FortiGate dialup-client configurations
This section explains how to set up a FortiGate dialup-client IPsec VPN. In a FortiGate dialup-client configuration, a FortiGate unit with a static IP address acts as a dialup server and a FortiGate unit having a dynamic IP address initiates a VPN tunnel with the FortiGate dialup server.
The following topics are included in this section: Configuration overview
Configuration overview
A dialup client can be a FortiGate unit. The FortiGate dialup client typically obtains a dynamic IP address from an ISP through the Dynamic Host Configuration Protocol (DHCP) or Point-to-Point Protocol over Ethernet (PPPoE) before initiating a connection to a FortiGate dialup server.
Example FortiGate dialup-client configuration
In a dialup-client configuration, the FortiGate dialup server does not rely on a Phase 1 remote gateway address to establish an IPsec VPN connection with dialup clients. As long as authentication is successful and the IPsec security policy associated with the tunnel permits access, the tunnel is established.
Several different ways to authenticate dialup clients and restrict access to private networks based on client credentials are available. To authenticate FortiGate dialup clients and help to distinguish them from FortiClient dialup clients when multiple clients will be connecting to the VPN through the same tunnel, best practices dictate that you assign a unique identifier (local ID or peer ID) to each FortiGate dialup client. For more information, see Phase 1 parameters on page 52.
Whenever you add a unique identifier (local ID) to a FortiGate dialup client for identification purposes, you must select Aggressive mode on the FortiGate dialup server and also specify the identifier as a peer ID on the FortiGate dialup server. For more information, see Phase 1 parameters on page 52.
Users behind the FortiGate dialup server cannot initiate the tunnel because the FortiGate dialup client does not have a static IP address. After the tunnel is initiated by users behind the FortiGate dialup client, traffic from the private network behind the FortiGate dialup server can be sent to the private network behind the FortiGate dialup client.
Encrypted packets from the FortiGate dialup client are addressed to the public interface of the dialup server. Encrypted packets from the dialup server are addressed either to the public IP address of the FortiGate dialup client (if the dialup client connects to the Internet directly), or if the FortiGate dialup client is behind a NAT device, encrypted packets from the dialup server are addressed to the public IP address of the NAT device.
If a router with NAT capabilities is in front of the FortiGate dialup client, the router must be NAT-T compatible for encrypted traffic to pass through the NAT device. For more information, see Phase 1 parameters on page 52.
When the FortiGate dialup server decrypts a packet from the FortiGate dialup client, the source address in the IP header may be one of the following values, depending on the configuration of the network at the far end of the tunnel:
- If the FortiGate dialup client connects to the Internet directly, the source address will be the private IP address of a host or server on the network behind the FortiGate dialup client.
- If the FortiGate dialup client is behind a NAT device, the source address will be the public IP address of the NAT device.
In some cases, computers on the private network behind the FortiGate dialup client may (by coincidence) have IP addresses that are already used by computers on the network behind the FortiGate dialup server. In this type of situation (ambiguous routing), conflicts may occur in one or both of the FortiGate routing tables and traffic destined for the remote network through the tunnel may not be sent.
In many cases, computers on the private network behind the FortiGate dialup client will most likely obtain IP addresses from a local DHCP server behind the FortiGate dialup client. However, unless the local and remote networks use different private network address spaces, unintended ambiguous routing and IP-address overlap issues may arise.
To avoid these issues, you can configure FortiGate DHCP relay on the dialup client instead of using a DHCP server on the network behind the dialup client. The FortiGate dialup client can be configured to relay DHCP requests from the local private network to a DHCP server that resides on the network behind the FortiGate dialup server. You configure the FortiGate dialup client to pass traffic from the local private network to the remote network by enabling FortiGate DHCP relay on the FortiGate dialup client interface that is connected to the local private network.
Afterward, when a computer on the network behind the dialup client broadcasts a DHCP request, the dialup client relays the message through the tunnel to the remote DHCP server. The remote DHCP server responds with a private IP address for the computer. To avoid ambiguous routing and network overlap issues, the IP addresses assigned to computers behind the dialup client cannot match the network address space used by the private network behind the FortiGate dialup server.
Preventing network overlap in a FortiGate dialup-client configuration
When the DHCP server resides on the private network behind the FortiGate dialup server, the IP destination address specified in the IPsec security policy on the FortiGate dialup client must refer to that network.
If the DHCP server is not directly connected to the private network behind the FortiGate dialup server (that is, its IP address is not in that network's address space), you must add a static route to the DHCP server on the FortiGate unit. Also, the destination address in the IPsec security policy on the FortiGate dialup client must refer to the DHCP server address. The DHCP server must be configured to assign a range of IP addresses different from the DHCP server’s local network, and also different from the private network addresses behind the FortiGate dialup server. See Routing on page 1.
FortiGate dialup-client infrastructure requirements
The requirements are:
- The FortiGate dialup server must have a static public IP address.
- NAT mode is required if you want to create a route-based VPN.
- The FortiGate dialup server may operate in either NAT mode or transparent mode to support a policy-based VPN.
- Computers on the private network behind the FortiGate dialup client can obtain IP addresses either from a DHCP server behind the FortiGate dialup client, or a DHCP server behind the FortiGate dialup server.
- If the DHCP server resides on the network behind the dialup client, the DHCP server must be configured to assign IP addresses that do not match the private network behind the FortiGate dialup server.
- If the DHCP server resides on the network behind the FortiGate dialup server, the DHCP server must be configured to assign IP addresses that do not match the private network behind the FortiGate dialup client.
Configuring the server to accept FortiGate dialup-client connections
The procedures in this section assume that computers on the private network behind the FortiGate dialup client obtain IP addresses from a local DHCP server. The assigned IP addresses do not match the private network behind the FortiGate dialup server.
In situations where IP-address overlap between the local and remote private networks is likely to occur, FortiGate DHCP relay can be configured on the FortiGate dialup client to relay DHCP requests to a DHCP server behind the FortiGate dialup server. For more information, see To configure DHCP relay on a FortiGate interface on page 1.
Configuring dialup client capability for FortiGate dialup clients involves the following general configuration steps:
- Determine which IP addresses to assign to the private network behind the FortiGate dialup client, and add the IP addresses to the DHCP server behind the FortiGate dialup client. Refer to the software supplier’s documentation to configure the DHCP server.
- Configure the FortiGate dialup server. See Configuration overview on page 139.
- Configure the FortiGate dialup client. See Configuration overview on page 139.
Before you begin, optionally reserve a unique identifier (peer ID) for the FortiGate dialup client. The dialup client will supply this value to the FortiGate dialup server for authentication purposes during the IPsec Phase 1 exchange. In addition, the value will enable you to distinguish FortiGate dialup-client connections from FortiClient dialup-client connections. The same value must be specified on the dialup server and on the dialup client.
At the FortiGate dialup server, define the Phase 1 parameters needed to authenticate the FortiGate dialup client and establish a secure connection. See Phase 1 parameters on page 52.
- Go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
- Edit Network (full configuration options are only available once you click the Convert To Custom Tunnel button).
- Enter these settings in particular:
Remote Gateway | Select Dialup User. |
Interface | Select the interface through which clients connect to the FortiGate unit. |
- Edit Authentication and enter the following information:
Mode | If you will be assigning an ID to the FortiGate dialup client, select Aggressive. |
Peer Options | If you will be assigning an ID to the FortiGate dialup client, set Accept Types to This peer ID and type the identifier that you reserved for the FortiGate dialup client into the adjacent field. |
- Define the Phase 2 parameters needed to create a VPN tunnel with the FortiGate dialup client. See Phase 2 parameters on page 72. Enter these settings in particular:
Name | Enter a name to identify this Phase 2 configuration. |
Phase 1 | Select the name of the Phase 1 configuration that you defined. |
- Define names for the addresses or address ranges of the private networks that the VPN links. See Defining policy addresses on page 1. Enter these settings in particular:
  - Define an address name for the server, host, or network behind the FortiGate dialup server.
  - Define an address name for the private network behind the FortiGate dialup client.
- Define the security policies to permit communications between the private networks through the VPN tunnel. Route-based and policy-based VPNs require different security policies. For detailed information about creating security policies, see Defining VPN security policies on page 1.
Route-based VPN security policy
Define an ACCEPT security policy to permit communications between hosts on the private network behind the FortiGate dialup client and the private network behind this FortiGate dialup server. Because communication cannot be initiated in the opposite direction, there is only one policy.
- Go to Policy & Objects > IPv4 Policy and select Create New.
- Enter these settings in particular:
Name | Enter an appropriate name for the policy. |
Incoming Interface | Select the VPN tunnel (IPsec interface) created in Step 1. |
Outgoing Interface | Select the interface that connects to the private network behind this FortiGate unit. |
Source | Select all. |
Destination Address | Select all. |
Action | Select ACCEPT. |
NAT | Disable NAT. |
Policy-based VPN security policy
- Go to Policy & Objects > IPv4 Policy and select Create New.
- Enter these settings in particular:
Name | Enter an appropriate name for the policy. |
Incoming Interface | Select the interface that connects to the private network behind this FortiGate unit. |
Outgoing Interface | Select the FortiGate unit’s public interface. |
Source | Select the address name that you defined for the private network behind this FortiGate unit. |
Destination Address | Select the address name that you defined for the private network behind the FortiGate dialup client. |
Action | Select IPsec. Under VPN Tunnel, select the name of the Phase 1 configuration that you created in “Configuration overview” on page 139 from the drop-down list. Select Allow traffic to be initiated from the remote site. |
- To prevent traffic from the local network from initiating the tunnel after the tunnel has been established, disable outbound VPN traffic for the policy in the CLI:
    config firewall policy
        edit <policy_number>
            set outbound disable
    end
Place the policy in the policy list above any other policies having similar source and destination addresses.
If configuring a route-based policy, configure a default route for VPN traffic on this interface.
Configuring the FortiGate dialup client
At the FortiGate dialup client, define the Phase 1 parameters needed to authenticate the dialup server and establish a secure connection. See Phase 1 parameters on page 52.
- Go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
- Edit Network (full configuration options are only available once you click the Convert To Custom Tunnel button).
- Enter these settings in particular:
Remote Gateway | Select Static IP Address. |
IP Address | Type the IP address of the dialup server’s public interface. |
Interface | Select the interface that connects to the public network. |
- Edit Authentication and enter the following information:
Mode | Because the FortiGate dialup client has a dynamic IP address, select Aggressive. |
- Edit Phase 1 Proposal and enter the following information:
Local ID | If you defined a peer ID for the dialup client in the FortiGate dialup server configuration, enter the identifier of the dialup client. The value must be identical to the peer ID that you specified previously in the FortiGate dialup server configuration. |
- Define the Phase 2 parameters needed to create a VPN tunnel with the dialup server. See Phase 2 parameters on page 72. Enter these settings in particular:
Name | Enter a name to identify this Phase 2 configuration. |
Phase 1 | Select the name of the Phase 1 configuration that you defined. |
- Define names for the addresses or address ranges of the private networks that the VPN links. See Defining policy addresses on page 1. Enter these settings in particular:
  - Define an address name for the server, host, or network behind the FortiGate dialup server.
  - Define an address name for the private network behind the FortiGate dialup client.
- Define security policies to permit communication between the private networks through the VPN tunnel. Route-based and policy-based VPNs require different security policies. For detailed information about creating security policies, see Defining VPN security policies on page 1.
Route-based VPN security policy
Define an ACCEPT security policy to permit communications between hosts on the private network behind this FortiGate dialup client and the private network behind the FortiGate dialup server. Because communication cannot be initiated in the opposite direction, there is only one policy.
- Go to Policy & Objects > IPv4 Policy and select Create New.
- Enter these settings in particular:
Name | Enter an appropriate name for the policy. |
Incoming Interface | Select the interface that connects to the private network behind this FortiGate unit. |
Outgoing Interface | Select the VPN tunnel (IPsec interface) created in Step 1. |
Source | Select all. |
Destination Address | Select all. |
Action | Select ACCEPT. |
NAT | Disable NAT. |
Policy-based VPN security policy
Define an IPsec security policy to permit communications between the source and destination addresses.
- Go to Policy & Objects > IPv4 Policy and select Create New.
- Enter these settings in particular:
Incoming Interface | Select the interface that connects to the private network behind this FortiGate unit. |
Outgoing Interface | Select the FortiGate unit’s public interface. |
Source | Select the address name that you defined for the private network behind this FortiGate unit. |
Destination Address | Select the address name that you defined for the private network behind the dialup server. |
Action | Select IPsec. Under VPN Tunnel, select the name of the Phase 1 configuration that you created in “Configuration overview” on page 139 from the drop-down list. Clear Allow traffic to be initiated from the remote site to prevent traffic from the remote network from initiating the tunnel after the tunnel has been established. |
Place the policy in the policy list above any other policies having similar source and destination addresses.
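The route-based server and client procedures above, expressed as FortiOS CLI. This is an added example, not text from the Fortinet guide: the interface names wan1 and internal, the tunnel and policy names, the peer ID branch1, the server address 203.0.113.10 and the 10.10.0.0/16 network are assumed placeholders, and the pre-shared key is left as a placeholder. The client's Phase 2 and firewall policy mirror the server's with the interfaces swapped and are omitted.

```text
# --- FortiGate dialup server (static public IP on wan1) ---
config vpn ipsec phase1-interface
    edit "dialup_srv"
        set type dynamic              # Remote Gateway = Dialup User
        set interface "wan1"
        set mode aggressive           # required when a peer ID is used
        set peertype one              # Accept Types = This peer ID
        set peerid "branch1"          # must equal the client's Local ID
        set psksecret <PRESHARED_KEY_PLACEHOLDER>
    next
end
config vpn ipsec phase2-interface
    edit "dialup_srv_p2"
        set phase1name "dialup_srv"
    next
end
config firewall policy
    edit 0
        set name "vpn_from_branch1"
        set srcintf "dialup_srv"      # the IPsec interface, not wan1
        set dstintf "internal"        # network behind the dialup server
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable               # only one policy: the client initiates
    next
end

# --- FortiGate dialup client (dynamic IP via DHCP/PPPoE on wan1) ---
config vpn ipsec phase1-interface
    edit "to_hq"
        set type static               # Remote Gateway = Static IP Address
        set interface "wan1"
        set remote-gw 203.0.113.10    # dialup server's public interface
        set mode aggressive           # client has no fixed address
        set localid "branch1"         # identical to the server's peerid
        set psksecret <PRESHARED_KEY_PLACEHOLDER>
    next
end
config router static
    edit 0
        set dst 10.10.0.0 255.255.0.0 # private network behind the server
        set device "to_hq"            # route VPN traffic into the tunnel
    next
end
```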