Red_and_blue
Explorer
December 4, 2024
Question

IPSEC Dial-up VPN two scenarios

  • December 4, 2024
  • 4 replies
  • 3117 views

OK, trying to have secure VPN connections for two different types of users.

We currently have a Fgate 60F V7.2.1; Windows AD environment; Fclient 7.2.5; EMS on Windows server

We can't use the SSL VPN.
I have two sets of users

1/ home PCs using the fclient free version; IPSEC VPN (IKE V1) then they RDP to their desktops; only RDP allowed in the firewall policy

2/ work-supplied laptops using fclient with EMS; to have full normal access; currently using SSL, however we have to move away from SSL.

Questions are

A: Is 1. a silly thing to do? Should we just bite the bullet and buy bad laptops that are locked down to only allow the VPN and nothing else? Can we have a home PC connect securely and only allow them to RDP to their desktop? Is this a massive security risk?

B: Can I have two IPSEC dialups set up on the Fgate? Can anyone share a decent doc that actually explains what all the options do, or even better says "choose these ones"? I've created a second IPSEC dialup using IKE2 and can't get it to work. Before I go down the debug route or raise a job, I just thought I should check that what I'm trying is sensible.

Thanks in advance.

Red
4 replies

dingjerry_FTNT
Staff
December 4, 2024

Hi @Red_and_blue,

1) It should be fine to use the free version of the FortiClient for VPN only.

2) My guess is that you are using main mode in IPSec VPN phase1 settings, aren't you?

Please check this KB article for the differences between Main mode and Aggressive mode:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Differences-between-Aggressive-and-Main-mode-in/ta-p/196313

In your scenario, it's better to use Aggressive mode.

If you still want to use Main mode, please check this KB article:

https://community.fortinet.com/t5/FortiGate/Technical-Note-Configuring-more-than-one-Main-Mode-Pre-Shared/ta-p/194213

And if you want to use remote authentication, i.e. LDAP, for IPSec VPN user authentication, please check this KB article:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Remote-Access-IPSEC-VPN-with-LDAP-authentication/ta-p/343237

Red_and_blue
Explorer
December 5, 2024

Thanks, yes, already using aggressive and already using LDAP successfully. Thanks for your response. I'll add further comments below...

sw2090
SuperUser
December 4, 2024

Of course you can create more than one dial-up on a FGT. They separate by PSK authentication and/or peer ID or even proposals.

However, I never used IKEv2 on a dial-up because I need user authentication on those, and I never got EAP to work in v2 while XAuth in IKEv1 works fine.

Red_and_blue
Explorer
December 5, 2024

OK, I figured out the two dial-ups using Peer ID. Thanks for your response. I'll add further comments below...

sjoshi
Staff
December 4, 2024

For home PCs using FortiClient free version for IPsec VPN and RDP access to their desktops, it is a feasible solution as long as proper firewall policies are in place to restrict access to only RDP. However, for work-supplied laptops using FortiClient with EMS for full access, transitioning from SSL to IPsec VPN might require careful consideration and testing to ensure all necessary access is maintained securely.

B: Yes, you can set up two IPsec dial-up VPN connections on the FortiGate 60F. Ensure the configurations for each connection, including IKE version and settings, are correctly set up. For detailed guidance on IPsec VPN setup, refer to Fortinet's official documentation or reach out to Fortinet support for assistance if needed.

Thanks, Salon

Red_and_blue
Explorer
December 5, 2024

Thanks for your response.  I'll add further comments below...

Red_and_blue
Explorer
December 5, 2024

So I spoke to a security advisor and explained our situation. He's recommended removing the at-home user PCs, which is fine. He told me to use IKEv2.

I was able to get two IPSEC dial-ups working when I found the Peer ID reference.

So now I've been trying to get IKEv2 to work with no success. I already have a tunnel set up between two sites using IKEv1. Reading various articles has led me to believe that all IPSEC connections need to be IKEv2 for it to work. Can anyone confirm this please?

sjoshi
Staff
December 5, 2024

You can use both IKEv1 and IKEv2, and can have different peer ID setups.

Thanks, Salon
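To pull the thread's two practical points together (two dial-up phase1 definitions on one FortiGate separated by peer ID, one IKEv1 and one IKEv2, and a firewall policy that lets the home-PC group reach nothing but RDP on their own desktops), here is an added FortiOS CLI sketch. It is not from the original thread, from Fortinet documentation, or from the poster's own configuration: the interface name `wan1`, the tunnel names, LDAP group names, peer IDs, address objects and pool ranges are placeholders, and the PSKs are marked as such. The home dial-up uses IKEv1 aggressive mode with XAuth as the posters describe, and the EMS dial-up uses IKEv2 with EAP for user authentication; sw2090 reports above that EAP on IKEv2 did not work for them, so treat that second block as something to test rather than a confirmed working setup.

```text
# Added example, not from the thread. All names, IDs and ranges are placeholders.

config vpn ipsec phase1-interface
    # Dial-up 1: home PCs, IKEv1 aggressive mode, PSK + XAuth against an LDAP group.
    edit "DIAL_HOME"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set peertype one
        set peerid "home-users"           # FortiClient "Local ID" on the home profile
        set proposal aes256-sha256
        set dhgrp 14
        set xauthtype auto
        set authusrgrp "VPN_HOME_LDAP"    # group mapped to the LDAP server
        set mode-cfg enable
        set ipv4-start-ip 10.212.134.10
        set ipv4-end-ip 10.212.134.200
        set ipv4-netmask 255.255.255.0
        set dpd on-idle
        set psksecret HOME_PSK_PLACEHOLDER
    next
    # Dial-up 2: EMS-managed laptops, IKEv2, PSK + EAP user authentication.
    # A different peer ID is what lets the FortiGate select this phase1 instead of DIAL_HOME.
    edit "DIAL_EMS"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype one
        set peerid "ems-laptops"
        set proposal aes256-sha256
        set dhgrp 14
        set eap enable
        set eap-identity send-request
        set authusrgrp "VPN_EMS_LDAP"
        set mode-cfg enable
        set ipv4-start-ip 10.212.135.10
        set ipv4-end-ip 10.212.135.200
        set ipv4-netmask 255.255.255.0
        set dpd on-idle
        set psksecret EMS_PSK_PLACEHOLDER
    next
end

config vpn ipsec phase2-interface
    edit "DIAL_HOME"
        set phase1name "DIAL_HOME"
        set proposal aes256-sha256
    next
    edit "DIAL_EMS"
        set phase1name "DIAL_EMS"
        set proposal aes256-sha256
    next
end

config firewall address
    edit "VPN_HOME_POOL"
        set subnet 10.212.134.0 255.255.255.0
    next
    edit "VPN_EMS_POOL"
        set subnet 10.212.135.0 255.255.255.0
    next
    edit "DESKTOP_SUBNET"                 # the LAN segment holding the users' desktops
        set subnet 192.168.10.0 255.255.255.0
    next
end

config firewall policy
    # Home PCs: only TCP/3389 to the desktop subnet, everything else implicitly denied.
    edit 0
        set name "HOME_RDP_ONLY"
        set srcintf "DIAL_HOME"
        set dstintf "internal"
        set srcaddr "VPN_HOME_POOL"
        set dstaddr "DESKTOP_SUBNET"
        set action accept
        set schedule "always"
        set service "RDP"                 # predefined FortiOS service object
        set logtraffic all
    next
    # EMS laptops: full access, still logged.
    edit 0
        set name "EMS_FULL_ACCESS"
        set srcintf "DIAL_EMS"
        set dstintf "internal"
        set srcaddr "VPN_EMS_POOL"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

The thing to check when the second dial-up "doesn't work" is which phase1 the FortiGate actually matched: with two dynamic tunnels on the same interface, a client whose Local ID is missing or wrong lands on the wrong entry (or none), and the IKE debug output on the FortiGate shows the selected gateway name. Keeping the two address pools distinct, as above, is what makes the RDP-only policy enforceable, since the policy keys on the tunnel interface and the pool rather than on who authenticated.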