FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Not applicable
Article Id 194446

 

Description

This article describes how to configure a firewall-to-firewall dialup IPsec tunnel and enable policy routing for the traffic that arrives from the VPN tunnel.

The sample configuration uses a FortiGate-300 as the dialup IPsec VPN server (with policy routing) and a FortiGate-60 as the remote dialup IPsec VPN client.

The FortiGate-300 uses policy routing so that all traffic arriving from the VPN tunnel is forwarded to a NAT gateway on its internal network (192.168.3.11) and from there to the Internet, instead of following the default route out of the FortiGate-300's own external interface.

Scope

FortiGate-VM v7.4.x, FortiGate-300 v2.80 b219, FortiGate-60 v2.80 b219.

Solution

The configuration is based on the following assumptions:

  • The IP address of the external interface is a public IP address on both firewalls.
  • The default gateway on both firewalls points to an address on the external interface.
  • The gateway at 192.168.3.11 performs NAT, so any traffic forwarded to it can reach the Internet and the replies can return.

Gateway.

IP: 192.168.3.11. The gateway has an outgoing NAT policy that permits any traffic to the Internet.

 

Firewall1 FortiGate-300 configuration.

Asymmetric routing is enabled so that the FortiGate accepts the policy-routed flow between the tunnel and the internal gateway without a strict reverse-path check. Note that asymroute also relaxes the FortiGate's stateful session checks, so enable it only where the topology requires it.

config system global
    set asymroute enable
end

 

config system interface
    edit "internal"
        set ip 192.168.3.1 255.255.255.0
        set allowaccess ping https
    next
    edit "external"
        set ip 64.114.95.238 255.255.255.128
        set allowaccess ping https
    next
end

 

config vpn ipsec phase1
    edit "mygw"
        set interface "external"    <the public listening interface, named "external" on this unit>
        set dpd enable    <set dpd on-demand for v7.4.x>
        set nattraversal enable
        set proposal 3des-sha1 3des-md5    <legacy algorithms from the original lab; on v7.4.x use a current proposal such as aes256-sha256>
        set type dynamic
        set keepalive 5
        set psksecret 123456    <sample value; use a long random pre-shared key, identical on both firewalls>
    next
end

 

config vpn ipsec phase2
    edit "mytunnel"
        set pfs enable
        set phase1name mygw
        set proposal 3des-sha1 3des-md5    <legacy; on v7.4.x use a current proposal such as aes256-sha256>
        set replay enable
        set wildcardid enable    <This command is not needed for v7.4.x>
    next
end

 

config firewall policy
    edit 2
        set srcintf "internal"
        set dstintf "external"
        set srcaddr "all"
        set dstaddr "all"
        set action encrypt   <set action ipsec for a policy-based tunnel on v7.4.x; with an interface-mode tunnel use set action accept and reference the tunnel interface instead of vpntunnel>
        set schedule "always"
        set service "ANY"    <set service "ALL" for v7.4.x>
        set inbound enable   <This command is not needed for v7.4.x>
        set outbound enable  <This command is not needed for v7.4.x>
        set vpntunnel "mytunnel"
    next
end

 

config router policy
    edit 1
        set gateway 192.168.3.11
        set input_device "external"    <set input-device "external" for v7.4.x>
        set output_device "internal"   <set output-device "internal" for v7.4.x>
        set src 192.168.2.0 255.255.255.0 <set src "192.168.2.0/24" for v7.4.x>
    next
end

Policy routes are consulted before the routing table. This one matches only packets from 192.168.2.0/24 that arrive on "external", which after decryption is the dialup client's traffic, and sends them to 192.168.3.11 via "internal" instead of out of the default route. Return traffic from the gateway follows the normal routing table and the encrypt policy back into the tunnel.

 

Firewall2 FortiGate-60 configuration.

 

config system interface
    edit "internal"
        set dhcp-server-mode server
        set ip 192.168.2.1 255.255.255.0
        set allowaccess ping https
    next
    edit "wan1"
        set ip 64.114.95.237 255.255.255.128
        set allowaccess ping https
    next
end

 

config vpn ipsec phase1
    edit "mygw"
        set interface "wan1"    <the public listening interface, named "wan1" on this unit>
        set dpd enable <set dpd on-demand for v7.4.x>
        set nattraversal enable
        set proposal 3des-sha1 3des-md5    <legacy; must match the server, on v7.4.x use a current proposal such as aes256-sha256>
        set keepalive 5
        set psksecret 123456    <must be identical to the pre-shared key configured on Firewall1>
        set remotegw 64.114.95.238
    next
end

 

config vpn ipsec phase2
    edit "mytunnel"
        set pfs enable
        set phase1name mygw
        set proposal 3des-sha1 3des-md5    <legacy; must match the server, on v7.4.x use a current proposal such as aes256-sha256>
        set replay enable
    next
end

 

config firewall address
    edit "local"
        set subnet 192.168.2.0 255.255.255.0
    next
end

 

config firewall policy
    edit 3
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "local"
        set dstaddr "all"
        set action encrypt   <set action ipsec for a policy-based tunnel on v7.4.x; with an interface-mode tunnel use set action accept and reference the tunnel interface instead of vpntunnel>
        set schedule "always"
        set service "ANY"    <set service "ALL" for v7.4.x>
        set inbound enable   <This command is not needed for v7.4.x>
        set outbound enable  <This command is not needed for v7.4.x>
        set vpntunnel "mytunnel"
    next
end

 

Verifying on the workstation.

A workstation behind Firewall2 (192.168.2.0/24) is able to connect to the Internet.

Traceroute to www.msn.com, gateway list:

1 192.168.2.1
2 64.114.95.238
3 192.168.3.11
... ...

Hop 2 is the tunnel endpoint on the FortiGate-300 and hop 3 is the NAT gateway on its internal network, which confirms that the traffic crossed the tunnel and was policy-routed to the gateway rather than out of the FortiGate-300's external interface.

 

Verifying the Firewall1 FortiGate-300 status.

The itdb entry is the inbound child SA (traffic from the client) and otdb the outbound one. Note that this output prints the live 3DES and SHA1-HMAC keys of both SAs; redact them before pasting the output into a ticket.

Fortigate-300 # diagnose vpn tunnel list
tunnel[11]:mytunnel_13, gateway:64.114.95.237:500, hub=, option=38
   eroute[2]:{[0.0.0.0-255.255.255.255]}->{[192.168.2.*]}

 channel[2]:64.114.95.238,natt=0,state=2,keepalive=0,oif=3
     sa[4]:mtu=1434, cur_bytes=132208, timeout=308
     itdb[1]:mtu=1434, cur_bytes=33336, cur_packets=468, spi=67d81675, replay=64
          3DES=b12164725b2211c8b4b6e2b37ed4b4b22ee77f13f3200074
          iv=0000000000000000
          SHA1_HMAC=fe99ce10b52dddeb1a9b6dabbb51c29573d8db82
     otdb[1]:mtu=1434, cur_bytes=80000, cur_packets=465, spi=734feaa2, replay=64
          3DES=3afc260e72418cb66fc16c5aee750447aa2c65160ffc2ec2
          iv=160167f276114574
          SHA1_HMAC=5e027ee96469a78fb6832bbef9880cad8b918640

 

Verifying the Firewall2 status.

(diag vpn t l is the abbreviated form of diagnose vpn tunnel list.) The SPI and keys of the itdb entry here match the otdb entry on the FortiGate-300 and vice versa, which is what a healthy pair of child SAs looks like; the eroute is the mirror image of the server's.

FortiWiFi-60 # diag vpn t l
tunnel[22]:mytunnel, gateway:64.114.95.238:500, hub=, option=6
   eroute[2]:{[192.168.2.*]}->{[0.0.0.0-255.255.255.255]}

   channel[2]:64.114.95.237,natt=0,state=2,keepalive=0,oif=4
     sa[4]:mtu=1434, cur_bytes=149627, timeout=166
     itdb[1]:mtu=1434, cur_bytes=88664, cur_packets=527, spi=734feaa2, replay=64
          3DES=3afc260e72418cb66fc16c5aee750447aa2c65160ffc2ec2
          iv=0000000000000000
          SHA1_HMAC=5e027ee96469a78fb6832bbef9880cad8b918640
     otdb[1]:mtu=1434, cur_bytes=38592, cur_packets=538, spi=67d81675, replay=64
          3DES=b12164725b2211c8b4b6e2b37ed4b4b22ee77f13f3200074
          iv=3a1e0b480088ded7
          SHA1_HMAC=fe99ce10b52dddeb1a9b6dabbb51c29573d8db82
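The comparison described above for the two captures can be automated. The following Python is an added example, not code from this article or from Fortinet: it parses both diagnose vpn tunnel list outputs, confirms that each side's inbound SA (itdb) is the other side's outbound SA (otdb) with the same SPI and key material, checks that the traffic selectors are mirrored and anti-replay is enabled, flags the legacy 3DES/SHA1 algorithms, and masks the key lines so the capture can be shared safely. The sample inputs are the two captures from this article embedded as strings (blank lines dropped); the set of algorithms treated as weak is an assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the two 'diagnose vpn tunnel list' captures shown in this
# article (FortiGate-300 dialup server, FortiWiFi-60 client), so the check runs offline.
FG300_OUTPUT = """\
tunnel[11]:mytunnel_13, gateway:64.114.95.237:500, hub=, option=38
   eroute[2]:{[0.0.0.0-255.255.255.255]}->{[192.168.2.*]}
 channel[2]:64.114.95.238,natt=0,state=2,keepalive=0,oif=3
     sa[4]:mtu=1434, cur_bytes=132208, timeout=308
     itdb[1]:mtu=1434, cur_bytes=33336, cur_packets=468, spi=67d81675, replay=64
          3DES=b12164725b2211c8b4b6e2b37ed4b4b22ee77f13f3200074
          iv=0000000000000000
          SHA1_HMAC=fe99ce10b52dddeb1a9b6dabbb51c29573d8db82
     otdb[1]:mtu=1434, cur_bytes=80000, cur_packets=465, spi=734feaa2, replay=64
          3DES=3afc260e72418cb66fc16c5aee750447aa2c65160ffc2ec2
          iv=160167f276114574
          SHA1_HMAC=5e027ee96469a78fb6832bbef9880cad8b918640
"""
FW60_OUTPUT = """\
tunnel[22]:mytunnel, gateway:64.114.95.238:500, hub=, option=6
   eroute[2]:{[192.168.2.*]}->{[0.0.0.0-255.255.255.255]}
   channel[2]:64.114.95.237,natt=0,state=2,keepalive=0,oif=4
     sa[4]:mtu=1434, cur_bytes=149627, timeout=166
     itdb[1]:mtu=1434, cur_bytes=88664, cur_packets=527, spi=734feaa2, replay=64
          3DES=3afc260e72418cb66fc16c5aee750447aa2c65160ffc2ec2
          iv=0000000000000000
          SHA1_HMAC=5e027ee96469a78fb6832bbef9880cad8b918640
     otdb[1]:mtu=1434, cur_bytes=38592, cur_packets=538, spi=67d81675, replay=64
          3DES=b12164725b2211c8b4b6e2b37ed4b4b22ee77f13f3200074
          iv=3a1e0b480088ded7
          SHA1_HMAC=fe99ce10b52dddeb1a9b6dabbb51c29573d8db82
"""
# Assumption: algorithm names, as printed by the capture, that should be retired.
WEAK_ALGORITHMS = {"DES", "3DES", "MD5_HMAC", "SHA1_HMAC"}

@dataclass
class ChildSa:
    spi: str = ""
    replay: int = 0           # anti-replay window; 0 means replay protection is off
    cipher: str = ""
    cipher_key: str = ""
    integrity: str = ""
    integrity_key: str = ""

@dataclass
class Tunnel:
    src_selector: str = ""    # left side of the eroute
    dst_selector: str = ""    # right side of the eroute
    inbound: ChildSa = field(default_factory=ChildSa)    # itdb
    outbound: ChildSa = field(default_factory=ChildSa)   # otdb

EROUTE_RE = re.compile(r"eroute\[\d+\]:\{(.*?)\}->\{(.*?)\}")
TDB_RE = re.compile(r"(itdb|otdb)\[\d+\]:.*?spi=([0-9a-f]+), replay=(\d+)")
KEY_RE = re.compile(r"^(\w+)=([0-9a-f]+)$")   # indented key lines under itdb/otdb

def parse_tunnel(text):
    """Parse one tunnel entry of 'diagnose vpn tunnel list' into a Tunnel."""
    t, current = Tunnel(), None
    for line in (ln.strip() for ln in text.splitlines()):
        if m := EROUTE_RE.search(line):
            t.src_selector, t.dst_selector = m.group(1), m.group(2)
        elif m := TDB_RE.search(line):
            current = t.inbound if m.group(1) == "itdb" else t.outbound
            current.spi, current.replay = m.group(2), int(m.group(3))
        elif current is not None and (m := KEY_RE.match(line)) and m.group(1) != "iv":
            if m.group(1).endswith("_HMAC"):
                current.integrity, current.integrity_key = m.group(1), m.group(2)
            else:
                current.cipher, current.cipher_key = m.group(1), m.group(2)
    return t

def cross_check(local, remote):
    """Findings where the two ends disagree; an empty list means the SA pair is consistent."""
    problems = []
    # local's inbound SA must be remote's outbound SA and vice versa: same SPI, same keys.
    for label, mine, theirs in (("remote->local", local.inbound, remote.outbound),
                                ("local->remote", local.outbound, remote.inbound)):
        if mine.spi != theirs.spi:
            problems.append(f"{label}: SPI mismatch {mine.spi} vs {theirs.spi}")
        elif (mine.cipher_key, mine.integrity_key) != (theirs.cipher_key, theirs.integrity_key):
            problems.append(f"{label}: key material differs for SPI {mine.spi}")
    if (local.src_selector, local.dst_selector) != (remote.dst_selector, remote.src_selector):
        problems.append("traffic selectors are not mirrored between the two ends")
    for side, t in (("local", local), ("remote", remote)):
        for sa in (t.inbound, t.outbound):
            if sa.replay == 0:
                problems.append(f"{side}: anti-replay disabled on SPI {sa.spi}")
    return problems

def weak_algorithms(t):
    """Legacy algorithm names negotiated on either child SA of the tunnel."""
    return {alg for sa in (t.inbound, t.outbound)
            for alg in (sa.cipher, sa.integrity) if alg in WEAK_ALGORITHMS}

def redact_keys(text):
    """Mask the SA key lines so the capture can be pasted into a ticket."""
    return re.sub(r"^([ \t]*\w+)=[0-9a-f]{32,}$", r"\1=<redacted>", text, flags=re.M)
```

Run cross_check(parse_tunnel(FG300_OUTPUT), parse_tunnel(FW60_OUTPUT)) on the article's captures and it returns an empty list, while weak_algorithms reports 3DES and SHA1_HMAC; a mismatched SPI or a replay window of 0 on either side shows up as a finding. The iv lines are left alone by redact_keys because they are shorter than any key.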

 

Troubleshooting:

For the tunnel (IKE negotiation), on either firewall:

diagnose debug reset
diagnose debug application ike -1
diagnose debug enable

For the traffic (replace x.x.x.x and y.y.y.y with the workstation and the destination address):

diagnose debug reset
diagnose debug flow filter addr x.x.x.x y.y.y.y and
diagnose debug flow show function-name enable
diagnose debug flow trace start 100
diagnose debug enable

To confirm on which interface the packets arrive and leave the FortiGate:

diagnose sniffer packet any "host <source IP> and host <destination IP>" 4 100

Stop the debug output when finished:

diagnose debug disable
diagnose debug reset