FortiGate
ssener
Staff
Article Id 197552
Description
This article describes how to configure multiple FortiGates as IPsec VPN dial-up clients of one FortiGate VPN server when none of the FortiGates is behind a NAT device.

Topology.
Solution
VPN Server Configuration.

Configure Interfaces.
# config system interface
    edit "port1"
        set vdom "root"
        set ip 10.56.241.43 255.255.252.0
        set allowaccess ping https ssh http
        set alias "WAN"
        set role wan
    next
    edit "port5"
        set vdom "root"
        set ip 10.91.1.43 255.255.240.0
        set allowaccess ping https ssh http
        set alias "LAN_Port5"
        set role lan
    next
end
- Administrative access (http, https, ssh) is enabled on the WAN port here only so the lab devices can be managed; in production keep it off the internet-facing interface (on all three FortiGates) and manage the unit from the LAN side or from trusted hosts.
Configure a static default route to the internet.
- This configuration may not be required in the environment if a default route to the internet is received dynamically.
# config router static
    edit 1
        set gateway 10.56.243.254
        set device "port1"
    next
end
Create a user account for each Dial-Up VPN client and add the accounts to a user group.
- Each client authenticates with one of these accounts: the client's localid is the username and its psksecret is the password. The example passwords are placeholders; use long, random values, since each one doubles as that client's IKE pre-shared key.
- The user group is referenced from the IPsec VPN Phase1 interface configuration.
# config user local
    edit "client1"
        set type password
        set passwd fortinet
    next
    edit "client2"
        set type password
        set passwd password
    next
end

# config user group
    edit "Dial-Up-VPN_FortiGates"
        set member "client1" "client2"
    next
end
Create an address object for the LAN subnet.
# config firewall address
    edit "LAN_Port5"
        set subnet 10.91.0.0 255.255.240.0
    next
end
Create IPsec VPN Phase1 interface.
# config vpn ipsec phase1-interface
    edit "FGT_Dial-Up"
        set type dynamic
        set interface "port1"
        set mode aggressive
        set peertype dialup
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set localid "VPN_Server"
        set dpd on-idle
        set usrgrp "Dial-Up-VPN_FortiGates"
        set dpd-retryinterval 60
    next
end
- Aggressive mode is used because, with IKEv1, the server must read the peer's localid before it can select the matching user password as the PSK; in main mode the identity is only sent after the PSK has already been chosen. The trade-off is that aggressive mode exchanges the identity and the PSK-derived hash before the channel is encrypted, so a captured exchange can be attacked offline against a weak password. Use long, random passwords for the client accounts, and drop the SHA-1 proposals once all peers support SHA-256.
Create IPsec VPN Phase2 interface.
# config vpn ipsec phase2-interface
    edit "FGT_Dial-Up-VPN"
        set phase1name "FGT_Dial-Up"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set keepalive enable
        set src-subnet 10.91.0.0 255.255.240.0 <----- Local subnet.
        set dst-subnet 0.0.0.0 0.0.0.0         <----- Remote subnet (any).
    next
end
Create IPv4 outbound and inbound policies for IPsec VPN.
# config firewall policy
    edit 1
        set name "to_FGT_Dial-Up_clients"
        set srcintf "port5"
        set dstintf "FGT_Dial-Up"
        set srcaddr "LAN_Port5"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 2
        set name "from_FGT_Dial-Up_clients"
        set srcintf "FGT_Dial-Up"
        set dstintf "port5"
        set srcaddr "all"
        set dstaddr "LAN_Port5"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
- Although a route-based IPsec tunnel has been created, no static route is needed on the server because this is a dial-up VPN: with net-device enabled, FortiGate creates a tunnel interface per peer and installs a route to that peer's phase2 source subnet when its tunnel comes up, removing it again when the tunnel goes down.


IPSec Dial-Up VPN Client1 Configuration.

Configure Interfaces.
# config system interface
    edit "port1"
        set vdom "root"
        set ip 10.56.245.44 255.255.252.0
        set allowaccess ping https ssh http
        set alias "WAN"
        set role wan
    next
    edit "port6"
        set vdom "root"
        set ip 10.92.1.43 255.255.240.0
        set allowaccess ping https ssh http
        set alias "LAN_Port6"
        set role lan
    next
end
Configure a static default route to the internet.
- This configuration may not be required in the environment if a default route to the internet is received dynamically.
# config router static
    edit 1
        set gateway 10.56.247.254
        set device "port1"
    next
end
Create address objects for the LAN subnet and the VPN server LAN subnet.
# config firewall address
    edit "LAN_Port6"
        set subnet 10.92.0.0 255.255.240.0
    next
    edit "VPN_Server_LAN"
        set subnet 10.91.0.0 255.255.240.0
    next
end
Create IPsec VPN Phase1 interface.
# config vpn ipsec phase1-interface
    edit "VPN_Server"
        set interface "port1"
        set mode aggressive
        set peertype one
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set localid "client1"                  <----- This is the username defined on the VPN Server.
        set remote-gw 10.56.241.43
        set peerid "VPN_Server"                <----- This is the localid of the VPN Server.
        set psksecret fortinet
    next
end

Create IPsec VPN Phase2 interface.
# config vpn ipsec phase2-interface
    edit "VPN_Server"
        set phase1name "VPN_Server"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
        set src-subnet 10.92.0.0 255.255.240.0 <----- Local subnet.
        set dst-subnet 10.91.0.0 255.255.240.0 <----- Remote subnet (VPN server LAN subnet).
    next
end
Create IPv4 outbound and inbound policies for IPsec VPN.
# config firewall policy
    edit 1
        set name "to_VPN_Server"
        set srcintf "port6"
        set dstintf "VPN_Server"
        set srcaddr "LAN_Port6"
        set dstaddr "VPN_Server_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 2
        set name "from_VPN_Server"
        set srcintf "VPN_Server"
        set dstintf "port6"
        set srcaddr "VPN_Server_LAN"
        set dstaddr "LAN_Port6"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
Create a static route to VPN server LAN subnet.
# config router static
    edit 2
        set dst 10.91.0.0 255.255.240.0
        set device "VPN_Server"
    next
end

IPSec Dial-Up VPN Client2 Configuration.

Configure Interfaces.
# config system interface
    edit "port1"
        set vdom "root"
        set ip 10.57.245.44 255.255.252.0
        set allowaccess ping https ssh http
        set alias "WAN"
        set role wan
    next
    edit "port7"
        set vdom "root"
        set ip 10.93.1.43 255.255.240.0
        set allowaccess ping https ssh http
        set alias "LAN_Port7"
        set role lan
    next
end
Configure a static default route to the internet.
- This configuration may not be required in the environment if a default route to the internet is received dynamically.
# config router static
    edit 1
        set gateway 10.57.247.254
        set device "port1"
    next
end
Create address objects for the LAN subnet and the VPN server LAN subnet.
# config firewall address
    edit "LAN_Port7"
        set subnet 10.93.0.0 255.255.240.0
    next
    edit "VPN_Server_LAN"
        set subnet 10.91.0.0 255.255.240.0
    next
end
Create IPsec VPN Phase1 interface.
# config vpn ipsec phase1-interface
    edit "VPN_Server"
        set interface "port1"
        set mode aggressive
        set peertype one
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set localid "client2"                  <----- This is the username defined on the VPN Server.
        set remote-gw 10.56.241.43
        set peerid "VPN_Server"                <----- This is the localid of the VPN Server.
        set psksecret password
    next
end
Create IPsec VPN Phase2 interface.
# config vpn ipsec phase2-interface
    edit "VPN_Server"
        set phase1name "VPN_Server"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
        set src-subnet 10.93.0.0 255.255.240.0 <----- Local subnet.
        set dst-subnet 10.91.0.0 255.255.240.0 <----- Remote subnet (VPN server LAN subnet).
    next
end
Create IPv4 outbound and inbound policies for IPsec VPN.
# config firewall policy
    edit 1
        set name "to_VPN_Server"
        set srcintf "port7"
        set dstintf "VPN_Server"
        set srcaddr "LAN_Port7"
        set dstaddr "VPN_Server_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 2
        set name "from_VPN_Server"
        set srcintf "VPN_Server"
        set dstintf "port7"
        set srcaddr "VPN_Server_LAN"
        set dstaddr "LAN_Port7"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
Create a static route to VPN server LAN subnet.
# config router static
    edit 2
        set dst 10.91.0.0 255.255.240.0
        set device "VPN_Server"
    next
end
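The server and client fragments above form one set of bindings that has to agree on both ends: each client's localid must name a user in the server's usrgrp, its psksecret must equal that user's password, its peerid must equal the server's localid, and the phase2 selectors must nest (client dst-subnet inside the server src-subnet, client src-subnet inside the server dst-subnet). The following Python script is an added example, not part of the Fortinet article: it parses FortiOS-style fragments and checks those bindings for every client before the configurations are pushed. The embedded config strings are re-typed from the article's values, the 20-character minimum PSK length is our own threshold, and the parser handles only the flat config/edit/set shape used on this page.

```python
import ipaddress, shlex

# Constructed input: the server tables from the article that carry identity and
# selector state, re-typed without indentation (FortiOS ignores indentation).
SERVER_CFG = """
config user local
edit "client1"
set passwd fortinet
next
edit "client2"
set passwd password
next
end
config user group
edit "Dial-Up-VPN_FortiGates"
set member "client1" "client2"
next
end
config vpn ipsec phase1-interface
edit "FGT_Dial-Up"
set peertype dialup
set localid "VPN_Server"
set usrgrp "Dial-Up-VPN_FortiGates"
next
end
config vpn ipsec phase2-interface
edit "FGT_Dial-Up-VPN"
set src-subnet 10.91.0.0 255.255.240.0
set dst-subnet 0.0.0.0 0.0.0.0
next
end
"""

def client_cfg(localid, psk, lan, peerid="VPN_Server"):
    # Constructed client fragment in the article's shape, one per dial-up FortiGate.
    return f"""
config vpn ipsec phase1-interface
edit "VPN_Server"
set mode aggressive
set localid "{localid}"
set remote-gw 10.56.241.43
set peerid "{peerid}"
set psksecret {psk}
next
end
config vpn ipsec phase2-interface
edit "VPN_Server"
set src-subnet {lan} 255.255.240.0
set dst-subnet 10.91.0.0 255.255.240.0
next
end
"""

def parse_fortios(text):
    """Flat FortiOS CLI (config/edit/set/next/end) -> {table: {entry: {key: [values]}}}.
    A leading '#' prompt and the article's '<-----' annotations are stripped."""
    cfg, table, entry = {}, None, None
    for raw in text.splitlines():
        toks = shlex.split(raw.split("<-----")[0].lstrip(" #"))
        if not toks:
            continue
        if toks[0] == "config":
            table = cfg.setdefault(" ".join(toks[1:]), {})
        elif toks[0] == "edit":
            entry = table.setdefault(toks[1], {})
        elif toks[0] == "set":
            entry[toks[1]] = toks[2:]
    return cfg

def net(vals):
    return ipaddress.ip_network(f"{vals[0]}/{vals[1]}", strict=False)

def check_client(server, client, min_psk_len=20):
    """Return (errors, warnings): errors break the tunnel, warnings are hygiene."""
    s1 = next(p for p in server["vpn ipsec phase1-interface"].values() if p.get("peertype") == ["dialup"])
    s2 = next(iter(server["vpn ipsec phase2-interface"].values()))
    c1 = next(iter(client["vpn ipsec phase1-interface"].values()))
    c2 = next(iter(client["vpn ipsec phase2-interface"].values()))
    errors, warnings = [], []
    user, group = c1.get("localid", [""])[0], s1["usrgrp"][0]
    account = server["user local"].get(user)
    # localid is the username; the server finds it in usrgrp and uses its password as the PSK.
    if account is None or user not in server["user group"][group]["member"]:
        errors.append(f"localid {user!r} is not a user in group {group!r}")
    elif account["passwd"] != c1.get("psksecret"):
        errors.append(f"psksecret of {user!r} differs from the server-side password")
    if c1.get("peerid") != s1["localid"]:
        errors.append(f"peerid {c1.get('peerid')} != server localid {s1['localid']}")
    # Selectors: client remote subnet inside server local subnet, and vice versa.
    if not net(c2["dst-subnet"]).subnet_of(net(s2["src-subnet"])):
        errors.append("client dst-subnet is not covered by the server src-subnet")
    if not net(c2["src-subnet"]).subnet_of(net(s2["dst-subnet"])):
        errors.append("client src-subnet is not covered by the server dst-subnet")
    # Aggressive-mode PSK auth is only as strong as this user password (threshold is ours).
    if len(c1.get("psksecret", [""])[0]) < min_psk_len:
        warnings.append(f"psksecret for {user!r} is shorter than {min_psk_len} characters")
    return errors, warnings

CLIENTS = {"client1": client_cfg("client1", "fortinet", "10.92.0.0"),
           "client2": client_cfg("client2", "password", "10.93.0.0")}

def audit(server_text=SERVER_CFG, clients=CLIENTS):
    """Map each client name to its (errors, warnings) against the server."""
    server = parse_fortios(server_text)
    return {n: check_client(server, parse_fortios(t)) for n, t in clients.items()}
```

Run `audit()` with the article's values and both clients come back with no errors but a short-PSK warning each; pass a client whose localid is not in the group, whose peerid differs from the server's localid, or whose psksecret differs from the server-side password, and the corresponding error is reported. The same parser can be pointed at a `show full-configuration` dump from a real unit, as long as only the tables used here are needed.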
Verification.
- From PC_B ping a host on the server LAN subnet. The ping is successful.
- On 'FortiGate-Dial-up_Client1' go to Monitor -> IPsec Monitor to view the IPsec tunnel status.
- On 'FortiGate-Dial-up_Client1' CLI use the command '# diagnose vpn tunnel list' to view IPsec tunnel details.
- From PC_C ping a host on the server LAN subnet. The ping is successful.
- On 'FortiGate-Dial-up_Client2' go to Monitor -> IPsec Monitor to view the IPsec tunnel status.
- On 'FortiGate-Dial-up_Client2' CLI use the command '# diagnose vpn tunnel list' to view IPsec tunnel details.
- From PC_A ping hosts on the Dial-Up clients' LAN subnets. The pings are successful.
- On 'FortiGate_VPN_Server' go to Monitor -> IPsec Monitor to view the status of the IPsec VPN Dial-Up clients.
- On 'FortiGate_VPN_Server' CLI use the command '# diagnose vpn tunnel list' to view IPsec tunnel details.
- On 'FortiGate_VPN_Server' CLI, '# get router info routing-table all' should show one dynamically added route per connected client LAN subnet (10.92.0.0/20 and 10.93.0.0/20) via the per-peer tunnel interface; if a client's tunnel is up but its route is missing, check that the client's phase2 src-subnet is the subnet it expects to reach from the server.