Purpose
When dial-up VPN clients are required to get addresses from the same IP network segment.
Scope
All FortiOS
Expectations, Requirements
In the FortiClient configuration, two IP addresses can be set to reach a remote destination.
Configuration
- Create a VDOM
config system global
set vdom-admin enable
end
config vdom
edit tunneling
end
- Create a vdom-link between root and new VDOM
config global
config system vdom-link
edit ivdom
next
end
config system interface
edit ivdom0
set vdom "root"
set ip 1.1.1.1 255.255.255.252
set type vdom-link
next
edit ivdom1
set vdom "tunneling"
set ip 1.1.1.2 255.255.255.252
set type vdom-link
next
end
end
- Set the default route to the Internet
conf vdom
edit tunneling
config router static
edit 1
set device ivdom1
set gateway 1.1.1.1
next
end
end
end
- Create the route to the VPN IPSec tunnels from the root VDOM
config vdom
edit root
config router static
edit 0
set device ivdom1
set gateway 172.16.1.0 255.255.255.0
next
end
end
end
- Create firewall VIP
config vdom
edit root
config firewall vip
edit tunel1
set extintf "wan1"
set extip 187.x.x.x
set mappedip 1.1.1.2
next
edit tunel2
set extintf "wan2"
set extip 189.y.y.y
set mappedip 1.1.1.2
next
end
end
end
- Create firewall policies
config vdom
edit root
config firewall policy
edit 0
set srcintf "WANs"
set dstintf "ivdom0"
set srcaddr "all"
set dstaddr "tunel1" "tunel2"
set action accept
set schedule "always"
set service "ALL"
next
edit 0
set srcintf "ivdom0"
set dstintf "LAN"
set srcaddr "allowed_clients"
set dstaddr "allowed_servers"
set action accept
set schedule "always"
set service "ALL"
next
edit 0
set srcintf "LAN"
set dstintf "ivdom0"
set srcaddr "allowed_servers"
set dstaddr "allowed_clients"
set action accept
set schedule "always"
set service "ALL"
next
end
end
end
- Create the VPN (the pre-shared key and the proposals below are example values; 3des-sha1 is a legacy proposal, so keep only the proposals your clients require)
config vdom
edit tunneling
config vpn ipsec phase1-interface
edit "FClient"
set type dynamic
set interface "ivdom1"
set keylife 800
set xauthtype auto
set mode-cfg disable
set proposal 3des-sha1 aes128-sha1
set dpd disable
set authusrgrp "USERGROUP"
set psksecret secret
next
end
config vpn ipsec phase2-interface
edit fc
set keepalive enable
set phase1name "FClient"
set proposal 3des-sha1 aes128-sha1
set keylifeseconds 120
set dhcp-ipsec enable
next
end
end
- Create the DHCP pool for IPSec (the `edit 1` entry below belongs under `config system dhcp server` in the tunneling VDOM)
config vdom
edit tunneling
edit 1
set interface "FClient"
config ip-range
edit 1
set end-ip 172.16.0.250
set start-ip 172.16.0.1
next
end
set lease-time 3600
set netmask 255.255.255.0
set server-type ipsec
set dns-server1 a.b.c.d
set ipsec-lease-hold 0
next
end
end
- Create firewall policies in the tunneling VDOM
config vdom
edit tunneling
config firewall policy
edit 1
set srcintf "FClient"
set dstintf "ivdom1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
edit 2
set srcintf "ivdom1"
set dstintf "FClient"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end
end
- Configure your FortiClient with the IP addresses 187.x.x.x and 189.y.y.y, separated by ";".
When dial-up VPN clients are required to get addresses from the same IP network segment.
Scope
All FortiOS
Expectations, Requirements
In the FortiClient configuration, two IP addresses can be set to reach a remote destination.
Configuration
- Create a VDOM
config system global
set vdom-admin enable
end
config vdom
edit tunneling
end
- Create a vdom-link between root and new VDOM
config global
config system vdom-link
edit ivdom
next
end
config system interface
edit ivdom0
set vdom "root"
set ip 1.1.1.1 255.255.255.252
set type vdom-link
next
edit ivdom1
set vdom "tunneling"
set ip 1.1.1.2 255.255.255.252
set type vdom-link
next
end
end
- Set the default route to the Internet
conf vdom
edit tunneling
config router static
edit 1
set device ivdom1
set gateway 1.1.1.1
next
end
end
end
- Create the route to the VPN IPSec tunnels from the root VDOM
config vdom
edit root
config router static
edit 0
set device ivdom1
set gateway 172.16.1.0 255.255.255.0
next
end
end
end
- Create firewall VIP
config vdom
edit root
config firewall vip
edit tunel1
set extintf "wan1"
set extip 187.x.x.x
set mappedip 1.1.1.2
next
edit tunel2
set extintf "wan2"
set extip 189.y.y.y
set mappedip 1.1.1.2
next
end
end
end
- Create firewall policies
config vdom
edit root
config firewall policy
edit 0
set srcintf "WANs"
set dstintf "ivdom0"
set srcaddr "all"
set dstaddr "tunel1" "tunel2"
set action accept
set schedule "always"
set service "ALL"
next
edit 0
set srcintf "ivdom0"
set dstintf "LAN"
set srcaddr "allowed_clients"
set dstaddr "allowed_servers"
set action accept
set schedule "always"
set service "ALL"
next
edit 0
set srcintf "LAN"
set dstintf "ivdom0"
set srcaddr "allowed_servers"
set dstaddr "allowed_clients"
set action accept
set schedule "always"
set service "ALL"
next
end
end
end
- Create the VPN (the pre-shared key and the proposals below are example values; 3des-sha1 is a legacy proposal, so keep only the proposals your clients require)
config vdom
edit tunneling
config vpn ipsec phase1-interface
edit "FClient"
set type dynamic
set interface "ivdom1"
set keylife 800
set xauthtype auto
set mode-cfg disable
set proposal 3des-sha1 aes128-sha1
set dpd disable
set authusrgrp "USERGROUP"
set psksecret secret
next
end
config vpn ipsec phase2-interface
edit fc
set keepalive enable
set phase1name "FClient"
set proposal 3des-sha1 aes128-sha1
set keylifeseconds 120
set dhcp-ipsec enable
next
end
end
- Create the DHCP pool for IPSec (the `edit 1` entry below belongs under `config system dhcp server` in the tunneling VDOM)
config vdom
edit tunneling
edit 1
set interface "FClient"
config ip-range
edit 1
set end-ip 172.16.0.250
set start-ip 172.16.0.1
next
end
set lease-time 3600
set netmask 255.255.255.0
set server-type ipsec
set dns-server1 a.b.c.d
set ipsec-lease-hold 0
next
end
end
- Create firewall policies in the tunneling VDOM
config vdom
edit tunneling
config firewall policy
edit 1
set srcintf "FClient"
set dstintf "ivdom1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
edit 2
set srcintf "ivdom1"
set dstintf "FClient"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end
end
- Configure your FortiClient with the IP addresses 187.x.x.x and 189.y.y.y, separated by ";".