FortiGate
Article Id 194446

 

Description

This article describes how to configure a firewall-to-firewall dialup IPSec tunnel and enable policy routing for traffic from the VPN tunnel.

The sample configuration uses a FortiGate-300 as the dialup IPSec VPN server, with policy routing, and a FortiGate-60 as the remote IPSec VPN client.

The FortiGate-300 uses policy routing so that all traffic arriving from the VPN tunnel is forwarded to the gateway on its internal network and from there to the Internet.

Products

The sample configuration uses the following releases of the software and hardware:

- FortiGate-300 v2.80 b219.

- FortiGate-60 v2.80 b219.

Prerequisites

The configuration is based on the following assumptions:

- The external interface of each firewall has a public IP address.

- The default route of each firewall points to a next hop reachable through its external interface.

- The gateway performs NAT, so any traffic sent to it can be forwarded to the Internet and the replies returned.

Configurations

Gateway.

 

IP: 192.168.3.11. The gateway has an outgoing NAT policy that permits all traffic to the Internet.

 

 

Firewall1 FortiGate-300 configuration.

The phase 1 and phase 2 proposals (3des-sha1, 3des-md5) and the pre-shared key 123456 are the sample's values for v2.80. On a current release choose AES and SHA-2 proposals and a long, random pre-shared key; whatever you choose, the proposal list and the pre-shared key must be identical on both firewalls or phase 1 will not complete.

 

# config system global

    set asymroute enable

end

Asymmetric routing is enabled so that the FortiGate accepts the policy-routed tunnel flow even when the return path does not match its forward route lookup. This setting relaxes the stateful checks the FortiGate normally applies to every session, so enable it only on units whose traffic path requires it.

 

# config system interface

    edit "internal"

        set ip 192.168.3.1 255.255.255.0

        set allowaccess ping https

    next

    edit "external"

        set ip 64.114.95.238 255.255.255.128

        set allowaccess ping https

    next

end

 

# config vpn ipsec phase1

    edit "mygw"

        set dpd enable

        set nattraversal enable

        set proposal 3des-sha1 3des-md5

        set type dynamic

        set keepalive 5

        set psksecret 123456

    next

end

 

# config vpn ipsec phase2

    edit "mytunnel"

        set pfs enable

        set phase1name mygw

        set proposal 3des-sha1 3des-md5

        set replay enable

        set wildcardid enable

    next

end

 

# config firewall policy

    edit 2

        set srcintf "internal"

        set dstintf "external"

        set srcaddr "all"

        set dstaddr "all"

        set action encrypt

        set schedule "always"

        set service "ANY"

        set inbound enable

        set outbound enable

        set vpntunnel "mytunnel"

    next

end

 

# config router policy

    edit 1

        set gateway 192.168.3.11

        set input_device "external"

        set output_device "internal"

        set src 192.168.2.0 255.255.255.0

    next

end

 

Firewall2 FortiGate-60 configuration.

 

# config system interface

    edit "internal"

        set dhcp-server-mode server

        set ip 192.168.2.1 255.255.255.0

        set allowaccess ping https

    next

    edit "wan1"

        set ip 64.114.95.237 255.255.255.128

        set allowaccess ping https

    next

end

 

# config vpn ipsec phase1

    edit "mygw"

        set dpd enable

        set nattraversal enable

        set proposal 3des-sha1 3des-md5

        set keepalive 5

        set psksecret 123456

        set remotegw 64.114.95.238

    next

end

 

# config vpn ipsec phase2

    edit "mytunnel"

        set pfs enable

        set phase1name mygw

        set proposal 3des-sha1 3des-md5

        set replay enable

    next

end

 

# config firewall address

    edit "local"

        set subnet 192.168.2.0 255.255.255.0

    next

end

 

# config firewall policy

    edit 3

        set srcintf "internal"

        set dstintf "wan1"

        set srcaddr "local"

        set dstaddr "all"

        set action encrypt

        set schedule "always"

        set service "ANY"

        set inbound enable

        set outbound enable

        set vpntunnel "mytunnel"

    next

end
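As an added example (not from the article or from Fortinet), the following Python script parses the two configurations above and checks the settings that have to agree between a dialup server and its client: the client's remotegw must be the address on the server's external interface, the pre-shared keys must match, the server must be type dynamic, and each phase needs a proposal both sides offer. It also flags 3DES and MD5 as legacy algorithms. The parser, the WEAK token list and the one-phase1-and-one-phase2-per-side assumption are mine; the embedded sample text is constructed from the article's values, with the client pre-shared key deliberately one character off (123456P) so the check has a mismatch to report.

```python
# Added example, not from the article or Fortinet: consistency check for a
# FortiGate dialup IPsec server/client pair, built from the article's sample.
from typing import Dict, List

Table = Dict[str, Dict[str, str]]      # entry name -> {setting: value}
WEAK = {"des", "3des", "md5", "null"}  # assumption: algorithm tokens not acceptable today

def parse_fortios(text: str) -> Dict[str, Table]:
    """Parse 'config <table> / edit <name> / set <k> <v> / next / end' blocks; the
    article prefixes each block with the CLI prompt '# ', which is stripped."""
    tables: Dict[str, Table] = {}
    table = entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            line = line[1:].strip()
        if line.startswith("config "):
            table = line[7:].strip()
            tables.setdefault(table, {})
        elif line.startswith("edit ") and table is not None:
            entry = line[5:].strip().strip('"')
            tables[table].setdefault(entry, {})
        elif line.startswith("set ") and table is not None and entry is not None:
            key, _, value = line[4:].partition(" ")
            tables[table][entry][key] = value.strip().strip('"')
        elif line == "next":
            entry = None
        elif line == "end":
            table = entry = None
    return tables

def weak_tokens(proposals) -> List[str]:
    """Legacy algorithm names found in proposals such as '3des-sha1'."""
    return sorted({tok for p in proposals for tok in p.split("-") if tok in WEAK})

def check_dialup_pair(server_cfg: str, client_cfg: str, server_wan: str) -> List[str]:
    """Return findings for a dialup server/client pair; an empty list means consistent.
    Assumes one phase1 and one phase2 entry per side, as in the article's sample."""
    s, c = parse_fortios(server_cfg), parse_fortios(client_cfg)
    s1, c1 = (next(iter(x["vpn ipsec phase1"].values())) for x in (s, c))
    s2, c2 = (next(iter(x["vpn ipsec phase2"].values())) for x in (s, c))
    findings: List[str] = []
    # Dialup: the server accepts any peer ('type dynamic'); the client must dial the
    # address configured on the server's external interface.
    if s1.get("type") != "dynamic":
        findings.append("phase1: server is not 'type dynamic' (not a dialup server)")
    wan_ip = s["system interface"][server_wan]["ip"].split()[0]
    if c1.get("remotegw") != wan_ip:
        findings.append(f"phase1: client remotegw {c1.get('remotegw')} != server {server_wan} IP {wan_ip}")
    # Pre-shared keys are compared only; their values never appear in the findings.
    if s1.get("psksecret") != c1.get("psksecret"):
        findings.append("phase1: pre-shared keys differ")
    # Each phase needs a proposal both peers offer; then flag legacy algorithms in the overlap.
    for phase, a, b in (("phase1", s1, c1), ("phase2", s2, c2)):
        common = set(a.get("proposal", "").split()) & set(b.get("proposal", "").split())
        if not common:
            findings.append(f"{phase}: no common proposal")
        weak = weak_tokens(common)
        if weak:
            findings.append(f"{phase}: weak algorithms negotiable: {', '.join(weak)}")
    return findings

# Constructed inputs: the relevant blocks from the article, client PSK one character off.
SERVER_CFG = """
# config system interface
    edit "external"
        set ip 64.114.95.238 255.255.255.128
    next
end
# config vpn ipsec phase1
    edit "mygw"
        set proposal 3des-sha1 3des-md5
        set type dynamic
        set psksecret 123456
    next
end
# config vpn ipsec phase2
    edit "mytunnel"
        set proposal 3des-sha1 3des-md5
    next
end
"""
CLIENT_CFG = """
# config vpn ipsec phase1
    edit "mygw"
        set proposal 3des-sha1 3des-md5
        set psksecret 123456P
        set remotegw 64.114.95.238
    next
end
# config vpn ipsec phase2
    edit "mytunnel"
        set proposal 3des-sha1 3des-md5
    next
end
"""

if __name__ == "__main__":
    print(*check_dialup_pair(SERVER_CFG, CLIENT_CFG, "external"), sep="\n")
```

Run against the embedded sample it reports the pre-shared key mismatch and the 3DES/MD5 proposals on both phases; with the key corrected only the weak-algorithm warnings remain. The key values themselves are never printed, so the output can be pasted into a ticket.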

Verifying the results

Verifying on the workstation.

 

A workstation on the 192.168.2.0/24 network behind Firewall2 is able to connect to the Internet.

 

Traceroute to www.msn.com, first hops:

 

1 192.168.2.1

2 64.114.95.238

3 192.168.3.11

... ...

Hop 1 is the internal interface of Firewall2, hop 2 is Firewall1 answering from its external address (the far end of the tunnel), and hop 3 is the gateway 192.168.3.11 that the policy route on Firewall1 forwards the tunnel traffic to.

 

Verifying the Firewall1 FortiGate-300 status with diag vpn tunnel list (abbreviated below as diag vpn t l). The two outputs should mirror each other: the inbound SPI (itdb) on one firewall is the outbound SPI (otdb) on the other, and the keys pair the same way. Note that this output includes the live ESP session keys (the 3DES= and SHA1_HMAC= lines); treat it as sensitive and redact those values before attaching it to a ticket or sharing it.

 

Fortigate-300 # diag vpn t l

tunnel[11]:mytunnel_13, gateway:64.114.95.237:500, hub=, option=38

   eroute[2]:{[0.0.0.0-255.255.255.255]}->{[192.168.2.*]}

 

 channel[2]:64.114.95.238,natt=0,state=2,keepalive=0,oif=3

     sa[4]:mtu=1434, cur_bytes=132208, timeout=308

     itdb[1]:mtu=1434, cur_bytes=33336, cur_packets=468, spi=67d81675, replay=64

          3DES=b12164725b2211c8b4b6e2b37ed4b4b22ee77f13f3200074

          iv=0000000000000000

          SHA1_HMAC=fe99ce10b52dddeb1a9b6dabbb51c29573d8db82

     otdb[1]:mtu=1434, cur_bytes=80000, cur_packets=465, spi=734feaa2, replay=64

          3DES=3afc260e72418cb66fc16c5aee750447aa2c65160ffc2ec2

          iv=160167f276114574

          SHA1_HMAC=5e027ee96469a78fb6832bbef9880cad8b918640

 

Verifying the Firewall2 FortiGate-60 status.


FortiWiFi-60 # diag vpn t l

tunnel[22]:mytunnel, gateway:64.114.95.238:500, hub=, option=6

   eroute[2]:{[192.168.2.*]}->{[0.0.0.0-255.255.255.255]}

 

   channel[2]:64.114.95.237,natt=0,state=2,keepalive=0,oif=4

     sa[4]:mtu=1434, cur_bytes=149627, timeout=166

     itdb[1]:mtu=1434, cur_bytes=88664, cur_packets=527, spi=734feaa2, replay=64

          3DES=3afc260e72418cb66fc16c5aee750447aa2c65160ffc2ec2

          iv=0000000000000000

          SHA1_HMAC=5e027ee96469a78fb6832bbef9880cad8b918640

     otdb[1]:mtu=1434, cur_bytes=38592, cur_packets=538, spi=67d81675, replay=64

          3DES=b12164725b2211c8b4b6e2b37ed4b4b22ee77f13f3200074

          iv=3a1e0b480088ded7

          SHA1_HMAC=fe99ce10b52dddeb1a9b6dabbb51c29573d8db82
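As an added example (not from the article or from Fortinet), the following Python script applies two checks to diag vpn tunnel list output captured from both ends: spis_agree() confirms the peers hold the same SA pair (each side's inbound SPI is the other's outbound SPI, as in the two outputs above), and redact_keys() blanks the 3DES= and SHA1_HMAC= key values so the output can be shared safely while SPIs, byte counters and the IV stay visible. The regular expressions assume the line layout shown in the article and a single tunnel per output; the embedded samples are the article's own output, trimmed to the SA lines.

```python
# Added example, not from the article or Fortinet: checks on 'diag vpn tunnel list'
# output. Assumes the line layout printed by the article's FortiOS 2.80 build and
# one tunnel per capture (a later itdb/otdb line would overwrite an earlier one).
import re
from typing import Dict

SPI_RE = re.compile(r"^\s*(itdb|otdb)\[\d+\]:.*?\bspi=([0-9a-f]+)", re.M)
# Key material lines look like '3DES=<hex>' or 'SHA1_HMAC=<hex>'; 'iv=' is not secret and is kept.
KEY_RE = re.compile(r"^(\s*)(3DES|DES|AES\w*|\w+_HMAC)=([0-9a-f]+)\s*$", re.M)

def sa_spis(output: str) -> Dict[str, str]:
    """Map 'itdb' (inbound SA) and 'otdb' (outbound SA) to the SPI printed for each."""
    return {m.group(1): m.group(2) for m in SPI_RE.finditer(output)}

def spis_agree(side_a: str, side_b: str) -> bool:
    """True when A's inbound SPI is B's outbound SPI and vice versa."""
    a, b = sa_spis(side_a), sa_spis(side_b)
    if not all(k in a for k in ("itdb", "otdb")):
        return False
    return a["itdb"] == b.get("otdb") and a["otdb"] == b.get("itdb")

def redact_keys(output: str) -> str:
    """Replace every key value with its bit length so the line stays readable but harmless."""
    return KEY_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}=<redacted {len(m.group(3)) * 4}-bit>", output)

# Constructed inputs: the article's two captures, trimmed to the SA lines.
FG300 = """\
tunnel[11]:mytunnel_13, gateway:64.114.95.237:500, hub=, option=38
   eroute[2]:{[0.0.0.0-255.255.255.255]}->{[192.168.2.*]}
 channel[2]:64.114.95.238,natt=0,state=2,keepalive=0,oif=3
     sa[4]:mtu=1434, cur_bytes=132208, timeout=308
     itdb[1]:mtu=1434, cur_bytes=33336, cur_packets=468, spi=67d81675, replay=64
          3DES=b12164725b2211c8b4b6e2b37ed4b4b22ee77f13f3200074
          iv=0000000000000000
          SHA1_HMAC=fe99ce10b52dddeb1a9b6dabbb51c29573d8db82
     otdb[1]:mtu=1434, cur_bytes=80000, cur_packets=465, spi=734feaa2, replay=64
          3DES=3afc260e72418cb66fc16c5aee750447aa2c65160ffc2ec2
          iv=160167f276114574
          SHA1_HMAC=5e027ee96469a78fb6832bbef9880cad8b918640
"""
FW60 = """\
tunnel[22]:mytunnel, gateway:64.114.95.238:500, hub=, option=6
   eroute[2]:{[192.168.2.*]}->{[0.0.0.0-255.255.255.255]}
   channel[2]:64.114.95.237,natt=0,state=2,keepalive=0,oif=4
     sa[4]:mtu=1434, cur_bytes=149627, timeout=166
     itdb[1]:mtu=1434, cur_bytes=88664, cur_packets=527, spi=734feaa2, replay=64
          3DES=3afc260e72418cb66fc16c5aee750447aa2c65160ffc2ec2
          iv=0000000000000000
          SHA1_HMAC=5e027ee96469a78fb6832bbef9880cad8b918640
     otdb[1]:mtu=1434, cur_bytes=38592, cur_packets=538, spi=67d81675, replay=64
          3DES=b12164725b2211c8b4b6e2b37ed4b4b22ee77f13f3200074
          iv=3a1e0b480088ded7
          SHA1_HMAC=fe99ce10b52dddeb1a9b6dabbb51c29573d8db82
"""

if __name__ == "__main__":
    print("SA pair agrees:", spis_agree(FG300, FW60))
    print(redact_keys(FG300))
```

Paste each firewall's output into the two constants (or read them from files) before sharing a capture; the redacted form still shows SPIs, counters and replay window, which is all that a peer or support case normally needs.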

Troubleshooting

- # diag deb enable <-- Enable debug output on the console.

- # diag deb app ike 2 <-- Display the IPsec IKE negotiation.

- # diag sniffer packet external 'esp or udp port 500 or udp port 4500' <-- Display IKE and ESP packets arriving on and leaving the external interface (use wan1 on Firewall2).

- # diag deb disable <-- Turn debug output off again when finished.

 

Contributors