# IPsec dial-up VPN server (the device the clients below connect to as "VPN_Server").
# Interfaces: port1 is the WAN-facing side, port5 the LAN side.
# config system interface
edit "port1"
set vdom "root"
set ip 10.56.241.43 255.255.252.0
# NOTE(review): administrative access, including plain http, is enabled on the wan-role
# interface; a deployment should limit this to what it needs (https/ssh, trusted hosts)
# rather than copying the lab value.
set allowaccess ping https ssh http
set alias "WAN"
set role wan
next
edit "port5"
set vdom "root"
set ip 10.91.1.43 255.255.240.0
set allowaccess ping https ssh http
set alias "LAN_Port5"
set role lan
next
end
# Step: Configure a static default route to the internet.
# Default route out of port1 via the upstream gateway (no "set dst" given, so the
# route covers 0.0.0.0/0 as the step title states).
# config router static
edit 1
set gateway 10.56.243.254
set device "port1"
next
end
# Step: Create user accounts for the dial-up VPN clients and add the user accounts to a user group.
# Local users the dial-up clients authenticate as: each client presents its username as
# the IKE local ID and the user's password as the pre-shared key (see the client phase1
# configurations, where localid/psksecret carry these same values).
# Example credentials from the article; replace them with strong, unique values before use.
# config user local
edit "client1"
set type password
set passwd fortinet
next
edit "client2"
set type password
set passwd password
next
end
# Step: Create an address object for the LAN subnet.
# Group that the phase1 "usrgrp" setting refers to; only members can bring up a dial-up tunnel.
# config user group
edit "Dial-Up-VPN_FortiGates"
set member "client1" "client2"
next
end
# Address object for the server's LAN behind port5 (same prefix as the port5 address above),
# used as srcaddr/dstaddr in the firewall policies.
# config firewall address
edit "LAN_Port5"
set subnet 10.91.0.0 255.255.240.0
next
end
# Step: Create the IPsec VPN phase1 interface.
# Dial-up phase1 on port1: "type dynamic" / "peertype dialup" accept clients with any source
# address; callers are identified by their peer ID, which must belong to the user group
# named in "usrgrp".
# config vpn ipsec phase1-interface
edit "FGT_Dial-Up"
set type dynamic
set interface "port1"
# NOTE(review): IKEv1 aggressive mode is used here so the client's ID can be matched
# against the user group; it sends the identities before encryption is established.
# If the clients support it, consider IKEv2 ("set ike-version 2") instead — confirm that
# the dial-up/user-group matching used here is available in that mode for your release.
set mode aggressive
set peertype dialup
set net-device enable
# Proposal list includes sha1 variants; drop them if every client can negotiate sha256.
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
# "VPN_Server" is what the clients configure as peerid.
set localid "VPN_Server"
# Dead peer detection: on-idle mode, 60 s retry interval.
set dpd on-idle
set usrgrp "Dial-Up-VPN_FortiGates"
set dpd-retryinterval 60
next
end
# Step: Create the IPsec VPN phase2 interface.
# Phase2 selectors: the server's LAN (10.91.0.0/20) to any remote subnet, since the dial-up
# clients' LAN prefixes are not known to the server in advance.
# config vpn ipsec phase2-interface
edit "FGT_Dial-Up-VPN"
set phase1name "FGT_Dial-Up"
# Wide proposal list (CBC+HMAC, GCM and ChaCha20-Poly1305) so any of the clients' choices match.
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set keepalive enable
set src-subnet 10.91.0.0 255.255.240.0 <----- Local subnet.
set dst-subnet 0.0.0.0 0.0.0.0 <----- Remote subnet (any).
next
end
# Step: Create IPv4 outbound and inbound policies for the IPsec VPN.
# Although a route-based IPsec tunnel has been created, it is not necessary to add a
# static route on the server, because it is a dialup VPN.
# Policies between the LAN (port5) and the dial-up tunnel interface, both directions.
# NOTE(review): service "ALL" and dstaddr/srcaddr "all" are the lab-wide-open values;
# narrow them to the services and client subnets actually required once the tunnel is verified.
# config firewall policy
edit 1
set name "to_FGT_Dial-Up_clients"
set srcintf "port5"
set dstintf "FGT_Dial-Up"
set srcaddr "LAN_Port5"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 2
set name "from_FGT_Dial-Up_clients"
set srcintf "FGT_Dial-Up"
set dstintf "port5"
set srcaddr "all"
set dstaddr "LAN_Port5"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
end
# IPsec dial-up VPN client 1 (authenticates as user "client1").
# Interfaces: port1 is the WAN-facing side, port6 the LAN side.
# config system interface
edit "port1"
set vdom "root"
set ip 10.56.245.44 255.255.252.0
# NOTE(review): admin access including plain http on the wan-role interface — lab value,
# restrict in a real deployment.
set allowaccess ping https ssh http
set alias "WAN"
set role wan
next
edit "port6"
set vdom "root"
set ip 10.92.1.43 255.255.240.0
set allowaccess ping https ssh http
set alias "LAN_Port6"
set role lan
next
end
# Step: Configure a static route to the internet.
# Default route out of port1; the VPN server's address (10.56.241.43) is reached this way.
# config router static
edit 1
set gateway 10.56.247.254
set device "port1"
next
end
# Step: Create address objects for the LAN subnet and the VPN server's LAN subnet.
# Local LAN behind port6 and the server's LAN (10.91.0.0/20, the server's port5 subnet),
# referenced by the firewall policies below.
# config firewall address
edit "LAN_Port6"
set subnet 10.92.0.0 255.255.240.0
next
edit "VPN_Server_LAN"
set subnet 10.91.0.0 255.255.240.0
next
end
# Step: Create the IPsec VPN phase1 interface.
# Phase1 toward the server: remote-gw is the server's port1 address, peerid must match the
# server's localid, and localid/psksecret carry the username and password of the server-side
# local user "client1".
# config vpn ipsec phase1-interface
edit "VPN_Server"
set interface "port1"
# NOTE(review): IKEv1 aggressive mode (required on the client to match the server's setting);
# identities are exchanged before encryption is established — see the note on the server side.
set mode aggressive
set peertype one
set net-device enable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set localid "client1" <----- This is the username defined on the VPN Server.
set remote-gw 10.56.241.43
set peerid "VPN_Server" <----- This is the localid of the VPN Server.
# Example value; this is the password of user "client1" on the server. Replace before use.
set psksecret fortinet
next
end
# Phase2 selectors: local LAN (port6 subnet) to the server's LAN. "auto-negotiate" brings
# the tunnel up from the client side without waiting for traffic.
# config vpn ipsec phase2-interface
edit "VPN_Server"
set phase1name "VPN_Server"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set auto-negotiate enable
set src-subnet 10.92.0.0 255.255.240.0 <----- Local subnet.
set dst-subnet 10.91.0.0 255.255.240.0 <----- Remote subnet (VPN server LAN subnet).
next
end
# Step: Create IPv4 outbound and inbound policies for the IPsec VPN.
# Policies between the local LAN (port6) and the tunnel interface, both directions, scoped to
# the two address objects. NOTE(review): service "ALL" is the lab value; narrow it to the
# required services once the tunnel is verified.
# config firewall policy
edit 1
set name "to_VPN_Server"
set srcintf "port6"
set dstintf "VPN_Server"
set srcaddr "LAN_Port6"
set dstaddr "VPN_Server_LAN"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 2
set name "from_VPN_Server"
set srcintf "VPN_Server"
set dstintf "port6"
set srcaddr "VPN_Server_LAN"
set dstaddr "LAN_Port6"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
end
# Step: Create a static route to the VPN server's LAN subnet.
# Route to the server's LAN through the tunnel interface (matches the phase2 dst-subnet).
# config router static
edit 2
set dst 10.91.0.0 255.255.240.0
set device "VPN_Server"
next
end
# IPsec dial-up VPN client 2 configuration.
# IPsec dial-up VPN client 2 (authenticates as user "client2"); same layout as client 1 with
# port7 as the LAN side.
# config system interface
edit "port1"
set vdom "root"
set ip 10.57.245.44 255.255.252.0
# NOTE(review): admin access including plain http on the wan-role interface — lab value,
# restrict in a real deployment.
set allowaccess ping https ssh http
set alias "WAN"
set role wan
next
edit "port7"
set vdom "root"
set ip 10.93.1.43 255.255.240.0
set allowaccess ping https ssh http
set alias "LAN_Port7"
set role lan
next
end
# Step: Configure a static route to the internet.
# Default route out of port1.
# config router static
edit 1
set gateway 10.57.247.254
set device "port1"
next
end
# Step: Create address objects for the LAN subnet and the VPN server's LAN subnet.
# Local LAN behind port7 and the server's LAN (10.91.0.0/20).
# config firewall address
edit "LAN_Port7"
set subnet 10.93.0.0 255.255.240.0
next
edit "VPN_Server_LAN"
set subnet 10.91.0.0 255.255.240.0
next
end
# Step: Create the IPsec VPN phase1 interface.
# Phase1 toward the server, identical to client 1 except for the identity: localid/psksecret
# carry the username and password of the server-side local user "client2".
# config vpn ipsec phase1-interface
edit "VPN_Server"
set interface "port1"
# NOTE(review): IKEv1 aggressive mode; identities are exchanged before encryption is
# established — see the note on the server side.
set mode aggressive
set peertype one
set net-device enable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set localid "client2" <----- This is the username defined on the VPN Server.
set remote-gw 10.56.241.43
set peerid "VPN_Server" <----- This is the localid of the VPN Server.
# Example value; this is the password of user "client2" on the server. Replace before use.
set psksecret password
next
end
# Step: Create the IPsec VPN phase2 interface.
# Phase2 selectors: local LAN (port7 subnet) to the server's LAN.
# config vpn ipsec phase2-interface
edit "VPN_Server"
set phase1name "VPN_Server"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set auto-negotiate enable
set src-subnet 10.93.0.0 255.255.240.0 <----- Local subnet.
set dst-subnet 10.91.0.0 255.255.240.0 <----- Remote subnet (VPN server LAN subnet).
next
end
# Step: Create IPv4 outbound and inbound policies for the IPsec VPN.
# Policies between the local LAN (port7) and the tunnel interface, both directions.
# NOTE(review): service "ALL" is the lab value; narrow it once the tunnel is verified.
# config firewall policy
edit 1
set name "to_VPN_Server"
set srcintf "port7"
set dstintf "VPN_Server"
set srcaddr "LAN_Port7"
set dstaddr "VPN_Server_LAN"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 2
set name "from_VPN_Server"
set srcintf "VPN_Server"
set dstintf "port7"
set srcaddr "VPN_Server_LAN"
set dstaddr "LAN_Port7"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
end
# Step: Create a static route to the VPN server's LAN subnet.
# Route to the server's LAN through the tunnel interface (matches the phase2 dst-subnet).
# config router static
edit 2
set dst 10.91.0.0 255.255.240.0
set device "VPN_Server"
next
end
# Step: Verification (the verification section itself is not shown here).