Technical Tip: Dial-up IPsec traffic forwarding to site to site IPsec tunnel
| Description | This article describes how to configure dial-up IPsec VPN over IPSec site-to-site VPN connection. |
| Scope | FortiGate v6.0 or above. |
| Solution |
This configuration sets up a site-to-site IPsec VPN and grants access to the remote endpoint through an IPsec dial-up VPN. A site-to-site VPN connection is configured between the head office (HO) and the branch office; an end user connects to the branch office over an IPsec dial-up connection and from there reaches a server on the HO LAN. Configure the IPsec site-to-site VPN treating the dial-up network subnet/range 10.10.10.0/24 as part of the branch office side:
HO Firewall:
Branch Firewall:
Now configure the site-to-site VPN.
Now configure the IPsec dial-up connection for the branch user.
Now configure a special policy to allow traffic from the dial-up tunnel to the site-to-site tunnel.
Now move to the client's computer and configure the FortiClient.
After a successful connection, the user should be able to reach the 192.168.1.0/24 network which is behind the HO firewall.
Let's verify the same configuration from the CLI:
```
***********************************HO Firewall**************************************
HO-FW # show full-configuration | grep -f "To-Branch"
config system interface
    edit "To-Branch"  <-----
        set vdom "root"
        set type tunnel
        set snmp-index 15
        set interface "port3"
    next
end

config firewall address
    edit "To-Branch_local_subnet_1"  <-----
        set uuid 927e48e0-5473-51ed-4e8e-dbd1c3c97d17
        set allow-routing enable
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "To-Branch_remote_subnet_1"  <-----
        set uuid 92896392-5473-51ed-1aa9-aa8ea0c27f81
        set allow-routing enable
        set subnet 192.168.2.0 255.255.255.0
    next
    edit "To-Branch_remote_subnet_2"  <-----
        set uuid 928efbae-5473-51ed-59c5-921e3b809bdf
        set allow-routing enable
        set subnet 10.10.10.0 255.255.255.0
    next
end

config firewall addrgrp
    edit "To-Branch_local"  <-----
        set uuid 9283ab00-5473-51ed-d27f-a450aed98e3d
        set member "To-Branch_local_subnet_1"  <-----
        set comment "VPN: To-Branch (Created by VPN wizard)"  <-----
        set allow-routing enable
    next
    edit "To-Branch_remote"  <-----
        set uuid 9294903c-5473-51ed-388c-585fdf647eb4
        set member "To-Branch_remote_subnet_1" "To-Branch_remote_subnet_2"  <-----
        set comment "VPN: To-Branch (Created by VPN wizard)"  <-----
        set allow-routing enable
    next
end

config vpn ipsec phase1-interface
    edit "To-Branch"  <-----
        set interface "port3"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: To-Branch (Created by VPN wizard)"  <-----
        set wizard-type static-fortigate
        set remote-gw 172.16.1.2
        set psksecret ENC DRtAUEChBpiKZvQ0FxIgP8eSw8Zj2ZghjE1 YJj1JiPfn6LtHoLLNcbYPPeNrHlph4wGEZTNyBQ8E3Jgd0Of YPZClWr4GCTLExH3LJc3MsNRT4DHqQZPsW4pRu8T5iu3ZJgcdA0Q50wcER Y1cBjgRGqJ6rXzSEWDjlLxvJWUxuuYjMAkg8GRXTj+syH3EnKy9Ites/w==
    next
end

config vpn ipsec phase2-interface
    edit "To-Branch"  <-----
        set phase1name "To-Branch"  <-----
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set comments "VPN: To-Branch (Created by VPN wizard)"  <-----
        set src-addr-type name
        set dst-addr-type name
        set src-name "To-Branch_local"  <-----
        set dst-name "To-Branch_remote"  <-----
    next
end

config firewall policy
    edit 2
        set name "vpn_To-Branch_local_0"  <-----
        set uuid 92ab822e-5473-51ed-514b-e46aa198cd3e
        set srcintf "port2"
        set dstintf "To-Branch"  <-----
        set action accept
        set srcaddr "To-Branch_local"  <-----
        set dstaddr "To-Branch_remote"  <-----
        set schedule "always"
        set service "ALL"
        set comments "VPN: To-Branch (Created by VPN wizard)"  <-----
    next
    edit 3
        set name "vpn_To-Branch_remote_0"  <-----
        set uuid 92bc5072-5473-51ed-9787-03aa6d45305b
        set srcintf "To-Branch"  <-----
        set dstintf "port2"
        set action accept
        set srcaddr "To-Branch_remote"  <-----
        set dstaddr "To-Branch_local"  <-----
        set schedule "always"
        set service "ALL"
        set comments "VPN: To-Branch (Created by VPN wizard)"  <-----
    next
end

config router static
    edit 2
        set device "To-Branch"  <-----
        set comment "VPN: To-Branch (Created by VPN wizard)"  <-----
        set dstaddr "To-Branch_remote"  <-----
    next
    edit 3
        set distance 254
        set comment "VPN: To-Branch (Created by VPN wizard)"  <-----
        set blackhole enable
        set dstaddr "To-Branch_remote"  <-----
    next
end
HO-FW #
```
```
**********************************Branch Firewall***************************
config system interface
    edit "To-HO"  <-----
        set vdom "root"
        set type tunnel
        set snmp-index 15
        set interface "port3"
    next
end

config firewall address
    edit "To-HO_local_subnet_1"  <-----
        set uuid 0c6420fa-547c-51ed-2ea9-ec6c14a37679
        set allow-routing enable
        set subnet 192.168.2.0 255.255.255.0
    next
    edit "To-HO_local_subnet_2"  <-----
        set uuid 0c6990b2-547c-51ed-3469-5d282a92059e
        set allow-routing enable
        set subnet 10.10.10.0 255.255.255.0
    next
    edit "To-HO_remote_subnet_1"  <-----
        set uuid 0c9c0754-547c-51ed-7da1-3a1944314334
        set allow-routing enable
        set subnet 192.168.1.0 255.255.255.0
    next
end

config firewall addrgrp
    edit "To-HO_local"  <-----
        set uuid 0c6f6d98-547c-51ed-e863-e9aec3dc7182
        set member "To-HO_local_subnet_1" "To-HO_local_subnet_2"  <-----
        set comment "VPN: To-HO (Created by VPN wizard)"  <-----
        set allow-routing enable
    next
    edit "To-HO_remote"  <-----
        set uuid 0ca1b190-547c-51ed-f62e-d296247a9edc
        set member "To-HO_remote_subnet_1"  <-----
        set comment "VPN: To-HO (Created by VPN wizard)"  <-----
        set allow-routing enable
    next
    edit "IPSec-Dailup_split"
        set uuid 26b64874-54a0-51ed-9c6f-bb6c2c8d2de9
        set member "To-HO_local_subnet_1" "To-HO_remote_subnet_1"  <-----
        set comment "VPN: IPSec-Dailup (Created by VPN wizard)"
    next
end

config vpn ipsec phase1-interface
    edit "To-HO"  <-----
        set interface "port3"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: To-HO (Created by VPN wizard)"  <-----
        set wizard-type static-fortigate
        set remote-gw 172.16.1.1
        set psksecret ENC A3Ww0ZaJ6uc1Z7Qt2xhQOqmEOKpig4y/mKBGQNFRHAa0n5UMfHnz3bzAS4vp9naTCRt3Hj9R042XEvYmkXEDWfOLZSwo3kwVH6+ kn9RfnolauTTcQXc80TXk7sYGFUvAkPuc9GHNOW/XG O5MWeWAXnEEcTZ14cV7mNojsdfNrwOQhxgCV3uDWUUB6fspRN1aOwlyLA==
    next
end

config vpn ipsec phase2-interface
    edit "To-HO"  <-----
        set phase1name "To-HO"  <-----
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set comments "VPN: To-HO (Created by VPN wizard)"  <-----
        set src-addr-type name
        set dst-addr-type name
        set src-name "To-HO_local"  <-----
        set dst-name "To-HO_remote"  <-----
    next
end

config firewall policy
    edit 2
        set name "vpn_To-HO_local_0"  <-----
        set uuid 0cb9ed8c-547c-51ed-fc8f-266ec53018c0
        set srcintf "port2"
        set dstintf "To-HO"  <-----
        set action accept
        set srcaddr "To-HO_local"  <-----
        set dstaddr "To-HO_remote"  <-----
        set schedule "always"
        set service "ALL"
        set comments "VPN: To-HO (Created by VPN wizard)"  <-----
    next
    edit 3
        set name "vpn_To-HO_remote_0"  <-----
        set uuid 0cc1921c-547c-51ed-041c-db5cc294f879
        set srcintf "To-HO"  <-----
        set dstintf "port2"
        set action accept
        set srcaddr "To-HO_remote"  <-----
        set dstaddr "To-HO_local"  <-----
        set schedule "always"
        set service "ALL"
        set comments "VPN: To-HO (Created by VPN wizard)"  <-----
    next
    edit 4
        set name "vpn_IPSec-Dailup_TO-Branch"
        set uuid 26d1f452-54a0-51ed-50c6-0561c12b094e
        set srcintf "IPSec-Dailup"
        set dstintf "port2"
        set action accept
        set srcaddr "IPSec-Dailup_range"
        set dstaddr "To-HO_local_subnet_1" "To-HO_remote_subnet_1"  <-----
        set schedule "always"
        set service "ALL"
        set nat enable
        set groups "IPSecUser"
        set comments "VPN: IPSec-Dailup (Created by VPN wizard)"
    next
    edit 5
        set name "vpn_IPSec-Dailup_TO-HO"
        set uuid 13924fb2-54a1-51ed-7022-bf38b9b0a543
        set srcintf "IPSec-Dailup"
        set dstintf "To-HO"  <-----
        set action accept
        set srcaddr "IPSec-Dailup_range"
        set dstaddr "To-HO_remote_subnet_1"  <-----
        set schedule "always"
        set service "ALL"
        set comments "VPN: IPSec-Dailup (Created by VPN wizard) (Copy of vpn_IPSec-Dailup_remote_0)"
    next
end

config router static
    edit 2
        set device "To-HO"  <-----
        set comment "VPN: To-HO (Created by VPN wizard)"  <-----
        set dstaddr "To-HO_remote"  <-----
    next
    edit 3
        set distance 254
        set comment "VPN: To-HO (Created by VPN wizard)"  <-----
        set blackhole enable
        set dstaddr "To-HO_remote"  <-----
    next
end
Branch-FW #
```
```
******************************Branch Dial-up connection*****************************
Branch-FW # show full-configuration | grep -f "IPSec-Dailup"
config system interface
    edit "IPSec-Dailup"  <-----
        set vdom "root"
        set allowaccess fabric
        set type tunnel
        set snmp-index 16
        set interface "port4"
    next
end

config firewall address
    edit "IPSec-Dailup_range"  <-----
        set uuid 26cb9d00-54a0-51ed-d404-1b1760c06cac
        set type iprange
        set comment "VPN: IPSec-Dailup (Created by VPN wizard)"  <-----
        set start-ip 10.10.10.1
        set end-ip 10.10.10.254
    next
end

config firewall addrgrp
    edit "IPSec-Dailup_split"  <-----
        set uuid 26b64874-54a0-51ed-9c6f-bb6c2c8d2de9
        set member "To-HO_local_subnet_1" "To-HO_remote_subnet_1"
        set comment "VPN: IPSec-Dailup (Created by VPN wizard)"  <-----
    next
end

config vpn ipsec phase1-interface
    edit "IPSec-Dailup"  <-----
        set type dynamic
        set interface "port4"
        set mode aggressive
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: IPSec-Dailup (Created by VPN wizard)"  <-----
        set wizard-type dialup-forticlient
        set xauthtype auto
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.254
        set dns-mode auto
        set ipv4-split-include "IPSec-Dailup_split"  <-----
        set save-password enable
        set psksecret ENC mDIumK7IXxGoRjau5rAG1ZiirwntyAusnKSvhxStyYU2f9pRJmlFUfIQVT6vpKcRw1iBCHYIj/5UjssS/B1GmCD1bk/hN5iE0B0pOusZvIlmBcQEHmnIrqlGL2baamw7yiVJfCEgcUTjy uPovkTIo6Q2KuYY8NcsjwvDVupAgNhoBqNOnrNqMCoohzkUfI2zTuCV+Q==
    next
end

config vpn ipsec phase2-interface
    edit "IPSec-Dailup"  <-----
        set phase1name "IPSec-Dailup"  <-----
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set comments "VPN: IPSec-Dailup (Created by VPN wizard)"  <-----
    next
end

config firewall policy
    edit 4
        set name "vpn_IPSec-Dailup_TO-Branch"  <-----
        set uuid 26d1f452-54a0-51ed-50c6-0561c12b094e
        set srcintf "IPSec-Dailup"  <-----
        set dstintf "port2"
        set action accept
        set srcaddr "IPSec-Dailup_range"  <-----
        set dstaddr "To-HO_local_subnet_1" "To-HO_remote_subnet_1"
        set schedule "always"
        set service "ALL"
        set nat enable
        set groups "IPSecUser"
        set comments "VPN: IPSec-Dailup (Created by VPN wizard)"  <-----
    next
    edit 5
        set name "vpn_IPSec-Dailup_TO-HO"  <-----
        set uuid 13924fb2-54a1-51ed-7022-bf38b9b0a543
        set srcintf "IPSec-Dailup"  <-----
        set dstintf "To-HO"
        set action accept
        set srcaddr "IPSec-Dailup_range"  <-----
        set dstaddr "To-HO_remote_subnet_1"
        set schedule "always"
        set service "ALL"
        set comments "VPN: IPSec-Dailup (Created by VPN wizard) (Copy of vpn_IPSec-Dailup_remote_0)"  <-----
    next
end
Branch-FW #
```
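A scripted check of the same thing the CLI output above lets you verify by eye, added here as an example and not part of the original article or of FortiOS: it parses `show`-style output and confirms that the dial-up pool (IPSec-Dailup_range) lies inside one subnet of the To-HO Phase 2 local selector, which is what allows the branch to carry 10.10.10.x sources into the site-to-site tunnel. The sample config is a constructed, trimmed copy of the branch firewall entries above, and the parser is a minimal one that assumes no nested `config` blocks inside an `edit`.

```python
import ipaddress
import shlex

# Constructed sample: a trimmed copy of the branch firewall's relevant config.
SAMPLE = """
config firewall address
edit "To-HO_local_subnet_1"
set subnet 192.168.2.0 255.255.255.0
next
edit "To-HO_local_subnet_2"
set subnet 10.10.10.0 255.255.255.0
next
edit "IPSec-Dailup_range"
set start-ip 10.10.10.1
set end-ip 10.10.10.254
next
end
config firewall addrgrp
edit "To-HO_local"
set member "To-HO_local_subnet_1" "To-HO_local_subnet_2"
next
end
config vpn ipsec phase2-interface
edit "To-HO"
set src-name "To-HO_local"
next
end
"""

def parse(text):
    """Flatten FortiOS 'show' output into {section: {entry: {key: [values]}}}."""
    cfg, sec, ent = {}, None, None
    for tok in (shlex.split(line) for line in text.splitlines()):
        if tok and tok[0] == "config":
            sec = cfg.setdefault(" ".join(tok[1:]), {})
        elif tok and tok[0] == "edit":
            ent = sec.setdefault(tok[1], {})
        elif tok and tok[0] == "set":
            ent[tok[1]] = tok[2:]   # values keep their order, e.g. ip then mask
    return cfg

def dialup_pool_covered(cfg, phase2, pool):
    """True when the dial-up pool lies inside one subnet of the Phase 2 src selector;
    an addrgrp selector expands to its members, a plain address is used as-is."""
    name = cfg["vpn ipsec phase2-interface"][phase2]["src-name"][0]
    members = cfg["firewall addrgrp"].get(name, {}).get("member", [name])
    nets = [ipaddress.ip_network("/".join(cfg["firewall address"][m]["subnet"]))
            for m in members]
    lo, hi = (ipaddress.ip_address(cfg["firewall address"][pool][k][0])
              for k in ("start-ip", "end-ip"))
    return any(lo in n and hi in n for n in nets)
```

Run it against `show full-configuration` output from the HO side with `dst-name` in place of `src-name` to confirm the mirror-image selector there.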
Verification from the firewall by capturing packets:
```
HO-FW # diagnose sniffer packet any 'host 192.168.1.2 and icmp' 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 192.168.1.2 and icmp]
2022-11-01 13:24:10.656066 To-Branch in 10.10.10.1 -> 192.168.1.2: icmp: echo request
2022-11-01 13:24:10.656091 port2 out 10.10.10.1 -> 192.168.1.2: icmp: echo request
2022-11-01 13:24:10.656865 port2 in 192.168.1.2 -> 10.10.10.1: icmp: echo reply
2022-11-01 13:24:10.656878 To-Branch out 192.168.1.2 -> 10.10.10.1: icmp: echo reply
2022-11-01 13:24:11.667286 To-Branch in 10.10.10.1 -> 192.168.1.2: icmp: echo request
2022-11-01 13:24:11.667307 port2 out 10.10.10.1 -> 192.168.1.2: icmp: echo request
2022-11-01 13:24:11.667658 port2 in 192.168.1.2 -> 10.10.10.1: icmp: echo reply
2022-11-01 13:24:11.667665 To-Branch out 192.168.1.2 -> 10.10.10.1: icmp: echo reply
```

```
Branch-FW # diagnose sniffer packet any 'host 192.168.1.2 and icmp' 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 192.168.1.2 and icmp]
2022-11-01 13:24:10.627641 IPSec-Dailup in 10.10.10.1 -> 192.168.1.2: icmp: echo request
2022-11-01 13:24:10.627665 To-HO out 10.10.10.1 -> 192.168.1.2: icmp: echo request
2022-11-01 13:24:10.628787 To-HO in 192.168.1.2 -> 10.10.10.1: icmp: echo reply
2022-11-01 13:24:10.628796 IPSec-Dailup out 192.168.1.2 -> 10.10.10.1: icmp: echo reply
2022-11-01 13:24:11.638929 IPSec-Dailup in 10.10.10.1 -> 192.168.1.2: icmp: echo request
2022-11-01 13:24:11.638954 To-HO out 10.10.10.1 -> 192.168.1.2: icmp: echo request
2022-11-01 13:24:11.639510 To-HO in 192.168.1.2 -> 10.10.10.1: icmp: echo reply
2022-11-01 13:24:11.639516 IPSec-Dailup out 192.168.1.2 -> 10.10.10.1: icmp: echo reply
```
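The same packet-path reading done by script, added here as an example and not part of the original article: it groups `diagnose sniffer packet` verbosity-4 lines by flow and reports whether the echo request entered on IPSec-Dailup and left on To-HO (and the reply the reverse). The sample is a constructed copy of four lines from the branch capture above; a flow that is seen `in` but never `out` is the symptom to chase with the debug flow commands that follow.

```python
import re

# Constructed sample: four lines copied from the branch firewall's
# 'diagnose sniffer packet any ... 4' output shown above.
CAPTURE = """\
2022-11-01 13:24:10.627641 IPSec-Dailup in 10.10.10.1 -> 192.168.1.2: icmp: echo request
2022-11-01 13:24:10.627665 To-HO out 10.10.10.1 -> 192.168.1.2: icmp: echo request
2022-11-01 13:24:10.628787 To-HO in 192.168.1.2 -> 10.10.10.1: icmp: echo reply
2022-11-01 13:24:10.628796 IPSec-Dailup out 192.168.1.2 -> 10.10.10.1: icmp: echo reply
"""

# Verbosity-4 line: "<date> <time> <iface> <in|out> <src> -> <dst>: <proto>: <info>"
LINE = re.compile(
    r"^\S+ \S+ (?P<iface>\S+) (?P<dir>in|out) (?P<src>[\d.]+) -> (?P<dst>[\d.]+): "
    r"(?P<proto>\w+): (?P<info>.+)$")

def flow_hops(text):
    """Group capture lines by (src, dst, info) -> ordered [(iface, dir), ...]."""
    hops = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            hops.setdefault((m["src"], m["dst"], m["info"]), []).append((m["iface"], m["dir"]))
    return hops

def path_verdict(hops, src, dst, info, ingress, egress):
    """'forwarded'     : the flow entered on `ingress` and left on `egress`
    'not-forwarded' : entered on `ingress` but no 'out' on `egress` was captured
                      (dropped by policy/route, or consumed locally)
    'absent'        : no packet of that flow was captured at all"""
    seen = hops.get((src, dst, info), [])
    if (ingress, "in") in seen and (egress, "out") in seen:
        return "forwarded"
    if (ingress, "in") in seen:
        return "not-forwarded"
    return "absent"
```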
Verification from the firewall by running debug commands:
```
diagnose debug flow filter addr 192.168.1.2  <----- IP on the other side of the site-to-site tunnel (destination)
diagnose debug flow filter proto 1
diagnose debug flow show function-name enable
diagnose debug flow trace start 999
diagnose debug enable
```
This can provide more information about traffic flow, as well as which policy it is hitting.
Note: If the site-to-site tunnel is established between a FortiGate and a third-party firewall (such as Cisco, SonicWall, etc.), then multiple Phase 2 selectors must be created on the FortiGate, and not multiple subnets within a single Phase 2 selector. This is necessary because FortiGate uses the same SPI value for all subnets in the address group in the Phase 2 configuration, while other firewalls may require different SPI values for each subnet they are configured with.