SSL VPN with certificate authentication
This topic provides a sample configuration of SSL VPN that requires users to authenticate using a certificate.
Sample network topology
Sample configuration
WAN interface is the interface connected to ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.
To configure SSL VPN using the GUI:
- Configure the interface and firewall address.
Port1 interface connects to the internal network.
- Go to Network > Interface and edit the wan1
- Set IP/Network Mask to 20.120.123/255.255.255.0.
- Edit port1 interface and set IP/Network Mask to 168.1.99/255.255.255.0.
- Click OK.
- Go to Firewall & Objects > Address and create an address for internet subnet 168.1.0.
- Install the server certificate.
The server certificate is used for encrypting SSL VPN traffic and will be used for authentication. a. Go to System > Feature Visibility and ensure Certificates is enabled.
- Go to System > Certificates and select Import > Local Certificate.
- Set Type to Certificate. l Choose the Certificate file and the Key file for your certificate, and enter the Password.
- If desired, you can change the Certificate Name.
The server certificate now appears in the list of Certificates.
- Install the CA certificate.
The CA certificate is the certificate that signed both the server certificate and the user certificate. In this example, it is used to authenticate SSL VPN users.
- Go to System > Certificates and select Import > CA Certificate.
- Select Local PC and then select the certificate file.
The CA certificate now appears in the list of External CA Certificates. In the example, it is called CA_Cert_1.
- Configure PKI users and a user group.
To use certificate authentication, PKI users must be created in the CLI. Use the CLI console to enter the following commands:
config user peer
edit pki01
set ca CA_Cert_1 set subject User01
end l Ensure the subject matches the name of the user certificate. In this example, User01. Now that you have created a PKI user, a new menu is added to the GUI. a. Go to User& Device > PKI to see the new user.
- Edit the user account and expand Two-factorauthentication.
- Enable Require two-factorauthentication and set a Password for the account.
- Go to User& Device > User> UserGroups and create a group sslvpngroup.
- Add the PKI user pki01 to the group.
- Configure SSL VPN web portal.
- Go to VPN > SSL-VPN Portals to edit the full-access
This portal supports both web and tunnel mode.
- Disable Enable Split Tunneling so that all SSL VPN traffic goes through the FortiGate.
- Configure SSL VPN settings.
- Go to VPN > SSL-VPN Settings.
- Choose proper Listen on Interface, in this example, wan1.
- Listen on Port 10443.
- Set ServerCertificate to the authentication certificate.
- Enable Require Client Certificate.
- Under Authentication/Portal Mapping, set default Portal web-access for All OtherUsers/Groups.
- Create new Authentication/Portal Mapping for group sslvpngroup mapping portal full-access.
- Configure SSL VPN firewall policy.
- Go to Policy & Objects > IPv4 Policy.
- Fill in the firewall policy name. In this example: sslvpn certificate auth.
- Incoming interface must be SSL-VPN tunnel interface(ssl.root).
- Set the Source Address to all and Source User to sslvpngroup.
- Set the Outgoing Interface to the local network interface so that the remote user can access the internal network. In this example: port1.
- Set Destination Address to the internal protected subnet 168.1.0.
- Set schedule to always, service to ALL, and Action to Accept.
- Enable NAT.
- Configure any remaining firewall and security options as desired.
- Click OK.
To configure SSL VPN using the CLI:
- Configure the interface and firewall address.
config system interface edit “wan1” set vdom “root”
set ip 172.20.120.123 255.255.255.0
next
end
Configure internal interface and protected subnet. Connect Port1 interface to internal network.
config system interface edit “port1” set vdom “root”
set ip 192.168.1.99 255.255.255.0
next
end
config firewall address edit “192.168.1.0” set subnet192.168.1.0 255.255.255.0
next
end
- Install the CA certificate.
The server certificate is used for encrypting SSL VPN traffic and will be used for authentication. It is easier to install the server certificate from GUI. However, CLI can import a p12 certificate from a tftp server.
If you want to import a p12 certificate, put the certificate server_certificate.p12 on your tftp server, then run following command on the FortiGate.
execute vpn certificate local import tftp server_certificate.p12 <your tftp_server> p12 <your password for PKCS12 file>
To check server certificate is installed:
show vpn certificate local server_certificate
- Install the CA certificate.
The CA certificate is the certificate that signed both the server certificate and the user certificate. In this example, it is used to authenticate SSL VPN users.
It is easier to install the server certificate from GUI. However, CLI can import a CA certificates from a tftp server. If you want to import a CA certificate, put the CA certificate on your tftp server, then run following command on the FortiGate.
execute vpn certificate ca import tftp <your CA certificate name> <your tftp server>
To check that a new CA certificate is installed:
show vpn certificate ca
- Configure PKI users and a user group.
config user peer
edit pki01
set ca CA_Cert_1 set subject User01 set two-factor enable set passwd <your-password>
end config user group edit “sslvpngroup” set member “pki01”
next
end
- Configure SSL VPN web portal.
config vpn ssl web portal edit “full-access” set tunnel-mode enable set web-mode enable set ip-pools “SSLVPN_TUNNEL_ADDR1” set split-tunneling disable
next
end
- Configure SSL VPN settings.
config vpn ssl settings set servercert “server_certificate” set tunnel-ip-pools “SSLVPN_TUNNEL_ADDR1” set source-interface “wan1” set source-address “all” set default-portal “web-access” set reqclientcert enable config authentication-rule edit 1 set groups “sslvpngroup” set portal “full-access”
next
end
- Configure SSL VPN firewall policy.
Configure one firewall policy to allow remote user to access the internal network.
config firewall policy edit 1 set name “sslvpn web mode access”
set srcintf “ssl.root” set dstintf “port1” set srcaddr “all” set dstaddr “192.168.1.0” set groups “sslvpngroup” set action accept set schedule “always” set service “ALL” set nat enable
next
end
Sample installation
To use the user certificate, you must first install it on the user’s PC. When the user tries to authenticate, the user certificate is checked against the CA certificate to verify that they match.
Every user should have a unique user certificate. This allows you to distinguish each user and revoke a specific user’s certificate, such as if a user no longer has VPN access.
To install the user certificate on Windows 7, 8, and 10:
- Double-click the certificate file to open the Import Wizard.
- Use the Import Wizard to import the certificate into the Personal store.
To install the user certificate on Mac OS X:
- Open the certificate file, to open Keychain Access.
- Double-click the certificate.
- Expand Trust and select Always Trust.
To see the results of tunnel connection:
- Download FortiClient from forticlient.com.
- Open the FortiClient Console and go to Remote Access > Configure VPN.
- Add a new connection.
l Set VPN Type to SSL VPN. l Set Remote Gateway to the IP of the listening FortiGate interface, in this example: 172.20.120.123.
- Select Customize Port and set it to 10443.
- Enable Client Certificate and select the authentication certificate.
- Save your settings.
- Use the credentials you’ve set up to connect to the SSL VPN tunnel.
If the certificate is correct, you can connect.
To see the results of web portal:
- In a web browser, log into the portal http://172.20.120.123:10443.
A message requests a certificate for authentication.
- Select the user certificate.
- Enter your user credentials.
If the certificate is correct, you can connect to the SSL VPN web portal.
To check the SSL VPN connection using the GUI:
- Go to VPN > Monitor> SSL-VPN Monitor to verify the list of SSL users.
- Go to Log & Report > VPN Events and view the details for the SSL connection log.
To check the SSL VPN connection using the CLI:
get vpn ssl monitor SSL VPN Login Users: | ||
Index User Auth Type | Timeout | From HTTP in/out HTTPS in/out |
0 pki01,cn=User01 | 1(1) | 229 10.1.100.254 0/0 0/0 |
1 pki01,cn=User01
SSL VPN sessions: |
1(1) | 291 10.1.100.254 0/0 0/0 |
Index User Source IP | Duration | I/O Bytes Tunnel/Dest IP |
0 pki01,cn=User01 | 10.1.100.254 | 9 22099/43228 10.212.134.200 |