gfranceschi (Staff)
Article Id 191018

Purpose
This article explains the FortiGate configuration required in FortiOS 4.0 MR1 and above when a dynamic IPSec (dialup) tunnel must protect multiple remote networks.
Scope

  • FortiOS 4.0 MR1 and above
  • FortiGate in NAT mode
  • IPSec dialup connection
  • VPN tunnel protects more than one private network


Diagram
FortiClient -------(dialup)---------FortiGate--------10.106.0.0/23
                                            |
                                             -----------10.168.0.0/23

Expectations, Requirements
The FortiClient must be able to reach both remote networks:

  • 10.106.0.0/23
  • 10.168.0.0/23


Configuration

FortiGate and FortiClient configuration in v3.0 and v4.0 (before upgrade)
  • FortiClient is configured with at least 2 remote networks
    • First remote network is 10.106.0.0/23
    • Second remote network is 10.168.0.0/23
  • FortiGate phase2 is configured with the default 0.0.0.0/0 (ANY) selectors:
config vpn ipsec phase1
    edit "dialup"
        set type dynamic
        set interface "port2"
        set nattraversal disable
        set proposal 3des-sha1 aes128-sha1
        set mode aggressive
        set psksecret ENC
    next
end
config vpn ipsec phase2
    edit "dialup2"
        set phase1name "dialup"
        set proposal 3des-sha1 aes128-sha1
        set use-natip disable
    next
end

Verifying the phase2 selector parameters:

FGT (phase2) # edit dialup2
FGT (dialup2) # get
[....]
dst-subnet : 0.0.0.0 0.0.0.0 <----- selector
keylifeseconds : 1800
src-subnet : 0.0.0.0 0.0.0.0 <----- selector

In FortiOS 4.0 MR1, the phase2 must be defined with an address group name as selector instead of IP addresses:

set src-addr-type name
set src-name langroup

For example, the FortiGate configuration can be modified as follows:
  • Create firewall addresses called lan168 and lan106
  • Create a firewall address group called lanipsec
  • Modify the vpn phase2 to use name-based selectors and assign the lanipsec group to this phase2 as follows:
FGT # config vpn ipsec phase2
FGT (phase2) # edit <phase2-name>
FGT (dialup2) # set src-addr-type name <---------- modify the type name
FGT (dialup2) # set src-name lanipsec <-------------assign the group name
FGT (dialup2) # set dst-addr-type name
FGT (dialup2) # set dst-name <string> ?
please input string value
SSLVPN_TUNNEL_ADDR1 address
all address
lan104 address
lan106 address
lan168 address
lanipsec addrgrp



Verification

The CLI command 'diag vpn tunnel list' shows:

In FortiOS 4.0.3
proxyid=dialup2 proto=0 sa=1 ref=2 auto_negotiate=0 serial=1
src: 0.0.0.0-255.255.255.255:0         <== any network is negotiated
dst: 192.168.182.128-192.168.182.128:0 <-- IP address of FC PC
SA: ref=3 options=00000046 type=00 soft=0 mtu=1436 expire=1766 replaywin=1024 seqno=1
In FortiOS 4.0 MR1
proxyid=dialup2 proto=0 sa=1 ref=2 auto_negotiate=0 serial=1
src: 10.106.0.0-10.106.1.255:0           <==the first remote network is negotiated
dst: 192.168.182.128-192.168.182.128:0
SA: ref=3 options=00000046 type=00 soft=0 mtu=1436 expire=1758 replaywin=1024 seqno=1
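As an added check that is not part of the original article: a small Python script that parses 'diag vpn tunnel list' output (the two excerpts above, embedded here as constructed samples) and flags a proxyid whose negotiated src selector is still the 0.0.0.0/0 wildcard instead of one of the protected networks. The protected networks and sample text are taken from this article; the function names are my own.

```python
import ipaddress
import re

# Constructed sample input: the two 'diag vpn tunnel list' excerpts shown in this article.
BEFORE_FIX = """\
proxyid=dialup2 proto=0 sa=1 ref=2 auto_negotiate=0 serial=1
  src: 0.0.0.0-255.255.255.255:0
  dst: 192.168.182.128-192.168.182.128:0
  SA: ref=3 options=00000046 type=00 soft=0 mtu=1436 expire=1766 replaywin=1024 seqno=1
"""
AFTER_FIX = """\
proxyid=dialup2 proto=0 sa=1 ref=2 auto_negotiate=0 serial=1
  src: 10.106.0.0-10.106.1.255:0
  dst: 192.168.182.128-192.168.182.128:0
  SA: ref=3 options=00000046 type=00 soft=0 mtu=1436 expire=1758 replaywin=1024 seqno=1
"""

# The private networks the dialup tunnel is meant to protect (from the article's diagram).
PROTECTED = [ipaddress.ip_network("10.106.0.0/23"), ipaddress.ip_network("10.168.0.0/23")]

PROXY_RE = re.compile(r"^\s*proxyid=(\S+)")
RANGE_RE = re.compile(r"^\s*(src|dst):\s*(\d+(?:\.\d+){3})-(\d+(?:\.\d+){3}):\d+")


def parse_tunnel_list(output):
    """Map each proxyid to its negotiated src/dst ranges as (first, last) address strings."""
    tunnels, current = {}, None
    for line in output.splitlines():
        m = PROXY_RE.match(line)
        if m:
            current = tunnels.setdefault(m.group(1), {})
            continue
        m = RANGE_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = (m.group(2), m.group(3))
    return tunnels


def classify_src(first, last, protected=PROTECTED):
    """'any' for the 0.0.0.0-255.255.255.255 wildcard, 'ok' when the range is exactly one
    protected network, otherwise 'unexpected' (e.g. a partial or unrelated subnet)."""
    first, last = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if first == ipaddress.ip_address("0.0.0.0") and last == ipaddress.ip_address("255.255.255.255"):
        return "any"
    nets = list(ipaddress.summarize_address_range(first, last))
    return "ok" if len(nets) == 1 and nets[0] in protected else "unexpected"


def audit(output):
    """Return {proxyid: verdict} for every proxy entry that has a src selector."""
    return {pid: classify_src(*sel["src"]) for pid, sel in parse_tunnel_list(output).items() if "src" in sel}


if __name__ == "__main__":
    for label, text in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(label, audit(text))
```

Run it against a pasted copy of the real 'diag vpn tunnel list' output; any proxyid reported as 'any' still has the wildcard selector and will negotiate only a single 0.0.0.0/0 SA instead of one SA per remote network.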


Related Articles

How to set up FortiClient IPSec VPN to reach multiple non-sequential remote subnets on a FortiGate
