Setting up multiple incoming VPNs of the same type on the same external interface
- July 24, 2015
- 4 replies
- 23798 views
Hello,
To preface this, I am using a Fortigate 100D on the 5.2.x firmware.
I am trying to set up multiple IPsec VPN tunnel interfaces in my Fortigate to allow different organizations to VPN in to the system, with different access. This would allow me to let organization A have access to certain IPs/ports, while organization B would get access to different IPs/ports.
I've tried doing this two ways. Using the "Dialup - Cisco Firewall" wizard in the Fortigate, I set up two separate VPN tunnel interface connections (both on the same incoming interface/IP), but each with different user groups, and each with their own policy.
This did not work: nobody could connect. So next, I made one "Dialup - Cisco Firewall" tunnel interface with both groups of users included, thinking I could enforce access control through policies in the firewall, and then finally people could connect (but couldn't access any resources!). This leads me to my first question. Can you not have multiple separate tunnels all coming in on the same interface using the same "method" (which in this case is the "Dialup - Cisco Firewall" version)? Logically I'm guessing it won't work because the firewall doesn't know which one to use before it gets to the XAUTH stage, given the user credentials, and by that point we've already gotten past picking which tunnel. But I'm not sure.
So, I thought I could try this a different way, by setting up policies based on certain users coming in over that VPN interface. (For example, you put everybody on the same VPN connection, but then do policy routing based on username.) Once again, this didn't work: while the users could connect to the VPN, they could not access any of the resources on the internal network.
I tried to do this by using the "Source User(s)" selector under the Source Address feature in the IPv4 policy for the VPN interface (please see attachment), though since I'm using aggressive VPN mode and then XAUTH, I'm wondering if this feature won't work correctly.
Anyway, that is the crux of my problem. What is the most efficient way to set this up? Am I on the right track? We host computing resources and need to let certain people have access to certain resources, but I'd like as fine-grained a control over that as I can from the VPN side rather than having to implement server-side security to enforce the same rules. But I can't seem to figure out how to do that.
Thanks in advance for your help. I've tried searching for this extensively, and given the search terms I am using, I can never seem to dig up a reasonable answer for the exact question I'm posing.
