FortiGate SSL VPN supports TLS 1.3. To connect to FortiGate SSL VPN using TLS 1.3, it is necessary to enable TLS 1.3 in Windows 10/11. Normally it is possible to enable it via the Internet browser properties:
- In Windows computer, start the Run prompt (Win + R) and type 'inetcpl.cpl', then press the Enter key.
- The Internet Properties window will be opened. Go to the Advanced section.
- Under the security section, check the box TLS 1.3.
- Apply the changes and restart the browser.
If the FortiClient still fails to connect to FortiGate SSL VPN using TLS 1.3 (Webmode is working fine), then it is necessary to check and edit the computer registry.
First, collectthe FortiGate SSL VPN debug. From the debug it is possible to see that FortiClient is not able to initiate an SSL connection using TLS 1.3:
dia de dis
dia de reset
dia de app sslvpn -1
dia de enable
FortiGate SSL VPN Debug Output:
// Forticlient failed to connect //
[19293:root:2fc]allocSSLConn:307 sconn 0x7f0946f57a00 (0:root)
[19293:root:2fc]SSL state:before SSL initialization (10.47.4.151)
[19293:root:2fc]SSL state:before SSL initialization:DH lib(10.47.4.151)
[19293:root:2fc]SSL_accept failed, 5:(null)
[19293:root:2fc]Destroy sconn 0x7f0946f57a00, connSize=0. (root)
// Webmode can access using TLS 1.3 //
[19293:root:302]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384 <<===
[19293:root:302]No client certificate
[19293:root:302]req: /remote/login
[19293:root:302]rmt_web_auth_info_parser_common:492 no session id in auth info
[19293:root:302]rmt_web_get_access_cache:841 invalid cache, ret=4103
[19293:root:302]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.81 <<====
Next, check and edit the computer registry to enable TLS 1.3:
- Go to \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
- If 'TLS 1.3' is not displaying as a child path under 'Protocols', create it. 'Right-click' 'Protocols', create 'new key', and name it 'TLS 1.3'.
- Then create another new key under 'TLS 1.3', and name it 'Client'.
- In the 'Client' section,create 2 DWORD (32-bit) values, name them 'DisabledByDefault' and 'Enabled' with default value 0.
- For 'Enabled', change the value to '1'.
- Final Look at the registry:
- Apply the changes and close the registry editor window.
- Restart the computer.
After restarting the computer, the FortiClient can connect to the FortiGate SSL VPN using TLS 1.3. SSL VPN debug on FortiGate:
[19293:root:31d]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384<-
[19293:root:31d]req: /remote/login
[19293:root:31d]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])<-
[19293:root:31d]sslvpn_authenticate_user:183 authenticate user: [local] <-
[19293:root:31d][fam_auth_send_req_internal:652] The user local is authenticated.
[19293:root:31d]fam_do_cb:665 fnbamd return auth success.
