rahulkaushik-22
Article Id 269816
Description

This article describes how to run a dialup IPsec VPN over the wireless network for an additional layer of security.
Scope

FortiGate.

Solution

Topology:

Wireless client (192.168.1.2)----Tunnel mode SSID-----FortiAP(10.10.10.2)----------(10.10.10.1)FortiGate(wan:10.9.10.242)

For an additional layer of security, the IPsec tunnel is built over the wireless network: the FortiGate acts as both the wireless controller and the dialup IPsec server.

The FortiAP broadcasts the tunnel-mode SSID Dialup-IPSec.

A dialup IPsec server (tunnel) is created on the FortiGate for the wireless clients; a VPN template can be used to create it. Its tunnel interface is named Wireless-IPSec.

Note:

Split tunneling must be disabled so that the wireless clients' Internet traffic is sent over the tunnel rather than directly.

Two firewall policies are required: one to bring up the tunnel and one to allow the wireless clients to access the Internet.

The first policy is from the tunnel-mode SSID interface (Dialup-IPSec) to the WAN interface; it permits the traffic that brings up the tunnel.

The second policy is from the IPsec interface (Wireless-IPSec) to the WAN interface; it allows the wireless clients to reach the Internet through the tunnel.

The FortiGate is now configured.

On the wireless client:

Connect to the SSID.


Connect to the VPN.


In this case, host 192.168.2.1 is an external IP address that the wireless client pings through the tunnel.

router # dia sniffer packet any ' host 192.168.2.1 and icmp' 4 20
Using Original Sniffing Mode
interfaces=[any]
filters=[ host 192.168.2.1 and icmp]
2.717551 Wireless-IPSec in 10.1.1.1 -> 192.168.2.1: icmp: echo request <------- traffic arrives on the tunnel interface
2.717576 Wireless-IPSec out 192.168.2.1 -> 10.1.1.1: icmp: echo reply <------- reply leaves via the tunnel interface
3.724090 Wireless-IPSec in 10.1.1.1 -> 192.168.2.1: icmp: echo request
3.724109 Wireless-IPSec out 192.168.2.1 -> 10.1.1.1: icmp: echo reply
4.738996 Wireless-IPSec in 10.1.1.1 -> 192.168.2.1: icmp: echo request


The sniffer output shows that the wireless client's traffic arrives over the IPsec tunnel, which provides the additional layer of security.
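As an added check (example script, not part of the original article), the following Python parses the per-packet header lines printed by diagnose sniffer packet at verbosity 4 and flags any packet from the wireless segment that enters the FortiGate on the SSID interface bound for a destination other than the FortiGate itself. With split tunneling disabled, every client packet should instead arrive decrypted on Wireless-IPSec, and the only traffic on the Dialup-IPSec side should be the IKE/NAT-T exchange that carries the tunnel. The interface names and the addresses 192.168.1.2, 10.1.1.1 and 10.9.10.242 come from the article; the /24 subnet sizes, the SSID gateway address 192.168.1.1 and every sample capture line other than the two copied from the article are constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Interface names from the article's topology and sniffer output.
SSID_INTF = "Dialup-IPSec"        # tunnel-mode SSID (Wi-Fi side, after WPA decryption)
IPSEC_INTF = "Wireless-IPSec"     # dialup IPsec tunnel interface

# Assumed addressing: the article shows client 192.168.1.2, tunnel address 10.1.1.1
# and WAN 10.9.10.242; the subnet sizes and the SSID gateway 192.168.1.1 are assumptions.
WIRELESS_NET = ip_network("192.168.1.0/24")
TUNNEL_POOL = ip_network("10.1.1.0/24")
FGT_LOCAL_IPS = {ip_address("10.9.10.242"), ip_address("192.168.1.1")}
IKE_PORTS = {500, 4500}

# Verbosity-4 header line: <seconds> <interface> <in|out> <src[.port]> -> <dst[.port]>: <details>
LINE_RE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+):\s*(?P<proto>.*)$"
)


def split_endpoint(token):
    """'192.168.1.2.4500' -> (IPv4Address('192.168.1.2'), 4500); '10.1.1.1' -> (addr, None)."""
    parts = token.split(".")
    if len(parts) == 5:
        return ip_address(".".join(parts[:4])), int(parts[4])
    return ip_address(token), None


def parse_line(line):
    """Return a dict for a packet header line, or None for any other sniffer output."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, sport = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    return {"ts": float(m["ts"]), "intf": m["intf"], "dir": m["dir"],
            "src": src, "sport": sport, "dst": dst, "dport": dport,
            "proto": m["proto"].strip()}


def classify(pkt):
    """Label an ingress packet by how it relates to the tunnel.

    tunneled : decrypted client traffic arriving on the IPsec interface (expected)
    ike_esp  : IKE / NAT-T from the Wi-Fi segment to the FortiGate (expected, carries the tunnel)
    local    : other Wi-Fi traffic addressed to the FortiGate itself (DHCP, DNS, ...)
    bypass   : Wi-Fi client traffic to any other destination, i.e. outside the tunnel
    other    : egress packets and unrelated interfaces
    """
    if pkt["dir"] != "in":
        return "other"
    if pkt["intf"] == IPSEC_INTF and pkt["src"] in TUNNEL_POOL:
        return "tunneled"
    if pkt["intf"] == SSID_INTF and pkt["src"] in WIRELESS_NET:
        if pkt["dst"] in FGT_LOCAL_IPS:
            if pkt["dport"] in IKE_PORTS or pkt["proto"].startswith("ESP"):
                return "ike_esp"
            return "local"
        return "bypass"
    return "other"


def audit(lines):
    """Count packets per category and return the raw lines that bypass the tunnel."""
    counts = {"tunneled": 0, "ike_esp": 0, "local": 0, "bypass": 0, "other": 0}
    bypass_lines = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        label = classify(pkt)
        counts[label] += 1
        if label == "bypass":
            bypass_lines.append(line.strip())
    return counts, bypass_lines


# Constructed sample capture in the article's sniffer format. Lines 2 and 3 are copied
# from the article; the others are made up to show a NAT-T packet, a DHCP renewal, and
# one DNS query leaving the wireless segment outside the tunnel.
SAMPLE_CAPTURE = """\
2.717401 Dialup-IPSec in 192.168.1.2.4500 -> 10.9.10.242.4500: udp 136
2.717551 Wireless-IPSec in 10.1.1.1 -> 192.168.2.1: icmp: echo request
2.717576 Wireless-IPSec out 192.168.2.1 -> 10.1.1.1: icmp: echo reply
3.001200 Dialup-IPSec in 192.168.1.2.68 -> 192.168.1.1.67: udp 300
5.102233 Dialup-IPSec in 192.168.1.2.51514 -> 8.8.8.8.53: udp 40
""".splitlines()

if __name__ == "__main__":
    counts, leaks = audit(SAMPLE_CAPTURE)
    print(counts)
    for leak in leaks:
        print("BYPASS:", leak)
```

Feed the script the saved output of a sniffer run on the any interface without the icmp filter, so that the NAT-T exchange and any leaked traffic are both visible. A non-empty bypass list means some wireless client traffic is leaving the SSID segment without going through the tunnel, and the client's VPN settings or the first firewall policy should be reviewed.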