Description
This article describes how to configure multiple FortiGates as IPsec VPN Dial-Up clients when the FortiGates are not behind a NAT unit.
Topology.
Solution
VPN Server Configuration.
Configure Interfaces.
config system interface
edit "port1"
set vdom "root"
set ip 10.56.241.43 255.255.252.0
set allowaccess ping
set alias "WAN"
set role wan
next
edit "port5"
set vdom "root"
set ip 10.91.1.43 255.255.240.0
set allowaccess ping https ssh http
set alias "LAN_Port5"
set role lan
next
end
Configure a static default route to the internet.
This configuration may not be required in the environment if a default route to the internet is received dynamically.
config router static
edit 1
set gateway 10.56.243.254
set device "port1"
next
end
Create user accounts for the Dial-Up VPN Clients and add users accounts into a user group.
- The IPsec VPN client will use this account to establish Dial-Up IPsec VPN connection.
- The user group will be configured on the IPsec VPN Phase1 interface configuration.
config user local
edit "client1"
set type password
set passwd fortinet
next
edit "client2"
set type password
set passwd password
next
end
config user group
edit "Dial-Up-VPN_FortiGates"
set member "client1" "client2"
next
end
Create an address object for LAN subnet.
config firewall address
edit "LAN_Port5"
set subnet 10.91.0.0 255.255.240.0
next
end
Create IPsec VPN Phase1 interface.
config vpn ipsec phase1-interface
edit "FGT_Dial-Up"
set type dynamic
set interface "port1"
set mode aggressive
set peertype dialup
set net-device enable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set localid "VPN_Server"
set dpd on-idle
set usrgrp "Dial-Up-VPN_FortiGates"
set dpd-retryinterval 60
next
end
Create IPsec VPN Phase2 interface.
config vpn ipsec phase2-interface
edit "FGT_Dial-Up-VPN"
set phase1name "FGT_Dial-Up"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set keepalive enable
set src-subnet 10.91.0.0 255.255.240.0 <----- Local subnet.
set dst-subnet 0.0.0.0 0.0.0.0 <----- Remote subnet (any).
next
end
Create IPv4 outbound and inbound policies for IPsec VPN.
config firewall policy
edit 1
set name "to_FGT_Dial-Up_clients"
set srcintf "port5"
set dstintf "FGT_Dial-Up"
set srcaddr "LAN_Port5"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 2
set name "from_FGT_Dial-Up_clients"
set srcintf "FGT_Dial-Up"
set dstintf "port5"
set srcaddr "all"
set dstaddr "LAN_Port5"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
end
- Although a route-based IPsec tunnel has been created, it is not necessary to add a static route because it is a dialup VPN.
FortiGate will dynamically add or remove appropriate routes to each Dial-up peer, each time the peer's VPN is trying to connect.
IPSec Dial-Up VPN Client1 Configuration.
Configure Interfaces.
config system interface
edit "port1"
set vdom "root"
set ip 10.56.245.44 255.255.252.0
set allowaccess ping
set alias "WAN"
set role wan
next
edit "port6"
set vdom "root"
set ip 10.92.1.43 255.255.240.0
set allowaccess ping https ssh http
set alias "LAN_Port6"
set role lan
next
end
Configure a static route to the internet.
This configuration may not be required in the environment if a default route to the internet is received dynamically.
config router static
edit 1
set gateway 10.56.247.254
set device "port1"
next
end
Create an address object for LAN subnet and VPN server LAN subnet.
config firewall address
edit "LAN_Port6"
set subnet 10.92.0.0 255.255.240.0
next
edit "VPN_Server_LAN"
set subnet 10.91.0.0 255.255.240.0
next
end
Create IPsec VPN Phase1 interface.
config vpn ipsec phase1-interface
edit "VPN_Server"
set interface "port1"
set mode aggressive
set peertype one
set net-device enable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set localid "client1" <----- This is the username defined on the VPN Server.
set remote-gw 10.56.241.43
set peerid "VPN_Server" <----- This is the localid of the VPN Server.
set psksecret fortinet
next
end
Create IPsec VPN Phase2 interface.
config vpn ipsec phase2-interface
edit "VPN_Server"
set phase1name "VPN_Server"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set auto-negotiate enable
set src-subnet 10.92.0.0 255.255.240.0 <----- Local subnet.
set dst-subnet 10.91.0.0 255.255.240.0 <----- Remote subnet (VPN server LAN subnet).
next
end
Create IPv4 outbound and inbound policies for IPsec VPN.
config firewall policy
edit 1
set name "to_VPN_Server"
set srcintf "port6"
set dstintf "VPN_Server"
set srcaddr "LAN_Port6"
set dstaddr "VPN_Server_LAN"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 2
set name "from_VPN_Server"
set srcintf "VPN_Server"
set dstintf "port6"
set srcaddr "VPN_Server_LAN"
set dstaddr "LAN_Port6"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
end
Create a static route to VPN server LAN subnet.
config router static
edit 2
set dst 10.91.0.0 255.255.240.0
set device "VPN_Server"
next
end
IPSec Dial-Up VPN Client2 Configuration.
Configure Interfaces.
config system interface
edit "port1"
set vdom "root"
set ip 10.57.245.44 255.255.252.0
set allowaccess ping
set alias "WAN"
set role wan
next
edit "port7"
set vdom "root"
set ip 10.93.1.43 255.255.240.0
set allowaccess ping https ssh http
set alias "LAN_Port7"
set role lan
next
end
Configure a static route to the internet.
This configuration may not be required in the environment if a default route to the internet is received dynamically.
config router static
edit 1
set gateway 10.57.247.254
set device "port1"
next
end
Create an address object for LAN subnet and VPN server LAN subnet.
config firewall address
edit "LAN_Port7"
set subnet 10.93.0.0 255.255.240.0
next
edit "VPN_Server_LAN"
set subnet 10.91.0.0 255.255.240.0
next
end
Create IPsec VPN Phase1 interface.
config vpn ipsec phase1-interface
edit "VPN_Server"
set interface "port1"
set mode aggressive
set peertype one
set net-device enable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set localid "client2" <----- This is the username defined on the VPN Server.
set remote-gw 10.56.241.43
set peerid "VPN_Server" <----- This is the localid of the VPN Server.
set psksecret password
next
end
Create IPsec VPN Phase2 interface.
config vpn ipsec phase2-interface
edit "VPN_Server"
set phase1name "VPN_Server"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set auto-negotiate enable
set src-subnet 10.93.0.0 255.255.240.0 <----- Local subnet.
set dst-subnet 10.91.0.0 255.255.240.0 <----- Remote subnet (VPN server LAN subnet).
next
end
Create IPv4 outbound and inbound policies for IPsec VPN.
config firewall policy
edit 1
set name "to_VPN_Server"
set srcintf "port7"
set dstintf "VPN_Server"
set srcaddr "LAN_Port7"
set dstaddr "VPN_Server_LAN"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 2
set name "from_VPN_Server"
set srcintf "VPN_Server"
set dstintf "port7"
set srcaddr "VPN_Server_LAN"
set dstaddr "LAN_Port7"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
end
Create a static route to VPN server LAN subnet.
config router static
edit 2
set dst 10.91.0.0 255.255.240.0
set device "VPN_Server"
next
end
Verification.
From PC_B ping a host on the server LAN subnet. The ping is successful.
- On 'FortiGate-Dial-up_Client1' go to Monitor -> IPsec Monitor to view the IPsec tunnel status.
- On the 'FortiGate-Dial-up_Client1' CLI use the command 'diagnose vpn tunnel list' to view IPsec tunnel details.
- From PC_C ping a host on the server LAN subnet. The ping is successful.
- On 'FortiGate-Dial-up_Client2' go to Monitor -> IPsec Monitor to view the IPsec tunnel status.
- On the 'FortiGate-Dial-up_Client2' CLI use the command 'diagnose vpn tunnel list' to view IPsec tunnel details.
- From PC_A ping hosts on the Dial-Up client’s LAN subnet. The pings are successful.
- On 'FortiGate_VPN_Server' go to Monitor -> IPsec Monitor to view the IPsec VPN Dial-Up clients status.
- On the 'FortiGate_VPN_Server' CLI use the command 'diagnose vpn tunnel list' to view IPsec tunnel details.
