Hello team!!!
I hope you are fine!!
We have here, 2 kind of VPN users trying to access different resources on different VLANs (Behind the same Fortigate), we need, for example, the following:
* User Group 1: Can access LAN but not DMZ
* User Group 2: Can access DMZ but not LAN
We have 3 WANs, the idea is create one VPN for each WAN.
We choose L2TP/IPsec VPN, because this dont require to install FortiClient in each Client. All the test were done with L2TP/IPsec VPN (Using the option "Windows Native" in the wizard)
What we tried in first place, is to create 2 VPNs for each WAN, one for each user group (6 VPNs), but this seems that the Fortigate, only is listenning for one VPN in each WAN.
I deleted all the VPNs and references (Including addresses)
I created again the VPNs for each WAN, just for "User Group 1"
I could connect and access the network through the VPN, everything was fine
I added the 3 VPNs for "User Group 2" (1 for each WAN)
I coud NOT connect, wrong credentials
I added the same user to "User Group 2" and I could connect (Even removing the username from "User Group 1")
When I see the Fortigate, the user was connected to the VPN for "User Group 1", but it needed credentials inside "User Group 2".
So, I am thinking another aproach
I think maybe I could set static IPs for Clients in "User Group 2", and manage permissions in Firewall Policies to choose to which LAN can access each IP range. But I dont like to set static IPs
Do you have a better idea?
Thanks in advance.
Regards,
Damián
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Ahh, ok, I will test this.
Thanks a lot!
Hello again!!
I have tried with FortiClient VPNs, but when I add a user group in the policy, the VPN stop working (Again, the traffic does not match any policy)
So, to test, I wanted to follow what @pminarik said, create an IKEv2 VPN, but I dont know how to create this. I think I should use "Custom" VPN, but this has a lot of options and idk which settings should I choose to this VPN to work on Windows and most OS native clients.
Do you have any cookbook or any other suggestion?
Bit of a late reply, but you can try using this doc as a baseline: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Windows-IKEv2-native-VPN-with-machine-cert...
Use this, and then tweak as needed/desired. Make sure to run ike debug when testing to catch any configuration mismatches.
Thanks pminarik!!
not one peer but one peer-id! On a dial up this means every peer has to send that unique peer id so the FGT can determine the correct ipsec. That does NOT limit your ipsec to just one peer!
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Thanks!
Is it possible to configure peer-ids on native Windows VPN clients?
Is this just for forticlient clients?
So, in this case, I need all users for VPN1 to use peer-id 1, and all users for VPN2 to use peer-id 2, right?
Regards,
Damián
the most Windows IPSec Clients I know support setting a peer id (in this case local id).
And yes that's right.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1669 | |
1082 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.