Description
This KB article describes a scenario in which a Security Administrator wants to restrict network access for certain FortiClient users once they have established an IPsec tunnel to a FortiGate unit.
This may be accomplished by using an identity-based policy instead of a regular (address-based) policy, which is required for establishing IKE tunnels. However, the conditions listed below are important.
Note that the IP addressing and the command “set listen-forticlient-connection enable” are important for tunnel interfaces when identity-based firewall policies are used. Any IP address is acceptable, as long as it does not conflict with the existing IP address plan. This IP setting is important because the FortiGate authentication page is a redirect sent to the client browser using the specified IP addresses.
config system interface
edit "port3"
set vdom "root"
set ip 172.31.16.190 255.255.252.0
set type physical
next
end
config system interface
edit "remote-users"
set vdom "root"
set ip 169.254.1.1 255.255.255.255
set type tunnel
set remote-ip 169.254.1.1
set listen-forticlient-connection enable
set interface "port3"
next
end
config vpn ipsec phase1-interface
edit "remote-users"
set type dynamic
set interface "port3"
set xauthtype auto
set mode aggressive
set mode-cfg enable
set proposal 3des-sha1 aes128-sha1
set authusrgrp "IPSec-users"
set ipv4-start-ip 10.75.0.1
set ipv4-end-ip 10.75.0.200
set ipv4-netmask 255.255.255.0
set dns-mode auto
set ipv4-split-include "10.74.0.0/16"
set psksecret ENC
next
end
config firewall policy
edit 1
set srcintf "remote-users"
set dstintf "port4"
set srcaddr "all"
set action accept
set identity-based enable
set nat enable
config identity-based-policy
edit 1
set schedule "always"
set users "fortinet-1074"
set dstaddr "10.74.1.36"
set service "ALL"
next
edit 2
set schedule "always"
set users "fortinet-1075"
set dstaddr "10.74.1.54"
set service "ALL"
next
end
next
end