Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 7.4.1 Administration Guide
    7.4.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    Windows IKEv2 native VPN with user certificate

    Windows IKEv2 native VPN with user certificate

    In this example, IKEv2 with Extensible Authentication Protocol – Transport Layer Security (EAP-TLS) using mutual certificate authentication is configured. Mutual certificate authentication means that both the client and server use certificates to identify themselves. EAP uses RADIUS, which is handled by the Network Policy Server (NPS) on the Windows server. Certificates are generated and distributed through Active Directory Certificate Services (AD CS). An additional certificate is used to identify the IPsec gateway.

    This example assumes that the following Windows server roles are installed and available:

    • NPS (RADIUS)

    • AD CS with a generated CA

    • Group Policy Management

    • DNS server

    It is also assumed that a connection is established between the NPS and FortiGate, and a DNS entry exists for the NPS that the FortiGate can resolve.

    Certificates

    The following certificates are required:

    • CA certificate for EAP-TLS to sign the client and server certificates.

      The CA certificate must be able to sign other certificates. It is created after AD CSs CA role installation. It is named lab-local-CA, as lab.local is the domain that is used in this example. The CA certificate is automatically installed on the server that is hosting the AD CS role. In this example, that server is also hosting the NPS and DNS server.

      The Key Usage specifies Certificate Signing.

    • Client certificate for EAP-TLS used by the windows client.

      The client certificate is stored in the personal user certificate store and is used to authenticate the user. The certificate has Client Authentication and a SAN of the user's FQDN, and is signed by the CA. The CA is stored in Current User > Trusted Root Certification Authorities.

    • Server certificate for EAP-TLS used by the server providing RADIUS authentication.

      The NPS certificate must be in the hosting server's certificate store so that the NPS can access it. It has Server Authentication and a SAN DNS name to match the server's IP address. The user must use the FQDN to connect to the VPN. If the IP address that the name resolves to is used, the certificate will not be considered valid.

    • VPN certificate used to identify the FortiGate dialup gateway.

      The VPN certificate and private key are installed to the FortiGate using a CSR generated by the FortiGate

    Configure the Windows server

    The Windows server includes AD-CS, a RADIUS server, and a DNS server.

    After the AD CS role has been installed and configured, the CA is ready to sign certificates.

    Users and groups are defined first. The groups are configured to automatically receive certificates and relay membership to the FortiGate for granular access control through group matching in policies.

    RADIUS is used to authorize connecting users. The RADIUS server returns users' groups with the access-accept response, to indicate to the FortiGate what groups the users belong to.

    To create security groups and users:

    1. Open Active Directory Users and Computers.

    2. Create two groups, Group1 and Group2.

    3. Create two users, User1 and User2.

      1. To ensure that the automatic enrollment process succeeds in subsequent steps, ensure that each users has an email address configured in the Email field under Properties > General.

    4. Add User1 to Group1 and User2 to Group2.

    To create a certificate template to enable automatic enrollment for the user groups:

    1. Open Certification Authority.

    2. In the navigation pane, expand the new CA, right-click Certificate Template and click Manage.

    3. Configure a new certificate template:

      1. Right-click the User template and click Duplicate Template.

      2. On the General tab, enter a Template display name, such as User Auto Enroll.

      3. Enable Publish certificate in Active Directory and Do not automatically reenroll....

      4. Configure the remaining settings as required, then go to the Request Handling tab.

      5. Disable Allow private key to be exported and select Enroll subject without requiring any user input.

      6. On the Security tab, in Group or user name, click Add.

      7. Add Group1 and Group2.

      8. Select each group and, under Permissions, enable Read, Enroll, and Autoenroll.

      9. On the Extensions tab, click Application Policies then click Edit.

      10. Remove all of the policies expect for Client Authentication.

      11. Click OK then close the Certificate Templates console.

    4. In the navigation pane, right-click Certificate Template and click New > Certificate Template to Issue.

    5. Select the new certificate template, User Auto Enroll, then click OK.

    To create a group policy to enable automatic enrollment:

    1. Open the Group Policy Management console.

    2. In the navigation pane, go to Forest:lab.local > Domains > lab.local, and then click Group Policy Objects.

    3. Click Action, and then click New.

    4. Set a Name for the new GPO then click OK.

    5. Right-click the new GPO and click Edit.

    6. In the Group Policy Management Editor navigation pane, go to User configuration > Policies > Windows Settings > Security Settings > Public Key Policies.

    7. In the content pane, double-click Certificate Services Client - Auto-Enrollment.

    8. Set Configuration Model to Enabled.

    9. Enable Renew expired certificates... and Update certificates....

    10. Click OK.

    To verify that users are receiving certificates:

    1. Log into an endpoint with a domain user.

    2. On the server, open Certification Authority.

    3. Expand the CA and select Issued Certificates.

    4. Verify that the user logged into the endpoint is listed under Requested Name. You can also check the local user certificate store on the endpoint.

    To generate and sign a CSR and import the signed certificate to the FortiGate:

    1. On the FortiGate and go to System > Certificates and click Create/Import > Generate CSR.

    2. Configure the CSR:

      Certificate Name

      vpn.lab.local

      ID Type

      Domain Name

      Domain Name

      vpn.lab.local

      Subject Alternative Name

      DNS:vpn.lab.local

    3. Configure the remaining settings as required, then click OK.

    4. Download the CSR to a location that is accessible to the CA server, in this example: C:\CSR\

    5. Sign the CSR with the previously created CA:

      1. Open the command prompt as an administrator and enter the following:

        certreq -submit -attrib "CertificateTemplate:WebServer" C:\CSR\vpn.lab.local.csr

        The Certification Authority List window opens.

      2. Select the CA and click OK.

      3. Save the signed certificate with a .cer file extension to a location that is accessible from the FortiGate.

    6. Import the signed certificate to the FortiGate:

      1. On the FortiGate, go to System > Certificates and click Create/Import > Certificate.

      2. Click Import Certificate.

      3. Set Type to Local Certificate.

      4. Click Upload and locate and select the signed certificate

      5. Click Create then click OK.

    To configure network policies on the RADIUS server:

    1. Open the Network Policy Server and, in the console tree, expand Policies.

    2. Right-click on Network Policies and click New.

    3. Enter a Policy name, such as VPN-Group1, then click Next.

    4. Under Condition description click Add:

      1. Select User Groups, then click Add.

      2. Click Add Groups.

      3. Enter the group name, Group1, click Check Names to confirm the group.

      4. Click OK in both windows.

    5. Click Next.

    6. Make sure that Access granted is selected, then click Next.

    7. On the Configure Authentication Methods page, click Add and add the EAP type Microsoft: Smart Care or other certificate.

    8. Edit the EAP type, select the previously generated certificate, then click OK.

    9. Deselect all of the Less secure authentication methods then click Next.

    10. Configure constraints as needed, then click Next.

    11. On the Configure Settings page, under RADIUS Attributes, select Vendor Specific, then click Add:

      1. In the Attributes list, select Vendor-Specific, then click Add.

      2. In the Attribute Information window, click Add.

      3. In the Vendor-Specific Attribute Information window, enter the Vendor Code, 12356, and select Yes. It conforms.

      4. Click Configure Attribute and configure the following:

        Vendor-assigned attribute number

        1

        Attribute format

        String

        Attribute value

        Group

      5. Click OK on all three windows and on the Add Vendor Specific Attribute window click Close.

    12. Click Next.

    13. On the Completing New Network Policy page, review the configuration, then click Finish.

    14. Duplicate the policy for Group2, and call the new policy VPN-Group2.

    15. Reorder the policies so that VPN-Group1 and VPN-Group2 are one and two in the processing order.

    To add the FortiGate as a RADIUS client:

    1. Open the Network Policy Server and, in the console tree, expand RADIUS Clients and Servers.

    2. Right-click on RADIUS Clients and click New.

    3. Add the FortiGate as a RADIUS client:

      Friendly name

      FGT1

      Address

      10.0.1.1

      Shared Secret

      Manually enter the shared secret.

    4. Click OK.

    To create a DNS entry for the VPN connection:

    1. Open the DNS Manager.

    2. Go to DC > Forward Lookup Zones and select lab.local.

    3. Right click in the content pane and select New Host (A or AAAA).

    4. Enter the VPN name. The FQDN should be auto-filled with vpn.lab.local.

    5. Enter an IP address.

    6. Click Add Host.

    Configure the FortiGate

    An IPsec VPN tunnel is configured to connect to the NPS (RADIUS) server for EAP authentication. For information about IPsec VPN, see IPsec VPNs.

    A RADIUS server is added to relay VPN authentication requests to the NPS server. For information about RADIUS servers, see RADIUS servers.

    Three groups are created that point to the RADIUS server for authentication: one group each for user group Group1, user group Group2, and the remote server. For information about groups, see User groups.

    Three firewall policies are created to test the functionality of the three user groups (see Policies):

    • Policy 1 allows VPN clients to communicate with each other.

    • Policy 2 allows VPN clients in the Group1 user group to communicate with Server1 and Server3.

    • Policy 3 allows VPN clients in the Group2 user group to communicate with Server1 and Server2.

    To configure IPsec VPN in the GUI:

    1. Go to VPN > IPsec Wizard.

    2. Enter a name for the VPN, such as VPN1.

    3. Set Template type to Custom, then click Next.

    4. In the Network section, configure the following:

      Remote Gateway

      Dialup User

      Interface

      port1

      Mode Config

      Enable

      Assign IP From

      Range

      Client Address Range

      10.58.58.1-10.58.58.10

      DNS Server

      192.168.1.100

      Enable IPv4 Split Tunnel

      Enable

      Accessible Networks

      Select the networks that VPN users will have access to.

    5. In the Authentication section, configure the following:

      Method

      Signature

      Certificate Name

      vpn.lab.local

      Version

      2

      Accept Types

      Any peer ID

    6. In the Phase 1 Proposal section, configure the following:

      Encryption / Authentication

      AES128 / SHA256

      Encryption / Authentication

      		 AES256 / SHA256

      Encryption / Authentication

      AES128 / SHA1

      Diffie-Hellman Groups

      14, 5, 2

      Local ID

      vpn.lab.local

    7. In the Phase 2 Selectors section, configure the following:

      Local Address

      Named Address - all

      Remote Address

      Named Address - all

      Encryption / Authentication

      AES128 / SHA256

      Encryption / Authentication

      		 AES256 / SHA256

      Encryption / Authentication

      AES128 / SHA1

      Enable Perfect Forward Secrecy (PFS)

      Disable

      Autokey Keep Alive

      Enable

    8. Enable EAP settings in the CLI:

      config vpn ipsec phase1-interface
    edit VPN1
        set eap enable
        set eap-identity send-request
    next
end
    To configure IPsec VPN in the CLI:
    config vpn ipsec phase1-interface
    edit "VPN1"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set authmethod signature
        set peertype any
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 192.168.1.100
        set proposal aes128-sha256 aes256-sha256 aes128-sha1
        set localid "vpn.lab.local"
        set dpd on-idle
        set dhgrp 14 5 2
        set eap enable
        set eap-identity send-request
        set certificate "vpn.lab.local"
        set ipv4-start-ip 10.58.58.1
        set ipv4-end-ip 10.58.58.10
        set ipv4-split-include "10/8_net"
        set dpd-retryinterval 60
    next
end
config vpn ipsec phase2-interface
    edit "VPN1"
        set phase1name "VPN1"
        set proposal aes128-sha256 aes256-sha256 aes128-sha1
        set pfs disable
        set keepalive enable
        set src-addr-type name
        set dst-addr-type name
        set src-name "all"
        set dst-name "all"
    next
end
    To add the RADIUS server in the GUI:

    1. Go to User & Authentication > RADIUS Servers and click Create New.

    2. Enter a name for the server, such as NPS.

    3. Enter the Primary Server IP/Name and Secret.

      The Test User Credentials option will not work, as it does not use certificates for the test.

    4. Click OK.

    To add the RADIUS server in the CLI:
    config user radius
    edit "NPS"
        set server <ip>
        set secret **********
    next
end
    To configure the user groups in the GUI:

    1. Go to User & Authentication > User Groups and click Create New.

    2. Enter a name for the group, such as Group1.

    3. In the Remote Groups table, click Add:

      1. Set Remote Server to the just created RADIUS server, NPS.

      2. Set Groups to Specify and enter Group1.

      3. Click OK.

    4. Click OK.

    5. Create a second group called Group2 with the same Remote Server and Group Name set to Group2.

    6. Create a third group called RADIUS with the same Remote Server but no Group Name.

    To configure the user groups in the CLI:
    config user group
    edit "Group1"
        set member "NPS"
        config match
            edit 1
                set server-name "NPS"
                set group-name "Group1"
            next
        end
    next
    edit "Group2"
        set member "NPS"
        config match
            edit 1
                set server-name "NPS"
                set group-name "Group2"
            next
        end
    next
    edit "RADIUS"
        set member "NPS"
    next 
end
    To configure the policies in the GUI:

    1. Go to Policy & Objects > Firewall Policy and click Create New.

    2. Configure policy 1:

      Name

      VPN-VPN

      Incoming Interface

      VPN1

      Outgoing Interface

      VPN1

      Source

      all, RADIUS

      Destination

      all

      Schedule

      always

      Service

      ALL

      NAT

      Disable

    3. Click OK.

    4. Click Create New again and configure policy 2:

      Name

      VPN Group1

      Incoming Interface

      VPN1

      Outgoing Interface

      Server1, Server3

      Source

      all, Group1

      Destination

      10.10.0.1, 10.10.0.3

      Schedule

      always

      Service

      ALL

      NAT

      Disable

    5. Click OK.

    6. Click Create New again and configure policy 3:

      Name

      VPN Group2

      Incoming Interface

      VPN1

      Outgoing Interface

      Server1, Server2

      Source

      all, Group2

      Destination

      10.10.0.1, 10.10.0.2

      Schedule

      always

      Service

      ALL

      NAT

      Disable

    7. Click OK.

    To configure the policies in the CLI:
    config firewall policy
    edit 1
        set name "VPN-VPN"
        set srcintf "VPN1"
        set dstintf "VPN1"
        set action accept
        set srcaddr "all" "RADIUS"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 2
        set name "VPN Group1"
        set srcintf "VPN1"
        set dstintf "Server1" "Server3"
        set action accept
        set srcaddr "all" "Group1"
        set dstaddr "10.10.0.1" "10.10.0.3"
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 3
        set name "VPN Group2"
        set srcintf "VPN1"
        set dstintf "Server1" "Server2"
        set action accept
        set srcaddr "all" "Group2"
        set dstaddr "10.10.0.1" "10.10.0.2"
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

    Configure the Windows client

    The configuration is done on a Windows 10 Enterprise endpoint.

    To add VPN connection and configure a VPN interface:

    1. Open the Settings page and go to Network & Internet > VPN.

    2. Click Add a VPN connection.

    3. Configure the following:

      VPN provider

      Windows (built-in)

      Connection name

      vpn.lab.local

      Server name or address

      vpn.lab.local

      VPN type

      IKEv2

      Type of sign-in info

      Certificate

    4. Click Save.

    5. Go to Network & Internet > Status and, under Advanced network settings, click Change adapter options.

    6. Select the VPN connection then click Change settings of this connection, or right-click on the connection and select Properties:

      1. Go to the Security tab and, in the Authentication section, click Properties.

      2. Select Use a certificate on this computer and enable Use simple certification selection.

      3. Enable Verify the server's identity by validating the certificate.

      4. Optionally, enable Connect to these servers and enter your NPS server's FQDN, in this case DC.lab.local.

      5. In the Trusted Root Certificate Authorities list, select the CA lab-local-CA.

      6. Click OK, then click OK again.

    To test the connection:

    1. Log in to the Windows endpoint as user1.

    2. Open the network settings and connect to the vpn.lab.local VPN.

    3. Ping each of the three servers to confirm that you can connect to server1 (10.10.0.1) and server3 (10.10.0.3), but not server2 (10.10.0.2).

    4. Log out of the Windows endpoint, then log back in as user2.

    5. Open the network settings and connect to the vpn.lab.local VPN.

    6. Ping each of the three servers to confirm that you can connect to server1 (10.10.0.1) and server2 (10.10.0.2), but not server3 (10.10.0.3).

    Previous
    Next

    Windows IKEv2 native VPN with user certificate

    Windows IKEv2 native VPN with user certificate

    In this example, IKEv2 with Extensible Authentication Protocol – Transport Layer Security (EAP-TLS) using mutual certificate authentication is configured. Mutual certificate authentication means that both the client and server use certificates to identify themselves. EAP uses RADIUS, which is handled by the Network Policy Server (NPS) on the Windows server. Certificates are generated and distributed through Active Directory Certificate Services (AD CS). An additional certificate is used to identify the IPsec gateway.

    This example assumes that the following Windows server roles are installed and available:

    • NPS (RADIUS)

    • AD CS with a generated CA

    • Group Policy Management

    • DNS server

    It is also assumed that a connection is established between the NPS and FortiGate, and a DNS entry exists for the NPS that the FortiGate can resolve.

    Certificates

    The following certificates are required:

    • CA certificate for EAP-TLS to sign the client and server certificates.

      The CA certificate must be able to sign other certificates. It is created after AD CSs CA role installation. It is named lab-local-CA, as lab.local is the domain that is used in this example. The CA certificate is automatically installed on the server that is hosting the AD CS role. In this example, that server is also hosting the NPS and DNS server.

      The Key Usage specifies Certificate Signing.

    • Client certificate for EAP-TLS used by the windows client.

      The client certificate is stored in the personal user certificate store and is used to authenticate the user. The certificate has Client Authentication and a SAN of the user's FQDN, and is signed by the CA. The CA is stored in Current User > Trusted Root Certification Authorities.

    • Server certificate for EAP-TLS used by the server providing RADIUS authentication.

      The NPS certificate must be in the hosting server's certificate store so that the NPS can access it. It has Server Authentication and a SAN DNS name to match the server's IP address. The user must use the FQDN to connect to the VPN. If the IP address that the name resolves to is used, the certificate will not be considered valid.

    • VPN certificate used to identify the FortiGate dialup gateway.

      The VPN certificate and private key are installed to the FortiGate using a CSR generated by the FortiGate

    Configure the Windows server

    The Windows server includes AD-CS, a RADIUS server, and a DNS server.

    After the AD CS role has been installed and configured, the CA is ready to sign certificates.

    Users and groups are defined first. The groups are configured to automatically receive certificates and relay membership to the FortiGate for granular access control through group matching in policies.

    RADIUS is used to authorize connecting users. The RADIUS server returns users' groups with the access-accept response, to indicate to the FortiGate what groups the users belong to.

    To create security groups and users:

    1. Open Active Directory Users and Computers.

    2. Create two groups, Group1 and Group2.

    3. Create two users, User1 and User2.

      1. To ensure that the automatic enrollment process succeeds in subsequent steps, ensure that each users has an email address configured in the Email field under Properties > General.

    4. Add User1 to Group1 and User2 to Group2.

    To create a certificate template to enable automatic enrollment for the user groups:

    1. Open Certification Authority.

    2. In the navigation pane, expand the new CA, right-click Certificate Template and click Manage.

    3. Configure a new certificate template:

      1. Right-click the User template and click Duplicate Template.

      2. On the General tab, enter a Template display name, such as User Auto Enroll.

      3. Enable Publish certificate in Active Directory and Do not automatically reenroll....

      4. Configure the remaining settings as required, then go to the Request Handling tab.

      5. Disable Allow private key to be exported and select Enroll subject without requiring any user input.

      6. On the Security tab, in Group or user name, click Add.

      7. Add Group1 and Group2.

      8. Select each group and, under Permissions, enable Read, Enroll, and Autoenroll.

      9. On the Extensions tab, click Application Policies then click Edit.

      10. Remove all of the policies expect for Client Authentication.

      11. Click OK then close the Certificate Templates console.

    4. In the navigation pane, right-click Certificate Template and click New > Certificate Template to Issue.

    5. Select the new certificate template, User Auto Enroll, then click OK.

    To create a group policy to enable automatic enrollment:

    1. Open the Group Policy Management console.

    2. In the navigation pane, go to Forest:lab.local > Domains > lab.local, and then click Group Policy Objects.

    3. Click Action, and then click New.

    4. Set a Name for the new GPO then click OK.

    5. Right-click the new GPO and click Edit.

    6. In the Group Policy Management Editor navigation pane, go to User configuration > Policies > Windows Settings > Security Settings > Public Key Policies.

    7. In the content pane, double-click Certificate Services Client - Auto-Enrollment.

    8. Set Configuration Model to Enabled.

    9. Enable Renew expired certificates... and Update certificates....

    10. Click OK.

    To verify that users are receiving certificates:

    1. Log into an endpoint with a domain user.

    2. On the server, open Certification Authority.

    3. Expand the CA and select Issued Certificates.

    4. Verify that the user logged into the endpoint is listed under Requested Name. You can also check the local user certificate store on the endpoint.

    To generate and sign a CSR and import the signed certificate to the FortiGate:

    1. On the FortiGate and go to System > Certificates and click Create/Import > Generate CSR.

    2. Configure the CSR:

      Certificate Name

      vpn.lab.local

      ID Type

      Domain Name

      Domain Name

      vpn.lab.local

      Subject Alternative Name

      DNS:vpn.lab.local

    3. Configure the remaining settings as required, then click OK.

    4. Download the CSR to a location that is accessible to the CA server, in this example: C:\CSR\

    5. Sign the CSR with the previously created CA:

      1. Open the command prompt as an administrator and enter the following:

        certreq -submit -attrib "CertificateTemplate:WebServer" C:\CSR\vpn.lab.local.csr

        The Certification Authority List window opens.

      2. Select the CA and click OK.

      3. Save the signed certificate with a .cer file extension to a location that is accessible from the FortiGate.

    6. Import the signed certificate to the FortiGate:

      1. On the FortiGate, go to System > Certificates and click Create/Import > Certificate.

      2. Click Import Certificate.

      3. Set Type to Local Certificate.

      4. Click Upload and locate and select the signed certificate

      5. Click Create then click OK.

    To configure network policies on the RADIUS server:

    1. Open the Network Policy Server and, in the console tree, expand Policies.

    2. Right-click on Network Policies and click New.

    3. Enter a Policy name, such as VPN-Group1, then click Next.

    4. Under Condition description click Add:

      1. Select User Groups, then click Add.

      2. Click Add Groups.

      3. Enter the group name, Group1, click Check Names to confirm the group.

      4. Click OK in both windows.

    5. Click Next.

    6. Make sure that Access granted is selected, then click Next.

    7. On the Configure Authentication Methods page, click Add and add the EAP type Microsoft: Smart Care or other certificate.

    8. Edit the EAP type, select the previously generated certificate, then click OK.

    9. Deselect all of the Less secure authentication methods then click Next.

    10. Configure constraints as needed, then click Next.

    11. On the Configure Settings page, under RADIUS Attributes, select Vendor Specific, then click Add:

      1. In the Attributes list, select Vendor-Specific, then click Add.

      2. In the Attribute Information window, click Add.

      3. In the Vendor-Specific Attribute Information window, enter the Vendor Code, 12356, and select Yes. It conforms.

      4. Click Configure Attribute and configure the following:

        Vendor-assigned attribute number

        1

        Attribute format

        String

        Attribute value

        Group

      5. Click OK on all three windows and on the Add Vendor Specific Attribute window click Close.

    12. Click Next.

    13. On the Completing New Network Policy page, review the configuration, then click Finish.

    14. Duplicate the policy for Group2, and call the new policy VPN-Group2.

    15. Reorder the policies so that VPN-Group1 and VPN-Group2 are one and two in the processing order.

    To add the FortiGate as a RADIUS client:

    1. Open the Network Policy Server and, in the console tree, expand RADIUS Clients and Servers.

    2. Right-click on RADIUS Clients and click New.

    3. Add the FortiGate as a RADIUS client:

      Friendly name

      FGT1

      Address

      10.0.1.1

      Shared Secret

      Manually enter the shared secret.

    4. Click OK.

    To create a DNS entry for the VPN connection:

    1. Open the DNS Manager.

    2. Go to DC > Forward Lookup Zones and select lab.local.

    3. Right click in the content pane and select New Host (A or AAAA).

    4. Enter the VPN name. The FQDN should be auto-filled with vpn.lab.local.

    5. Enter an IP address.

    6. Click Add Host.

    Configure the FortiGate

    An IPsec VPN tunnel is configured to connect to the NPS (RADIUS) server for EAP authentication. For information about IPsec VPN, see IPsec VPNs.

    A RADIUS server is added to relay VPN authentication requests to the NPS server. For information about RADIUS servers, see RADIUS servers.

    Three groups are created that point to the RADIUS server for authentication: one group each for user group Group1, user group Group2, and the remote server. For information about groups, see User groups.

    Three firewall policies are created to test the functionality of the three user groups (see Policies):

    • Policy 1 allows VPN clients to communicate with each other.

    • Policy 2 allows VPN clients in the Group1 user group to communicate with Server1 and Server3.

    • Policy 3 allows VPN clients in the Group2 user group to communicate with Server1 and Server2.

    To configure IPsec VPN in the GUI:

    1. Go to VPN > IPsec Wizard.

    2. Enter a name for the VPN, such as VPN1.

    3. Set Template type to Custom, then click Next.

    4. In the Network section, configure the following:

      Remote Gateway

      Dialup User

      Interface

      port1

      Mode Config

      Enable

      Assign IP From

      Range

      Client Address Range

      10.58.58.1-10.58.58.10

      DNS Server

      192.168.1.100

      Enable IPv4 Split Tunnel

      Enable

      Accessible Networks

      Select the networks that VPN users will have access to.

    5. In the Authentication section, configure the following:

      Method

      Signature

      Certificate Name

      vpn.lab.local

      Version

      2

      Accept Types

      Any peer ID

    6. In the Phase 1 Proposal section, configure the following:

      Encryption / Authentication

      AES128 / SHA256

      Encryption / Authentication

      		 AES256 / SHA256

      Encryption / Authentication

      AES128 / SHA1

      Diffie-Hellman Groups

      14, 5, 2

      Local ID

      vpn.lab.local

    7. In the Phase 2 Selectors section, configure the following:

      Local Address

      Named Address - all

      Remote Address

      Named Address - all

      Encryption / Authentication

      AES128 / SHA256

      Encryption / Authentication

      		 AES256 / SHA256

      Encryption / Authentication

      AES128 / SHA1

      Enable Perfect Forward Secrecy (PFS)

      Disable

      Autokey Keep Alive

      Enable

    8. Enable EAP settings in the CLI:

      config vpn ipsec phase1-interface
    edit VPN1
        set eap enable
        set eap-identity send-request
    next
end
    To configure IPsec VPN in the CLI:
    config vpn ipsec phase1-interface
    edit "VPN1"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set authmethod signature
        set peertype any
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 192.168.1.100
        set proposal aes128-sha256 aes256-sha256 aes128-sha1
        set localid "vpn.lab.local"
        set dpd on-idle
        set dhgrp 14 5 2
        set eap enable
        set eap-identity send-request
        set certificate "vpn.lab.local"
        set ipv4-start-ip 10.58.58.1
        set ipv4-end-ip 10.58.58.10
        set ipv4-split-include "10/8_net"
        set dpd-retryinterval 60
    next
end
config vpn ipsec phase2-interface
    edit "VPN1"
        set phase1name "VPN1"
        set proposal aes128-sha256 aes256-sha256 aes128-sha1
        set pfs disable
        set keepalive enable
        set src-addr-type name
        set dst-addr-type name
        set src-name "all"
        set dst-name "all"
    next
end
    To add the RADIUS server in the GUI:

    1. Go to User & Authentication > RADIUS Servers and click Create New.

    2. Enter a name for the server, such as NPS.

    3. Enter the Primary Server IP/Name and Secret.

      The Test User Credentials option will not work, as it does not use certificates for the test.

    4. Click OK.

    To add the RADIUS server in the CLI:
    config user radius
    edit "NPS"
        set server <ip>
        set secret **********
    next
end
    To configure the user groups in the GUI:

    1. Go to User & Authentication > User Groups and click Create New.

    2. Enter a name for the group, such as Group1.

    3. In the Remote Groups table, click Add:

      1. Set Remote Server to the just created RADIUS server, NPS.

      2. Set Groups to Specify and enter Group1.

      3. Click OK.

    4. Click OK.

    5. Create a second group called Group2 with the same Remote Server and Group Name set to Group2.

    6. Create a third group called RADIUS with the same Remote Server but no Group Name.

    To configure the user groups in the CLI:
    config user group
    edit "Group1"
        set member "NPS"
        config match
            edit 1
                set server-name "NPS"
                set group-name "Group1"
            next
        end
    next
    edit "Group2"
        set member "NPS"
        config match
            edit 1
                set server-name "NPS"
                set group-name "Group2"
            next
        end
    next
    edit "RADIUS"
        set member "NPS"
    next 
end
    To configure the policies in the GUI:

    1. Go to Policy & Objects > Firewall Policy and click Create New.

    2. Configure policy 1:

      Name

      VPN-VPN

      Incoming Interface

      VPN1

      Outgoing Interface

      VPN1

      Source

      all, RADIUS

      Destination

      all

      Schedule

      always

      Service

      ALL

      NAT

      Disable

    3. Click OK.

    4. Click Create New again and configure policy 2:

      Name

      VPN Group1

      Incoming Interface

      VPN1

      Outgoing Interface

      Server1, Server3

      Source

      all, Group1

      Destination

      10.10.0.1, 10.10.0.3

      Schedule

      always

      Service

      ALL

      NAT

      Disable

    5. Click OK.

    6. Click Create New again and configure policy 3:

      Name

      VPN Group2

      Incoming Interface

      VPN1

      Outgoing Interface

      Server1, Server2

      Source

      all, Group2

      Destination

      10.10.0.1, 10.10.0.2

      Schedule

      always

      Service

      ALL

      NAT

      Disable

    7. Click OK.

    To configure the policies in the CLI:
    config firewall policy
    edit 1
        set name "VPN-VPN"
        set srcintf "VPN1"
        set dstintf "VPN1"
        set action accept
        set srcaddr "all" "RADIUS"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 2
        set name "VPN Group1"
        set srcintf "VPN1"
        set dstintf "Server1" "Server3"
        set action accept
        set srcaddr "all" "Group1"
        set dstaddr "10.10.0.1" "10.10.0.3"
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 3
        set name "VPN Group2"
        set srcintf "VPN1"
        set dstintf "Server1" "Server2"
        set action accept
        set srcaddr "all" "Group2"
        set dstaddr "10.10.0.1" "10.10.0.2"
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

    Configure the Windows client

    The configuration is done on a Windows 10 Enterprise endpoint.

    To add VPN connection and configure a VPN interface:

    1. Open the Settings page and go to Network & Internet > VPN.

    2. Click Add a VPN connection.

    3. Configure the following:

      VPN provider

      Windows (built-in)

      Connection name

      vpn.lab.local

      Server name or address

      vpn.lab.local

      VPN type

      IKEv2

      Type of sign-in info

      Certificate

    4. Click Save.

    5. Go to Network & Internet > Status and, under Advanced network settings, click Change adapter options.

    6. Select the VPN connection then click Change settings of this connection, or right-click on the connection and select Properties:

      1. Go to the Security tab and, in the Authentication section, click Properties.

      2. Select Use a certificate on this computer and enable Use simple certification selection.

      3. Enable Verify the server's identity by validating the certificate.

      4. Optionally, enable Connect to these servers and enter your NPS server's FQDN, in this case DC.lab.local.

      5. In the Trusted Root Certificate Authorities list, select the CA lab-local-CA.

      6. Click OK, then click OK again.

    To test the connection:

    1. Log in to the Windows endpoint as user1.

    2. Open the network settings and connect to the vpn.lab.local VPN.

    3. Ping each of the three servers to confirm that you can connect to server1 (10.10.0.1) and server3 (10.10.0.3), but not server2 (10.10.0.2).

    4. Log out of the Windows endpoint, then log back in as user2.

    5. Open the network settings and connect to the vpn.lab.local VPN.

    6. Ping each of the three servers to confirm that you can connect to server1 (10.10.0.1) and server2 (10.10.0.2), but not server3 (10.10.0.3).

    Previous
    Next