Category Archives: FortiOS 5.4 Handbook

The complete handbook for FortiOS 5.4

Partially-redundant route-based VPN example

This example demonstrates how to set up a partially redundant IPsec VPN between a local FortiGate unit and a remote VPN peer that receives a dynamic IP address from an ISP before it connects to the FortiGate unit. For more information about FortiGate dialup-client configurations, see FortiGate dialup-client configurations on page 1716.

When a FortiGate unit has more than one interface to the Internet (see FortiGate_1), you can configure redundant routes. If the primary connection fails, the FortiGate unit can establish a VPN using the redundant connection.

In this case, FortiGate_2 has only one connection to the Internet. If the link to the ISP were to go down, the connection to FortiGate_1 would be lost, and the tunnel would be taken down. The tunnel is said to be partially redundant because FortiGate_2 does not support a redundant connection.

In the configuration example:

  • Both FortiGate units operate in NAT mode.
  • Two separate interfaces to the Internet (192.168.10.2 and 172.16.20.2) are available on FortiGate_1. Each interface has a static public IP address.
  • FortiGate_2 has a single connection to the Internet and obtains a dynamic public IP address (for example, 172.16.30.1) when it connects to the Internet.
  • FortiGate_2 forwards IP packets from the SOHO network (10.31.101.0/24) to the corporate network (10.21.101.0/24) behind FortiGate_1 through a partially redundant IPsec VPN. Encrypted packets from FortiGate_2 are addressed to the public interface of FortiGate_1. Encrypted packets from FortiGate_1 are addressed to the public IP address of FortiGate_2.


There are two possible paths for communication between the two units. In this example, these paths, listed in descending priority, are:

  • FortiGate_1 WAN 1 to FortiGate_2 WAN 1
  • FortiGate_1 WAN 2 to FortiGate_2 WAN 1

For each path, VPN configuration, security policies and routing are defined. By specifying a different routing distance for each path, the paths are prioritized. A VPN tunnel is established on each path, but only the highest priority one is used. If the highest priority path goes down, the traffic is automatically routed over the next highest priority path. You could use dynamic routing, but to keep this example simple, static routing is used.


Example partially redundant route-based configuration


Configuring FortiGate_1

When configuring FortiGate_1, you must:

  • Configure the interfaces involved in the VPN.
  • Define the Phase 1 configuration for each of the two possible paths, creating a virtual IPsec interface for each one.
  • Define the Phase 2 configuration for each of the two possible paths.
  • Configure incoming and outgoing security policies between the internal interface and each of the virtual IPsec interfaces.

To configure the network interfaces

1. Go to Network > Interfaces.

2. Select the Internal interface and select Edit. Enter the following information and select OK:

Addressing mode                     Manual

IP/Netmask                                 10.21.101.2/255.255.255.0

3. Select the WAN1 interface and select Edit. Enter the following information and select OK:

Addressing mode                     Manual

IP/Netmask                                 192.168.10.2/255.255.255.0

4. Select the WAN2 interface and select Edit. Enter the following information and select OK:

Addressing mode                     Manual

IP/Netmask                                 172.16.20.2/255.255.255.0


To configure the IPsec interfaces (Phase 1 configurations)

1. Go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.

2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button).

3. Enter the following information, and select OK:

Name                                           Site_1_A

Remote Gateway                       Dialup User

Local Interface                          WAN1

Mode                                           Main

Authentication Method            Preshared Key

Preshared Key                          Enter the preshared key.

Peer Options                             Any peer ID

Advanced

Dead Peer Detection                 Select

4. Create a new tunnel and enter the following Phase 1 information:

Name                                           Site_1_B

Remote Gateway                       Dialup User

Local Interface                          WAN2

Mode                                           Main

Authentication Method            Preshared Key

Preshared Key                          Enter the preshared key.

Peer Options                             Any peer ID

Advanced

Dead Peer Detection                 Select


To define the Phase 2 configurations for the two VPNs

1. Open the Phase 2 Selectors panel.

2. Enter the following information and select OK:

Name                                           Route_A

Phase 1                                       Site_1_A

3. Enter the following Phase 2 information for the subsequent route:

Name                                           Route_B

Phase 1                                       Site_1_B


To configure routes

1. Go to Network > Static Routes.

2. Select Create New, enter the following default gateway information and select OK:

Destination IP/Mask                 0.0.0.0/0.0.0.0

Device                                         WAN1

Gateway                                     192.168.10.1

Distance (Advanced)                10


To configure security policies

1. Go to Policy & Objects > IPv4 Policy and select Create New.

2. Enter the following information, and select OK:

Incoming Interface                   Internal

Source Address                        All

Outgoing Interface                   Site_1_A

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

3. Select Create New.

4. Enter the following information, and select OK:

Incoming Interface                   Internal

Source Address                        All

Outgoing Interface                   Site_1_B

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT


Configuring FortiGate_2

The configuration for FortiGate_2 is similar to that of FortiGate_1. You must:

  • configure the interface involved in the VPN
  • define the Phase 1 configuration for the primary and redundant paths, creating a virtual IPsec interface for each one
  • define the Phase 2 configurations for the primary and redundant paths, defining the internal network as the source address so that FortiGate_1 can automatically configure routing
  • configure the routes for the two IPsec interfaces, assigning the appropriate priorities
  • configure security policies between the internal interface and each of the virtual IPsec interfaces


To configure the network interfaces

1. Go to Network > Interfaces.

2. Select the Internal interface and select Edit. Enter the following information and select OK:

Addressing mode                     Manual

IP/Netmask                                 10.31.101.2/255.255.255.0

3. Select the WAN1 interface and select Edit. Set the Addressing mode to DHCP.


To configure the two IPsec interfaces (Phase 1 configurations)

1. Go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.

2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button).

3. Enter the following information, and select OK:

Name                                           Site_2_A

Remote Gateway                       Static IP Address

IP Address                                 192.168.10.2

Local Interface                          WAN1

Mode                                           Main

Authentication Method            Preshared Key

Preshared Key                          Enter the preshared key.

Peer Options                             Any peer ID

Advanced

Dead Peer Detection                 Select

4. Create a new tunnel and enter the following Phase 1 information:

Name                                           Site_2_B

Remote Gateway                       Static IP Address

IP Address                                 172.16.20.2

Local Interface                          WAN1

Mode                                           Main

Authentication Method            Preshared Key

Preshared Key                          Enter the preshared key.

Peer Options                             Any peer ID

Advanced

Dead Peer Detection                 Select


To define the Phase 2 configurations for the two VPNs

1. Open the Phase 2 Selectors panel.

2. Enter the following information and select OK:

Name                                           Route_A

Phase 1                                       Site_2_A

Advanced

Source Address                        10.31.101.0/24

3. Enter the following Phase 2 information for the subsequent route:

Name                                           Route_B

Phase 1                                       Site_2_B

Advanced

Source Address                        10.31.101.0/24


To configure routes

1. Go to Network > Static Routes.

2. Select Create New, enter the following information and then select OK:

Destination IP/Mask                 10.21.101.0/255.255.255.0

Device                                        Site_2_A

Distance (Advanced)                1

3. Select Create New, enter the following information and then select OK:

Destination IP/Mask                 10.21.101.0/255.255.255.0

Device                                        Site_2_B

Distance (Advanced)                2


To configure security policies

1. Go to Policy & Objects > IPv4 Policy and select Create New.

2. Enter the following information, and select OK:

Incoming Interface                   Internal

Source Address                        All

Outgoing Interface                   Site_2_A

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

3. Select Create New.

4. Enter the following information, and select OK:

Incoming Interface                   Internal

Source Address                        All

Outgoing Interface                   Site_2_B

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT
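The FortiGate_2 side in the FortiOS CLI, added as a worked example and not taken from the handbook or from Fortinet. Assumptions are the same as for the FortiGate_1 CLI example: CLI names internal and wan1 for the GUI interfaces Internal and WAN1, the 5.4 DPD keyword on-idle, the ALL service object for the GUI service Any, and a placeholder preshared key. The "Remote Gateway: Static IP Address" setting becomes set type static plus set remote-gw, and the Phase 2 Source Address becomes set src-subnet. Lines starting with # are comments.

```fortios
# FortiGate_2 (dialup client side): internal is static, wan1 takes its address by DHCP
config system interface
    edit "internal"
        set ip 10.31.101.2 255.255.255.0
    next
    edit "wan1"
        set mode dhcp
    next
end
# Phase 1: two static-gateway tunnels, one to each public interface of
# FortiGate_1, both leaving through the single wan1 link
config vpn ipsec phase1-interface
    edit "Site_2_A"
        set type static
        set interface "wan1"
        set remote-gw 192.168.10.2
        set mode main
        set dpd on-idle
        set psksecret "REPLACE-WITH-PRESHARED-KEY"
    next
    edit "Site_2_B"
        set type static
        set interface "wan1"
        set remote-gw 172.16.20.2
        set mode main
        set dpd on-idle
        set psksecret "REPLACE-WITH-PRESHARED-KEY"
    next
end
# Phase 2: the SOHO subnet is the source selector so that FortiGate_1 can
# install a route back to 10.31.101.0/24 through whichever tunnel is up
config vpn ipsec phase2-interface
    edit "Route_A"
        set phase1name "Site_2_A"
        set src-subnet 10.31.101.0 255.255.255.0
    next
    edit "Route_B"
        set phase1name "Site_2_B"
        set src-subnet 10.31.101.0 255.255.255.0
    next
end
# Two routes to the corporate network with different distances: only the
# distance-1 route is installed while Site_2_A is up; when DPD takes that
# interface down, the distance-2 route via Site_2_B is installed instead
config router static
    edit 1
        set dst 10.21.101.0 255.255.255.0
        set device "Site_2_A"
        set distance 1
    next
    edit 2
        set dst 10.21.101.0 255.255.255.0
        set device "Site_2_B"
        set distance 2
    next
end
# One outgoing and one incoming policy per virtual IPsec interface
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "Site_2_A"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set srcintf "Site_2_A"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 3
        set srcintf "internal"
        set dstintf "Site_2_B"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 4
        set srcintf "Site_2_B"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Both tunnels are negotiated and stay up; what makes the configuration "partially redundant" is that both leave through the one wan1 link, so a failure of FortiGate_2's ISP connection takes both paths down at once, while a failure on either FortiGate_1 public interface is survived.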


Creating a backup IPsec interface

You can configure a route-based VPN that acts as a backup facility to another VPN. It is used only while your main VPN is out of service. This is desirable when the redundant VPN uses a more expensive facility.

You can configure a backup IPsec interface only in the CLI. The backup feature works only on interfaces with static addresses that have dead peer detection enabled. The monitor option creates a backup VPN for the specified Phase 1 configuration.

In the following example, backup_vpn is a backup for main_vpn.


config vpn ipsec phase1-interface
    edit main_vpn
        set dpd on
        set interface port1
        set nattraversal enable
        set psksecret "hard-to-guess"
        set remote-gw 192.168.10.8
        set type static
    next
    edit backup_vpn
        set dpd on
        set interface port2
        set monitor main_vpn
        set nattraversal enable
        set psksecret "hard-to-guess"
        set remote-gw 192.168.10.8
        set type static
    next
end

Redundant route-based VPN configuration example

This example demonstrates a fully redundant site-to-site VPN configuration using route-based VPNs. At each site, the FortiGate unit has two interfaces connected to the Internet through different ISPs. This means that there are four possible paths for communication between the two units. In this example, these paths, listed in descending priority, are:

  • FortiGate_1 WAN 1 to FortiGate_2 WAN 1
  • FortiGate_1 WAN 1 to FortiGate_2 WAN 2
  • FortiGate_1 WAN 2 to FortiGate_2 WAN 1
  • FortiGate_1 WAN 2 to FortiGate_2 WAN 2


Example redundant route-based VPN configuration

For each path, VPN configuration, security policies and routing are defined. By specifying a different routing distance for each path, the paths are prioritized. A VPN tunnel is established on each path, but only the highest priority one is used. If the highest priority path goes down, the traffic is automatically routed over the next highest priority path. You could use dynamic routing, but to keep this example simple, static routing is used.


Configuring FortiGate_1

When configuring FortiGate_1, you must:

  • Configure the interfaces involved in the VPN.
  • Define the Phase 1 configuration for each of the four possible paths, creating a virtual IPsec interface for each one.
  • Define the Phase 2 configuration for each of the four possible paths.
  • Configure routes for the four IPsec interfaces, assigning the appropriate priorities.
  • Configure incoming and outgoing security policies between the internal interface and each of the virtual IPsec interfaces.


To configure the network interfaces

1. Go to Network > Interfaces.

2. Select the Internal interface and select Edit.

3. Enter the following information and then select OK:

Addressing mode                     Manual

IP/Netmask                                 10.21.101.0/255.255.255.0

4. Select the WAN1 interface and select Edit, enter the following information and then select OK:

Addressing mode                     Manual

IP/Netmask                                 192.168.10.2/255.255.255.0

5. Select the WAN2 interface and select Edit, enter the following information and then select OK:

Addressing mode                     Manual

IP/Netmask                                 172.16.20.2/255.255.255.0


To configure the IPsec interfaces (Phase 1 configurations)

1. Go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.

2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button).

3. Enter the following information, and select OK:

Name                                           Site_1_A

Remote Gateway                       Static IP Address

IP Address                                 192.168.20.2

Local Interface                          WAN1

Mode                                           Main

Authentication Method            Preshared Key

Preshared Key                          Enter the preshared key.

Peer Options                             Any peer ID

Advanced

Dead Peer Detection                 Select

4. Create a new tunnel and enter the following Phase 1 information:

Name                                           Site_1_B

Remote Gateway                       Static IP Address

IP Address                                 172.16.30.2

Local Interface                          WAN1

Mode                                           Main

Authentication Method            Preshared Key

Preshared Key                          Enter the preshared key.

Peer Options                             Any peer ID

Advanced

Dead Peer Detection                 Select

5. Create a new tunnel and enter the following Phase 1 information:

Name                                           Site_1_C

Remote Gateway                       Static IP Address

IP Address                                 192.168.20.2

Local Interface                          WAN2

Mode                                           Main

Authentication Method            Preshared Key

Preshared Key                          Enter the preshared key.

Peer Options                             Any peer ID

Advanced

Dead Peer Detection                 Select

6. Create a new tunnel and enter the following Phase 1 information:

Name                                           Site_1_D

Remote Gateway                       Static IP Address

IP Address                                 172.16.30.2

Local Interface                          WAN2

Mode                                           Main

Authentication Method            Preshared Key

Preshared Key                          Enter the preshared key.

Peer Options                             Any peer ID

Advanced

Dead Peer Detection                 Select


To define the Phase 2 configurations for the four VPNs

1. Open the Phase 2 Selectors panel.

2. Enter the following information and select OK:

Name                                           Route_A

Phase 1                                       Site_1_A

3. Enter the following Phase 2 information for the subsequent route:

Name                                           Route_B

Phase 1                                       Site_1_B

4. Enter the following Phase 2 information for the subsequent route:

Name                                           Route_C

Phase 1                                       Site_1_C

5. Enter the following Phase 2 information for the subsequent route:

Name                                           Route_D

Phase 1                                       Site_1_D


To configure routes

1. Go to Network > Static Routes.

2. Select Create New, enter the following default gateway information and then select OK:

Destination IP/Mask                 0.0.0.0/0.0.0.0

Device                                         WAN1

Gateway                                     192.168.10.1

Distance (Advanced)                10

3. Select Create New, enter the following information and then select OK:

Destination IP/Mask                 10.31.101.0/255.255.255.0

Device                                        Site_1_A

Distance (Advanced)                1

4. Select Create New, enter the following information and then select OK:

Destination IP/Mask                 10.31.101.0/255.255.255.0

Device                                        Site_1_B

Distance (Advanced)                2

5. Select Create New, enter the following information and then select OK:

Destination IP/Mask                 10.31.101.0/255.255.255.0

Device                                        Site_1_C

Distance (Advanced)                3

6. Select Create New, enter the following information and then select OK:

Destination IP/Mask                 10.31.101.0/255.255.255.0

Device                                        Site_1_D

Distance (Advanced)                4


To configure security policies

1. Go to Policy & Objects > IPv4 Policy and select Create New.

2. Enter the following information, and then select OK:

Incoming Interface                   Internal

Source Address                        All

Outgoing Interface                   Site_1_A

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

3. Select Create New.

4. Enter the following information, and select OK:

Incoming Interface                   Site_1_A

Source Address                        All

Outgoing Interface                   Internal

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

5. Select Create New.

6. Enter the following information, and select OK:

Incoming Interface                   Internal

Source Address                        All

Outgoing Interface                   Site_1_B

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

7. Select Create New.

8. Enter the following information, and select OK:

Incoming Interface                   Site_1_B

Source Address                        All

Outgoing Interface                   Internal

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

9. Select Create New.

10. Enter the following information, and select OK:

Incoming Interface                   Internal

Source Address                        All

Outgoing Interface                   Site_1_C

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

11. Select Create New.

12. Enter the following information, and select OK:

Incoming Interface                   Site_1_C

Source Address                        All

Outgoing Interface                   Internal

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

13. Select Create New.

14. Enter the following information, and select OK:

Incoming Interface                   Internal

Source Address                        All

Outgoing Interface                   Site_1_D

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

15. Select Create New.

16. Enter the following information, and select OK:

Incoming Interface                   Site_1_D

Source Address                        All

Outgoing Interface                   Internal

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT


Configuring FortiGate_2

The configuration for FortiGate_2 is very similar to that of FortiGate_1. You must:

  • Configure the interfaces involved in the VPN.
  • Define the Phase 1 configuration for each of the four possible paths, creating a virtual IPsec interface for each one.
  • Define the Phase 2 configuration for each of the four possible paths.
  • Configure routes for the four IPsec interfaces, assigning the appropriate priorities.
  • Configure incoming and outgoing security policies between the internal interface and each of the virtual IPsec interfaces.


To configure the network interfaces

1. Go to Network > Interfaces.

2. Select the Internal interface and then select Edit. Enter the following information and then select OK:

Addressing mode                     Manual

IP/Netmask                                 10.31.101.0/255.255.255.0

3. Select the WAN1 interface and then select Edit. Enter the following information and then select OK:

Addressing mode                     Manual

IP/Netmask                                 192.168.20.2/255.255.255.0

4. Select the WAN2 interface and then select Edit. Enter the following information and then select OK:

Addressing mode                     Manual

IP/Netmask                                 172.16.30.2/255.255.255.0


To configure the IPsec interfaces (Phase 1 configurations)

1. Go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.

2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button).

3. Enter the following information, and select OK:

Name                                           Site_2_A

Remote Gateway                       Static IP Address

IP Address                                 192.168.10.2

Local Interface                          WAN1

Mode                                           Main

Authentication Method            Preshared Key

Preshared Key                          Enter the preshared key.

Peer Options                             Any peer ID

Advanced

Dead Peer Detection                 Select

4. Create a new tunnel and enter the following Phase 1 information:

Name                                           Site_2_B

Remote Gateway                       Static IP Address

IP Address                                 172.16.20.2

Local Interface                          WAN1

Mode                                           Main

Authentication Method            Preshared Key

Preshared Key                          Enter the preshared key.

Peer Options                             Any peer ID

Advanced

Dead Peer Detection                 Select

5. Create a new tunnel and enter the following Phase 1 information:

Name                                           Site_2_C

Remote Gateway                       Static IP Address

IP Address                                 192.168.10.2

Local Interface                          WAN1

Mode                                           Main

Authentication Method            Preshared Key

Preshared Key                          Enter the preshared key.

Peer Options                             Any peer ID

Advanced

Dead Peer Detection                 Select

6. Create a new tunnel and enter the following Phase 1 information:

Name                                           Site_2_D

Remote Gateway                       Static IP Address

IP Address                                 172.16.20.2

Local Interface                          WAN1

Mode                                           Main

Authentication Method            Preshared Key

Preshared Key                          Enter the preshared key.

Peer Options                             Any peer ID

Advanced

Dead Peer Detection                 Select


To define the Phase 2 configurations for the four VPNs

1. On the first VPN route, open the Phase 2 Selectors panel.

2. Enter the following information and select OK:

Name                                           Route_A

Phase 1                                       Site_2_A

3. Enter the following Phase 2 information for the subsequent route:

Name                                           Route_B

Phase 1                                       Site_2_B

4. Enter the following Phase 2 information for the subsequent route:

Name                                           Route_C

Phase 1                                       Site_2_C

5. Enter the following Phase 2 information for the subsequent route:

Name                                           Route_D

Phase 1                                       Site_2_D


To configure routes

1. Go to Network > Static Routes.

2. Select Create New, enter the following default gateway information and then select OK:

Destination IP/Mask                 0.0.0.0/0.0.0.0

Device                                         WAN1

Gateway                                     192.168.10.1

Distance (Advanced)                10

3. Select Create New, enter the following information and then select OK:

Destination IP/Mask                 10.21.101.0/255.255.255.0

Device                                        Site_2_A

Distance (Advanced)                1

4. Select Create New, enter the following information and then select OK:

Destination IP/Mask                 10.21.101.0/255.255.255.0

Device                                        Site_2_B

Distance (Advanced)                2

5. Select Create New, enter the following information and then select OK:

Destination IP/Mask                 10.21.101.0/255.255.255.0

Device                                        Site_2_C

Distance (Advanced)                3

6. Select Create New, enter the following information and then select OK:

Destination IP/Mask                 10.21.101.0/255.255.255.0

Device                                        Site_2_D

Distance (Advanced)                4


To configure security policies

1. Go to Policy & Objects > IPv4 Policy and select Create New.

2. Enter the following information, and select OK:

Incoming Interface                   Internal

Source Address                        All

Outgoing Interface                   Site_2_A

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

3. Select Create New.

4. Enter the following information, and select OK:

Incoming Interface                   Site_2_A

Source Address                        All

Outgoing Interface                   Internal

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

5. Select Create New.

6. Enter the following information, and select OK:

Incoming Interface                   Internal

Source Address                        All

Outgoing Interface                   Site_2_B

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

7. Select Create New.

8. Enter the following information, and select OK:

Incoming Interface                   Site_2_B

Source Address                        All

Outgoing Interface                   Internal

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

9. Select Create New.

10. Enter the following information, and select OK:

Incoming Interface                   Internal

Source Address                        All

Outgoing Interface                   Site_2_C

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

11. Select Create New.

12. Enter the following information, and select OK:

Incoming Interface                   Site_2_C

Source Address                        All

Outgoing Interface                   Internal

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

13. Select Create New.

14. Enter the following information, and select OK:

Incoming Interface                   Internal

Source Address                        All

Outgoing Interface                   Site_2_D

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

15. Select Create New.

16. Enter the following information, and select OK:

Incoming Interface                   Site_2_D

Source Address                        All

Outgoing Interface                   Internal

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT
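Commands to confirm the behaviour this example relies on, namely that all four tunnels are established but only the highest-priority route is installed, added here as an example and not part of the handbook. Run them on FortiGate_1 after completing the steps above; the commands are standard FortiOS diagnose and get commands, and the comments describe what to look for rather than showing captured output. Lines starting with # are comments.

```fortios
# 1. IKE (Phase 1) state of every gateway. One entry per Site_1_x tunnel;
#    an established gateway lists its negotiated IKE SA. To look at a
#    single tunnel, add "name <phase1 name>", for example:
diagnose vpn ike gateway list
diagnose vpn ike gateway list name Site_1_A
# 2. Phase 2 security associations per tunnel. When all four paths are up,
#    all four virtual IPsec interfaces show SAs, even though only one of
#    them carries traffic.
diagnose vpn tunnel list
# 3. The forwarding table. Exactly one route to 10.31.101.0/24 is present:
#    the one with the lowest distance whose IPsec interface is up
#    (Site_1_A, distance 1, while the primary path is healthy).
get router info routing-table all
# 4. The routing database also lists the candidate routes (distances 2, 3
#    and 4) that are not installed. After DPD marks Site_1_A down, the
#    Site_1_B route appears in the forwarding table in its place, and it
#    is withdrawn again once Site_1_A recovers, because the distance-1
#    route is preferred as soon as its interface is back up.
get router info routing-table database
```

The useful check after a deliberate test (for example disconnecting the WAN1 link at the remote site during a maintenance window) is to repeat commands 3 and 4 and confirm that the installed route moved to the next distance and that it moved back afterwards; if it does not move, the usual cause is that dead peer detection is not enabled on the Phase 1 for that path, so the interface never goes down.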

Configure the VPN peers – route-based VPN

VPN peers are configured using Interface Mode for redundant tunnels. Configure each VPN peer as follows:

1. Ensure that the interfaces used in the VPN have static IP addresses.

2. Create a Phase 1 configuration for each of the paths between the peers.

3. Enable dead peer detection so that one of the other paths is activated if this path fails.

4. Enter these settings in particular, and any other VPN settings as required:

Path 1

Remote Gateway                       Select Static IP Address.

IP Address                                 Type the IP address of the primary interface of the remote peer.

Local Interface                          Select the primary public interface of this peer.

Dead Peer Detection                 Enable

 

Path 2

Remote Gateway                       Select Static IP Address.

IP Address                                 Type the IP address of the secondary interface of the remote peer.

Local Interface                          Select the primary public interface of this peer.

Dead Peer Detection                 Enable

 

Path 3

Remote Gateway                       Select Static IP Address.

IP Address                                 Type the IP address of the primary interface of the remote peer.

Local Interface                          Select the secondary public interface of this peer.

Dead Peer Detection                 Enable

 

Path 4

Remote Gateway                       Select Static IP Address.

IP Address                                 Type the IP address of the secondary interface of the remote peer.

Local Interface                          Select the secondary public interface of this peer.

Dead Peer Detection                 Enable

For more information, see Phase 1 parameters on page 1624.

5. Create a Phase 2 definition for each path. See Phase 2 parameters on page 1642. Select the Phase 1 configuration (virtual IPsec interface) that you defined for this path. You can select the name from the Static IP Address part of the list.

6. Create a route for each path to the other peer. If there are two ports on each peer, there are four possible paths between the peer devices.

Destination IP/Mask                 The IP address and netmask of the private network behind the remote peer.

Device                                         One of the virtual IPsec interfaces on the local peer.

Distance                                     For each path, enter a different value to prioritize the paths.

7. Define the security policy for the local primary interface. See Defining VPN security policies on page 1648. You need to create two policies for each path to enable communication in both directions. Enter these settings in particular:

Incoming Interface                   Select the local interface to the internal (private) network.

Source Address                        All

Outgoing Interface                   Select one of the virtual IPsec interfaces you created in Step 2.

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

8. Select Create New, leave the Policy Type as Firewall and leave the Policy Subtype as Address, and enter these settings:

Incoming Interface                   Select one of the virtual IPsec interfaces you created in Step 2.

Source Address                        All

Outgoing Interface                   Select the local interface to the internal (private) network.

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

9. Place the policy in the policy list above any other policies having similar source and destination addresses.

10. Repeat this procedure at the remote FortiGate unit.

Redundant VPN configurations

This section discusses the options for supporting redundant and partially redundant IPsec VPNs, using route-based approaches.

The following topics are included in this section:

  • Configuration overview
  • General configuration steps
  • Configure the VPN peers – route-based VPN
  • Redundant route-based VPN configuration example
  • Partially-redundant route-based VPN example
  • Creating a backup IPsec interface

 

Configuration overview

A FortiGate unit with two interfaces connected to the Internet can be configured to support redundant VPNs to the same remote peer. If the primary connection fails, the FortiGate unit can establish a VPN using the other connection.

Redundant tunnels do not support Tunnel Mode or manual keys. You must use Interface Mode.

A fully-redundant configuration requires redundant connections to the Internet on both peers. The figure below shows an example of this. This is useful to create a reliable connection between two FortiGate units with static IP addresses.

When only one peer has redundant connections, the configuration is partially-redundant. For an example of this, see Configuration overview on page 1734. This is useful to provide reliable service from a FortiGate unit with static IP addresses that accepts connections from dialup IPsec VPN clients.

In a fully-redundant VPN configuration with two interfaces on each peer, four distinct paths are possible for VPN traffic from end to end. Each interface on a peer can communicate with both interfaces on the other peer. This ensures that a VPN will be available as long as each peer has one working connection to the Internet.

You configure a VPN and an entry in the routing table for each of the four paths. All of these VPNs are ready to carry data. You set different routing distances for each route and only the shortest distance route is used. If this route fails, the route with the next shortest distance is used.

The redundant configurations described in this chapter use route-based VPNs, otherwise known as virtual IPsec interfaces. This means that the FortiGate unit must operate in NAT mode. You must use auto-keying. A VPN that is created using manual keys cannot be included in a redundant-tunnel configuration.

The configuration described here assumes that your redundant VPNs are essentially equal in cost and capability. When the original VPN returns to service, traffic continues to use the replacement VPN until the replacement VPN fails. If your redundant VPN uses more expensive facilities, you want to use it only as a backup while the main VPN is down. For information on how to do this, see Configuration overview on page 1734.

 

Example redundant-tunnel configuration

A VPN that is created using manual keys cannot be included in a redundant-tunnel configuration.

 

General configuration steps

A redundant configuration at each VPN peer includes:

  • One Phase 1 configuration (virtual IPsec interface) for each path between the two peers. In a fully-meshed redundant configuration, each network interface on one peer can communicate with each network interface on the remote peer. If both peers have two public interfaces, this means that each peer has four paths, for example.
  • One Phase 2 definition for each Phase 1 configuration.
  • One static route for each IPsec interface, with different distance values to prioritize the routes.
  • Two Accept security policies per IPsec interface, one for each direction of traffic.
  • Dead peer detection enabled in each Phase 1 definition.

The procedures in this section assume that two separate interfaces to the Internet are available on each VPN peer.
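The general steps above (one Phase 1 per path, a distinct route distance per path, DPD, two accept policies per IPsec interface), as an added Python example that is not part of the handbook: it plans every local-WAN x remote-WAN path in the handbook's priority order, checks the plan, and renders FortiOS-style CLI for the local peer. FortiGate_1's addresses and both private networks come from the earlier example; FortiGate_2's second WAN address (172.16.31.1), the interface names, the proposal and the CLI keywords (type static, dpd on-idle, psksecret, edit 0) are assumptions to verify against the CLI Reference. Given a peer with a single WAN interface it yields the two-path, partially redundant case.

```python
"""Plan a redundant route-based IPsec VPN between two FortiGate peers.
Added example, not handbook code: it enumerates each local-WAN x remote-WAN
path in the handbook's order, assigns distinct route distances, checks the
plan and renders FortiOS-style CLI.  The CLI keywords (type static, dpd
on-idle, proposal, psksecret, edit 0) are assumed; check the CLI Reference."""
from dataclasses import dataclass
from ipaddress import ip_network
from itertools import product
from typing import List, Tuple

NAME_LIMIT = 15  # assumed FortiOS limit for interface / phase1-interface names


@dataclass(frozen=True)
class Peer:
    name: str
    lan: str                          # private network behind this peer
    lan_interface: str                # interface facing that private network
    wan: Tuple[Tuple[str, str], ...]  # ((interface, public IP), ...), primary first


def plan_paths(local: Peer, remote: Peer, base_distance: int = 10) -> List[dict]:
    """One path per (local WAN, remote WAN) pair in handbook order: primary->primary,
    primary->secondary, secondary->primary, secondary->secondary.  A peer with one
    WAN simply yields fewer paths (the partially redundant case)."""
    paths = []
    for n, ((lif, _ip), (rif, rip)) in enumerate(product(local.wan, remote.wan)):
        paths.append({"name": f"vpn_{lif}_{rif}",      # virtual IPsec interface name
                      "local_interface": lif, "remote_gw": rip,
                      "distance": base_distance + n})  # lowest live distance carries traffic
    return paths


def check_plan(paths: List[dict]) -> List[str]:
    """Return the handbook rules the plan violates (empty list = plan is sound)."""
    problems = []
    distances = [p["distance"] for p in paths]
    if len(set(distances)) != len(distances):
        problems.append("every path needs a different static-route distance")
    names = [p["name"] for p in paths]
    if len(set(names)) != len(names):
        problems.append("phase1-interface names must be unique")
    problems += [f"name too long: {n}" for n in names if len(n) > NAME_LIMIT]
    return problems


def render_fortios(local: Peer, remote: Peer, paths: List[dict],
                   psk: str = "<PSK>", proposal: str = "aes256-sha256") -> str:
    """CLI for the local peer; call again with the peers swapped for the remote one."""
    net = ip_network(remote.lan)
    out: List[str] = []

    def section(table: str, entries: List[Tuple[str, List[str]]]) -> None:
        out.append(f"config {table}")
        for key, settings in entries:
            out.append(f"    edit {key}")
            out.extend(f"        {s}" for s in settings)
            out.append("    next")
        out.append("end")

    section("vpn ipsec phase1-interface", [
        (f'"{p["name"]}"', ["set type static", f'set interface "{p["local_interface"]}"',
                            f"set remote-gw {p['remote_gw']}",
                            "set dpd on-idle",  # DPD: a dead path's route is withdrawn
                            f"set proposal {proposal}", f"set psksecret {psk}"])
        for p in paths])
    section("vpn ipsec phase2-interface", [
        (f'"{p["name"]}-p2"', [f'set phase1name "{p["name"]}"', f"set proposal {proposal}"])
        for p in paths])
    section("router static", [  # one route per path, distances decide the priority
        ("0", [f"set dst {net.network_address} {net.netmask}",
               f'set device "{p["name"]}"', f"set distance {p['distance']}"])
        for p in paths])
    policies = []
    for p in paths:  # two accept policies per IPsec interface, one per direction
        for src, dst in ((local.lan_interface, p["name"]), (p["name"], local.lan_interface)):
            policies.append(("0", [f'set srcintf "{src}"', f'set dstintf "{dst}"',
                                   'set srcaddr "all"', 'set dstaddr "all"', "set action accept",
                                   'set schedule "always"', 'set service "ALL"']))
    section("firewall policy", policies)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # FortiGate_1 values follow the handbook example; FortiGate_2's second WAN
    # address is constructed so that both peers are fully redundant.
    fg1 = Peer("FortiGate_1", "10.21.101.0/24", "internal",
               (("wan1", "192.168.10.2"), ("wan2", "172.16.20.2")))
    fg2 = Peer("FortiGate_2", "10.31.101.0/24", "internal",
               (("wan1", "172.16.30.1"), ("wan2", "172.16.31.1")))
    mesh = plan_paths(fg1, fg2)
    assert not check_plan(mesh)
    print(render_fortios(fg1, fg2, mesh))
```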

Secure VPN Internet-browsing configuration

This section explains how to support secure web browsing performed by dialup VPN clients, and/or hosts behind a remote VPN peer. Remote users can access the private network behind the local FortiGate unit and browse the Internet securely. All traffic generated remotely is subject to the security policy that controls traffic on the private network behind the local FortiGate unit.

The following topics are included in this section:

  • Configuration overview
  • Creating an Internet browsing security policy
  • Routing all remote traffic through the VPN tunnel

 

Configuration overview

A VPN provides secure access to a private network behind the FortiGate unit. You can also enable VPN clients to access the Internet securely. The FortiGate unit inspects and processes all traffic between the VPN clients and hosts on the Internet according to the Internet browsing policy. This is accomplished even though the same FortiGate interface is used for both encrypted VPN client traffic and unencrypted Internet traffic.

In the figure below, FortiGate_1 enables secure Internet browsing for FortiClient Endpoint Security users such as Dialup_1 and users on the Site_2 network behind FortiGate_2, which could be a VPN peer or a dialup client.

 

Example Internet-browsing configuration


You can adapt any of the following configurations to provide secure Internet browsing:

  • A gateway-to-gateway configuration (see Gateway-to-gateway configurations on page 1655)
  • A FortiClient dialup-client configuration (see FortiClient dialup-client configurations on page 1702)
  • A FortiGate dialup-client configuration (see FortiGate dialup-client configurations on page 1716)

The procedures in this section assume that one of these configurations is in place, and that it is operating properly.

To create an internet-browsing configuration based on an existing gateway-to-gateway configuration, you must edit the gateway-to-gateway configuration as follows:

  • On the FortiGate unit that will provide Internet access, create an Internet browsing security policy. See Configuration overview on page 1729, below.
  • Configure the remote peer or client to route all traffic through the VPN tunnel. You can do this on a FortiGate unit or on a FortiClient Endpoint Security application. See Configuration overview on page 1729.

 

Creating an Internet browsing security policy

On the FortiGate unit that acts as a VPN server and will provide secure access to the Internet, you must create an Internet browsing security policy. This policy differs depending on whether your gateway-to-gateway configuration is policy-based or route-based.

 

To create an Internet browsing policy – policy-based VPN

1. Go to Policy & Objects > IPv4 Policy and select Create New.

2. Enter the following information and then select OK:

Incoming Interface                   The interface to which the VPN tunnel is bound.

Source Address                        All

Outgoing Interface                   The interface to which the VPN tunnel is bound.

Destination Address                 The internal address range of the remote spoke site.

VPN Tunnel                                Select Use Existing and select the tunnel that provides access to the private network behind the FortiGate unit.

Allow traffic to be initiated from the remote site Enable

Inbound NAT                             Enable

3. Enable inbound NAT in the CLI:

config firewall policy
    edit <policy_number>
        set natinbound enable
end

 

To create an Internet browsing policy – route-based VPN

1. Go to Policy & Objects > IPv4 Policy and select Create New.

2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.

3. Enter the following information and then select OK:

Incoming Interface                   The IPsec VPN interface.

Source Address                        All

Outgoing Interface                   The interface that connects to the Internet. The virtual IPsec interface is configured on this physical interface.

Destination Address                 The internal address range of the remote spoke site.

Action                                         ACCEPT

Enable NAT                                Enable

The VPN clients must be configured to route all Internet traffic through the VPN tunnel.

 

Routing all remote traffic through the VPN tunnel

To make use of the Internet browsing configuration on the VPN server, the VPN peer or client must route all traffic through the VPN tunnel. Usually, only the traffic destined for the private network behind the FortiGate VPN server is sent through the tunnel.

The remote end of the VPN can be a FortiGate unit that acts as a peer in a gateway-to-gateway configuration, or a FortiClient application that protects an individual client PC.

  • To configure a remote peer FortiGate unit for Internet browsing via VPN, see Configuring a FortiGate remote peer to support Internet browsing on page 1732.
  • To configure a FortiClient Endpoint Security application for Internet browsing via VPN, see Configuring a FortiClient application to support Internet browsing on page 1732.

These procedures assume that your VPN connection to the protected private network is working and that you have configured the FortiGate VPN server for Internet browsing as described in Routing all remote traffic through the VPN tunnel on page 1731.

 

Configuring a FortiGate remote peer to support Internet browsing

The configuration changes to send all traffic through the VPN differ for policy-based and route-based VPNs.

 

To route all traffic through a policy-based VPN

1. At the FortiGate dialup client, go to Policy & Objects > IPv4 Policy.

2. Select the IPsec security policy and then select Edit.

3. From the Destination Address list, select all.

4. Select OK.

Packets are routed through the VPN tunnel, not just those destined for the protected private network.

 

To route all traffic through a route-based VPN

1. At the FortiGate dialup client, go to Network > Static Routes.

2. Select the default route (destination IP 0.0.0.0) and then select Edit. If there is no default route, select Create New. Enter the following information and select OK:

Destination IP/Mask                 0.0.0.0/0.0.0.0

Device                                         Select the IPsec virtual interface.

Distance                                     Leave at default.

All packets are routed through the VPN tunnel, not just packets destined for the protected private network.

 

Configuring a FortiClient application to support Internet browsing

By default, the FortiClient application configures the PC so that traffic destined for the remote protected network passes through the VPN tunnel but all other traffic is sent to the default gateway. You need to modify the FortiClient settings so that it configures the PC to route all outbound traffic through the VPN.

 

To route all traffic through VPN – FortiClient application

1. At the remote host, start FortiClient.

2. Go to VPN > Connections.

3. Select the definition that connects FortiClient to the FortiGate dialup server.

4. Select Advanced and then select Edit.

5. In the Edit Connection dialog box, select Advanced.

6. In the Remote Network group, select Add.

7. In the IP and Subnet Mask fields, type 0.0.0.0/0.0.0.0 and select OK.

The address is added to the Remote Network list. The first destination IP address in the list establishes a VPN tunnel. The second destination address (0.0.0.0/0.0.0.0 in this case) forces all other traffic through the VPN tunnel.

8. Select OK.

 

 

Supporting IKE Mode config clients

IKE Mode Config is an alternative to DHCP over IPsec. A FortiGate unit can be configured as either an IKE Mode Config server or client. This chapter contains the following sections:

  • Automatic configuration overview
  • IKE Mode Config overview
  • Configuring IKE Mode Config
  • Example FortiGate unit as IKE Mode Config server
  • Example FortiGate unit as IKE Mode Config client

 

Automatic configuration overview

VPN configuration for remote clients is simpler if it is automated. Several protocols support automatic configuration:

  • The Fortinet FortiClient Endpoint Security application can completely configure a VPN connection with a suitably configured FortiGate unit given only the FortiGate unit’s address. This protocol is exclusive to Fortinet. For more information, see FortiClient dialup-client configurations on page 1702.
  • DHCP over IPsec can assign an IP address, Domain, DNS and WINS addresses. The user must first configure IPsec parameters such as gateway address, encryption and authentication algorithms.
  • IKE Mode Config can configure host IP address, Domain, DNS and WINS addresses. The user must first configure IPsec parameters such as gateway address, encryption and authentication algorithms. Several network equipment vendors support IKE Mode Config, which is described in the ISAKMP Configuration Method document draft-dukes-ike-mode-cfg-02.txt.

This chapter describes how to configure a FortiGate unit as either an IKE Mode Config server or client.

 

IKE Mode Config overview

Dialup VPN clients connect to a FortiGate unit that acts as a VPN server, providing the client the necessary configuration information to establish a VPN tunnel. The configuration information typically includes a virtual IP address, netmask, and DNS server address.

IKE Mode Config is available only for VPNs that are route-based, also known as interface-based. A FortiGate unit can function as either an IKE Configuration Method server or client. IKE Mode Config is configurable only in the CLI.

 

Configuring IKE Mode Config

IKE Mode Config is configured with the CLI command config vpn ipsec phase1-interface. The mode-cfg variable enables IKE Mode Config. The type field determines whether you are creating an IKE Mode Config server or a client. Setting type to dynamic creates a server configuration, otherwise the configuration is a client.

 

Configuring an IKE Mode Config client

If the FortiGate unit will connect as a dialup client to a remote gateway that supports IKE Mode Config, the relevant vpn ipsec phase1-interface variables are as follows:

Variable                              Description

ike-version 1                         IKE v1 is the default for FortiGate IPsec VPNs. IKE Mode Config is also compatible with IKE v2 (RFC 4306). Use syntax ike-version 2.

mode-cfg enable                       Enable IKE Mode Config.

type {ddns | static}                  If you set type to dynamic, an IKE Mode Config server is created.

assign-ip {enable | disable}          Enable to request an IP address from the server.

interface <interface_name>            This is a regular IPsec VPN field. Specify the physical, aggregate, or VLAN interface to which the IPsec tunnel will be bound.

proposal <encryption_combination>     This is a regular IPsec VPN field that determines the encryption and authentication settings that the client will accept. For more information, see Phase 1 parameters on page 1624.

mode-cfg-ip-version {4 | 6}           Select whether the IKE Configuration Method client receives an IPv4 or IPv6 address. The default is 4. Make sure the ip-version setting matches this variable’s value.

ip-version <4 | 6>                    This is a regular IPsec VPN field. By default, IPsec VPNs use IPv4 addressing. You can set ip-version to 6 to create a VPN with IPv6 addressing.

For a complete list of available variables, see the CLI Reference.

 

Configuring an IKE Mode Config server

If the FortiGate unit will accept connection requests from dialup clients that support IKE Mode Config, the following  vpn ipsec phase1-interface settings are required before any other configuration is attempted:

 

Variable                              Description

ike-version 1                         IKE v1 is the default for FortiGate IPsec VPNs. IKE Mode Config is also compatible with IKE v2 (RFC 4306). Use syntax ike-version 2.

mode-cfg enable                       Enable IKE Mode Config.

type dynamic                          Any other setting creates an IKE Mode Config client.

interface <interface_name>            This is a regular IPsec VPN field. Specify the physical, aggregate, or VLAN interface to which the IPsec tunnel will be bound.

proposal <encryption_combination>     This is a regular IPsec VPN field that determines the encryption and authentication settings that the server will accept. For more information, see Phase 1 parameters on page 1624.

ip-version <4 | 6>                    This is a regular IPsec VPN field. By default, IPsec VPNs use IPv4 addressing. You can set ip-version to 6 to create a VPN with IPv6 addressing.

 

For a complete list of available variables, see the CLI Reference. After you have enabled the basic configuration, you can configure:

  • IP address assignment for clients
  • DNS and WINS server assignment

 

IP address assignment

Usually you will want to assign IP addresses to clients. The simplest method is to assign addresses from a specific range, similar to a DHCP server.

 

If your clients are authenticated by a RADIUS server, you can obtain the user’s IP address assignment from the Framed-IP-Address attribute. The user must be authenticated using XAuth.

IKE Mode Config can also use a remote DHCP server to assign the client IP addresses. Up to eight addresses can be selected for either IPv4 or IPv6. After the DHCP proxy has been configured, the assign-ip-from command is used to assign IP addresses via DHCP.

 

To assign IP addresses from an address range – CLI

If your VPN uses IPv4 addresses,

 

config vpn ipsec phase1-interface
    edit vpn1
        set mode-cfg-ipversion 4
        set assign-ip enable
        set assign-ip-type ip
        set assign-ip-from range
        set ipv4-start-ip <range_start>
        set ipv4-end-ip <range_end>
        set ipv4-netmask <netmask>
end

 

If your VPN uses IPv6 addresses,

 

config vpn ipsec phase1-interface
    edit vpn1
        set mode-cfg-ipversion 6
        set assign-ip enable
        set assign-ip-type ip
        set assign-ip-from range
        set ipv6-start-ip <range_start>
        set ipv6-end-ip <range_end>
end

 

To assign IP addresses from a RADIUS server – CLI

The users must be authenticated by a RADIUS server and assigned to the FortiGate user group <grpname>. Since the IP address will not be static, type is set to dynamic, and mode-cfg is enabled. This is IKE Configuration Method so that compatible clients can configure themselves with settings that the FortiGate unit provides.

 

config vpn ipsec phase1-interface
    edit vpn1
        set type dynamic
        set mode-cfg enable
        set assign-ip enable
        set assign-ip-from usrgrp
        set xauthtype auto
        set authusrgrp <grpname>
end

 

To assign IP address from DHCP – CLI

The DHCP proxy must first be enabled for IKE Mode Config to use DHCP to assign the VPN client IP address(es). Up to 8 server addresses can be configured.

config system settings
    set dhcp-proxy enable
    set dhcp-server-ip [ipv4 address]
    set dhcp6-server-ip [ipv6-address]
end

 

config vpn ipsec phase1-interface
    edit vpn1
        set mode-cfg enable
        set assign-ip-from dhcp
    next
end

 

Certificate groups

IKE certificate groups consisting of up to four RSA certificates can be used in IKE Phase 1. Since CA and local certificates are global, the IKE daemon loads them once for all VDOMs and indexes them into trees based on subject and public key hash (for CA certificates), or certificate name (for local certificates). Certificates are linked together based on the issuer, and certificate chains are built by traversing these links. This reduces the need to keep multiple copies of certificates that could exist in multiple chains.

 

IKE certificate groups can be configured through the CLI.

 

 

Configuring the IKE local ID (CLI):

 

config vpn certificate local
    edit <name>
        set ike-localid <string>
        set ike-localid-type {asn1dn | fqdn}
end

 

Example FortiGate unit as IKE Mode Config server

In this example, the FortiGate unit assigns IKE Mode Config clients addresses in the range of 10.11.101.160 through 10.11.101.180. DNS and WINS server addresses are also provided. The public interface of the FortiGate unit is Port 1.

When IKE Mode-Configuration is enabled, multiple server IPs can be defined in IPsec Phase 1.

The ipv4-split-include variable specifies a firewall address that represents the networks to which the clients will have access. This destination IP address information is sent to the clients.

Only the CLI fields required for IKE Mode Config are shown here. For detailed information about these variables, see the FortiGate CLI Reference.

 

config vpn ipsec phase1-interface
    edit "vpn-p1"
        set type dynamic
        set interface "wan1"
        set xauthtype auto
        set mode aggressive
        set mode-cfg enable
        set proposal 3des-sha1 aes128-sha1
        set dpd disable
        set dhgrp 2
        set xauthexpire on-rekey
        set authusrgrp "FG-Group1"
        set ipv4-start-ip 10.10.10.10
        set ipv4-end-ip 10.10.10.20
        set ipv4-dns-server1 1.1.1.1
        set ipv4-dns-server2 2.2.2.2
        set ipv4-dns-server3 3.3.3.3
        set ipv4-wins-server1 4.4.4.4
        set ipv4-wins-server2 5.5.5.5
        set domain "fgt1c-domain"
        set banner "fgt111C-banner"
        set backup-gateway "100.100.100.1" "host1.com" "host2"
        set ipv4-split-include OfficeLAN
end

 

Example FortiGate unit as IKE Mode Config client

In this example, the FortiGate unit connects to a VPN gateway with a static IP address that can be reached through Port 1. Only the port, gateway and proposal information needs to be configured. All other configuration information will come from the IKE Mode Config server.

 

config vpn ipsec phase1-interface
    edit vpn1
        set ip-version 4
        set type static
        set remote-gw <gw_address>
        set interface port1
        set proposal 3des-sha1 aes128-sha1
        set mode-cfg enable
        set mode-cfg-ipversion 4
        set assign-ip enable
end

 

FortiGate dialup-client configurations

This section explains how to set up a FortiGate dialup-client IPsec VPN. In a FortiGate dialup-client configuration, a FortiGate unit with a static IP address acts as a dialup server and a FortiGate unit having a dynamic IP address initiates a VPN tunnel with the FortiGate dialup server.

The following topics are included in this section:

  • Configuration overview
  • FortiGate dialup-client configuration steps
  • Configure the server to accept FortiGate dialup-client connections
  • Configure the FortiGate dialup client

 

Configuration overview

A dialup client can be a FortiGate unit. The FortiGate dialup client typically obtains a dynamic IP address from an ISP through the Dynamic Host Configuration Protocol (DHCP) or Point-to-Point Protocol over Ethernet (PPPoE) before initiating a connection to a FortiGate dialup server.

 

Example FortiGate dialup-client configuration


In a dialup-client configuration, the FortiGate dialup server does not rely on a Phase 1 remote gateway address to establish an IPsec VPN connection with dialup clients. As long as authentication is successful and the IPsec security policy associated with the tunnel permits access, the tunnel is established.

Several different ways to authenticate dialup clients and restrict access to private networks based on client credentials are available. To authenticate FortiGate dialup clients and help to distinguish them from FortiClient dialup clients when multiple clients will be connecting to the VPN through the same tunnel, best practices dictate that you assign a unique identifier (local ID or peer ID) to each FortiGate dialup client. For more information, see Phase 1 parameters on page 1624.

Whenever you add a unique identifier (local ID) to a FortiGate dialup client for identification purposes, you must select Aggressive mode on the FortiGate dialup server and also specify the identifier as a peer ID on the FortiGate dialup server. For more information, see Phase 1 parameters on page 1624.

Users behind the FortiGate dialup server cannot initiate the tunnel because the FortiGate dialup client does not have a static IP address. After the tunnel is initiated by users behind the FortiGate dialup client, traffic from the private network behind the FortiGate dialup server can be sent to the private network behind the FortiGate dialup client.

Encrypted packets from the FortiGate dialup client are addressed to the public interface of the dialup server. Encrypted packets from the dialup server are addressed either to the public IP address of the FortiGate dialup client (if the dialup client connects to the Internet directly), or if the FortiGate dialup client is behind a NAT device, encrypted packets from the dialup server are addressed to the public IP address of the NAT device.

If a router with NAT capabilities is in front of the FortiGate dialup client, the router must be NAT-T compatible for encrypted traffic to pass through the NAT device. For more information, see Phase 1 parameters on page 1624.

When the FortiGate dialup server decrypts a packet from the FortiGate dialup client, the source address in the IP header may be one of the following values, depending on the configuration of the network at the far end of the tunnel:

  • If the FortiGate dialup client connects to the Internet directly, the source address will be the private IP address of a host or server on the network behind the FortiGate dialup client.
  • If the FortiGate dialup client is behind a NAT device, the source address will be the public IP address of the NAT device.

In some cases, computers on the private network behind the FortiGate dialup client may (by coincidence) have IP addresses that are already used by computers on the network behind the FortiGate dialup server. In this type of situation (ambiguous routing), conflicts may occur in one or both of the FortiGate routing tables and traffic destined for the remote network through the tunnel may not be sent.

In many cases, computers on the private network behind the FortiGate dialup client will most likely obtain IP addresses from a local DHCP server behind the FortiGate dialup client. However, unless the local and remote networks use different private network address spaces, unintended ambiguous routing and IP-address overlap issues may arise.

To avoid these issues, you can configure FortiGate DHCP relay on the dialup client instead of using a DHCP server on the network behind the dialup client. The FortiGate dialup client can be configured to relay DHCP requests from the local private network to a DHCP server that resides on the network behind the FortiGate dialup server. You configure the FortiGate dialup client to pass traffic from the local private network to the remote network by enabling FortiGate DHCP relay on the FortiGate dialup client interface that is connected to the local private network.

Afterward, when a computer on the network behind the dialup client broadcasts a DHCP request, the dialup client relays the message through the tunnel to the remote DHCP server. The remote DHCP server responds with a private IP address for the computer. To avoid ambiguous routing and network overlap issues, the IP addresses assigned to computers behind the dialup client cannot match the network address space used by the private network behind the FortiGate dialup server.

 

Preventing network overlap in a FortiGate dialup-client configuration


When the DHCP server resides on the private network behind the FortiGate dialup server, the IP destination address specified in the IPsec security policy on the FortiGate dialup client must refer to that network.

You must add a static route to the DHCP server FortiGate unit if it is not directly connected to the private network behind the FortiGate dialup server; its IP address does not match the IP address of the private network. Also, the destination address in the IPsec security policy on the FortiGate dialup client must refer to the DHCP server address. The DHCP server must be configured to assign a range of IP addresses different from the DHCP server’s local network, and also different from the private network addresses behind the FortiGate dialup server. See Dynamic DNS configuration on page 1688.

 

FortiGate dialup-client infrastructure requirements

 

The requirements are:

  • The FortiGate dialup server must have a static public IP address.
  • NAT mode is required if you want to create a route-based VPN.
  • The FortiGate dialup server may operate in either NAT mode or transparent mode to support a policy-based VPN.
  • Computers on the private network behind the FortiGate dialup client can obtain IP addresses either from a DHCP server behind the FortiGate dialup client, or a DHCP server behind the FortiGate dialup server.
  • If the DHCP server resides on the network behind the dialup client, the DHCP server must be configured to assign IP addresses that do not match the private network behind the FortiGate dialup server.
  • If the DHCP server resides on the network behind the FortiGate dialup server, the DHCP server must be configured to assign IP addresses that do not match the private network behind the FortiGate dialup client.

 

FortiGate dialup-client configuration steps

The procedures in this section assume that computers on the private network behind the FortiGate dialup client obtain IP addresses from a local DHCP server. The assigned IP addresses do not match the private network behind the FortiGate dialup server.

In situations where IP-address overlap between the local and remote private networks is likely to occur, FortiGate DHCP relay can be configured on the FortiGate dialup client to relay DHCP requests to a DHCP server behind the FortiGate dialup server. For more information, see FortiClient dialup-client configurations on page 1702.

 

Configuring dialup client capability for FortiGate dialup clients involves the following general configuration steps:

  • Determine which IP addresses to assign to the private network behind the FortiGate dialup client, and add the IP addresses to the DHCP server behind the FortiGate dialup client. Refer to the software supplier’s documentation to configure the DHCP server.
  • Configure the FortiGate dialup server. See FortiGate dialup-client configuration steps on page 1718.
  • Configure the FortiGate dialup client. See FortiGate dialup-client configuration steps on page 1718.

 

Configure the server to accept FortiGate dialup-client connections

Before you begin, optionally reserve a unique identifier (peer ID) for the FortiGate dialup client. The dialup client will supply this value to the FortiGate dialup server for authentication purposes during the IPsec Phase 1 exchange. In addition, the value will enable you to distinguish FortiGate dialup-client connections from FortiClient dialup-client connections. The same value must be specified on the dialup server and on the dialup client.

1. At the FortiGate dialup server, define the Phase 1 parameters needed to authenticate the FortiGate dialup client and establish a secure connection. See Phase 1 parameters on page 1624. Enter these settings in particular:

Name                                           Enter a name to identify the VPN tunnel. This name appears in Phase 2 configurations, security policies and the VPN monitor.

Remote Gateway                       Select Dialup User.

Local Interface                          Select the interface through which clients connect to the FortiGate unit.

Mode                                           If you will be assigning an ID to the FortiGate dialup client, select Aggressive.

Peer Options                             If you will be assigning an ID to the FortiGate dialup client, select This peer ID and type the identifier that you reserved for the FortiGate dialup client into the adjacent field.

2. Define the Phase 2 parameters needed to create a VPN tunnel with the FortiGate dialup client. See Phase 2 parameters on page 1642. Enter these settings in particular:

Name                                           Enter a name to identify this Phase 2 configuration.

Phase 1                                       Select the name of the Phase 1 configuration that you defined.

3. Define names for the addresses or address ranges of the private networks that the VPN links. See Defining VPN security policies on page 1648. Enter these settings in particular:

  • Define an address name for the server, host, or network behind the FortiGate dialup server.
  • Define an address name for the private network behind the FortiGate dialup client.

4. Define the security policies to permit communications between the private networks through the VPN tunnel.

Route-based and policy-based VPNs require different security policies. For detailed information about creating security policies, see Defining VPN security policies on page 1648.

 

Route-based VPN security policy

Define an ACCEPT security policy to permit communications between hosts on the private network behind the FortiGate dialup client and the private network behind this FortiGate dialup server. Because communication cannot be initiated in the opposite direction, there is only one policy.

1. Go to Policy & Objects > IPv4 Policy and select Create New.

2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.

3. Enter these settings in particular:

Incoming Interface                   Select the VPN tunnel (IPsec interface) created in Step 1.

Source Address                        Select All.

Outgoing Interface                   Select the interface that connects to the private network behind this FortiGate unit.

Destination Address                 Select All.

Action                                         Select ACCEPT.

Enable NAT                                Disable

 

Policy-based VPN security policy

1. Go to Policy & Objects > IPv4 Policy and select Create New.

2. Enter these settings in particular:

Incoming Interface                   Select the interface that connects to the private network behind this FortiGate unit.

Source Address                        Select the address name that you defined for the private network behind this FortiGate unit.

Outgoing Interface                   Select the FortiGate unit’s public interface.

Destination Address                 Select the address name that you defined.

VPN Tunnel                                Select Use Existing and select the name of the Phase 1 configuration that you created in Step 1 from the drop-down list.

Select Allow traffic to be initiated from the remote site to enable traffic from the remote network to initiate the tunnel.

Clear Allow outbound to prevent traffic from the local network from initiating the tunnel after the tunnel has been established.

3. To prevent traffic from the local network from initiating the tunnel after the tunnel has been established, disable outbound VPN traffic for the policy in the CLI:

config firewall policy
    edit <policy_number>
        set outbound disable
    next
end

 

Place the policy in the policy list above any other policies having similar source and destination addresses. If configuring a route-based policy, configure a default route for VPN traffic on this interface.

 

Configure the FortiGate dialup client

Configure the FortiGate dialup client.

1. At the FortiGate dialup client, define the Phase 1 parameters needed to authenticate the dialup server and establish a secure connection. See Phase 1 parameters on page 1624. Enter these settings in particular:

Name                                           Enter a name to identify the VPN tunnel.

Remote Gateway                       Select Static IP Address.

IP Address                                 Type the IP address of the dialup server’s public interface.

Local Interface                          Select the interface that connects to the public network.

Mode                                           Because the FortiGate dialup client has a dynamic IP address, select Aggressive.

Advanced                                   Select to view the following options.

Local ID                                      If you defined a peer ID for the dialup client in the FortiGate dialup server configuration, enter the identifier of the dialup client. The value must be identical to the peer ID that you specified previously in the FortiGate dialup server configuration.

2. Define the Phase 2 parameters needed to create a VPN tunnel with the dialup server. See Phase 2 parameters on page 1642. Enter these settings in particular:

Name                                           Enter a name to identify this Phase 2 configuration.

Phase 1                                       Select the name of the Phase 1 configuration that you defined.

3. Define names for the addresses or address ranges of the private networks that the VPN links. See Defining VPN security policies on page 1648. Enter these settings in particular:

  • Define an address name for the server, host, or network behind the FortiGate dialup server.
  • Define an address name for the private network behind the FortiGate dialup client.

4. Define security policies to permit communication between the private networks through the VPN tunnel. Route-based and policy-based VPNs require different security policies. For detailed information about creating security policies, see Defining VPN security policies on page 1648.

 

Route-based VPN security policy

Define an ACCEPT security policy to permit communications between hosts on the private network behind this FortiGate dialup client and the private network behind the FortiGate dialup server. Because communication cannot be initiated in the opposite direction, there is only one policy.

1. Go to Policy & Objects > IPv4 Policy and select Create New.

2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.

3. Enter these settings in particular:

Incoming Interface                   Select the interface that connects to the private network behind this FortiGate unit.

Source Address                        Select All.

Outgoing Interface                   Select the VPN tunnel (IPsec interface) created in Step 1.

Destination Address                 Select All.

Action                                         Select ACCEPT.

Enable NAT                                Disable

Policy-based VPN security policy

Define an IPsec security policy to permit communications between the source and destination addresses.

1. Go to Policy & Objects > IPv4 Policy and select Create New.

2. Enter these settings in particular:

Incoming Interface                   Select the interface that connects to the private network behind this FortiGate unit.

Source Address                        Select the address name that you defined for the private network behind this FortiGate unit.

Outgoing Interface                   Select the FortiGate unit’s public interface.

Destination Address                 Select the address name that you defined for the private network behind the dialup server.

VPN Tunnel                                Select Use Existing and select the name of the Phase 1 configuration that you created in Step 1 from the drop-down list.

Clear Allow traffic to be initiated from the remote site to prevent traffic from the remote network from initiating the tunnel after the tunnel has been established.

Place the policy in the policy list above any other policies having similar source and destination addresses.
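The route-based server and client procedures above, written out as one added CLI example that is not from the handbook: it shows the Phase 1 settings on each side (the client's Local ID must equal the peer ID the server expects), the single inbound policy on the dialup server, and the static route the client needs toward the private network behind the server. The interface names, tunnel names, the peer ID branch-fgt, the server address 203.0.113.10, the remote network 10.21.101.0/24 and the pre-shared key placeholder are all assumed values; the client-side policy mirrors the server's with the interfaces swapped and is omitted, and lines beginning with # are annotations.

```text
# FortiGate dialup server (assumed names; not from the handbook)
config vpn ipsec phase1-interface
    edit "dialup_srv"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype one
        set peerid "branch-fgt"
        set psksecret "REPLACE_WITH_PRESHARED_KEY"
    next
end
config vpn ipsec phase2-interface
    edit "dialup_srv_p2"
        set phase1name "dialup_srv"
    next
end
# Only one policy: the server cannot initiate the tunnel, NAT is disabled
config firewall policy
    edit 0
        set srcintf "dialup_srv"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

# FortiGate dialup client (assumed names; Local ID matches the server's peer ID)
config vpn ipsec phase1-interface
    edit "to_hq"
        set type static
        set interface "wan1"
        set remote-gw 203.0.113.10
        set mode aggressive
        set localid "branch-fgt"
        set psksecret "REPLACE_WITH_PRESHARED_KEY"
    next
end
config vpn ipsec phase2-interface
    edit "to_hq_p2"
        set phase1name "to_hq"
    next
end
# Route traffic for the remote private network into the IPsec interface
config router static
    edit 0
        set dst 10.21.101.0 255.255.255.0
        set device "to_hq"
    next
end
```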

 

FortiClient dialup-client configurations

The FortiClient Endpoint Security application is an IPsec VPN client with antivirus, antispam and firewall capabilities. This section explains how to configure dialup VPN connections between a FortiGate unit and one or more FortiClient Endpoint Security applications.

FortiClient users are usually mobile or remote users who need to connect to a private network behind a FortiGate unit. For example, the users might be employees who connect to the office network while traveling or from their homes.

For greatest ease of use, the FortiClient application can download the VPN settings from the FortiGate unit to configure itself automatically.

The following topics are included in this section:

  • Configuration overview
  • FortiClient-to-FortiGate VPN configuration steps
  • Configure the FortiGate unit
  • Configure the FortiClient Endpoint Security application
  • Adding XAuth authentication
  • FortiClient dialup-client configuration example

 

Configuration overview

Dialup users typically obtain dynamic IP addresses from an ISP through Dynamic Host Configuration Protocol (DHCP) or Point-to-Point Protocol over Ethernet (PPPoE). Then, the FortiClient Endpoint Security application initiates a connection to a FortiGate dialup server.

By default the FortiClient dialup client has the same IP address as the host PC on which it runs. If the host connects directly to the Internet, this is a public IP address. If the host is behind a NAT device, such as a router, the IP address is a private IP address. The NAT device must be NAT traversal (NAT-T) compatible to pass encrypted packets (see Phase 1 parameters on page 1624). The FortiClient application also can be configured to use a virtual IP address (VIP). For the duration of the connection, the FortiClient application and the FortiGate unit both use the VIP address as the IP address of the FortiClient dialup client.

The FortiClient application sends its encrypted packets to the VPN remote gateway, which is usually the public interface of the FortiGate unit. It also uses this interface to download VPN settings from the FortiGate unit. See Automatic configuration of FortiClient dialup clients on page 1703.

 

Example FortiClient dialup-client configuration


Peer identification

The FortiClient application can establish an IPsec tunnel with a FortiGate unit configured to act as a dialup server. When the FortiGate unit acts as a dialup server, it does not identify the client using the Phase 1 remote gateway address. The IPsec tunnel is established if authentication is successful and the IPsec security policy associated with the tunnel permits access. If configured, the FortiGate unit could also require FortiClient registration, that is, the remote user would be required to have FortiClient installed before connection is completed.

 

Automatic configuration of FortiClient dialup clients

The FortiClient application can obtain its VPN settings from the FortiGate VPN server. FortiClient users need to know only the FortiGate VPN server IP address and their user name and password on the FortiGate unit.

 

The FortiGate unit listens for VPN policy requests from clients on TCP port 8900. When the dialup client connects:

  • The client initiates a Secure Sockets Layer (SSL) connection to the FortiGate unit.
  • The FortiGate unit requests a user name and password from the FortiClient user. Using these credentials, it authenticates the client and determines which VPN policy applies to the client.
  • Provided that authentication is successful, the FortiGate unit downloads a VPN policy to the client over the SSL connection. The information includes IPsec Phase 1 and Phase 2 settings, and the IP addresses of the private networks that the client is authorized to access.
  • The client uses the VPN policy settings to establish an IPsec Phase 1 connection and Phase 2 tunnel with the FortiGate unit.