Cybersecurity Forum


StuaKend
New Contributor II

Pushing DNS servers to Dialup IPSec VPN clients

I'm experimenting with an L2TP/IPsec telecommuter VPN service, and I am having trouble telling the clients to use my internal DNS servers.

config vpn ipsec phase1-interface
    edit "L2TP-TeleVPN"
        set type dynamic
        set interface "port1"
        set local-gw a.b.c.d
        set peertype any
        set net-device enable
        set proposal aes256-sha1 3des-sha1
        set dpd on-idle
        set dhgrp 14
        set psksecret ENC {deleted}
        set dpd-retryinterval 60
    next
end
config vpn ipsec phase2-interface
    edit "L2TP-TeleVPN"
        set phase1name "L2TP-TeleVPN"
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set pfs disable
        set encapsulation transport-mode
        set l2tp enable
    next
end
config vpn l2tp
    set eip 10.10.10.1
    set sip 10.10.10.254
    set status enable
    set usrgrp "LDAP-VPN-User"
end


I tried adding the following:
config vpn ipsec phase1-interface
    edit "L2TP-TeleVPN"
        set type dynamic
        set interface "port1"
        set local-gw a.b.c.d
        set peertype any
        set net-device enable
        set mode-cfg enable
        set ipv4-dns-server1 10.10.45.90
        set ipv4-dns-server2 10.10.80.90
        set ipv4-dns-server3 10.10.110.90
        set proposal aes256-sha1 3des-sha1
        set dpd on-idle
        set dhgrp 14
        set assign-ip-from name
        set ipv4-netmask 255.255.255.0
        set ipv4-name "L2TP-VPN-Client-Range"
        set domain "company.com"
        set psksecret ENC {deleted}
        set dpd-retryinterval 60
    next
end

config firewall address
    edit "L2TP-VPN-Client-Range"
        set uuid {deleted}
        set type iprange
        set color 4
        set start-ip 10.10.10.1
        set end-ip 10.10.10.254
    next
end

But then clients don't connect at all ... diag debug app ike -1 shows me:
[...]
ike 0:L2TP-TeleVPN_0:222: peer has not completed Configuration Method
ike 0:L2TP-TeleVPN_0: deleting
[...]

Is it possible to instruct the FortiGate to tell the clients what to use, in terms of DNS servers and domain name? Or does one have to configure these individually on the clients?

--sk

StuaKend
New Contributor II

OK, I understand now that 'set mode-cfg enable' applies only if I am using the FortiClient in IPsec mode. At the moment, I want to support native OS L2TP/IPsec clients instead, so I have disabled 'mode-cfg'.

It seems to me that I can do this by adding a DHCP server into the mix, either the one built into the FortiGate or an external DHCP server. For the moment, I am attempting to use the FortiGate's built-in DHCP server.

config system dhcp server
    edit 1
        set domain "company.com"
        set default-gateway 10.10.10.1
        set netmask 255.255.255.0
        set interface "L2TP-TeleVPN"
        config ip-range
            edit 1
                set start-ip 10.71.10.2
                set end-ip 10.71.10.254
            next
        end
        set timezone-option default
        set server-type ipsec
        set dns-server1 10.10.45.80
        set dns-server2 10.10.90.80
        set dns-server3 10.10.110.80
    next
end

Clients are connecting fine, but they receive the Fortinet DNS servers (208.91.112.53 & 208.91.112.52) rather than the 10.10.x.90 ones which I specify.

Is anyone else trying this?

--sk



config vpn ipsec phase2-interface
    edit "L2TP-TeleVPN"
        set phase1name "L2TP-TeleVPN"
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set pfs disable
        set encapsulation transport-mode
        set l2tp enable
        set dhcp-ipsec enable
    next
end

--sk
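As an added check (example code written for this page, not code from the thread or from Fortinet), the following Python script parses a FortiOS CLI dump like the ones posted above and flags the combinations this thread ran into: `mode-cfg enable` on a phase1 whose phase2 has `l2tp enable` (the "peer has not completed Configuration Method" failure), a phase2 with `l2tp enable` that lacks `dhcp-ipsec enable` while a `server-type ipsec` DHCP server is bound to that tunnel interface, and 3DES/MD5 transforms offered in either proposal. Two checks rest on assumptions that are labelled in the code: that `dns-server1..3` in `config system dhcp server` only take effect with `set dns-service specify` (otherwise clients receive the FortiGate's system DNS servers), and that in `config vpn l2tp` `sip` is the first pool address and `eip` the last. The finding codes are this script's own labels, and the sample configuration is constructed from the posts above rather than taken from a real device.

```python
"""Audit a FortiOS CLI dump for the L2TP/IPsec DNS-push pitfalls from this thread (added example)."""
import ipaddress
import shlex
from dataclasses import dataclass, field

@dataclass
class Node:
    kind: str                                   # "config" or "edit"
    name: str                                   # table name or edit key
    attrs: dict = field(default_factory=dict)   # set <attr> <values...>
    children: list = field(default_factory=list)

def parse_fortios(text):
    # Build a tree from config/edit/set/next/end lines; shlex handles quoted names.
    stack = [Node("root", "")]
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        if tokens[0] in ("config", "edit"):
            node = Node(tokens[0], " ".join(tokens[1:]))
            stack[-1].children.append(node)
            stack.append(node)
        elif tokens[0] == "set" and len(tokens) > 1:
            stack[-1].attrs[tokens[1]] = tokens[2:]
        elif tokens[0] in ("next", "end") and len(stack) > 1:
            stack.pop()
    return stack[0]

def table(node, name):
    return next((c for c in node.children if c.kind == "config" and c.name == name), None)

def edits(node):
    return [c for c in node.children if c.kind == "edit"] if node else []

def attr(node, key):
    vals = node.attrs.get(key)
    return vals[0] if vals else None

def audit(text):
    # Return (code, detail) findings; the codes are this script's own labels.
    root, findings = parse_fortios(text), []
    phase1 = {e.name: e for e in edits(table(root, "vpn ipsec phase1-interface"))}
    dhcp = edits(table(root, "system dhcp server"))
    ipsec_dhcp_ifaces = {attr(d, "interface") for d in dhcp if attr(d, "server-type") == "ipsec"}

    for p2 in edits(table(root, "vpn ipsec phase2-interface")):
        p1 = phase1.get(attr(p2, "phase1name"))
        if p1 is None:
            continue
        l2tp = attr(p2, "l2tp") == "enable"
        # Native L2TP/IPsec clients never complete IKE Config Method; with mode-cfg the gateway deletes the SA.
        if l2tp and attr(p1, "mode-cfg") == "enable":
            findings.append(("MODECFG_L2TP", p1.name))
        # DHCP over IPsec needs the phase2 flag as well as a server-type ipsec DHCP server.
        if l2tp and p1.name in ipsec_dhcp_ifaces and attr(p2, "dhcp-ipsec") != "enable":
            findings.append(("DHCP_IPSEC_OFF", p2.name))
        for node in (p1, p2):  # legacy 3DES / MD5 transforms offered in either phase
            weak = [p for p in node.attrs.get("proposal", []) if "3des" in p or "md5" in p]
            if weak:
                findings.append(("WEAK_PROPOSAL", f"{node.name}: {' '.join(weak)}"))

    for d in dhcp:
        # Assumption: dns-server1..3 only apply with 'set dns-service specify'; otherwise clients get the system DNS.
        if any(k.startswith("dns-server") for k in d.attrs) and attr(d, "dns-service") != "specify":
            findings.append(("DNS_SERVICE_NOT_SPECIFY", d.name))

    l2tp = table(root, "vpn l2tp")
    if l2tp and attr(l2tp, "sip") and attr(l2tp, "eip"):
        sip, eip = ipaddress.ip_address(attr(l2tp, "sip")), ipaddress.ip_address(attr(l2tp, "eip"))
        if sip > eip:  # Assumption: sip is the first pool address and eip the last
            findings.append(("L2TP_POOL_REVERSED", f"sip {sip} > eip {eip}"))
    return findings

# Constructed from the thread's first attempt plus the reply's DHCP server; not a real dump.
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "L2TP-TeleVPN"
        set mode-cfg enable
    next
end
config vpn ipsec phase2-interface
    edit "L2TP-TeleVPN"
        set phase1name "L2TP-TeleVPN"
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set l2tp enable
    next
end
config vpn l2tp
    set eip 10.10.10.1
    set sip 10.10.10.254
end
config system dhcp server
    edit 1
        set interface "L2TP-TeleVPN"
        set server-type ipsec
        set dns-server1 10.10.45.80
    next
end
"""
```

Run `audit(text)` on a saved `show full-configuration` dump (or on `SAMPLE_CONFIG`) and review each returned code; on the constructed sample it reports all five conditions, and a configuration with `mode-cfg` disabled, `dhcp-ipsec enable`, an AES/SHA-2 proposal, `dns-service specify` and an ascending L2TP pool returns an empty list.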