FortiGate
bfeng
Staff
Article Id 198528

Description

Dialup IPSec between a Cisco VPN client (Unity client) and a FortiGate unit was not supported before FortiOS 4.0 MR1.

Beginning with FortiOS 4.0 MR1, FortiOS supports the Cisco Unity client by implementing the IKE Configuration Method (draft-dukes-ike-mode-cfg-02).

"Unity" is Cisco's name for its VPN client and the IKE extensions it relies on, of which the IKE configuration method (mode-cfg, used to push an address, DNS/WINS servers and split-tunnel networks to the client) is the part FortiOS implements. The draft never became an RFC, but Cisco and various other vendors support some or all of it (http://tools.ietf.org/html/draft-dukes-ike-mode-cfg-02).

Notes:

(1) The configuration method is only available for route-based (interface mode) IPsec.
(2) If the dialup client is behind NAT, FortiOS 4.0 MR1 Patch 1 or later is required.


Scope

FortiOS 4.0 MR1, route-based (interface mode) IPsec VPN
FortiOS 4.0 MR1 Patch 1 for dialup clients behind NAT
Configuration Method - Cisco VPN client (the version used in this article is 4.8.02.00100)


Solution

Configuration

On the FortiGate unit:

1. Configure a local user by going to User > Local and selecting Create New.


2. Create a user group to add the new user to. Go to User > Group and select Create New.


3. Create a Phase1 IPsec interface by going to VPN > IPSec, selecting Create New and completing the following settings:

Mode: Aggressive. The Cisco client uses aggressive mode with its group name as the IKE ID. Aggressive mode sends the identity and the PSK-based authentication hash before encryption is established, so use a long, random pre-shared key and keep XAUTH enabled so that the PSK alone is never enough to connect.
IPsec interface mode: Enable
Proposal: AES128, SHA1
DH Group: 2
XAUTH: Enable as Server, and select the user group created in step 2
Peer Options: "Accept any peer ID" is sufficient if this is the only dialup tunnel and all dialup VPN users connect to it. Otherwise use "Accept this peer ID" or "Accept peer ID in dialup group". With "Accept peer ID in dialup group", the pre-shared key for each user is that local user's password in the dialup group.


From the CLI, edit the phase1 interface to enable the configuration method and define what is handed to the client:

config vpn ipsec phase1-interface
    edit "dialup1"
        set mode-cfg enable
        set ipv4-start-ip 192.168.233.1       >>>> first IP in the range the FortiGate assigns to IPsec clients
        set ipv4-end-ip 192.168.233.254    >>>> last IP in the range the FortiGate assigns to IPsec clients
        set ipv4-netmask 255.255.255.0     >>>> subnet mask pushed with the address
        set ipv4-dns-server1 10.5.1.1          >>>> optional DNS server passed to the client
        set ipv4-wins-server1 10.5.1.1         >>>> optional WINS server passed to the client
        set ipv4-split-include "10.5.x.x"        >>>> optional: firewall address or address group name of the networks reached through the tunnel, if split tunneling is desired; without it the client sends all traffic through the tunnel
    next
end


With those changes the dialup phase1 looks like this in the CLI:


config vpn ipsec phase1-interface
    edit "dialup1"
        set type dynamic
        set interface "external"
        set dhgrp 2
        set proposal aes128-sha1
        set xauthtype pap
        set mode aggressive
        set mode-cfg enable
        set authusrgrp "ipsecgrp"
        set ipv4-start-ip 192.168.233.1
        set ipv4-end-ip 192.168.233.254
        set ipv4-netmask 255.255.255.0
        set ipv4-dns-server1 10.5.1.1
        set ipv4-wins-server1 10.5.1.1
        set ipv4-split-include "10.5.x.x"
        set psksecret ENC +rAiG3Qgp2j5a5CnyHeRj8HRwY+fTaAj52FncVwImO61sUJuFjKQp/Z98M7PAARONXRhPrhU2dcFoG0qT3Je+AZkXhpCjm3r0V5iuwpmOEfSGAqi
    next
end


4. Configure the Phase2 settings

Proposal: AES128, SHA1
PFS: selected
DH Group: 2

Note: When the configuration method is enabled (set mode-cfg enable), DHCP over IPsec (DHCP-IPSEC) does not apply; the client address comes from the ipv4-start-ip/ipv4-end-ip range.

From the CLI:

config vpn ipsec phase2-interface
    edit "dialupp2"
        set dhgrp 2
        set phase1name "dialup1"
        set proposal aes128-sha1
    next
end


5. Configure a firewall policy allowing traffic from the IPsec interface ("dialup1") to the desired internal interface and, if the internal side must initiate connections to the clients, a second policy for the reverse direction. The source interface of the policy is the phase1 interface name; without a policy the tunnel negotiates successfully but passes no traffic.
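The complete FortiGate side of steps 1 to 5 as one CLI session, added here as an example and not taken from the original article. The phase1 and phase2 settings are the ones shown above; the user name and password, the address object names, the internal interface name "internal", the protected network 10.5.0.0/16 (the article only shows the placeholder 10.5.x.x) and the pre-shared key are assumptions for the example. Comments are on their own lines so the block can be pasted into the CLI as-is.

```text
# Step 1: local user; these are the XAUTH credentials the Cisco client prompts for
# (user name and password are assumed values)
config user local
    edit "ipsecuser"
        set type password
        set passwd "Str0ngXauthPassw0rd"
    next
end

# Step 2: user group referenced by the phase1 as the XAUTH server group
config user group
    edit "ipsecgrp"
        set member "ipsecuser"
    next
end

# Address objects: the client pool (used in the policy) and the protected
# network (used for split tunneling); 10.5.0.0/16 stands in for "10.5.x.x"
config firewall address
    edit "dialup1_pool"
        set subnet 192.168.233.0 255.255.255.0
    next
    edit "internal_net"
        set subnet 10.5.0.0 255.255.0.0
    next
end

# Step 3: phase1 in interface mode with XAUTH and mode-cfg; xauthtype must be
# set before authusrgrp, and mode-cfg before the ipv4-* attributes
# (the psksecret is an assumed value: it is the "Password" typed in the Cisco client)
config vpn ipsec phase1-interface
    edit "dialup1"
        set type dynamic
        set interface "external"
        set mode aggressive
        set proposal aes128-sha1
        set dhgrp 2
        set xauthtype pap
        set authusrgrp "ipsecgrp"
        set mode-cfg enable
        set ipv4-start-ip 192.168.233.1
        set ipv4-end-ip 192.168.233.254
        set ipv4-netmask 255.255.255.0
        set ipv4-dns-server1 10.5.1.1
        set ipv4-wins-server1 10.5.1.1
        set ipv4-split-include "internal_net"
        set psksecret "Long-random-group-password-here"
    next
end

# Step 4: phase2 with PFS on DH group 2
config vpn ipsec phase2-interface
    edit "dialupp2"
        set phase1name "dialup1"
        set proposal aes128-sha1
        set pfs enable
        set dhgrp 2
    next
end

# Step 5: policy from the tunnel interface to the internal network; "dialup1"
# exists as a logical interface once the phase1 above is saved
config firewall policy
    edit 0
        set srcintf "dialup1"
        set dstintf "internal"
        set srcaddr "dialup1_pool"
        set dstaddr "internal_net"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
```

Restricting srcaddr to the pool and dstaddr to the protected network keeps the policy as narrow as the split-include list; a second policy with "internal" as srcintf and "dialup1" as dstintf is only needed if hosts on the internal side must open connections to the clients.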

 

On the Cisco VPN client:

Name: the group name, which the client sends as its local ID. If the Peer Options setting on the FortiGate is not "Accept any peer ID", this name must match the peer ID accepted by the FortiGate unit.
Password: the group password, which is the pre-shared key of the tunnel.

When the connection is started, the client prompts for a user name and password; these are the XAUTH credentials and must match a local user in the group selected in step 3.



Verification:


On the FortiGate unit, enter the following diagnose commands before starting the connection from the client; the filter limits the IKE debug output to that one client:
diagnose vpn ike filter dst-addr4 <client's public ip>
diagnose debug application ike -1
diagnose debug enable
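A full debug session around a test connection, added here as an example rather than taken from the original article. 203.0.113.10 is a placeholder for the client's public IP. The name of the IKE filter command differs between FortiOS builds (some releases use "log-filter" instead of "filter"); "diagnose vpn ike ?" lists the form your build accepts.

```text
# Clear any earlier filter and debug state, then limit IKE debugging to one client
diagnose debug reset
diagnose vpn ike filter dst-addr4 203.0.113.10
diagnose debug application ike -1
diagnose debug enable

# Connect from the Cisco client now. The output should show the aggressive
# mode exchange, the XAUTH user authentication and the mode-cfg reply that
# carries the address from the 192.168.233.x pool. Then stop the debug output:
diagnose debug disable
diagnose debug reset

# Confirm the phase1 gateway, the phase2 SAs and the address assigned to the client
diagnose vpn ike gateway list
diagnose vpn tunnel list
```

Leaving "diagnose debug enable" active with an IKE debug level of -1 is expensive on a busy unit; always disable and reset it once the test is done.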

Related Articles

Technical Note : Supporting Multiple Cisco VPN Communities with FortiGate
