snowman386
New Member
February 25, 2010
Question

IPSec policy server forticlient remote networks

Is there any way to have the FortiClient automatically learn the remote networks from the policy server? I thought this was the point of the policy server that I set up. Here are the details of my config:

  • Policy-based dialup VPN using XAuth
  • DHCP server assigns VIPs to the clients with no default gateway (for split tunneling)
  • FortiClient configured for automatic IPsec VPN
  • VPN policy server has been set up with the RADIUS user group and the phase 2 connection of the dialup VPN

I want the FortiGate to assign the remote networks to the FortiClient based on the firewall policy that contains the VPN tunnel (or any method; this just seems the most logical). That way I can add/remove destination subnets from the address group and have the clients automatically update instead of having to touch each client.

It seems that the policy server does not assign remote networks though, as the only way I can communicate with the remote networks is to change DHCP to assign a default gateway or change the FortiClient to a manual IPsec VPN and specify the individual remote networks. The first way is not desirable as I don't want VPN clients consuming twice as much bandwidth to browse the internet. The second is not desirable as each VPN client has to be updated when remote networks are added/removed.

Hope that all makes sense. Thanks

    13 replies

    Carl_Wallmark
    New Member
    February 26, 2010
    Hello and welcome. Yes, it's possible, but you need to make some changes in the CLI. First of all, configure your VPN tunnel for the policy server:

        # config vpn ipsec forticlient
        # edit <just a name>
        # set usergroupname <name of authentication group>
        # set phase2name <name of phase2>
        # end

    Then you must create an Address Group: Firewall -> Address (you need to change both src-addr-type and dst-addr-type). Then edit your VPN phase2 in the CLI and change the type of address:

        # config vpn ipsec phase2-interface
        # edit <phase2 name>
        # set src-addr-type name
        # set src-name <name of address>
        # end

    Then you can add all subnets to that address group, and when the policy server is enabled it will push all networks to your FortiClients.
    snowman386
    New Member
    February 26, 2010
    Fantastic. I will try that out and let you know. This info should be in the IPsec guide!!! I triple checked the guide about FortiClient dialup VPNs.
    snowman386
    New Member
    February 26, 2010
    I get this error when I run the command:

        cannot use named address for only one selector object set operator error, 5 discard the setting Command fail. Return code 5

    I assume it means I have to set the dst-name also. Would that be the VIP subnet I created for the FortiClients? Thanks
    snowman386
    New Member
    February 26, 2010
    OK, I really need help now. I am trying to configure interface mode because it seems easier to manage, but I cannot get the FortiClient to connect. Here are the errors I get on the FortiClient:

        Feb 26 13:31:49: Initiator: sent x.x.x.x main mode message #1 (OK)
        Feb 26 13:31:50: Initiator: sent x.x.x.x main mode message #2 (OK)
        Feb 26 13:31:50: Initiator: sent x.x.x.x main mode message #3 (OK)
        Feb 26 13:31:50: Initiator: parsed x.x.x.x main mode message #3 (DONE)
        Feb 26 13:31:50: Initiator: sent x.x.x.x quick mode message #1 (OK)

    and

        program=ipsec msg=Failed to add vpn gateway x.x.x.x to trusted zone loc_ip=75.246.65.108 loc_port=500 rem_ip=x.x.x.x rem_port=500 out_if=0 vpn_tunnel=manual status=negotiate_error msg=" No response from the peer, retransmit (st=2).... "

    I set up the phase one in interface mode (left local gateway default), added two firewall policies for the VPN interface and LAN interface, and set up an IPsec DHCP server on the VPN interface. I had this working great in policy mode, but there has to be something simple I'm missing with interface mode.
    abelio
    SuperUser
    SuperUser
    February 26, 2010
    quote: I set up the phase one in interface mode (left local gateway default), added two firewall policies for the VPN interface and LAN interface, and set up an IPsec DHCP server on the VPN interface. I had this working great in policy mode, but there has to be something simple I'm missing with interface mode.

    There's no support for DHCP over IPsec under FortiOS 3.0 for route/interface-based VPNs. You have to run FortiOS 4.0 to do that; could that be an explanation?
    snowman386
    New Member
    February 26, 2010
    Well, I am on 4.0 MR1 Patch 3. I tried configuring FortiClient with a manual VIP and it still will not even connect. I get "vpn has trouble connecting with the remote gateway. retrying now..." Do I need to add a firewall policy to the WAN or set up any static routes?
    snowman386
    New Member
    February 26, 2010
    Here are my phase one and two configs:

        edit "LOV_IPSEC_FC_P1"
            set type dynamic
            set interface "port1"
            set ip-version 4
            set ike-version 1
            set local-gw 0.0.0.0
            set localid ''
            set dpd enable
            set nattraversal enable
            set dhgrp 5
            set proposal 3des-sha1 aes128-sha1
            set keylife 28800
            set authmethod psk
            set peertype any
            set xauthtype disable
            set mode main
            set mode-cfg disable
            set default-gw 0.0.0.0
            set default-gw-priority 0
            set dpd-retrycount 3
            set dpd-retryinterval 5
            set psksecret ENC xxxxxxxxx
            set keepalive 10
            set distance 1
            set priority 0

        edit "LOV_IPSEC_FC_P2"
            set dst-addr-type subnet
            set dst-port 0
            set keepalive disable
            set keylife-type seconds
            set pfs enable
            set phase1name "LOV_IPSEC_FC_P1"
            set proposal 3des-sha1 aes128-sha1
            set protocol 0
            set replay enable
            set route-overlap use-new
            set single-source disable
            set src-addr-type subnet
            set src-port 0
            set dhcp-ipsec enable
            set dhgrp 5
            set dst-subnet 0.0.0.0 0.0.0.0
            set keylifeseconds 1800
            set src-subnet 0.0.0.0 0.0.0.0
        next

    Two firewall rules:

            set srcintf "LOV_CORP"
            set dstintf "LOV_IPSEC_FC_P1"
            set srcaddr "LOV_VPN_DESTINATION_NETWORKS"
            set dstaddr "LOV_IPSEC_CLIENT_SUBNET"
            set action accept
            set status enable
            set logtraffic disable
            set per-ip-shaper ''
            set session-ttl 0
            set wccp disable
            set disclaimer disable
            set natip 0.0.0.0 0.0.0.0
            set match-vip disable
            set diffserv-forward disable
            set diffserv-reverse disable
            set tcp-mss-sender 0
            set tcp-mss-receiver 0
            set comments ''
            set endpoint-check disable
            set label ''
            set identity-based disable
            set schedule "always"
            set service "ANY"
            set profile-status disable
            set traffic-shaper ''
            set nat disable

            set srcintf "LOV_IPSEC_FC_P1"
            set dstintf "LOV_CORP"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set status enable
            set logtraffic disable
            set per-ip-shaper ''
            set ippool disable
            set session-ttl 0
            set wccp disable
            set disclaimer disable
            set natip 0.0.0.0 0.0.0.0
            set match-vip disable
            set diffserv-forward disable
            set diffserv-reverse disable
            set tcp-mss-sender 0
            set tcp-mss-receiver 0
            set comments ''
            set endpoint-check disable
            set label ''
            set identity-based disable
            set schedule "always"
            set service "ANY"
            set profile-status disable
            set traffic-shaper ''
            set nat enable
            set fixedport disable

    And the DHCP server:

            set conflicted-ip-timeout 1800
            set default-gateway 0.0.0.0
            set dns-server1 0.0.0.0
            set dns-server2 0.0.0.0
            set dns-server3 0.0.0.0
            set domain ''
            set enable enable
            set interface "LOV_IPSEC_FC_P1"
            set lease-time 86400
            set netmask 255.255.255.128
            set option1 0
            set option2 0
            set option3 0
            set server-type ipsec
            set wins-server1 0.0.0.0
            set wins-server2 0.0.0.0
            set end-ip 10.0.98.254
            set ip-mode range
            set ipsec-lease-hold 0
            set start-ip 10.0.98.129
    abelio
    SuperUser
    SuperUser
    February 27, 2010
    Configure your FortiClient for "obtain IP from DHCP server over ipsec", no manual VIP, and re-check your firewall policy srcaddr/dstaddr settings; they don't seem very consistent with each other. Replace them with 'all' and retry.
    snowman386
    New Member
    February 28, 2010
    ORIGINAL: abelio
    quote: Configure your FortiClient for "obtain IP from DHCP server over ipsec", no manual VIP, and re-check your firewall policy srcaddr/dstaddr settings; they don't seem very consistent with each other. Replace them with 'all' and retry.

    Well, I have tried all/all in both directions and set the client for DHCP and manual. No combination has worked.
    Carl_Wallmark
    New Member
    February 28, 2010
    quote: I get this error when I run the command: cannot use named address for only one selector object set operator error, 5 discard the setting Command fail. Return code 5 I assume it means I have to set the dst-name also. Would that be the VIP subnet I created for the FortiClients? Thanks

    You must select the address type for both src and dst, NOT only src:

        # config vpn ipsec phase2-interface
        # edit <phase2 name>
        # set src-addr-type name
        # set src-name <name of source address>
        # set dst-addr-type name
        # set dst-name <name of destination address>
        # end

    It was my bad, I should have typed it out for you ;)
    snowman386
    New Member
    February 28, 2010
    quote: You must select the address type for both src and dst, NOT only src: # config vpn ipsec phase2-interface # edit <phase2 name> # set src-addr-type name # set src-name <name of source address> # set dst-addr-type name # set dst-name <name of destination address> # end It was my bad, I should have typed it out for you ;)

    Well, I did figure that part out. You didn't need to type that out. I was asking what the dst name should be. Do you use all or the VIP subnet? I used the VIP subnet name but am having all kinds of issues getting the VPN to work in interface mode. Wanted to make sure that this was not a problem. I'm thinking about switching back to policy mode. I got that to work the first time with no problems. Interface mode is another story!
    Carl_Wallmark
    New Member
    March 1, 2010
    Source should be the subnets/addresses you wish to push to your clients, Destination could be 0.0.0.0/0, if your clients are dialing in.
    snowman386
    New Member
    March 9, 2010
    Yay, I got it to work. When I put in the policy the first time, it said that I should not use a policy with a name of more than 15 characters, so I changed it to 15 characters and it did not give the warning anymore. Yesterday I deleted it and made the new policy with a 7-character name and it worked like a charm the first time. I did set the src to be the LAN resources I wanted to access and the dst to be the IPsec client VIP subnet. The proper routes were added to the clients' routing table. Thanks for your help.
    Carl_Wallmark
    New Member
    March 9, 2010
    Glad to hear that it worked!
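As an added example (not from this thread and not Fortinet's code), a small Python lint that parses a FortiOS-style config dump and flags the two pitfalls the thread ran into: a phase2-interface entry with a named address on only one selector (the "cannot use named address for only one selector" error), and a policy-server entry name longer than the 15 characters the warning allowed. The config text, entry names and the vpn_users group in SAMPLE_CONFIG are constructed for the demo.

```python
# Added example (not from the thread): lint a FortiOS-style dump for the two pitfalls above.
SAMPLE_CONFIG = """
config vpn ipsec phase2-interface
    edit "LOV_IPSEC_FC_P2"
        set src-addr-type name
        set src-name "LOV_VPN_DESTINATION_NETWORKS"
        set dst-addr-type subnet
    next
end
config vpn ipsec forticlient
    edit "LOV_FORTICLIENT_POLICY_SERVER"
        set usergroupname "vpn_users"
        set phase2name "LOV_IPSEC_FC_P2"
    next
end
"""

def parse_fortios(text):
    """Parse flat 'config / edit / set / next / end' blocks into {table: {entry: {key: value}}}."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            table = line[7:]
            tables.setdefault(table, {})
        elif line.startswith("edit ") and table is not None:
            entry = line[5:].strip('"')
            tables[table][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            tables[table][entry][key] = value.strip('"')
        elif line == "next":
            entry = None
        elif line == "end":
            table, entry = None, None
    return tables

def lint(tables):
    """Flag mixed phase2 selector types and policy-server names over 15 chars."""
    findings = []
    for name, p2 in tables.get("vpn ipsec phase2-interface", {}).items():
        src = p2.get("src-addr-type", "subnet")  # FortiOS default is subnet
        dst = p2.get("dst-addr-type", "subnet")
        if (src == "name") != (dst == "name"):
            findings.append(f"{name}: selector types differ ({src}/{dst}); set both to name")
    for name in tables.get("vpn ipsec forticlient", {}):
        if len(name) > 15:
            findings.append(f"{name}: policy-server name is {len(name)} chars, limit 15")
    return findings
```

Run it against a `show vpn ipsec phase2-interface` / `show vpn ipsec forticlient` dump; an empty findings list means both checks passed.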