snowman386
New Contributor III

IPSec policy server forticlient remote networks

Is there any way to have the FortiClient automatically learn the remote networks from the policy server? I thought this was the point of the policy server that I set up. Here are the details of my config:

- Policy-based dialup VPN using XAuth
- DHCP server assigns VIPs to the clients with no default gateway (for split tunneling)
- FortiClient configured for automatic IPsec VPN
- VPN policy server has been set up with the RADIUS user group and the phase 2 connection of the dialup VPN

I want the FortiGate to assign the remote networks to the FortiClient based on the firewall policy that contains the VPN tunnel (or any method; this just seems the most logical). That way I can add/remove destination subnets from the address group and have the clients automatically update instead of having to touch each client.

It seems that the policy server does not assign remote networks, though, as the only way I can communicate with the remote networks is to change DHCP to assign a default gateway or change the FortiClient to a manual IPsec VPN and specify the individual remote networks. The first way is not desirable as I don't want VPN clients consuming twice as much bandwidth to browse the internet. The second is not desirable as each VPN client has to be updated when remote networks are added/removed.

Hope that all makes sense. Thanks
18 replies
Carl_Wallmark
Valued Contributor

Hello and welcome. Yes, it's possible, but you need to make some changes in the CLI.

First of all, configure your VPN tunnel for the policy server:

    config vpn ipsec forticlient
        edit <just a name>
            set usergroupname <name of authentication group>
            set phase2name <name of phase2>
        next
    end

Then you must create an Address Group: Firewall -> Address (you need to change both src-addr-type and dst-addr-type).

Then edit your VPN phase 2 in the CLI and change the type of address:

    # for a policy-based tunnel the table is "config vpn ipsec phase2" instead
    config vpn ipsec phase2-interface
        edit <phase2 name>
            # both selectors must be named addresses; naming only one is rejected
            # src = networks behind the FortiGate, dst = the remote (client) side
            set src-addr-type name
            set src-name <name of address>
            set dst-addr-type name
            set dst-name <name of remote (client) address>
        next
    end

Then you can add all subnets to that address group, and when the policy server is enabled it will push all networks to your FortiClients.

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

snowman386
New Contributor III

Fantastic. I will try that out and let you know. This info should be in the IPsec guide!!! I triple-checked the guide about FortiClient dialup VPNs.
snowman386
New Contributor III

I get this error when I run the command:

    cannot use named address for only one selector
    object set operator error, 5
    discard the setting
    Command fail. Return code 5

I assume it means I have to set the dst-name also. Would that be the VIP subnet I created for the FortiClients? Thanks
snowman386
New Contributor III

OK, I really need help now. I am trying to configure interface mode because it seems easier to manage, but I cannot get the FortiClient to connect. Here are the errors I get on the FortiClient:

    Feb 26 13:31:49: Initiator: sent x.x.x.x main mode message #1 (OK)
    Feb 26 13:31:50: Initiator: sent x.x.x.x main mode message #2 (OK)
    Feb 26 13:31:50: Initiator: sent x.x.x.x main mode message #3 (OK)
    Feb 26 13:31:50: Initiator: parsed x.x.x.x main mode message #3 (DONE)
    Feb 26 13:31:50: Initiator: sent x.x.x.x quick mode message #1 (OK)

and

    program=ipsec msg=Failed to add vpn gateway x.x.x.x to trusted zone loc_ip=75.246.65.108 loc_port=500 rem_ip=x.x.x.x rem_port=500 out_if=0 vpn_tunnel=manual status=negotiate_error msg=" No response from the peer, retransmit (st=2).... "

I set up the phase 1 in interface mode (left local gateway default), added two firewall policies for the VPN interface and LAN interface, and set up an IPsec DHCP server on the VPN interface. I had this working great in policy mode, but there has to be something simple I'm missing with interface mode.
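The FortiClient log above ends after quick mode message #1 with no reply, after main mode message #3 was parsed as DONE, so the stall is after phase 1 rather than in it. As an added example that is not part of this thread or of any Fortinet tool, the following Python script parses FortiClient log lines of that shape, reads the key=value status line, and reports which IKE stage went unanswered. The sample lines are constructed from the post, with the poster's public address replaced by 192.0.2.10; the FortiGate-side `diagnose debug application ike -1` named in the hint is the standard FortiOS IKE debug command.

```python
"""Triage a FortiClient IPsec connection log: which IKE stage stalled?"""
import re

# One line per IKE message as FortiClient logs it, e.g.
#   Feb 26 13:31:50: Initiator: parsed x.x.x.x main mode message #3 (DONE)
IKE_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d): (?P<role>Initiator|Responder): "
    r"(?P<verb>sent|parsed) (?P<peer>\S+) (?P<exchange>main|aggressive|quick) mode "
    r"message #(?P<num>\d+) \((?P<result>\w+)\)$"
)

# key=value tokens; an unquoted value runs until the next " key=", and a quoted
# value may itself contain "=" (the status line on this page has "(st=2)" in it)
KV_TOKEN = re.compile(r'(\w+)=("[^"]*"|.*?)(?=\s+\w+=|\s*$)')


def parse_ike_events(lines):
    """Return the IKE message events found in *lines*, in log order."""
    events = []
    for line in lines:
        m = IKE_LINE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["num"] = int(ev["num"])
            events.append(ev)
    return events


def parse_kv_line(line):
    """Parse a FortiClient key=value event line into {key: [values]};
    keys such as msg can appear more than once on one line."""
    fields = {}
    for key, value in KV_TOKEN.findall(line.strip()):
        fields.setdefault(key, []).append(value.strip('"').strip())
    return fields


def triage(lines):
    """Classify how far the negotiation got; return (stage, hint)."""
    events = parse_ike_events(lines)
    status = {}
    for line in lines:
        if line.lstrip().startswith("program=ipsec"):
            status = parse_kv_line(line)   # last status line wins
    err = "; ".join(status.get("msg", []))

    # "parsed ... (DONE)" on a main/aggressive mode message = phase 1 is up
    p1_done = any(e["verb"] == "parsed" and e["exchange"] != "quick"
                  and e["result"] == "DONE" for e in events)
    p2_sent = any(e["verb"] == "sent" and e["exchange"] == "quick" for e in events)
    p2_done = any(e["verb"] == "parsed" and e["exchange"] == "quick"
                  and e["result"] == "DONE" for e in events)

    if p2_done:
        return "established", "phase 1 and phase 2 completed"
    if p1_done and p2_sent:
        return ("phase2_no_response",
                "phase 1 completed (PSK, IKE proposal and DH group were accepted); "
                "the gateway did not answer quick mode message #1, so compare the "
                "phase 2 proposal, PFS/DH group and selectors on both ends and watch "
                "'diagnose debug application ike -1' on the FortiGate. " + err)
    if p1_done:
        return "phase1_only", "phase 1 completed but no quick mode was sent. " + err
    if events:
        return ("phase1_no_response",
                "no main/aggressive mode reply from the gateway: check reachability "
                "of UDP 500/4500 and the phase 1 proposal and PSK. " + err)
    return "no_ike_activity", err or "no IKE messages in log"


# Constructed sample in the shape of the log posted in this thread; the
# poster's public IP is replaced by the documentation address 192.0.2.10.
SAMPLE_LOG = [
    "Feb 26 13:31:49: Initiator: sent x.x.x.x main mode message #1 (OK)",
    "Feb 26 13:31:50: Initiator: sent x.x.x.x main mode message #2 (OK)",
    "Feb 26 13:31:50: Initiator: sent x.x.x.x main mode message #3 (OK)",
    "Feb 26 13:31:50: Initiator: parsed x.x.x.x main mode message #3 (DONE)",
    "Feb 26 13:31:50: Initiator: sent x.x.x.x quick mode message #1 (OK)",
    'program=ipsec msg=Failed to add vpn gateway x.x.x.x to trusted zone '
    'loc_ip=192.0.2.10 loc_port=500 rem_ip=x.x.x.x rem_port=500 out_if=0 '
    'vpn_tunnel=manual status=negotiate_error '
    'msg=" No response from the peer, retransmit (st=2).... "',
]

if __name__ == "__main__":
    stage, hint = triage(SAMPLE_LOG)
    print(stage)
    print(hint)
```

Run it as a script to see the verdict for the embedded sample, or pass the lines of a real FortiClient log to `triage()`. The useful distinction is that an unanswered quick mode message means the PSK and phase 1 proposal were already accepted, so the phase 1 settings are not where to look next.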
abelio
Valued Contributor

ORIGINAL: snowman386 I set up the phase 1 in interface mode (left local gateway default), added two firewall policies for the VPN interface and LAN interface, and set up an IPsec DHCP server on the VPN interface. I had this working great in policy mode, but there has to be something simple I'm missing with interface mode.

There's no support for DHCP over IPsec under FortiOS 3.0 for route/interface-based VPNs. You have to run FortiOS 4.0 to do that; could that be an explanation?

regards / Abel
snowman386
New Contributor III

Well, I am on 4.0 MR1 Patch 3. I tried configuring the FortiClient with a manual VIP and it still will not even connect. I get "VPN has trouble connecting with the remote gateway. Retrying now..." Do I need to add a firewall policy to the WAN or set up any static routes?
snowman386
New Contributor III

Here are my phase 1 and phase 2 configs (interface mode):

    config vpn ipsec phase1-interface
        edit "LOV_IPSEC_FC_P1"
            set type dynamic
            set interface "port1"
            set ip-version 4
            set ike-version 1
            set local-gw 0.0.0.0
            set localid ''
            set dpd enable
            set nattraversal enable
            set dhgrp 5
            set proposal 3des-sha1 aes128-sha1
            set keylife 28800
            set authmethod psk
            set peertype any
            set xauthtype disable
            set mode main
            set mode-cfg disable
            set default-gw 0.0.0.0
            set default-gw-priority 0
            set dpd-retrycount 3
            set dpd-retryinterval 5
            set psksecret ENC xxxxxxxxx
            set keepalive 10
            set distance 1
            set priority 0
        next
    end

    config vpn ipsec phase2-interface
        edit "LOV_IPSEC_FC_P2"
            set dst-addr-type subnet
            set dst-port 0
            set keepalive disable
            set keylife-type seconds
            set pfs enable
            set phase1name "LOV_IPSEC_FC_P1"
            set proposal 3des-sha1 aes128-sha1
            set protocol 0
            set replay enable
            set route-overlap use-new
            set single-source disable
            set src-addr-type subnet
            set src-port 0
            set dhcp-ipsec enable
            set dhgrp 5
            set dst-subnet 0.0.0.0 0.0.0.0
            set keylifeseconds 1800
            set src-subnet 0.0.0.0 0.0.0.0
        next
    end
Two firewall rules:

    # policy: LOV_CORP -> LOV_IPSEC_FC_P1
        set srcintf "LOV_CORP"
        set dstintf "LOV_IPSEC_FC_P1"
        set srcaddr "LOV_VPN_DESTINATION_NETWORKS"
        set dstaddr "LOV_IPSEC_CLIENT_SUBNET"
        set action accept
        set status enable
        set logtraffic disable
        set per-ip-shaper ''
        set session-ttl 0
        set wccp disable
        set disclaimer disable
        set natip 0.0.0.0 0.0.0.0
        set match-vip disable
        set diffserv-forward disable
        set diffserv-reverse disable
        set tcp-mss-sender 0
        set tcp-mss-receiver 0
        set comments ''
        set endpoint-check disable
        set label ''
        set identity-based disable
        set schedule "always"
        set service "ANY"
        set profile-status disable
        set traffic-shaper ''
        set nat disable

    # policy: LOV_IPSEC_FC_P1 -> LOV_CORP
        set srcintf "LOV_IPSEC_FC_P1"
        set dstintf "LOV_CORP"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set status enable
        set logtraffic disable
        set per-ip-shaper ''
        set ippool disable
        set session-ttl 0
        set wccp disable
        set disclaimer disable
        set natip 0.0.0.0 0.0.0.0
        set match-vip disable
        set diffserv-forward disable
        set diffserv-reverse disable
        set tcp-mss-sender 0
        set tcp-mss-receiver 0
        set comments ''
        set endpoint-check disable
        set label ''
        set identity-based disable
        set schedule "always"
        set service "ANY"
        set profile-status disable
        set traffic-shaper ''
        set nat enable
        set fixedport disable
And the DHCP server:

        set conflicted-ip-timeout 1800
        set default-gateway 0.0.0.0
        set dns-server1 0.0.0.0
        set dns-server2 0.0.0.0
        set dns-server3 0.0.0.0
        set domain ''
        set enable enable
        set interface "LOV_IPSEC_FC_P1"
        set lease-time 86400
        set netmask 255.255.255.128
        set option1 0
        set option2 0
        set option3 0
        set server-type ipsec
        set wins-server1 0.0.0.0
        set wins-server2 0.0.0.0
        set end-ip 10.0.98.254
        set ip-mode range
        set ipsec-lease-hold 0
        set start-ip 10.0.98.129
abelio
Valued Contributor

Configure your FortiClient for "obtain IP from DHCP server over IPsec", no manual VIP, and re-check your firewall policy srcaddr/dstaddr settings; they don't seem very consistent with each other. Replace them with "all" and retry.

regards / Abel
snowman386
New Contributor III

ORIGINAL: abelio Configure your FortiClient for "obtain IP from DHCP server over IPsec", no manual VIP, and re-check your firewall policy srcaddr/dstaddr settings; they don't seem very consistent with each other. Replace them with "all" and retry.

Well, I have tried all/all in both directions and set the client for DHCP and manual. No combination has worked.