialup user group.

The dialup user group must be added to the FortiGate configuration before it can be selected.

The FortiGate dialup server compares the local ID that you specify at each dialup client to the FortiGate user-account user name. The dialup-client preshared key is compared to a FortiGate user-account password.

Authenticating dialup clients using unique preshared keys and/or peer IDs
  1. At the FortiGate VPN server, go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
  2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button).
  3. If the clients have unique peer IDs, set Mode to Aggressive.
  4. Clear the Pre-shared Key field.
    The user account password will be used as the preshared key.
  5. Select Peer ID from dialup group and then select the group name from the list of user groups.
  6. Select OK.

Follow this procedure to add a unique pre-shared key and unique peer ID to an existing FortiClient configuration.

Configuring FortiClient - pre-shared key and peer ID
  1. Start the FortiClient Endpoint Security application.
  2. Go to VPN > Connections, select the existing configuration.
  3. Select Advanced > Edit.
  4. In the Preshared Key field, type the FortiGate password that belongs to the dialup client (for example, 1234546).
    The user account password will be used as the preshared key.
  5. Select Advanced.
  6. Under Policy, select Config.
  7. In the Local ID field, type the FortiGate user name that you assigned previously to the dialup client (for example, FortiClient1).
  8. Select OK to close all dialog boxes.

Configure all FortiClient dialup clients this way using unique preshared keys and local IDs.

Follow this procedure to add a unique pre-shared key to an existing FortiClient configuration.

Configuring FortiClient - preshared key only
  1. Start the FortiClient Endpoint Security application.
  2. Go to VPN > Connections, select the existing configuration.
  3. Select Advanced > Edit.
  4. In the Preshared Key field, type the user name, followed by a “+” sign, followed by the password that you specified previously in the user account settings on the FortiGate unit (for example, FC2+1FG6LK).
  5. Select OK to close all dialog boxes.

Configure all the FortiClient dialup clients this way, each with its own user name and password combined in the pre-shared key.
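The rules in this section (local ID compared with the user name, pre-shared key compared with the password, membership of the dialup user group required, and the "user+password" form used when the client sends no local ID) are shown together in the following Python model of both sides. It is an added example, not FortiOS or FortiClient code: the account table and group are constructed (FortiClient1, FC2 and their passwords are the values this page uses as examples), forticlient_settings and check_dialup_client are names chosen here, and splitting at the first "+" is an assumption, because the page does not say how a "+" inside a password is handled.

```python
"""Model of the user-account check the dialup server performs, as this page
describes it. Added example, not FortiOS code: the accounts and group are
constructed, and splitting 'user+password' at the first '+' is an assumption."""
import hmac
from typing import Dict, Optional, Set, Tuple

# Constructed sample: FortiGate local user accounts (name -> password) and the
# dialup user group selected under 'Peer ID from dialup group'.
ACCOUNTS: Dict[str, str] = {"FortiClient1": "1234546", "FC2": "1FG6LK",
                            "FC3": "a+b", "admin2": "p4ss+word"}
DIALUP_GROUP: Set[str] = {"FortiClient1", "FC2", "FC3"}   # admin2 deliberately left out

def forticlient_settings(username: str, password: str, with_peer_id: bool) -> Dict[str, str]:
    """Values to enter in FortiClient for either procedure on this page:
    peer ID + PSK (Local ID = user name, Preshared Key = password) or
    PSK only (Preshared Key = 'user+password', Local ID left empty)."""
    if with_peer_id:
        return {"Local ID": username, "Preshared Key": password}
    return {"Local ID": "", "Preshared Key": f"{username}+{password}"}

def check_dialup_client(local_id: str, psk: str,
                        accounts: Dict[str, str] = ACCOUNTS,
                        group: Set[str] = DIALUP_GROUP) -> Tuple[bool, Optional[str]]:
    """Server-side decision: (accepted, matched user name).
    The local ID is compared with the user name and the PSK with the password;
    with no local ID, the PSK itself carries 'user+password'."""
    if local_id:
        username, password = local_id, psk
    elif "+" in psk:
        username, password = psk.split("+", 1)   # assumption: first '+' ends the user name
    else:
        return False, None                        # nothing identifies the client
    if username not in group or username not in accounts:
        return False, None                        # unknown user, or not in the dialup group
    if not hmac.compare_digest(accounts[username].encode(), password.encode()):
        return False, None                        # password mismatch (constant-time compare)
    return True, username

if __name__ == "__main__":
    for user, pw in ACCOUNTS.items():
        for with_id in (True, False):
            s = forticlient_settings(user, pw, with_id)
            print(user, "peer-id" if with_id else "psk-only",
                  check_dialup_client(s["Local ID"], s["Preshared Key"]))
```

The real comparison happens inside the IKE exchange (the identity arrives in the IKE ID payload and the pre-shared key is proven by the authentication exchange, never sent in clear); the model only shows which client value is matched against which account field, and that an account outside the selected dialup group is refused even with the correct password, which is why the group, not just the user list, must be selected in the Phase 1 configuration.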
