Wednesday, January 22, 2014

iOS native IPSec VPN with a FortiGate using certificates and AD (LDAP) authentication

Is the title too complicated?  Let me explain a bit about the requirements:
  1. iOS native IPSec VPN - that is, a VPN between an iOS device and a FortiGate without installing additional software on the iOS device
  2. User credentials checked against Active Directory (over LDAPS)
  3. Certificate-based VPN (do not allow a pre-shared key, and allow on-demand VPN on the iOS device)
All in one shot!  This example uses FortiOS 4.0 MR3 Patch 15 (FOS 4.3.15).

You need a working Microsoft Active Directory domain with an Enterprise CA enabled.  Without this, you cannot really do LDAPS, and hence authentication information would travel in plain text from the FortiGate to the AD domain controller.  I use Windows 2008 R2.  The IP address of your DC in this example is 192.168.1.1.

Once the DC and CA (which can be on the same computer for a lab demo) are ready, you need to create a user group, say "VPN", in Active Directory Users and Computers.  On your domain controller, open a command prompt and enter the following:

dsquery group -name "VPN"

You should get a result that looks like:

"CN=VPN,OU=Builtin,DC=domain,DC=com"

You will need this information when setting up the user group in the FortiGate at a later stage.

First, you need to export your CA cert - you only need the CA cert, no need to export the key.  Then in the FortiGate, create the CA cert entry:

config vpn certificate ca
    edit "EXAMPLE_CA"
        set ca "-----BEGIN CERTIFICATE-----
CONTENTS REMOVED DUE TO SECURITY - YOU SHOULD HAVE THE CERT HERE
-----END CERTIFICATE-----"
    next
end

In the FortiGate, create an LDAPS entry.  The bind account only needs read access to the directory; "secure ldaps" together with "ca-cert" is what makes the FortiGate verify the DC's certificate against the CA loaded above.

config user ldap
    edit "EXAMPLE-DC"
        set server "192.168.1.1"
        set cnid "sAMAccountName"
        set dn "OU=Users,DC=example,DC=com"
        set port 636
        set type regular
        set username "example\\domainuser"
        set password ENC ENCRYPTEDPASSWORDGOESHERE
        set secure ldaps
        set ca-cert "EXAMPLE_CA"
    next
end

Then create the user group.  The group-name here is the DN returned by the dsquery command on the DC.

config user group
    edit "LDAP-VPN"
        set member "EXAMPLE-DC"
            config match
                edit 1
                    set server-name "EXAMPLE-DC"
                    set group-name "CN=VPN,OU=Builtin,DC=domain,DC=com"
                next
            end
    next
end

Load a VPN cert.  REMEMBER THE COMMON NAME OF THIS CERT MUST MATCH THE CONNECTING HOSTNAME.  So if your iOS devices connect to vpn.example.com, then the common name of this cert must be the same.

config vpn certificate local
    edit "ipad"
        set password ENC ENCRYPTEDPASSWORDGOESHERE
        set private-key "-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,4BD4C7C7AC6240E3

CONTENTS REMOVED DUE TO SECURITY - YOU SHOULD HAVE THE KEY HERE
-----END RSA PRIVATE KEY-----"
        set certificate "-----BEGIN CERTIFICATE-----
CONTENTS REMOVED DUE TO SECURITY - YOU SHOULD HAVE THE CERT HERE
-----END CERTIFICATE-----"
    next
end

Create an interface-based Phase 1.  Assuming the WAN interface is called "wan":

config vpn ipsec phase1-interface
    edit "IPSEC_iOS"
        set type dynamic
        set interface "wan"
        set dhgrp 2
        set authmethod rsa-signature
        set xauthtype auto
        set mode-cfg enable
        set proposal 3des-md5 3des-sha1
        set rsa-certificate "ipad"
        set authusrgrp "LDAP-VPN"
        set ipv4-start-ip 192.168.2.1
        set ipv4-end-ip 192.168.2.254
        set ipv4-netmask 255.255.255.0
        set dns-mode auto
        set banner "Welcome to EXAMPLE VPN!"
    next
end

Create an interface-based Phase 2:

config vpn ipsec phase2-interface
    edit "IPSEC_iOS"
        set keepalive enable
        set phase1name "IPSEC_iOS"
        set proposal aes256-md5 aes256-sha1
        set dhgrp 2
    next
end

Make a static route for this newly created range.  "0" here means to create a new entry.

config router static
    edit 0
        set device "IPSEC_iOS"
        set dst 192.168.2.0 255.255.255.0
    next
end

It would be nice to define this range in an address object.

config firewall address
    edit "IPSEC_iOS_RANGE"
        set associated-interface "IPSEC_iOS"
        set subnet 192.168.2.0 255.255.255.0
    next
end

Create the firewall policy.  Again "0" here means create a new entry.

config firewall policy
    edit 0
        set srcintf "IPSEC_iOS"
        set dstintf "Internal"
        set srcaddr "IPSEC_iOS_RANGE"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set logtraffic enable
        set nat enable
    next
end

That's it for the FortiGate configuration.
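As an added check, this is my own script and not part of the post or of FortiOS: it runs a few consistency checks over the pieces of this configuration that must agree with each other, namely that the LDAP bind is LDAPS with a CA cert, that the group-name DN sits under the same domain as the LDAP base dn (note that the snippets above use DC=example,DC=com in one place and DC=domain,DC=com in the other, which this check flags), that Phase 1 uses rsa-signature rather than a pre-shared key, and that the proposal list contains no 3DES or MD5. The sample config is constructed from the blocks above, condensed to the settings the script reads.

```python
import re
# Constructed sample: LDAP, group and Phase 1 blocks from the post, condensed (first match per key wins).
SAMPLE_CONFIG = """
config user ldap
    edit "EXAMPLE-DC"
        set dn "OU=Users,DC=example,DC=com"
        set secure ldaps
        set ca-cert "EXAMPLE_CA"
    next
end
config user group
    edit "LDAP-VPN"
            config match
                edit 1
                    set group-name "CN=VPN,OU=Builtin,DC=domain,DC=com"
                next
            end
    next
end
config vpn ipsec phase1-interface
    edit "IPSEC_iOS"
        set authmethod rsa-signature
        set proposal 3des-md5 3des-sha1
    next
end
"""

def setting(cfg, key):
    """Value of the first 'set <key> ...' line in cfg, quotes stripped, or None."""
    m = re.search(r"^\s*set %s (.+)$" % re.escape(key), cfg, re.M)
    return m.group(1).strip().strip('"') if m else None

def domain_components(dn):
    # The DC= parts of a DN, lower-cased, so two DNs can be compared by domain.
    return [p.strip().lower() for p in dn.split(",") if p.strip().upper().startswith("DC=")]

def lint(cfg):
    # Cross-block checks this setup depends on; returns a list of finding strings.
    findings = []
    if setting(cfg, "secure") != "ldaps" or not setting(cfg, "ca-cert"):
        findings.append("ldap: not LDAPS with a CA cert; bind credentials would cross the wire in clear text")
    base, group = setting(cfg, "dn"), setting(cfg, "group-name")
    if base and group and domain_components(base) != domain_components(group):
        findings.append("group: group-name domain differs from ldap dn domain; group match will not succeed")
    if setting(cfg, "authmethod") != "rsa-signature":
        findings.append("phase1: authmethod is not rsa-signature; a pre-shared key would be accepted")
    weak = [p for p in (setting(cfg, "proposal") or "").split() if "3des" in p or "md5" in p]
    if weak: findings.append("phase1: weak proposal(s): " + " ".join(weak))
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CONFIG)))
```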

Now on to configuring the iOS device.  First, email (or better, deploy via MDM) the P12 certificate to the iOS device.  Then create the VPN entry as follows:

[Screenshot: the VPN entry on the iOS device]

When you enable the VPN, the welcome message will show up.

[Screenshot: the welcome banner on the iOS device]

Notice the "VPN" logo in the upper left corner.  Enlarged for reference:

[Screenshot: the VPN status icon, enlarged]

The FortiGate Cookbook should include this.
Enjoy!

1 comment:

Roman lesnar said...

I am very much pleased with the contents you have mentioned. I wanted to thank you for this great article. vpn review