Parzysz
New Contributor

IKEv2 IPSEC with signature auth

Hi, I'm having problems setting up IKEv2 IPSEC with a remote site.

What I've done:

I've imported the certificate via the GUI and the whole chain by which this certificate is signed (internal CA).

I've set up a custom site-to-site tunnel.

SA policies do match.

However, I can see in the logs a message saying:

ike 0:NVT_BIA:44590: reassembled fragmented message
ike 0:NVT_BIA:44590: initiator received AUTH msg
ike 0:NVT_BIA:44590: received peer identifier DER_ASN1_DN 'CN = RemoteIP, OU = VPN, O = CompanyName, C = UK'
ike 0:NVT_BIA:44590: Validating X.509 certificate
ike 0:NVT_BIA:44590: peer cert, subject='RemoteIP', issuer='IPSecCA'
ike 0:NVT_BIA:44590: peer ID verified
ike 0:NVT_BIA:44590: building fnbam peer candidate list
ike 0:NVT_BIA:44590: FNBAM_GROUP_ANY candidate ''
ike 0:NVT_BIA:44590: certificate validation pending
ike 0:NVT_BIA:44590: certificate validation complete
ike 0:NVT_BIA:44590: certificate validation succeeded
ike 0:NVT_BIA:44590: signature verification failed
Parzysz
New Contributor

I've tried to set peer verification but the result is the same as above, no matter if I verify with rootca (self-signed) or ipsec ca (signed by root; the remote and local certificates are signed by this CA).
Parzysz

FG Config

FortiGate # show vpn ipsec phase1-interface BIA
config vpn ipsec phase1-interface
 edit "BIA"
 set interface "wan1"
 set ike-version 2
 set local-gw LocalIP
 set authmethod signature
 set peertype any
 set proposal aes256-sha256
 set dpd disable
 set dhgrp 21
 set nattraversal disable
 set remote-gw RemoteIP
 set certificate "VPN3"
 next
end

FortiGate # show vpn ipsec phase2-interface BIA
config vpn ipsec phase2-interface
 edit "BIA"
 set phase1name "BIA"
 set proposal aes256-sha256
 set dhgrp 21
 set src-addr-type name
 set dst-addr-type name
 set keylifeseconds 28800
 set src-name "local_10.254.211.0"
 set dst-name "BIA_Remote"
 next
end

And still I get signature verification failed.

VPN3 (local certificate) and the remote certificate are both signed by the same CA.

Certificates have CN=Local/RemoteIP

X509v3 Extended Key Usage: TLS Web Client Authentication, ipsec Internet Key Exchange
X509v3 Key Usage: critical Digital Signature, Key Encipherment, Data Encipherment

Manual verification of the CA and certificates is OK.

Can anyone give me a tip on what's going on?

PSK works fine, so it's not a problem with the policies.

train_wreck
New Contributor III

I am having this same problem. Did you ever find out what is happening? It makes absolutely no sense that "certificate validation" is successful but "signature validation" is not.

 

Everything is the same as your setup; IKEv2, certificates verify properly but "signature" validation fails, with no indication as to why. If I switch to using IKEv1, the connection comes up fine, so it is just a problem with IKEv2.

 

Anyone at Fortinet around?????

emnoc
Esteemed Contributor III

Here's what I did

http://socpuppet.blogspot.com/2018/06/ncp-vpnclient-ikev2-with-fortios-v60.html

I use the subject "field" and set mandatory ca verify to disable

Ken

PCNSE

NSE

StrongSwan
train_wreck
New Contributor III

emnoc wrote:

Here's what I did 

 

http://socpuppet.blogspot.com/2018/06/ncp-vpnclient-ikev2-with-fortios-v60.html

 

I use the subject "field" and set mandatory ca verify to disable

 

Ken 

Nope, that doesn't work. I am trying to set up an IKEv2 site-to-site using certificate auth. That page you linked to references RA, not S2S.

 

I did "conf user peer", edited the peer for the remote site, did "set mandatory-ca-verify disable" and "set subject my.domain.com" (which is the exact and only value in the certificate subject name of the peer). I still receive the same error, "signature verification failed". Note that I receive the same error whether the other end is an identical Fortigate device or not - I get the same error when the other end is an ASA.

 

I really think it's a bug, since changing to IKEv1 (and changing NOTHING ELSE) fixes the problem. The certs are fine.

emnoc
Esteemed Contributor III

Regardless of whether it's RA or S2S, the peer concept is the same in both types.

To clarify the following:

I've imported the certificate via the GUI and the whole chain by which this certificate is signed (internal CA).

So you imported the CA_Cert into the local and remote firewalls, and imported both the certificates (end_users) into both FortiGates?

I just looked at a FGT60D to FGT80C and we have the same setup, with certificates installed for both FGTs signed by an external CA. So in mine we have a chain depth of CA and FGT1 & FGT2, and in each FGT we imported the CA along with the certificates.

That, and as long as you select the certificates for the local and peer, you should be good. I do not see the peer certificate selected in your cfg dump, which seems strange.

Can you double check for

config vpn ipsec phase1-interface
    edit <blah>
        set peer <peer_named_cert>
    next
end

Ken Felix

PCNSE

NSE

StrongSwan
train_wreck
New Contributor III

Apologies for the delay. Yes, I have exactly what you describe there. Here is the "conf vpn ipsec phase1-interface":

config vpn ipsec phase1-interface
    edit "1176"
        set type ddns
        set interface "wan"
        set ike-version 2
        set keylife 28800
        set authmethod signature
        set proposal aes256-sha256 aes256-sha1
        set localid-type asn1dn
        set dpd disable
        set comments "VPN: 1176 (Created by VPN wizard)"
        set nattraversal forced
        set remotegw-ddns "1176.pLAN9.co"
        set certificate "FLA_req"
        set peer "1176_peer"
    next
end

Here is the show user peer:

config user peer
    edit "1176_peer"
        set mandatory-ca-verify disable
        set ca "CA_Cert_1"
        set cn "1176.pLAN9.co"
    next
end

And "CA_Cert_1" is my CA. The CN of the other side is "CN=1176.pLAN9.co". I have tried adding the "CN=" part to the "set cn" value, and have also tried removing the "set cn" value (on IKEv1 I never had to set this value at all, nor did I have to set the "mandatory-ca-verify" option. It worked fine without these.).

Here is the debug log of a failure:

ike 0:1176:101832: initiator received AUTH msg
ike 0:1176:101832: received peer identifier DER_ASN1_DN 'CN = 1176.pLAN9.co'
ike 0:1176:101832: Validating X.509 certificate
ike 0:1176:101832: peer cert, subject='1176.pLAN9.co', issuer='pLAN9 CA 2019-2021'
ike 0:1176:101832: peer ID verified
ike 0:1176:101832: building fnbam peer candidate list
ike 0:1176:101832: FNBAM_GROUP_NAME candidate '1176_peer'
ike 0:1176:101832: certificate validation pending
ike 0:1176:101832: certificate validation complete
ike 0:1176:101832: certificate validation succeeded
ike 0:1176:101832: signature verification failed

I really have no idea why it's failing - Everything looks right (as is typical with most VPN problems I encounter).

 

I'm probably just going to stay with IKEv1 if I can't get this to work, since IKEv1 already works with the same setup.... IKEv2 doesn't really offer much benefit in S2S setups anyway.
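Both traces quoted in this thread (the NVT_BIA one in the first post and the 1176 one just above) fail at the same point: the peer ID and certificate chain are accepted, and only the IKE_AUTH signature check is rejected. The helper below is an added example, not code from the thread or from Fortinet: it groups `ike` debug lines by tunnel and SA id and names the stage that failed, so a chain-trust problem is not confused with a signature-check problem. The sample log is constructed from the lines quoted in the posts.

```python
"""Triage FortiGate IKE debug lines ("ike 0:<tunnel>:<sa-id>: <message>") and report,
per SA, at which IKEv2 authentication stage it failed.  SAMPLE_LOG is constructed."""
import re

LINE_RE = re.compile(r"^ike \d+:(?P<tunnel>[^:]+):(?P<sa>\d+): (?P<msg>.+?)\s*$")

SAMPLE_LOG = """\
ike 0:NVT_BIA:44590: peer cert, subject='RemoteIP', issuer='IPSecCA'
ike 0:NVT_BIA:44590: peer ID verified
ike 0:NVT_BIA:44590: FNBAM_GROUP_ANY candidate ''
ike 0:NVT_BIA:44590: certificate validation succeeded
ike 0:NVT_BIA:44590: signature verification failed
ike 0:1176:101832: peer cert, subject='1176.pLAN9.co', issuer='pLAN9 CA 2019-2021'
ike 0:1176:101832: peer ID verified
ike 0:1176:101832: FNBAM_GROUP_NAME candidate '1176_peer'
ike 0:1176:101832: certificate validation succeeded
ike 0:1176:101832: signature verification failed
"""

def parse(log_text):
    """Group lines by (tunnel, sa-id) and record each SA's authentication-stage results."""
    sas = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        st = sas.setdefault((m["tunnel"], m["sa"]), {"subject": None, "issuer": None,
                            "candidate": None, "cert": None, "sig": None})
        msg = m["msg"]
        if msg.startswith("peer cert, "):
            st["subject"], st["issuer"] = re.findall(r"='([^']*)'", msg)
        elif " candidate '" in msg:  # FNBAM_GROUP_ANY / FNBAM_GROUP_NAME: matched user peer
            st["candidate"] = msg.split("candidate '", 1)[1].rstrip("'")
        elif msg.startswith("certificate validation ") and msg.endswith(("succeeded", "failed")):
            st["cert"] = msg.rsplit(" ", 1)[1]  # skip the "pending"/"complete" lines
        elif msg.startswith("signature verification "):
            st["sig"] = msg.rsplit(" ", 1)[1]
    return sas

def classify(st):
    """Separate a chain-trust failure from a failure of the IKE_AUTH signature check."""
    if st["cert"] == "failed":
        return "chain: peer certificate not accepted"
    if st["cert"] == "succeeded" and st["sig"] == "failed":
        return "signature: chain trusted, but the IKE_AUTH signature was rejected"
    return "no authentication failure recorded"

def report(log_text):
    return {f"{t}:{s}": classify(st) for (t, s), st in parse(log_text).items()}
```

Run `report(open("ike.log").read())` on a capture from `diagnose debug application ike -1` to get one verdict per SA; both SAs in the sample come back as signature-stage failures.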

train_wreck

So I finally found the incredibly stupid and insecure solution to this: use SHA1 for the hashing algorithm in Phase 1 and Phase 2. Doing this (and making no other changes to the above config) causes the tunnel to come up without issue.

 

This is a pretty crap situation; I am forced to use a broken and insecure algorithm in order for the device to even function at all in a IKEv2 cert-based VPN. And this is a "security" device??

tanr
Valued Contributor II

I've got a somewhat similar setup with 5.6.8, IKEv2 with certs, etc. and am not using or allowing SHA1.

I think something else must be going on with your setup.
