Support Forum
Gareth
New Contributor

Forticlient through PAT

Hi All, I have a support ticket raised for this, but I am appreciative of the quality of the forum, don't want to neglect it and thought I'd put this to the collective:

Fortigate 300 - 2.50 MR9

Forticlient seems to work fine for single users, including users behind a PAT device, so NAT-T is working fine and sessions are seen terminated on port 4500. One of our customer's remote sites is a rented office where many of their devices go through PAT translation. One device connects fine using Forticlient. Second device seems to connect fine also. Both devices seem to have network connectivity (of some sort) and are using separate static addresses configured in the client. Although the client is being authenticated, whichever one is passing traffic shows up, then if the other client tries to pass traffic the authentication box flashes up and the session goes from idle to up. Basically we have two clients which are both authenticated, but only one of the tunnels is up at any one time. The dialup monitor also reflects this. The Fortinet (because of the PAT) seems to believe that there is just one session.

PPTP is working through the same infrastructure - also multiple users from the same PAT address.

My main question to support was whether this setup should be supported. We have quite a few other facilities set up on the box (PPTP, RSA, site to site VPNs) so I'm reluctant to move immediately to another OS, but will if a possible fix is suggested. Any ideas or similar problems??

Cheers, Gaz
vanc
New Contributor II

I don't think the client can do anything regarding this issue. As the Fortigate only identifies connections by IP and NATted port, PAT may not work properly. You may raise a feature request ticket for the Fortigate.
Gareth
New Contributor

When you say NATted port, I presume you mean the destination port? It would be handy if the source port was referenced. Seems daft not to these days. The two sessions exist in the session table, but only one exists in the Dialup monitor. I'll wait to see what comes back from the support ticket and if nothing crops up I'll raise a feature request. Cheers
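The session-keying question in the two posts above (vanc's "IP and NATted port", Gareth's "which port?") as an added worked example; this is not code from the thread or from Fortinet. It hand-builds a few UDP/4500 datagrams using the framing RFC 3948 specifies for NAT-T (a four-byte all-zero "Non-ESP marker" in front of IKE, a bare non-zero SPI in front of UDP-encapsulated ESP, a single 0xFF byte for NAT keepalives) and feeds them to a toy dialup table. The two clients, the public address 203.0.113.5, the PAT source ports and the SPIs are all constructed; keying the table on the peer's IP alone collapses both clients into one session that keeps being "replaced", which is the symptom described in the original post, while keying on (IP, UDP source port) keeps them apart.

```python
"""Demultiplex NAT-T (udp/4500) peers by public IP alone vs. (IP, source port).

Added illustration, not Fortinet code.  Framing follows RFC 3948; every
address, port, cookie and SPI below is made up for the example.
"""
import struct
from dataclasses import dataclass, field

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 s.2.2: marker that precedes IKE on udp/4500


@dataclass
class Datagram:
    src_ip: str       # public (post-PAT) address as seen by the gateway
    src_port: int     # UDP source port as rewritten by the PAT device
    payload: bytes


def classify(payload: bytes) -> str:
    """Return 'keepalive', 'ike' or 'esp' for a udp/4500 payload."""
    if payload == b"\xff":                     # one-byte NAT keepalive (RFC 3948 s.4)
        return "keepalive"
    if len(payload) < 4:
        raise ValueError("truncated udp/4500 payload")
    return "ike" if payload[:4] == NON_ESP_MARKER else "esp"   # ESP: first 4 bytes are a non-zero SPI


def ike_icookie(payload: bytes) -> bytes:
    """Initiator cookie of the ISAKMP header that follows the non-ESP marker."""
    return payload[4:12]


def esp_spi(payload: bytes) -> int:
    return struct.unpack("!I", payload[:4])[0]


@dataclass
class DialupTable:
    """Minimal model of a gateway's dialup-session table."""
    key_on_port: bool                       # False = the behaviour the thread describes
    sessions: dict = field(default_factory=dict)

    def key(self, d: Datagram):
        return (d.src_ip, d.src_port) if self.key_on_port else (d.src_ip,)

    def ingest(self, d: Datagram) -> None:
        kind = classify(d.payload)
        if kind == "keepalive":
            return
        entry = self.sessions.setdefault(self.key(d), {"icookie": None, "esp_spis": set(), "replaced": 0})
        if kind == "ike":
            cookie = ike_icookie(d.payload)
            # A new initiator cookie from what looks like the same peer replaces
            # the tunnel: the "goes idle, then up again" symptom in the post.
            if entry["icookie"] is not None and entry["icookie"] != cookie:
                entry["esp_spis"].clear()
                entry["replaced"] += 1
            entry["icookie"] = cookie
        else:
            entry["esp_spis"].add(esp_spi(d.payload))


def build_ike(icookie: bytes) -> bytes:
    """Non-ESP marker + a bare 28-byte ISAKMP header (cookies, next payload, version, exchange, flags, msgid, length)."""
    hdr = icookie + b"\x00" * 8 + b"\x01\x10\x02\x00" + b"\x00" * 4 + struct.pack("!I", 28)
    return NON_ESP_MARKER + hdr


def build_esp(spi: int, seq: int, body: bytes) -> bytes:
    return struct.pack("!II", spi, seq) + body


# Constructed traffic: two clients behind one PAT address, distinct PAT source ports.
CLIENT_A = ("203.0.113.5", 61001)
CLIENT_B = ("203.0.113.5", 61002)
SAMPLE_TRAFFIC = [
    Datagram(*CLIENT_A, build_ike(b"\xaa" * 8)),
    Datagram(*CLIENT_A, build_esp(0x10000001, 1, b"ciphertext-a")),
    Datagram(*CLIENT_B, build_ike(b"\xbb" * 8)),
    Datagram(*CLIENT_B, build_esp(0x20000002, 1, b"ciphertext-b")),
    Datagram(*CLIENT_A, b"\xff"),
    Datagram(*CLIENT_A, build_esp(0x10000001, 2, b"ciphertext-a")),
]


def run(key_on_port: bool) -> DialupTable:
    table = DialupTable(key_on_port)
    for d in SAMPLE_TRAFFIC:
        table.ingest(d)
    return table


if __name__ == "__main__":
    for mode in (False, True):
        t = run(mode)
        print("key on (ip, port)" if mode else "key on ip only", "->", len(t.sessions), "session(s)")
        for k, v in t.sessions.items():
            print("  ", k, "icookie", v["icookie"].hex(), "esp", sorted(hex(s) for s in v["esp_spis"]),
                  "replaced", v["replaced"])
```

With IP-only keying the table ends with one entry whose IKE cookie is B's, whose tunnel was torn down and rebuilt once, and which is receiving ESP on both SPIs; with (IP, port) keying each client keeps its own entry. A real gateway additionally has to match ESP by SPI and keep the NAT mapping alive with the keepalives, but the demux key is the part that decides whether two peers behind one PAT are distinguishable at all.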
UkWizard
New Contributor

This is exactly the problem you will see, as VPNs do not go through NAT very well; this is a restriction of the VPN protocol and NOT the device. PPTP is really the only (usually) reliable VPN that will happily travel through a NAT environment. Fortinet won't be able to resolve this (as no-one can until the standard changes). The only way you can do this is to have an external IP allocated for each workstation internally (VIP static NAT, one external to one internal). This works most of the time, but still is not guaranteed.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
Gareth

Cisco VPN client to PIX (6.3.4) works fine in the same situation, so I'm presuming Cisco are going above and beyond the standards with recent releases. We have got PPTP in use as well. The reason for using the Forticlient was that extended authentication to RSA is not supported using PPTP. We're having to stick to the local database. It works if you change to PAP for the PPTP, but at that point you've just got a GRE tunnel with no encryption. Out of the frying pan into the fire.
UkWizard
New Contributor

RSA servers have native support for RADIUS authentication, so it should work with Fortinet for PPTP as well, using the RSA server as the supplying RADIUS auth method. Theoretically anyway.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
Gareth
New Contributor

That's what we thought (hoped), and in fact specified as a solution, but the man from Fortinet - he say no! No support for RSA/PPTP. We thought we may get it to work anyway, but after a couple of hours, the only way was to use PAP auth as I mentioned, which does not allow for encryption of the GRE tunnel. I'm open to suggestions as PPTP would do us fine if we're going to have problems with Forticlient, but I'm out of ideas for it, and Fortinet have snubbed it.
UkWizard
New Contributor

So did you try setting up a RADIUS entry in the Fortinet to auth against the RSA server, then adding the Fortinet as an agent on the RSA server? I would expect that to work.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
Gareth
New Contributor

Yep - worked using PAP, but as Microsoft documented, this doesn't allow encryption of the GRE tunnel. Couldn't get anything except PAP (unencrypted password) to work. I may have a bit of a sticky one if we don't manage to get the Forticlient working.
UkWizard
New Contributor

You could try making sure NAT traversal is enabled on the client and the Fortinet, and see if that helps. Or static NATs for each internal client. But personally, I think you should consider switching to a site-to-site VPN instead.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.