jmoya
Staff
Article Id 195171
Purpose
Use this configuration when dial-up VPN clients are required to receive addresses from the same IP network segment.

Scope
All FortiOS

Expectations, Requirements
In the FortiClient configuration, two IP addresses can be set to reach a remote destination.

Configuration
- Create a VDOM
config system global
   set vdom-admin enable
end

config vdom
edit tunneling
end

- Create a vdom-link between root and new VDOM
config global
   config system vdom-link
      edit ivdom
      next
   end
   config system interface
      edit ivdom0
         set vdom "root"
         set ip 1.1.1.1 255.255.255.252
         set type vdom-link
      next
      edit ivdom1
         set vdom "tunneling"
         set ip 1.1.1.2 255.255.255.252
         set type vdom-link
      next
   end
end

- Set default route to Internet
config vdom
   edit tunneling
      config router static
         edit 1
            set device ivdom1
            set gateway 1.1.1.1
         next
      end
end

- Create the route to the IPsec VPN client network (the IPsec DHCP pool subnet) from the root VDOM
config vdom
   edit root
      config router static
         edit 0
            set dst 172.16.0.0 255.255.255.0
            set device ivdom0
            set gateway 1.1.1.2
         next
      end
end

- Create firewall VIP
config vdom
   edit root
      config firewall vip
         edit tunel1
            set extintf "wan1"
            set extip 187.x.x.x
            set mappedip 1.1.1.2
         next
         edit tunel2
            set extintf "wan2"
            set extip 189.y.y.y
            set mappedip 1.1.1.2
         next
      end
end

- Create firewall policies
config vdom
   edit root
      config firewall policy
         edit 0
            set srcintf "WANs"
            set dstintf "ivdom0"
            set srcaddr "all"
            set dstaddr "tunel1" "tunel2"
            set action accept
            set schedule "always"
            set service "ALL"
         next
         edit 0
            set srcintf "ivdom0"
            set dstintf "LAN"
            set srcaddr "allowed_clients"
            set dstaddr "allowed_servers"
            set action accept
            set schedule "always"
            set service "ALL"
         next
         edit 0
            set srcintf "LAN"
            set dstintf "ivdom0"
            set srcaddr "allowed_servers"
            set dstaddr "allowed_clients"
            set action accept
            set schedule "always"
            set service "ALL"
         next
      end
end

- Create VPN
config vdom
   edit tunneling
      config vpn ipsec phase1-interface
         edit "FClient"
            set type dynamic
            set interface "ivdom1"
            set keylife 800
            set xauthtype auto
            set mode-cfg disable
            set proposal 3des-sha1 aes128-sha1
            set dpd disable
            set authusrgrp "USERGROUP"
            set psksecret secret
         next
      end
      config vpn ipsec phase2-interface
         edit fc
            set keepalive enable
            set phase1name "FClient"
            set proposal 3des-sha1 aes128-sha1
            set keylifeseconds 120
            set dhcp-ipsec enable
         next
      end
end

- Create DHCP pool for IPSec
config vdom
   edit tunneling
      config system dhcp server
         edit 1
            set interface "FClient"
            config ip-range
               edit 1
                  set end-ip 172.16.0.250
                  set start-ip 172.16.0.1
               next
            end
            set lease-time 3600
            set netmask 255.255.255.0
            set server-type ipsec
            set dns-server1 a.b.c.d
            set ipsec-lease-hold 0
         next
      end
end

- Create Firewall policies
config vdom
   edit tunneling
      config firewall policy
         edit 1
            set srcintf "FClient"
            set dstintf "ivdom1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
         next
         edit 2
            set srcintf "ivdom1"
            set dstintf "FClient"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
         next
      end
end

- Configure your FortiClient with the IP Addresses 187.x.x.x and 189.y.y.y separated by ";".
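
A check that can be run over the finished configuration before it is deployed (an added example, not part of the original article and not Fortinet tooling): it parses the config/edit/set nesting used in the steps above and reports IPsec proposals built on 3DES, SHA-1, MD5 or DES, and accept policies that allow ALL services from any source. The LEGACY list, the function names and the sample text are assumptions of this example.

```python
import shlex
# Example policy (an assumption, not Fortinet guidance): algorithms treated as legacy.
LEGACY = {"des", "3des", "md5", "sha1"}

def parse(text):
    """Return (path, settings) for every 'edit' entry in FortiOS-style CLI text."""
    stack, entries = [], []
    for tok in filter(None, map(shlex.split, text.splitlines())):
        op, args = tok[0], tok[1:]
        if op in ("config", "edit"):
            stack.append((op, " ".join(args), {}))
            if op == "edit":
                entries.append((tuple(stack), stack[-1][2]))
        elif op == "next" and stack and stack[-1][0] == "edit":
            stack.pop()
        elif op == "end":  # closes the innermost config and any edit still open in it
            while stack and stack.pop()[0] != "config":
                pass
        elif op == "set" and args and stack and stack[-1][0] == "edit":
            stack[-1][2][args[0]] = args[1:]
    return entries

def audit(text):
    """Return (vdom, section, entry, issue) for legacy crypto and any-source accept policies."""
    findings = []
    for path, cfg in parse(text):
        configs = [n for k, n, _ in path if k == "config"] or ["-"]
        edits = [n for k, n, _ in path if k == "edit"]
        where = (edits[0] if configs[0] == "vdom" else "-", configs[-1], edits[-1])
        weak = [p for p in cfg.get("proposal", []) if LEGACY & set(p.split("-"))]
        if configs[-1].startswith("vpn ipsec phase") and weak:
            findings.append(where + ("legacy proposal: " + " ".join(weak),))
        if (configs[-1] == "firewall policy" and cfg.get("action") == ["accept"]
                and cfg.get("srcaddr") == ["all"] and "ALL" in cfg.get("service", [])):
            findings.append(where + ("accepts ALL services from any source",))
    return findings

# Constructed sample: excerpt of the tunneling VDOM configuration from the steps above.
SAMPLE = "\n".join([
    'config vdom', 'edit tunneling',
    'config vpn ipsec phase1-interface', 'edit "FClient"',
    'set proposal 3des-sha1 aes128-sha1', 'next', 'end',
    'config firewall policy', 'edit 1', 'set srcaddr "all"',
    'set action accept', 'set service "ALL"', 'next', 'end', 'end',
])

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

Each finding names the VDOM, the configuration section and the entry, so repeated "edit 0" policies are reported individually.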
