
Administration Guide

Cross-validation for IPsec VPN

FortiOS supports a cross-validation mechanism for IPsec VPN that strengthens user authentication and reduces the risk of unauthorized access and identity spoofing. The mechanism checks that the username supplied by the client matches the identity field selected from the peer certificate. That identity field, which can be an Othername, an RFC 822 Name, or the CN, serves as a unique identifier for the client.

config vpn ipsec phase1-interface
    edit <name>
        set cert-peer-username-validation {none | othername | rfc822name | cn}
        set cert-peer-username-strip {enable | disable}
    next
end
Note

Validation can be enabled for IPsec VPN when the peer sends certificates for authentication and XAUTH, EAP, SAML, or azure-ad-autoconnect is used. Name matching is not case sensitive.
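As an added illustration (not FortiOS code), the following Python models the check described above. It assumes the certificate identity fields have already been extracted into a dictionary (FortiOS reads them from the peer's X.509 certificate), that cert-peer-username-strip drops the "@domain" part of a UPN or e-mail style name before comparison (an assumption drawn from the debug output later on this page, where the input tester2 matched tester2@vpnfosqa.com with strip enabled), and that a certificate lacking the selected field fails closed. The sample identity record is constructed.

```python
"""Model of peer-certificate username cross-validation for IPsec VPN.

Added example, not FortiOS code. Assumptions:
  * the certificate identity fields are already extracted into a dict;
  * cert-peer-username-strip removes the '@realm' suffix of a UPN/e-mail
    style name before comparing (inferred from the debug output on the page);
  * a missing field or unknown mode rejects the peer (fail closed).
"""
from typing import Dict, Optional

# Values accepted by cert-peer-username-validation on the page.
MODES = ("none", "othername", "rfc822name", "cn")

# Constructed sample: identities a client certificate might carry.
SAMPLE_CERT_IDENTITIES: Dict[str, str] = {
    "othername": "tester2@vpnfosqa.com",   # UPN carried in the SAN otherName
    "rfc822name": "tester2@vpnfosqa.com",  # e-mail carried in the SAN rfc822Name
    "cn": "tester2",                       # subject CN
}


def normalize(name: str, strip: bool) -> str:
    """Lower-case for case-insensitive matching; optionally drop '@realm' (assumed strip semantics)."""
    name = name.strip().lower()
    if strip and "@" in name:
        name = name.split("@", 1)[0]
    return name


def cross_validate(username: str, cert_identities: Dict[str, str], mode: str, strip: bool) -> bool:
    """Return True when the client-supplied username matches the selected certificate field.

    mode == "none" disables the check; any other mode compares against that field only,
    so a username that matches a different field of the certificate is still rejected.
    """
    if mode not in MODES:
        raise ValueError(f"unknown cert-peer-username-validation mode: {mode}")
    if mode == "none":
        return True
    cert_name: Optional[str] = cert_identities.get(mode)
    if not cert_name:
        return False  # selected field absent from the certificate: fail closed
    return normalize(username, strip) == normalize(cert_name, strip)


def validation_message(username: str, cert_identities: Dict[str, str], mode: str, strip: bool) -> str:
    """Produce a log-style verdict in the spirit of the FortiOS debug line on this page."""
    if cross_validate(username, cert_identities, mode, strip):
        return f"client cert username validation passed for [{username}]"
    return (f"client cert username validation failed. Input username [{username}] "
            f"does not match name [{cert_identities.get(mode, '<absent>')}] in client cert.")


if __name__ == "__main__":
    for user in ("tester2", "tester1"):
        print(validation_message(user, SAMPLE_CERT_IDENTITIES, "othername", True))
```

With strip disabled the full UPN must be typed, which is why the page's configuration enables cert-peer-username-strip alongside othername validation.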

To configure cross-validation for IPsec VPN:
  1. Configure IPsec VPN phase1:

    config vpn ipsec phase1-interface
        edit "toclient"
            set type dynamic
            set interface "port8"
            set authmethod signature
            set peertype any
            set net-device disable
            set proposal aes128-sha256 aes256-sha256
            set dpd on-idle
            set dhgrp 5
            set xauthtype auto
            set authusrgrp "vpnad01- ldap-group"
            set cert-peer-username-validation othername
            set cert-peer-username-strip enable
            set certificate "FTG-D"
        next
    end
  2. Configure IPsec VPN phase2:

    config vpn ipsec phase2-interface
        edit "toclient"
            set phase1name "toclient"
            set proposal aes128-sha256 aes256-sha256
            set dhcp-ipsec enable
        next
    end
  3. In FortiClient, input a username that corresponds with the identity in the certificate, such as tester2.

  4. Verify that the cross-validation succeeded and the tunnel is established:

    # diagnose vpn ike gateway list
    
    vd: root/0
    name: toclient_0
    version: 1
    interface: port8 16
    addr: 173.1.1.1:4500 -> 173.1.1.2:64917
    tun_id: 173.1.1.2/::10.0.0.12
    remote_location: 0.0.0.0
    network-id: 0
    transport: UDP
    created: 17s ago
    xauth-user: tester2
    2FA: no
    peer-id: DC=com, DC=vpnfosqa, CN=Users, CN=tester2
    peer-id-auth: yes
    FortiClient UID: 43B7079E9D244365A91CB0F139EA470F
    nat: peer
    pending-queue: 0
    IKE SA: created 1/1  established 1/1  time 20/20/20 ms
    IPsec SA: created 1/2  established 1/2  time 0/95/190 ms
     
      id/spi: 26 df4fd267a4ba2093/a9161305effacd5a
      direction: responder
      status: established 17-17s ago = 20ms
      proposal: aes128-sha256
      key: 3cbdc74916c1b2aa-e00b39fda1b2e324
      QKD: no
      lifetime/rekey: 86400/86112
      DPD sent/recv: 00000000/00000002
      peer-id: DC=com, DC=vpnfosqa, CN=Users, CN=tester2
  5. In FortiClient, input a username that does not correspond with the identity in the certificate, such as tester1.

  6. Verify that the cross-validation failed:

    # diagnose debug application fnbamd -1
    # diagnose debug enable
     
    ike V=root:0:toclient:23: received p1 notify type INITIAL-CONTACT
    ike V=root:0:toclient:23: received peer identifier DER_ASN1_DN 'DC=com, DC=vpnfosqa, CN=Users, CN=tester2'
    ike V=root:0:toclient:23: re-validate gw ID
    ike V=root:0:toclient:23: gw validation OK
    ike V=root:0:toclient:23: Validating X.509 certificate
      
    [984] __ldap_next_state-State: Primary Group Query -> Done
    [1982] ldap_copy_grp_list-copied CN=Domain Admins,CN=Users,DC=vpnfosqa,DC=com
    [1982] ldap_copy_grp_list-copied CN=Administrators,CN=Builtin,DC=vpnfosqa,DC=com
    [1982] ldap_copy_grp_list-copied CN=Domain Users,CN=Users,DC=vpnfosqa,DC=com
    [626] fnbam_user_auth_group_match-req id: 2207758716938, server: vpnad01, local auth: 0, dn match: 1
    [580] __group_match-Check if vpnad01 is a group member
    [586] __group_match-Group 'vpnad01- ldap-group' passed group matching
    [589] __group_match-Add matched group 'vpnad01- ldap-group'(17)
    [202] find_matched_usr_grps-Passed group matching
    [2423] fnbamd_ldap_result-Result for ldap svr vpnad01 is SUCCESS
    [626] fnbam_user_auth_group_match-req id: 2207758716938, server: vpnad01, local auth: 0, dn match: 1
    [580] __group_match-Check if vpnad01 is a group member
    [586] __group_match-Group 'vpnad01- ldap-group' passed group matching
    [589] __group_match-Add matched group 'vpnad01- ldap-group'(17)
    [2431] fnbamd_ldap_result-Passed group matching
    [239] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 0x20208AC900A, len=2750
    ike V=root:0:toclient_0:23: XAUTH 2207758716938 result FNBAM_SUCCESS
    ike V=root:0:toclient_0: XAUTH succeeded for user "tester1" group "vpnad01- ldap-group" 2FA=no
    [1254] fnbamd_rads_destroy-
    ike V=root:0:toclient_0: client cert username validation failed. Input username [tester1] does not match name [tester2@vpnfosqa.com] in client cert.
    [1830] fnbamd_ldaps_destroy-
    ike V=root:0:toclient_0: connection expiring due to client cert username validation failure
    [442] fnbamd_ldap_auth_ctx_free-Freeing 'vpnad01' ctx
    ike V=root:0:toclient_0: going to be deleted
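To show what this outcome looks like to a monitoring pipeline, here is an added Python example (not Fortinet tooling) that parses the ike lines from the debug output above into a structured result and emits a security event for each cross-validation failure. The sample lines are copied from the output shown in this step; the regular expressions assume those message formats and are not a documented log schema.

```python
"""Parse FortiOS IKE debug output for the username cross-validation outcome.

Added example, not Fortinet tooling. Message formats are taken from the
debug output reproduced in this guide and are assumed to be stable only
for these message types.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample lines copied from the debug output shown above (tester1 typed, cert says tester2).
SAMPLE_DEBUG = """\
ike V=root:0:toclient:23: received peer identifier DER_ASN1_DN 'DC=com, DC=vpnfosqa, CN=Users, CN=tester2'
ike V=root:0:toclient_0:23: XAUTH 2207758716938 result FNBAM_SUCCESS
ike V=root:0:toclient_0: XAUTH succeeded for user "tester1" group "vpnad01- ldap-group" 2FA=no
[1254] fnbamd_rads_destroy-
ike V=root:0:toclient_0: client cert username validation failed. Input username [tester1] does not match name [tester2@vpnfosqa.com] in client cert.
ike V=root:0:toclient_0: connection expiring due to client cert username validation failure
ike V=root:0:toclient_0: going to be deleted
"""

# "ike V=<vdom>:<idx>:<gateway>[:<n>]: <message>"
PEER_ID_RE = re.compile(
    r"^ike V=[^:]+:\d+:(?P<gw>[^:]+):\d+: received peer identifier \S+ '(?P<peer_id>[^']*)'")
XAUTH_OK_RE = re.compile(
    r'^ike V=[^:]+:\d+:(?P<gw>[^:]+): XAUTH succeeded for user "(?P<user>[^"]*)" group "(?P<group>[^"]*)"')
VALIDATION_FAIL_RE = re.compile(
    r"^ike V=[^:]+:\d+:(?P<gw>[^:]+): client cert username validation failed\. "
    r"Input username \[(?P<user>[^\]]*)\] does not match name \[(?P<cert_name>[^\]]*)\]")


@dataclass
class Outcome:
    gateway: Optional[str] = None
    peer_id: Optional[str] = None        # DN presented as the IKE peer identifier
    xauth_user: Optional[str] = None     # username the client typed
    xauth_group: Optional[str] = None    # group that XAUTH matched
    cert_name: Optional[str] = None      # name found in the client certificate
    validation_failed: bool = False


def parse_outcome(text: str) -> Outcome:
    """Walk the debug lines and collect the fields relevant to cross-validation."""
    out = Outcome()
    for line in text.splitlines():
        m = PEER_ID_RE.match(line)
        if m:
            out.gateway, out.peer_id = m.group("gw"), m.group("peer_id")
            continue
        m = XAUTH_OK_RE.match(line)
        if m:
            out.gateway, out.xauth_user, out.xauth_group = m.group("gw"), m.group("user"), m.group("group")
            continue
        m = VALIDATION_FAIL_RE.match(line)
        if m:
            out.gateway, out.xauth_user, out.cert_name = m.group("gw"), m.group("user"), m.group("cert_name")
            out.validation_failed = True
    return out


def security_events(text: str) -> List[Dict[str, str]]:
    """One event per validation failure: XAUTH passed but the typed name is not the certificate's."""
    events = []
    for line in text.splitlines():
        m = VALIDATION_FAIL_RE.match(line)
        if m:
            events.append({
                "event": "ipsec_cert_username_mismatch",
                "gateway": m.group("gw"),
                "input_username": m.group("user"),
                "cert_name": m.group("cert_name"),
            })
    return events


if __name__ == "__main__":
    print(parse_outcome(SAMPLE_DEBUG))
    for ev in security_events(SAMPLE_DEBUG):
        print(ev)
```

The point worth alerting on is the combination: XAUTH reports success for the typed username, yet the tunnel is torn down because that name is not the one bound to the certificate, which is exactly the credential-reuse case the feature exists to catch.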
