I’ve noticed quite a few issues with FortiClient as of late. It seems to constantly be freezing and/or just not functioning. Since I mainly use the free version, there is no way to get support on the issues I face. So, I decided to create a backup plan and use the native VPN clients on both Windows and Apple devices with certificate authentication.
Things you will need to accomplish this setup:
1.) Certificate Services running on a Domain Controller, or a server used to create and manage certificates with OpenSSL.
2.) Fortigate Firewall
3.) Windows / Apple Device
I do not plan on going into any detail regarding setting up Certificate Services on a Domain Controller or explaining how to use OpenSSL as a CA. This would take forever and I barely understand it myself.
If you’re using OpenSSL like me, use this guide (it’s fantastic):
https://jamielinux.com/docs/openssl-certificate-authority/introduction.html
You will need 3 types of certificates at minimum:
1.) Root CA (or Intermediate signed by Root) to sign your certs
2.) Certificate for Server Authentication (This will reside on your Fortigate IPSEC endpoint)
3.) Certificate for Client Authentication (This will reside on your windows/apple endpoint)
The most important part of generating the certificates is that each one has to carry a “Subject Alternative Name” that matches the FQDN of the device it is issued to.
For example:
Your Fortigate IPSEC device has an FQDN of vpn.mydomain.com. The subject alternative name on the server certificate must be vpn.mydomain.com.
Your endpoint device has an FQDN of jaredsmacbook.local or jaredswindows.local; the subject alternative name on the client certificate must match that name exactly.
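Here is an added example (not from the original post or the jamielinux guide) that issues a throwaway demo root, a server certificate for the FortiGate endpoint and a client certificate for the endpoint device, each with a SAN equal to its FQDN, and then checks the SANs before anything is imported. It assumes OpenSSL 1.1.1 or newer in PATH; the FQDNs are the post’s examples, while “Demo Root CA” and the file names are constructed for the demo only.

```shell
#!/bin/sh
# Added example, not part of the original post: a disposable demo CA plus a
# server and a client certificate whose Subject Alternative Name equals the
# device FQDN, and a check that the SAN really matches before importing.
# Assumes openssl 1.1.1+ in PATH; "Demo Root CA" and file names are constructed.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Self-signed root standing in for the real root (or intermediate) CA.
make_root() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
}

# issue <name> <fqdn> <eku>: CSR with CN=<fqdn>, signed by the demo root with
# SAN=DNS:<fqdn> and the given extendedKeyUsage supplied via -extfile
# (works on 1.1.1 as well as 3.x, unlike -copy_extensions).
issue() {
  name="$1"; fqdn="$2"; eku="$3"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=%s\n' "$fqdn" "$eku" \
    > "$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 30 \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
}

# san_of <cert>: print the DNS names in the certificate's SAN, one per line.
san_of() {
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,]*' | cut -d: -f2
}

# san_matches <cert> <fqdn>: succeed only if the SAN is exactly that FQDN,
# which is what the FortiGate Local ID and peer certificate check rely on.
san_matches() { [ "$(san_of "$1")" = "$2" ]; }

make_root
issue server vpn.mydomain.com serverAuth    # goes on the FortiGate
issue client jaredsmacbook.local clientAuth # goes on the endpoint device
for c in server client; do
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$c.crt"
  echo "$c SAN: $(san_of "$WORK/$c.crt")"
done
```

Run `san_matches` against a certificate before importing it; a mismatch here is the same mismatch that later shows up as a failed Phase 1 identity check.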
Once your certs are generated, install the Root CA on both the Fortigate and the endpoint. Install your Server certificate on the Fortigate and the Client certificate on the device you are looking to get connected.
Next, we’ll configure a PKI user on Fortigate. For the “set ca” command, you’ll need to reference the Root CA you imported earlier.

Now onto VPN setup. I was pleasantly surprised to find out that this configuration works with both Windows and Apple setups. I also don’t like using the IPsec wizard; I always roll custom. So, create a new custom IPsec tunnel:

For the first section, make sure you enable “Mode Config” and set your IP info as you desire:

For the authentication section, select the options listed below. For the Certificate Name, this is the Server Certificate we imported. For the Peer Certificate field, this is the PKI user we created earlier.

For the Phase 1 Proposal, use the settings shown. The LOCAL ID HAS TO MATCH the Server Certificate Subject Alternative Name.

Phase 2 Settings as shown:

Click OK to save.
Create a quick firewall policy so the VPN can access what it needs:

We should now be all set and ready to go on the Fortigate. Go to Pt.2 for Client Configurations.