Dialup VPN Options

Dialup VPN

FortiGate as dialup client

This recipe provides sample configuration of dialup IPsec VPN and the dialup client. In this example, a branch office FortiGate connects via dialup IPsec VPN to the HQ FortiGate.

The following shows the sample network topology for this recipe:

You can configure dialup IPsec VPN with FortiGate as the dialup client using the FortiOSGUI or CLI.

To configure IPsec VPN with FortiClient as the dialup client on the GUI:

  1. Configure the dialup VPN server FortiGate:
  2. Go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
  3. Enter a proper VPN name.
  4. For Template Type, choose Site to Site. For Remote Device Type, select FortiGate. iv. For NAT Configuration, select The remote site is behind NAT.
  5. Click Next.
  6. Configure the following settings for Authentication:
    1. For Incoming Interface, select the proper incoming interface.
    2. For Authentication Method, select Pre-shared Key. In the Pre-shared Key field, enter your-psk as the key.
    3. Click Next.
  7. Configure the following settings for Policy & Routing:
    1. From the Local Interface dropdown menu, select the proper local interface.
    2. Configure the Local Subnets as 1.100.0/24. iii. Configure the Remote Subnets as 172.16.101.0/24.
    3. Click Create.
    4. Configure the dialup VPN client FortiGate:
  8. Go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
    1. Enter a proper VPN name.
    2. For Template Type, choose Site to Site. For Remote Device Type, select FortiGate. iv. For NAT Configuration, select This site is behind NAT.
    3. Click Next.
  9. Configure the following settings for Authentication:
    1. For IP Address, enter 101.1.1. ii. For Outgoing Interface, enter port13.

iii. For Authentication Method, select Pre-shared Key. iv. In the Pre-shared Key field, enter your-psk as the key.

  1. Click Next.
  1. Configure the following settings for Policy & Routing:
    1. From the Local Interface dropdown menu, select the proper local interface. In this example, it is port9.
    2. Configure the Local Subnets as 16.101.0. iii. Configure the Remote Subnets as 10.1.100.0. iv. Click Create.

To configure IPsec VPN with FortiClient as the dialup client using the CLI:

  1. In the FortiOS CLI, configure the user, user group, and firewall address by running the following commands. Only the HQ dialup server FortiGate needs this configuration. The address is an IP pool to assign an IP address for the dialup client FortiGate.

config user local edit “vpnuser1” set type password set passwd your-password

next

end config user group edit “vpngroup” set member”vpnuser1″

next

end

config firewall address

edit “client_range” set type iprange set start-ip 10.10.10.1 set end-ip 10.10.10.200

next

end

  1. Configure the WAN interface and default route. The WAN interface is the interface connected to the ISP. It can work in static mode (as shown in the example), DHCP, or PPPoE mode. The IPsec tunnel is established over the WAN interface:
  2. Configure the HQ FortiGate:

config system interface edit “wan1” set vdom “root” set ip 11.101.1 255.255.255.0

next

end

config router static edit 1 set gateway 11.101.1.2 set device “wan1”

next

end

  1. Configure the branch office FortiGate:

config system interface edit “port13” set vdom “root” set ip 173.1.1.1 255.255.255.0

next

end

config router static edit 1 set gateway 173.1.1.2 set device “port13”

next

end

  1. Configure the internal interface and protected subnet. The internal interface connects to the internal network.

Traffic from this interface will route out the IPsec VPN tunnel: a. Configure the HQ FortiGate:

config system interface edit “dmz” set vdom “root”

set ip 10.1.100.1 255.255.255.0

next

end

config firewall address edit “10.1.100.0” set subnet 10.1.100.0 255.255.255.0

next end

  1. Configure the branch office FortiGate:

config system interface edit “port9” set vdom “root”

set ip 172.16.101.1 255.255.255.0

next

end

config firewall address edit “172.16.101.0” set subnet 172.16.101.0 255.255.255.0

next

end

  1. Configure the IPsec phase1-interface. In this example, PSK is used as the authentication method. Signature authentication is also an option:
  2. Configure the HQ FortiGate:

config vpn ipsec phase1-interface edit “for_Branch” set type dynamic set interface “wan1” set mode aggressive set peertype any set mode-cfg enable

set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set add-route disable set dpd on-idle set xauthtype auto set authusrgrp “vpngroup” set net-device enable set assign-ip-from name set dns-mode auto set ipv4-split-include “10.1.100.0” set ipv4-name “client_range” set save-password enable set psksecret sample set dpd-retryinterval 60

next

end

  1. Configure the branch office FortiGate:

config vpn ipsec phase1-interface edit “to_HQ” set interface “port13” set mode aggressive set peertype any set mode-cfg enable

set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set add-route disable set xauthtype client set authusr “vpnuser1” set authpasswd vpnuser1-password set remote-gw 11.101.1.1 set psksecret sample

next end

  1. Configure the IPsec phase2-interface:
    1. Configure the HQ FortiGate:

config vpn ipsec phase2-interface edit “for_Branch_p2” set phase1 name “for_Branch”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm

aes256gcm chacha20poly1305 next

end

  1. Configure the branch office FortiGate:

config vpn ipsec phase2-interface edit “to_HQ_p2” set phase1name “to_HQ”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm

aes256gcm chacha20poly1305 next

end

  1. Configure the static routes on the branch office FortiGate. The blackhole route is important to ensure that IPsec traffic does not match the default route when the IPsec tunnel is down:

config router static edit 2 set dst 10.1.100.0 255.255.255.0 set device “to_HQ”

next edit 3 set dst 10.1.100.0 255.255.255.0 set blackhole enable set distance 254

next

end

  1. Configure the firewall policy to allow the branch office to HQ network flow over the IPsec tunnel. This configuration only supports traffic from the branch office FortiGate to the HQ FortiGate. Traffic is dropped from the HQ FortiGate to the branch office FortiGate:
  2. Configure the HQ FortiGate:

config firewall policy edit 1 set name “inbound” set srcintf “for_Branch” set dstintf “dmz” set srcaddr “172.16.101.0” set dstaddr “10.1.100.0” set action accept set schedule “always” set service “ALL”

next

end

  1. Configure the branch office FortiGate:

config firewall policy edit 1 set name “outbound”

set srcintf “port9” set dstintf “to_HQ” set srcaddr “172.16.101.0” set dstaddr “10.1.100.0” set action accept set schedule “always” set service “ALL”

next

end

  1. Run diagnose commands. These diagnose commands are useful to check the IPsec phase1/phase2 interface status. The diagnose debug application ike -1 command is the key to figure out why the IPsec tunnel failed to establish.
  2. Run the diagnose vpn ike gateway list command on the HQ FortiGate. The system should return the following:

vd: root/0 name: for_Branch_0 version: 1 interface: wan1 5 addr: 11.101.1.1:500 -> 173.1.1.1:500 created: 1972s ago xauth-user: vpnuser1 assigned IPv4 address: 10.10.10.1/255.255.255.252

IKE SA: created 1/1 established 1/1 time 10/10/10 ms IPsec SA: created 1/1 established 1/1 time 0/0/0 ms id/spi: 184 5b1c59fab2029e43/bf517e686d3943d2 direction: responder status: established 1972-1972s ago = 10ms proposal: aes128-sha256 key: 8046488e92499247-fbbb4f6dfa4952d0 lifetime/rekey: 86400/84157

DPD sent/recv: 00000020/00000000

  1. Run the diagnose vpn tunnel list command on the HQ FortiGate. The system should return the following:

list all ipsec tunnel in vd 0

name=for_Branch_0 ver=1 serial=9 11.101.1.1:0->173.1.1.1:0

bound_if=5 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/208 options

[00d0]=create_dev no-sysctlrgwy-chg parent=for_Branch index=0 proxyid_num=1 child_num=0 refcnt=12 ilast=8 olast=8 ad=/0 stat: rxp=8 txp=8 rxb=1216 txb=672 dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=31 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=for_Branch_p2 proto=0 sa=1 ref=2 serial=1 src: 0:0.0.0.0-255.255.255.255:0 dst: 0:0.0.0.0-255.255.255.255:0

SA: ref=3 options=226 type=00 soft=0 mtu=1438 expire=41297/0B replaywin=2048 seqno=9 esn=0 replaywin_lastseq=00000009 itn=0 life: type=01 bytes=0/0 timeout=43190/43200 dec: spi=747c10c6 esp=aes key=16 278c2430e09e74f1e229108f906603b0 ah=sha1 key=20 21dad76b008d1e8b8e53148a2fcbd013a277974a enc: spi=ca646448 esp=aes key=16 b7801d125804e3610a556da7caefd765 ah=sha1 key=20 a70164c3094327058bd84c1a0c954ca439709206 dec:pkts/bytes=8/672, enc:pkts/bytes=8/1216

name=for_Branchver=1 serial=6 11.101.1.1:0->0.0.0.0:0

bound_if=5 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/16 options[0010]=create_ dev proxyid_num=0 child_num=1 refcnt=14 ilast=8523 olast=8523 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0 dpd: mode=on-idle on=0 idle=60000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 run_tally=0

  1. Run the diagnose vpn ike gateway list command on the branch office FortiGate. The system should return the following: vd: root/0 name: to_HQ

version: 1 interface: port13 42 addr: 173.1.1.1:500 -> 11.101.1.1:500 created: 2016s ago assigned IPv4 address: 10.10.10.1/255.255.255.252 IKE SA: created 1/1 established 1/1 time 0/0/0 ms IPsec SA: created 1/1 established 1/1 time 0/0/0 ms id/spi: 93 5b1c59fab2029e43/bf517e686d3943d2 direction: initiator status: established 2016-2016s ago = 0ms proposal: aes128-sha256 key: 8046488e92499247-fbbb4f6dfa4952d0 lifetime/rekey: 86400/84083

DPD sent/recv: 00000000/00000020

  1. Run the diagnose vpn tunnel list command on the branch office FortiGate. The system should return the following:

list all ipsec tunnel in vd 0

name=to_HQver=1 serial=7 173.1.1.1:0->11.101.1.1:0 bound_if=42 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu proxyid_num=1 child_num=0 refcnt=13 ilast=18 olast=58 ad=/0 stat: rxp=1 txp=2 rxb=152 txb=168 dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=to_HQ proto=0 sa=1 ref=2 serial=1 src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=6 options=10226 type=00 soft=0 mtu=1438 expire=41015/0B replaywin=2048 seqno=3 esn=0 replaywin_lastseq=00000002 itn=0 life: type=01 bytes=0/0 timeout=42898/43200

dec: spi=ca646448 esp=aes key=16 b7801d125804e3610a556da7caefd765 ah=sha1 key=20 a70164c3094327058bd84c1a0c954ca439709206 enc: spi=747c10c6 esp=aes key=16 278c2430e09e74f1e229108f906603b0 ah=sha1 key=20 21dad76b008d1e8b8e53148a2fcbd013a277974a dec:pkts/bytes=1/84, enc:pkts/bytes=2/304 npu_flag=03 npu_rgwy=11.101.1.1 npu_lgwy=173.1.1.1 npu_selid=5 dec_npuid=2 enc_npuid=2

FortiClient as dialup client

This recipe provides sample configuration of dialup IPsec VPN with FortiClient as the dialup client.

The following shows the sample network topology for this recipe:

You can configure dialup IPsec VPN with FortiClient as the dialup client using the FortiOS GUI or CLI.

To configure IPsec VPN with FortiClient as the dialup client on the GUI:

  1. In FortiOS, go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
    1. Enter a proper VPN name.
    2. For Template Type, choose Remote Access.
    3. For Remote Device Type, select Client-based > FortiClient.
    4. Click Next.
  2. Configure the following settings for Authentication:
    1. For Incoming Interface, select wan1.
    2. For Authentication Method, select Pre-shared Key.
    3. In the Pre-shared Key field, enter your-psk as the key.
    4. From the UserGroup dropdown list, select vpngroup.
    5. Click Next.
  3. Configure the following settings for Policy & Routing:
    1. From the Local Interface dropdown menu, select lan.
    2. Configure the Local Address as local_network.
    3. Configure the Client Address Range as 10.2.1-10.10.2.200.
    4. Keep the default values for the Subnet Mask, DNS Server, Enable IPv4 Split tunnel, and Allow Endpoint Registration
    5. Click Create.

To configure IPsec VPN with FortiClient as the dialup client using the CLI:

  1. In the FortiOS CLI, configure the user and group by running the following commands:

config user local edit “vpnuser1” set type password set passwd your-password

next

end config user group edit “vpngroup” set member “vpnuser1”

next

end

  1. Configure the internal interface. The LAN interface connects to the corporate internal network. Traffic from this interface will route out the IPsec VPN tunnel. Creating an address group for the protected network behind this FortiGate will cause traffic to this network group to go through the IPsec tunnel:

config system interface edit “lan” set vdom “root”

set ip 10.10.111.1 255.255.255.0

next

end

config firewall address edit “local_subnet_1” set ip 10.10.111.0 255.255.255.0

next

end

config firewall address edit “local_subnet_2” set ip 10.10.112.0 255.255.255.0

next

end

config firewall addrgrp edit “local_network” set member “local_subnet_1” “local_subnet_2”

next

end

  1. Configure the WAN interface. The WAN interface is the interface connected to the ISP. It can work in static mode (as shown in the example), DHCP, or PPPoE mode. The IPsec tunnel is established over the WAN interface.

config system interface edit “wan1” set vdom “root”

set ip 172.20.120.123 255.255.255.0

next end

  1. Configure the client address pool. You must create a firewall address to assign an IP address to a client from the address pool.

config firewall address edit “client_range” set type iprange set comment “VPN client range” set start-ip 10.10.2.1 set end-ip 10.10.2.200

next

end

  1. Configure the IPsec phase1-interface. In this example, PSK is used as the authentication method. Signature authentication is also an option.

config vpn ipsec phase1-interface edit “for_client” set type dynamic set interface “wan1” set mode aggressive set peertype any set net-device enable set mode-cfg enable

set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set dpd on-idle set xauthtype auto set authusrgrp “vpngroup” set assign-ip-from name set ipv4-name “client_range” set dns-mode auto

set ipv4-split-include “local_network” set save-password enable set psksecret your-psk set dpd-retryinterval 60

next

end

  1. Configure the IPsec phase2-interface:

config vpn ipsec phase2-interface edit “for_client” set phase1name “for_client”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm

aes256gcm chacha20poly1305 next

end

  1. Configure the firewall policy to allow client traffic flow over the IPsec VPN tunnel:

config firewall policy edit 1 set name “inbound” set srcintf “for_client” set dstintf “lan” set srcaddr “client_range” set dstaddr “local_network” set action accept set schedule “always” set service “ALL”

next

end

  1. Configure FortiClient. In this example, FortiClient (Windows) 6.0.3 build 0155 is used:
    1. In FortiClient, go to Remote Access and select Add a new connection.
    2. Set the Type to IPsec VPN and the Remote Gateway to the FortiGate IP address.
    3. Set the Authentication Method to Pre-Shared Key and enter the key. Click Save.
    4. Select the VPN, enter the username and password, then select Connect.
  2. Run diagnose These diagnose commands are useful to check the IPsec phase1/phase2 interface status. The diagnose debug application ike -1 command is the key to figure out why the IPsec tunnel failed to establish.
    1. Run the diagnose vpn ike gateway list The system should return the following:

vd: root/0 name: for_client_0 version: 1 interface: port1 15 addr: 172.20.120.123:4500 ->172.20.120.254:64916 created: 37s ago xauth-user: vpnuser1 assigned IPv4 address: 10.10.1.1/255.255.255.255 nat: me peer

IKE SA: created 1/1 established 1/1 time 10/10/10 ms IPsec SA: created 1/1 established 1/1 time 0/0/0 ms id/spi: 1 b40a32d878d5e262/8bba553563a498f4 direction: responder status: established 37-37s ago = 10ms proposal: aes256-sha256 key: f4ad7ec3a4fcfd09-787e2e9b7bceb9a7-0dfa183240d838ba-41539863e5378381 lifetime/rekey: 86400/86092

DPD sent/recv: 00000000/00000a0e

  1. Run the diagnose vpn tunnel list The system should return the following:

list all ipsec tunnel in vd 0

=

= name=for_client_0 ver=1 serial=3 172.20.120.123:4500->172.20.120.254:64916

bound_if=15 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/984 options [03d8]=npucreate_dev no-sysctlrgwy-chgrport-chg frag-rfcaccept_traffic=1 parent=for_client index=0 proxyid_num=1 child_num=0 refcnt=12 ilast=3 olast=3 ad=/0 stat: rxp=1 txp=0 rxb=16402 txb=0 dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=0 natt: mode=keepalive draft=32 interval=10 remote_port=64916 proxyid=for_client proto=0 sa=1 ref=2 serial=1 add-route src: 0:0.0.0.0-255.255.255.255:0 dst: 0:10.10.1.1-10.10.1.1:0

SA: ref=4 options=2a6 type=00 soft=0 mtu=1422 expire=42867/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000001 itn=0 life: type=01 bytes=0/0 timeout=43189/43200 dec: spi=36274d14 esp=aes key=16 e518b84b3c3b667b79f2e61c64a225a6 ah=sha1 key=20 9cceaa544ed042fda800c4fe5d3fd9d8b811984a enc: spi=8b154deb esp=aes key=16 9d50f004b45c122e4e9fb7af085c457c ah=sha1 key=20 f1d90b2a311049e23be34967008239637b50a328 dec:pkts/bytes=1/16330, enc:pkts/bytes=0/0

npu_flag=02 npu_rgwy=172.20.120.254 npu_lgwy=172.20.120.123npu_selid=0 dec_npuid=2 enc_ npuid=0 name=for_clientver=1 serial=2 172.20.120.123:0->0.0.0.0:0

bound_if=15 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/536 options

[0218]=npucreate_dev frag-rfcaccept_traffic=1 proxyid_num=0 child_num=1 refcnt=11 ilast=350 olast=350 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0 dpd: mode=on-idle on=0 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0

iOS device as dialup client

This recipe provides sample configuration of dialup IPsec VPN with an iPhone or iPad as the dialup client.

The following shows the sample network topology for this recipe:

You can configure dialup IPsec VPN with an iOS device as the dialup client using the FortiOS GUI or CLI.

To configure IPsec VPN with an iOS device as the dialup client on the GUI:

  1. In FortiOS, go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
    1. Enter a proper VPN name.
    2. For Template Type, choose Remote Access.
    3. For Remote Device Type, select Native > iOS Native.
    4. For NAT Configuration, set No NAT Between Sites.
    5. Click Next.
  2. Configure the following settings for Authentication:
    1. For Incoming Interface, select wan1.
    2. For Authentication Method, select Pre-shared Key.
    3. In the Pre-shared Key field, enter your-psk as the key.
    4. From the UserGroup dropdown list, select vpngroup.
    5. Deselect Require ‘Group Name’ on VPN client.
    6. Click Next.
  3. Configure the following settings for Policy & Routing:
    1. From the Local Interface dropdown menu, select lan.
    2. Configure the Local Address as local_network.
    3. Configure the Client Address Range as 10.2.1-10.10.2.200.
    4. Keep the default values for the Subnet Mask, DNS Server, and Enable IPv4 Split tunnel e. Click Create.

To configure IPsec VPN with an iOS device as the dialup client using the CLI:

  1. In the FortiOS CLI, configure the user and group by running the following commands:

config user local edit “vpnuser1” set type password set passwd your-password

next

end config user group edit “vpngroup”

set member “vpnuser1”

next

end

  1. Configure the internal interface. The LAN interface connects to the corporate internal network. Traffic from this interface will route out the IPsec VPN tunnel. Creating an address group for the protected network behind this FortiGate will cause traffic to this network group to go through the IPsec tunnel:

config system interface edit “lan” set vdom “root”

set ip 10.10.111.1 255.255.255.0

next

end

config firewall address edit “local_subnet_1” set ip 10.10.111.0 255.255.255.0

next

end

config firewall address edit “local_subnet_2” set ip 10.10.112.0 255.255.255.0

next

end

config firewall addrgrp edit “local_network” set member “local_subnet_1” “local_subnet_2”

next

end

  1. Configure the WAN interface. The WAN interface is the interface connected to the ISP. It can work in static mode (as shown in the example), DHCP, or PPPoE mode. The IPsec tunnel is established over the WAN interface.

config system interface edit “wan1” set vdom “root”

set ip 172.20.120.123 255.255.255.0

next

end

  1. Configure the client address pool. You must create a firewall address to assign an IP address to a client from the address pool.

config firewall address edit “client_range” set type iprange set comment “VPN client range” set start-ip 10.10.2.1 set end-ip 10.10.2.200

next

end

  1. Configure the IPsec phase1-interface. In this example, PSK is used as the authentication method. Signature authentication is also an option.

config vpn ipsec phase1-interface edit “for_ios_p1” set type dynamic set interface “wan1” set peertype any set net-device enable set mode-cfg enable

set proposal aes256-sha256 aes256-md5 aes256-sha1 set dpd on-idle set dhgrp 14 5 2 set xauthtype auto set authusrgrp “vpngroup” set assign-ip-from name set ipv4-name “client_range” set dns-mode auto

set ipv4-split-include “local_network” set psksecret your-psk set dpd-retryinterval 60

next

end

  1. Configure the IPsec phase2-interface:

config vpn ipsec phase2-interface edit “for_ios_p2” set phase1name “for_ios_p1”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm

aes256gcm chacha20poly1305 set pfs disable set keepalive enable

next

end

  1. Configure the firewall policy to allow client traffic flow over the IPsec VPN tunnel:

config firewall policy edit 1 set name “ios_vpn” set srcintf “for_ios_p1” set dstintf “lan” set srcaddr “ios_range” set dstaddr “local_network” set action accept set schedule “always” set service “ALL”

next

end

  1. Configure the iOS device:
    1. In the iOS device, go to Settings > General > VPN and select Add VPN Configuration.
    2. Set the Type to IPsec and enter a Description. Set the Server to the FortiGate’s Internet-facing interface, and enter the username in Account. Enter the user password, the preshared IPsec VPN secret, then select Done.
    3. Ensure that the IPsec VPN configuration is highlighted (indicated by a checkmark), and select the Not Connected The IPsec VPN connects with the user’s credentials and secret. The status changes to Connected, and a VPN icon appears at the top of the screen.
  2. Run diagnose These diagnose commands are useful to check the IPsec phase1/phase2 interface status. The diagnose debug application ike -1 command is the key to figure out why the IPsec tunnel failed to establish.
    1. Run the diagnose vpn ike gateway list The system should return the following:

vd: root/0 name: for_ios_p1_0 version: 1 interface: port1 15 addr: 172.20.120.123:4500 -> 172.20.120.254:64916 created: 17s ago xauth-user: u1 assigned IPv4 address: 10.10.2.1/255.255.255.255 nat: me peer

IKE SA: created 1/1 established 1/1 time 150/150/150 ms IPsec SA: created 1/1 established 1/1 time 10/10/10 ms

id/spi: 2 3c844e13c75591bf/80c2db92c8d3f602 direction: responder status: established 17-17s ago = 150ms proposal: aes256-sha256 key: 0032ea5ee160d775-51f3bf1f9909101bb89c7b5a77a07784-2c92cf9c921801ac lifetime/rekey: 3600/3312 DPD sent/recv: 00000000/00000000

  1. Run the diagnose vpn tunnel list The system should return the following:

list all ipsec tunnel in vd 0

= = name=for_ios_p1_0 ver=1 serial=172.20.120.123:4500->172.20.120.254:64916

bound_if=15 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/984 options[03d8]=npu create_dev no-sysctl rgwy-chg rport-chg frag-rfc accept_traffic=1 parent=for_ios_p1 index=0 proxyid_num=1 child_num=0 refcnt=12 ilast=23 olast=23 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0 dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=0 natt: mode=keepalive draft=32 interval=10 remote_port=64916 proxyid=for_ios_p1 proto=0 sa=1 ref=2 serial=1 add-route

src: 0:10.10.111.0-10.10.111.255:0 dst: 0:10.10.2.1-10.10.2.1:0 SA: ref=3 options=a7 type=00 soft=0 mtu=1422 expire=3564/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0

life: type=01 bytes=0/0 timeout=3587/3600 dec: spi=36274d15 esp=aes key=32

5a599d796f8114c83d6589284f036fc33bdf4456541e2154b4ac2217b6aec869 ah=sha1 key=20 f1efdeb77d6f856a8dd3a30cbc23cb0f8a3e0340 enc: spi=00b0d9ab esp=aes key=32

e9232d7a1c4f390fd09f8409c2d85f80362d940c08c73f245908ab1ac3af322f ah=sha1 key=20 a3890d6c5320756291cad85026d3a78fd42a1b42

dec:pkts/bytes=0/0, enc:pkts/bytes=0/0 npu_flag=00 npu_rgwy=172.20.120.254 npu_ lgwy=172.20.120.123 npu_selid=1 dec_npuid=0 enc_npuid=0

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

One thought on “Dialup VPN Options

  1. Allen Unrau

    I really dislike Fortinet’s use of the term “dialup” to refer to mobile clients. It’s confusing. To me, the term “dialup” refers to using a modem over Plain-Old-Telephone-Service. I can’t even read the term without hearing the screech of audible modem negotiations in my head!

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.