FortiGate
gmarcuccetti
Staff
Article Id 193516
Description
This article describes the case where a dialup IPsec VPN must hand a manually chosen, fixed IP address to a specific set of users while the remaining users keep receiving a dynamically leased address from a pool.

It shows how to configure FortiClient IPsec dialup VPN with manual static IP assignment and dynamic IP lease at the same time on the same WAN interface.

Solution
    To achieve this, configure two IPsec dialup VPN tunnels on the same WAN interface:
    - One for users who receive a dynamically leased IP (mode-cfg with an address pool).
    - One for users who set a static IP on the client themselves.

    The FortiGate selects the dialup phase1 by the peer ID the client presents, so the static tunnel is bound to a specific peer ID while the dynamic tunnel stays the catch-all (peertype any). This is also why both tunnels use aggressive mode: in IKEv1 the peer ID is only available before authentication in aggressive mode.

    CLI Configuration on FortiGate for Dynamic Lease.

        # config firewall address
            edit "Diaup_VPN_Dynamic_Range"
                set type iprange
                set start-ip 10.10.10.10
                set end-ip 10.10.10.20
            next
        end

        # config user local
            edit "user2_dynamic"
                set type password
                set email-to "<email>"
                set passwd <password>
            next
        end

        # config user group
            edit "vpn_dynamic"
                set member "user2_dynamic"
            next
        end

        # config vpn ipsec phase1-interface
            edit "Dynamic_Lease"
                set type dynamic
                set interface "port1"
                set mode aggressive
                set peertype any
                set mode-cfg enable                         <----- 'mode-cfg' should be enabled.
                set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
                set dpd on-idle
                set xauthtype auto
                set authusrgrp "vpn_dynamic"
                set assign-ip-from name
                set ipv4-netmask 255.255.255.0
                set dns-mode auto
                set ipv4-split-include "Internal_Lan"
                set ipv4-name "Diaup_VPN_Dynamic_Range"     <----- Dynamic IP range.
                set psksecret <psk>
                set dpd-retryinterval 60
            next
        end

        # config vpn ipsec phase2-interface
            edit "Dynamic_Lease"
                set phase1name "Dynamic_Lease"
                set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256
            next
        end

        # config firewall policy
            edit <id>
                set name "Dialup_Dynamic_VPN"
                set srcintf "Dynamic_Lease"
                set dstintf "port2"
                set srcaddr "Diaup_VPN_Dynamic_Range"
                set dstaddr "Internal_Lan"
                set action accept
                set schedule "always"
                set service "ALL"
                set logtraffic all
            next
        end


    FortiClient configuration for dynamic lease (client screenshots omitted): the connection targets the port1 address, uses the pre-shared key of Dynamic_Lease, leaves the Local ID empty so it lands on the peertype any tunnel, and authenticates with the user2_dynamic credentials; the client receives its address from Diaup_VPN_Dynamic_Range through mode-cfg.

    CLI Configuration on FortiGate for Static Lease.

    Note.

    Manually setting the client IP is not fully supported by FortiClient 6.0.9 or above.

        # config firewall address
        edit "Dialup_Static_Assignment_Range"
                set type iprange
                set start-ip 10.10.10.30
                set end-ip 10.10.10.40
            next
        end

        # config user local
            edit "user1_static"
                set type password
                set email-to "<email>"
                set passwd <password>
            next
        end

        # config user group
            edit "vpn_static"
                set member "user1_static"
            next
        end


        # config vpn ipsec phase1-interface
            edit "Static_Lease"
                set type dynamic
                set interface "port1"
                set mode aggressive
                set peertype one                   <----- Need to set peertype to one for specific peer ID.
                set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
                set localid "static.lease"
                set xauthtype auto
                set authusrgrp "vpn_static"
                set peerid "static.lease"          <-----  Need to define peerid for static IP client.
                set psksecret <psk>
                set dpd-retryinterval 60
            next
        end

        # config vpn ipsec phase2-interface
            edit "Static_Lease"
                set phase1name "Static_Lease"
                set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256
            next
        end

        # config firewall policy
            edit <id>
                set name "Dialup_Static_VPN"
                set srcintf "Static_Lease"
                set dstintf "port2"
                set srcaddr "Dialup_Static_Assignment_Range"
                set dstaddr "Internal_Lan"
                set action accept
                set schedule "always"
                set service "ALL"
                set logtraffic all
            next
        end

    FortiClient configuration for static lease (client screenshots omitted): the connection targets the port1 address with the pre-shared key of Static_Lease, sets the Local ID to static.lease so it matches the peerid of that tunnel, authenticates with the user1_static credentials, and assigns its own virtual IP from 10.10.10.30-10.10.10.40.

Note.

'mode-cfg' has to be disabled in the static lease phase1 configuration, because the client keeps the address it set itself. With mode-cfg off the FortiGate does not control that address, so the srcaddr of the Dialup_Static_VPN policy is the only thing confining a static user to the 10.10.10.30-10.10.10.40 range; keep it as that range rather than widening it to all. Both tunnels use IKEv1 aggressive mode with a pre-shared key, which exposes a hash derived from the key to anyone who initiates IKE against port1; use long, random pre-shared keys and a different key for each tunnel.
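As an added check (example code written for this page, not from the article or from Fortinet), the following Python script parses phase1 definitions and firewall addresses written in the FortiOS CLI syntax used above and flags the mistakes this two-tunnel layout is prone to: mode-cfg left enabled on the self-addressed static tunnel, more than one catch-all dialup tunnel on an interface, a peertype one tunnel without a peerid, and address ranges that overlap. The configuration embedded in the script is constructed for the example (address names spelt Dialup_..., port1 and static.lease reused from the article), and the rules are this example's own assumptions about what a correct pair looks like.

```python
"""Lint the two-tunnel dialup layout above: a catch-all phase1 that leases
addresses via mode-cfg next to a peer-ID-specific phase1 for clients that set
their own address. Added example, not Fortinet code."""
import ipaddress
import shlex

# Constructed sample in FortiOS CLI syntax; names are this example's own.
SAMPLE = """config firewall address
    edit "Dialup_VPN_Dynamic_Range"
        set type iprange
        set start-ip 10.10.10.10
        set end-ip 10.10.10.20
    next
    edit "Dialup_Static_Assignment_Range"
        set type iprange
        set start-ip 10.10.10.30
        set end-ip 10.10.10.40
    next
end
config vpn ipsec phase1-interface
    edit "Dynamic_Lease"
        set type dynamic
        set interface "port1"
        set peertype any
        set mode-cfg enable                         <----- leases from the pool
        set ipv4-name "Dialup_VPN_Dynamic_Range"
    next
    edit "Static_Lease"
        set type dynamic
        set interface "port1"
        set peertype one
        set peerid "static.lease"
    next
end
"""
# Same layout with two classic mistakes: mode-cfg left enabled on the static
# tunnel, and a static range that overlaps the dynamic pool.
BAD_SAMPLE = SAMPLE.replace('set peerid "static.lease"', 'set peerid "static.lease"\n'
                            '        set mode-cfg enable').replace("10.10.10.30", "10.10.10.15")

def parse_fortios(text):
    """Parse config/edit/set/next/end into nested dicts (set values as lists).
    Tolerates the '# ' prompt and '<-----' annotations used in KB articles."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.split("<-----")[0].strip().lstrip("#").strip()
        if not line:
            continue
        cmd, *args = shlex.split(line)
        if cmd == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]
        elif cmd in ("next", "end") and len(stack) > 1:
            stack.pop()
    return stack[0]

def first(entry, key, default=None):
    # First value of a 'set' option, or default when the option is absent.
    return entry.get(key, [default])[0]

def lint_dialup(cfg):
    """Return a list of findings; an empty list means the layout looks right."""
    findings, by_iface = [], {}
    phase1 = cfg.get("vpn ipsec phase1-interface", {})
    for name, p1 in phase1.items():
        if first(p1, "type") != "dynamic":
            continue
        by_iface.setdefault(first(p1, "interface"), []).append(name)
        has_pool = "ipv4-name" in p1 or "ipv4-start-ip" in p1
        if first(p1, "mode-cfg", "disable") == "enable" and not has_pool:
            findings.append(f"{name}: mode-cfg enabled but no pool; disable it for self-addressed clients")
        if first(p1, "peertype", "any") == "one" and "peerid" not in p1:
            findings.append(f"{name}: peertype one requires a peerid")
    for iface, names in by_iface.items():
        catch_all = [n for n in names if first(phase1[n], "peertype", "any") == "any"]
        if len(catch_all) > 1:
            findings.append(f"{iface}: {len(catch_all)} catch-all dialup tunnels; all but one need a peerid")
    # The policy srcaddr range is the only thing keeping a self-addressed static
    # client out of the dynamic pool, so every iprange address must be disjoint.
    ranges = [(name, int(ipaddress.IPv4Address(first(a, "start-ip"))),
               int(ipaddress.IPv4Address(first(a, "end-ip"))))
              for name, a in cfg.get("firewall address", {}).items()
              if first(a, "type") == "iprange"]
    for i, (n1, s1, e1) in enumerate(ranges):
        for n2, s2, e2 in ranges[i + 1:]:
            if s1 <= e2 and s2 <= e1:
                findings.append(f"{n1} overlaps {n2}")
    return findings

if __name__ == "__main__":
    for label, text in (("good", SAMPLE), ("bad", BAD_SAMPLE)):
        print(label, lint_dialup(parse_fortios(text)) or "no findings")
```

The parser only understands the config/edit/set/next/end grammar shown on this page, so it can be pointed at the article's own blocks (prompt and arrow comments included) after the two missing address objects are added; the overlap rule is deliberately strict and treats any two iprange addresses that share an IP as a finding.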

