Description
This article describes how to configure a dialup IPsec VPN so that the remote user's Internet traffic also goes through the tunnel and the FortiGate (no split tunneling).
Scope
FortiGate.
Solution
In this example, remote users are allowed to access the corporate network using an IPsec VPN from FortiClient. The remote user's Internet traffic is also routed through the FortiGate (split tunneling is not enabled).
To create a new firewall address, go to Policy & Objects -> Addresses and select 'Create New'. Set Category to 'Address', enter a Name, set Type to 'Subnet', set Subnet/IP Range to the local subnet, and set Interface to 'lan'.
Configuring the IPsec VPN.
To create the VPN, go to VPN -> IPsec Wizard and create a new tunnel using a pre-existing template.
Name the VPN.
The tunnel name cannot include any spaces or exceed 13 characters.
Set 'Template Type' to 'Remote Access' and 'Remote Device Type' to 'FortiClient' (FortiClient VPN for OS X, Windows, and Android).
Set the Incoming Interface to 'WAN1' and 'Authentication Method' to 'Pre-shared Key'.
Enter a pre-shared key.
This pre-shared key is a credential for the VPN itself and is different from the user password.
Select the 'Employees' user group.
Set 'Local Interface' to 'lan' and set 'Local Address' to the 'Internal-Network'.
Enter a 'Client Address Range' for VPN users.
The IP range entered here prompts FortiOS to create a new firewall object for the VPN tunnel using the name of your tunnel followed by the _range suffix (in the example, IPsec-FCT_range).
Make sure Enable IPv4 Split Tunnel is not selected, so that all Internet traffic will go through the FortiGate.
If Enable IPv4 Split Tunnel is selected, traffic not intended for the corporate network will not flow through the FortiGate and will not be subject to the corporate security profiles.
Select 'Client Options' as desired.
After the tunnel is created, a summary page appears listing the objects that the wizard has added to the FortiGate's configuration.
If multiple dialup IPsec VPNs are defined for the same dialup server interface, each phase1 configuration has to define a unique peer ID to distinguish the tunnel that the remote client is connecting to:
Go to VPN -> IPsec Tunnels and edit the just created tunnel.
Select 'Convert To Custom Tunnel'.
In the Authentication section, select 'Edit'.
Under 'Peer Options', set 'Accept Types' to 'Specific peer ID'.
In the 'Peer ID' field, enter a unique ID, such as "dialup1".
Select 'OK'.
To view the VPN interface created by the wizard, go to Network -> Interfaces.
To view the firewall address created by the wizard, go to Policy & Objects -> Addresses.
To view the security policy created by the wizard, go to Policy & Objects -> IPv4 Policy.
Creating a security policy.
The IPsec wizard automatically created a security policy allowing IPsec VPN users to access the internal network.
However, since split tunneling is disabled, another policy has to be created to allow users to access the Internet through the FortiGate.
To create a new policy, go to Policy & Objects -> IPv4 Policies and select 'Create New'.
- Set a policy name that will identify what this policy is used for (in the example, IPsec-VPN-Internet).
- Set Incoming Interface to the tunnel interface and Outgoing Interface to WAN1.
- Set Source to the IPsec client address range, Destination Address to all, Service to ALL, and enable NAT.
Configure any remaining firewall and security options as desired.
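The three requirements described above (no split tunnel, an Internet-egress policy with NAT from the tunnel interface to WAN1, and a unique peer ID per dialup tunnel) can be verified against a CLI configuration backup instead of clicking through the GUI. The following Python audit script is an added example, not Fortinet's code: the embedded config dump is constructed, and the parser only handles flat config/edit/set blocks.

```python
# Constructed FortiOS-style config dump (assumed values, not from a real unit).
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "IPsec-FCT"
        set type dynamic
        set peerid "dialup1"
    next
    edit "IPsec-Vendors"
        set type dynamic
        set peerid "dialup1"
        set ipv4-split-include "Internal-Network"
    next
end
config firewall policy
    edit 1
        set srcintf "IPsec-FCT"
        set dstintf "wan1"
        set dstaddr "all"
        set action accept
        set nat enable
    next
end
"""
def parse_fortios(text):
    # Minimal parser for flat config/edit/set blocks: {table: {entry: {key: value}}}
    tables, table, cur = {}, None, {}
    for line in (l.strip() for l in text.splitlines()):
        head, _, rest = line.partition(" ")
        if head == "config":
            table = rest
        elif head == "edit":
            cur = tables.setdefault(table, {}).setdefault(rest.strip('"'), {})
        elif head == "set":
            key, _, val = rest.partition(" ")
            cur[key] = val.strip('"')
    return tables
def audit_full_tunnel(cfg, wan="wan1"):
    # Flags dialup (type dynamic) tunnels that break the no-split-tunnel design.
    dialup = {n: p for n, p in cfg.get("vpn ipsec phase1-interface", {}).items()
              if p.get("type") == "dynamic"}
    policies, findings, seen = cfg.get("firewall policy", {}).values(), [], {}
    for name, p in dialup.items():
        if "ipv4-split-include" in p:  # split tunnel: Internet traffic bypasses the FortiGate
            findings.append(f"{name}: split tunnel enabled via {p['ipv4-split-include']}")
        want = {"srcintf": name, "dstintf": wan, "dstaddr": "all", "action": "accept", "nat": "enable"}
        if not any(want.items() <= x.items() for x in policies):
            findings.append(f"{name}: no NAT policy {name} -> {wan} to all; users get no Internet")
        pid = p.get("peerid")  # dialup tunnels on one interface need distinct peer IDs
        if pid in seen:
            findings.append(f"{name}: peer ID {pid!r} duplicates {seen[pid]}")
        seen.setdefault(pid, name)
    return findings
```

Run against a real backup (`show full-configuration` output) with the WAN interface name of the unit; an empty list means all dialup tunnels satisfy the design.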
Note for Public Cloud: for FortiGate HA deployments in the cloud, it is required to manually set the same IP on the tunnel interface of the secondary unit. The cluster will be out of sync until this is done. This only occurs if an IP is configured on the IPsec tunnel interface.
Example:
- Configure the tunnel on member 'FGT-A' as stated above.
- Copy the tunnel interface settings to the secondary member 'FGT-B'.
- The cluster will be in sync again.
Configuring FortiClient.
To add the VPN connection, open FortiClient, go to Remote Access and select 'Add a new connection'.
- Set the VPN to 'IPsec VPN' and 'Remote Gateway' to the 'FortiGate IP address'.
- Set 'Authentication Method' to 'Pre-Shared Key' and enter the key below it.
Expand 'Advanced Settings' -> 'Phase 1' and, in the 'Local ID' field, enter dialup1 (the peer ID configured on the FortiGate). Configure the remaining settings as needed, then select 'Save'.
Related documents:
Technical Tip: FortiGate IPSec VPN Resource List
Technical Tip: FortiGate Resource Lists