I'm exploring using our Fortigate firewalls to terminate a Telecommuter (aka 'Dialup') remote access service
Right now, I'm trying to develop an L2TP service which would simultaneously support Windows, OS X, and Linux clients. I am running into bumps and am working a ticket with TAC
What I'm looking for here is more of a conceptual overview -- I'm realizing that I don't have a mental model for understanding how FortiOS thinks about this service
For example, what is the difference between an interface-based VPN service and a policy-based VPN service?
* The Dialup Windows wizard creates an interface-based VPN service ... the Handbook tells me to create a policy-based service
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/299180/configuration-overview
* Before I believe one or the other, I would like to understand what the difference is
More broadly
* As I trouble-shoot why the Wizard-created IPSec service doesn't work, I've found that my Win10 client wants a 28800s key lifetime whereas the Wizard has created a service which wants a 86400s key lifetime, with the result being a failed ISKMP SA proposal. Fine, so I've changed the Fortigate to 28800s ...
* This seems fragile to me -- is there no auto-negotiation feature in this exchange? Do I really need to hard-code both sides to agree on these various parameters? [Perhaps this is an argument for the FortiClient approach!]
* Is it possible to construct an L2TP service which supports the vagaries of Windows, OS X, and Linux clients? Or does one end up offering (3) separate services, terminated on (3) separate IP addresses?
I am reading the Handbook:
* https://docs.fortinet.com/document/fortigate/6.0.0/handbook/509218/fortigate-dialup-client-configuration
* The Cookbook has a chapter addressing the FortiClient scenario but not L2TP -- I'll get to the FortiClient scenario eventually, but I'm not ready for this yet
==> Anyone have a suggestion for additional reading?
--sk
