Setting up Fortinet Remote VPN AP

FortiRU Wireless controllers support remote AP setup mostly from SD6.0 Onwords. You will have a remote AP configured at your small office/remote office or home that can be managed/Provisioned by WLC  sitting at Data Center. In this case the data communication between controller and AP goes over the internet which is secure by open VPN encryption.

Configuring VPN AP:

First step, is to install a SSL Certificate for WLC controller (VPN server certificate) to manage and authenticate the remote APs.

+Before Processing to import the signed SSL certificate for controller first install the trusted CA certificates.

import

CA

+Similarly import all subordinate CA certificates(if any sub CA’s).

 

Create a certificate Signing request(csr) for Controller:

+Login to Controller, Go to Configuration ->Security-> Certificates -> Controller Certificates.

CSR

+Click on Add button (You can see a Certificate Add Popup), Fill in the Input Fields and click on Save.

+User can View CSR (select the radio button against the Pending CSR) and then Click View button or export the CSR by clicking Export Button

+Once the CSR is created, User can see Entry Created (showing the Type as Pending-CSR)

+Select the radio button against the Pending CSR, then click on Import Certificate Button

csr1

 

+User can see the Certificate Alias name, issued to, Issued By etc.

 

done

 

Step Two, Configuring Remote VPN AP and assigning a certificate for the VPN client.

i. Login to Controller, Go to Configuration -> Certificates -> AP Certificates and List of AP’s will be displayed, Make sure that the AP for which you are installing is Enabled and its Online.

AP1

ii. Select the radio button against the AP, then click on Create CSR Button
iii. A Create Signing Request – AP Certificate Popup will Appear
iv. Enter the Validity (in days) and then click Apply.

AP2

v. Click the Refresh Button, Once on Refresh, user can see CSR-Generation-in-Progress under User Req status.

AP3

vii. User can View CSR (select the radio button against the AP) and the Click View button or export the CSR by clicking Export Button

AP4

viii. Give the CSR File or the Contents to the CSR to the admin to get the Certificate and the CA Certificate
ix. Incase if the Certificates is issued by a different CA server, First install the CA Certificate as mentioned in “Trusted CA install section at the beginning .”.
x. Import the Certificate for the AP, by selecting the radio button against the AP and by clicking Import Button

 

AP5

xi. Once the Certificate is copied, user can see a message “Cert-Installation-In-Progress ” under user Req Status

xii. Once the Certificate is Installed, user can see “Cert-Installed” message under User Req Status

AP7

NOTE: AP must be on L3 connection(must assign IP)

 

Assigning the server certificate for the VPN server:

i. Login to Controller, Go to Configuration -> Certificates -> Controller Certificates
ii. Click on Application Button, A Popup will appear, select the certificate next to VPN Application and click save.

CERT1

iii. A popup message will be displayed asking user to run reload-vpn command from CLI ( On running reload-vpn, selected certificate will be used by VPN Server) Forti-Ru gives this option to user, because if already all AP’s are connected using VPN, running reload-vpn will cause all VPN AP’s to reboot, Hence when there are no stations, the user can run reload-vpn.

 

Creating a VPN SERVER on Controller:

I. Login to Controller, Go to Configuration -> Security -> VPN Server
ii. Fill in VPN Server/IP Name, it should be Controller’s Publicly reachable IP address or the hostname (FQDN), also fill the port, default will be 1194, IP pool and subnet needs to be added.

vpn server

 

Finally, Adding the AP to VPN Group:

i. Login to Controller, Go to Configuration -> security -> VPN server -> VPN AP’s

ii. Select the AP’s that you want to add to the VPN Group and Click on next

select1

iii. See the Column below Action required, if the status is “No Action Required“, Click activate, if there is any pending action, User need to finish the pending action before activating.

select2

iv. Once User clicks Activate, Initially the VPN connectivity status will be disconnected, AP will go for reboot

v. Once the AP comes back, AP will connect back to controller in VPN mode and user can see the status as Connected under VPN Connectivity Status.

select3

 

Troubleshooting command:

Controller level:

default(15)# show vpn-ap

default(15)# show vpn-server

default(15)# show vpn-ap <id>

default(15)# show ap-certificate <id>

default(15)# capture-packets -R ip.addr==x.x.x.x

+Run Capture packets command with filter as AP’s Real IP address, the communication between controller and AP should happen only on VPN port (in this case UDP port 1194)

 

AP Level:

ap 8> ip vpn show

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s