FortiGate
gmarcuccetti
Staff
Article Id 193516

Description


This article describes the scenario where a dialup IPsec VPN must manually assign a static IP to a specific set of users while a dynamic lease still works for the rest of the users.

This article describes how to configure FortiClient IPSec dialup VPN with manual static IP assignment and dynamic IP lease simultaneously on the same WAN interface.


Scope


FortiGate.

Solution


To achieve the requirement, configure two IPSec dialup VPN tunnels:

  • One for dynamic IP lease users.
  • One for static IP assignment users.


CLI Configuration on FortiGate for Dynamic Lease.

config firewall address
    edit "Diaup_VPN_Dynamic_Range"
        set type iprange
        set start-ip 10.10.10.10
        set end-ip 10.10.10.20
    next
end

config user local
    edit "user2_dynamic"
        set type password
        set email-to "<email>"
        set passwd <password>
    next
end

config user group
    edit "vpn_dynamic"
        set member "user2_dynamic"
    next
end

config vpn ipsec phase1-interface
    edit "Dynamic_Lease"
        set type dynamic
        set interface "port1"
        set mode aggressive
        set peertype any
        set mode-cfg enable                         <----- 'mode-cfg' should be enabled.
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set xauthtype auto
        set authusrgrp "vpn_dynamic"
        set assign-ip-from name
        set ipv4-netmask 255.255.255.0
        set dns-mode auto
        set ipv4-split-include "Internal_Lan"
        set ipv4-name "Diaup_VPN_Dynamic_Range"     <----- Dynamic IP range.
        set psksecret <psk>
        set dpd-retryinterval 60
    next
end

config vpn ipsec phase2-interface
    edit "Dynamic_Lease"
        set phase1name "Dynamic_Lease"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256
    next
end

config firewall policy
    edit <id>
        set name "Dialup_Dynamic_VPN"
        set srcintf "Dynamic_Lease"
        set dstintf "port2"
        set srcaddr "Diaup_VPN_Dynamic_Range"
        set dstaddr "Internal_Lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end


FortiClient configuration for dynamic lease.


CLI Configuration on FortiGate for Static Lease.

Note:

Manual IP setting is not fully supported by FortiClient v6.0.9 or above.


config firewall address
    edit "Dialup_Static_Assignment_Range"
        set type iprange
        set start-ip 10.10.10.30
        set end-ip 10.10.10.40
    next
end

config user local
    edit "user1_static"
        set type password
        set email-to "<email>"
        set passwd <password>
    next
end

config user group
    edit "vpn_static"
        set member "user1_static"
    next
end

config vpn ipsec phase1-interface
    edit "Static_Lease"
        set type dynamic
        set interface "port1"
        set mode aggressive
        set peertype one                   <----- Need to set peertype to one for specific peer ID.
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set localid "static.lease"
        set xauthtype auto
        set authusrgrp "vpn_static"
        set peerid "static.lease"          <-----  Need to define peerid for static IP client.
        set psksecret <psk>
        set dpd-retryinterval 60
    next
end

config vpn ipsec phase2-interface
    edit "Static_Lease"
        set phase1name "Static_Lease"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256
    next
end


config firewall policy
    edit <id>
        set name "Dialup_Static_VPN"
        set srcintf "Static_Lease"
        set dstintf "port2"
        set srcaddr "Dialup_Static_Assignment_Range"
        set dstaddr "Internal_Lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end


FortiClient configuration for static lease.


Notes:
'mode-cfg' has to be disabled in the static lease phase-1 configuration.

When 'mode-cfg' is disabled, split tunneling will not work because 'ipv4-split-include' is unavailable on that phase-1.

An alternative for giving a remote user a static IP is DHCP over IPsec combined with a DHCP IP reservation:
Technical Tip: DHCP IP address reservation with Dial up IPsec VPN
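The two phase-1 definitions above only coexist on one WAN interface if a few invariants hold at once: the static tunnel carries a 'peerid' with 'peertype one' and no 'mode-cfg', the dynamic tunnel is the single 'peertype any' catch-all and points 'ipv4-name' at an iprange object, and the two address ranges must not overlap. The following is an added example (not Fortinet's code and not part of this article) that parses FortiOS-style 'config'/'edit'/'set' blocks and checks those invariants before the configuration is applied. The embedded configuration is a constructed, trimmed copy of the article's two tunnels; the policy IDs 10 and 11 are placeholders, and the parser only understands the flat blocks used here, not nested 'config' sections.

```python
"""Lint two FortiOS dial-up phase1 definitions that share one WAN interface."""
import ipaddress
import shlex
from collections import defaultdict

# Constructed sample: the essential lines of the article's two tunnels.
# The inline "<-----" annotations are stripped by the parser.
SAMPLE_CONFIG = """
config firewall address
    edit "Diaup_VPN_Dynamic_Range"
        set type iprange
        set start-ip 10.10.10.10
        set end-ip 10.10.10.20
    next
    edit "Dialup_Static_Assignment_Range"
        set type iprange
        set start-ip 10.10.10.30
        set end-ip 10.10.10.40
    next
end
config vpn ipsec phase1-interface
    edit "Dynamic_Lease"
        set type dynamic
        set interface "port1"
        set mode aggressive
        set peertype any
        set mode-cfg enable      <----- 'mode-cfg' should be enabled.
        set assign-ip-from name
        set ipv4-name "Diaup_VPN_Dynamic_Range"
    next
    edit "Static_Lease"
        set type dynamic
        set interface "port1"
        set mode aggressive
        set peertype one
        set localid "static.lease"
        set peerid "static.lease"
    next
end
config firewall policy
    edit 10
        set srcintf "Dynamic_Lease"
        set srcaddr "Diaup_VPN_Dynamic_Range"
    next
    edit 11
        set srcintf "Static_Lease"
        set srcaddr "Dialup_Static_Assignment_Range"
    next
end
"""


def parse_fortios(text):
    """Return {section: {entry: {key: [values]}}} for flat config/edit/set blocks."""
    tree = defaultdict(dict)
    section = entry = None
    for raw in text.splitlines():
        line = raw.split("<-----", 1)[0].strip()  # drop article-style annotations
        if not line:
            continue
        tokens = shlex.split(line)  # honours the quoted object names
        kw = tokens[0]
        if kw == "config":
            section = " ".join(tokens[1:])
        elif kw == "edit":
            entry = tokens[1]
            tree[section].setdefault(entry, {})
        elif kw == "set":
            tree[section][entry][tokens[1]] = tokens[2:]
        elif kw == "next":
            entry = None
        elif kw == "end":
            section = None
    return tree


def address_range(tree, name):
    """Resolve an iprange firewall address object to (start, end) integers, or None."""
    obj = tree["firewall address"].get(name)
    if obj is None or obj.get("type") != ["iprange"]:
        return None
    return (int(ipaddress.IPv4Address(obj["start-ip"][0])),
            int(ipaddress.IPv4Address(obj["end-ip"][0])))


def lint_dialup_tunnels(text):
    """Return a list of findings; an empty list means the invariants hold."""
    tree = parse_fortios(text)
    findings, ranges = [], {}
    catch_all = defaultdict(list)  # interface -> tunnels that accept any peer ID
    policies = tree["firewall policy"]
    for name, p1 in tree["vpn ipsec phase1-interface"].items():
        if p1.get("type") != ["dynamic"]:
            continue
        peertype = p1.get("peertype", ["any"])[0]
        mode_cfg = p1.get("mode-cfg", ["disable"])[0] == "enable"
        if peertype == "any":
            catch_all[p1.get("interface", [""])[0]].append(name)
        if peertype == "one" and "peerid" not in p1:
            findings.append(f"{name}: peertype one requires a peerid")
        if peertype == "one" and mode_cfg:
            findings.append(f"{name}: mode-cfg must be disabled on the static-lease tunnel")
        if mode_cfg:
            # Dynamic lease: the range comes from the phase1 itself.
            if p1.get("assign-ip-from") != ["name"] or "ipv4-name" not in p1:
                findings.append(f"{name}: mode-cfg needs assign-ip-from name and ipv4-name")
            else:
                ranges[name] = address_range(tree, p1["ipv4-name"][0])
        else:
            # Static lease: the only place its range appears is the policy srcaddr.
            src = [pol["srcaddr"][0] for pol in policies.values()
                   if pol.get("srcintf") == [name] and "srcaddr" in pol]
            ranges[name] = address_range(tree, src[0]) if src else None
        if ranges.get(name) is None and name not in [f.split(":")[0] for f in findings]:
            findings.append(f"{name}: no iprange address object resolves for this tunnel")
    for intf, names in catch_all.items():
        if len(names) > 1:  # two peertype-any tunnels on one interface are ambiguous
            findings.append(f"{intf}: more than one peertype-any tunnel ({', '.join(names)})")
    items = [(n, r) for n, r in ranges.items() if r]
    for i, (a, ra) in enumerate(items):
        for b, rb in items[i + 1:]:
            if ra[0] <= rb[1] and rb[0] <= ra[1]:
                findings.append(f"{a} and {b}: address ranges overlap")
    return findings


if __name__ == "__main__":
    for line in lint_dialup_tunnels(SAMPLE_CONFIG) or ["OK: dial-up invariants hold"]:
        print(line)
```

Run it against a configuration backup before pushing the second tunnel: the overlap check is the one most often missed, because FortiGate will happily accept two iprange objects that share addresses and the collision only shows up as intermittent reachability for whichever client drew the duplicated IP.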