FortiGate
jskrivan_FTNT
Article Id 195052

Description
This article includes the steps to set up a basic Point-To-Point Tunneling Protocol (PPTP) VPN using FortiOS firmware version 4.0 and later versions.

Important Note: To configure PPTP using the FortiGate web-based manager, first create a customized screen in the web-based manager. The steps are described in the FortiGate Administration Guides in the chapter "PPTP VPN".

Requirements

  1. Start of range

The first available IP address in the internal subnet to be assigned to VPN connected hosts.

  2. End of range

The last available IP address in the internal subnet to be assigned to VPN connected hosts.

  3. Firewall user group

The name of the firewall user group that will be used to authenticate VPN connections.


Scope

FortiOS firmware version 4.0 MR1
FortiOS firmware version 4.0 MR2
FortiOS firmware version 4.0 MR3
FortiOS firmware version 5.0.x
 


Solution

Configuration (CLI)

config vpn pptp
   set eip <address_ipv4>
   set ip-mode {range | usrgrp}
   set local-ip <address_localip>
   set sip <address_ipv4>
   set status {disable | enable}
   set usrgrp <group_name>
end


              
 

Variables, descriptions and default values

eip <address_ipv4>
   The ending address of the PPTP address range. Default: 0.0.0.0

ip-mode {range | usrgrp}
   Enable to have the PPTP client retrieve the IP address from the PPTP user group or select an IP address from the pre-configured IP address range.

local-ip <address_localip>
   PPTP server IP address from the PPTP user group.

sip <address_ipv4>
   The starting address of the PPTP IP address range. Default: 0.0.0.0

status {disable | enable}
   Enable or disable PPTP VPN. Default: disable

usrgrp <group_name>
   This keyword is available when status is set to enable. Enter the name of the user group for authenticating PPTP clients. The user group must be added to the FortiGate configuration before it can be specified here. Default: NULL



Address and policy configuration:
 
1) Under "Firewall Objects" > "Address" > "Address", create a new IP Range and enter the start-ip and end-ip as chosen in the CLI configuration:
Name: <Choose a name>
Type: IP Range
Subnet/Range: x.x.x.x-x.x.x.y (x.x.x.x is the start IP of the PPTP pool and x.x.x.y is its end IP)
Interface: <Your WAN Interface>
Show in Address List: Keep this checked.
 
2) Create a firewall policy as follows:
Source Interface: WAN
Source: The address created in step 1.
Destination Interface: LAN
Destination: Choose the destination you wish to allow access to.
Schedule: Choose the schedule you have configured or use "Always".
Service: Choose the services that you want to allow through PPTP.
NAT: This may or may not be required.
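
The steps above depend on two things agreeing: the sip/eip range must lie in the internal subnet, and the address object from step 1 must repeat the same start and end IP. The following Python check is an added example, not Fortinet code; the group name, addresses and subnet in the sample are constructed, and it assumes ip-mode is set to range.

```python
import ipaddress
import re

# Constructed sample: a filled-in version of the CLI template above plus the
# values entered in step 1. All names and addresses here are made up.
SAMPLE_CONFIG = """\
config vpn pptp
   set status enable
   set ip-mode range
   set sip 192.168.1.200
   set eip 192.168.1.210
   set usrgrp "PPTP_Users"
end
"""
SAMPLE_RANGE = "192.168.1.200-192.168.1.210"  # Subnet/Range field from step 1
SAMPLE_LAN = "192.168.1.0/24"                 # internal subnet (assumed)


def parse_pptp(config_text):
    """Return the 'set' keywords of the 'config vpn pptp' block as a dict."""
    block = re.search(r"config vpn pptp\n(.*?)\nend", config_text, re.S)
    if not block:
        raise ValueError("no 'config vpn pptp' block found")
    pairs = re.findall(r"^\s*set\s+(\S+)\s+(.+?)\s*$", block.group(1), re.M)
    return {key: value.strip('"') for key, value in pairs}


def check_pptp(config_text, address_range, lan_subnet):
    """Return a list of problems; an empty list means the settings agree."""
    cfg = parse_pptp(config_text)
    problems = []
    if cfg.get("status", "disable") != "enable":
        problems.append("status is not enable")
    if not cfg.get("usrgrp"):
        problems.append("usrgrp is not set")
    # Unset keywords fall back to the documented default 0.0.0.0.
    sip = ipaddress.ip_address(cfg.get("sip", "0.0.0.0"))
    eip = ipaddress.ip_address(cfg.get("eip", "0.0.0.0"))
    if sip.is_unspecified or eip.is_unspecified:
        problems.append("sip/eip still at default 0.0.0.0")
    elif sip > eip:
        problems.append("sip is higher than eip")
    lan = ipaddress.ip_network(lan_subnet)
    if sip not in lan or eip not in lan:
        problems.append("sip/eip outside the internal subnet")
    if address_range != f"{sip}-{eip}":
        problems.append("address object range differs from sip-eip")
    return problems
```

Calling check_pptp(SAMPLE_CONFIG, SAMPLE_RANGE, SAMPLE_LAN) returns an empty list; any returned string names the setting to correct before the policy in step 2 is created.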

 
