FortiGate
Wallerson
Staff
Article Id 247153
Description This article describes how to move a dial-up IPsec VPN (DialUp) interface, together with the LAN it serves, from the default VRF (VRF 0) to another VRF.
Scope

FortiGate v7.0+.

FortiClient v7.0+.

Solution

In this example, the DialUp tunnel interface and the LAN interface both belong to the default VRF (VRF 0). Both interfaces will be moved to VRF 3. The WAN interface that the tunnel is bound to stays in VRF 0: only the tunnel interface and the LAN interface change VRF, while IKE and ESP traffic still terminates on the WAN interface in VRF 0.

 

The DialUp VPN is already configured and working. VPN users can reach the LAN behind port3:

 

Port4 -> WAN interface.

DialUp -> dial-up VPN tunnel interface, bound to the WAN interface (port4).

Port3 -> LAN interface.

 

FGT-VM04 (root) # get router info routing-table database
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
> - selected route, * - FIB route, p - stale info

Routing table for VRF=0
S *> 10.213.13.1/32 [15/0] via DialUp tunnel 10.213.13.1, [1/0]
C *> 10.255.255.1/32 is directly connected, loopback_0
C *> 192.168.1.0/24 is directly connected, port4
C *> 192.168.6.0/24 is directly connected, port3
C *> 192.168.74.0/24 is directly connected, port1
C *> 192.168.75.0/24 is directly connected, port10

 

Change the VRF ID on each interface:

 

1) DialUP interface:

 

# config system interface
     edit "DialUp"
        set vdom "root"
        set vrf 3
        set allowaccess fabric
        set type tunnel
        set snmp-index 15
        set interface "port4"
     next
end

 

2) LAN interface:

 

# config system interface
     edit "port3"
        set vdom "root"
        set vrf 3
        set ip 192.168.6.1 255.255.255.0
        set allowaccess ping https
        set type physical
        set alias "SERVERS"
        set snmp-index 3
     next
end

 

3) When the user connects to the VPN via FortiClient, the routing-table shows the following:

 

FGT-VM04 (root) # get router info routing-table database
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
> - selected route, * - FIB route, p - stale info

Routing table for VRF=0
C *> 10.255.255.1/32 is directly connected, loopback_0
C *> 192.168.1.0/24 is directly connected, port4
C *> 192.168.74.0/24 is directly connected, port1
C *> 192.168.75.0/24 is directly connected, port10

Routing table for VRF=3
S *> 10.213.13.1/32 [15/0] via DialUp tunnel 10.213.13.1, [1/0]
C *> 192.168.6.0/24 is directly connected, port3

 

DialUp and port3 are now members of the same VRF (VRF 3), and the /32 route for the client address is installed in that VRF rather than in VRF 0. 10.213.13.1 is the IP address assigned to the FortiClient user. Because FortiOS keeps a separate routing table per VRF, VPN clients in VRF 3 can reach 192.168.6.0/24 on port3 but no longer have a route to the networks that remain in VRF 0 (port1, port4 and port10 here); any other network the clients must reach has to be moved into VRF 3 as well. The firewall policy from DialUp to port3 is unaffected because both interfaces are in the same VRF; if only one of the two interfaces is moved, the client route and the LAN route end up in different tables and VPN users lose access to the LAN.
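A quick way to confirm that the migration is complete is to check that the tunnel route and the LAN's connected route land in the same VRF of the routing-table output. The script below is an added example, not part of the article or of any Fortinet tool: it parses the `get router info routing-table database` format shown above and flags a half-finished move (tunnel in VRF 3, LAN still in VRF 0). The two sample outputs are constructed from the article's "after" table and an assumed partial-migration state; the interface names DialUp and port3 are the ones used in this article.

```python
import re
from collections import defaultdict

# Constructed sample: the "after" routing table from the article (VRF 0 and VRF 3).
SAMPLE_AFTER = """\
Routing table for VRF=0
C *> 10.255.255.1/32 is directly connected, loopback_0
C *> 192.168.1.0/24 is directly connected, port4
C *> 192.168.74.0/24 is directly connected, port1
C *> 192.168.75.0/24 is directly connected, port10

Routing table for VRF=3
S *> 10.213.13.1/32 [15/0] via DialUp tunnel 10.213.13.1, [1/0]
C *> 192.168.6.0/24 is directly connected, port3
"""

# Constructed sample (assumed): DialUp moved to VRF 3 but port3 left behind in VRF 0.
SAMPLE_PARTIAL = """\
Routing table for VRF=0
C *> 192.168.1.0/24 is directly connected, port4
C *> 192.168.6.0/24 is directly connected, port3

Routing table for VRF=3
S *> 10.213.13.1/32 [15/0] via DialUp tunnel 10.213.13.1, [1/0]
"""

VRF_HDR = re.compile(r"^Routing table for VRF=(\d+)\s*$")
# Connected route: "C *> <prefix> is directly connected, <interface>"
CONNECTED = re.compile(r"^C\s+\*?>?\s*(\S+) is directly connected, (\S+)")
# Dial-up client route: "S *> <prefix> [dist/metric] via <tunnel-if> tunnel <peer>, ..."
TUNNEL = re.compile(r"^S\s+\*?>?\s*(\S+)\s+\[\d+/\d+\]\s+via\s+(\S+)\s+tunnel\s+([^,\s]+)")


def parse_routes(text):
    """Return {vrf_id: [(kind, prefix, interface), ...]} from the CLI output.

    Lines before the first 'Routing table for VRF=' header (the code legend) are ignored.
    """
    routes = defaultdict(list)
    vrf = None
    for line in text.splitlines():
        m = VRF_HDR.match(line)
        if m:
            vrf = int(m.group(1))
            continue
        if vrf is None:
            continue
        m = CONNECTED.match(line)
        if m:
            routes[vrf].append(("connected", m.group(1), m.group(2)))
            continue
        m = TUNNEL.match(line)
        if m:
            routes[vrf].append(("tunnel", m.group(1), m.group(2)))
    return dict(routes)


def interface_vrf(routes):
    """Map every interface that appears in the table to the VRF whose table it is in."""
    return {iface: vrf for vrf, entries in routes.items() for _, _, iface in entries}


def check_vpn_vrf(text, tunnel_iface, lan_iface):
    """Return (ok, detail). ok is True only when both interfaces sit in the same VRF."""
    vrf_of = interface_vrf(parse_routes(text))
    t_vrf, l_vrf = vrf_of.get(tunnel_iface), vrf_of.get(lan_iface)
    if t_vrf is None:
        # No client route: no user connected yet, or the tunnel name is wrong.
        return False, f"no route via {tunnel_iface} found (is a client connected?)"
    if l_vrf is None:
        return False, f"no connected route on {lan_iface} found"
    if t_vrf != l_vrf:
        return False, (f"{tunnel_iface} is in VRF {t_vrf} but {lan_iface} is in VRF {l_vrf}; "
                       f"VPN clients cannot reach the LAN")
    return True, f"{tunnel_iface} and {lan_iface} both in VRF {t_vrf}"


if __name__ == "__main__":
    for name, sample in (("after", SAMPLE_AFTER), ("partial", SAMPLE_PARTIAL)):
        ok, detail = check_vpn_vrf(sample, "DialUp", "port3")
        print(f"{name}: {'OK' if ok else 'FAIL'} - {detail}")
```

Paste the real output of `get router info routing-table database` in place of the sample while a FortiClient user is connected; the client /32 is only present in the table during a session, so the check deliberately fails when no client route exists rather than reporting success.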
