Staff

Technical Tip: How to configure IPsec remote access with a full tunnel

Forum|Forum|6 years ago
May 1, 2020
0 replies
88570 views

Description

This article describes how to configure a remote access VPN with a full tunnel when it is required that the remote VPN user's internet traffic go through an IPsec VPN tunnel.

Scope

FortiGate (FortiOS v6.4, v7.0, v7.2, v7.4, v7.6)/FortiClient v7.0/v7.2/v7.4 (Windows/macOS).

Solution

In this example, remote users are allowed to access the corporate network using an IPsec VPN connected using FortiClient. The remote user's internet traffic is also routed through the IPsec tunnel to FortiGate (split tunneling will not be enabled).

To create a new firewall address, go to Policy & Objects -> Addresses and select 'Create New'. Set Category to address and enter a Name. Set type to 'Subnet' under Subnet/IP Range to the local subnet, and Interface to 'lan'.

Configuring the IPsec VPN.
To create the VPN, go to VPN -> IPsec Wizard and create a new tunnel using a pre-existing template.

Name the VPN.

Note:
The tunnel name cannot include any spaces or exceed 13 characters.

Set 'Remote Access' under 'Template Type', and set' FortiClient' under 'Remote Device Type' to FortiClient VPN for OS X, Windows, and Android.

Set the Incoming Interface to 'WAN1' and 'Authentication Method' to 'Pre-shared Key'.

Enter a pre-shared key.

This pre-shared key is a credential for the VPN and differs from the user password.

Select the 'Employees group'.

Set 'Local Interface' to 'lan' and set 'Local Address' to the 'Internal-Network'.
Enter a 'Client Address Range' for VPN users.
The IP range entered here prompts FortiOS to create a new firewall object for the VPN tunnel using the name of the tunnel, followed by the '_range' suffix (in the example, IPsec-FCT_range).

Make sure Enable IPv4 Split Tunnel is not selected, so that all Internet traffic will go through the FortiGate.
If Enable Split Tunneling is selected, traffic not intended for the corporate network will not flow through the FortiGate or be subject to the corporate security profiles.

Select 'Client Options' as desired.

After the tunnel is created, a summary page appears listing the objects that have been added to the FortiGate’s configuration by the wizard.

If multiple dial-up IPsec VPNs are defined for the same dial-up server interface, each phase1 configuration has to define a unique peer ID to distinguish the tunnel that the remote client is connecting to:

Go to VPN -> IPsec Tunnels and edit the just-created tunnel.
Select 'Convert To Custom Tunnel'.
In the Authentication section, select 'Edit'.
Under 'Peer Options', set 'Accept Types' to 'Specific peer ID'.
In the 'Peer ID' field, enter a unique ID, such as 'dialup1'.
Select 'OK'.

To view the VPN interface created by the wizard, go to Network -> Interfaces.

To view the firewall address created by the wizard, go to Policy & Objects -> Addresses.

To view the firewall policy created by the wizard, go to Policy & Objects -> Firewall Policy.

Creating a firewall policy.

The IPsec Wizard automatically created a firewall policy allowing IPsec VPN users to access the internal network.

However, since split tunneling is disabled, another policy has to be created to allow users to access the Internet through the FortiGate.

To create a new policy, go to Policy & Objects -> Firewall Policy and select 'Create New'.

Set a policy name that will identify what this policy is used for (in the example, IPsec-VPN-Internet).
Set the Incoming Interface to the tunnel interface and the Outgoing Interface to WAN1.
Set Source to the IPsec client address range, Destination Address to all, Service to ALL, and enable NAT.

Configure any remaining firewall and security options as desired.

Note:

For IKEv1/IKEv2 - Ensure that the user group is defined either under the VPN configuration or within the firewall policy.
For more details, refer to the FortiGate Administration Guide: Using single or multiple user groups for user authentication.

Note Public Cloud: For FortiGate HA deployments on the cloud, it is required to manually set the same IP on the tunnel interface on the secondary unit. The cluster will be out of sync until this action is performed. This only occurs if the IP on the IPsec tunnel is configured.

Example:

Config through the member 'FGT-A' as stated above.
Copy the interface tunnel settings to the secondary member 'FGT-B'.
The cluster will be in sync again.

Configuring FortiClient.
To add the VPN connection, open FortiClient, go to Remote Access, and select 'Add a new connection'.

Set the VPN to 'IPsec VPN' and 'Remote Gateway' to the 'FortiGate IP address'.
Set 'Authentication Method' to' Pre-Shared Key' and enter the key below.

Expand 'Advanced Settings' to 'Phase 1' and in the Local ID field, enter dialup1. Configure remaining settings as needed, then select 'Save'.

When using full-tunnel, there will be an instance when access to the local network of the remote user is not possible. To avoid this, in the FortiClient, enable the option 'Enable Local LAN':

Expand the 'Phase2' on FortiClient routes to ensure 0.0.0.0/0 from the client goes into the tunnel.

Note:

Make sure there is no VIP configured for port 500 and port 4500 on the WAN interface that is being used for the IPsec dial-up connection. Otherwise, the connection to the IPsec dial-up cannot be established successfully.

Note:

If the DH value in phase1 and phase2 are set to 5, there are chances to get connection failures after upgrading to the 7.6.5 version of FortiOS. Because the default DH value has been changed from 5 and 14 to 14,20, and 21. To not make any disruption for the users, better to update DH groups to 14, 20 or 21.

Debugging:

diagnose debug disable
diagnose debug reset
diagnose vpn ike log-filter dst-addr4 <ip.of.remote.peer>
diagnose debug application ike -1
diagnose debug console timestamp enable
diagnose debug enable

Starting from v7.4.1, the 'diagnose vpn ike log-filter dst-addr4' command has been changed to 'diagnose vpn ike log filter rem-addr4'.

Note:

By default, the option net-device is enabled. Starting from FortiOS v7.4, the option is disabled by default when creating the IPsec dial-up tunnel on the FortiGate, which can be viewed from the GUI under IPsec Tunnel -> Edit the tunnel name -> Expand Network section -> Select Advanced -> Device creation option or through the CLI command below:

show full-configuration vpn ipsec phase1-interface <tunnel name> | grep "net-device"

Result:

set net-device [disable | enable]

FortiOS created a dynamic interface for each connected VPN client when this option is enabled, which means all packets, bytes, errors, and drops are logged under a separate interface name for each connected dial-up client. When the option is disabled, all this information is logged under a single static interface name representing the IPsec tunnel configured on the FortiGate.

The command below will show the list of IPSEC SAs of the dial-up phase 1:

diagnose vpn tunnel dialup-list <phase1-name>

This is useful in the case of tracking tunnel performance, volume, or errors for specific dial-up connections when the option is enabled. The following command allows the firewall administrator to view this information:

diagnose netlink interface list

Note:

In v7.6 and above, in the IPsec configuration wizard, the option 'EMS SN verification' is enabled by default.

For the free VPN version, FortiClient will not work and will not connect. The below option can be disabled during VPN configuration using VPN Wizard:

If it is already configured, follow the below option to disable the EMS SN verification option:

For more information about this feature, check this document: Enhancing IPsec security and performance 7.2.8. Regarding supported features for free FortiClient, follow this KB article: Technical Tip: FortiClient licensing and support.

Notes:

FortiClient v7.4.4 does not support IPsec VPN IKEv1. Configure IPsec VPN IKEv2 if using FortiClient v7.4.4. To download a different version of FortiClient, log in to the support portal and download the required version. Refer to this article: Technical Tip How to download different or old versions FortiClient.
FortiClient v7.4.4 does not include a free VPN-only agent. Users can continue to use the FortiClient v7.4.3 free VPN-only agent.
FortiClient feature comparison: 7.4.4
SAML-based authentication is now supported for FortiClient remote access dial-up IPsec VPN clients.