Description
The “normal” Cisco VPN configuration for FortiGate appliances is documented elsewhere and applies where all users of the Cisco VPN have the same access rights.
This article explains how to alter the configuration to allow different groups to be provided access to different resources.
Solution
Requirements
- FortiGate appliance
- Wan1 is connected to the WAN.
- Port2 is connected to the LAN.
- Authentication already configured (LDAP, Active Directory, or Local).
- Two user groups already created (“vpn-group1” and “vpn-group2”).
Configuration
In this configuration, each group will get assigned an IP address from a distinct IP pool. If the user is in vpn-group1 they will be assigned an IP address from 10.100.0.[11-19], and if the user is in vpn-group2 they will be assigned an IP address from 10.100.0.[21-29].
Ensure that a secondary IP address is created on wan1 of 10.100.0.1/24 – this will be used as the default gateway for all VPN clients.
The first step is to configure the Phase1 IPSec VPN tunnel. Then repeat for other groups.
|
config vpn ipsec phase1-interface
edit “vpn-group1-int”
set type dynamic
set interface “wan1”
set dhgrp 2
set proposal 3des-sha1 aes128-sha1
set peertype one
set xauthtype auto
set mode aggressive
set mode-cfg enable
set peerid “RESOURCE-1”
set authusrgrp “vpn-group1”
set ipv4-start-ip 10.100.0.11
set ipv4-end-ip 10.100.0.19
set psksecret “mypass1”
next
end
|
Note the specific variables here:
| Variable |
Usage |
| vpn-group1-int |
Unique Interface Name for this group |
| wan1 |
Physical Interface used for VPN connections |
| peerid |
The “Group Name” in the Cisco VPN configuration |
| authusrgrp |
The User group that is allowed to use this VPN configuration |
| ipv4-start-ip |
Start of the IP address range to be assigned |
| ipv4-end-ip |
End of the IP address range to be assigned |
| psksecret |
Pre-shared Key for this VPN configuration |
The users will need to be given:
- The Peer ID (Cisco VPN Group Name).
- The Pre-shared Key.
- Their username and password (if appropriate).
The Phase 2 configuration follows:
config vpn ipsec phase2-interface
edit “vpn-group1-phase2”
set phase1name “vpn-group1-int”
set proposal 3des-sha1 aes128-sha1
set dhgrp 2
set dst-subnet 10.100.0.0/24
next
end |
Finally, to activate the VPN configuration, there must be a firewall rule. This can be one rule or many. An example rule may be:
config firewall policy
edit 2
set srcintf “vpn-group1-int”
set dstintf “port2”
set srcaddr “all”
set dstaddr “Resource-Addrgroup-1”
set action accept
set schedule “always”
set service “ANY”
set logtraffic enable
set nat enable
next
end |
Here, “Resource-Addrgroup-1” is an address object (or group of addresses objects) that has been defined previously as being the list of resources to which this VPN group has been provided access.
Cisco VPN Configuration
Cisco VPN Clients include the iPhone, iPad and Android VPN configuration. Use the built-in VPN client (or, for Android, download the Cisco VPN configuration from the App Market). Set the IP address (or DNS name), Pre-shared key and Group Name appropriately for the group.
Limitations
A user may not belong to more than one group and use a single VPN configuration. If a user belongs to more than one group, they must use one VPN configuration to connect to one set of resources, and another VPN configuration to connect to another set of resources.
Debugging
As with the standard IPSec VPN, usage of “diag debug app ike -1” will provide much meaningful information on the IPSec VPN negotiation – including which phase1 and phase2 configuration are being negotiated.
Related Articles
Technical Note : Setup a dialup IPSec VPN between Cisco Unity client and FortiGate
