Windows IKEv2 native VPN with user certificate
In this example, IKEv2 with Extensible Authentication Protocol – Transport Layer Security (EAP-TLS) using mutual certificate authentication is configured. Mutual certificate authentication means that both the client and server use certificates to identify themselves. EAP uses RADIUS, which is handled by the Network Policy Server (NPS) on the Windows server. Certificates are generated and distributed through Active Directory Certificate Services (AD CS). An additional certificate is used to identify the IPsec gateway.
This example assumes that the following Windows server roles are installed and available:
- NPS (RADIUS)
- AD CS with a generated CA
- Group Policy Management
- DNS server
It is also assumed that a connection is established between the NPS and FortiGate, and a DNS entry exists for the NPS that the FortiGate can resolve.
Certificates
The following certificates are required:
- CA certificate for EAP-TLS to sign the client and server certificates.
  The CA certificate must be able to sign other certificates. It is created after the AD CS CA role is installed. It is named lab-local-CA, as lab.local is the domain that is used in this example. The CA certificate is automatically installed on the server that is hosting the AD CS role. In this example, that server is also hosting the NPS and DNS server.
  The Key Usage specifies Certificate Signing.
- Client certificate for EAP-TLS used by the Windows client.
  The client certificate is stored in the personal user certificate store and is used to authenticate the user. The certificate has Client Authentication and a SAN of the user's FQDN, and is signed by the CA. The CA is stored in Current User > Trusted Root Certification Authorities.
- Server certificate for EAP-TLS used by the server providing RADIUS authentication.
  The NPS certificate must be in the hosting server's certificate store so that the NPS can access it. It has Server Authentication and a SAN DNS name to match the server's IP address. The user must use the FQDN to connect to the VPN. If the IP address that the name resolves to is used, the certificate will not be considered valid.
- VPN certificate used to identify the FortiGate dialup gateway.
  The VPN certificate and private key are installed to the FortiGate using a CSR generated by the FortiGate.
Configure the Windows server
The Windows server includes AD CS, a RADIUS server, and a DNS server.
After the AD CS role has been installed and configured, the CA is ready to sign certificates.
Users and groups are defined first. The groups are configured to automatically receive certificates and relay membership to the FortiGate for granular access control through group matching in policies.
RADIUS is used to authorize connecting users. The RADIUS server returns users' groups with the access-accept response, to indicate to the FortiGate what groups the users belong to.
To create security groups and users:
- Open Active Directory Users and Computers.
- Create two groups, Group1 and Group2.
- Create two users, User1 and User2.
  - To ensure that the automatic enrollment process succeeds in subsequent steps, ensure that each user has an email address configured in the Email field under Properties > General.
- Add User1 to Group1 and User2 to Group2.
To create a certificate template to enable automatic enrollment for the user groups:
- Open Certification Authority.
- In the navigation pane, expand the new CA, right-click Certificate Template and click Manage.
- Configure a new certificate template:
  - Right-click the User template and click Duplicate Template.
  - On the General tab, enter a Template display name, such as User Auto Enroll.
  - Enable Publish certificate in Active Directory and Do not automatically reenroll....
  - Configure the remaining settings as required, then go to the Request Handling tab.
  - Disable Allow private key to be exported and select Enroll subject without requiring any user input.
  - On the Security tab, in Group or user name, click Add.
  - Add Group1 and Group2.
  - Select each group and, under Permissions, enable Read, Enroll, and Autoenroll.
  - On the Extensions tab, click Application Policies then click Edit.
  - Remove all of the policies except for Client Authentication.
  - Click OK then close the Certificate Templates console.
- In the navigation pane, right-click Certificate Template and click New > Certificate Template to Issue.
- Select the new certificate template, User Auto Enroll, then click OK.
To create a group policy to enable automatic enrollment:
- Open the Group Policy Management console.
- In the navigation pane, go to Forest:lab.local > Domains > lab.local, and then click Group Policy Objects.
- Click Action, and then click New.
- Set a Name for the new GPO then click OK.
- Right-click the new GPO and click Edit.
- In the Group Policy Management Editor navigation pane, go to User configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
- In the content pane, double-click Certificate Services Client - Auto-Enrollment.
- Set Configuration Model to Enabled.
- Enable Renew expired certificates... and Update certificates....
- Click OK.
To verify that users are receiving certificates:
- Log in to an endpoint with a domain user.
- On the server, open Certification Authority.
- Expand the CA and select Issued Certificates.
- Verify that the user logged into the endpoint is listed under Requested Name. You can also check the local user certificate store on the endpoint.
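To check the endpoint's store from PowerShell, the following added example (not part of the original guide) lists each certificate in the current user's personal store and reports whether it meets the client certificate requirements described under Certificates. The CA name lab-local-CA is this page's; the output property names are chosen here for illustration.

```powershell
# Added example: audit the auto-enrolled user certificate on the endpoint.
# Run as the domain user who will connect to the VPN.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$sanOid        = '2.5.29.17'           # Subject Alternative Name extension
$expectedCa    = 'lab-local-CA'        # CA name used in this example

Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_

    # Build the chain against the user's trust stores. Build() also checks
    # validity dates and revocation, so it returns $false if the CRL is unreachable.
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)
    $root    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }

    [pscustomobject]@{
        Subject       = $cert.Subject
        # EAP-TLS needs the Client Authentication purpose on the certificate.
        ClientAuth    = $cert.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid
        # Without the private key the certificate cannot authenticate the user.
        HasPrivateKey = $cert.HasPrivateKey
        SAN           = if ($san) { $san.Format($false) } else { '(none)' }
        ChainValid    = $chainOk
        # The chain should terminate at the lab CA, not at some other trusted root.
        RootIsLabCA   = $root.Subject -like "*CN=$expectedCa*"
        NotAfter      = $cert.NotAfter
    }
} | Format-List
```

A usable certificate shows ClientAuth, HasPrivateKey, ChainValid and RootIsLabCA all True, with a SAN that identifies the user.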
To generate and sign a CSR and import the signed certificate to the FortiGate:
- On the FortiGate, go to System > Certificates and click Generate.
- Configure the CSR:
  - Certificate Name: vpn.lab.local
  - ID Type: Domain Name
  - Domain Name: vpn.lab.local
  - Subject Alternative Name: DNS:vpn.lab.local
- Configure the remaining settings as required, then click OK.
- Download the CSR to a location that is accessible to the CA server, in this example: C:\CSR\
- Sign the CSR with the previously created CA:
  - Open the command prompt as an administrator and enter the following:
        certreq -submit -attrib "CertificateTemplate:WebServer" C:\CSR\vpn.lab.local.csr
    The Certification Authority List window opens.
  - Select the CA and click OK.
  - Save the signed certificate with a .cer file extension to a location that is accessible from the FortiGate.
- Import the signed certificate to the FortiGate:
  - On the FortiGate, go to System > Certificates and click Import > Local Certificate.
  - Click Upload and locate and select the signed certificate.
  - Click OK.
To configure network policies on the RADIUS server:
- Open the Network Policy Server and, in the console tree, expand Policies.
- Right-click on Network Policies and click New.
- Enter a Policy name, such as VPN-Group1, then click Next.
- Under Condition description click Add:
  - Select User Groups, then click Add.
  - Click Add Groups.
  - Enter the group name, Group1, and click Check Names to confirm the group.
  - Click OK in both windows.
- Click Next.
- Make sure that Access granted is selected, then click Next.
- On the Configure Authentication Methods page, click Add and add the EAP type Microsoft: Smart Card or other certificate.
- Edit the EAP type, select the previously generated certificate, then click OK.
- Deselect all of the Less secure authentication methods then click Next.
- Configure constraints as needed, then click Next.
- On the Configure Settings page, under RADIUS Attributes, select Vendor Specific, then click Add:
  - In the Attributes list, select Vendor-Specific, then click Add.
  - In the Attribute Information window, click Add.
  - In the Vendor-Specific Attribute Information window, enter the Vendor Code, 12356, and select Yes. It conforms.
  - Click Configure Attribute and configure the following:
    - Vendor-assigned attribute number: 1
    - Attribute format: String
    - Attribute value: Group
  - Click OK on all three windows and on the Add Vendor Specific Attribute window click Close.
- Click Next.
- On the Completing New Network Policy page, review the configuration, then click Finish.
- Duplicate the policy for Group2, and call the new policy VPN-Group2.
- Reorder the policies so that VPN-Group1 and VPN-Group2 are one and two in the processing order.
To add the FortiGate as a RADIUS client:
- Open the Network Policy Server and, in the console tree, expand RADIUS Clients and Servers.
- Right-click on RADIUS Clients and click New.
- Add the FortiGate as a RADIUS client:
  - Friendly name: FGT1
  - Address: 10.0.1.1
  - Shared Secret: Manually enter the shared secret.
- Click OK.
To create a DNS entry for the VPN connection:
- Open the DNS Manager.
- Go to DC > Forward Lookup Zones and select lab.local.
- Right-click in the content pane and select New Host (A or AAAA).
- Enter the VPN name. The FQDN should be auto-filled with vpn.lab.local.
- Enter an IP address.
- Click Add Host.
Configure the FortiGate
An IPsec VPN tunnel is configured to connect to the NPS (RADIUS) server for EAP authentication. For information about IPsec VPN, see IPsec VPNs.
A RADIUS server is added to relay VPN authentication requests to the NPS server. For information about RADIUS servers, see RADIUS servers.
Three groups are created that point to the RADIUS server for authentication: one group each for user group Group1, user group Group2, and the remote server. For information about groups, see User groups.
Three firewall policies are created to test the functionality of the three user groups (see Policies):
- Policy 1 allows VPN clients to communicate with each other.
- Policy 2 allows VPN clients in the Group1 user group to communicate with Server1 and Server3.
- Policy 3 allows VPN clients in the Group2 user group to communicate with Server1 and Server2.
To configure IPsec VPN in the GUI:
- Go to VPN > IPsec Wizard.
- Enter a name for the VPN, such as vpn1.
- Set Template type to Custom, then click Next.
- In the Network section, configure the following:
  - Remote Gateway: Dialup User
  - Interface: port1
  - Mode Config: Enable
  - Assign IP From: Range
  - Client Address Range: 10.58.58.1-10.58.58.10
  - DNS Server: 192.168.1.100
  - Enable IPv4 Split Tunnel: Enable
  - Accessible Networks: Select the networks that VPN users will have access to.
- In the Authentication section, configure the following:
  - Method: Signature
  - Certificate Name: vpn.lab.local
  - Version: 2
  - Accept Types: Any peer ID
- In the Phase 1 Proposal section, configure the following:
  - Encryption / Authentication: AES128 / SHA256
  - Encryption / Authentication: AES256 / SHA256
  - Encryption / Authentication: AES128 / SHA1
  - Diffie-Hellman Groups: 14, 5, 2
  - Local ID: vpn.lab.local
- In the Phase 2 Selectors section, configure the following:
  - Local Address: Named Address - all
  - Remote Address: Named Address - all
  - Encryption / Authentication: AES128 / SHA256
  - Encryption / Authentication: AES256 / SHA256
  - Encryption / Authentication: AES128 / SHA1
  - Enable Perfect Forward Secrecy (PFS): Disable
  - Autokey Keep Alive: Enable
- Enable EAP settings in the CLI:
      config vpn ipsec phase1-interface
          edit vpn1
              set eap enable
              set eap-identity send-request
          next
      end
To configure IPsec VPN in the CLI:
    config vpn ipsec phase1-interface
        edit "vpn1"
            set type dynamic
            set interface "port1"
            set ike-version 2
            set authmethod signature
            set peertype any
            set net-device disable
            set mode-cfg enable
            set ipv4-dns-server1 192.168.1.100
            set proposal aes128-sha256 aes256-sha256 aes128-sha1
            set localid "vpn.lab.local"
            set dpd on-idle
            set dhgrp 14 5 2
            set eap enable
            set eap-identity send-request
            set certificate "vpn.lab.local"
            set ipv4-start-ip 10.58.58.1
            set ipv4-end-ip 10.58.58.10
            set ipv4-split-include "10/8_net"
            set dpd-retryinterval 60
        next
    end
    config vpn ipsec phase2-interface
        edit "vpn1"
            set phase1name "vpn1"
            set proposal aes128-sha256 aes256-sha256 aes128-sha1
            set pfs disable
            set keepalive enable
            set src-addr-type name
            set dst-addr-type name
            set src-name "all"
            set dst-name "all"
        next
    end
To add the RADIUS server in the GUI:
- Go to User & Authentication > RADIUS Servers and click Create New.
- Enter a name for the server, such as NPS.
- Enter the Primary Server IP/Name and Secret.
  The Test User Credentials option will not work, as it does not use certificates for the test.
- Click OK.
To add the RADIUS server in the CLI:
    config user radius
        edit "NPS"
            set server <ip>
            set secret **********
        next
    end
To configure the user groups in the GUI:
- Go to User & Authentication > User Groups and click Create New.
- Enter a name for the group, such as Group1.
- In the Remote Groups table, click Add:
  - Set Remote Server to the just created RADIUS server, NPS.
  - Set Groups to Specify and enter Group1.
  - Click OK.
- Click OK.
- Create a second group called Group2 with the same Remote Server and Group Name set to Group2.
- Create a third group called RADIUS with the same Remote Server but no Group Name.
To configure the user groups in the CLI:
    config user group
        edit "Group1"
            set member "NPS"
            config match
                edit 1
                    set server-name "NPS"
                    set group-name "Group1"
                next
            end
        next
        edit "Group2"
            set member "NPS"
            config match
                edit 1
                    set server-name "NPS"
                    set group-name "Group2"
                next
            end
        next
        edit "RADIUS"
            set member "NPS"
        next
    end
To configure the policies in the GUI:
- Go to Policy & Objects > Firewall Policy and click Create New.
- Configure policy 1:
  - Name: VPN-VPN
  - Incoming Interface: VPN1
  - Outgoing Interface: VPN1
  - Source: all, RADIUS
  - Destination: all
  - Schedule: always
  - Service: ALL
  - NAT: Disable
- Click OK.
- Click Create New again and configure policy 2:
  - Name: VPN Group1
  - Incoming Interface: VPN1
  - Outgoing Interface: Server1, Server3
  - Source: all, Group1
  - Destination: 10.10.0.1, 10.10.0.3
  - Schedule: always
  - Service: ALL
  - NAT: Disable
- Click OK.
- Click Create New again and configure policy 3:
  - Name: VPN Group2
  - Incoming Interface: VPN1
  - Outgoing Interface: Server1, Server2
  - Source: all, Group2
  - Destination: 10.10.0.1, 10.10.0.2
  - Schedule: always
  - Service: ALL
  - NAT: Disable
- Click OK.
To configure the policies in the CLI:
    config firewall policy
        edit 1
            set name "VPN-VPN"
            set srcintf "VPN1"
            set dstintf "VPN1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set groups "RADIUS"
            set nat disable
        next
        edit 2
            set name "VPN Group1"
            set srcintf "VPN1"
            set dstintf "Server1" "Server3"
            set action accept
            set srcaddr "all"
            set dstaddr "10.10.0.1" "10.10.0.3"
            set schedule "always"
            set service "ALL"
            set groups "Group1"
            set nat disable
        next
        edit 3
            set name "VPN Group2"
            set srcintf "VPN1"
            set dstintf "Server1" "Server2"
            set action accept
            set srcaddr "all"
            set dstaddr "10.10.0.1" "10.10.0.2"
            set schedule "always"
            set service "ALL"
            set groups "Group2"
            set nat disable
        next
    end
Configure the Windows client
The configuration is done on a Windows 10 Enterprise endpoint.
To add a VPN connection and configure the VPN interface:
- Open the Settings page and go to Network & Internet > VPN.
- Click Add a VPN connection.
- Configure the following:
  - VPN provider: Windows (built-in)
  - Connection name: vpn.lab.local
  - Server name or address: vpn.lab.local
  - VPN type: IKEv2
  - Type of sign-in info: Certificate
- Click Save.
- Go to Network & Internet > Status and, under Advanced network settings, click Change adapter options.
- Select the VPN connection then click Change settings of this connection, or right-click on the connection and select Properties:
  - Go to the Security tab and, in the Authentication section, click Properties.
  - Select Use a certificate on this computer and enable Use simple certification selection.
  - Enable Verify the server's identity by validating the certificate.
  - Optionally, enable Connect to these servers and enter your NPS server's FQDN, in this case DC.lab.local.
  - In the Trusted Root Certificate Authorities list, select the CA lab-local-CA.
  - Click OK, then click OK again.
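The same connection can be created from PowerShell. This is an added example, not part of the original guide: it uses the built-in VPN client cmdlets with this page's vpn.lab.local names, and pins the client to the AES256/SHA256, Diffie-Hellman group 14 proposal that the FortiGate configuration above accepts, instead of leaving the choice to negotiation. It does not set the Connect to these servers or Trusted Root Certificate Authorities options, which still need the GUI steps above.

```powershell
# Added example: scripted version of the Windows client configuration.
# Run as the user who owns the connection; names are the ones used on this page.
$name   = 'vpn.lab.local'
$server = 'vpn.lab.local'   # must be the FQDN, so it matches the gateway certificate

# EAP-TLS using a certificate from the user store, with server identity validation.
# Corresponds to "Use a certificate on this computer" and "Verify the server's identity".
$eap = New-EapConfiguration -Tls -UserCertificate -VerifyServerIdentity

Add-VpnConnection -Name $name `
    -ServerAddress $server `
    -TunnelType Ikev2 `
    -AuthenticationMethod Eap `
    -EapConfigXmlStream $eap.EapConfigXmlStream `
    -EncryptionLevel Required

# Pin the IKE and ESP proposals to the strongest set offered by the FortiGate
# phase 1 / phase 2 configuration on this page:
#   phase 1: aes256-sha256, dhgrp 14
#   phase 2: aes256-sha256, pfs disable
# This prevents the tunnel from settling on aes128-sha1 or DH group 5 / 2.
Set-VpnConnectionIPsecConfiguration -ConnectionName $name `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 `
    -CipherTransformConstants AES256 `
    -AuthenticationTransformConstants SHA256128 `
    -PfsGroup None `
    -Force

# Show the resulting custom IPsec policy to confirm what the client will propose.
(Get-VpnConnection -Name $name).IPsecCustomPolicy
```

If the connection then fails to negotiate, compare the values printed by the last command with the proposal and dhgrp lines in the FortiGate phase 1 and phase 2 configuration.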
To test the connection:
- Log in to the Windows endpoint as user1.
- Open the network settings and connect to the vpn.lab.local VPN.
- Ping each of the three servers to confirm that you can connect to server1 (10.10.0.1) and server3 (10.10.0.3), but not server2 (10.10.0.2).
- Log out of the Windows endpoint, then log back in as user2.
- Open the network settings and connect to the vpn.lab.local VPN.
- Ping each of the three servers to confirm that you can connect to server1 (10.10.0.1) and server2 (10.10.0.2), but not server3 (10.10.0.3).