IPv6 IPsec VPNs

This chapter describes how to configure your FortiGate unit’s IPv6 IPsec VPN functionality.

By default IPv6 configurations to not appear on the Web-based Manager. You need to enable the feature first.

                                    To enable IPv6

1. Go to System > Feature Visibility.
2. Enable IPv6.
3. Select Apply.

The following topics are included in this section: Configuration examples

IPv6 IPsec support

FortiOS supports route-based IPv6 IPsec, but not policy-based. This section describes how IPv6 IPsec support differs from IPv4 IPsec support. FortiOS 4.0 MR3 is IPv6 Ready Logo Program Phase 2 certified.

Where both the gateways and the protected networks use IPv6 addresses, sometimes called IPv6 over IPv6, you can create either an auto-keyed or manually-keyed VPN. You can combine IPv6 and IPv4 addressing in an autokeyed VPN in the following ways:

IPv4 over IPv6	The VPN gateways have IPv6 addresses. The protected networks have IPv4 addresses. The Phase 2 configurations at either end use IPv4 selectors.
IPv6 over IPv4	The VPN gateways have IPv4 addresses. The protected networks use IPv6 addresses. The Phase 2 configurations at either end use IPv6 selectors.

Compared with IPv4 IPsec VPN functionality, there are some limitations:

• Except for IPv6 over IPv4, remote gateways with Dynamic DNS are not supported.
• Selectors cannot be firewall address names. Only IP address, address range and subnet are supported.
• Redundant IPv6 tunnels are not supported.

Certificates

On a VPN with IPv6 Phase 1 configuration, you can authenticate using VPN certificates in which the common name (cn) is an IPv6 address. The cn-type keyword of the user peer command has an option, ipv6, to support this.

Configuration examples

This section consists of the following configuration examples:

• Site-to-site IPv6 over IPv6 VPN example
• Site-to-site IPv6 over IPv4 VPN example
• Site-to-site IPv4 over IPv6 VPN example

Site-to-site IPv6 over IPv6 VPN example

In this example, computers on IPv6-addressed private networks communicate securely over public IPv6 infrastructure.

By default IPv6 configurations to not appear on the Web-based Manager. You need to enable the feature first.

                                    To enable IPv6

1. Go to System > Feature Visibility.
2. Enable IPv6.
3. Select Apply.

Example IPv6-over-IPv6 VPN topology

Configure FortiGate A interfaces

Port 2 connects to the public network and port 3 connects to the local network.

config system interface edit port2 config ipv6 set ip6-address fec0::0001:209:0fff:fe83:25f2/64

end

next edit port3 config ipv6 set ip6-address fec0::0000:209:0fff:fe83:25f3/64

end

next

end

 

Configure FortiGate A IPsec settings

The Phase 1 configuration creates a virtual IPsec interface on port 2 and sets the remote gateway to the public IP address FortiGate B. This configuration is the same as for an IPv4 route-based VPN, except that ip-version is set to 6 and the remote-gw6 keyword is used to specify an IPv6 remote gateway address.

config vpn ipsec phase1-interface edit toB set ip-version 6 set interface port2

set remote-gw6 fec0:0000:0000:0003:209:0fff:fe83:25c7 set dpd [disable | on-idle | on-demand] set psksecret maryhadalittlelamb set proposal 3des-md5 3des-sha1

end

By default, Phase 2 selectors are set to accept all subnet addresses for source and destination. The default setting for src-addr-type and dst-addr-type is subnet. The IPv6 equivalent is subnet6. The default subnet addresses are 0.0.0.0/0 for IPv4, ::/0 for IPv6.

config vpn ipsec phase2-interface edit toB2 set phase1name toB set proposal 3des-md5 3des-sha1 set pfs enable set replay enable set src-addr-type subnet6 set dst-addr-type subnet6

end

Configure FortiGate A security policies

Security policies are required to allow traffic between port3 and the IPsec interface toB in each direction. The address all6 must be defined using the firewall address6 command as ::/0.

config firewall policy6 edit 1 set srcintf port3 set dstintf toB set srcaddr all6 set dstaddr all6

set action accept set service ANY set schedule always

next edit 2 set srcintf toB set dstintf port3 set srcaddr all6 set dstaddr all6 set action accept set service ANY set schedule always

end

Configure FortiGate A routing

This simple example requires just two static routes. Traffic to the protected network behind FortiGate B is routed via the virtual IPsec interface toB. A default route sends all IPv6 traffic out on port2.

config router static6 edit 1 set device port2 set dst 0::/0

next edit 2 set device toB

set dst fec0:0000:0000:0004::/64

end

Configure FortiGate B

The configuration of FortiGate B is very similar to that of FortiGate A. A virtual IPsec interface toA is configured on port2 and its remote gateway is the public IP address of FortiGate A. Security policies enable traffic to pass between the private network and the IPsec interface. Routing ensures traffic for the private network behind FortiGate A goes through the VPN and that all IPv6 packets are routed to the public network.

config system interface edit port2 config ipv6 set ip6-address fec0::0003:209:0fff:fe83:25c7/64

end

next edit port3 config ipv6 set ip6-address fec0::0004:209:0fff:fe83:2569/64

end

end

config vpn ipsec phase1-interface edit toA set ip-version 6 set interface port2

set remote-gw6 fec0:0000:0000:0001:209:0fff:fe83:25f2 set dpd [disable | on-idle | on-demand] set psksecret maryhadalittlelamb set proposal 3des-md5 3des-sha1

end

config vpn ipsec phase2-interface edit toA2

set phase1name toA set proposal 3des-md5 3des-sha1 set pfs enable set replay enable set src-addr-type subnet6 set dst-addr-type subnet6

end

config firewall policy6 edit 1 set srcintf port3 set dstintf toA set srcaddr all6 set dstaddr all6 set action accept set service ANY set schedule always

next edit 2 set srcintf toA set dstintf port3 set srcaddr all6 set dstaddr all6 set action accept set service ANY set schedule always

end

config router static6 edit 1 set device port2 set dst 0::/0

next edit 2 set device toA

set dst fec0:0000:0000:0000::/64

end

Site-to-site IPv6 over IPv4 VPN example

In this example, IPv6-addressed private networks communicate securely over IPv4 public infrastructure.

Example IPv6-over-IPv4 VPN topology

Configure FortiGate A interfaces

Port 2 connects to the IPv4 public network and port 3 connects to the IPv6 LAN.

config system interface edit port2 set 10.0.0.1/24 next edit port3 config ipv6 set ip6-address fec0::0001:209:0fff:fe83:25f3/64

end

Configure FortiGate A IPsec settings

The Phase 1 configuration uses IPv4 addressing.

config vpn ipsec phase1-interface edit toB set interface port2 set remote-gw 10.0.1.1

set dpd [disable | on-idle | on-demand] set psksecret maryhadalittlelamb set proposal 3des-md5 3des-sha1

end

 

The Phase 2 configuration uses IPv6 selectors. By default, Phase 2 selectors are set to accept all subnet addresses for source and destination. The default setting for src-addr-type and dst-addr-type is subnet. The IPv6 equivalent is subnet6. The default subnet addresses are 0.0.0.0/0 for IPv4, ::/0 for IPv6.

config vpn ipsec phase2-interface edit toB2 set phase1name toB set proposal 3des-md5 3des-sha1 set pfs enable set replay enable set src-addr-type subnet6 set dst-addr-type subnet6

end

Configure FortiGate A security policies

IPv6 security policies are required to allow traffic between port3 and the IPsec interface toB in each direction. Define the address all6 using the firewall address6 command as ::/0.

config firewall policy6 edit 1 set srcintf port3 set dstintf toB set srcaddr all6 set dstaddr all6 set action accept set service ANY set schedule always

next edit 2 set srcintf toB set dstintf port3 set srcaddr all6 set dstaddr all6 set action accept set service ANY set schedule always

end

Configure FortiGate A routing

This simple example requires just two static routes. Traffic to the protected network behind FortiGate B is routed via the virtual IPsec interface toB using an IPv6 static route. A default route sends all IPv4 traffic, including the IPv4 IPsec packets, out on port2.

config router static6 edit 1 set device toB

set dst fec0:0000:0000:0004::/64

end

config router static edit 1 set device port2 set dst 0.0.0.0/0 set gateway 10.0.0.254

end

Configure FortiGate B

The configuration of FortiGate B is very similar to that of FortiGate A. A virtual IPsec interface toA is configured on port2 and its remote gateway is the IPv4 public IP address of FortiGate A. The IPsec Phase 2 configuration has IPv6 selectors.

IPv6 security policies enable traffic to pass between the private network and the IPsec interface. An IPv6 static route ensures traffic for the private network behind FortiGate A goes through the VPN and an IPv4 static route ensures that all IPv4 packets are routed to the public network.

config system interface edit port2 set 10.0.1.1/24

next edit port3 config ipv6 set ip6-address fec0::0004:209:0fff:fe83:2569/64

end

config vpn ipsec phase1-interface edit toA set interface port2 set remote-gw 10.0.0.1

set dpd [disable | on-idle | on-demand] set psksecret maryhadalittlelamb set proposal 3des-md5 3des-sha1

end

config vpn ipsec phase2-interface edit toA2 set phase1name toA set proposal 3des-md5 3des-sha1 set pfs enable set replay enable set src-addr-type subnet6 set dst-addr-type subnet6

end

config firewall policy6 edit 1 set srcintf port3 set dstintf toA set srcaddr all6 set dstaddr all6 set action accept set service ANY set schedule always

next edit 2 set srcintf toA set dstintf port3 set srcaddr all6 set dstaddr all6 set action accept set service ANY set schedule always

end

config router static6 edit 1 set device toA

set dst fec0:0000:0000:0000::/64

end

config router static edit 1 set device port2

set gateway 10.0.1.254

end

Site-to-site IPv4 over IPv6 VPN example

In this example, two private networks with IPv4 addressing communicate securely over IPv6 infrastructure.

Example IPv4-over-IPv6 VPN topology

Configure FortiGate A interfaces

Port 2 connects to the IPv6 public network and port 3 connects to the IPv4 LAN.

config system interface edit port2 config ipv6 set ip6-address fec0::0001:209:0fff:fe83:25f2/64

end

next edit port3 set 192.168.2.1/24

end

Configure FortiGate A IPsec settings

The Phase 1 configuration is the same as in the IPv6 over IPv6 example.

config vpn ipsec phase1-interface edit toB set ip-version 6 set interface port2

set remote-gw6 fec0:0000:0000:0003:209:0fff:fe83:25c7 set dpd [disable | on-idle | on-demand] set psksecret maryhadalittlelamb set proposal 3des-md5 3des-sha1

end

The Phase 2 configuration is the same as you would use for an IPv4 VPN. By default, Phase 2 selectors are set to accept all subnet addresses for source and destination.

config vpn ipsec phase2-interface edit toB2 set phase1name toB set proposal 3des-md5 3des-sha1 set pfs enable set replay enable

end

Configure FortiGate A security policies

Security policies are required to allow traffic between port3 and the IPsec interface toB in each direction. These are IPv4 security policies.

config firewall policy edit 1 set srcintf port3 set dstintf toB set srcaddr all set dstaddr all set action accept set service ANY set schedule always

next edit 2 set srcintf toB set dstintf port3 set srcaddr all set dstaddr all set action accept set service ANY set schedule always

end

Configure FortiGate A routing

This simple example requires just two static routes. Traffic to the protected network behind FortiGate B is routed via the virtual IPsec interface toB using an IPv4 static route. A default route sends all IPv6 traffic, including the IPv6 IPsec packets, out on port2.

config router static6 edit 1 set device port2 set dst 0::/0

next edit 2 set device toB set dst 192.168.3.0/24 end

Configure FortiGate B

The configuration of FortiGate B is very similar to that of FortiGate A. A virtual IPsec interface toA is configured on port2 and its remote gateway is the public IP address of FortiGate A. The IPsec Phase 2 configuration has IPv4 selectors.

IPv4 security policies enable traffic to pass between the private network and the IPsec interface. An IPv4 static route ensures traffic for the private network behind FortiGate A goes through the VPN and an IPv6 static route ensures that all IPv6 packets are routed to the public network.

config system interface edit port2 config ipv6 set ip6-address fec0::0003:fe83:25c7/64

end

next edit port3 set 192.168.3.1/24

end

config vpn ipsec phase1-interface edit toA set ip-version 6 set interface port2

set remote-gw6 fec0:0000:0000:0001:209:0fff:fe83:25f2 set dpd [disable | on-idle | on-demand] set psksecret maryhadalittlelamb set proposal 3des-md5 3des-sha1

end

config vpn ipsec phase2-interface edit toA2 set phase1name toA set proposal 3des-md5 3des-sha1 set pfs enable set replay enable

end

config firewall policy edit 1 set srcintf port3 set dstintf toA set srcaddr all set dstaddr all set action accept set service ANY set schedule always

next edit 2 set srcintf toA set dstintf port3 set srcaddr all set dstaddr all set action accept set service ANY set schedule always

end

config router static6 edit 1 set device port2

set dst 0::/0

next edit 2

set device toA set dst 192.168.2.0/24 end

 

Transparent mode VPNs

This section describes transparent VPN configurations, in which two FortiGate units create a VPN tunnel between two separate private networks transparently.

The following topics are included in this section: Configuration overview

Configuration overview

In transparent mode, all interfaces of the FortiGate unit except the management interface (which by default is assigned IP address 10.10.10.1/255.255.255.0) are invisible at the network layer. Typically, when a FortiGate unit runs in transparent mode, different network segments are connected to the FortiGate interfaces. The figure below shows the management station on the same subnet. The management station can connect to the FortiGate unit directly through the web-based manager.

Management station on internal network

An edge router typically provides a public connection to the Internet and one interface of the FortiGate unit is connected to the router. If the FortiGate unit is managed from an external address (see the figure below), the router must translate (NAT) a routable address to direct management traffic to the FortiGate management interface.

Management station on external network

Transparent mode VPNs

In a transparent VPN configuration, two FortiGate units create a VPN tunnel between two separate private networks transparently. All traffic between the two networks is encrypted and protected by FortiGate security policies.

Both FortiGate units may be running in transparent mode, or one could be running in transparent mode and the other running in NAT mode. If the remote peer is running in NAT mode, it must have a static public IP address.

VPNs between two FortiGate units running in transparent mode do not support inbound/outbound NAT (supported through CLI commands) within the tunnel. In addition, a FortiGate unit running in transparent mode cannot be used in a hub-andspoke configuration.

Encrypted packets from the remote VPN peer are addressed to the management interface of the local FortiGate unit. If the local FortiGate unit can reach the VPN peer locally, a static route to the VPN peer must be added to the routing table on the local FortiGate unit. If the VPN peer connects through the Internet, encrypted packets from the local FortiGate unit must be routed to the edge router instead. For information about how to add a static route to the FortiGate routing table, see the Advanced Routing Guide.

In the example configuration shown above, Network Address Translation (NAT) is enabled on the router. When an encrypted packet from the remote VPN peer arrives at the router through the Internet, the router performs inbound NAT and forwards the packet to the FortiGate unit. Refer to the software supplier’s documentation to configure the router.

If you want to configure a VPN between two FortiGate units running in transparent mode, each unit must have an independent connection to a router that acts as a gateway to the Internet, and both units must be on separate networks that have a different address space. When the two networks linked by the VPN tunnel have different address spaces (see the figure below), at least one router must separate the two FortiGate units, unless the packets can be redirected using ICMP (as shown in the following figure).

Link between two FortiGate units in transparent mode

In the figure below, interface C behind the router is the default gateway for both FortiGate units. Packets that cannot be delivered on Network_1 are routed to interface C by default. Similarly, packets that cannot be delivered on Network_2 are routed to interface C. In this case, the router must be configured to redirect packets destined for Network_1 to interface A and redirect packets destined for Network_2 to interface B.

Transparent mode VPNs                                                                                                                           overview

ICMP redirecting packets to two FortiGate units in transparent mode

If there are additional routers behind the FortiGate unit (see the figure below) and the destination IP address of an inbound packet is on a network behind one of those routers, the FortiGate routing table must include routes to those networks. For example, in the following figure, the FortiGate unit must be configured with static routes to interfaces A and B in order to forward packets to Network_1 and Network_2 respectively.

Destinations on remote networks behind internal routers

Transparent VPN infrastructure requirements

• The local FortiGate unit must be operating in transparent mode.
• The management IP address of the local FortiGate unit specifies the local VPN gateway. The management IP address is considered a static IP address for the local VPN peer.
• If the local FortiGate unit is managed through the Internet, or if the VPN peer connects through the Internet, the edge router must be configured to perform inbound NAT and forward management traffic and/or encrypted packets to the FortiGate unit.
• If the remote peer is operating in NAT mode, it must have a static public IP address.

Transparent mode VPNs

A FortiGate unit operating in transparent mode requires the following basic configuration to operate as a node on the IP network:

• The unit must have sufficient routing information to reach the management station.
• For any traffic to reach external destinations, a default static route to an edge router that forwards packets to the Internet must be present in the FortiGate routing table.
• When all of the destinations are located on the external network, the FortiGate unit may route packets using a single default static route. If the network topology is more complex, one or more static routes in addition to the default static route may be required in the FortiGate routing table.

Only policy-based VPN configurations are possible in transparent mode.

Before you begin

An IPsec VPN definition links a gateway with a tunnel and an IPsec policy. If your network topology includes more than one virtual domain, you must choose components that were created in the same virtual domain. Therefore, before you define a transparent VPN configuration, choose an appropriate virtual domain in which to create the required interfaces, security policies, and VPN components. For more information, see the Virtual Domains guide.

Configuring the VPN peers

1. The local VPN peer need to operate in transparent mode.

To determine if your FortiGate unit is in transparent mode, go to the Dashboard > System Information widget.

Select [change]. Select transparent for the Operation Mode. Two new fields will appear to enter the

Management IP/Netmask, and the Default Gateway.

In transparent mode, the FortiGate unit is invisible to the network. All of its interfaces are on the same subnet and share the same IP address. You only have to configure a management IP address so that you can make configuration changes.

The remote VPN peer may operate in NAT mode or transparent mode.

2. At the local FortiGate unit, define the Phase 1 parameters needed to establish a secure connection with the remote peer. See Phase 1 parameters on page 52. Select Advanced and enter these settings in particular:

Remote Gateway	Select Static IP Address.
IP Address	Type the IP address of the public interface to the remote peer. If the remote peer is a FortiGate unit running in transparent mode, type the IP address of the remote management interface.
Advanced	Select Nat-traversal, and type a value into the Keepalive Frequency field. These settings protect the headers of encrypted packets from being altered by external NAT devices and ensure that NAT address mappings do not change while the VPN tunnel is open. For more information, see Phase 1 parameters on page 52 and Phase 1 parameters on page 52.

3. Define the Phase 2 parameters needed to create a VPN tunnel with the remote peer. See Phase 2 parameters on page 72. Select the set of Phase 1 parameters that you defined for the remote peer. The name of the remote peer can be selected from the Static IP Address
4. Define the source and destination addresses of the IP packets that are to be transported through the VPN tunnel. See Defining VPN security policies on page 1. Enter these settings in particular:

Transparent mode VPNs                                                                                                                           overview

• For the originating address (source address), enter the IP address and netmask of the private network behind the local peer network. for the management interface, for example, 10.10.0/24. This address needs to be a range to allow traffic from your network through the tunnel. Optionally select any for this address.
• For the remote address (destination address), enter the IP address and netmask of the private network behind the remote peer (for example, 168.10.0/24). If the remote peer is a FortiGate unit running in transparent mode, enter the IP address of the remote management interface instead.

5. Define an IPsec security policy to permit communications between the source and destination addresses. See Defining VPN security policies on page 1. Enter these settings in particular:

Incoming Interface	Select the local interface to the internal (private) network.
Source Address	Select the source address that you defined in Step 4.
Outgoing Interface	Select the interface to the edge router. When you configure the IPsec security policy on a remote peer that operates in NAT mode, you select the public interface to the external (public) network instead.
Destination Address	Select the destination address that you defined in Step 4.
VPN Tunnel	Select Use Existing and select the name of the Phase 2 tunnel configuration that you created in Step 3 from the drop-down list. Select Allow traffic to be initiated from the remote site to enable traffic from the remote network to initiate the tunnel.

6. Place the policy in the policy list above any other policies having similar source and destination addresses.
7. Define another IPsec security policy to permit communications between the source and destination addresses in the opposite direction. This security policy and the previous one form a bi-directional policy pair. See Defining VPN security policies on page 1. Enter these settings in particular:

Incoming Interface	Select the interface to the edge router. When you configure the IPsec security policy on a remote peer that operates in NAT mode, you select the public interface to the external (public) network instead.
Source Address	Select the destination address that you defined in Step 4..
Outgoing Interface	Select the local interface to the internal (private) network.
Destination Address	Select the source address that you defined in Step 4.
VPN Tunnel	Select Use Existing and select the name of the Phase 2 tunnel configuration that you created in Step 3 from the drop-down list. Select Allow traffic to be initiated from the remote site to enable traffic from the remote network to initiate the tunnel.

8. Repeat this procedure at the remote FortiGate unit to create bidirectional security policies. Use the local interface and address information local to the remote FortiGate unit.

For more information on transparent mode, see the System Administration Guide.

 

Redundant VPN configurations

This section discusses the options for supporting redundant and partially redundant IPsec VPNs, using routebased approaches.

The following topics are included in this section: Configuration overview

Configuration overview

A FortiGate unit with two interfaces connected to the Internet can be configured to support redundant VPNs to the same remote peer. If the primary connection fails, the FortiGate unit can establish a VPN using the other connection.

Redundant tunnels do not support Tunnel Mode or manual keys. You must use Interface Mode.

A fully-redundant configuration requires redundant connections to the Internet on both peers. The figure below shows an example of this. This is useful to create a reliable connection between two FortiGate units with static IP addresses.

When only one peer has redundant connections, the configuration is partially-redundant. For an example of this, see Configuration overview on page 157. This is useful to provide reliable service from a FortiGate unit with static IP addresses that accepts connections from dialup IPsec VPN clients.

In a fully-redundant VPN configuration with two interfaces on each peer, four distinct paths are possible for VPN traffic from end to end. Each interface on a peer can communicate with both interfaces on the other peer. This ensures that a VPN will be available as long as each peer has one working connection to the Internet.

You configure a VPN and an entry in the routing table for each of the four paths. All of these VPNs are ready to carry data. You set different routing distances for each route and only the shortest distance route is used. If this route fails, the route with the next shortest distance is used.

The redundant configurations described in this chapter use route-based VPNs, otherwise known as virtual IPsec interfaces. This means that the FortiGate unit must operate in NAT mode. You must use auto-keying. A VPN that is created using manual keys cannot be included in a redundant-tunnel configuration.

The configuration described here assumes that your redundant VPNs are essentially equal in cost and capability. When the original VPN returns to service, traffic continues to use the replacement VPN until the replacement VPN fails. If your redundant VPN uses more expensive facilities, you want to use it only as a backup while the main VPN is down. For information on how to do this, see Configuration overview on page 157. 157

Redundant VPN configurations                                                                                            Configuration overview

Example redundant-tunnel configuration

A VPN that is created using manual keys cannot be included in a redundant-tunnel configuration.

General configuration steps

A redundant configuration at each VPN peer includes:

• One Phase 1 configuration (virtual IPsec interface) for each path between the two peers. In a fully-meshed redundant configuration, each network interface on one peer can communicate with each network interface on the remote peer. If both peers have two public interfaces, this means that each peer has four paths, for example.
• One Phase 2 definition for each Phase 1 configuration.
• One static route for each IPsec interface, with different distance values to prioritize the routes.
• Two Accept security policies per IPsec interface, one for each direction of traffic. l Dead peer detection enabled in each Phase 1 definition.

The procedures in this section assume that two separate interfaces to the Internet are available on each VPN peer.

 

Redundant VPN configurations

Configuring the VPN peers – route-based VPN

VPN peers are configured using Interface Mode for redundant tunnels.

Configure each VPN peer as follows:

1. Ensure that the interfaces used in the VPN have static IP addresses.
2. Create a Phase 1 configuration for each of the paths between the peers.
3. Enable dead peer detection so that one of the other paths is activated if this path fails.
4. Enter these settings in particular, and any other VPN settings as required:

Path 1

Remote Gateway	Select Static IP Address.
IP Address	Type the IP address of the primary interface of the remote peer.
Local Interface	Select the primary public interface of this peer.
Dead Peer Detection	Enable

Path 2

Remote Gateway	Select Static IP Address.
IP Address	Type the IP address of the secondary interface of the remote peer.
Local Interface	Select the primary public interface of this peer.
Dead Peer Detection	Enable

Path 3

Remote Gateway	Select Static IP Address.
IP Address	Type the IP address of the primary interface of the remote peer.
Local Interface	Select the secondary public interface of this peer.
Dead Peer Detection	Enable

Path 4

Remote Gateway	Select Static IP Address.
IP Address	Type the IP address of the secondary interface of the remote peer.
Local Interface	Select the secondary public interface of this peer.
Dead Peer Detection	Enable

For more information, see Phase 1 parameters on page 52.

Redundant VPN configurations                                                                                             Configuration overview

5. Create a Phase 2 definition for each path. See Phase 2 parameters on page 72. Select the Phase 1 configuration (virtual IPsec interface) that you defined for this path. You can select the name from the Static IP Address part of the list.
6. Create a route for each path to the other peer. If there are two ports on each peer, there are four possible paths between the peer devices.

Destination IP/Mask	The IP address and netmask of the private network behind the remote peer.
Device	One of the virtual IPsec interfaces on the local peer.
Distance	For each path, enter a different value to prioritize the paths.

7. Define the security policy for the local primary interface. See Defining VPN security policies on page 1. You need to create two policies for each path to enable communication in both directions. Enter these settings in particular:

Incoming Interface	Select the local interface to the internal (private) network.
Source Address	All
Outgoing Interface	Select one of the virtual IPsec interfaces you created in Step 2.
Destination Address	All
Schedule	Always
Service	Any
Action	ACCEPT

8. Select Create New, leave the Policy Type as Firewall and leave the Policy Subtype as Address, and enter these settings:

Incoming Interface	Select one of the virtual IPsec interfaces you created in Step 2.
Source Address	All
Outgoing Interface	Select the local interface to the internal (private) network.
Destination Address	All
Schedule	Always
Service	Any
Action	ACCEPT

9. Place the policy in the policy list above any other policies having similar source and destination addresses.
10. Repeat this procedure at the remote FortiGate unit.

Redundant VPN configurations

Creating a backup IPsec interface

You can configure a route-based VPN that acts as a backup facility to another VPN. It is used only while your main VPN is out of service. This is desirable when the redundant VPN uses a more expensive facility.

You can configure a backup IPsec interface only in the CLI. The backup feature works only on interfaces with static addresses that have dead peer detection enabled. The monitor option creates a backup VPN for the specified Phase 1 configuration.

In the following example, backup_vpn is a backup for main_vpn.

config vpn ipsec phase1-interface edit main_vpn set dpd on set interface port1 set nattraversal enable set psksecret “hard-to-guess” set remote-gw 192.168.10.8 set type static

end edit backup_vpn set dpd on set interface port2 set monitor main_vpn set nattraversal enable set psksecret “hard-to-guess” set remote-gw 192.168.10.8 set type static end

 

Internet-browsing configuration

This section explains how to support secure web browsing performed by dialup VPN clients, and/or hosts behind a remote VPN peer. Remote users can access the private network behind the local FortiGate unit and browse the Internet securely. All traffic generated remotely is subject to the security policy that controls traffic on the private network behind the local FortiGate unit.

The following topics are included in this section:

Configuration overview

Routing all remote traffic through the VPN tunnel

Configuration overview

A VPN provides secure access to a private network behind the FortiGate unit. You can also enable VPN clients to access the Internet securely. The FortiGate unit inspects and processes all traffic between the VPN clients and hosts on the Internet according to the Internet browsing policy. This is accomplished even though the same FortiGate interface is used for both encrypted VPN client traffic and unencrypted Internet traffic.

In the figure below, FortiGate_1 enables secure Internet browsing for FortiClient Endpoint Security users such as Dialup_1 and users on the Site_2 network behind FortiGate_2, which could be a VPN peer or a dialup client.

Example Internet-browsing configuration

Internet-browsing configuration                                                                                              Configuration overview

You can adapt any of the following configurations to provide secure Internet browsing:

• A gateway-to-gateway configuration (see Gateway-to-gateway configurations on page 1)
• A FortiClient dialup-client configuration (see FortiClient dialup-client configurations on page 1)
• A FortiGate dialup-client configuration (see FortiGate dialup-client configurations on page 1)

The procedures in this section assume that one of these configurations is in place, and that it is operating properly.

To create an internet-browsing configuration based on an existing gateway-to-gateway configuration, you must edit the gateway-to-gateway configuration as follows:

• On the FortiGate unit that will provide Internet access, create an Internet browsing security policy. See Configuration overview on page 153, below.
• Configure the remote peer or client to route all traffic through the VPN tunnel. You can do this on a FortiGate unit or on a FortiClient Endpoint Security application. See Configuration overview on page 153.

Creating an Internet browsing security policy

On the FortiGate unit that acts as a VPN server and will provide secure access to the Internet, you must create an Internet browsing security policy. This policy differs depending on whether your gateway-to-gateway configuration is policy-based or route-based.

Creating an Internet browsing policy – policy-based VPN

1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Enter the following information and then select OK:

Name	Enter an appropriate name for the policy.
Incoming Interface	The interface to which the VPN tunnel is bound.
Outgoing Interface	The interface to which the VPN tunnel is bound.
Source	The internal range address of the remote spoke site.
Destination Address	all
Action	Select IPsec. Under VPN Tunnel, select the tunnel that provides access to the private network behind the FortiGate unit. Select Allow traffic to be initiated from the remote site.
NAT	Enable NAT.

Creating an Internet browsing policy – route-based VPN

1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Enter the following information and then select OK:

Name

Enter an appropriate name for the policy.

Routing all remote traffic through the VPN tunnel                                                          Internet-browsing configuration

Incoming Interface	The IPsec VPN interface.
Outgoing Interface	The interface that connects to the Internet. The virtual IPsec interface is configured on this physical interface.
Source	The internal range address of the remote spoke site.
Destination Address	all
Action	ACCEPT
NAT	Enable NAT.

The VPN clients must be configured to route all Internet traffic through the VPN tunnel.

Routing all remote traffic through the VPN tunnel

To make use of the Internet browsing configuration on the VPN server, the VPN peer or client must route all traffic through the VPN tunnel. Usually, only the traffic destined for the private network behind the FortiGate VPN server is sent through the tunnel.

The remote end of the VPN can be a FortiGate unit that acts as a peer in a gateway-to-gateway configuration, or a FortiClient application that protects an individual client PC.

• To configure a remote peer FortiGate unit for Internet browsing via VPN, see Configuring a FortiGate remote peer to support Internet browsing on page 155.
• To configure a FortiClient Endpoint Security application for Internet browsing via VPN, see Configuring a FortiClient application to support Internet browsing on page 156.

These procedures assume that your VPN connection to the protected private network is working and that you have configured the FortiGate VPN server for Internet browsing as described in Configuration overview  on page 153.

Configuring a FortiGate remote peer to support Internet browsing

The configuration changes to send all traffic through the VPN differ for policy-based and route-based VPNs.

Routing all traffic through a policy-based VPN

1. At the FortiGate dialup client, go to Policy & Objects > IPv4 Policy.
2. Select the IPsec security policy and then select Edit.
3. From the Destination Address list, select all.
4. Select OK.

Packets are routed through the VPN tunnel, not just those destined for the protected private network.

Routing all traffic through a route-based VPN

1. At the FortiGate dialup client, go to Network > Static Routes.
2. Select the default route (destination IP 0.0.0.0) and then select Edit. If there is no default route, select Create New. Enter the following information and select OK:

155

 

Internet-browsing configuration                                                        Routing all remote traffic through the VPN tunnel

Destination IP/Mask	Set to Subnet and enter 0.0.0.0/0.0.0.0 in the field provided.
Device	Select the IPsec virtual interface.
Administrative Distance	Leave at default.

All packets are routed through the VPN tunnel, not just packets destined for the protected private network.

Configuring a FortiClient application to support Internet browsing

By default, the FortiClient application configures the PC so that traffic destined for the remote protected network passes through the VPN tunnel but all other traffic is sent to the default gateway. You need to modify the FortiClient settings so that it configures the PC to route all outbound traffic through the VPN.

Routing all traffic through VPN – FortiClient application

1. At the remote host, start FortiClient.
2. Go to Remote Access.
3. Select the definition that connects FortiClient to the FortiGate dialup server, select the Settings icon, and select Edit the selected connection.
4. In the Edit VPN Connection dialog box, select Advanced Settings.
5. In the Remote Network group, select Add.
6. In the IP and Subnet Mask fields, type 0.0.0/0.0.0.0 and select OK.

The address is added to the Remote Network list. The first destination IP address in the list establishes a VPN tunnel. The second destination address (0.0.0.0/0.0.0.0 in this case) forces all other traffic through the VPN tunnel.

7. Select OK.

Supporting IKE Mode Config clients

IKE Mode Config is an alternative to DHCP over IPsec. A FortiGate unit can be configured as either an IKE Mode Config server or client. This chapter contains the following sections:

IKE Mode Config overview

Automatic configuration overview

IKE Mode Config method

IKE Mode Config overview

Dialup VPN clients connect to a FortiGate unit that acts as a VPN server, providing the client the necessary configuration information to establish a VPN tunnel. The configuration information typically includes a virtual IP address, netmask, and DNS server address.

IKE Mode Config is available only for VPNs that are route-based, also known as interface-based. A FortiGate unit can function as either an IKE Configuration Method server or client. IKE Mode Config is configurable only in the CLI.

Automatic configuration overview

VPN configuration for remote clients is simpler if it is automated. Several protocols support automatic configuration:

• The Fortinet FortiClient Endpoint Security application can completely configure a VPN connection with a suitably configured FortiGate unit given only the FortiGate unit’s address. This protocol is exclusive to Fortinet. For more information, see FortiClient dialup-client configurations on page 1.
• DHCP over IPsec can assign an IP address, Domain, DNS and WINS addresses. The user must first configure IPsec parameters such as gateway address, encryption and authentication algorithms.
• IKE Mode Config can configure host IP address, Domain, DNS and WINS addresses. The user must first configure IPsec parameters such as gateway address, encryption and authentication algorithms. Several network equipment vendors support IKE Mode Config, which is described in the ISAKMP Configuration Method document draft-dukesike-mode-cfg-02.txt.

This chapter describes how to configure a FortiGate unit as either an IKE Mode Config server or client.

IKE Mode Config method

IKE Mode Config is configured with the CLI command config vpn ipsec phase1-interface. The mode-cfg variable enables IKE Mode Config. The type field determines whether you are creating an IKE Mode Config server or a client. Setting type to dynamic creates a server configuration, otherwise the configuration is a client.

Creating an IKE Mode Config client

If the FortiGate unit will connect as a dialup client to a remote gateway that supports IKE Mode Config, the relevant vpn ipsec phase1-interface variables are as follows:

Variable	Description
ike-version 1	IKE v1 is the default for FortiGate IPsec VPNs. IKE Mode Config is also compatible with IKE v2 (RFC 4306). Use syntax ike-version 2.
mode-cfg enable	Enable IKE Mode Config.
type {ddns | static}	If you set type to dynamic, an IKE Mode Config server is created.
assign-ip {enable | disable}	Enable to request an IP address from the server.
interface <interface_ name>	This is a regular IPsec VPN field. Specify the physical, aggregate, or VLAN interface to which the IPsec tunnel will be bound.
proposal <encryption_ combination>	This is a regular IPsec VPN field that determines the encryption and authentication settings that the client will accept. For more information, see Phase 1 parameters on page 52.
ip-version <4 | 6>	This is a regular IPsec VPN field. By default, IPsec VPNs use IPv4 addressing. You can set ip-version to 6 to create a VPN with IPv6 addressing.

For a complete list of available variables, see the CLI Reference.

IKE Mode Config client example – CLI

In this example, the FortiGate unit connects to a VPN gateway with a static IP address that can be reached through Port 1. Only the port, gateway and proposal information needs to be configured. All other configuration information will come from the IKE Mode Config server.

config vpn ipsec phase1-interface edit vpn1 set ip-version 4 set type static set remote-gw <gw_address> set interface port 1

set proposal 3des-sha1 aes128-sha1 set mode-cfg enable set assign-ip enable end

IKE Mode Config method                                                                                   Supporting IKE Mode Config clients

Creating an IKE Mode Config server

If the FortiGate unit will accept connection requests from dialup clients that support IKE Mode Config, the following vpn ipsec phase1-interface settings are required before any other configuration is attempted:

Variable	Description
ike-version 1	IKE v1 is the default for FortiGate IPsec VPNs. IKE Mode Config is also compatible with IKE v2 (RFC 4306). Use syntax ike-version 2.
mode-cfg enable	Enable IKE Mode Config.
type dynamic	Any other setting creates an IKE Mode Config client.
interface <interface_ name>	This is a regular IPsec VPN field. Specify the physical, aggregate, or VLAN interface to which the IPsec tunnel will be bound.
proposal <encryption_ combination>	This is a regular IPsec VPN field that determines the encryption and authentication settings that the server will accept. For more information, see Phase 1 parameters on page 52.
ip-version <4 | 6>	This is a regular IPsec VPN field. By default, IPsec VPNs use IPv4 addressing. You can set ip-version to 6 to create a VPN with IPv6 addressing.

IKE Mode Config server example – CLI

In this example, the FortiGate unit assigns IKE Mode Config clients addresses in the range of 10.11.101.160 through 10.11.101.180. DNS and WINS server addresses are also provided. The public interface of the FortiGate unit is Port 1.

When IKE Mode-Configuration is enabled, multiple server IPs can be defined in IPsec Phase 1.

The ipv4-split-include  variable specifies a firewall address that represents the networks to which the clients will have access. This destination IP address information is sent to the clients.

Only the CLI fields required for IKE Mode Config are shown here. For detailed information about these variables, see the FortiGate CLI Reference.

config vpn ipsec phase1-interface edit “vpn-p1” set type dynamic set interface “wan1” set xauthtype auto set mode aggressive set mode-cfg enable

set proposal 3des-sha1 aes128-sha1 set dpd disable set dhgrp 2

set xauthexpire on-rekey set authusrgrp “FG-Group1” set ipv4-start-ip 10.10.10.10 set ipv4-end-ip 10.10.10.20 set ipv4-dns-server1 1.1.1.1 set ipv4-dns-server2 2.2.2.2 set ipv4-dns-server3 3.3.3.3 set ipv4-wins-server1 4.4.4.4 set ipv4-wins-server2 5.5.5.5 set domain “fgt1c-domain” set banner “fgt111C-banner”

set backup-gateway “100.100.100.1” “host1.com” “host2” set ipv4-split-include OfficeLAN

end

 

IP address assignment

After you have enabled the basic configuration, you can configure IP address assignment for clients, as well as DNS and WINS server assignment. Usually you will want to assign IP addresses to clients.

The simplest method to assign IP addresses to clients is to assign addresses from a specific range, similar to a DHCP server.

If your clients are authenticated by a RADIUS server, you can obtain the user’s IP address assignment from the Framed-IP-Address attribute. The user must be authenticated using XAuth.

IKE Mode Config can also use a remote DHCP server to assign the client IP addresses. Up to eight addresses can be selected for either IPv4 or IPv6. After the DHCP proxy has been configured, the assign-ip-from command is used to assign IP addresses via DHCP.

Assigning IP addresses from an address range – CLI

If your VPN uses IPv4 addresses,

config vpn ipsec phase1-interface edit vpn1 set mode-cfg-ipversion 4 set assign-ip enable set assign-ip-type ip set assign-ip-from range set ipv4-start-ip <range_start> set ipv4-end-ip <range_end> set ipv4-netmask <netmask>

end

 

If your VPN uses IPv6 addresses,

config vpn ipsec phase1-interface edit vpn1 set mode-cfg-ipversion 6 set assign-ip enable set assign-ip-type ip set assign-ip-from range set ipv6-start-ip <range_start> set ipv6-end-ip <range_end> end

IKE Mode Config method                                                                                   Supporting IKE Mode Config clients

Assigning IP addresses from a RADIUS server – CLI

The users must be authenticated by a RADIUS server and assigned to the FortiGate user group <grpname>.

Since the IP address will not be static, type is set to dynamic, and mode-cfg is enabled. This is IKE

Configuration Method so that compatible clients can configure themselves with settings that the FortiGate unit provides.

config vpn ipsec phase1-interface edit vpn1 set type dynamic set mode-cfg enable set assign-ip enable set assign-ip-from usrgrp set xauthtype auto set authusrgrp <grpname>

end

Assigning IP address from DHCP – CLI

The DHCP proxy must first be enabled for IKE Mode Config to use DHCP to assign the VPN client IP address(es).

config system settings set dhcp-proxy enable set dhcp-server-ip [ipv4 address] set dhcp6-server-ip [ipv6-address]

 

(Up to eight server addresses can be configured)

end

config vpn ipsec phase1-interface edit vpn1 set mode-cfg enable set assign-ip-from dhcp

next

end

Assigning IP address from a named firewall address/group – CLI

config vpn ipsec phase1-interface edit <name>vpn1 set type dynamic set assign-ip-from name set ipv4-name <name> set ipv6-name <name>

next

end

Certificate groups

IKE certificate groups consisting of up to four RSA certificates can be used in IKE Phase 1. Since CA and local certificates are global, the IKE daemon loads them once for all VDOMs and indexes them into trees based on subject and public key hash (for CA certificates), or certificate name (for local certicates). Certifcates are linked together based on the issuer, and certificate chains are built by traversing these links. This reduces the need to keep multiple copies of certificates that could exist in multiple chains.

IKE certificate groups can be configured through the CLI.

Configuring the IKE local ID – CLI

config vpn certificate local edit <name>

set ike-localid <string> set ike-localid-type {asnldn | fqdn} end

 

FortiGate dialup-client configurations

This section explains how to set up a FortiGate dialup-client IPsec VPN. In a FortiGate dialup-client configuration, a FortiGate unit with a static IP address acts as a dialup server and a FortiGate unit having a dynamic IP address initiates a VPN tunnel with the FortiGate dialup server.

The following topics are included in this section: Configuration overview

Configuration overview

A dialup client can be a FortiGate unit. The FortiGate dialup client typically obtains a dynamic IP address from an ISP through the Dynamic Host Configuration Protocol (DHCP) or Point-to-Point Protocol over Ethernet (PPPoE) before initiating a connection to a FortiGate dialup server.

Example FortiGate dialup-client configuration

In a dialup-client configuration, the FortiGate dialup server does not rely on a Phase 1 remote gateway address to establish an IPsec VPN connection with dialup clients. As long as authentication is successful and the IPsec security policy associated with the tunnel permits access, the tunnel is established.

Several different ways to authenticate dialup clients and restrict access to private networks based on client credentials are available. To authenticate FortiGate dialup clients and help to distinguish them from FortiClient dialup clients when multiple clients will be connecting to the VPN through the same tunnel, best practices dictate that you assign a unique identifier (local ID or peer ID) to each FortiGate dialup client. For more information, see Phase 1 parameters on page 52.

 

Whenever you add a unique identifier (local ID) to a FortiGate dialup client for identification purposes, you must select Aggressive mode on the FortiGate dialup server and also specify the identifier as a peer ID on the FortiGate dialup server. For more information, see Phase 1 parameters on page 52.

Users behind the FortiGate dialup server cannot initiate the tunnel because the FortiGate dialup client does not have a static IP address. After the tunnel is initiated by users behind the FortiGate dialup client, traffic from the private network behind the FortiGate dialup server can be sent to the private network behind the FortiGate dialup client.

Encrypted packets from the FortiGate dialup client are addressed to the public interface of the dialup server. Encrypted packets from the dialup server are addressed either to the public IP address of the FortiGate dialup client (if the dialup client connects to the Internet directly), or if the FortiGate dialup client is behind a NAT device, encrypted packets from the dialup server are addressed to the public IP address of the NAT device.

If a router with NAT capabilities is in front of the FortiGate dialup client, the router must be NAT-T compatible for encrypted traffic to pass through the NAT device. For more information, see Phase 1 parameters on page 52.

When the FortiGate dialup server decrypts a packet from the FortiGate dialup client, the source address in the IP header may be one of the following values, depending on the configuration of the network at the far end of the tunnel:

• If the FortiGate dialup client connects to the Internet directly, the source address will be the private IP address of a host or server on the network behind the FortiGate dialup client.
• If the FortiGate dialup client is behind a NAT device, the source address will be the public IP address of the NAT device.

In some cases, computers on the private network behind the FortiGate dialup client may (by co-incidence) have IP addresses that are already used by computers on the network behind the FortiGate dialup server. In this type of situation (ambiguous routing), conflicts may occur in one or both of the FortiGate routing tables and traffic destined for the remote network through the tunnel may not be sent.

In many cases, computers on the private network behind the FortiGate dialup client will most likely obtain IP addresses from a local DHCP server behind the FortiGate dialup client. However, unless the local and remote networks use different private network address spaces, unintended ambiguous routing and IP-address overlap issues may arise.

To avoid these issues, you can configure FortiGate DHCP relay on the dialup client instead of using a DHCP server on the network behind the dialup client. The FortiGate dialup client can be configured to relay DHCP requests from the local private network to a DHCP server that resides on the network behind the FortiGate dialup server. You configure the FortiGate dialup client to pass traffic from the local private network to the remote network by enabling FortiGate DHCP relay on the FortiGate dialup client interface that is connected to the local private network.

Afterward, when a computer on the network behind the dialup client broadcasts a DHCP request, the dialup client relays the message through the tunnel to the remote DHCP server. The remote DHCP server responds with a private IP address for the computer. To avoid ambiguous routing and network overlap issues, the IP addresses assigned to computers behind the dialup client cannot match the network address space used by the private network behind the FortiGate dialup server.

Preventing network overlap in a FortiGate dialup-client configuration

When the DHCP server resides on the private network behind the FortiGate dialup server, the IP destination address specified in the IPsec security policy on the FortiGate dialup client must refer to that network.

You must add a static route to the DHCP server FortiGate unit if it is not directly connected to the private network behind the FortiGate dialup server; its IP address does not match the IP address of the private network. Also, the destination address in the IPsec security policy on the FortiGate dialup client must refer to the DHCP server address. The DHCP server must be configured to assign a range of IP addresses different from the DHCP server’s local network, and also different from the private network addresses behind the FortiGate dialup server. See Routing on page 1.

FortiGate dialup-client infrastructure requirements

The requirements are:

• The FortiGate dialup server must have a static public IP address.
• NAT mode is required if you want to create a route-based VPN.
• The FortiGate dialup server may operate in either NAT mode or transparent mode to support a policy-based VPN.
• Computers on the private network behind the FortiGate dialup client can obtain IP addresses either from a DHCP server behind the FortiGate dialup client, or a DHCP server behind the FortiGate dialup server.
• If the DHCP server resides on the network behind the dialup client, the DHCP server must be configured to assign IP addresses that do not match the private network behind the FortiGate dialup server.
• If the DHCP server resides on the network behind the FortiGate dialup server, the DHCP server must be configured to assign IP addresses that do not match the private network behind the FortiGate dialup client.

Configuring the server to accept FortiGate dialup-client connections

The procedures in this section assume that computers on the private network behind the FortiGate dialup client obtain IP addresses from a local DHCP server. The assigned IP addresses do not match the private network behind the FortiGate dialup server.

In situations where IP-address overlap between the local and remote private networks is likely to occur, FortiGate DHCP relay can be configured on the FortiGate dialup client to relay DHCP requests to a DHCP server behind the FortiGate dialup server. For more information, see To configure DHCP relay on a FortiGate interface on page 1.

Configuring dialup client capability for FortiGate dialup clients involves the following general configuration steps:

• Determine which IP addresses to assign to the private network behind the FortiGate dialup client, and add the IP addresses to the DHCP server behind the FortiGate dialup client. Refer to the software supplier’s documentation to configure the DHCP server.
• Configure the FortiGate dialup server. See Configuration overview on page 139.  l Configure the FortiGate dialup client. See Configuration overview  on page 139.

Before you begin, optionally reserve a unique identifier (peer ID) for the FortiGate dialup client. The dialup client will supply this value to the FortiGate dialup server for authentication purposes during the IPsec Phase 1 exchange. In addition, the value will enable you to distinguish FortiGate dialup-client connections from FortiClient dialup-client connections. The same value must be specified on the dialup server and on the dialup client.

At the FortiGate dialup server, define the Phase 1 parameters needed to authenticate the FortiGate dialup client and establish a secure connection. See Phase 1 parameters on page 52.

1. Go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
2. Edit Network (full configuration options are only available once you click the Convert To Custom Tunnel button).
3. Enter these settings in particular:

Remote Gateway	Select Dialup User.
Interface	Select the interface through which clients connect to the FortiGate unit.

4. Edit Authentication and enter the following information:

Mode	If you will be assigning an ID to the FortiGate dialup client, select Aggressive.
Peer Options	If you will be assigning an ID to the FortiGate dialup client, set Accept Types to This peer ID and type the identifier that you reserved for the FortiGate dialup client into the adjacent field.

5. Define the Phase 2 parameters needed to create a VPN tunnel with the FortiGate dialup client. See Phase 2 parameters on page 72. Enter these settings in particular:

Name	Enter a name to identify this Phase 2 configuration.
Phase 1	Select the name of the Phase 1 configuration that you defined.

6. Define names for the addresses or address ranges of the private networks that the VPN links. See Defining policy addresses on page 1. Enter these settings in particular:

l Define an address name for the server, host, or network behind the FortiGate dialup server.  l Define an address name for the private network behind the FortiGate dialup client.

4. Define the security policies to permit communications between the private networks through the VPN tunnel. Route-based and policy-based VPNs require different security policies. For detailed information about creating security policies, see Defining VPN security policies on page 1.

Route-based VPN security policy

Define an ACCEPT security policy to permit communications between hosts on the private network behind the FortiGate dialup client and the private network behind this FortiGate dialup server. Because communication cannot be initiated in the opposite direction, there is only one policy.

1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Enter these settings in particular:

Name	Enter an appropriate name for the policy.
Incoming Interface	Select the VPN tunnel (IPsec interface) created in Step 1.
Outgoing Interface	Select the interface that connects to the private network behind this FortiGate unit.
Source	Select all.
Destination Address	Select all.
Action	Select ACCEPT.
NAT	Disable NAT.

Policy-based VPN security policy

1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Enter these settings in particular:

Name		Enter an appropriate name for the policy.
Incoming Interface		Select the interface that connects to the private network behind this FortiGate unit.
Outgoing Interface		Select the FortiGate unit’s public interface.
Source		Select the address name that you defined for the private network behind this FortiGate unit.
	Destination Address		Select the address name that you defined.
	Action		Select IPsec. Under VPN Tunnel, select the name of the Phase 1 configuration that you created in Step “Configuration overview ” on page 139 from the drop-down list. Select Allow traffic to be initiated from the remote site.

3. To prevent traffic from the local network from initiating the tunnel after the tunnel has been established, you need to disable the outbound VPN traffic in the CLI config firewall policy edit <policy_number> set outbound disable

end

Place the policy in the policy list above any other policies having similar source and destination addresses.

If configuring a route-based policy, configure a default route for VPN traffic on this interface.

Configuring the FortiGate dialup client

At the FortiGate dialup client, define the Phase 1 parameters needed to authenticate the dialup server and establish a secure connection. See Phase 1 parameters on page 52.

1. Go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
2. Edit Network (full configuration options are only available once you click the Convert To Custom Tunnel button).
3. Enter these settings in particular:

Remote Gateway	Select Static IP Address.
IP Address	Type the IP address of the dialup server’s public interface.
Interface	Select the interface that connects to the public network.
Mode	The FortiGate dialup client has a dynamic IP address, select Aggressive.
Advanced	Select to view the following options.
Local ID	If you defined a peer ID for the dialup client in the FortiGate dialup server configuration, enter the identifier of the dialup client. The value must be identical to the peer ID that you specified previously in the FortiGate dialup server configuration.

4. Edit Authentication and enter the following information:

Mode	The FortiGate dialup client has a dynamic IP address, select Aggressive.

5. Edit Phase 1 Proposal and enter the following information:

Local ID

If you defined a peer ID for the dialup client in the FortiGate dialup server configuration, enter the identifier of the dialup client. The value must be identical to the peer ID that you specified previously in the FortiGate dialup server configuration.

6. Define the Phase 2 parameters needed to create a VPN tunnel with the dialup server. See Phase 2 parameters on page 72. Enter these settings in particular:

Name	Enter a name to identify this Phase 2 configuration.
Phase 1	Select the name of the Phase 1 configuration that you defined.

7. Define names for the addresses or address ranges of the private networks that the VPN links. See Defining policy addresses on page 1. Enter these settings in particular:

l Define an address name for the server, host, or network behind the FortiGate dialup server.  l Define an address name for the private network behind the FortiGate dialup client.

4. Define security policies to permit communication between the private networks through the VPN tunnel. Routebased and policy-based VPNs require different security policies. For detailed information about creating security policies, see Defining VPN security policies on page 1.

Route-based VPN security policy

Define an ACCEPT security policy to permit communications between hosts on the private network behind this FortiGate dialup client and the private network behind the FortiGate dialup server. Because communication cannot be initiated in the opposite direction, there is only one policy.

1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Enter these settings in particular:

Name	Enter an appropriate name for the policy.
Incoming Interface	Select the interface that connects to the private network behind this FortiGate unit.
Outgoing Interface	Select the VPN tunnel (IPsec interface) created in Step 1.
Source	Select all.
Destination Address	Select all.
Action	Select ACCEPT.
NAT	Disable NAT.

Policy-based VPN security policy

Define an IPsec security policy to permit communications between the source and destination addresses.

1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Enter these settings in particular:

Incoming Interface	Select the interface that connects to the private network behind this FortiGate unit.
Outgoing Interface	Select the FortiGate unit’s public interface.
Source	Select the address name that you defined  for the private network behind this FortiGate unit.
Destination Address	Select the address name that you defined for the private network behind the dialup server.
Action	Select IPsec. Under VPN Tunnel, select the name of the Phase 1 configuration that you created in Step “Configuration overview ” on page 139 from the drop-down list. Clear Allow traffic to be initiated from the remote site to prevent traffic from the remote network from initiating the tunnel after the tunnel has been established.

Place the policy in the policy list above any other policies having similar source and destination addresses.

 

FortiClient dialup-client configuration

The FortiClient Endpoint Security application is an IPsec VPN client with antivirus, antispam and firewall capabilities. This section explains how to configure dialup VPN connections between a FortiGate unit and one or more FortiClient Endpoint Security applications.

FortiClient users are usually mobile or remote users who need to connect to a private network behind a FortiGate unit. For example, the users might be employees who connect to the office network while traveling or from their homes.

For greatest ease of use, the FortiClient application can download the VPN settings from the FortiGate unit to configure itself automatically.

The following topics are included in this section:

Configuration overview

 

Configuration overview

Dialup users typically obtain dynamic IP addresses from an ISP through Dynamic Host Configuration Protocol (DHCP) or Point-to-Point Protocol over Ethernet (PPPoE). Then, the FortiClient Endpoint Security application initiates a connection to a FortiGate dialup server.

By default the FortiClient dialup client has the same IP address as the host PC on which it runs. If the host connects directly to the Internet, this is a public IP address. If the host is behind a NAT device, such as a router, the IP address is a private IP address. The NAT device must be NAT traversal (NAT-T) compatible to pass encrypted packets (see Phase 1 parameters on page 52). The FortiClient application also can be configured to use a virtual IP address (VIP). For the duration of the connection, the FortiClient application and the FortiGate unit both use the VIP address as the IP address of the FortiClient dialup client.

The FortiClient application sends its encrypted packets to the VPN remote gateway, which is usually the public interface of the FortiGate unit. It also uses this interface to download VPN settings from the FortiGate unit. See Automatic configuration of FortiClient dialup clients on page 131.

Example FortiClient dialup-client configuration

Peer identification

The FortiClient application can establish an IPsec tunnel with a FortiGate unit configured to act as a dialup server. When the FortiGate unit acts as a dialup server, it does not identify the client using the Phase 1 remote gateway address. The IPsec tunnel is established if authentication is successful and the IPsec security policy associated with the tunnel permits access. If configured, the FortiGate unit could also require FortiClient registration, that is, the remote user would be required to have FortiClient installed before connection is completed.

Automatic configuration of FortiClient dialup clients

The FortiClient application can obtain its VPN settings from the FortiGate VPN server. FortiClient users need to know only the FortiGate VPN server IP address and their username and password on the FortiGate unit.

The FortiGate unit listens for VPN policy requests from clients on TCP port 8900. When the dialup client connects:

• The client initiates a Secure Sockets Layer (SSL) connection to the FortiGate unit.
• The FortiGate unit requests a user name and password from the FortiClient user. Using these credentials, it authenticates the client and determines which VPN policy applies to the client.
• Provided that authentication is successful, the FortiGate unit downloads a VPN policy to the client over the SSL connection. The information includes IPsec Phase 1 and Phase 2 settings, and the IP addresses of the private networks that the client is authorized to access.
• The client uses the VPN policy settings to establish an IPsec Phase 1 connection and Phase 2 tunnel with the FortiGate unit.

FortiClient-to-FortiGate VPN configuration steps

Configuring dialup client capability for FortiClient dialup clients involves the following general configuration steps:

1. If you will be using VIP addresses to identify dialup clients, determine which VIP addresses to use. As a precaution, consider using VIP addresses that are not commonly used.
2. Configure the FortiGate unit to act as a dialup server. See Configure the FortiGate unit on page 1.
3. If the dialup clients will be configured to obtain VIP addresses through DHCP over IPsec, configure the FortiGate unit to act as a DHCP server or to relay DHCP requests to an external DHCP server.
4. Configure the dialup clients. See Configure the FortiClient Endpoint Security application on page 1.

Using virtual IP addresses

When the FortiClient host PC is located behind a NAT device, unintended IP address overlap issues may arise between the private networks at the two ends of the tunnel. For example, the client’s host might receive a private IP address from a DHCP server on its network that by co-incidence is the same as a private IP address on the network behind the FortiGate unit. A conflict will occur in the host’s routing table and the FortiClient Endpoint Security application will be unable to send traffic through the tunnel. Configuring virtual IP (VIP) addresses for FortiClient applications prevents this problem.

Using VIPs ensures that client IP addresses are in a predictable range. You can then define security policies that allow access only to that source address range. If you do not use VIPs, the security policies must allow all source addresses because you cannot predict the IP address for a remote mobile user.

The FortiClient application must not have the same IP address as any host on the private network behind the FortiGate unit or any other connected FortiClient application. You can ensure this by reserving a range of IP addresses on the private network for FortiClient users. Or, you can assign FortiClient VIPs from an uncommonly used subnet such as 10.254.254.0/24 or 192.168.254.0/24.

You can reserve a VIP address for a particular client according to its device MAC address and type of connection. The DHCP server then always assigns the reserved VIP address to the client. For more information about this feature, see the “dhcp reserved-address” section in the “system” chapter of the FortiGate CLI Reference.

On the host computer, you can find out the VIP address that the FortiClient Endpoint Security application is using. For example, in Windows command prompt, type

ipconfig /all

On Linux or Mac OS X, type ifconfig in a terminal window. The output will also show the IP address that has been assigned to the host Network Interface Card (NIC).

It is best to assign VIPs using DHCP over IPsec. The FortiGate dialup server can act as a DHCP server or relay requests to an external DHCP server. You can also configure VIPs manually on FortiClient applications, but it is more difficult to ensure that all clients use unique addresses.

If you assign a VIP on the private network behind the FortiGate unit and enable DHCPIPsec (a Phase 2 advanced option), the FortiGate unit acts as a proxy on the local private network for the FortiClient dialup client. Whenever a host on the network behind the dialup server issues an ARP request for the device MAC address of the FortiClient host, the FortiGate unit answers the ARP request on behalf of the FortiClient host and forwards the associated traffic to the FortiClient host through the tunnel. For more information, see Phase 2 parameters on page 72.

FortiGate units fully support RFC 3456. The FortiGate DHCP over IPsec feature can be enabled to allocate VIP addresses to FortiClient dialup clients using a FortiGate DHCP server.

The figure below shows an example of a FortiClient-to-FortiGate VPN where the FortiClient application is assigned a VIP on an uncommonly used subnet. The diagram also shows that while the destination for the information in the encrypted packets is the private network behind the FortiGate unit, the destination of the IPsec packets themselves is the public interface of the FortiGate unit that acts as the end of the VPN tunnel.

IP address assignments in a FortiClient dialup-client configuration

Assigning VIPs by RADIUS user group

If you use XAuth authentication, you can assign users the virtual IP address stored in the Framed-IP-Address field of their record on the RADIUS server. (See RFC 2865 and RFC 2866 for more information about RADIUS fields.) To do this:

• Set the DHCP server IP Assignment Mode to User-group defined method. This is an Advanced setting. See Configuring a DHCP server on a FortiGate interface on page 137.
• Create a new firewall user group and add the RADIUS server to it.
• In your Phase 1 settings, configure the FortiGate unit as an XAuth server and select from User Group the new user group that you created. For more information, see Phase 1 parameters on page 52.
• Configure the FortiClient application to use XAuth. See Configuration overview on page 130.

FortiClient dialup-client infrastructure requirements

• To support policy-based VPNs, the FortiGate dialup server may operate in either NAT mode or transparent mode. NAT mode is required if you want to create a route-based VPN.
• If the FortiClient dialup clients will be configured to obtain VIP addresses through FortiGate DHCP relay, a DHCP server must be available on the network behind the FortiGate unit and the DHCP server must have a direct route to the FortiGate unit.
• If the FortiGate interface to the private network is not the default gateway, the private network behind the FortiGate unit must be configured to route IP traffic destined for dialup clients back (through an appropriate gateway) to the FortiGate interface to the private network. As an alternative, you can configure the IPsec security policy on the FortiGate unit to perform inbound NAT on IP packets. Inbound NAT translates the source addresses of inbound decrypted packets into the IP address of the FortiGate interface to the local private network.

Configuring the FortiGate unit

Configuring the FortiGate unit to establish VPN connections with FortiClient Endpoint Security users involves the following steps:

• Configure the VPN settings
• If the dialup clients use automatic configuration, configure the FortiGate unit as a VPN policy server
• If the dialup clients obtain VIP addresses by DHCP over IPsec, configure an IPsec DHCP server or relay

The procedures in this section cover basic setup of policy-based and route-based VPNs compatible with FortiClient Endpoint Security. A route-based VPN is simpler to configure.

To configure FortiGate unit VPN settings to support FortiClient users, you need to:

• Configure the FortiGate Phase 1 VPN settings
• Configure the FortiGate Phase 2 VPN settings
• Add the security policy

On the local FortiGate unit, define the Phase 1 configuration needed to establish a secure connection with the FortiClient peer. See Phase 1 parameters on page 52.

1. Go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
2. Edit Network (full configuration options are only available once you click the Convert To Custom Tunnel button).
3. Enter these settings in particular:

Remote Gateway	Select Dialup User.
IP Address	Enter the IP address of the remote peer.
Interface	Select the interface through which clients connect to the FortiGate unit.
Mode Config	When enabled, further options become available: l    Client Address Range l    Subnet Mask l    Use System DNS l    DNS Server l    Enable IPv4 Split Tunnel
Authentication Method	Select Pre-shared Key.
Pre-shared Key	Enter the pre-shared key. This must be the same preshared key provided to the FortiClient users.
Peer option	Select Any peer ID.

4. Edit Authentication and enter the following information:

	Method		Select Pre-shared Key.
Pre-shared Key				Enter the pre-shared key. This must be the same preshared key provided to the FortiClient users.
Peer Options				Set Accept Types to Any peer ID.

5. Define the Phase 2 parameters needed to create a VPN tunnel with the FortiClient peer. See Phase 2 parameters on page 72. Enter these settings in particular:

Name		Enter a name to identify this Phase 2 configuration.
Phase 1		Select the name of the Phase 1 configuration that you defined.
Advanced		Select to configure the following optional setting.
DHCP-IPsec		Select if you provide virtual IP addresses to clients using DHCP.

6. Define names for the addresses or address ranges of the private networks that the VPN links. These addresses are used in the security policies that permit communication between the networks. For more information, see Defining policy addresses on page 1.

Enter these settings in particular:

• Define an address name for the individual address or the subnet address that the dialup users access through the VPN.
• If FortiClient users are assigned VIP addresses, define an address name for the subnet to which these VIPs belong.

4. Define security policies to permit communication between the private networks through the VPN tunnel. Routebased and policy-based VPNs require different security policies. For detailed information about creating security policies, see Defining VPN security policies on page 1.

If the security policy, which grants the VPN Connection is limited to certain services, DHCP must be included, otherwise the client won’t be able to retrieve a lease from the FortiGate’s (IPsec) DHCP server, because the DHCP Request (coming out of the tunnel) will be blocked.

Route-based VPN security policies

Define an ACCEPT security policy to permit communications between the source and destination addresses.

1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Enter these settings in particular:

Name	Enter an appropriate name for the policy.
Incoming Interface	Select the VPN Tunnel (IPsec Interface) you configured in Step “Configuration overview” on page 130.
Outgoing Interface	Select the interface that connects to the private network behind this FortiGate unit.
Source	Select all.
Destination Address	Select all.
Action	Select ACCEPT.
NAT	Disable NAT.

If you want to allow hosts on the private network to initiate communications with the FortiClient users after the tunnel is established, you need to define a security policy for communication in that direction.

1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Enter these settings in particular:

Incoming Interface	Select the interface that connects to the private network behind this FortiGate unit.
Outgoing Interface	Select the interface that connects to the private network behind this FortiGate unit.
Source	Select all.
Destination Address	Select all.
Action	Select ACCEPT.
NAT	Disable NAT.

Policy-based VPN security policy

Define an IPsec security policy to permit communications between the source and destination addresses.

1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Enter these settings in particular:

Incoming Interface	Select the interface that connects to the private network behind this FortiGate unit.
Outgoing Interface	Select the FortiGate unit’s public interface.
Source	Select the address name that you defined in Step “Configuration overview” on page 130 for the private network behind this FortiGate unit.
Destination Address	If FortiClient users are assigned VIPs, select the address name that you defined for the VIP subnet. Otherwise, select all.
Action	Select IPsec. Under VPN Tunnel, select the name of the Phase 1 configuration that you created in Step “Configuration overview” on page 130 from the drop-down list. Select Allow traffic to be initiated from the remote site.

Place VPN policies in the policy list above any other policies having similar source and destination addresses.

Configuring the FortiGate unit as a VPN policy server

When a FortiClient application set to automatic configuration connects to the FortiGate unit, the FortiGate unit requests a user name and password. If the user supplies valid credentials, the FortiGate unit downloads the VPN

 

settings to the FortiClient application.

You must do the following to configure the FortiGate unit to work as a VPN policy server for FortiClient automatic configuration:

1. Create user accounts for FortiClient users.
2. Create a user group for FortiClient users and the user accounts that you created in step 1.
3. Connect to the FortiGate unit CLI and configure VPN policy distribution as follows:

config vpn ipsec forticlient edit <policy_name> set phase2name <tunnel_name> set usergroupname <group_name> set status enable

end

<tunnel_name> must be the Name you specified in the step 2 of Configuration overview on page 130. <group_name> must be the name of the user group your created for FortiClient users.

Configuring DHCP services on a FortiGate interface

If the FortiClient dialup clients are configured to obtain a VIP address using DHCP, configure the FortiGate dialup server to either:

• Relay DHCP requests to a DHCP server behind the FortiGate unit (see Configuring DHCP relay on a FortiGate interface on page 137 below).
• Act as a DHCP server (see Configuring a DHCP server on a FortiGate interface on page 137).

Note that DHCP services are typically configured during the interface creation stage, but you can return to an interface to modify DHCP settings if need be.

Configuring  DHCP relay on a FortiGate interface

1. Go to Network > Interfaces and select the interface that you want to relay DHCP.
2. Enable DHCP Server, and create a new DHCP Address Range and Netmask.
3. Open the .. menu and set Mode to Relay.
4. Enter the DHCP Server IP.
5. Select OK.

Configuring a DHCP server on a FortiGate interface

1. Go to Network > Interfaces and select the interface that you want to act as a DHCP server.
2. Enable DHCP Server, and create a new DHCP Address Range and Netmask.
3. Set Default Gateway to Specify, and enter the IP address of the default gateway that the DHCP server assigns to DHCP clients.
4. Set DNS Server to Same as System DNS. If you want to use a different DNS server for VPN clients, select Specify and enter an IP address in the available field.
5. Open the .. menu and set Mode to Server. 6. Select OK.

137

Configure the FortiClient Endpoint Security application

The following procedure explains how to configure the FortiClient Endpoint Security application to communicate with a remote FortiGate dialup server using the VIP address that you specify manually. These procedures are based on FortiClient 5.4.1.

Configuring FortiClient

This procedure explains how to configure the FortiClient application manually using the default IKE and IPsec settings. For more information, refer to the FortiClient Administration Guide.

1. Go to Remote Access and select the Settings
2. Select Add a new connection, set the new VPN connection to IPsec VPN, and complete following information:

Connection Name	Enter a descriptive name for the connection.
Remote Gateway	Enter the IP address or the fully qualified domain name (FQDN) of the remote gateway.
Authentication Method	Select Pre-shared Key and enter the pre-shared key in the field provided.
Authentication (XAuth)	Extended Authentication (XAuth) increases security by requiring additional user authentication in a separate exchange at the end of the VPN Phase 1 negotiation. The FortiGate unit challenges the user for a user name and password. It then forwards the user’s credentials to an external RADIUS or LDAP server for verification. Implementation of XAuth requires configuration at both the FortiGate unit and the FortiClient application.

3. Select OK.

Adding XAuth authentication

For information about configuring a FortiGate unit as an XAuth server, see Phase 1 parameters on page 52. The following procedure explains how to configure the FortiClient application.

Note that XAuth is not compatible with IKE version 2.

For more information on configuring XAuth authentication, see the FortiClient Administration Guide.