The Symantec VPN client needs for ****outbound*** ports to not be changed (as is the usual practice) in order for the Syantec Gateway to accept the traffic and make the tunnel. Logs reviewed on the Symantec gateway reveal that traffic is incoming from from the network behind the Fortinet however, the traffic is appearing at ports 36000+, instead of port 500, which is the port used by the Symantec VPN Client. However, when we move the workstation running the VPN client inside the Fortinet firewall, it fails to form the tunnel. When we run the VPN client from outside our Fortinet 60 firewall, it works fine.
WHAT IS FORTINET VPN CLIENT WINDOWS
This proxy setup allows FAC to pass on the PEAP messages to Windows AD using Kerberos.We have a Symantec VPN Client going outbound to a Symantec 360 VPN router. The idea is that FAC uses RADIUS with FortiGate and Kerberos with Windows AD. On FAC, you configure the RADIUS service and configure a Windows AD as a backend. Because RADIUS supports EAP, then the authentication will work this time.Īnother option is to use FortiAuthenticator (FAC), which is Fortinet’s authentication server. The NPS service can then look up your AD users during authentication. For example, if you are using Windows AD, you can then configure the NPS service to run RADIUS. For this reason, when FortiGate sees that the user credentials need to be verified against an LDAP server, it doesn’t even try to do that and returns an error to FortiClient.Ī solution is to use RADIUS authentication instead. LDAP servers expect passwords in cleartext.
WHAT IS FORTINET VPN CLIENT HOW TO
The problem is that LDAP does not know how to handle EAP or any of the CHAP variants (CHAP, MSCHAP, MSCHAPv2) because LDAP is not really an authentication protocol, it’s a directory access protocol. The Windows native VPN client uses PEAP (more specifically PEAPv0/EAP-MSCHAPv2) as the authentication method. Proxyid=WIN_IKEv2-p2 proto=0 sa=1 ref=2 serial=1 add-route Natt: mode=none draft=0 interval=0 remote_port=0 Proxyid_num=1 child_num=0 refcnt=6 ilast=6 olast=6 ad=/0ĭpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=1 Upload and then browse to the CA certificate you want to import.įGT-HQ # diagnose vpn tunnel list name WIN_IKEv2_0 If you need to import your intermediate CAs into FortiGate, follow the procedure below on the FortiGate GUI:
In my case, there are no intermediate CAs because my certificate was issued by my root CA (Check The Firewall Root CA). Note: If the requirements above are not met, the Windows client may fail to authenticate FortiGate, and the VPN will not come up. As a result, FortiGate will include the intermediate CAs when sending the certificate to the client during phase 1 negotiation, which allows the client to verify the certificate chain in case the intermediate CAs are not installed on its local certificate store. If there are intermediate CAs in the certificate chain, make sure to import those intermediate CAs into FortiGate local CA store.The certificate must include TLS Web Server Authentication as.Therefore, the server name on my Windows client configuration must be set toį as well.
In my case, I am using the FQDN as my certificate CN.