Support Forum
Matt_T
New Contributor

Replacing SSL-VPN with Dial-up IPSec.

Hello,

We have been trying to set up a Dial-up IPsec connection for our remote user base (30-40 users), seeing as SSL-VPN is being/has been removed from FortiOS 7.4 and newer (we are currently on 7.2.11). I can get a single machine to connect and work as intended, but when I connect another user device, it connects but there is no traffic that returns to the user. It seems like only one connection works; all subsequent ones are denied.

I've "set add-route disabled" from the CLI on the interface, but that didn't help. So far none of my searches have turned up anything more than that.

If it matters, our working SSL-VPN uses SAML and I have a similarly configured SAML for the Dial-Up IPsec.

Sorry in advance, I am very green when it comes to these FGTs.

 

Phase1 config (the enclosing "config vpn ipsec phase1-interface" context is the one these settings live in):

config vpn ipsec phase1-interface
    edit "vpn_Dial-Up"
        set type dynamic
        set interface "port35"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 #.#.#.#
        set ipv4-dns-server2 #.#.#.#
        set proposal aes256-sha256 aes256-sha256
        set add-route disable
        set dpd on-idle
        set comments "Scripted from FMG"
        set dhgrp ##
        set eap enable
        set eap-identity send-request
        set authusrgrp "Azure"
        set ipv4-start-ip 192.168.70.1
        set ipv4-end-ip 192.168.70.126
        set ipv4-split-include "Local_Subnets"
        set psksecret ***********
        set dpd-retryinterval 60
    next
end

 

Regards,

Matt

funkylicious
SuperUser

hi,

I would suggest going through these guides if not already:

https://docs.fortinet.com/document/forticlient/7.2.0/new-features/712604/ipsec-vpn-saml-based-authen...

https://www.andrewtravis.com/blog/ipsec-vpn-with-saml

https://docs.fortinet.com/document/fortigate/7.4.7/administration-guide/951346

Since you are doing split-tunnel, are the networks from Local_Subnets (they need to be subnets and not ranges) visible in the routing table of your computer after connecting? E.g. if you have Windows you could check with "route print -4" in cmd.

Also, in the firewall rules you only need the 192.168.70.1-.126 object as source addr w/o the group, and I would leave add-route enabled.

After you connect, try doing a "diagnose firewall iprope flush" and see if traffic works.

 

"jack of all trades, master of none"
Matt_T

Hello,

Local_Subnets is a subnet, not a range of IPs.

The route table on laptop 1 and laptop 2 both have the subnets in there, but I noticed something. On laptop 1 the gateway (G:) and interface (I:) for the internal subnets are G: 192.168.70.2 and I: 192.168.70.1. On laptop 2 however, the G: is 192.168.70.3 and the I: is 192.168.70.2.

So, the second laptop is trying to use the first laptop as an interface, and pick the next available IP as the gateway? That doesn't seem to make sense.

As for the SAML config, that all works. I am able to authenticate both laptops... just the second one I connect with (via hotspot so that it's not on the same internet source connection) connects but no traffic.

Thanks,

Matt
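An added check for the route-table step suggested in the first reply and the G:/I: observation in the second, not code from the thread: this Python parses Windows "route print -4" output and reports, per split-tunnel subnet, whether a route exists and whether its Interface column (the local address of the adapter that will send the packet, i.e. that client's own mode-cfg address, which is why laptop 2 shows I: 192.168.70.2) falls inside the assigned pool. The sample output, the 10.10.0.0/16 and 10.20.0.0/16 subnets standing in for Local_Subnets, and the 192.168.70.0/25 pool covering .1-.126 are constructed assumptions.

```python
import ipaddress
import re

# Constructed "route print -4" sample from a Windows client on the dial-up
# tunnel (hypothetical addresses). 10.10.0.0/16 leaves via the VPN adapter;
# 10.20.0.0/16 wrongly leaves via the hotspot adapter, the case to catch.
ROUTE_PRINT_LAPTOP2 = """\
===========================================================================
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.137.1   192.168.137.10     25
        10.10.0.0      255.255.0.0     192.168.70.3     192.168.70.2      1
        10.20.0.0      255.255.0.0    192.168.137.1   192.168.137.10     25
     192.168.70.2  255.255.255.255          On-link     192.168.70.2    256
===========================================================================
"""

# One data row: destination, netmask, gateway (address or On-link), interface, metric.
ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)

def parse_routes(text):
    """Return [(network, gateway, interface_address)] for every data row."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue  # header, separator or blank line
        dest, mask, gw, iface, _metric = m.groups()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, ipaddress.ip_address(iface)))
    return routes

def check_split_tunnel(text, split_include, pool):
    """Per split-tunnel subnet: 'missing', 'ok via <addr>' when the route's
    Interface column is a mode-cfg pool address, else 'wrong interface <addr>'."""
    routes = parse_routes(text)
    pool_net = ipaddress.ip_network(pool)
    report = {}
    for subnet in split_include:
        want = ipaddress.ip_network(subnet)
        hit = next((r for r in routes if r[0] == want), None)
        if hit is None:
            report[subnet] = "missing"
        elif hit[2] in pool_net:
            report[subnet] = f"ok via {hit[2]}"
        else:
            report[subnet] = f"wrong interface {hit[2]}"
    return report
```

Run it against the pasted route table of each laptop; a subnet reported as "missing" or "wrong interface" is one whose traffic never enters the tunnel, regardless of what the FortiGate policy allows.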