
Administration Guide

Windows IKEv2 native VPN with user certificate

In this example, IKEv2 with Extensible Authentication Protocol – Transport Layer Security (EAP-TLS) using mutual certificate authentication is configured. Mutual certificate authentication means that both the client and server use certificates to identify themselves. EAP uses RADIUS, which is handled by the Network Policy Server (NPS) on the Windows server. Certificates are generated and distributed through Active Directory Certificate Services (AD CS). An additional certificate is used to identify the IPsec gateway.

This example assumes that the following Windows server roles are installed and available:

  • NPS (RADIUS)

  • AD CS with a generated CA

  • Group Policy Management

  • DNS server

It is also assumed that a connection is established between the NPS and FortiGate, and a DNS entry exists for the NPS that the FortiGate can resolve.

Certificates

The following certificates are required:

  • CA certificate for EAP-TLS to sign the client and server certificates.

    The CA certificate must be able to sign other certificates. It is created when the AD CS CA role is installed. It is named lab-local-CA, as lab.local is the domain that is used in this example. The CA certificate is automatically installed on the server that is hosting the AD CS role. In this example, that server is also hosting the NPS and DNS server.

    The Key Usage specifies Certificate Signing.

  • Client certificate for EAP-TLS used by the Windows client.

    The client certificate is stored in the personal user certificate store and is used to authenticate the user. The certificate has Client Authentication and a SAN of the user's FQDN, and is signed by the CA. The CA is stored in Current User > Trusted Root Certification Authorities.

  • Server certificate for EAP-TLS used by the server providing RADIUS authentication.

    The NPS certificate must be in the hosting server's certificate store so that the NPS can access it. It has Server Authentication and a SAN DNS name that corresponds to the server's IP address. The user must use the FQDN to connect to the VPN. If the IP address that the name resolves to is used, the certificate will not be considered valid.

  • VPN certificate used to identify the FortiGate dialup gateway.

    The VPN certificate and private key are installed on the FortiGate using a CSR generated by the FortiGate.

Configure the Windows server

The Windows server includes AD CS, a RADIUS server, and a DNS server.

After the AD CS role has been installed and configured, the CA is ready to sign certificates.

Users and groups are defined first. The groups are configured to automatically receive certificates and relay membership to the FortiGate for granular access control through group matching in policies.

RADIUS is used to authorize connecting users. The RADIUS server returns users' groups with the access-accept response, to indicate to the FortiGate what groups the users belong to.

To create security groups and users:
  1. Open Active Directory Users and Computers.

  2. Create two groups, Group1 and Group2.

  3. Create two users, User1 and User2.

    1. To ensure that the automatic enrollment process succeeds in subsequent steps, ensure that each user has an email address configured in the Email field under Properties > General.

  4. Add User1 to Group1 and User2 to Group2.

To create a certificate template to enable automatic enrollment for the user groups:
  1. Open Certification Authority.

  2. In the navigation pane, expand the new CA, right-click Certificate Template and click Manage.

  3. Configure a new certificate template:

    1. Right-click the User template and click Duplicate Template.

    2. On the General tab, enter a Template display name, such as User Auto Enroll.

    3. Enable Publish certificate in Active Directory and Do not automatically reenroll....

    4. Configure the remaining settings as required, then go to the Request Handling tab.

    5. Disable Allow private key to be exported and select Enroll subject without requiring any user input.

    6. On the Security tab, in Group or user name, click Add.

    7. Add Group1 and Group2.

    8. Select each group and, under Permissions, enable Read, Enroll, and Autoenroll.

    9. On the Extensions tab, click Application Policies then click Edit.

    10. Remove all of the policies except for Client Authentication.

    11. Click OK then close the Certificate Templates console.

  4. In the navigation pane, right-click Certificate Template and click New > Certificate Template to Issue.

  5. Select the new certificate template, User Auto Enroll, then click OK.

To create a group policy to enable automatic enrollment:
  1. Open the Group Policy Management console.

  2. In the navigation pane, go to Forest:lab.local > Domains > lab.local, and then click Group Policy Objects.

  3. Click Action, and then click New.

  4. Set a Name for the new GPO then click OK.

  5. Right-click the new GPO and click Edit.

  6. In the Group Policy Management Editor navigation pane, go to User configuration > Policies > Windows Settings > Security Settings > Public Key Policies.

  7. In the content pane, double-click Certificate Services Client - Auto-Enrollment.

  8. Set Configuration Model to Enabled.

  9. Enable Renew expired certificates... and Update certificates....

  10. Click OK.

To verify that users are receiving certificates:
  1. Log into an endpoint with a domain user.

  2. On the server, open Certification Authority.

  3. Expand the CA and select Issued Certificates.

  4. Verify that the user logged into the endpoint is listed under Requested Name. You can also check the local user certificate store on the endpoint.

To generate and sign a CSR and import the signed certificate to the FortiGate:
  1. On the FortiGate, go to System > Certificates and click Create/Import > Generate CSR.

  2. Configure the CSR:

    Certificate Name            vpn.lab.local
    ID Type                     Domain Name
    Domain Name                 vpn.lab.local
    Subject Alternative Name    DNS:vpn.lab.local

  3. Configure the remaining settings as required, then click OK.

  4. Download the CSR to a location that is accessible to the CA server, in this example: C:\CSR\

  5. Sign the CSR with the previously created CA:

    1. Open the command prompt as an administrator and enter the following:

      certreq -submit -attrib "CertificateTemplate:WebServer" C:\CSR\vpn.lab.local.csr

      The Certification Authority List window opens.

    2. Select the CA and click OK.

    3. Save the signed certificate with a .cer file extension to a location that is accessible from the FortiGate.

  6. Import the signed certificate to the FortiGate:

    1. On the FortiGate, go to System > Certificates and click Create/Import > Certificate.

    2. Click Import Certificate.

    3. Set Type to Local Certificate.

    4. Click Upload and locate and select the signed certificate.

    5. Click Create then click OK.

To configure network policies on the RADIUS server:
  1. Open the Network Policy Server and, in the console tree, expand Policies.

  2. Right-click on Network Policies and click New.

  3. Enter a Policy name, such as VPN-Group1, then click Next.

  4. Under Condition description click Add:

    1. Select User Groups, then click Add.

    2. Click Add Groups.

    3. Enter the group name, Group1, click Check Names to confirm the group.

    4. Click OK in both windows.

  5. Click Next.

  6. Make sure that Access granted is selected, then click Next.

  7. On the Configure Authentication Methods page, click Add and add the EAP type Microsoft: Smart Card or other certificate.

  8. Edit the EAP type, select the previously generated certificate, then click OK.

  9. Deselect all of the Less secure authentication methods then click Next.

  10. Configure constraints as needed, then click Next.

  11. On the Configure Settings page, under RADIUS Attributes, select Vendor Specific, then click Add:

    1. In the Attributes list, select Vendor-Specific, then click Add.

    2. In the Attribute Information window, click Add.

    3. In the Vendor-Specific Attribute Information window, enter the Vendor Code, 12356, and select Yes. It conforms.

    4. Click Configure Attribute and configure the following:

      Vendor-assigned attribute number    1
      Attribute format                    String
      Attribute value                     Group

    5. Click OK on all three windows and on the Add Vendor Specific Attribute window click Close.

  12. Click Next.

  13. On the Completing New Network Policy page, review the configuration, then click Finish.

  14. Duplicate the policy for Group2, and call the new policy VPN-Group2.

  15. Reorder the policies so that VPN-Group1 and VPN-Group2 are one and two in the processing order.

To add the FortiGate as a RADIUS client:
  1. Open the Network Policy Server and, in the console tree, expand RADIUS Clients and Servers.

  2. Right-click on RADIUS Clients and click New.

  3. Add the FortiGate as a RADIUS client:

    Friendly name    FGT1
    Address          10.0.1.1
    Shared Secret    Manually enter the shared secret.

  4. Click OK.

To create a DNS entry for the VPN connection:
  1. Open the DNS Manager.

  2. Go to DC > Forward Lookup Zones and select lab.local.

  3. Right-click in the content pane and select New Host (A or AAAA).

  4. Enter the VPN name. The FQDN should be auto-filled with vpn.lab.local.

  5. Enter an IP address.

  6. Click Add Host.

Configure the FortiGate

An IPsec VPN tunnel is configured to connect to the NPS (RADIUS) server for EAP authentication. For information about IPsec VPN, see IPsec VPN.

A RADIUS server is added to relay VPN authentication requests to the NPS server. For information about RADIUS servers, see RADIUS servers.

Three groups are created that point to the RADIUS server for authentication: one group each for user group Group1, user group Group2, and the remote server. For information about groups, see User groups.

Three firewall policies are created to test the functionality of the three user groups (see Policies):

  • Policy 1 allows VPN clients to communicate with each other.

  • Policy 2 allows VPN clients in the Group1 user group to communicate with Server1 and Server3.

  • Policy 3 allows VPN clients in the Group2 user group to communicate with Server1 and Server2.

To configure IPsec VPN in the GUI:
  1. Go to VPN > IPsec Wizard.

  2. Enter a name for the VPN, such as VPN1.

  3. Set Template type to Custom, then click Next.

  4. In the Network section, configure the following:

    Remote Gateway              Dialup User
    Interface                   port1
    Mode Config                 Enable
    Assign IP From              Range
    Client Address Range        10.58.58.1-10.58.58.10
    DNS Server                  192.168.1.100
    Enable IPv4 Split Tunnel    Enable
    Accessible Networks         Select the networks that VPN users will have access to.

  5. In the Authentication section, configure the following:

    Method              Signature
    Certificate Name    vpn.lab.local
    Version             2
    Accept Types        Any peer ID

  6. In the Phase 1 Proposal section, configure the following:

    Encryption / Authentication    AES128 / SHA256
    Encryption / Authentication    AES256 / SHA256
    Encryption / Authentication    AES128 / SHA1
    Diffie-Hellman Groups          14, 5, 2
    Local ID                       vpn.lab.local

  7. In the Phase 2 Selectors section, configure the following:

    Local Address                           Named Address - all
    Remote Address                          Named Address - all
    Encryption / Authentication             AES128 / SHA256
    Encryption / Authentication             AES256 / SHA256
    Encryption / Authentication             AES128 / SHA1
    Enable Perfect Forward Secrecy (PFS)    Disable
    Autokey Keep Alive                      Enable

  8. Enable EAP settings in the CLI:

    config vpn ipsec phase1-interface
        edit VPN1
            set eap enable
            set eap-identity send-request
        next
    end
    
To configure IPsec VPN in the CLI:
config vpn ipsec phase1-interface
    edit "VPN1"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set authmethod signature
        set peertype any
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 192.168.1.100
        set proposal aes128-sha256 aes256-sha256 aes128-sha1
        set localid "vpn.lab.local"
        set dpd on-idle
        set dhgrp 14 5 2
        set eap enable
        set eap-identity send-request
        set certificate "vpn.lab.local"
        set ipv4-start-ip 10.58.58.1
        set ipv4-end-ip 10.58.58.10
        set ipv4-split-include "10/8_net"
        set dpd-retryinterval 60
    next
end
config vpn ipsec phase2-interface
    edit "VPN1"
        set phase1name "VPN1"
        set proposal aes128-sha256 aes256-sha256 aes128-sha1
        set pfs disable
        set keepalive enable
        set src-addr-type name
        set dst-addr-type name
        set src-name "all"
        set dst-name "all"
    next
end

To add the RADIUS server in the GUI:
  1. Go to User & Authentication > RADIUS Servers and click Create New.

  2. Enter a name for the server, such as NPS.

  3. Enter the Primary Server IP/Name and Secret.

    The Test User Credentials option will not work, as it does not use certificates for the test.

  4. Click OK.

To add the RADIUS server in the CLI:
config user radius
    edit "NPS"
        set server <ip>
        set secret **********
    next
end

To configure the user groups in the GUI:
  1. Go to User & Authentication > User Groups and click Create New.

  2. Enter a name for the group, such as Group1.

  3. In the Remote Groups table, click Add:

    1. Set Remote Server to the newly created RADIUS server, NPS.

    2. Set Groups to Specify and enter Group1.

    3. Click OK.

  4. Click OK.

  5. Create a second group called Group2 with the same Remote Server and Group Name set to Group2.

  6. Create a third group called RADIUS with the same Remote Server but no Group Name.

To configure the user groups in the CLI:
config user group
    edit "Group1"
        set member "NPS"
        config match
            edit 1
                set server-name "NPS"
                set group-name "Group1"
            next
        end
    next
    edit "Group2"
        set member "NPS"
        config match
            edit 1
                set server-name "NPS"
                set group-name "Group2"
            next
        end
    next
    edit "RADIUS"
        set member "NPS"
    next
end

To configure the policies in the GUI:
  1. Go to Policy & Objects > Firewall Policy and click Create New.

  2. Configure policy 1:

    Name                  VPN-VPN
    Incoming Interface    VPN1
    Outgoing Interface    VPN1
    Source                all, RADIUS
    Destination           all
    Schedule              always
    Service               ALL
    NAT                   Disable

  3. Click OK.

  4. Click Create New again and configure policy 2:

    Name                  VPN Group1
    Incoming Interface    VPN1
    Outgoing Interface    Server1, Server3
    Source                all, Group1
    Destination           10.10.0.1, 10.10.0.3
    Schedule              always
    Service               ALL
    NAT                   Disable

  5. Click OK.

  6. Click Create New again and configure policy 3:

    Name                  VPN Group2
    Incoming Interface    VPN1
    Outgoing Interface    Server1, Server2
    Source                all, Group2
    Destination           10.10.0.1, 10.10.0.2
    Schedule              always
    Service               ALL
    NAT                   Disable

  7. Click OK.

To configure the policies in the CLI:
config firewall policy
    edit 1
        set name "VPN-VPN"
        set srcintf "VPN1"
        set dstintf "VPN1"
        set action accept
        set srcaddr "all" "RADIUS"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 2
        set name "VPN Group1"
        set srcintf "VPN1"
        set dstintf "Server1" "Server3"
        set action accept
        set srcaddr "all" "Group1"
        set dstaddr "10.10.0.1" "10.10.0.3"
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 3
        set name "VPN Group2"
        set srcintf "VPN1"
        set dstintf "Server1" "Server2"
        set action accept
        set srcaddr "all" "Group2"
        set dstaddr "10.10.0.1" "10.10.0.2"
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
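The group hand-off that ties the NPS network policies, the FortiGate user groups and the firewall policies together, modelled end to end as an added example (not Fortinet's or Microsoft's code): it encodes the Fortinet Vendor-Specific Attribute the NPS policy returns in the Access-Accept (Vendor Code 12356, vendor-assigned attribute number 1, string), decodes it as the gateway would, matches it against the three groups from config user group, and evaluates the three firewall policies for the ping test at the end of this page. Assumed: the attribute value is the group name itself (Group1 or Group2), the group-name match is an exact string comparison, and policy 1's destination "all" on VPN1 is the mode-config client pool.

```python
"""Model of this page's RADIUS group hand-off (added example, not Fortinet code)."""
import ipaddress
import struct

VENDOR_SPECIFIC = 26          # RADIUS attribute type 26, Vendor-Specific (RFC 2865)
FORTINET_VENDOR_ID = 12356    # Vendor Code entered in the NPS network policy
FORTINET_GROUP_NAME = 1       # Vendor-assigned attribute number 1, String format


def encode_fortinet_group(group):
    """Build the Type-26 attribute NPS adds to Access-Accept for one group name."""
    data = group.encode("utf-8")
    vendor_part = struct.pack("!BB", FORTINET_GROUP_NAME, 2 + len(data)) + data
    body = struct.pack("!I", FORTINET_VENDOR_ID) + vendor_part
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def _tlvs(buf, start):
    """Yield (type, value) from a type/length/value list; a bad length raises."""
    i = start
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError("malformed attribute at offset %d" % i)
        yield buf[i], buf[i + 2:i + buf[i + 1]]
        i += buf[i + 1]


def fortinet_groups(attributes):
    """Group names carried by Fortinet VSAs in a RADIUS attribute list (bytes).

    A malformed list raises: the gateway should fail closed, not quietly
    treat an unparsable Access-Accept as "no groups".
    """
    groups = []
    for atype, payload in _tlvs(attributes, 0):
        if atype != VENDOR_SPECIFIC:
            continue
        if len(payload) < 4:
            raise ValueError("Vendor-Specific attribute without Vendor-Id")
        if struct.unpack("!I", payload[:4])[0] != FORTINET_VENDOR_ID:
            continue
        for vtype, value in _tlvs(payload, 4):
            if vtype == FORTINET_GROUP_NAME:
                groups.append(value.decode("utf-8"))
    return groups


# 'config user group' from this page: member server NPS plus an optional
# group-name match; the RADIUS group has no match entry at all.
USER_GROUPS = {
    "Group1": ("NPS", "Group1"),
    "Group2": ("NPS", "Group2"),
    "RADIUS": ("NPS", None),
}


def match_user_groups(server_name, returned_groups):
    """FortiGate groups a user authenticated by server_name belongs to.

    Assumption: group-name is compared as an exact string.
    """
    matched = set()
    for name, (server, group_name) in USER_GROUPS.items():
        if server == server_name and (group_name is None or group_name in returned_groups):
            matched.add(name)
    return matched


# 'config firewall policy' from this page, reduced to source groups and
# destination addresses. Policy 1's 'all' on VPN1 is assumed to be the
# mode-config client pool 10.58.58.1-10.58.58.10.
CLIENT_POOL = (ipaddress.ip_address("10.58.58.1"), ipaddress.ip_address("10.58.58.10"))
POLICIES = [
    ("VPN-VPN", {"RADIUS"}, "client-pool"),
    ("VPN Group1", {"Group1"}, {"10.10.0.1", "10.10.0.3"}),
    ("VPN Group2", {"Group2"}, {"10.10.0.1", "10.10.0.2"}),
]


def first_matching_policy(user_groups, dst_ip):
    """Name of the first policy, in order, that permits dst_ip; None is implicit deny."""
    addr = ipaddress.ip_address(dst_ip)
    for name, groups, destinations in POLICIES:
        if not groups & user_groups:
            continue
        if destinations == "client-pool":
            if CLIENT_POOL[0] <= addr <= CLIENT_POOL[1]:
                return name
        elif dst_ip in destinations:
            return name
    return None


def reachable_servers(server_name, access_accept_attributes, servers):
    """Map each server IP to the policy that permits it for this Access-Accept."""
    groups = match_user_groups(server_name, fortinet_groups(access_accept_attributes))
    return {ip: first_matching_policy(groups, ip) for ip in servers}


if __name__ == "__main__":
    # Constructed Access-Accept attribute list for User1 (VPN-Group1 policy hit).
    accept = encode_fortinet_group("Group1")
    print(reachable_servers("NPS", accept, ["10.10.0.1", "10.10.0.2", "10.10.0.3"]))
```

The result for User1 matches the expected ping test: server1 and server3 permitted by VPN Group1, server2 dropped by the implicit deny.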

Configure the Windows client

The configuration is done on a Windows 10 Enterprise endpoint.

To add VPN connection and configure a VPN interface:
  1. Open the Settings page and go to Network & Internet > VPN.

  2. Click Add a VPN connection.

  3. Configure the following:

    VPN provider              Windows (built-in)
    Connection name           vpn.lab.local
    Server name or address    vpn.lab.local
    VPN type                  IKEv2
    Type of sign-in info      Certificate

  4. Click Save.

  5. Go to Network & Internet > Status and, under Advanced network settings, click Change adapter options.

  6. Select the VPN connection then click Change settings of this connection, or right-click on the connection and select Properties:

    1. Go to the Security tab and, in the Authentication section, click Properties.

    2. Select Use a certificate on this computer and enable Use simple certification selection.

    3. Enable Verify the server's identity by validating the certificate.

    4. Optionally, enable Connect to these servers and enter your NPS server's FQDN, in this case DC.lab.local.

    5. In the Trusted Root Certificate Authorities list, select the CA lab-local-CA.

    6. Click OK, then click OK again.

To test the connection:
  1. Log in to the Windows endpoint as user1.

  2. Open the network settings and connect to the vpn.lab.local VPN.

  3. Ping each of the three servers to confirm that you can connect to server1 (10.10.0.1) and server3 (10.10.0.3), but not server2 (10.10.0.2).

  4. Log out of the Windows endpoint, then log back in as user2.

  5. Open the network settings and connect to the vpn.lab.local VPN.

  6. Ping each of the three servers to confirm that you can connect to server1 (10.10.0.1) and server2 (10.10.0.2), but not server3 (10.10.0.3).

Windows IKEv2 native VPN with user certificate

Windows IKEv2 native VPN with user certificate

In this example, IKEv2 with Extensible Authentication Protocol – Transport Layer Security (EAP-TLS) using mutual certificate authentication is configured. Mutual certificate authentication means that both the client and server use certificates to identify themselves. EAP uses RADIUS, which is handled by the Network Policy Server (NPS) on the Windows server. Certificates are generated and distributed through Active Directory Certificate Services (AD CS). An additional certificate is used to identify the IPsec gateway.

This example assumes that the following Windows server roles are installed and available:

  • NPS (RADIUS)

  • AD CS with a generated CA

  • Group Policy Management

  • DNS server

It is also assumed that a connection is established between the NPS and FortiGate, and a DNS entry exists for the NPS that the FortiGate can resolve.

Certificates

The following certificates are required:

  • CA certificate for EAP-TLS to sign the client and server certificates.

    The CA certificate must be able to sign other certificates. It is created after AD CSs CA role installation. It is named lab-local-CA, as lab.local is the domain that is used in this example. The CA certificate is automatically installed on the server that is hosting the AD CS role. In this example, that server is also hosting the NPS and DNS server.

    The Key Usage specifies Certificate Signing.

  • Client certificate for EAP-TLS used by the windows client.

    The client certificate is stored in the personal user certificate store and is used to authenticate the user. The certificate has Client Authentication and a SAN of the user's FQDN, and is signed by the CA. The CA is stored in Current User > Trusted Root Certification Authorities.

  • Server certificate for EAP-TLS used by the server providing RADIUS authentication.

    The NPS certificate must be in the hosting server's certificate store so that the NPS can access it. It has Server Authentication and a SAN DNS name to match the server's IP address. The user must use the FQDN to connect to the VPN. If the IP address that the name resolves to is used, the certificate will not be considered valid.

  • VPN certificate used to identify the FortiGate dialup gateway.

    The VPN certificate and private key are installed to the FortiGate using a CSR generated by the FortiGate

Configure the Windows server

The Windows server includes AD-CS, a RADIUS server, and a DNS server.

After the AD CS role has been installed and configured, the CA is ready to sign certificates.

Users and groups are defined first. The groups are configured to automatically receive certificates and relay membership to the FortiGate for granular access control through group matching in policies.

RADIUS is used to authorize connecting users. The RADIUS server returns users' groups with the access-accept response, to indicate to the FortiGate what groups the users belong to.

To create security groups and users:
  1. Open Active Directory Users and Computers.

  2. Create two groups, Group1 and Group2.

  3. Create two users, User1 and User2.

    1. To ensure that the automatic enrollment process succeeds in subsequent steps, ensure that each users has an email address configured in the Email field under Properties > General.

  4. Add User1 to Group1 and User2 to Group2.

To create a certificate template to enable automatic enrollment for the user groups:
  1. Open Certification Authority.

  2. In the navigation pane, expand the new CA, right-click Certificate Template and click Manage.

  3. Configure a new certificate template:

    1. Right-click the User template and click Duplicate Template.

    2. On the General tab, enter a Template display name, such as User Auto Enroll.

    3. Enable Publish certificate in Active Directory and Do not automatically reenroll....

    4. Configure the remaining settings as required, then go to the Request Handling tab.

    5. Disable Allow private key to be exported and select Enroll subject without requiring any user input.

    6. On the Security tab, in Group or user name, click Add.

    7. Add Group1 and Group2.

    8. Select each group and, under Permissions, enable Read, Enroll, and Autoenroll.

    9. On the Extensions tab, click Application Policies then click Edit.

    10. Remove all of the policies expect for Client Authentication.

    11. Click OK then close the Certificate Templates console.

  4. In the navigation pane, right-click Certificate Template and click New > Certificate Template to Issue.

  5. Select the new certificate template, User Auto Enroll, then click OK.

To create a group policy to enable automatic enrollment:
  1. Open the Group Policy Management console.

  2. In the navigation pane, go to Forest:lab.local > Domains > lab.local, and then click Group Policy Objects.

  3. Click Action, and then click New.

  4. Set a Name for the new GPO then click OK.

  5. Right-click the new GPO and click Edit.

  6. In the Group Policy Management Editor navigation pane, go to User configuration > Policies > Windows Settings > Security Settings > Public Key Policies.

  7. In the content pane, double-click Certificate Services Client - Auto-Enrollment.

  8. Set Configuration Model to Enabled.

  9. Enable Renew expired certificates... and Update certificates....

  10. Click OK.

To verify that users are receiving certificates:
  1. Log into an endpoint with a domain user.

  2. On the server, open Certification Authority.

  3. Expand the CA and select Issued Certificates.

  4. Verify that the user logged into the endpoint is listed under Requested Name. You can also check the local user certificate store on the endpoint.

To generate and sign a CSR and import the signed certificate to the FortiGate:
  1. On the FortiGate and go to System > Certificates and click Create/Import > Generate CSR.

  2. Configure the CSR:

    Certificate Name

    vpn.lab.local

    ID Type

    Domain Name

    Domain Name

    vpn.lab.local

    Subject Alternative Name

    DNS:vpn.lab.local

  3. Configure the remaining settings as required, then click OK.

  4. Download the CSR to a location that is accessible to the CA server, in this example: C:\CSR\

  5. Sign the CSR with the previously created CA:

    1. Open the command prompt as an administrator and enter the following:

      certreq -submit -attrib "CertificateTemplate:WebServer" C:\CSR\vpn.lab.local.csr

      The Certification Authority List window opens.

    2. Select the CA and click OK.

    3. Save the signed certificate with a .cer file extension to a location that is accessible from the FortiGate.

  6. Import the signed certificate to the FortiGate:

    1. On the FortiGate, go to System > Certificates and click Create/Import > Certificate.

    2. Click Import Certificate.

    3. Set Type to Local Certificate.

    4. Click Upload and locate and select the signed certificate

    5. Click Create then click OK.

To configure network policies on the RADIUS server:
  1. Open the Network Policy Server and, in the console tree, expand Policies.

  2. Right-click on Network Policies and click New.

  3. Enter a Policy name, such as VPN-Group1, then click Next.

  4. Under Condition description click Add:

    1. Select User Groups, then click Add.

    2. Click Add Groups.

    3. Enter the group name, Group1, click Check Names to confirm the group.

    4. Click OK in both windows.

  5. Click Next.

  6. Make sure that Access granted is selected, then click Next.

  7. On the Configure Authentication Methods page, click Add and add the EAP type Microsoft: Smart Care or other certificate.

  8. Edit the EAP type, select the previously generated certificate, then click OK.

  9. Deselect all of the Less secure authentication methods then click Next.

  10. Configure constraints as needed, then click Next.

  11. On the Configure Settings page, under RADIUS Attributes, select Vendor Specific, then click Add:

    1. In the Attributes list, select Vendor-Specific, then click Add.

    2. In the Attribute Information window, click Add.

    3. In the Vendor-Specific Attribute Information window, enter the Vendor Code, 12356, and select Yes. It conforms.

    4. Click Configure Attribute and configure the following:

      Vendor-assigned attribute number

      1

      Attribute format

      String

      Attribute value

      Group

    5. Click OK on all three windows and on the Add Vendor Specific Attribute window click Close.

  12. Click Next.

  13. On the Completing New Network Policy page, review the configuration, then click Finish.

  14. Duplicate the policy for Group2, and call the new policy VPN-Group2.

  15. Reorder the policies so that VPN-Group1 and VPN-Group2 are one and two in the processing order.

To add the FortiGate as a RADIUS client:
  1. Open the Network Policy Server and, in the console tree, expand RADIUS Clients and Servers.

  2. Right-click on RADIUS Clients and click New.

  3. Add the FortiGate as a RADIUS client:

    Friendly name

    FGT1

    Address

    10.0.1.1

    Shared Secret

    Manually enter the shared secret.

  4. Click OK.

To create a DNS entry for the VPN connection:
  1. Open the DNS Manager.

  2. Go to DC > Forward Lookup Zones and select lab.local.

  3. Right click in the content pane and select New Host (A or AAAA).

  4. Enter the VPN name. The FQDN should be auto-filled with vpn.lab.local.

  5. Enter an IP address.

  6. Click Add Host.

Configure the FortiGate

An IPsec VPN tunnel is configured to connect to the NPS (RADIUS) server for EAP authentication. For information about IPsec VPN, see IPsec VPN.

A RADIUS server is added to relay VPN authentication requests to the NPS server. For information about RADIUS servers, see RADIUS servers.

Three groups are created that point to the RADIUS server for authentication: one group each for user group Group1, user group Group2, and the remote server. For information about groups, see User groups.

Three firewall policies are created to test the functionality of the three user groups (see Policies):

  • Policy 1 allows VPN clients to communicate with each other.

  • Policy 2 allows VPN clients in the Group1 user group to communicate with Server1 and Server3.

  • Policy 3 allows VPN clients in the Group2 user group to communicate with Server1 and Server2.

To configure IPsec VPN in the GUI:
  1. Go to VPN > IPsec Wizard.

  2. Enter a name for the VPN, such as VPN1.

  3. Set Template type to Custom, then click Next.

  4. In the Network section, configure the following:

    Remote Gateway

    Dialup User

    Interface

    port1

    Mode Config

    Enable

    Assign IP From

    Range

    Client Address Range

    10.58.58.1-10.58.58.10

    DNS Server

    192.168.1.100

    Enable IPv4 Split Tunnel

    Enable

    Accessible Networks

    Select the networks that VPN users will have access to.

  5. In the Authentication section, configure the following:

    Method

    Signature

    Certificate Name

    vpn.lab.local

    Version

    2

    Accept Types

    Any peer ID

  6. In the Phase 1 Proposal section, configure the following:

    Encryption / Authentication

    AES128 / SHA256

    Encryption / Authentication

    AES256 / SHA256

    Encryption / Authentication

    AES128 / SHA1

    Diffie-Hellman Groups

    14, 5, 2

    Local ID

    vpn.lab.local

  7. In the Phase 2 Selectors section, configure the following:

    Local Address

    Named Address - all

    Remote Address

    Named Address - all

    Encryption / Authentication

    AES128 / SHA256

    Encryption / Authentication

    AES256 / SHA256

    Encryption / Authentication

    AES128 / SHA1

    Enable Perfect Forward Secrecy (PFS)

    Disable

    Autokey Keep Alive

    Enable

  8. Enable EAP settings in the CLI:

    config vpn ipsec phase1-interface
        edit VPN1
            set eap enable
            set eap-identity send-request
        next
    end
    
To configure IPsec VPN in the CLI:
config vpn ipsec phase1-interface
    edit "VPN1"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set authmethod signature
        set peertype any
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 192.168.1.100
        set proposal aes128-sha256 aes256-sha256 aes128-sha1
        set localid "vpn.lab.local"
        set dpd on-idle
        set dhgrp 14 5 2
        set eap enable
        set eap-identity send-request
        set certificate "vpn.lab.local"
        set ipv4-start-ip 10.58.58.1
        set ipv4-end-ip 10.58.58.10
        set ipv4-split-include "10/8_net"
        set dpd-retryinterval 60
    next
end
config vpn ipsec phase2-interface
    edit "VPN1"
        set phase1name "VPN1"
        set proposal aes128-sha256 aes256-sha256 aes128-sha1
        set pfs disable
        set keepalive enable
        set src-addr-type name
        set dst-addr-type name
        set src-name "all"
        set dst-name "all"
    next
end
To add the RADIUS server in the GUI:
  1. Go to User & Authentication > RADIUS Servers and click Create New.

  2. Enter a name for the server, such as NPS.

  3. Enter the Primary Server IP/Name and Secret.

    The Test User Credentials option will not work, as it does not use certificates for the test.

  4. Click OK.

To add the RADIUS server in the CLI:
config user radius
    edit "NPS"
        set server <ip>
        set secret **********
    next
end
To configure the user groups in the GUI:
  1. Go to User & Authentication > User Groups and click Create New.

  2. Enter a name for the group, such as Group1.

  3. In the Remote Groups table, click Add:

    1. Set Remote Server to the RADIUS server that was just created, NPS.

    2. Set Groups to Specify and enter Group1.

    3. Click OK.

  4. Click OK.

  5. Create a second group called Group2 with the same Remote Server and Group Name set to Group2.

  6. Create a third group called RADIUS with the same Remote Server but no Group Name.

To configure the user groups in the CLI:
config user group
    edit "Group1"
        set member "NPS"
        config match
            edit 1
                set server-name "NPS"
                set group-name "Group1"
            next
        end
    next
    edit "Group2"
        set member "NPS"
        config match
            edit 1
                set server-name "NPS"
                set group-name "Group2"
            next
        end
    next
    edit "RADIUS"
        set member "NPS"
    next
end
To configure the policies in the GUI:
  1. Go to Policy & Objects > Firewall Policy and click Create New.

  2. Configure policy 1:

    Name: VPN-VPN
    Incoming Interface: VPN1
    Outgoing Interface: VPN1
    Source: all, RADIUS
    Destination: all
    Schedule: always
    Service: ALL
    NAT: Disable

  3. Click OK.

  4. Click Create New again and configure policy 2:

    Name: VPN Group1
    Incoming Interface: VPN1
    Outgoing Interface: Server1, Server3
    Source: all, Group1
    Destination: 10.10.0.1, 10.10.0.3
    Schedule: always
    Service: ALL
    NAT: Disable

  5. Click OK.

  6. Click Create New again and configure policy 3:

    Name: VPN Group2
    Incoming Interface: VPN1
    Outgoing Interface: Server1, Server2
    Source: all, Group2
    Destination: 10.10.0.1, 10.10.0.2
    Schedule: always
    Service: ALL
    NAT: Disable

  7. Click OK.

To configure the policies in the CLI:
config firewall policy
    edit 1
        set name "VPN-VPN"
        set srcintf "VPN1"
        set dstintf "VPN1"
        set action accept
        set srcaddr "all" "RADIUS"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 2
        set name "VPN Group1"
        set srcintf "VPN1"
        set dstintf "Server1" "Server3"
        set action accept
        set srcaddr "all" "Group1"
        set dstaddr "10.10.0.1" "10.10.0.3"
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 3
        set name "VPN Group2"
        set srcintf "VPN1"
        set dstintf "Server1" "Server2"
        set action accept
        set srcaddr "all" "Group2"
        set dstaddr "10.10.0.1" "10.10.0.2"
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

Configure the Windows client

The configuration is done on a Windows 10 Enterprise endpoint.

To add a VPN connection and configure a VPN interface:
  1. Open the Settings page and go to Network & Internet > VPN.

  2. Click Add a VPN connection.

  3. Configure the following:

    VPN provider: Windows (built-in)
    Connection name: vpn.lab.local
    Server name or address: vpn.lab.local
    VPN type: IKEv2
    Type of sign-in info: Certificate

  4. Click Save.

  5. Go to Network & Internet > Status and, under Advanced network settings, click Change adapter options.

  6. Select the VPN connection then click Change settings of this connection, or right-click on the connection and select Properties:

    1. Go to the Security tab and, in the Authentication section, click Properties.

    2. Select Use a certificate on this computer and enable Use simple certificate selection.

    3. Enable Verify the server's identity by validating the certificate.

    4. Optionally, enable Connect to these servers and enter your NPS server's FQDN, in this case DC.lab.local.

    5. In the Trusted Root Certificate Authorities list, select the CA lab-local-CA.

    6. Click OK, then click OK again.
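The same client profile can be provisioned from PowerShell, which is useful when rolling it out to many endpoints. This is an added example and not part of the Fortinet guide: it looks up the lab-local-CA root in the current user's store to pin the trusted root, restricts server validation to the NPS name DC.lab.local, and assumes the EAP-TLS profile follows Microsoft's EapHostConfig XML schema (element names come from Microsoft's documentation, not from this page).

```powershell
# Added example: provision the IKEv2 / EAP-TLS profile described above from PowerShell.
# Assumes the lab-local-CA root certificate is already in Cert:\CurrentUser\Root.
$VpnName   = 'vpn.lab.local'
$NpsFqdn   = 'DC.lab.local'        # the only RADIUS server the client will trust
$CaSubject = 'lab-local-CA'

# Pin the CA: the EAP profile carries the root's thumbprint as space-separated hex bytes.
$ca = Get-ChildItem Cert:\CurrentUser\Root |
      Where-Object { $_.Subject -like "*CN=$CaSubject*" } |
      Select-Object -First 1
if (-not $ca) { throw "Root certificate '$CaSubject' not found in CurrentUser\Root" }
$thumb = ($ca.Thumbprint -split '(..)' | Where-Object { $_ }) -join ' '

# EAP-TLS (EAP type 13): user certificate with simple selection, mandatory server
# validation against the pinned root, and no user prompt on a validation failure.
$eapXml = [xml]@"
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <EapMethod>
    <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
    <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
    <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
    <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
  </EapMethod>
  <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>13</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
        <CredentialsSource>
          <CertificateStore><SimpleCertSelection>true</SimpleCertSelection></CertificateStore>
        </CredentialsSource>
        <ServerValidation>
          <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
          <ServerNames>$NpsFqdn</ServerNames>
          <TrustedRootCA>$thumb</TrustedRootCA>
        </ServerValidation>
        <DifferentUsername>false</DifferentUsername>
        <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</PerformServerValidation>
        <AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</AcceptServerName>
      </EapType>
    </Eap>
  </Config>
</EapHostConfig>
"@

Add-VpnConnection -Name $VpnName -ServerAddress $VpnName -TunnelType Ikev2 `
    -AuthenticationMethod Eap -EapConfigXmlStream $eapXml `
    -EncryptionLevel Required -Force
```

Setting DisableUserPromptForServerValidation to true means a RADIUS server presenting a certificate from another CA, or with a name other than DC.lab.local, fails the connection instead of asking the user to accept it.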

To test the connection:
  1. Log in to the Windows endpoint as user1.

  2. Open the network settings and connect to the vpn.lab.local VPN.

  3. Ping each of the three servers to confirm that you can connect to server1 (10.10.0.1) and server3 (10.10.0.3), but not server2 (10.10.0.2).

  4. Log out of the Windows endpoint, then log back in as user2.

  5. Open the network settings and connect to the vpn.lab.local VPN.

  6. Ping each of the three servers to confirm that you can connect to server1 (10.10.0.1) and server2 (10.10.0.2), but not server3 (10.10.0.3).
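The ping checks above can be scripted so that the per-group reachability is verified against what the policies are meant to allow, and any deviation is flagged. This is an added example and not part of the Fortinet guide; it encodes the expected results for user1 and user2 from the test steps and assumes the connection is named vpn.lab.local as configured above.

```powershell
# Added example: confirm that the FortiGate policies enforce the expected per-group access.
# The matrix below is the reachability the test steps describe for user1 and user2.
$VpnName  = 'vpn.lab.local'
$Expected = @{
    'user1' = @{ '10.10.0.1' = $true; '10.10.0.2' = $false; '10.10.0.3' = $true  }
    'user2' = @{ '10.10.0.1' = $true; '10.10.0.2' = $true;  '10.10.0.3' = $false }
}

function Test-VpnPolicy {
    param([string]$User = $env:USERNAME.ToLower())

    if (-not $Expected.ContainsKey($User)) { throw "No expectation defined for '$User'" }

    # Only meaningful when the tunnel is actually up for the logged-in user.
    $conn = Get-VpnConnection -Name $VpnName -ErrorAction Stop
    if ($conn.ConnectionStatus -ne 'Connected') {
        throw "VPN '$VpnName' is $($conn.ConnectionStatus); connect as $User first"
    }

    foreach ($ip in ($Expected[$User].Keys | Sort-Object)) {
        $shouldReach = $Expected[$User][$ip]
        $reached = Test-Connection -ComputerName $ip -Count 2 -Quiet -ErrorAction SilentlyContinue
        [pscustomobject]@{
            User     = $User
            Target   = $ip
            Expected = if ($shouldReach) { 'reachable' } else { 'blocked' }
            Observed = if ($reached)     { 'reachable' } else { 'blocked' }
            # A mismatch in either direction points at the group mapping on the NPS,
            # the RADIUS group match on the FortiGate, or the policy order.
            Result   = if ($reached -eq $shouldReach) { 'PASS' } else { 'FAIL' }
        }
    }
}

Test-VpnPolicy | Format-Table -AutoSize
```

Run it once while logged in as user1 and once as user2; every row should read PASS, and an unexpected "reachable" for server2 or server3 means a user is landing in a policy broader than the one intended for their group.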