Technical Tip: Using group based firewall policy for Dial-Up VPN to restrict network access
Description
This article describes how to configure Dial-Up VPN with group-based firewall policies so that network access is restricted to the user group defined in those firewall policies.
Scope
FortiGate.
Solution
From GUI:
- Once the VPN Dial-up tunnel is created, please change the User Group to 'Inherit from Policy':
- Go to VPN -> IPsec -> Tunnels and edit the tunnel.
- Configure the User group as 'Inherit from Policy'.

- Make sure that the user group is added to the firewall policy configured for the VPN.

From CLI:
- Configure the VPN tunnel and make sure no user group ('authusrgrp') is configured on it.
When using IKEv1, 'xauthtype' must be set to auto:
config vpn ipsec phase1-interface
edit "Test_vpn"
set type dynamic
set interface "port2"
set xauthtype auto
next
end
When using IKEv2, EAP must be enabled and the 'authusrgrp' parameter must be left unset, so that the group is inherited from the policy:
config vpn ipsec phase1-interface
edit "Test_vpn"
set type dynamic
set interface "port2"
set ike-version 2
set eap enable
next
end
Under the firewall policy, configure the user group:
config firewall policy
edit 1
set name "vpn_policy"
set srcintf "Test_vpn"
set dstintf "port1"
set srcaddr "vpn_range"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set groups "vpn-group"
next
end
In this example, the user is recognized as a member of the group 'vpn-group', and that group can then be used in the firewall policies.
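As an added audit check (not from this article and not a Fortinet tool), the following Python reads a constructed FortiOS configuration and reports a dial-up tunnel that still sets 'authusrgrp', lacks the 'xauthtype auto' (IKEv1) or 'eap enable' (IKEv2) setting, or an accept policy from the tunnel that carries no user group; the tunnel, interface and group names are sample values.

```python
# Constructed sample FortiOS config (not from the article): an IKEv1 dial-up
# tunnel, policy 1 carrying a user group and policy 2 that forgot it.
SAMPLE_CONFIG = """config vpn ipsec phase1-interface
    edit "Test_vpn"
        set type dynamic
        set xauthtype auto
    next
end
config firewall policy
    edit 1
        set srcintf "Test_vpn"
        set action accept
        set groups "vpn-group"
    next
    edit 2
        set srcintf "Test_vpn"
        set action accept
    next
end"""

def parse_config(text):
    # Flat config/edit/set/next/end parser -> {table: {entry: {key: value}}}
    tables, table, entry = {}, None, None
    for line in text.splitlines():
        kw, _, rest = line.strip().partition(" ")
        if kw == "config":
            table = tables.setdefault(rest, {})
        elif kw == "edit" and table is not None:
            entry = table.setdefault(rest.strip('"'), {})
        elif kw == "set" and entry is not None:
            key, _, value = rest.partition(" ")
            entry[key] = value.strip().strip('"')
        elif kw == "end":
            table = entry = None
    return tables

def audit(tables):
    """Findings for dial-up tunnels whose user group must come from the policy."""
    findings = []
    policies = tables.get("firewall policy", {}).items()
    for name, p1 in tables.get("vpn ipsec phase1-interface", {}).items():
        if p1.get("type") != "dynamic":  # only dial-up tunnels are in scope
            continue
        if "authusrgrp" in p1:
            findings.append(f"{name}: authusrgrp is set, the group must come from the policy")
        need = ("eap", "enable") if p1.get("ike-version") == "2" else ("xauthtype", "auto")
        if p1.get(need[0]) != need[1]:
            findings.append(f"{name}: dial-up needs 'set {need[0]} {need[1]}'")
        for pid, pol in policies:  # every accept policy from the tunnel must carry a group
            if pol.get("srcintf") == name and pol.get("action") == "accept" and not pol.get("groups"):
                findings.append(f"policy {pid}: no user group on traffic from {name}")
    return findings
```

Run it against a `show full-configuration` export to list every dial-up tunnel whose traffic could bypass the group restriction.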
Using XAuth authentication