Created on 03-01-2010 03:00 AM Edited on 03-25-2022 10:09 AM By Anonymous
Purpose
This article explains how to configure a FortiGate running FortiOS 4.0 MR1 or later so that a dynamic (dialup) IPsec VPN gives FortiClient users access to more than one remote network behind the FortiGate. A dialup phase2 is created with 0.0.0.0/0 selectors; the approach here is to reference a firewall address group that contains the remote networks in the phase2 source selector, so that each network is negotiated as its own selector.
Scope
Diagram

FortiClient -------(dialup)--------- FortiGate -------- 10.106.0.0/23
                                         |
                                         ----------- 10.168.0.0/23
Expectations, Requirements
The FortiClient must be able to reach both remote networks behind the FortiGate, 10.106.0.0/23 and 10.168.0.0/23.
Configuration
Phase1 (dynamic/dialup) and phase2 definitions on the FortiGate:

config vpn ipsec phase1
    edit "dialup"
        set type dynamic
        set interface "port2"
        set nattraversal disable
        set proposal 3des-sha1 aes128-sha1
        set mode aggressive
        set psksecret ENC
    next
end
config vpn ipsec phase2
    edit "dialup2"
        set phase1name "dialup"
        set proposal 3des-sha1 aes128-sha1
        set use-natip disable
    next
end

The proposals and aggressive mode shown here date from FortiOS 4.0; 3DES and aggressive mode with a pre-shared key are both considered weak today, so on current releases prefer AES-based proposals with SHA-256 and main mode or IKEv2 where the client supports it.
Phase2 selector parameters as they stand before the change (both selectors are 0.0.0.0/0):

FGT (phase2) # edit dialup2
FGT (dialup2) # get
[....]
dst-subnet          : 0.0.0.0 0.0.0.0    <----- selector
keylifeseconds      : 1800
src-subnet          : 0.0.0.0 0.0.0.0    <----- selector
Change the source selector type from subnet to name and assign the address group that contains the remote networks (here lanipsec). The same two settings exist for the destination selector; the ? help output lists the address objects and groups that can be referenced, and the group lanipsec appears among them. The change is applied when the entry is committed with next/end.

FGT # config vpn ipsec phase2
FGT (phase2) # edit <phase2-name>
FGT (dialup2) # set src-addr-type name    <---------- change the selector type to name
FGT (dialup2) # set src-name lanipsec     <---------- assign the address group name
FGT (dialup2) # set dst-addr-type name
FGT (dialup2) # set dst-name <string> ?
please input string value
SSLVPN_TUNNEL_ADDR1    address
all                    address
lan104                 address
lan106                 address
lan168                 address
lanipsec               addrgrp
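The address objects and the group that src-name refers to are not shown in the article. The following is an added, complete configuration (not taken from the original article or from Fortinet) that creates them using the names seen in the help output above (lan106, lan168 and lanipsec), applies the group to the phase2 source selector and leaves the destination selector at its default 0.0.0.0/0 so that any FortiClient address is accepted. The /23 masks are taken from the diagram; the phase1 name and the other phase2 settings are those of the article. Firewall policies permitting traffic between the dialup tunnel and the two networks are still required and are not included here.

```text
# Address objects for the two remote networks (masks taken from the /23 prefixes in the diagram)
config firewall address
    edit "lan106"
        set subnet 10.106.0.0 255.255.254.0
    next
    edit "lan168"
        set subnet 10.168.0.0 255.255.254.0
    next
end

# Address group referenced by the phase2 source selector
config firewall addrgrp
    edit "lanipsec"
        set member "lan106" "lan168"
    next
end

# Phase2 of the dialup tunnel: the source (FortiGate side) selector is now the group,
# the destination (client side) selector is left at the default 0.0.0.0/0
config vpn ipsec phase2
    edit "dialup2"
        set phase1name "dialup"
        set proposal 3des-sha1 aes128-sha1
        set use-natip disable
        set src-addr-type name
        set src-name "lanipsec"
    next
end

# Confirm the result: each member of the group should appear as its own src range
# once the FortiClient has brought the tunnel up
diagnose vpn tunnel list
```

If a network is added to the group later, the new selector becomes available to the client without touching the phase2 entry, which is the main reason to reference a group rather than a single address object.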
Verification
Output of diagnose vpn tunnel list for the dialup tunnel. With the default 0.0.0.0/0 selectors, a single SA covering any network is negotiated:

proxyid=dialup2 proto=0 sa=1 ref=2 auto_negotiate=0 serial=1
  src: 0.0.0.0-255.255.255.255:0            <== any network is negotiated
  dst: 192.168.182.128-192.168.182.128:0    <== IP address of the FortiClient PC
  SA: ref=3 options=00000046 type=00 soft=0 mtu=1436 expire=1766 replaywin=1024 seqno=1

With the address group assigned to the source selector, each member network is negotiated separately; the SA for the first remote network is shown here, and 10.168.0.0/23 is negotiated in the same way:

proxyid=dialup2 proto=0 sa=1 ref=2 auto_negotiate=0 serial=1
  src: 10.106.0.0-10.106.1.255:0            <== the first remote network is negotiated
  dst: 192.168.182.128-192.168.182.128:0
  SA: ref=3 options=00000046 type=00 soft=0 mtu=1436 expire=1758 replaywin=1024 seqno=1
Related Articles
How to set up FortiClient IPSec VPN to reach multiple non-sequential remote subnets on a FortiGate
Copyright 2024 Fortinet, Inc. All Rights Reserved.