General configuration
If FortiCare Support is registered on the FortiGate, you can configure OCVPN in FortiOS under VPN > OneClick VPN Settings.
Once enabled, you can add the relevant Subnets, as well as view any Cloud Members currently participating in the cloud-serviced VPN (you may need to Refresh the Cloud Members table).
If you wish to change the polling interval, you must do so in the CLI Console (see below).
To enable and configure OCVPN – CLI:
    config vpn ocvpn
        set status {enable | disable}
        set poll interval <30 – 120>
        config subnets
            edit 1
                set subnet 10.1.1.0 255.255.255.0
            next
            edit 2
                set subnet 10.1.2.0 255.255.255.0
            next
        end
    end

where:
| Command | Description |
|---|---|
| set status {enable \| disable} | Enables or disables the service. After a device has been registered with FortiCare, enabling this feature registers the device with the OCVPN cloud service. Disabling causes the device to be unregistered and removed from the table of VPN members. |
| set poll interval <30 – 120> | Sets the OCVPN polling interval. Enter an integer value from 30 to 120 seconds (default = 60). |
| config subnets | OCVPN subcommand for configuring the list of participating subnets. |
Key exchange
Keys are generated automatically by OCVPN, but without explicit acknowledgment and state management, it would be impossible for the cloud to destroy keys after distribution to customer devices. Permanently storing customer keys in the cloud is undesirable for a host of reasons, so the RegAck request was introduced to effectively address the problem and allow the cloud to destroy keys after they have been installed. One key is generated per customer. When a new member joins, a new key is generated and distributed to all group members at the next poll interval (the default is 60 seconds).
Authentication is handled by SSL and proof of identity is established by the device serial number in the signed RSA certificate. The SN is sent in all messages to the cloud.
If you have a FortiWeb server performing authentication, the process is different. Since the OCVPN microservice doesn’t run on the FortiWeb server, OCVPN authentication and secure segregation of customer data is handled as follows:
- FortiWeb extracts the ASN1 CN from the certificate and attaches it to the decrypted HTTP messages forwarded to OCVPN.
- OCVPN checks the presented device SN against the SN included in the certificate ID.
- If they don’t match, OCVPN returns ‘401 Unauthorized’ and the authentication transaction is cancelled.
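The cloud side of the exchange described in this section (the SN check performed on the decrypted messages, one key per customer, and the RegAck that lets the cloud destroy a key once every member has installed it) can be modelled in a few dozen lines. The following is an added example, not Fortinet code and not the OCVPN service's API; the class and method names (OcvpnCloud, register, poll, reg_ack), the status codes other than 401, and the sample requests are assumptions.

```python
"""Added example (not Fortinet code): a toy model of the OCVPN cloud side of
the key exchange. Names such as OcvpnCloud, register(), poll() and reg_ack()
are assumptions; only the SN check and the 401 response come from the page."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Request:
    """One decrypted HTTP message as OCVPN would receive it from FortiWeb."""
    cert_cn: str        # ASN.1 CN that FortiWeb extracted from the client certificate
    device_sn: str      # serial number the device places in the message itself
    customer: str       # account the device belongs to (constructed label)
    revision: int = 0   # table revision the device is acknowledging (RegAck only)


@dataclass
class Customer:
    members: Dict[str, int] = field(default_factory=dict)  # SN -> last revision acked
    revision: int = 0
    key: Optional[bytes] = None  # held only until every member has acked it


class OcvpnCloud:
    def __init__(self) -> None:
        self.customers: Dict[str, Customer] = {}

    def authenticate(self, req: Request) -> int:
        # Identity is the SN in the signed certificate; the SN in the message
        # must match it, otherwise 401 and the transaction is cancelled.
        return 200 if req.cert_cn == req.device_sn else 401

    def register(self, req: Request) -> Tuple[int, Optional[dict]]:
        status = self.authenticate(req)
        if status != 200:
            return status, None
        cust = self.customers.setdefault(req.customer, Customer())
        if req.device_sn not in cust.members:
            # A new member joins: one fresh key per customer and a new revision,
            # which every existing member picks up at its next poll.
            cust.members[req.device_sn] = -1
            cust.revision += 1
            cust.key = secrets.token_bytes(32)
        return 200, self._view(cust, req.device_sn)

    def poll(self, req: Request) -> Tuple[int, Optional[dict]]:
        """Periodic update: current revision and member list, plus the key if
        this device has not yet acknowledged the current revision."""
        status = self.authenticate(req)
        if status != 200:
            return status, None
        cust = self.customers.get(req.customer)
        if cust is None or req.device_sn not in cust.members:
            return 404, None  # unknown device: it must register first (assumed code)
        return 200, self._view(cust, req.device_sn)

    def reg_ack(self, req: Request) -> int:
        """RegAck: the device confirms it installed revision req.revision."""
        status = self.authenticate(req)
        if status != 200:
            return status
        cust = self.customers.get(req.customer)
        if cust is None or req.device_sn not in cust.members:
            return 404
        cust.members[req.device_sn] = req.revision
        if all(r >= cust.revision for r in cust.members.values()):
            cust.key = None  # every member has installed it: destroy the key
        return 200

    @staticmethod
    def _view(cust: Customer, sn: str) -> dict:
        pending = cust.members[sn] < cust.revision
        return {"revision": cust.revision,
                "members": sorted(cust.members),
                "key": cust.key if pending else None}
```

The point to notice is that the key is only ever handed out while some member's acknowledged revision lags behind the table revision, so the window in which the cloud holds the key is bounded by the slowest member's poll and RegAck, not by a storage policy.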
Device polling and controller information
Instead of a central controller actively directing the devices and pushing out updates in response to network topology changes, the FortiOS architecture uses device polling to propagate changes across the nodes in the VPN. State changes are tracked carefully across the system so that all devices always have the same view of the network (with some delay in propagating changes due to polling). Similarly, the OCVPN cloud always knows the state of each device. This is essential to managing the keys properly and being able to discard them after they have been installed on each device.
The control layer is implemented on each device as a state machine, where information is translated from the member table into a working configuration: IPsec phase1 and phase2 objects with default parameters, firewall address and address group objects, firewall policies, and static routes. The resulting configuration may be edited normally (e.g. DPD settings, DH group, crypto transform, firewall policy profiles for AV/IPS, etc.) to provide a level of flexibility and usability.
The control layer’s responsibility is to ensure that the network data on any device, and by extension the configuration, always stays in sync with the network view stored in the cloud and with all the other devices, regardless of intermittent network errors that could occur at any point in the system. The system is designed to handle network errors, changes, and events, and to keep the IPsec configuration consistently and reliably in sync.
Configuration information is managed in a fixed table: 16 nodes maximum, 16 subnets per node. After the table is populated, full mesh configuration is calculated and installed into the CMDB.
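The translation from member table to full-mesh configuration described above is mechanical, which makes it a good candidate for a small model. The following is an added example, not FortiOS code: it enforces the 16-node / 16-subnet table limits and, for one device, derives the phase1/phase2, address, address group, policy and static route objects for every peer. The object naming (_OCVPN<slot>, _OCVPN_local), the dictionary field names and the sample member table are all assumptions chosen only to resemble the object types the page lists.

```python
"""Added example (not FortiOS code): derive one device's full-mesh objects
from the fixed member table (16 nodes max, 16 subnets per node). Object
names, field names and the sample table are assumptions."""
from typing import Dict, List

MAX_NODES = 16
MAX_SUBNETS_PER_NODE = 16


def validate_table(members: List[dict]) -> None:
    """Reject tables that violate the fixed 16 x 16 limits or reuse a slot."""
    if len(members) > MAX_NODES:
        raise ValueError(f"{len(members)} nodes exceeds the {MAX_NODES}-node table")
    slots = [m["slot"] for m in members]
    if len(set(slots)) != len(slots) or any(not 0 <= s < MAX_NODES for s in slots):
        raise ValueError("member slots must be unique and within 0..15")
    for m in members:
        if len(m["subnets"]) > MAX_SUBNETS_PER_NODE:
            raise ValueError(f"{m['sn']} advertises more than {MAX_SUBNETS_PER_NODE} subnets")


def mesh_tunnel_count(n: int) -> int:
    """Number of point-to-point tunnels in a full mesh of n nodes."""
    return n * (n - 1) // 2


def build_mesh_config(local_sn: str, members: List[dict]) -> Dict[str, list]:
    """Return the per-device objects (phase1/phase2, addresses, address
    groups, policies, static routes) this device needs for every peer."""
    validate_table(members)
    local = next(m for m in members if m["sn"] == local_sn)
    cfg: Dict[str, list] = {k: [] for k in
                            ("phase1", "phase2", "address", "addrgrp", "policy", "route")}
    # Local side: one address object per local subnet, grouped for use in policies.
    local_addrs = []
    for i, subnet in enumerate(local["subnets"]):
        name = f"_OCVPN_local_{i}"
        cfg["address"].append({"name": name, "subnet": subnet})
        local_addrs.append(name)
    cfg["addrgrp"].append({"name": "_OCVPN_local", "member": local_addrs})

    for peer in sorted(members, key=lambda m: m["slot"]):
        if peer["sn"] == local_sn:
            continue
        tun = f"_OCVPN{peer['slot']}"
        # Phase1/phase2 with default parameters; DPD, DH group etc. can be edited later.
        cfg["phase1"].append({"name": tun, "interface": local["wan_ifname"],
                              "remote-gw": peer["wan_ip"], "type": "static"})
        cfg["phase2"].append({"name": tun, "phase1name": tun})
        peer_addrs = []
        for i, subnet in enumerate(peer["subnets"]):
            name = f"{tun}_{i}"
            cfg["address"].append({"name": name, "subnet": subnet})
            peer_addrs.append(name)
            cfg["route"].append({"dst": subnet, "device": tun})  # static route into the tunnel
        cfg["addrgrp"].append({"name": tun, "member": peer_addrs})
        # One policy per direction; AV/IPS profiles can be attached afterwards.
        cfg["policy"].append({"srcintf": local["lan_ifname"], "dstintf": tun,
                              "srcaddr": "_OCVPN_local", "dstaddr": tun, "action": "accept"})
        cfg["policy"].append({"srcintf": tun, "dstintf": local["lan_ifname"],
                              "srcaddr": tun, "dstaddr": "_OCVPN_local", "action": "accept"})
    return cfg


# Constructed sample member table (documentation address ranges, not real devices).
SAMPLE_MEMBERS = [
    {"sn": "FGT-A", "slot": 0, "wan_ifname": "wan1", "lan_ifname": "lan",
     "wan_ip": "198.51.100.10", "subnets": ["10.1.1.0/24"]},
    {"sn": "FGT-B", "slot": 1, "wan_ifname": "wan1", "lan_ifname": "lan",
     "wan_ip": "198.51.100.20", "subnets": ["10.1.2.0/24", "10.1.3.0/24"]},
    {"sn": "FGT-C", "slot": 2, "wan_ifname": "port1", "lan_ifname": "port2",
     "wan_ip": "203.0.113.30", "subnets": ["10.1.4.0/24", "10.1.5.0/24"]},
]

if __name__ == "__main__":
    for kind, objs in build_mesh_config("FGT-A", SAMPLE_MEMBERS).items():
        print(kind, len(objs))
```

Because every device runs the same derivation over the same table revision, the mesh is consistent as long as the tables agree; that is exactly why the state machine in the next section cares about revisions and acknowledgements rather than about individual tunnels.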
System states
The system is stateless across reboots. It re-registers after reboot, which re-initializes the state of the system. After bootup, the system is stateful across changes and polling interval queries/updates. The state file contains the hostname, current WAN ifname, current WAN IP, assigned slot, current state, previous state, current OCVPN table revision, last OCVPN response code (register/update), last polling response code, number of members, current member bitmask, previous member bitmask. The system uses this state information to track state changes locally and in the cloud.
Possible device states are:
    enum cvpn_state {
        cvpn_st_none,
        cvpn_st_unregistered,
        cvpn_st_registering,
        cvpn_st_updating,
        cvpn_st_unregistering,
        cvpn_st_acknowledging,
        cvpn_st_registered
    };
A normal sequence would be registering (updating) -> acknowledging -> registered.
Even though SSL/TCP is stateful and ensures delivery, the OCVPN microservice doesn’t run on a FortiWeb SSL termination server. See “Key exchange” on page 112 for more info about how FortiWeb configuration differs. The explicit acknowledgment message (RegAck) ensures the OCVPN service knows when all nodes have received and applied the latest revision of the network information and key.
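A device-side model of the state file and the registering -> acknowledging -> registered sequence helps make the error handling concrete: a non-200 response is recorded but does not advance the state, a poll that reports a newer revision moves the device into updating, and a reboot discards everything. This is an added example, not FortiOS code; the enum values are the ones listed above, but the transition table, the event names, handle_response() and the sample sequence are assumptions built from the page's description.

```python
"""Added example (not FortiOS code): device-side model of the OCVPN state
file and state machine. The enum values come from the page; the transition
table, event names and handle_response() are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class CvpnState(Enum):
    NONE = "cvpn_st_none"
    UNREGISTERED = "cvpn_st_unregistered"
    REGISTERING = "cvpn_st_registering"
    UPDATING = "cvpn_st_updating"
    UNREGISTERING = "cvpn_st_unregistering"
    ACKNOWLEDGING = "cvpn_st_acknowledging"
    REGISTERED = "cvpn_st_registered"


@dataclass
class StateFile:
    """The fields the page says the state file holds; it does not survive a reboot."""
    hostname: str
    wan_ifname: str
    wan_ip: str
    slot: int = -1
    state: CvpnState = CvpnState.NONE
    prev_state: CvpnState = CvpnState.NONE
    revision: int = 0           # current OCVPN table revision
    last_reg_code: int = 0      # last register/update response code
    last_poll_code: int = 0
    num_members: int = 0
    member_mask: int = 0        # bit i set => slot i is currently a member
    prev_member_mask: int = 0


S = CvpnState
TRANSITIONS = {  # (state, event) -> next state; assumed from the normal sequence
    (S.NONE, "boot"): S.UNREGISTERED,
    (S.UNREGISTERED, "register"): S.REGISTERING,
    (S.REGISTERING, "response_ok"): S.ACKNOWLEDGING,
    (S.REGISTERED, "poll_new_revision"): S.UPDATING,
    (S.UPDATING, "response_ok"): S.ACKNOWLEDGING,
    (S.ACKNOWLEDGING, "ack_ok"): S.REGISTERED,
    (S.REGISTERED, "disable"): S.UNREGISTERING,
    (S.UNREGISTERING, "response_ok"): S.UNREGISTERED,
}


def transition(sf: StateFile, event: str) -> CvpnState:
    nxt = TRANSITIONS.get((sf.state, event))
    if nxt is None:
        raise ValueError(f"event {event!r} not valid in {sf.state.value}")
    sf.prev_state, sf.state = sf.state, nxt
    return sf.state


def slots(mask: int) -> List[int]:
    """Slot numbers set in a 16-bit member bitmask."""
    return [i for i in range(16) if mask >> i & 1]


def member_changes(sf: StateFile) -> Tuple[List[int], List[int]]:
    """Slots that joined and slots that left between the previous and current table."""
    joined = slots(sf.member_mask & ~sf.prev_member_mask)
    left = slots(sf.prev_member_mask & ~sf.member_mask)
    return joined, left


def handle_response(sf: StateFile, kind: str, code: int, revision: Optional[int] = None,
                    member_mask: Optional[int] = None, slot: Optional[int] = None) -> CvpnState:
    """Record a cloud response; advance only on 200, otherwise stay put so the
    next poll interval retries and the device view never runs ahead of the cloud."""
    if kind == "poll":
        sf.last_poll_code = code
    else:
        sf.last_reg_code = code
    if code != 200:
        return sf.state
    if kind in ("register", "update"):
        sf.revision = revision
        if slot is not None:
            sf.slot = slot
        sf.prev_member_mask, sf.member_mask = sf.member_mask, member_mask
        sf.num_members = len(slots(member_mask))
        transition(sf, "response_ok")   # next step: install config, then send RegAck
    elif kind == "ack":
        transition(sf, "ack_ok")
    elif kind == "poll" and revision is not None and revision > sf.revision:
        transition(sf, "poll_new_revision")  # device now sends an update request
    elif kind == "unregister":
        transition(sf, "response_ok")
    return sf.state


def reboot(sf: StateFile) -> StateFile:
    """Stateless across reboots: the device starts over and re-registers."""
    return StateFile(sf.hostname, sf.wan_ifname, sf.wan_ip)
```

The bitmask diff is what lets a device react to a join or leave without a controller telling it which node changed: the joined and left slot lists are exactly the peers whose tunnel objects must be added or removed when the new revision is applied.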
Debugging and logging
OCVPN debugging and logging is handled through a common API function. All debugs (except polling) are logged to /tmp/ocvpn/log. When the size of the log file exceeds 128k, the file is truncated and only the most recent 32k is saved.
The following diagnose commands may be useful when troubleshooting and debugging OCVPN configurations.
| Command | Description |
|---|---|
| diag vpn ocvpn | Top-level diagnose command for OCVPN. |
| device-state | Display the OCVPN device state. |
| log | Display the OCVPN log file from the device. |
| status | Display the current status of the device and the last response code from the OCVPN service. |
| print-members | Print the OCVPN member table. This command accesses the OCVPN cloud service to retrieve the latest information, irrespective of the state of the device. It prints the raw JSON responses from OCVPN. |