DIGIPASS Authentication for FortiGate IPSec VPN - Vasco

INTEGRATION GUIDE 

DIGIPASS Authentication for 

FortiGate IPSec VPN

Disclaimer 

DIGIPASS Authentication for FortiGate IPSec VPN 

Disclaimer of Warranties and Limitation of Liabilities 

All information contained in this document is provided 'as is'; VASCO Data Security assumes no 

responsibility for its accuracy and/or completeness. 

In no event will VASCO Data Security be liable for damages arising directly or indirectly from any 

use of the information contained in this document. 

Copyright 

Copyright © 2010 VASCO Data Security, Inc, VASCO Data Security International GmbH. All 

rights reserved. VASCO ® , Vacman ® , IDENTIKEY ® , aXsGUARD, DIGIPASS ® and ® logo 

are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data 

Security International GmbH in the U.S. and other countries. VASCO Data Security, Inc. 

and/or VASCO Data Security International GmbH own or are licensed under all title, rights and 

interest in VASCO Products, updates and upgrades thereof, including copyrights, patent 

rights, trade secret rights, mask work rights, database rights and all other intellectual and 

industrial property rights in the U.S. and other countries. Microsoft and Windows are 

trademarks or registered trademarks of Microsoft Corporation. Other names may be 

trademarks of their respective owners. 

1 DIGIPASS Authentication for FortiGate IPSec VPN


Table of Contents 

Disclaimer ...................................................................................................................... 1 

Table of Contents ........................................................................................................... 2 

Reference guide ............................................................................................................. 3 

1 Reader ...................................................................................................................... 4 

2 Overview................................................................................................................... 4 

3 Problem Description ................................................................................................. 4 

4 Solution .................................................................................................................... 4 

5 Technical Concept ..................................................................................................... 5 

5.1 General overview .................................................................................................. 5 

5.2 FortiGate prerequisites ........................................................................................... 5 

5.3 IDENTIKEY SERVER Prerequisites ............................................................................ 5 

6 FortiGate configuration ............................................................................................. 6 

6.1 RADIUS configuration ............................................................................................ 7 

6.2 Group configuration ............................................................................................... 8 

6.3 IPSec configuration ............................................................................................... 9 

6.4 Firewall configuration ........................................................................................... 11 

7 FortiClient configuration ......................................................................................... 12 

8 IDENTIKEY Server .................................................................................................. 16 

8.1 Policy configuration ............................................................................................. 16 

8.2 Client configuration ............................................................................................. 19 

9 Test FortiGate VPN Client ........................................................................................ 21 

10 About VASCO Data Security .................................................................................. 23 



Reference guide 

ID Title Author Publisher Date ISBN 


1 Reader 


This Document is a guideline for configuring the partner product with IDENTIKEY SERVER or 

Axsguard IDENTIFIER. For details about the setup and configuration of IDENTIEKEY SERVER and 

Axsguard IDENTIFIER, we refer to the Installation and administration manuals of these products. 

Axsguard IDENTIFIER is the appliance based solution, running IDENTIKEY SERVER by default. 

Within this document, VASCO Data Security, provides the reader guidelines for configuring the 

partner product with this specific configuration in combination with VASCO Server and Digipass. 

Any change in the concept might require a change in the configuration of the VASCO Server 

products. 

The product name`IDENTIKEY SERVER`will be used throughout the document keeping in mind 

that this document applies as well to the Axsguard IDENTIFIER. 

2 Overview 

The purpose of this document is to demonstrate how to configure IDENTIKEY SERVER to work 

with a FortiGate device. Authentication is arranged on one central place where it can be used in a 

regular VPN or SSL/VPN connection. 

3 Problem Description 

The basic working of the FortiGate is based on authentication to an existing media (LDAP, 

RADIUS, local authentication …). To use the IDENTIKEY SERVER with FortiGate, the external 

authentication settings need to be changed or added manually. 

4 Solution 

After configuring IDENTIKEY SERVER and FortiGate in the right way, you eliminate the weakest 

link in any security infrastructure – the use of static passwords – that are easily stolen guessed, 

reused or shared. 

In this integration guide we will make use of a FortiGate 60B. This combines a firewall, an IPSec, 

PPTP or SSL/VPN and a UTM suite in one. For authentication, we focused on the IPSec VPN part. 

Figure 1: Solution 



5 Technical Concept 

5.1 General overview 

The main goal of the FortiGate is to perform authentication to secure all kind of VPN connections 

and web traffic. As the FortiGate can perform authentication to an external service using the 

RADIUS protocol, we will place the IDENTIKEY SERVER as back-end service, to secure the 

authentication with our proven IDENTIKEY SERVER software. 

5.2 FortiGate prerequisites 

Please make sure you have a working setup of the FortiGate. It is very important this is working 

correctly before you start implementing the authentication to the IDENTIKEY SERVER. 

Currently all FortiGate devices use the same web config and CLI interface. This means 

our integration guide is suited for the complete product range of FortiGate devices. 

5.3 IDENTIKEY SERVER Prerequisites 

In this guide we assume you already have IDENTIKEY SERVER installed and working. If this is not 

the case, make sure you get IDENTIKEY SERVER working before installing any other features. 



6 FortiGate configuration 

The FortiGate device is configured by web config or by CLI, there is even a CLI window available 

in the web config screen. 

By default the web config is reachable by https://. 

In our case this becomes: https://192.168.0.3 

Figure 2: FortiGate configuration 



6.1 RADIUS configuration 

Go to UserRemote. Select the RADIUS tab and click on the Create New button. 

Fill in the IDENTIKEY SERVER details, IP address and shared secret. Specify the authentication 

scheme to PAP. Also don’t forget to fill in a NAS IP. This will be the IP address on the Firewall 

Interface which is used to send the RADIUS request to the IDENTIKEY SERVER. Click OK to save 

the settings. 

Figure 3: Group configuration (1) 



6.2 Group configuration 

Now go to UserUser Group and click the Create New button. 

Fill in an appropriate name and choose firewall as type. Leave the protection profile as default 

on unfiltered. Select the RADIUS settings we created in chapter 5.1 on the left side of the 

screen and click the button to add it to the members of this group. Click OK to continue. 


You will now see the group appearing in the list. 




6.3 IPSec configuration 

Go to VPNIPSEC, select the Auto Key (IKE) tab and click the Create Phase1 button. 

Give this phase an appropriate name and select Preshared Key as Authentication Method. 

Fill in a secret in the Pre-Shared Key box. Click on the Advanced… button on the bottom of the 

screen. 

Figure 6: IPSec configuration (1) 

In the XAUTH section, select Enable as Server. Mark PAP as authentication mechanism and 

select the User Group you created in Chapter 5.2. Click OK to save this new Phase1. 




Once you created Phase1, click on the Create Phase2 button. 

Enter an appropriate name for this phase and select the Phase1 you create in the previous step. 

Click the Advanced… button and make the following changes. 

1-Encryption: 3DES Authentication: SHA1 

2-Encryption: 3DES Authentication: MD5 

Enable replay detection 

Enable perfect forward secrecy (PFS) 

DH Group: 5 

Keylife: Seconds 1800 

Auto Keep Alive Enable 

DHCP-IPsec Enable 

Click the OK button to save phase 2. 




6.4 Firewall configuration 

Go to FirewallPolicy and click the Create New button. 

Give this policy an appropriate name. Select the correct Source and Destination network 

details and make sure Shedule is always, service is ANY and Action is IPSEC. Choose the 

correct Phase1 tunnel for the VPN Tunnel and select Allow inbound and outbound. Click OK 

to save the firewall policy. 

Figure 9: Firewall configuration 

The Fortigate appliance is now set up. We first have to do some configuration on the client side 

too. 



7 FortiClient configuration 

Open the FortiClient on the client side. 

Select the following options on the Connections tab: 

Start VPN before logging on to Windows 

Keep IPSec Service running forever unless manually stopped 

Beep when connection error occers 

o Stop after 60 seconds 

Click the Advanced>>> button and select Add… 

Figure 10: FortiClient configuration (2) 

Fill in a connection name and select Manual configuration. 

Enter the network settings and select Preshared Key as authentication method. Fill in the 

Preshared Key set in Chapter 5.3. Click the Advanced… button to continue. 




Click on the Config… button in the Policy group. 


On the next screen select Autokey Keep Alive. And click OK. 




Now select eXtended Authentication and click the Config… button. 


Select Prompt to login and click OK. 




Select OK in the Advanced Settings and the New Connection screen. 

Now the connection is ready to be used, but we will first set up the IDENTIKEY SERVER. 




8 IDENTIKEY Server 

Go to the IDENTIKEY Server web administration page, and authenticate with and administrative 

account. 

8.1 Policy configuration 

To add a new policy, select PoliciesCreate. 

Figure 17: Policy configuration (1) 

There are some policies available by default. You can also create new policies to suit your needs. 

Those can be independent policies or inherit their settings from default or other policies. 



Fill in a policy ID and description. Choose the option most suitable in your situation. If you want 

the policy to inherit setting from another policy, choose the right policy in the Inherits From list. 

Otherwise leave this field to None. 


In the policy options configure it to use the right back-end server. This could be the local 

database, but also active directory or another radius server. 

This is probably the same that was in your default client authentication options before you 

changed it. Or you use the local database, Windows or you go further to another radius server. 

In our example we select our newly made Demo Policy and change it like this: 

Local auth.: Digipass/Password 

Back-End Auth.: Default (None) 

Back-End Protocol: Default (None) 

Dynamic User Registration: Default (No) 

Password Autolearn: Default (No) 

Stored Password Proxy: Default (No) 

Windows Group Check: Default (No Check) 

After configuring this Policy, the authentication will happen locally in the IDENTIKEY Server. So 

user credentials are passed through to the IDENTIKEY Server, it will check these credentials to its 

local user database and will answer to the client with an Access-Accept or Access-Reject 

message. 



In the Policy tab, click the Edit button, and change the Local Authentication to 

Digipass/Password. 


The user details can keep their default settings. 




8.2 Client configuration 

Now create a new component by right-clicking the Components and choose New Component. 

Figure 21: Client configuration (1) 



As component type choose RADIUS Client. The location is the IP address of the client. In the 

policy field you should find your newly created policy. Fill in the shared secret you entered 

also in the client for the RADIUS options. In our example this was “vasco”. Click Create. 

Figure 22: Client configuration (2) 

Now the client and the IDENTIKEY Server are set up. We will now see if the configuration is 

working. 



9 Test FortiGate VPN Client 

In the Connections tab, select the correct connection and click the Connect button. Currently 

the Status is Down. 

Figure 23: Test FortiGate VPN Client (1) 

Enter a username and One-Time Password (OTP) and click OK. 




The connection screen will show you the IKE Negotiation details and will state that the 

Negotiation succeeded when the authentication was successful. Click OK to close. 


You will now see that the Status has changed to Up (time). 




10 About VASCO Data Security 

VASCO designs, develops, markets and supports patented Strong User Authentication products 

for e-Business and e-Commerce. 

VASCO’s User Authentication software is carried by the end user on its DIGIPASS products which 

are small “calculator” hardware devices, or in a software format on mobile phones, other portable 

devices, and PC’s. 

At the server side, VASCO’s VACMAN products guarantee that only the designated DIGIPASS user 

gets access to the application. 

VASCO’s target markets are the applications and their several hundred million users that utilize 

fixed password as security. 

VASCO’s time-based system generates a “one-time” password that changes with every use, and 

is virtually impossible to hack or break. 

VASCO designs, develops, markets and supports patented user authentication products for the 

financial world, remote access, e-business and e-commerce. VASCO’s user authentication 

software is delivered via its DIGIPASS hardware and software security products. With over 25 

million DIGIPASS products sold and delivered, VASCO has established itself as a world-leader for 

strong User Authentication with over 500 international financial institutions and almost 3000 

blue-chip corporations and governments located in more than 100 countries.

DIGIPASS Authentication for FortiGate IPSec VPN - Vasco

Create successful ePaper yourself

Delete template?

Save as template?