FortiGate
achowdhury
Staff
Article Id 192062

Description

This article describes how to configure a dial-up IPsec VPN whose users reach a remote site over an IPsec site-to-site VPN connection.

Scope

Version 6.0 or above.

Solution

(Main figure.png: topology diagram)

This is a site-to-site IPsec VPN configuration that also lets IPsec dialup users reach endpoints at the remote site. A site-to-site VPN connection is configured between the head office (HO) and the branch office.

An end user connects to the branch office over an IPsec dialup connection and, through it, reaches a server on the HO LAN.

Configure the IPsec site-to-site VPN so that the dialup address pool, 10.10.10.0/24, is included among the branch office subnets carried by the tunnel:

HO Firewall:

Step 1): (screenshot VPN-1.JPG)

Step 2): (screenshot VPN-2.JPG)

Step 3): (screenshot VPN-3.JPG)

Step 4): (screenshot VPN-4.JPG)

Step 5): (screenshot VPN-5.JPG)

Branch Firewall:

Now configure the site-to-site VPN.

Step 6): (screenshot VPN-6.JPG)

Step 7): (screenshot VPN-7.JPG)

Step 8): (screenshot VPN-8.JPG)

Step 9): (screenshot VPN-9.JPG)

Step 10): (screenshot VPN-10.JPG)

Step 11): (screenshot VPN-11.JPG)

Now configure the IPsec dialup connection for the branch user.

Step 12): (screenshot 12.JPG)

Step 13): (screenshot 13.JPG)

Step 14): (screenshot 14.JPG)

Step 15): (screenshot 15.JPG)

Step 16): (screenshot 16.JPG)

Step 17): (screenshot 17.JPG)

Now configure a policy that allows traffic from the dialup tunnel interface to the site-to-site tunnel interface.

Step 18): (screenshot 18.JPG)

Now move to the client's computer and configure FortiClient.

Step 19): (screenshots 19.JPG, 20.JPG)

After a successful connection, the user should be able to reach the 192.168.1.0/24 network behind the HO firewall.

(screenshot Forticlient output.JPG)

Now verify the same configuration from the CLI:


***********************************HO Firewall**************************************

HO-FW # sh | grep -f  "To-Branch"

# config system interface

    edit "To-Branch" <---

        set vdom "root"

        set type tunnel

        set snmp-index 15

        set interface "port3"

    next

end

 

# config firewall address

    edit "To-Branch_local_subnet_1" <---

        set uuid 927e48e0-5473-51ed-4e8e-dbd1c3c97d17

        set allow-routing enable

        set subnet 192.168.1.0 255.255.255.0

    next

    edit "To-Branch_remote_subnet_1" <---

        set uuid 92896392-5473-51ed-1aa9-aa8ea0c27f81

        set allow-routing enable

        set subnet 192.168.2.0 255.255.255.0

    next

    edit "To-Branch_remote_subnet_2" <---

        set uuid 928efbae-5473-51ed-59c5-921e3b809bdf

        set allow-routing enable

        set subnet 10.10.10.0 255.255.255.0

    next

end

 

# config firewall addrgrp

    edit "To-Branch_local" <---

        set uuid 9283ab00-5473-51ed-d27f-a450aed98e3d

        set member "To-Branch_local_subnet_1" <---

        set comment "VPN: To-Branch (Created by VPN wizard)" <---

        set allow-routing enable

    next

    edit "To-Branch_remote" <---

        set uuid 9294903c-5473-51ed-388c-585fdf647eb4

        set member "To-Branch_remote_subnet_1" "To-Branch_remote_subnet_2" <---

        set comment "VPN: To-Branch (Created by VPN wizard)" <---

        set allow-routing enable

    next

end

 

# config vpn ipsec phase1-interface

    edit "To-Branch" <---

        set interface "port3"

        set peertype any

        set net-device disable

        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1

        set comments "VPN: To-Branch (Created by VPN wizard)" <---

        set wizard-type static-fortigate

        set remote-gw 172.16.1.2

        set psksecret ENC DRtAUEChBpiKZvQ0FxIgP8eSw8Zj2ZghjE1YJj1JiPfn6LtHoLLNcbYPPeNrHlph4wGEZTNyBQ8E3Jgd0OfYPZClWr4GCTLExH3LJc3MsNRT4DHqQZPsW4pRu8T5iu3ZJgcdA0Q50wcERY1cBjgRGqJ6rXzSEWDjlLxvJWUxuuYjMAkg8GRXTj+syH3EnKy9Ites/w==

    next

end

 

# config vpn ipsec phase2-interface

    edit "To-Branch" <---

        set phase1name "To-Branch" <---

        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305

        set comments "VPN: To-Branch (Created by VPN wizard)" <---

        set src-addr-type name

        set dst-addr-type name

        set src-name "To-Branch_local" <---

        set dst-name "To-Branch_remote" <---

    next

end

 

# config firewall policy

    edit 2

        set name "vpn_To-Branch_local_0" <---

        set uuid 92ab822e-5473-51ed-514b-e46aa198cd3e

        set srcintf "port2"

        set dstintf "To-Branch" <---

        set action accept

        set srcaddr "To-Branch_local" <---

        set dstaddr "To-Branch_remote" <---

        set schedule "always"

        set service "ALL"

        set comments "VPN: To-Branch (Created by VPN wizard)" <---

    next

    edit 3

        set name "vpn_To-Branch_remote_0" <---

        set uuid 92bc5072-5473-51ed-9787-03aa6d45305b

        set srcintf "To-Branch" <---

        set dstintf "port2"

        set action accept

        set srcaddr "To-Branch_remote" <---

        set dstaddr "To-Branch_local" <---

        set schedule "always"

        set service "ALL"

        set comments "VPN: To-Branch (Created by VPN wizard)" <---

    next

end

 

# config router static

    edit 2

        set device "To-Branch" <---

        set comment "VPN: To-Branch (Created by VPN wizard)" <---

        set dstaddr "To-Branch_remote" <---

    next

    edit 3

        set distance 254

        set comment "VPN: To-Branch (Created by VPN wizard)" <---

        set blackhole enable

        set dstaddr "To-Branch_remote" <---

    next

end

 

HO-FW #

 

**********************************Branch Firewall***************************

Branch-FW # sh | grep -f  "To-HO"

# config system interface

    edit "To-HO" <---

        set vdom "root"

        set type tunnel

        set snmp-index 15

        set interface "port3"

    next

end

 

# config firewall address

    edit "To-HO_local_subnet_1" <---

        set uuid 0c6420fa-547c-51ed-2ea9-ec6c14a37679

        set allow-routing enable

        set subnet 192.168.2.0 255.255.255.0

    next

    edit "To-HO_local_subnet_2" <---

        set uuid 0c6990b2-547c-51ed-3469-5d282a92059e

        set allow-routing enable

        set subnet 10.10.10.0 255.255.255.0

    next

    edit "To-HO_remote_subnet_1" <---

        set uuid 0c9c0754-547c-51ed-7da1-3a1944314334

        set allow-routing enable

        set subnet 192.168.1.0 255.255.255.0

    next

end

 

# config firewall addrgrp

    edit "To-HO_local" <---

        set uuid 0c6f6d98-547c-51ed-e863-e9aec3dc7182

        set member "To-HO_local_subnet_1" "To-HO_local_subnet_2" <---

        set comment "VPN: To-HO (Created by VPN wizard)" <---

        set allow-routing enable

    next

    edit "To-HO_remote" <---

        set uuid 0ca1b190-547c-51ed-f62e-d296247a9edc

        set member "To-HO_remote_subnet_1" <---

        set comment "VPN: To-HO (Created by VPN wizard)" <---

        set allow-routing enable

    next

    edit "IPSec-Dailup_split"

        set uuid 26b64874-54a0-51ed-9c6f-bb6c2c8d2de9

        set member "To-HO_local_subnet_1" "To-HO_remote_subnet_1" <---

        set comment "VPN: IPSec-Dailup (Created by VPN wizard)"

    next

end

 

# config vpn ipsec phase1-interface

    edit "To-HO" <---

        set interface "port3"

        set peertype any

        set net-device disable

        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1

        set comments "VPN: To-HO (Created by VPN wizard)" <---

        set wizard-type static-fortigate

        set remote-gw 172.16.1.1

        set psksecret ENC A3Ww0ZaJ6uc1Z7Qt2xhQOqmEOKpig4y/mKBGQNFRHAa0n5UMfHnz3bzAS4vp9naTCRt3Hj9R042XEvYmkXEDWfOLZSwo3kwVH6+kn9RfnolauTTcQXc80TXk7sYGFUvAkPuc9GHNOW/XGO5MWeWAXnEEcTZ14cV7mNojsdfNrwOQhxgCV3uDWUUB6fspRN1aOwlyLA==

    next

end

 

# config vpn ipsec phase2-interface

    edit "To-HO" <---

        set phase1name "To-HO" <---

        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305

        set comments "VPN: To-HO (Created by VPN wizard)" <---

        set src-addr-type name

        set dst-addr-type name

        set src-name "To-HO_local" <---

        set dst-name "To-HO_remote" <---

    next

end

 

# config firewall policy

    edit 2

        set name "vpn_To-HO_local_0" <---

        set uuid 0cb9ed8c-547c-51ed-fc8f-266ec53018c0

        set srcintf "port2"

        set dstintf "To-HO" <---

        set action accept

        set srcaddr "To-HO_local" <---

        set dstaddr "To-HO_remote" <---

        set schedule "always"

        set service "ALL"

        set comments "VPN: To-HO (Created by VPN wizard)" <---

    next

    edit 3

        set name "vpn_To-HO_remote_0" <---

        set uuid 0cc1921c-547c-51ed-041c-db5cc294f879

        set srcintf "To-HO" <---

        set dstintf "port2"

        set action accept

        set srcaddr "To-HO_remote" <---

        set dstaddr "To-HO_local" <---

        set schedule "always"

        set service "ALL"

        set comments "VPN: To-HO (Created by VPN wizard)" <---

    next

    edit 4

        set name "vpn_IPSec-Dailup_TO-Branch"

        set uuid 26d1f452-54a0-51ed-50c6-0561c12b094e

        set srcintf "IPSec-Dailup"

        set dstintf "port2"

        set action accept

        set srcaddr "IPSec-Dailup_range"

        set dstaddr "To-HO_local_subnet_1" "To-HO_remote_subnet_1" <---

        set schedule "always"

        set service "ALL"

        set nat enable

        set groups "IPSecUser"

        set comments "VPN: IPSec-Dailup (Created by VPN wizard)"

    next

    edit 5

        set name "vpn_IPSec-Dailup_TO-HO"

        set uuid 13924fb2-54a1-51ed-7022-bf38b9b0a543

        set srcintf "IPSec-Dailup"

        set dstintf "To-HO" <---

        set action accept

        set srcaddr "IPSec-Dailup_range"

        set dstaddr "To-HO_remote_subnet_1" <---

        set schedule "always"

        set service "ALL"

        set comments "VPN: IPSec-Dailup (Created by VPN wizard) (Copy of vpn_IPSec-Dailup_remote_0)"

    next

    edit 6

        set name "SSL VPN"

        set uuid 20a2be9c-561a-51ed-97f6-fb547395f06b

        set srcintf "ssl.root"

        set dstintf "port2"

        set action accept

        set srcaddr "all"

        set dstaddr "To-HO_local_subnet_1" <---

        set schedule "always"

        set service "ALL"

        set nat enable

        set groups "VPN-group"

    next

end

 

# config router static

    edit 2

        set device "To-HO" <---

        set comment "VPN: To-HO (Created by VPN wizard)" <---

        set dstaddr "To-HO_remote" <---

    next

    edit 3

        set distance 254

        set comment "VPN: To-HO (Created by VPN wizard)" <---

        set blackhole enable

        set dstaddr "To-HO_remote" <---

    next

end

 

Branch-FW #

 

******************************Branch Dialup connection*****************************

 

Branch-FW # sh | grep -f "IPSec-Dailup"

# config system interface

    edit "IPSec-Dailup" <---

        set vdom "root"

        set allowaccess fabric

        set type tunnel

        set snmp-index 16

        set interface "port4"

    next

end

 

# config firewall address

    edit "IPSec-Dailup_range" <---

        set uuid 26cb9d00-54a0-51ed-d404-1b1760c06cac

        set type iprange

        set comment "VPN: IPSec-Dailup (Created by VPN wizard)" <---

        set start-ip 10.10.10.1

        set end-ip 10.10.10.254

    next

end

 

# config firewall addrgrp

    edit "IPSec-Dailup_split" <---

        set uuid 26b64874-54a0-51ed-9c6f-bb6c2c8d2de9

        set member "To-HO_local_subnet_1" "To-HO_remote_subnet_1"

        set comment "VPN: IPSec-Dailup (Created by VPN wizard)" <---

    next

end

 

# config vpn ipsec phase1-interface

    edit "IPSec-Dailup" <---

        set type dynamic

        set interface "port4"

        set mode aggressive

        set peertype any

        set net-device disable

        set mode-cfg enable

        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1

        set comments "VPN: IPSec-Dailup (Created by VPN wizard)" <---

        set wizard-type dialup-forticlient

        set xauthtype auto

        set ipv4-start-ip 10.10.10.1

        set ipv4-end-ip 10.10.10.254

        set dns-mode auto

        set ipv4-split-include "IPSec-Dailup_split" <---

        set save-password enable

        set psksecret ENC mDIumK7IXxGoRjau5rAG1ZiirwntyAusnKSvhxStyYU2f9pRJmlFUfIQVT6vpKcRw1iBCHYIj/5UjssS/B1GmCD1bk/hN5iE0B0pOusZvIlmBcQEHmnIrqlGL2baamw7yiVJfCEgcUTjyuPovkTIo6Q2KuYY8NcsjwvDVupAgNhoBqNOnrNqMCoohzkUfI2zTuCV+Q==

    next

end

 

# config vpn ipsec phase2-interface

    edit "IPSec-Dailup" <---

        set phase1name "IPSec-Dailup" <---

        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305

        set comments "VPN: IPSec-Dailup (Created by VPN wizard)" <---

    next

end

 

# config firewall policy

    edit 4

        set name "vpn_IPSec-Dailup_TO-Branch" <---

        set uuid 26d1f452-54a0-51ed-50c6-0561c12b094e

        set srcintf "IPSec-Dailup" <---

        set dstintf "port2"

        set action accept

        set srcaddr "IPSec-Dailup_range" <---

        set dstaddr "To-HO_local_subnet_1" "To-HO_remote_subnet_1"

        set schedule "always"

        set service "ALL"

        set nat enable

        set groups "IPSecUser"

        set comments "VPN: IPSec-Dailup (Created by VPN wizard)" <---

    next

    edit 5

        set name "vpn_IPSec-Dailup_TO-HO" <---

        set uuid 13924fb2-54a1-51ed-7022-bf38b9b0a543

        set srcintf "IPSec-Dailup" <---

        set dstintf "To-HO"

        set action accept

        set srcaddr "IPSec-Dailup_range" <---

        set dstaddr "To-HO_remote_subnet_1"

        set schedule "always"

        set service "ALL"

        set comments "VPN: IPSec-Dailup (Created by VPN wizard) (Copy of vpn_IPSec-Dailup_remote_0)" <---

    next

end

 

Branch-FW #
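The configuration above depends on two selector facts that are easy to lose when the tunnels are later edited by hand: the dialup pool 10.10.10.0/24 is a member of the branch's local group "To-HO_local" (phase2 src-name), and of the HO's remote group "To-Branch_remote" (phase2 dst-name). Because branch policy 5 (IPSec-Dailup to To-HO) does not NAT, the HO sees the client's 10.10.10.x source address, so if either selector omits the pool the traffic never enters the site-to-site tunnel or is dropped at the far end. The following Python script is an added example, not code from the article or from Fortinet: it parses FortiOS "show" output with a minimal parser and confirms the pool handed out by the dialup phase1 (ipv4-start-ip/ipv4-end-ip) is covered at both ends. The two config strings are constructed excerpts of the article's own objects; parse_fortios, expand, dialup_pool, covered and check_dialup_over_s2s are names chosen for this example.

```python
import ipaddress
import shlex

# Constructed excerpts of the two FortiOS configs in the article, trimmed to the
# objects this check reads (names and subnets are the article's).
BRANCH = """
config firewall address
    edit "To-HO_local_subnet_1"
        set subnet 192.168.2.0 255.255.255.0
    next
    edit "To-HO_local_subnet_2"
        set subnet 10.10.10.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "To-HO_local"
        set member "To-HO_local_subnet_1" "To-HO_local_subnet_2"
    next
end
config vpn ipsec phase1-interface
    edit "IPSec-Dailup"
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.254
    next
end
config vpn ipsec phase2-interface
    edit "To-HO"
        set src-name "To-HO_local"
    next
end
"""
HO = """
config firewall address
    edit "To-Branch_remote_subnet_1"
        set subnet 192.168.2.0 255.255.255.0
    next
    edit "To-Branch_remote_subnet_2"
        set subnet 10.10.10.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "To-Branch_remote"
        set member "To-Branch_remote_subnet_1" "To-Branch_remote_subnet_2"
    next
end
config vpn ipsec phase2-interface
    edit "To-Branch"
        set dst-name "To-Branch_remote"
    next
end
"""

def parse_fortios(text):
    """Minimal parser for flat FortiOS 'show' output: {table: {entry: {key: [values]}}}."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            table = tables.setdefault(line[7:], {})
        elif line.startswith("edit "):
            entry = table.setdefault(shlex.split(line[5:])[0], {})
        elif line.startswith("set "):
            key, *values = shlex.split(line[4:])
            entry[key] = values
        elif line == "next":
            entry = None
        elif line == "end":
            table = None
    return tables

def expand(cfg, name):
    """Resolve a firewall address or address-group name into IPv4 networks."""
    if name in cfg["firewall address"]:
        net, mask = cfg["firewall address"][name]["subnet"]
        return [ipaddress.ip_network(f"{net}/{mask}")]
    return [n for m in cfg["firewall addrgrp"][name]["member"] for n in expand(cfg, m)]

def dialup_pool(cfg, phase1):
    """Networks covering the mode-config pool the dialup phase1 hands to clients."""
    p1 = cfg["vpn ipsec phase1-interface"][phase1]
    start, end = (ipaddress.ip_address(p1[k][0]) for k in ("ipv4-start-ip", "ipv4-end-ip"))
    return list(ipaddress.summarize_address_range(start, end))

def covered(pool, selectors):
    """True when every pool network lies inside some phase2 selector network."""
    return all(any(p.subnet_of(s) for s in selectors) for p in pool)

def check_dialup_over_s2s(branch, ho, dialup="IPSec-Dailup", branch_p2="To-HO", ho_p2="To-Branch"):
    """Branch must carry the pool as a local (src) selector, HO as a remote (dst)
    selector; otherwise dialup traffic never rides the site-to-site tunnel."""
    pool = dialup_pool(branch, dialup)
    branch_sel = expand(branch, branch["vpn ipsec phase2-interface"][branch_p2]["src-name"][0])
    ho_sel = expand(ho, ho["vpn ipsec phase2-interface"][ho_p2]["dst-name"][0])
    return {"branch_src_selector_covers_pool": covered(pool, branch_sel),
            "ho_dst_selector_covers_pool": covered(pool, ho_sel)}

if __name__ == "__main__":
    print(check_dialup_over_s2s(parse_fortios(BRANCH), parse_fortios(HO)))
```

Run it against the text of "show" from each firewall (the full output works, since the parser ignores tables it does not read). Any False means the corresponding address group lost the pool entry; the fix is to add the 10.10.10.0/24 address object back to that group, which the VPN wizard did originally.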

 

*********************Verification from firewall by capturing packet************************

 

HO-FW # diagnose sniffer packet any 'host 192.168.1.2 and icmp' 4 0 l

Using Original Sniffing Mode

interfaces=[any]

filters=[host 192.168.1.2 and icmp]

2022-11-01 13:24:10.656066 To-Branch in 10.10.10.1 -> 192.168.1.2: icmp: echo request

2022-11-01 13:24:10.656091 port2 out 10.10.10.1 -> 192.168.1.2: icmp: echo request

2022-11-01 13:24:10.656865 port2 in 192.168.1.2 -> 10.10.10.1: icmp: echo reply

2022-11-01 13:24:10.656878 To-Branch out 192.168.1.2 -> 10.10.10.1: icmp: echo reply

2022-11-01 13:24:11.667286 To-Branch in 10.10.10.1 -> 192.168.1.2: icmp: echo request

2022-11-01 13:24:11.667307 port2 out 10.10.10.1 -> 192.168.1.2: icmp: echo request

2022-11-01 13:24:11.667658 port2 in 192.168.1.2 -> 10.10.10.1: icmp: echo reply

2022-11-01 13:24:11.667665 To-Branch out 192.168.1.2 -> 10.10.10.1: icmp: echo reply

 

Branch-FW # diagnose sniffer packet any 'host 192.168.1.2 and icmp' 4 0 l

Using Original Sniffing Mode

interfaces=[any]

filters=[host 192.168.1.2 and icmp]

2022-11-01 13:24:10.627641 IPSec-Dailup in 10.10.10.1 -> 192.168.1.2: icmp: echo request

2022-11-01 13:24:10.627665 To-HO out 10.10.10.1 -> 192.168.1.2: icmp: echo request

2022-11-01 13:24:10.628787 To-HO in 192.168.1.2 -> 10.10.10.1: icmp: echo reply

2022-11-01 13:24:10.628796 IPSec-Dailup out 192.168.1.2 -> 10.10.10.1: icmp: echo reply

2022-11-01 13:24:11.638929 IPSec-Dailup in 10.10.10.1 -> 192.168.1.2: icmp: echo request

2022-11-01 13:24:11.638954 To-HO out 10.10.10.1 -> 192.168.1.2: icmp: echo request

2022-11-01 13:24:11.639510 To-HO in 192.168.1.2 -> 10.10.10.1: icmp: echo reply

2022-11-01 13:24:11.639516 IPSec-Dailup out 192.168.1.2 -> 10.10.10.1: icmp: echo reply
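Reading the two captures by eye confirms the path: on the branch the request enters on IPSec-Dailup and leaves on To-HO with the client's 10.10.10.1 source intact, and on the HO it enters on To-Branch and leaves on port2. The following Python script is an added example, not code from the article or from Fortinet, that performs the same check mechanically on verbosity-4 "diagnose sniffer packet" lines: each echo request must enter on the expected ingress interface and leave on the expected egress with addresses unchanged, replies must take the reverse path, and every packet that entered must also have left. A problem in the first category points at a policy matching the wrong interface pair, in the second at NAT rewriting the client address, and in the third at a missing policy or route. The sample lines are copied from the branch capture above; parse_capture and check_path are names chosen for this example.

```python
import re
from collections import Counter

# Sample lines copied from the branch firewall capture in the article, in the
# format that 'diagnose sniffer packet any <filter> 4' prints:
# timestamp, interface, direction, src -> dst, protocol detail.
BRANCH_CAPTURE = """\
2022-11-01 13:24:10.627641 IPSec-Dailup in 10.10.10.1 -> 192.168.1.2: icmp: echo request
2022-11-01 13:24:10.627665 To-HO out 10.10.10.1 -> 192.168.1.2: icmp: echo request
2022-11-01 13:24:10.628787 To-HO in 192.168.1.2 -> 10.10.10.1: icmp: echo reply
2022-11-01 13:24:10.628796 IPSec-Dailup out 192.168.1.2 -> 10.10.10.1: icmp: echo reply
"""

LINE = re.compile(
    r"^(\S+ \S+) (\S+) (in|out) (\S+) -> (\S+): icmp: echo (request|reply)$"
)

def parse_capture(text):
    """Return (timestamp, interface, direction, src, dst, kind) per ICMP echo line."""
    return [m.groups() for m in map(LINE.match, text.splitlines()) if m]

def check_path(capture, ingress, egress, client, server):
    """Verify the dialup client's pings cross the firewall on the expected
    interface pair with addresses unchanged: requests enter on `ingress` and
    leave on `egress`, replies do the reverse. Returns the packet count and a
    list of human-readable problems (empty when the path matches)."""
    expected_iface = {
        ("request", "in"): ingress, ("request", "out"): egress,
        ("reply", "in"): egress, ("reply", "out"): ingress,
    }
    seen, problems = Counter(), []
    for ts, iface, direction, src, dst, kind in parse_capture(capture):
        seen[(kind, direction)] += 1
        want = expected_iface[(kind, direction)]
        if iface != want:
            problems.append(f"{ts}: echo {kind} {direction} on {iface}, expected {want}")
        addrs = (client, server) if kind == "request" else (server, client)
        if (src, dst) != addrs:
            problems.append(f"{ts}: echo {kind} {src} -> {dst}, expected "
                            f"{addrs[0]} -> {addrs[1]} (NAT on the policy?)")
    # Each packet that entered should also have left; a shortfall means the
    # firewall dropped it (no matching policy or route) instead of forwarding it.
    for kind in ("request", "reply"):
        if seen[(kind, "in")] != seen[(kind, "out")]:
            problems.append(f"echo {kind}: {seen[(kind, 'in')]} in, {seen[(kind, 'out')]} out")
    return {"packets": sum(seen.values()), "problems": problems}

if __name__ == "__main__":
    print(check_path(BRANCH_CAPTURE, "IPSec-Dailup", "To-HO", "10.10.10.1", "192.168.1.2"))
```

For the HO capture call check_path with ingress "To-Branch" and egress "port2"; the client and server addresses are the same, because no NAT is applied on the tunnel-to-tunnel policy at the branch.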

 

Related articles:

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/45836/ssl-vpn-to-ipsec-vpn

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Dialup-IPsec-traffic-forwarding-to-site-to...