Checklist for Fortigate admin access over SSL-VPN

This is a checklist for Fortigate admin access over SSL-VPN.

1. Trusted hosts

Ensure that the SSL-VPN source address or the SSL-VPN address pool is in the trusted host list of the admin account used to manage the Fortigate.

config system admin
    edit "admin"
        set trusthost5 10.212.134.0 255.255.255.0
        set accprofile "super_admin"
        set vdom "root"
        set password yourpassword
    next
end

2. Allowaccess on Interface

Ensure you have allowed the service or port access on the interface using the following command “set allowaccess ping https ssh” under the interface configuration.

config system interface
    edit "vlan100"
        set vdom "root"
        set ip 10.100.0.254 255.255.255.0
        set allowaccess ping https ssh
        set vlanforward enable
        set device-identification enable
        set role lan
        set snmp-index 12
        set interface "internal5"
        set vlanid 100
    next
end

3. Firewall policy

Ensure you have a firewall policy from the SSL-VPN interface to the LAN you intend to connect to.

config firewall policy
    edit 3
        set name "SSL_VPN_LAN"
        set srcintf "ssl.root"
        set dstintf "vlan100"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "SSL_VPN"
    next
end

4. Routing table

Ensure you have a route to the firewall interface. If you use split-tunneling, only the addresses you specify are routed over the SSL-VPN; any route not specified is routed locally via the user's own internet breakout. Here 10.100.0.0/24 is the LAN network directly connected to the firewall; you can specify just the individual firewall interface address if you prefer.

config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling-routing-address "10.100.0.0/24"
        config bookmark-group
            edit "gui-bookmarks"
            next
        end
    next
end

If you are using Windows, you can check the routing table by running the command route print.

C:\WINDOWS\system32>route print

Please let me know what you thought of the guide and if it worked, what issues you ran into or if anything wasn’t clear. Thank you for reading.

How to configure a SSL-VPN with certificate authentication on a Fortigate.

This is a detailed guide on how to configure an SSL-VPN with certificate authentication on a Fortigate. We will be using OpenSSL to generate the CA and the certificates.

1. Generate the CA or root certificate (Certificate Authority)

You will need to generate a root certificate to sign the server and client certificates. The CA and server certificates are installed on the Fortigate, and the client PKCS#12 certificate is installed on the end user's computer where the FortiClient VPN application is installed. Together these form a chain of trust, a public key infrastructure (PKI).

1.1 Create the directories to hold the CA certificate.

sudo mkdir /etc/ssl/CA
sudo mkdir /etc/ssl/newcerts

1.2 Create additional CA files

The CA needs a few additional files to operate, one to keep track of the last serial number used by the CA, and another file to record which certificates have been issued:

sudo sh -c "echo '01' > /etc/ssl/CA/serial"
sudo touch /etc/ssl/CA/index.txt

1.3 Edit the config file – nano /etc/ssl/openssl.cnf

This specifies the file locations for OpenSSL; the entries below sit under the [ CA_default ] section.

nano /etc/ssl/openssl.cnf

dir             = /etc/ssl               # Where everything is kept
database        = $dir/CA/index.txt      # database index file
certificate     = $dir/certs/cacert.pem  # The CA certificate
serial          = $dir/CA/serial         # The current serial number
private_key     = $dir/private/cakey.pem # The private key

1.4 Generate Root Certificate

openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Please note that your Organization Name (O) needs to match on all your certificates that will be forming the chain of trust.

Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

You will need to ensure that the Organizational Unit Name (OU) is unique on each certificate (CA, server and client) while the values above otherwise match. Steps 2 and 3 cover the Certificate Signing Requests for the server and the client, where you will need to take these values into account.

1.5 Install the Root Certificate and Key

sudo mv cakey.pem /etc/ssl/private/
sudo mv cacert.pem /etc/ssl/certs/

2. Generate Server CSR (Certificate Signing Request) and Key

2.1 Generate Server Key

openssl genrsa -des3 -out server.key 2048

The next set of commands removes the passphrase from the key so that you do not have to enter it when generating the CSR (Certificate Signing Request); the encrypted copy is kept as server.key.secure.

openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure
mv server.key.insecure server.key

2.2 Generate Server CSR

Please note that the following values need to be accurate for it to work: the Organization (O) must match on all three certificates.

openssl req -new -key server.key -out server.csr

3. Generate Client CSR (Certificate Signing Request) and key

Repeat step 2, replacing the word server with client. You should now have the following files:

root@dhcp-server:/home/david# ls
client.csr  client.key server.csr  server.key

4. Sign both the Server and Client CSRs

This will create the server and client certificates. Without -out, openssl ca prints the signed certificate to the terminal, so write each one to its .crt file:

sudo openssl ca -in server.csr -out server.crt -config /etc/ssl/openssl.cnf
sudo openssl ca -in client.csr -out client.crt -config /etc/ssl/openssl.cnf

You will now have both .crt files:

root@dhcp-server:/home/david# ls
client.crt  client.key  server.crt  server.key

5. Generate the .pfx file or pkcs12 Client certificate

This will be installed on the host where the FortiClient application is installed. Include the CA certificate with -certfile so that the bundle carries the full chain:

openssl pkcs12 -export -out client.pfx -inkey client.key -in client.crt -certfile /etc/ssl/certs/cacert.pem

You should now have the following files:

root@dhcp-server:/home/david# ls
client.crt  client.key  client.pfx  server.crt  server.key

6. Copy the CA certificate back to your home directory

cp /etc/ssl/certs/cacert.pem /home/david/

You will now have all the files you need for certificate authentication.

root@dhcp-server:/home/david# ls
cacert.pem  client.crt  client.key  client.pfx  server.crt  server.key
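Steps 1 to 6 as one non-interactive script, added here as an example and not part of the original guide: it builds the same CA, server and client chain in a working directory of your choosing, uses -subj so that the Organization (O) is identical on all three certificates while each gets its own OU, signs with openssl ca, exports the PKCS#12 bundle, then verifies the chain and reads back the client subject used in step 10.2. The working directory, the subject values and the .pfx password changeit are assumptions for the example.

```shell
#!/bin/sh
# Added example, not the guide's own commands: steps 1-6 run non-interactively
# in one working directory, followed by the checks worth running before
# importing anything on the Fortigate. The directory, subject values and the
# .pfx password are assumptions for the example.
set -eu

ORG="SecNetLinux"   # Organization (O) must match on CA, server and client

build_pki() {
  dir="$1"
  mkdir -p "$dir/CA" "$dir/newcerts" "$dir/certs" "$dir/private"   # 1.1
  echo '01' > "$dir/CA/serial"                                       # 1.2
  : > "$dir/CA/index.txt"

  # 1.3: a minimal openssl.cnf with the CA_default locations the guide edits,
  # plus a policy that forces C, ST and O to match the CA (OU may differ)
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca             = CA_default
[ CA_default ]
dir                    = $dir
database               = \$dir/CA/index.txt
new_certs_dir          = \$dir/newcerts
certificate            = \$dir/certs/cacert.pem
serial                 = \$dir/CA/serial
private_key            = \$dir/private/cakey.pem
default_md             = sha256
default_days           = 365
policy                 = policy_match
x509_extensions        = usr_cert
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
[ req ]
distinguished_name     = req_dn
[ req_dn ]
commonName             = Common Name
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ usr_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF

  # 1.4/1.5: root certificate written straight to the CA locations
  # (-nodes leaves the CA key unencrypted; the guide prompts for a passphrase)
  openssl req -new -x509 -config "$dir/openssl.cnf" -extensions v3_ca -nodes \
    -subj "/C=UK/ST=Some-State/O=$ORG/OU=CA/CN=$ORG Root CA" -days 3650 \
    -keyout "$dir/private/cakey.pem" -out "$dir/certs/cacert.pem" 2>/dev/null

  # 2-4: key and CSR per role with its own OU, then the CA signature
  # (-batch answers the y/n prompts; -notext keeps only the PEM block)
  for ou in Server Client; do
    name=$(printf '%s' "$ou" | tr 'A-Z' 'a-z')
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -new -config "$dir/openssl.cnf" -key "$dir/$name.key" \
      -subj "/C=UK/ST=Some-State/O=$ORG/OU=$ou/CN=$ou" -out "$dir/$name.csr"
    openssl ca -batch -notext -config "$dir/openssl.cnf" \
      -in "$dir/$name.csr" -out "$dir/$name.crt" >/dev/null 2>&1
  done

  # 5: PKCS#12 bundle for FortiClient, with the CA certificate in the chain
  openssl pkcs12 -export -passout pass:changeit -out "$dir/client.pfx" \
    -inkey "$dir/client.key" -in "$dir/client.crt" \
    -certfile "$dir/certs/cacert.pem"
  cp "$dir/certs/cacert.pem" "$dir/cacert.pem"   # 6: the file to import as CA
}

# Both leaf certificates must chain to the CA; a client certificate that does
# not verify here will be rejected by the Fortigate at the TLS handshake.
verify_chain() {
  openssl verify -CAfile "$1/cacert.pem" "$1/server.crt" "$1/client.crt" >/dev/null
}

# The subject line to transcribe into "config user peer" (step 10.2).
client_subject() {
  openssl x509 -noout -subject -in "$1/client.crt"
}
```

Run it as build_pki /tmp/fgt-pki && verify_chain /tmp/fgt-pki && client_subject /tmp/fgt-pki; the files to upload are then in that directory.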

7. Install the Client certificate on the user's computer

Copy client.pfx to the user's computer and double-click the file. Using the Windows certificate import wizard, install the certificate into the Personal certificate store.

8. Import CA Certificate to Fortigate

Import the cacert.pem file to your Fortigate. Under System / Certificates, click Import and then CA Certificate. Select File, then click the Upload button.

You will now see the certificate installed under Remote CA Certificates.

9. Import Server Certificate to Fortigate

You will need both server.crt and server.key for this. Again click Import, this time choosing Local Certificate. Upload the certificate and key file to the Fortigate as per below. Alternatively you could generate a PKCS#12 (.pfx) file, as was done with the client certificate.

You will now see the certificate on the Fortigate under local certificates. Please refer to the picture in step 8.

PLEASE NOTE: The following steps will assume that you have a working SSL VPN configuration and will not go through in detail the workings of a SSL-VPN setup.

10. Configure PKI user

10.1 You will need to specify a username, your CA certificate, and subject.

config user peer
    edit "yourusername"
        set ca "CA_Cert_1"
        set subject "C"
    next
end

10.2 Obtaining the subject from the certificate

root@dhcp-server:/home/david# openssl x509 -noout -in client.crt -subject
subject=C = UK, ST = Some-State, O = SecNetLinux, OU = Client, CN = Client

Once this has been completed you will see the PKI option on the GUI and can then put the PKI users that you have created into the corresponding SSLVPN groups.

10.3 Add two factor authentication

11. Configure the SSL-VPN settings

You will set the server certificate which you uploaded earlier (set servercert "SSLSERVER") and set reqclientcert to enable. I have also set the default-portal to web-access although we will be using FortiClient.

config vpn ssl settings
    set reqclientcert enable
    set servercert "SSLSERVER"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-interface "wan1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "SSL_VPN"
            set portal "full-access"
        next
    end
end

Again, I have not gone into much detail regarding the SSL-VPN setup. You will need to make sure you have your firewall policies, portal mappings etc. in place for this to work. This guide assumes you have a working SSL-VPN configuration in place and that you are adding additional authentication.

12. Configure Forticlient

Once the client certificate has been installed as per step 7, it will populate the drop-down next to Client Certificate in FortiClient.

13. Troubleshooting Commands on the Fortigate

diagnose debug console timestamp enable
diagnose debug application fnbamd -1
diagnose debug application sslvpn -1
diagnose debug enable

Please let me know what you thought of the guide and if it worked, what issues you ran into or if anything wasn’t clear. Thank you for reading.

How to configure route leaking between VRFs Fortigate CLI

This is a detailed guide on how to configure route leaking between VRFs on a Fortigate using the CLI.

In this scenario I will be leaking the default route into another VRF.

You will need to configure a BGP neighbor in order for this to work. This can be any BGP neighbor. In this example I have connected another router to the dmz interface and configured BGP so that a neighbor relationship will form over this link.

1. Configure Vdom-mode

You will need to set the Fortigate to multi-vdom mode so that you can create two Inter-vdom links and put them in two separate VRFs. Multi-vdom means that you can create more than one virtual firewall on a single box. The Inter-vdom links that you create will remain in the root vdom.

config system global
    set vdom-mode multi-vdom
end

2. Allow overlapping of subnets

By default the Fortigate will not allow you to configure duplicate or overlapping networks on the same vdom. The two Inter-vdom links will be on the same subnet.

config vdom
    edit root
        config system settings
            set allow-subnet-overlap enable
        end
    next
end

3. Configure Inter-Vdom Links

Configure the two Inter-Vdom links in the same subnet. Each link is placed in its VRF with the command set vrf <0-31>, as shown below.

config vdom
    edit root
        config system interface
            edit "npu0_vlink0"
                set vdom "root"
                set vrf 1
                set ip 10.200.0.1 255.255.255.0
                set allowaccess ping https ssh snmp http
                set type physical
                set snmp-index 13
            next
            edit "npu0_vlink1"
                set vdom "root"
                set vrf 2
                set ip 10.200.0.2 255.255.255.0
                set allowaccess ping https ssh snmp http telnet
                set type physical
                set snmp-index 14
            next
        end
    next
end

You will need to put your physical or virtual interfaces into their respective VRFs, for example:

config system interface
    edit "wan1"
        set vdom "root"
        set vrf 1
        set ip x.x.x.x 255.255.255.252
    next
    edit "vlan100"
        set vdom "root"
        set vrf 2
        set ip 10.100.0.254 255.255.255.0
    next
end

You will see that I have put my WAN interface into one of the VRFs. This is because I am going to leak the default route from VRF 1 into VRF 2 so that VLAN 100 will have internet access.

4. Configure prefix-list

Configure the prefix-lists for the routes that you want to leak. In this case I will be leaking the source subnet 10.100.0.0/24 of VRF 2 (the return route) and the default route of VRF 1.

config router prefix-list
    edit "1"
        config rule
            edit 1
                set prefix 0.0.0.0 0.0.0.0
                unset ge
                unset le
            next
        end
    next
    edit "2"
        config rule
            edit 1
                set prefix 10.100.0.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
end

5. Configure route-map

The route map is used to identify the subnets used in the VRF Leaking and matched against the prefix-list in the previous step.

config router route-map
    edit "VRF1Routes"
        config rule
            edit 1
                set match-ip-address "1"
                unset set-ip-nexthop
                unset set-ip6-nexthop
                unset set-ip6-nexthop-local
                unset set-originator-id
            next
        end
    next
    edit "VRF2Routes"
        config rule
            edit 1
                set match-ip-address "2"
                unset set-ip-nexthop
                unset set-ip6-nexthop
                unset set-ip6-nexthop-local
                unset set-originator-id
            next
        end
    next
end

6. Configure VRF Leaking

I have included my full BGP configuration. As mentioned at the beginning, the BGP neighbour connects to the dmz interface, and you will need to specify this in your BGP configuration with the command set update-source "yourinterface". For the VRF leaking to work you need at least one BGP neighbour that is up. Under config vrf-leak, the edit <no.> is the origin VRF ID (0 to 31); under config target, the edit <no.> is the target or destination VRF ID (0 to 31). Make sure that you assign the correct route-map to each.

config router bgp
    set as 65536
    set router-id 1.1.1.1
    config neighbor
        edit "192.168.1.254"
            set remote-as 65535
            set update-source "dmz"
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "rip"
    end
    config redistribute "ospf"
    end
    config redistribute "static"
        set status enable
    end
    config redistribute "isis"
    end
    config redistribute6 "connected"
    end
    config redistribute6 "rip"
    end
    config redistribute6 "ospf"
    end
    config redistribute6 "static"
    end
    config redistribute6 "isis"
    end
    config vrf-leak
        edit "2"
            config target
                edit "1"
                    set route-map "VRF2Routes"
                    set interface "npu0_vlink1"
                next
            end
        next
        edit "1"
            config target
                edit "2"
                    set route-map "VRF1Routes"
                    set interface "npu0_vlink0"
                next
            end
        next
    end
end

7. Check the routing table

get router info routing-table all

## lines omitted for brevity ##

Routing table for VRF=1
S*      0.0.0.0/0 [10/0] via 10.50.0.254, wan1
B       10.100.0.0/24 [20/0] via 10.200.0.2, npu0_vlink0, 05:18:07
C       10.200.0.0/24 is directly connected, npu0_vlink0

Routing table for VRF=2
B*      0.0.0.0/0 [20/0] via 10.200.0.1, npu0_vlink1, 05:15:02
C       10.100.0.0/24 is directly connected, vlan100
C       10.200.0.0/24 is directly connected, npu0_vlink1
C       192.168.1.0/24 is directly connected, dmz
B       192.168.2.0/24 [20/0] via 192.168.1.254, dmz, 03:00:13
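An added verification for step 7, not from the original guide: an awk parser over the "Routing table for VRF=" sections of get router info routing-table all that reports which interface carries a given prefix inside a given VRF, so both directions of the leak can be checked from a script. The sample table is constructed from the output shown above.

```shell
#!/bin/sh
# Added example, not from the original guide: confirm the VRF leak from the
# output of "get router info routing-table all". The sample table is
# constructed to match the shape of the output shown in step 7.
ROUTING_TABLE='Routing table for VRF=1
S*      0.0.0.0/0 [10/0] via 10.50.0.254, wan1
B       10.100.0.0/24 [20/0] via 10.200.0.2, npu0_vlink0, 05:18:07
C       10.200.0.0/24 is directly connected, npu0_vlink0

Routing table for VRF=2
B*      0.0.0.0/0 [20/0] via 10.200.0.1, npu0_vlink1, 05:15:02
C       10.100.0.0/24 is directly connected, vlan100
C       10.200.0.0/24 is directly connected, npu0_vlink1'

# route_iface VRF PREFIX   (routing table on stdin)
# Prints "CODE IFACE" for PREFIX inside that VRF section, for example
# "B* npu0_vlink1"; exits 1 if the VRF has no such route.
route_iface() {
  awk -v want_vrf="$1" -v want_prefix="$2" '
    /^Routing table for VRF=/ { sub(/.*VRF=/, ""); vrf = $0; next }
    vrf == want_vrf && $2 == want_prefix {
      # "via NEXTHOP, IFACE, uptime" lines carry the interface in field 6;
      # "is directly connected, IFACE" lines carry it in the last field
      iface = $NF
      if ($4 == "via" && NF >= 6) iface = $6
      sub(/,$/, "", iface)
      print $1, iface
      found = 1
      exit
    }
    END { exit found ? 0 : 1 }'
}

# leak_ok TABLE: 0 only when both directions of the leak are installed on the
# expected inter-VDOM links (the two "B" routes learned over npu0_vlink0/1).
leak_ok() {
  table="$1"
  # default route leaked from VRF 1 (wan1) into VRF 2 over npu0_vlink1
  d=$(printf '%s\n' "$table" | route_iface 2 0.0.0.0/0) || return 1
  # return route 10.100.0.0/24 leaked from VRF 2 into VRF 1 over npu0_vlink0
  r=$(printf '%s\n' "$table" | route_iface 1 10.100.0.0/24) || return 1
  [ "$d" = "B* npu0_vlink1" ] && [ "$r" = "B npu0_vlink0" ]
}
```

On a live box pipe the real output in, for example via ssh: ssh admin@fw 'get router info routing-table all' | route_iface 2 0.0.0.0/0.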

8. Configure firewall policies

This is an example of a firewall policy setup. You will need to configure a policy from the physical or VLAN interface to the VDOM link in VRF 2, and then a policy from the VDOM link to the WAN interface in VRF 1. I have also configured policies for a VIP (Virtual IP) for connecting to the server via its public IP.

9. Test

david@WonderSH:~$ traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  _gateway (10.100.0.254)  0.587 ms  0.319 ms  0.326 ms
 2  10.200.0.1 (10.200.0.1)  0.354 ms  0.367 ms  0.351 ms
 3  vodafone.connect (10.50.0.254)  5.202 ms  4.974 ms  4.777 ms

If you feel that there is anything you can add or have a question please feel free to leave a comment below.

How to configure BGP over IPSEC VPN Fortigate CLI.

This is a quick reference on how to configure BGP over an IPSEC VPN using the Fortigate CLI. The des-md5/des-sha1 proposals in the lab configuration below are weak; on a production tunnel use AES and SHA-2 proposals in both phases.

1. Scenario

2. Configure Firewall “BGP1”

2.1 Configure VPN IPSEC phase1-interface

config vpn ipsec phase1-interface
    edit "BGP_1"
        set interface "port1"
        set peertype any
        set proposal des-md5 des-sha1
        set remote-gw 10.0.0.6
        set psksecret yourpassword
    next
end

2.2 Configure VPN IPSEC phase2-interface

config vpn ipsec phase2-interface
    edit "BGP_1"
        set phase1name "BGP_1"
        set proposal des-md5 des-sha1
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

2.3 Configure firewall policies

config firewall policy
    edit 1
        set name "BGP-VPN"
        set srcintf "BGP_1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "BGP-VPN"
        set srcintf "port2"
        set dstintf "BGP_1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

2.4 Edit VPN interface

You will need to configure an IP address on either end of the tunnel including the corresponding remote IP address of the remote device.

config system interface
    edit "BGP_1"
        set vdom "root"
        set ip 1.1.1.1 255.255.255.255
        set type tunnel
        set remote-ip 1.1.1.2 255.255.255.255
        set snmp-index 12
        set interface "port1"
    next
end

2.5 Configure BGP

Configure the IP address of the remote end's IPSEC VPN interface as the neighbour address, as per step 2.4.

config router bgp
    set as 1111
    set router-id 1.1.1.1
    config neighbor
        edit "1.1.1.2"
            set remote-as 1112
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "rip"
    end
    config redistribute "ospf"
    end
    config redistribute "static"
    end
    config redistribute "isis"
    end
    config redistribute6 "connected"
    end
    config redistribute6 "rip"
    end
    config redistribute6 "ospf"
    end
    config redistribute6 "static"
    end
    config redistribute6 "isis"
    end
end


3. Configure Firewall BGP2

3.1 Configure VPN IPSEC phase1-interface

config vpn ipsec phase1-interface
    edit "BGP_1"
        set interface "port1"
        set peertype any
        set proposal des-md5 des-sha1
        set remote-gw 10.0.0.2
        set psksecret yourpassword
    next
end

3.2 Configure VPN IPSEC phase2-interface

config vpn ipsec phase2-interface
    edit "BGP_1"
        set phase1name "BGP_1"
        set proposal des-md5 des-sha1
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

3.3 Configure firewall policies


config firewall policy
    edit 1
        set name "BGP-VPN"
        set srcintf "BGP_1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "BGP-VPN"
        set srcintf "port2"
        set dstintf "BGP_1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

3.4 Edit VPN interface

config system interface
    edit "BGP_1"
        set vdom "root"
        set ip 1.1.1.2 255.255.255.255
        set type tunnel
        set remote-ip 1.1.1.1 255.255.255.255
        set snmp-index 12
        set interface "port1"
    next
end

3.5 Configure BGP

config router bgp
    set as 1112
    set router-id 1.1.1.2
    config neighbor
        edit "1.1.1.1"
            set remote-as 1111
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "rip"
    end
    config redistribute "ospf"
    end
    config redistribute "static"
    end
    config redistribute "isis"
    end
    config redistribute6 "connected"
    end
    config redistribute6 "rip"
    end
    config redistribute6 "ospf"
    end
    config redistribute6 "static"
    end
    config redistribute6 "isis"
    end
end

4. Diagnosis

4.1 Check the VPN tunnel is up

If the phase 2 tunnel is down you will see no SAs (security associations) on its proxyid line, for example sa=0.

BGP2 # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=BGP_1 ver=1 serial=1 10.0.0.6:0->10.0.0.2:0 dst_mtu=1500
bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc  run_state=0 accept_traffic=1

proxyid_num=1 child_num=0 refcnt=16 ilast=7 olast=7 ad=/0
stat: rxp=287 txp=277 rxb=34664 txb=19048
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=2
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=BGP_1 proto=0 sa=1 ref=2 serial=2
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=30202 type=00 soft=0 mtu=1446 expire=40274/0B replaywin=2048
       seqno=116 esn=0 replaywin_lastseq=00000120 itn=0 qat=0
  life: type=01 bytes=0/0 timeout=42932/43200
  dec: spi=e7bd5aa2 esp=des key=8 5fed049f153a3bc1
       ah=md5 key=16 9fb00da00bba3e3ea0a7f456d04b8b84
  enc: spi=11c9c117 esp=des key=8 585db5038f75e4b2
       ah=md5 key=16 5fd1f5e42993cdf31243f2869cdf5bec
  dec:pkts/bytes=287/19656, enc:pkts/bytes=277/33496
run_tally=1

4.2 Check the BGP neighbour is up

BGP2 # get router info bgp summary
BGP router identifier 1.1.1.2, local AS number 1112
BGP table version is 2
2 BGP AS-PATH entries
0 BGP community entries

Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
1.1.1.1         4       1111       9       8        1    0    0 00:06:06        4

Total number of neighbors 1

4.3 Check the BGP routing table


BGP2 # get router info routing-table bgp

Routing table for VRF=0
B       10.0.0.0/30 [20/0] via 1.1.1.1, BGP_1, 00:04:23
B       192.168.1.0/24 [20/0] via 1.1.1.1, BGP_1, 00:04:23

4.4 Ping test from host to host

PC2> ping 192.168.1.1

84 bytes from 192.168.1.1 icmp_seq=1 ttl=62 time=21.280 ms
84 bytes from 192.168.1.1 icmp_seq=2 ttl=62 time=19.798 ms
84 bytes from 192.168.1.1 icmp_seq=3 ttl=62 time=20.844 ms
84 bytes from 192.168.1.1 icmp_seq=4 ttl=62 time=30.281 ms
84 bytes from 192.168.1.1 icmp_seq=5 ttl=62 time=22.197 ms
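An added health check for section 4, not from the original guide: it filters diagnose vpn tunnel list for phase 2 selectors with sa=0 and get router info bgp summary for neighbours that are not Established, the two symptoms steps 4.1 and 4.2 look for by eye. The samples are constructed with the same layout as the outputs above; the second tunnel BGP_2 and the neighbour 1.1.1.5 are invented to show the failing case.

```shell
#!/bin/sh
# Added example, not from the original guide: flag a down phase 2 (sa=0) and a
# BGP neighbour that is not Established from the two diagnostic outputs in
# section 4. Samples are constructed to match the layout shown above; BGP_2
# and neighbour 1.1.1.5 are invented to show the failing case.
TUNNEL_LIST='list all ipsec tunnel in vd 0
------------------------------------------------------
name=BGP_1 ver=1 serial=1 10.0.0.6:0->10.0.0.2:0 dst_mtu=1500
proxyid=BGP_1 proto=0 sa=1 ref=2 serial=2
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
------------------------------------------------------
name=BGP_2 ver=1 serial=3 10.0.0.6:0->10.0.0.10:0 dst_mtu=1500
proxyid=BGP_2 proto=0 sa=0 ref=1 serial=4
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0'

BGP_SUMMARY='BGP router identifier 1.1.1.2, local AS number 1112
BGP table version is 2

Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
1.1.1.1         4       1111       9       8        1    0    0 00:06:06        4
1.1.1.5         4       1113       0       0        0    0    0 never      Active

Total number of neighbors 2'

# Phase 2 selectors with no security association (sa=0): one name per line.
down_phase2() {
  awk '/^proxyid=/ {
         for (i = 1; i <= NF; i++)
           if ($i == "sa=0") { sub(/^proxyid=/, "", $1); print $1 }
       }'
}

# Neighbours whose State/PfxRcd column is a state word (Idle, Active,
# Connect, ...) instead of a number: an Established session shows the
# count of prefixes received, as 1.1.1.1 does above.
bgp_not_established() {
  awk '/^Neighbor/ { in_table = 1; next }
       in_table && $1 ~ /^[0-9.]+$/ && $NF !~ /^[0-9]+$/ { print $1 }'
}

# tunnel_and_bgp_ok TUNNEL_OUTPUT BGP_OUTPUT: 0 only when nothing is down,
# so it can sit behind a monitoring check or a post-change script.
tunnel_and_bgp_ok() {
  [ -z "$(printf '%s\n' "$1" | down_phase2)" ] &&
  [ -z "$(printf '%s\n' "$2" | bgp_not_established)" ]
}
```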

Thank you for reading and please feel free to leave any feedback.

How to configure OSPF over IPSEC VPN Fortigate CLI.

This is a quick reference on how to configure OSPF over an IPSEC VPN using the Fortigate CLI. The des-md5/des-sha1 proposals in the lab configuration below are weak; on a production tunnel use AES and SHA-2 proposals in both phases.

1. Scenario

2. Configure Firewall OSPF1

2.1 Configure VPN IPSEC phase1-interface

config vpn ipsec phase1-interface
    edit "OSPF_1"
        set interface "port1"
        set peertype any
        set proposal des-md5 des-sha1
        set remote-gw 10.0.0.6
        set psksecret yourpassword
    next
end

2.2 Configure VPN IPSEC phase2-interface

config vpn ipsec phase2-interface
    edit "OSPF_1"
        set phase1name "OSPF_1"
        set proposal des-md5 des-sha1
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

2.3 Configure firewall policies

config firewall policy
    edit 1
        set name "OSPF-VPN"
        set srcintf "OSPF_1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "OSPF-VPN"
        set srcintf "port2"
        set dstintf "OSPF_1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

2.4 Edit VPN interface

You will need to add an IP address and remote IP address to the IPSEC VPN interface so that OSPF can send multicast traffic over the IPSEC tunnel.

config system interface
    edit "OSPF_1"
        set vdom "root"
        set ip 1.1.1.1 255.255.255.255
        set type tunnel
        set remote-ip 1.1.1.2 255.255.255.255
        set snmp-index 12
        set interface "port1"
    next
end

2.5 Configure OSPF

Under the network configuration, ensure that the network prefix covers the addresses you configured on the IPSEC VPN interface. The network statement tells OSPF which interfaces to send OSPF information out of.

config router ospf
    set router-id 1.1.1.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "VPN_OSPF"
            set interface "OSPF_1"
            set dead-interval 40
            set hello-interval 10
            set network-type point-to-point
        next
    end
    config network
        edit 1
            set prefix 1.1.1.0 255.255.255.252
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "static"
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
    end
    config redistribute "isis"
    end
end

3. Configure Firewall OSPF2

3.1 Configure VPN IPSEC phase1-interface

config vpn ipsec phase1-interface
    edit "OSPF_1"
        set interface "port1"
        set peertype any
        set proposal des-md5 des-sha1
        set remote-gw 10.0.0.2
        set psksecret yourpassword
    next
end

3.2 Configure VPN IPSEC phase2-interface

config vpn ipsec phase2-interface
    edit "OSPF_1"
        set phase1name "OSPF_1"
        set proposal des-md5 des-sha1
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

3.3 Configure firewall policies


config firewall policy
    edit 1
        set name "OSPF-VPN"
        set srcintf "OSPF_1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "OSPF-VPN"
        set srcintf "port2"
        set dstintf "OSPF_1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

3.4 Edit VPN interface

config system interface
    edit "OSPF_1"
        set vdom "root"
        set ip 1.1.1.2 255.255.255.255
        set type tunnel
        set remote-ip 1.1.1.1 255.255.255.255
        set snmp-index 12
        set interface "port1"
    next
end

3.5 Configure OSPF

config router ospf
    set router-id 1.1.1.2
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "VPN_OSPF"
            set interface "OSPF_1"
            set dead-interval 40
            set hello-interval 10
            set network-type point-to-point
        next
    end
    config network
        edit 1
            set prefix 1.1.1.0 255.255.255.252
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "static"
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
    end
    config redistribute "isis"
    end
end

4. Diagnosis

4.1 Check the VPN tunnel is up

If the phase 2 tunnel is down you will see no SAs (security associations) on its proxyid line, for example sa=0.

OSPF2 # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=OSPF_1 ver=1 serial=1 10.0.0.6:0->10.0.0.2:0 dst_mtu=1500
bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc  run_state=0 accept_traffic=1

proxyid_num=1 child_num=0 refcnt=16 ilast=7 olast=7 ad=/0
stat: rxp=287 txp=277 rxb=34664 txb=19048
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=2
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=OSPF_1 proto=0 sa=1 ref=2 serial=2
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=30202 type=00 soft=0 mtu=1446 expire=40274/0B replaywin=2048
       seqno=116 esn=0 replaywin_lastseq=00000120 itn=0 qat=0
  life: type=01 bytes=0/0 timeout=42932/43200
  dec: spi=e7bd5aa2 esp=des key=8 5fed049f153a3bc1
       ah=md5 key=16 9fb00da00bba3e3ea0a7f456d04b8b84
  enc: spi=11c9c117 esp=des key=8 585db5038f75e4b2
       ah=md5 key=16 5fd1f5e42993cdf31243f2869cdf5bec
  dec:pkts/bytes=287/19656, enc:pkts/bytes=277/33496
run_tally=1

4.2 Check the OSPF neighbour

OSPF1 # get router info ospf neighbor

OSPF process 0, VRF 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.2           1   Full/ -         00:00:34    1.1.1.2         OSPF_1

4.3 Check the OSPF routing table

OSPF1 # get router info routing-table ospf

Routing table for VRF=0
O E2    10.0.0.4/30 [110/10] via 1.1.1.2, OSPF_1, 00:47:16
O E2    192.168.2.0/24 [110/10] via 1.1.1.2, OSPF_1, 00:47:16

4.4 Ping test from host to host

PC2> ping 192.168.1.1

84 bytes from 192.168.1.1 icmp_seq=1 ttl=62 time=21.280 ms
84 bytes from 192.168.1.1 icmp_seq=2 ttl=62 time=19.798 ms
84 bytes from 192.168.1.1 icmp_seq=3 ttl=62 time=20.844 ms
84 bytes from 192.168.1.1 icmp_seq=4 ttl=62 time=30.281 ms
84 bytes from 192.168.1.1 icmp_seq=5 ttl=62 time=22.197 ms

Thank you for reading and please feel free to leave any feedback.

How to connect using OpenVPN (Windows 10) to pfSense firewall.

This is a detailed guide on how to connect to your pfSense Firewall using OpenVPN for remote access.

There is a known issue with the latest OpenVPN version and Windows 10 with the TAP adapter not working. This guide incorporates the fix for this issue.

1. Create OpenVPN server on pfSense firewall

1.1 Click Add under VPN / OpenVPN / Servers

1.2 Click on “Use a wizard to setup a new server”.

1.3 Select Authentication Type

Type of Server: select Local User Access.

1.4 Create a Certificate Authority (CA)

1.5 Add new Certificate

1.6 General OpenVPN Server Information

1.6.1 Set your interface to where VPN Clients will be connecting (usually WAN)

1.6.2 Set Protocol to UDP

1.6.3 Set the local port or leave blank

Local port upon which OpenVPN will listen for connections. The default port is 1194. Leave this blank to auto-select an unused port.

1.6.4 Description

Add your own description

1.7 Cryptographic Settings

Leave as default for the purpose of setting up this basic VPN server.

1.8 Tunnel Settings

1.8.1 Configure IPv4 Tunnel Network

This will be the network assigned to OpenVPN clients.

1.8.2 Configure IPv4 Local Network

This will be the network that the OpenVPN clients will access, for example the local network or LAN.

1.9 Client Settings

1.9.1 Add DNS servers

1.10 Firewall Rule Configuration

The wizard will create the firewall rules automatically for you if you check the tick boxes. This will allow traffic to the OpenVPN server and allow traffic to the local network behind the pfSense firewall.

1.11 Click Finish

2. Create local users

2.1 Navigate to System / User Manager

2.2 Set username and password

These are the credentials the client will use to authenticate when connecting to the VPN.

2.3 Generate user certificate

3. Install OpenVPN on Windows 10

3.1 Download and Install an older version of OpenVPN

https://build.openvpn.net/downloads/releases/openvpn-2.1.3-install-win2k.exe

When you install this you will be prompted to install a TAP driver, which is version 9. Once installed we can update to the latest version of OpenVPN.

3.2 Install later Version

https://build.openvpn.net/downloads/releases/openvpn-install-2.4.7-I603.exe

Once the old version of OpenVPN is installed, install the version above.

3.3 Update the TAP drivers manually

3.3.1 Open Device Manager, right click the TAP-Windows Adapter and select Update driver.

3.3.2 Select Browse my computer for driver software.

3.3.3 Point to the folder where you have saved the drivers: AMD64 for 64-bit and i386 for 32-bit.

4. Run OpenVPN GUI as administrator.



This will give you the OpenVPN icon in your Windows tray. Right click the icon and click Import. Before you do this you will need to download the client config from the pfSense Firewall.

5. Download Client VPN Configuration

5.1 Install openvpn-client-export on pfSense Firewall

Navigate to System / Package Manager and click on Available Packages. Search for openvpn-client-export and install it.

5.2 Navigate to VPN / OpenVPN / Client Export

5.3 Click on Most Clients under Inline Configurations and download the client configuration.

Scroll down to the section heading OpenVPN Clients. If all the other steps have been carried out correctly, you will see the client configurations available to download.

6. Import file for client configuration.

6.1 Right click on the OpenVPN icon in your system tray, as per the screenshot above in point 4.

6.2 Click Import file and select the file from the download location.

7. Connect to your VPN.

7.1 Right click the OpenVPN tray icon and click connect.

7.2 Enter user credentials.

Please feel free to leave any feedback.

Thank you for reading.

How to create a Site to Site IPSec VPN from a pfSense to a Fortigate behind a NAT Router.

This is a detailed guide on how to create a Site to Site IPSec VPN from a pfSense to a Fortigate behind a NAT Router.

1. Fortigate Configuration

1.1 Configure the Fortigate Phase 1

 
config vpn ipsec phase1-interface
    edit "PfSense"
        set interface "wan1"
        set proposal aes256-sha256
        set dhgrp 5
        set remote-gw x.x.x.x
        set psksecret 
    next
end

1.2 Configure the Fortigate Phase 2

 
config vpn ipsec phase2-interface
    edit "pfSense"
        set phase1name "PfSense"
        set proposal aes256-sha256
        set pfs disable
        set keepalive enable
        set auto-negotiate enable
        set src-subnet 192.168.0.0 255.255.0.0
        set dst-subnet 10.0.100.0 255.255.255.0
    next
end

1.3 Configure a static route on the Fortigate

 
config router static
    edit 0
        set dst 10.0.100.0 255.255.255.0
        set device "PfSense"
    next
end

1.4 Configure Fortigate firewall policies


config firewall policy
    edit 11
        set srcintf "PfSense"
        set dstintf "lo0"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

config firewall policy
    edit 15
        set srcintf "lo0"
        set dstintf "PfSense"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

2. pfSense Configuration

2.1 Configure Phase 1 General Information on the pfSense


Key Exchange Version = IKEv1

Remote Gateway = The public IP address of the Fortigate

2.2 Configure Phase 1 Proposal (Authentication) on the pfSense


Authentication Method = Mutual PSK

Negotiation Mode = Main

My Identifier = My IP address

Peer Identifier = This is important: it needs to be the private IP address of the WAN interface of the Fortigate (or other remote device), because that is the address the Fortigate presents as its IKE identity from behind the NAT router. Normally this would just be the peer IP address if the public IP address were configured on the remote Fortigate.

Pre-Shared Key = Make sure that the Pre-Shared key matches on both sides

2.3 Configure Phase 1 Proposal (Encryption) on the pfSense

Ensure that the Encryption Algorithms are an exact mirror on both devices. Also ensure that the timers match on either side.

2.4 Configure Advanced Options on the pfSense

You can leave these as the default values.

2.5 Configure Pre-shared Keys TAB at the Top of the page

Click the tab labelled Pre-Shared Keys and enter your pre-shared key again, together with the private IP address of the remote device's (Fortigate's) WAN interface.

2.6 Click the green Add P2 to add the pfSense’s Phase 2 configuration

Make sure that the Phase 2 selectors are an exact mirror of the Fortigate's:

Networks

Authentication

Encryption

2.7 Configure Phase 2 General Information on the pfSense

Set the local network to the local subnet connected to the pfSense.

Set the remote network to the remote subnet of the Fortigate.

2.8 Configure Phase 2 Proposal (SA/Key Exchange) on the pfSense

Make sure the phase 2 encryption and authentication match on both sides of the tunnel.

Configure the Lifetime on the pfSense, again ensuring that it matches on both endpoint devices.

(optional) PFS – In this case I have not configured it. As with all the encryption and authentication settings, this needs to match on both sides, so if it is set to Group 2 on the pfSense it needs to match on the Fortigate.
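As an added check that is not part of the original guide: a small Python script that parses the FortiOS blocks from sections 1.1 and 1.2 and compares them with the values entered in the pfSense GUI in sections 2.3 to 2.8, reporting any setting that is not mirrored (encryption, hash, DH group, PFS and the swapped Phase 2 networks). The FortiGate text is a constructed copy of the blocks above with the pre-shared key and gateway left out, and the PFSENSE field names are my own.

```python
import ipaddress

# Constructed copy of the FortiGate blocks from sections 1.1 and 1.2 (psksecret, remote-gw omitted).
FORTIGATE_CONFIG = """
config vpn ipsec phase1-interface
    edit "PfSense"
        set proposal aes256-sha256
        set dhgrp 5
    next
end
config vpn ipsec phase2-interface
    edit "pfSense"
        set proposal aes256-sha256
        set pfs disable
        set src-subnet 192.168.0.0 255.255.0.0
        set dst-subnet 10.0.100.0 255.255.255.0
    next
end
"""
# Values typed into the pfSense GUI in sections 2.2 to 2.8, written in FortiOS spelling.
PFSENSE = {
    "p1_encryption": "aes256", "p1_hash": "sha256", "p1_dh_group": "5",
    "p2_encryption": "aes256", "p2_hash": "sha256", "p2_pfs": "off",
    "p2_local_network": "10.0.100.0/24", "p2_remote_network": "192.168.0.0/16",
}

def parse_fortios(text):
    """Map each 'config <table>' block to its 'set key value' pairs (one edit per table)."""
    tables, table = {}, None
    for tok in (line.split() for line in text.splitlines()):
        if tok and tok[0] == "config":
            table = tables.setdefault(" ".join(tok[1:]), {})
        elif tok and tok[0] == "set":
            table[tok[1]] = " ".join(tok[2:]).strip('"')
    return tables

def fortios_subnet(value):
    """'10.0.100.0 255.255.255.0' -> '10.0.100.0/24', the form the pfSense GUI shows."""
    addr, mask = value.split()
    return str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))

def mirror_mismatches(fortigate_text, pfsense):
    """Return the settings that differ between the two ends ([] means mirrored)."""
    cfg = parse_fortios(fortigate_text)
    p1, p2 = cfg["vpn ipsec phase1-interface"], cfg["vpn ipsec phase2-interface"]
    enc1, hash1 = p1["proposal"].split()[0].split("-")  # first proposal only
    enc2, hash2 = p2["proposal"].split()[0].split("-")
    pfs = "off" if p2.get("pfs") == "disable" else p2.get("dhgrp", "?")
    checks = [
        ("phase1 encryption", enc1, pfsense["p1_encryption"]),
        ("phase1 hash", hash1, pfsense["p1_hash"]),
        ("phase1 DH group", p1["dhgrp"], pfsense["p1_dh_group"]),
        ("phase2 encryption", enc2, pfsense["p2_encryption"]),
        ("phase2 hash", hash2, pfsense["p2_hash"]),
        ("phase2 PFS", pfs, pfsense["p2_pfs"]),
        # Selectors mirror: FortiGate src == pfSense remote, FortiGate dst == pfSense local.
        ("phase2 remote network", fortios_subnet(p2["src-subnet"]), pfsense["p2_remote_network"]),
        ("phase2 local network", fortios_subnet(p2["dst-subnet"]), pfsense["p2_local_network"]),
    ]
    return [f"{name}: FortiGate={a} pfSense={b}" for name, a, b in checks if a != b]
```

Run `mirror_mismatches(FORTIGATE_CONFIG, PFSENSE)` after editing either side; an empty list means both ends agree.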

2.9 PfSense Advanced Configuration

Set the "Automatically ping host" value to the private IP address of the WAN interface of the Fortigate.

2.10 Configure pfSense Firewall Rules to allow traffic

This can be found under the Firewall tab, labelled Rules.

2.11 Check that the tunnel is up

This is under the Status tab, labelled IPsec.

3. Test the Connection

 

C:\Users\Administrator>ping 192.168.101.254

Pinging 192.168.101.254 with 32 bytes of data:
Reply from 192.168.101.254: bytes=32 time=28ms TTL=254
Reply from 192.168.101.254: bytes=32 time=27ms TTL=254
Reply from 192.168.101.254: bytes=32 time=28ms TTL=254
Reply from 192.168.101.254: bytes=32 time=27ms TTL=254

Ping statistics for 192.168.101.254:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 27ms, Maximum = 28ms, Average = 27ms

If there is anything in the world of Security, Networking or Linux that you are struggling to find documented in detail on the World Wide Web, please feel free to send us a message.

Please feel free to leave a comment on any of our guides if you feel that we have missed something or not quite got it right.

How to get OpenVPN to work on Windows 10

1. Install OpenVPN on Windows 10

1.1 Download and Install an older version of OpenVPN

https://build.openvpn.net/downloads/releases/openvpn-2.1.3-install-win2k.exe

When you install this you will be prompted to install a TAP driver, which is version 9. Once installed we can update to the latest version of OpenVPN.

1.2 Install later Version

https://build.openvpn.net/downloads/releases/openvpn-install-2.4.7-I603.exe

Once the old version of OpenVPN is installed, install the version above.

1.3 Update the TAP drivers manually

1.3.1 Open Device Manager, right click the TAP-Windows Adapter and select Update driver.

1.3.2 Select Browse my computer for driver software.

1.3.3 Point to the folder where you have saved the drivers: AMD64 for 64-bit and i386 for 32-bit.

2. Run OpenVPN GUI as administrator.



This will give you the OpenVPN icon in your Windows tray. Right click the icon and click Import. Before you do this you will need to download the client config from the VPN server.

3. Download Client VPN Configuration from your VPN server.

4. Import file for client configuration.

4.1 Right click on the OpenVPN icon in your system tray, as per the screenshot above in point 2.

4.2 Click Import file and select the file from the download location.

5. Connect to your VPN.

5.1 Right click the OpenVPN tray icon and click connect.

5.2 Enter user credentials.

If you are new to the world of Linux, an avid Linux enthusiast or a student, why not try our 0.99p per month Linux VPS.

Simply click on the screenshot below to find out more, or navigate to https://piggybank.cloud

Thank you for reading and please feel free to leave any feedback.

How to connect using OpenVPN (Windows 10) to OpnSense firewall.

This is a detailed guide on how to connect to your OpnSense Firewall using OpenVPN for remote access. Piggybank Cloud lets you launch an OpnSense firewall with a click of a button. You can connect your virtual machines to your firewall all with ease from your Piggybank customer portal.

There is a known issue with the latest OpenVPN version and Windows 10 with the TAP adapter not working. This guide incorporates the fix for this issue.

1. Create OpenVPN server on OpnSense firewall

1.1 Click on “Use a wizard to setup a new server”.

1.2 Select Authentication Type

Type of Server – Select local User Access

1.3 Create a Certificate Authority (CA)

1.4 Add new Certificate

1.5 General OpenVPN Server Information

1.5.1 Set your interface to where VPN Clients will be connecting (usually WAN)

1.5.2 Set Protocol to UDP

1.5.3 Set the local port or leave blank

Local port upon which OpenVPN will listen for connections. The default port is 1194. Leave this blank to auto-select an unused port.

1.5.4 Description

Add your own description

1.6 Cryptographic Settings

For this example I have left the default settings, as per the screenshot.


1.7 Tunnel Settings

1.7.1 Configure IPv4 Tunnel Network

This will be the network assigned to OpenVPN clients.

1.7.2 Configure IPv4 Local Network

This will be the network that the OpenVPN clients will access, for example the local network or LAN.

1.8 Client Settings

1.8.1 Add DNS servers

1.9 Firewall Rule Configuration

The wizard will create the firewall rules automatically for you if you check the tick boxes. This will allow traffic to the OpenVPN server and allow traffic to the local network behind the OpnSense Firewall.

1.9.1 WAN – Rules

1.9.2 OpenVPN – Rules

1.10 OpenVPN Server Example:

Please note: Certificate depth is set to “do not check” – this means that the same configuration can be used by multiple users to authenticate against the same OpenVPN server configuration.

2. Create local users

2.1 Navigate to System / Access / Users and click add.

2.2 Set user name and password

These are the credentials the client will use to authenticate when connecting to the VPN.

3. Install OpenVPN on Windows 10

3.1 Download and Install an older version of OpenVPN

https://build.openvpn.net/downloads/releases/openvpn-2.1.3-install-win2k.exe

When you install this you will be prompted to install a TAP driver, which is version 9. Once installed we can update to the latest version of OpenVPN.

3.2 Install later Version

https://build.openvpn.net/downloads/releases/openvpn-install-2.4.7-I603.exe

Once the old version of OpenVPN is installed, install the version above.

3.3 Update the TAP drivers manually

3.3.1 Open Device Manager, right click the TAP-Windows Adapter and select Update driver.

3.3.2 Select Browse my computer for driver software.

3.3.3 Point to the folder where you have saved the drivers: AMD64 for 64-bit and i386 for 32-bit.

4. Run OpenVPN GUI as administrator.



This will give you the OpenVPN icon in your Windows tray. Right click the icon and click Import. Before you do this you will need to download the client config from the OpnSense Firewall.

5. Download Client VPN Configuration

5.1 Navigate to VPN / OpenVPN / Client Export.

5.2 Set Export type to File Only.

5.3 Click on the small cloud icon to the left of the page.

5.4 Edit the client configuration file.

5.4.1 Right click the file you have downloaded from the firewall and remove UDP from line 8, as per the screenshots.

5.4.2 The config should look as follows, with x.x.x.x being the public IP of your firewall.

6. Import file for client configuration.

6.1 Right click on the OpenVPN icon in your system tray, as per the screenshot above in point 4.

6.2 Click Import file and select the file from the download location.

7. Connect to your VPN.

7.1 Right click the OpenVPN tray icon and click connect.

7.2 Enter user credentials.

Please feel free to leave any feedback. If you would like to explore Piggybank Cloud, navigate to https://piggybank.cloud/register.php

Thank you for reading.

How to create a pfSense Mobile (dialup) IPSEC VPN for a remote VPN client.

Hi all,

If you have an existing VPN client and would like to connect to a pfSense firewall this is how to do it.

I am currently connecting to my pfSense firewall which you can deploy with a click of a button on Piggybank Cloud.


This will set up your public IP address and also give you your local LAN subnet. Alternatively you can add a virtual Ethernet adapter and configure your own private IP subnet.

Step 1. Enable and configure Mobile Clients

Click on IPsec under the VPN tab in the top menu.

Click on the Mobile Clients tab – VPN / IPsec / Mobile Clients

Tick the box next to Enable IPsec Mobile Client Support.

Set User Authentication to Local Database.

Set Group Authentication to system.

Configure your Virtual Address Pool – this is the subnet from which addresses are assigned to the VPN clients.

Configure DNS servers.

Click Save and Apply.

Step 2. Configure IPsec Mobile Clients Phase 1

Once you have finished configuring the Mobile Clients settings, you will be presented with a tab to edit the Phase 1 of Mobile Clients.

Enter the following settings (you can apply your own encryption, hash, DH group, lifetime etc.). You need to ensure that both ends of the tunnel configuration (client and pfSense) match in terms of IKE VPN settings.

  • Authentication method: Mutual PSK + Xauth
  • Negotiation mode: Aggressive
  • My identifier: My IP address
  • Peer identifier: User Distinguished Name, for example “support@piggybank.cloud”
  • Pre-Shared Key: “Your PSK”
  • Encryption Algorithm: AES 128
  • Hash Algorithm: SHA1
  • DH Key Group: 2
  • Lifetime: 86400
  • NAT Traversal: Force
  • Click Save

Step 3. Configure IPsec Mobile Clients Phase 2

The IPsec settings can be configured to your own specification in terms of encryption, hash, PFS etc., as long as the client and the pfSense firewall IPsec Phase 2 settings match.

  • Click inside the Mobile Phase 1 to expand its Phase 2 list.
  • Click Add P2 to add a new Phase 2.
  • Enter the following settings:
    • Mode: Tunnel
    • Local Network: the Phase 2 network to be accessed by the VPN client (in this case the LAN subnet)
    • Protocol: ESP
    • Encryption Algorithms: AES 128 only
    • Hash Algorithms: SHA1 only
    • PFS key group: off
    • Lifetime: 28800
  • Add additional Phase 2 entries (created separately)
  • Click Save
  • Click Apply Changes

Step 4. Configure a user on the local database

System > User Manager

Configure your users by entering a username and password and allocating them to groups.

Please make sure you authorise users for the VPN – IPsec xauth Dialin permission as per below, otherwise your users will fail authentication.

Step 5. Create a rule to allow traffic

Under the Firewall tab click Rules and create a rule to allow IPsec traffic under the IPsec tab.

Step 6. Configure your VPN Client

You can download a copy of the VPN client and a base config from Piggybank Cloud’s Demo account.

Navigate to the following url

https://piggybank.cloud/home/Demo.html

Check out the following guide to give you a tour of the platform and to get you familiar with the layout if you need help finding the client.

Get the full tour of Piggybank Cloud’s Client Portal and Virtual Datacentre.


Click View VPN Details

Click Download VPN Config and Download VPN Client

This will give you the Demo account's VPN details; change the following once the config is imported:

Install the VPN Client

Import the downloaded config into the VPN Client by clicking file and then import.

Change the remote host name or IP address (the pfSense in this case).

Change the Identification type to User Fully Qualified Domain Name and add the UFQDN string that you have configured on the pfSense.

Change the PSK (Pre-Shared Key) to match what you have configured on your pfSense.

Change the Phase 1 settings to match what you have configured on the pfSense.

Change the Phase 2 settings to match what you have configured on the pfSense.

Save your configuration.

Step 7. Connect and test your VPN

Highlight your VPN and click Connect, enter your password and you should see the tunnel enabled.

You can click on Network to make sure that it is established.

You should now be able to connect to your firewall on the LAN gateway address, or test by pinging a device connected to the pfSense's LAN interface.

Thank you for reading and be sure to check out our growing number of guides.

Please feel free to leave your feedback below.