Created on 08-01-2021 10:44 PM Edited on 06-27-2024 05:44 AM By Jean-Philippe_P
Description
This article describes how to configure multiple FortiGates as IPsec VPN Dial-Up clients when the client FortiGates are not behind a NAT device. Each client authenticates with its own username and password from the VPN server's user group (the client's localid is the username and its psksecret is that user's password).
Topology.
Solution
VPN Server Configuration.
Configure Interfaces.
config system interface
edit "port1"
set vdom "root"
set ip 10.56.241.43 255.255.252.0
set allowaccess ping
set alias "WAN"
set role wan
next
edit "port5"
set vdom "root"
set ip 10.91.1.43 255.255.240.0
set allowaccess ping https ssh http
set alias "LAN_Port5"
set role lan
next
end
Configure a static default route to the internet.
This configuration may not be required in the environment if a default route to the internet is received dynamically.
config router static
edit 1
set gateway 10.56.243.254
set device "port1"
next
end
Create user accounts for the Dial-Up VPN clients and add the user accounts to a user group. The passwords shown here are sample values only; because each password is also used as the client's IPsec pre-shared key, use a strong, unique password per client in production.
config user local
edit "client1"
set type password
set passwd fortinet
next
edit "client2"
set type password
set passwd password
next
end
config user group
edit "Dial-Up-VPN_FortiGates"
set member "client1" "client2"
next
end
Create an address object for LAN subnet.
config firewall address
edit "LAN_Port5"
set subnet 10.91.0.0 255.255.240.0
next
end
Create the IPsec VPN Phase1 interface. Aggressive mode is used here so that each dial-up client's localid (its username) is available to the server to identify the peer; since the peer ID is exchanged before the tunnel is encrypted, strong per-client passwords are important.
config vpn ipsec phase1-interface
edit "FGT_Dial-Up"
set type dynamic
set interface "port1"
set mode aggressive
set peertype dialup
set net-device enable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set localid "VPN_Server"
set dpd on-idle
set usrgrp "Dial-Up-VPN_FortiGates"
set dpd-retryinterval 60
next
end
Create IPsec VPN Phase2 interface.
config vpn ipsec phase2-interface
edit "FGT_Dial-Up-VPN"
set phase1name "FGT_Dial-Up"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set keepalive enable
set src-subnet 10.91.0.0 255.255.240.0 <----- Local subnet.
set dst-subnet 0.0.0.0 0.0.0.0 <----- Remote subnet (any).
next
end
Create IPv4 outbound and inbound policies for the IPsec VPN. The example uses "all" for the dial-up side because Phase2 accepts any remote subnet; if the client LAN subnets are known, the policies can be narrowed to address objects for those subnets.
config firewall policy
edit 1
set name "to_FGT_Dial-Up_clients"
set srcintf "port5"
set dstintf "FGT_Dial-Up"
set srcaddr "LAN_Port5"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 2
set name "from_FGT_Dial-Up_clients"
set srcintf "FGT_Dial-Up"
set dstintf "port5"
set srcaddr "all"
set dstaddr "LAN_Port5"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
end
IPsec Dial-Up VPN Client1 Configuration.
Configure Interfaces.
config system interface
edit "port1"
set vdom "root"
set ip 10.56.245.44 255.255.252.0
set allowaccess ping
set alias "WAN"
set role wan
next
edit "port6"
set vdom "root"
set ip 10.92.1.43 255.255.240.0
set allowaccess ping https ssh http
set alias "LAN_Port6"
set role lan
next
end
Configure a static default route to the internet.
This configuration may not be required in the environment if a default route to the internet is received dynamically.
config router static
edit 1
set gateway 10.56.247.254
set device "port1"
next
end
Create address objects for the LAN subnet and the VPN server LAN subnet.
config firewall address
edit "LAN_Port6"
set subnet 10.92.0.0 255.255.240.0
next
edit "VPN_Server_LAN"
set subnet 10.91.0.0 255.255.240.0
next
end
Create IPsec VPN Phase1 interface.
config vpn ipsec phase1-interface
edit "VPN_Server"
set interface "port1"
set mode aggressive
set peertype one
set net-device enable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set localid "client1" <----- This must match the username defined on the VPN Server; the psksecret below must match that user's password.
set remote-gw 10.56.241.43
set peerid "VPN_Server" <----- This is the localid of the VPN Server.
set psksecret fortinet
next
end
Create IPsec VPN Phase2 interface.
config vpn ipsec phase2-interface
edit "VPN_Server"
set phase1name "VPN_Server"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set auto-negotiate enable
set src-subnet 10.92.0.0 255.255.240.0 <----- Local subnet.
set dst-subnet 10.91.0.0 255.255.240.0 <----- Remote subnet (VPN server LAN subnet).
next
end
Create IPv4 outbound and inbound policies for IPsec VPN.
config firewall policy
edit 1
set name "to_VPN_Server"
set srcintf "port6"
set dstintf "VPN_Server"
set srcaddr "LAN_Port6"
set dstaddr "VPN_Server_LAN"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 2
set name "from_VPN_Server"
set srcintf "VPN_Server"
set dstintf "port6"
set srcaddr "VPN_Server_LAN"
set dstaddr "LAN_Port6"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
end
Create a static route to VPN server LAN subnet.
config router static
edit 2
set dst 10.91.0.0 255.255.240.0
set device "VPN_Server"
next
end
IPsec Dial-Up VPN Client2 Configuration.
Configure Interfaces.
config system interface
edit "port1"
set vdom "root"
set ip 10.57.245.44 255.255.252.0
set allowaccess ping
set alias "WAN"
set role wan
next
edit "port7"
set vdom "root"
set ip 10.93.1.43 255.255.240.0
set allowaccess ping https ssh http
set alias "LAN_Port7"
set role lan
next
end
Configure a static default route to the internet.
This configuration may not be required in the environment if a default route to the internet is received dynamically.
config router static
edit 1
set gateway 10.57.247.254
set device "port1"
next
end
Create address objects for the LAN subnet and the VPN server LAN subnet.
config firewall address
edit "LAN_Port7"
set subnet 10.93.0.0 255.255.240.0
next
edit "VPN_Server_LAN"
set subnet 10.91.0.0 255.255.240.0
next
end
Create IPsec VPN Phase1 interface.
config vpn ipsec phase1-interface
edit "VPN_Server"
set interface "port1"
set mode aggressive
set peertype one
set net-device enable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set localid "client2" <----- This must match the username defined on the VPN Server; the psksecret below must match that user's password.
set remote-gw 10.56.241.43
set peerid "VPN_Server" <----- This is the localid of the VPN Server.
set psksecret password
next
end
Create IPsec VPN Phase2 interface.
config vpn ipsec phase2-interface
edit "VPN_Server"
set phase1name "VPN_Server"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set auto-negotiate enable
set src-subnet 10.93.0.0 255.255.240.0 <----- Local subnet.
set dst-subnet 10.91.0.0 255.255.240.0 <----- Remote subnet (VPN server LAN subnet).
next
end
Create IPv4 outbound and inbound policies for IPsec VPN.
config firewall policy
edit 1
set name "to_VPN_Server"
set srcintf "port7"
set dstintf "VPN_Server"
set srcaddr "LAN_Port7"
set dstaddr "VPN_Server_LAN"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 2
set name "from_VPN_Server"
set srcintf "VPN_Server"
set dstintf "port7"
set srcaddr "VPN_Server_LAN"
set dstaddr "LAN_Port7"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
end
Create a static route to VPN server LAN subnet.
config router static
edit 2
set dst 10.91.0.0 255.255.240.0
set device "VPN_Server"
next
end
Verification.
From PC_B (a host on a client LAN), ping a host on the VPN server LAN subnet. The ping should succeed once the tunnel is up.