Description
This article provides the CLI commands to relay DHCP requests from dial-up IPsec VPN clients to an internal DHCP server: the tunnel interface, the phase 1/phase 2 settings, the address objects and the firewall policies. Replace the example addresses, names and the pre-shared key with your own values before applying.
Solution
IPsec VPN client settings:
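config system interface
    edit "ClientTunnel" <-- VPN client tunnel interface; the name must match the phase1-interface entry.
        set vdom "root"
        set dhcp-relay-service enable
        set ip 10.200.68.196 255.255.255.255 <-- an IP address within the DHCP network.
        set type tunnel
        set remote-ip 10.200.68.196
        set snmp-index 15
        set dhcp-relay-ip "10.68.1.117" <-- address of the DHCP server; it must be reachable from the FortiGate.
        set dhcp-relay-type ipsec
        set interface "port2" <-- underlying interface the tunnel is bound to; must match the phase1-interface setting.
    next
end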
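config firewall address
    edit "dhcpforIPsecClient_range" <-- object names are case-sensitive; the firewall policies must reference this exact name.
        set uuid f1904504-aff6-51e6-413f-199821d9d1b2
        set type iprange
        set comment "VPN: ClientTunnel (Created by VPN wizard)"
        set start-ip 10.200.68.233 <-- range must cover the addresses the DHCP server hands out to VPN clients.
        set end-ip 10.200.68.234
    next
end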
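config vpn ipsec phase1-interface
    edit "ClientTunnel"
        set type dynamic <-- dial-up: peer address is not fixed.
        set interface "port2"
        set mode aggressive <-- aggressive mode exposes the PSK-based authentication hash to offline dictionary attacks; use a long random PSK, and prefer main mode or IKEv2 where the clients support it.
        set mode-cfg disable <-- required: dhcp-ipsec in phase 2 is only available when mode-cfg is disabled.
        set comments "VPN: ClientTunnel (Created by VPN wizard)"
        set wizard-type dialup-forticlient
        set psksecret ENC N98HrU+/Tr0q+Gq6H <-- example encrypted value only; set your own strong pre-shared key, never reuse this one.
    next
end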
Note: 'set mode-cfg disable' must be set in the phase1-interface configuration, otherwise the 'set dhcp-ipsec enable' option is not available in the phase2-interface configuration.
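config vpn ipsec phase2-interface
    edit "ClientTunnel"
        set phase1name "ClientTunnel"
        set comments "VPN: ClientTunnel (Created by VPN wizard)"
        set dhcp-ipsec enable <-- relays client DHCP requests over the tunnel; requires mode-cfg disabled in phase 1.
    next
end
config firewall address
    edit "vlan68" <-- internal network object; must exist before the policies below reference it.
        set uuid 1026f39c-ad99-51e6-6035-19f79428c9cf
        set associated-interface "port5"
        set subnet 10.68.0.0 255.255.240.0 <-- address range of the internal network.
    next
end
config firewall policy
    edit 1
        set uuid 5ef30dd2-ada1-51e6-3860-47cc8b9be9da
        set srcintf "ClientTunnel" <-- name of the tunnel interface.
        set dstintf "port5"
        set srcaddr "dhcpforIPsecClient_range" <-- address range provided by the DHCP server; name must match the address object exactly (case-sensitive).
        set dstaddr "vlan68" <-- address range of the internal network.
        set action accept
        set schedule "always"
        set service "ALL" <-- allows everything from VPN clients into the internal network; restrict to the services users actually need.
        set logtraffic all
        set comments "VPN: ClientTunnel (Created by VPN wizard)"
    next
    edit 2
        set uuid f9d26db4-adb2-51e6-b169-40acf1cd2950
        set srcintf "port5"
        set dstintf "ClientTunnel"
        set srcaddr "vlan68"
        set dstaddr "dhcpforIPsecClient_range"
        set action accept
        set schedule "always"
        set service "ALL_ICMP" <-- only ICMP from the internal network towards the clients; widen deliberately if more is needed.
        set logtraffic all
        set comments "allow Private network to initiate traffic towards FortiClients"
    next
end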
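config system interface
    edit "port5" <-- internal (LAN) interface facing the DHCP server.
        set vdom "root"
        set dhcp-relay-service enable
        set ip 192.168.1.x 255.255.255.0 <-- placeholder; use the interface's real address.
        set allowaccess ping https ssh http telnet fgfm <-- http and telnet are cleartext management protocols; remove them unless required (e.g. 'set allowaccess ping https ssh fgfm').
        set type physical
        set snmp-index 4
        set dhcp-relay-ip "192.168.1.y" <-- placeholder; address of the DHCP server.
        set dhcp-relay-type ipsec <-- must be changed from regular to IPsec.
    next
end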