FortiGate
bfeng (Staff)
Description
Dialup IPSec between a Cisco VPN client (Unity client) and a FortiGate unit was not supported before FortiOS 4.0 MR1.

Beginning with FortiOS 4.0 MR1, FortiOS supports the Cisco Unity client by implementing the IKE Configuration Method (draft-dukes-ike-mode-cfg-02).

"Unity client protocol" is Cisco's term for the IKE configuration method. The IKE configuration method draft was never ratified; however, Cisco and various other vendors support some or all of it (http://tools.ietf.org/html/draft-dukes-ike-mode-cfg-02).

Notes:

(1) The configuration method is only available for route-based (interface mode) IPsec.
(2) If the dialup client is behind NAT, then FortiOS 4.0 MR1 Patch 1 must be used.

Scope
FortiOS 4.0 MR1, route based (interface mode) IPSec VPN
FortiOS 4.0 MR1 Patch 1 for NAT dialers
Configuration Method - Cisco VPN client (the version used in this article is 4.8.02.00100)

Solution

Configuration

On the FortiGate unit:

1. Configure a local user by going to User > Local and selecting Create New.


2. Create a user group to add the new user to. Go to User > Group and select Create New.


3. Create a Phase1 IPsec interface by going to VPN > IPSec, selecting Create New, and completing the following settings:

Mode: Aggressive
IPsec interface mode: Enable
Proposal: AES128, SHA1
DH Group: 2
XAUTH: Enable as Server, and select the user group created in step 2
Peer Options: "Accept any peer ID" is acceptable if this tunnel is the only dialup tunnel defined and all dialup VPN users connect to it. Otherwise, use "Accept a specified peer ID" or "Accept peer ID in dialup group". With "Accept peer ID in dialup group", the password of the local user in the dialup group serves as that user's tunnel pre-shared key.


From the CLI, edit the phase1 interface and enable the configuration method:

config vpn ipsec phase1-interface
    edit "dialup1"
        set mode-cfg enable
        set ipv4-start-ip 192.168.233.1      >>>> first IP of the range the FortiGate assigns to IPsec clients
        set ipv4-end-ip 192.168.233.254      >>>> last IP of that range
        set ipv4-netmask 255.255.255.0       >>>> subnet mask pushed to the client
        set ipv4-dns-server1 10.5.1.1        >>>> optional DNS server passed to the client
        set ipv4-wins-server1 10.5.1.1       >>>> optional WINS server passed to the client
        set ipv4-split-include "10.5.x.x"    >>>> optional destination address/address-group name if split tunneling is desired
    next
end


After these changes, the complete dialup phase1 configuration looks like this from the CLI:

config vpn ipsec phase1-interface
    edit "dialup1"
        set type dynamic
        set interface "external"
        set dhgrp 2
        set proposal aes128-sha1
        set xauthtype pap
        set mode aggressive
        set mode-cfg enable
        set authusrgrp "ipsecgrp"
        set ipv4-start-ip 192.168.233.1
        set ipv4-end-ip 192.168.233.254
        set ipv4-netmask 255.255.255.0
        set ipv4-dns-server1 10.5.1.1
        set ipv4-wins-server1 10.5.1.1
        set ipv4-split-include "10.5.x.x"
        set psksecret ENC +rAiG3Qgp2j5a5CnyHeRj8HRwY+fTaAj52FncVwImO61sUJuFjKQp/Z98M7PAARONXRhPrhU2dcFoG0qT3Je+AZkXhpCjm3r0V5iuwpmOEfSGAqi
    next
end


4. Configure the Phase2 settings:

Proposal: AES128, SHA1
PFS: selected
DH Group: 2

Note: When the Configuration Method is enabled (set mode-cfg enable), DHCP-IPSEC does not apply.

From the CLI:

config vpn ipsec phase2-interface
    edit "dialupp2"
        set dhgrp 2
        set phase1name "dialup1"
        set proposal aes128-sha1
    next
end


5. Configure a firewall policy to allow traffic from the IPsec interface to the desired internal interface, and vice versa.


On the Cisco VPN Client:

Name: this is the Local ID of the client. If the Peer Options setting on the FortiGate is not "Accept any peer ID", the Name entered here must match the peer ID accepted by the FortiGate unit.
Password: this is the pre-shared key of the tunnel.



Verification:


On the FortiGate unit, enter the following diagnose commands:
diagnose vpn ike filter dst-addr4 <client's public ip>
diag debug app ike -1
diag debug enable


Internal Notes

Diagnose on the FortiGate:

diag vpn ike filter dst-addr4 <client's public ip>
diag debug app ike -1
diag debug enable

Normal debug output from the FortiGate:

fg1 # ike 0: comes 172.16.87.91:1133->172.31.210.49:500,ifindex=16....
ike 0: IKEv1 exchange=Aggressive id=c6017de3bfbc2120/0000000000000000 len=849
ike 0:dialup1: new connection.
ike 0:dialup1: check for IP assignment method ...
ike 0:dialup1: no IP assignment method defined
ike 0:dialup1:10: responder: aggressive mode get 1st message...
ike 0:dialup1:10: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712
ike 0:dialup1:10: XAUTHv6 negotiated
ike 0:dialup1:10: VID KAME/racoon AFCAD71368A1F1C96B8696FC77570100
ike 0:dialup1:10: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D380000000
ike 0:dialup1:10: VID unknown (16): 90CB80913EBB696E086381B5EC427B1F
ike 0:dialup1:10: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0100
ike 0:dialup1:10: UNITY support enabled
ike 0:dialup1:10: negotiation result
ike 0:dialup1:10: proposal id = 1:
ike 0:dialup1:10:   protocol id = ISAKMP:
ike 0:dialup1:10:      trans_id = KEY_IKE.
ike 0:dialup1:10:      encapsulation = IKE/none
ike 0:dialup1:10:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:dialup1:10:         type=OAKLEY_HASH_ALG, val=SHA.
ike 0:dialup1:10:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:dialup1:10:         type=OAKLEY_GROUP, val=1024.
ike 0:dialup1:10: ISKAMP SA lifetime=28800
ike 0:dialup1:10: cookie c6017de3bfbc2120/7f639b347abf987b
ike 0:dialup1:10: sent IKE msg (agg_r1send): 172.31.210.49:500->172.16.87.91:1133, len=328
ike dialup1: Responder: sent 172.16.87.91 aggressive mode message #1 (OK)

ike 0: comes 172.16.87.91:1133->172.31.210.49:500,ifindex=16....
ike 0: IKEv1 exchange=Aggressive id=c6017de3bfbc2120/7f639b347abf987b len=124
ike 0: found dialup1 172.31.210.49 16 -> 172.16.87.91:1133
ike 0:dialup1:10: responder: aggressive mode get 2nd response...
ike 0:dialup1:10: received notify type 24578
ike 0:dialup1:10: VID unknown (16): 33C6DAFEBFBD2120137DA6AE161C6A53
ike 0:dialup1:10: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0100
ike 0:dialup1:10: UNITY support enabled
ike 0:dialup1:10: PSK authentication succeeded
ike 0:dialup1:10: authentication OK
ike dialup1: Responder: parsed 172.16.87.91 aggressive mode message #2 (DONE)

ike 0:dialup1: adding new dialup tunnel for 172.16.87.91:1133
ike 0:dialup1_0: added new dialup tunnel for 172.16.87.91:1133
ike 0:dialup1_0:10: send ISAKMP RESPONDER-LIFETIME 28800 sec
ike 0:dialup1_0:10: sent IKE msg (RESPONDER-LIFETIME): 172.31.210.49:500->172.16.87.91:1133, len=108

ike 0:dialup1_0:10: initiating XAUTH.
ike 0:dialup1_0:10: sending XAUTH request
ike 0:dialup1_0:10: sent IKE msg (cfg_send): 172.31.210.49:500->172.16.87.91:1133, len=76
ike dialup1_0: Initiator: sent 172.16.87.91 xauth mode message #1 (OK)

ike 0:dialup1_0:10: ISAKMP SA established
ike 0:dialup1_0: DPD disabled, not negotiated
ike 0:dialup1_0:10: processing INITIAL-CONTACT
ike 0:dialup1_0: flushing
ike 0:dialup1_0: flushed
ike 0:dialup1_0:10: processed INITIAL-CONTACT
ike 0:dialup1_0:10: sent IKE msg (CFG_RETRANS): 172.31.210.49:500->172.16.87.91:1133, len=76

ike 0: comes 172.16.87.91:1133->172.31.210.49:500,ifindex=16....
ike 0: IKEv1 exchange=Mode config id=c6017de3bfbc2120/7f639b347abf987b:27e3dce5 len=92
ike 0: found dialup1_0 172.31.210.49 16 -> 172.16.87.91:1133
ike 0:dialup1_0:10: received XAUTH_USER_NAME 'ipsecuser1' length 5
ike 0:dialup1_0:10: received XAUTH_USER_PASSWORD length 7
ike 0:dialup1_0: XAUTH user "ipsecuser1" in group 'ipsecgrp' (5)
ike 0:dialup1_0: XAUTH succeeded for user "ipsecuser1"
ike 0:dialup1_0:10: sent IKE msg (cfg_send): 172.31.210.49:500->172.16.87.91:1133, len=76
ike dialup1_0: Initiator: sent 172.16.87.91 xauth mode message #2 (OK)

ike 0: comes 172.16.87.91:1133->172.31.210.49:500,ifindex=16....
ike 0: IKEv1 exchange=Mode config id=c6017de3bfbc2120/7f639b347abf987b:542ca03a len=60
ike 0: found dialup1_0 172.31.210.49 16 -> 172.16.87.91:1133
ike dialup1_0: Initiator: parsed 172.16.87.91 xauth mode message #2 (DONE)

ike 0: comes 172.16.87.91:1133->172.31.210.49:500,ifindex=16....
ike 0: IKEv1 exchange=Mode config id=c6017de3bfbc2120/7f639b347abf987b:40cc5663 len=204
ike 0: found dialup1_0 172.31.210.49 16 -> 172.16.87.91:1133
ike 0:dialup1_0:10: mode-cfg type 1 request 0:''
ike 0:dialup1_0:10: mode-cfg using allocated IPv4 192.168.233.1
ike 0:dialup1_0:10: mode-cfg assigned (1) IPv4 address 192.168.233.1
ike 0:dialup1_0:10: mode-cfg type 2 request 0:''
ike 0:dialup1_0:10: mode-cfg assigned (2) IPv4 netmask 255.255.255.0
ike 0:dialup1_0:10: mode-cfg type 3 request 0:''
ike 0:dialup1_0:10: mode-cfg send (3) IPv4 DNS(1) 10.5.1.1
ike 0:dialup1_0:10: mode-cfg type 4 request 0:''
ike 0:dialup1_0:10: mode-cfg send (4) WINS(1) 10.5.1.1
ike 0:dialup1_0:10: mode-cfg type 5 request 0:''
ike 0:dialup1_0:10: mode-cfg INTERNAL_ADDRESS_EXPIRY ignored, address does not expire
ike 0:dialup1_0:10: mode-cfg type 28672 request 0:''
ike 0:dialup1_0:10: mode-cfg UNITY type 28672 requested
ike 0:dialup1_0:10: mode-cfg no banner configured, ignoring
ike 0:dialup1_0:10: mode-cfg type 28673 request 0:''
ike 0:dialup1_0:10: mode-cfg UNITY type 28673 requested
ike 0:dialup1_0:10: mode-cfg UNITY type 28673 not supported, ignoring
ike 0:dialup1_0:10: mode-cfg type 28674 request 0:''
ike 0:dialup1_0:10: mode-cfg UNITY type 28674 requested
ike 0:dialup1_0:10: mode-cfg no domain configured, ignoring
ike 0:dialup1_0:10: mode-cfg type 28676 request 0:''
ike 0:dialup1_0:10: mode-cfg UNITY type 28676 requested
ike 0:dialup1_0:10: mode-cfg send (28676) IPv4 subnet 10.5.0.0/255.255.0.0
ike 0:dialup1_0:10: mode-cfg type 28675 request 0:''
ike 0:dialup1_0:10: mode-cfg UNITY type 28675 requested
ike 0:dialup1_0:10: mode-cfg UNITY type 28675 not supported, ignoring
ike 0:dialup1_0:10: mode-cfg type 28679 request 0:''
ike 0:dialup1_0:10: mode-cfg UNITY type 28679 requested
ike 0:dialup1_0:10: mode-cfg send (28679) DH 2
ike 0:dialup1_0:10: mode-cfg type 28683 request 0:''
ike 0:dialup1_0:10: mode-cfg attribute type 28683 not supported, ignoring
ike 0:dialup1_0:10: mode-cfg type 28681 request 0:''
ike 0:dialup1_0:10: mode-cfg UNITY type 28681 requested
ike 0:dialup1_0:10: mode-cfg UNITY type 28681 not supported, ignoring
ike 0:dialup1_0:10: mode-cfg type 7 request 42:'436973636F2053797374656D732056504E20436C69656E7420342E382E30322E303031303A57696E4E54'
ike 0:dialup1_0:10: mode-cfg received APPLICATION_VERSION Cisco Systems VPN Client 4.8.02.0010:WinNTp
ike 0:dialup1_0:10: mode-cfg send APPLICATION_VERSION 'Fortigate-310B v4.01.0,build0152b152,090601 (Beta 0)'
ike 0:dialup1_0:10: mode-cfg type 28680 request 12:'800100018002000180030002'
ike 0:dialup1_0:10: mode-cfg UNITY type 28680 requested
ike 0:dialup1_0:10: mode-cfg UNITY type 28680 not supported, ignoring
ike 0:dialup1_0:10: mode-cfg type 28682 request 16:'564D54454D504C4154452D585050524F'
ike 0:dialup1_0:10: mode-cfg UNITY type 28682 requested
ike 0:dialup1_0:10: mode-cfg UNITY type 28682 not supported, ignoring
ike 0:dialup1_0:10: mode-cfg type 28677 request 0:''
ike 0:dialup1_0:10: mode-cfg UNITY type 28677 requested
ike 0:dialup1_0:10: mode-cfg UNITY type 28677 not supported, ignoring
ike 0:dialup1_0:10: sent IKE msg (cfg_send): 172.31.210.49:500->172.16.87.91:1133, len=172

ike 0: comes 172.16.87.91:1133->172.31.210.49:500,ifindex=16....
ike 0: IKEv1 exchange=Quick id=c6017de3bfbc2120/7f639b347abf987b:cb402354 len=1260
ike 0: found dialup1_0 172.31.210.49 16 -> 172.16.87.91:1133
ike 0:dialup1_0:10:17: responder received first quick-mode message
ike 0:dialup1_0:10:17: peer proposal is: peer:192.168.233.1-192.168.233.1, me:0.0.0.0-255.255.255.255, ports=0/0, protocol=0/0
ike 0:dialup1_0:10:17: trying dialupp2
ike 0:dialup1_0:10:dialupp2:17: matched phase2
ike 0:dialup1_0:10:dialupp2:17: dynamic client
ike 0:dialup1_0:10:dialupp2:17: my proposal:
ike 0:dialup1_0:10:dialupp2:17: proposal id = 1:
ike 0:dialup1_0:10:dialupp2:17:   protocol id = IPSEC_ESP:
ike 0:dialup1_0:10:dialupp2:17:      trans_id = ESP_3DES
ike 0:dialup1_0:10:dialupp2:17:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:dialup1_0:10:dialupp2:17:         type = AUTH_ALG, val=SHA1
ike 0:dialup1_0:10:dialupp2:17:      trans_id = ESP_AES (key_len = 128)
ike 0:dialup1_0:10:dialupp2:17:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:dialup1_0:10:dialupp2:17:         type = AUTH_ALG, val=SHA1
ike 0:dialup1_0:10:dialupp2:17: incoming proposal:
ike 0:dialup1_0:10:dialupp2:17: proposal id = 1:
ike 0:dialup1_0:10:dialupp2:17:   protocol id = IPSEC_ESP:
ike 0:dialup1_0:10:dialupp2:17:      trans_id = ESP_AES (key_len = 256)
ike 0:dialup1_0:10:dialupp2:17:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:dialup1_0:10:dialupp2:17:         type = AUTH_ALG, val=MD5
ike 0:dialup1_0:10:dialupp2:17: incoming proposal:
ike 0:dialup1_0:10:dialupp2:17: proposal id = 2:
ike 0:dialup1_0:10:dialupp2:17:   protocol id = IPSEC_ESP:
ike 0:dialup1_0:10:dialupp2:17:      trans_id = ESP_AES (key_len = 256)
ike 0:dialup1_0:10:dialupp2:17:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:dialup1_0:10:dialupp2:17:         type = AUTH_ALG, val=SHA1
ike 0:dialup1_0:10:dialupp2:17: incoming proposal:
ike 0:dialup1_0:10:dialupp2:17: proposal id = 3:
ike 0:dialup1_0:10:dialupp2:17:   protocol id = IPSEC_ESP:
ike 0:dialup1_0:10:dialupp2:17:      trans_id = ESP_AES (key_len = 128)
ike 0:dialup1_0:10:dialupp2:17:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:dialup1_0:10:dialupp2:17:         type = AUTH_ALG, val=MD5
ike 0:dialup1_0:10:dialupp2:17: incoming proposal:
ike 0:dialup1_0:10:dialupp2:17: proposal id = 4:
ike 0:dialup1_0:10:dialupp2:17:   protocol id = IPSEC_ESP:
ike 0:dialup1_0:10:dialupp2:17:      trans_id = ESP_AES (key_len = 128)
ike 0:dialup1_0:10:dialupp2:17:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:dialup1_0:10:dialupp2:17:         type = AUTH_ALG, val=SHA1
ike 0:dialup1_0:10:dialupp2:17: negotiation result
ike 0:dialup1_0:10:dialupp2:17: proposal id = 4:
ike 0:dialup1_0:10:dialupp2:17:   protocol id = IPSEC_ESP:
ike 0:dialup1_0:10:dialupp2:17:      trans_id = ESP_AES (key_len = 128)
ike 0:dialup1_0:10:dialupp2:17:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:dialup1_0:10:dialupp2:17:         type = AUTH_ALG, val=SHA1
ike 0:dialup1_0:10:dialupp2:17: set pfs=1024
ike 0:dialup1_0:10:dialupp2:17: using tunnel mode.
ike 0:dialup1_0:10:dialupp2:17: add RESPONDER-LIFETIME 1800 seconds
ike 0:dialup1_0:10: sent IKE msg (quick_r1send): 172.31.210.49:500->172.16.87.91:1133, len=332
ike dialup1_0: Responder: sent 172.16.87.91 quick mode message #1 (OK)

ike 0: comes 172.16.87.91:1133->172.31.210.49:500,ifindex=16....
ike 0: IKEv1 exchange=Quick id=c6017de3bfbc2120/7f639b347abf987b:cb402354 len=60
ike 0: found dialup1_0 172.31.210.49 16 -> 172.16.87.91:1133
ike 0:dialup1_0:10:dialupp2:17: replay protection enabled
ike 0:dialup1_0:10:dialupp2:17: SA life soft seconds=1790.
ike 0:dialup1_0:10:dialupp2:17: SA life hard seconds=1800.
ike 0:dialup1_0:10:dialupp2:17: add dynamic IPsec SA selectors
ike 0:dialup1_0:10:dialupp2:17: tunnel 1 of VDOM limit 0/0
ike 0:dialup1_0:10:dialupp2:17: IPsec SA selectors #src=1 #dst=1
ike 0:dialup1_0:10:dialupp2:17: src 0 7 0.0.0.0-255.255.255.255
ike 0:dialup1_0:10:dialupp2:17: dst 0 7 192.168.233.1-192.168.233.1
ike 0:dialup1_ike shrank heap by 126976 bytes
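
The debug output above is long, and the lines that matter for a tunnel review (phase1 transform, XAUTH result, the address and split subnet pushed by mode-cfg, the client version carried as hex in attribute type 7, and the phase2 result) are scattered through it. As an added example that is not part of the original article, the Python helper below reads a constructed excerpt of that output, extracts those facts, decodes the type 7 APPLICATION_VERSION payload, and flags the legacy settings this setup relies on (aggressive mode with a pre-shared key, 1024-bit DH) so that an administrator can decide whether to tighten them.

```python
import re

# Constructed excerpt of "diag debug app ike -1" output, cut down from the
# session shown above; it is not a complete capture.
SAMPLE_LOG = """\
ike 0: IKEv1 exchange=Aggressive id=c6017de3bfbc2120/0000000000000000 len=849
ike 0:dialup1:10:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:dialup1:10:         type=OAKLEY_HASH_ALG, val=SHA.
ike 0:dialup1:10:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:dialup1:10:         type=OAKLEY_GROUP, val=1024.
ike 0:dialup1_0: XAUTH succeeded for user "ipsecuser1"
ike 0:dialup1_0:10: mode-cfg assigned (1) IPv4 address 192.168.233.1
ike 0:dialup1_0:10: mode-cfg send (28676) IPv4 subnet 10.5.0.0/255.255.0.0
ike 0:dialup1_0:10: mode-cfg type 7 request 42:'436973636F2053797374656D732056504E20436C69656E7420342E382E30322E303031303A57696E4E54'
ike 0:dialup1_0:10:dialupp2:17: negotiation result
ike 0:dialup1_0:10:dialupp2:17:      trans_id = ESP_AES (key_len = 128)
ike 0:dialup1_0:10:dialupp2:17:         type = AUTH_ALG, val=SHA1
ike 0:dialup1_0:10:dialupp2:17: set pfs=1024
"""

P1_ATTR = re.compile(r"type=(OAKLEY_ENCRYPT_ALG|OAKLEY_HASH_ALG|AUTH_METHOD|OAKLEY_GROUP), val=(\w+)")
P2_LINE = re.compile(r"^ike 0:[^:]+:\d+:[^:]+:\d+: (.*)$")  # phase2 lines carry five context fields

def summarize_ike_debug(text):
    """Pull the facts a tunnel review needs out of the debug lines and flag legacy settings."""
    s = {"phase1": {}, "xauth_user": None, "client": {}, "split": [], "phase2": [], "warnings": []}
    in_p2_result = False
    for line in text.splitlines():
        if "exchange=Aggressive" in line:
            s["phase1"]["mode"] = "aggressive"
        if m := P1_ATTR.search(line):
            s["phase1"][m.group(1)] = m.group(2)
        if m := re.search(r'XAUTH succeeded for user "([^"]+)"', line):
            s["xauth_user"] = m.group(1)
        if m := re.search(r"mode-cfg assigned \(1\) IPv4 address (\S+)", line):
            s["client"]["address"] = m.group(1)
        if m := re.search(r"mode-cfg send \(28676\) IPv4 subnet (\S+)", line):
            s["split"].append(m.group(1))  # UNITY split-include pushed to the client
        if m := re.search(r"mode-cfg type 7 request \d+:'([0-9A-Fa-f]*)'", line):
            # attribute payloads are logged as hex; type 7 (APPLICATION_VERSION) is ASCII
            s["client"]["version"] = bytes.fromhex(m.group(1)).decode("ascii", "replace")
        if m := P2_LINE.match(line):
            body = m.group(1).strip()
            in_p2_result = in_p2_result or body == "negotiation result"
            if in_p2_result and (m2 := re.search(r"trans_id = (.+)|AUTH_ALG, val=(\w+)|set pfs=(\d+)", body)):
                s["phase2"].append(next(g for g in m2.groups() if g))
    p1 = s["phase1"]
    if p1.get("mode") == "aggressive" and p1.get("AUTH_METHOD") == "PRESHARED_KEY":
        s["warnings"].append("aggressive mode with PSK: identity hash travels unencrypted, keep the PSK long and random")
    if p1.get("OAKLEY_GROUP") == "1024" or "1024" in s["phase2"]:
        s["warnings"].append("1024-bit DH (group 2) in use; prefer a larger group where the client supports it")
    s["warnings"] += ["legacy phase2 transform: " + t for t in s["phase2"] if "3DES" in t or t == "MD5"]
    s["established"] = bool(s["xauth_user"] and s["client"].get("address") and s["phase2"])
    return s
```

Feed it the full output of diag debug app ike -1 for one client and check "established" plus the warnings list; the same regexes apply unchanged because the context fields (tunnel name, negotiation ids) are matched generically.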

On the Cisco client:

If split tunneling is enabled on the phase1-interface with set ipv4-split-include "10.5.x.x", then once the tunnel is established the routing table on the client looks like this:

C:\Documents and Settings\Fortinet>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 0c 29 94 c4 54 ...... AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
0x20004 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      172.16.87.1    172.16.87.91       10
         10.5.0.0      255.255.0.0    192.168.233.2   192.168.233.1       1                !!!!!!!! route for split tunneling
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      172.16.87.0    255.255.255.0     172.16.87.91    172.16.87.91       10
     172.16.87.91  255.255.255.255        127.0.0.1       127.0.0.1       10
   172.16.255.255  255.255.255.255     172.16.87.91    172.16.87.91       10
    172.31.210.49  255.255.255.255     172.16.87.10    172.16.87.91       1
    192.168.184.3  255.255.255.255     172.16.87.10    172.16.87.91       1
    192.168.233.0    255.255.255.0    192.168.233.1   192.168.233.1       10
    192.168.233.1  255.255.255.255        127.0.0.1       127.0.0.1       10
  192.168.233.255  255.255.255.255    192.168.233.1   192.168.233.1       10
        224.0.0.0        240.0.0.0     172.16.87.91    172.16.87.91       10
        224.0.0.0        240.0.0.0    192.168.233.1   192.168.233.1       10
  255.255.255.255  255.255.255.255     172.16.87.91    172.16.87.91       1
  255.255.255.255  255.255.255.255    192.168.233.1   192.168.233.1       1
Default Gateway:       172.16.87.1
===========================================================================
Persistent Routes:
  None


Related Articles

Technical Note : Supporting Multiple Cisco VPN Communities with FortiGate
