Hi

We are running a FortiGate 60E using a single WAN connection (set of public IPs) and a straight C-class private LAN. We have some services in our LAN that my colleagues and I are using every day. Basically everything works just nicely.

I have set up a dialup VPN tunnel (IPsec) to provide access from remote networks. This VPN tunnel is set to have "Enable IPv4 Split Tunnel" checked, as normally we would like internet traffic not to take the VPN route but to go there directly. This tunnel works great and we are happy with bandwidth and performance.

Now in addition to that, we need to have a VPN tunnel with "IPv4 Split Tunnel" disabled. In some cases we need to have all traffic go through that tunnel, and for internet traffic we'd like to have a different public IP address being used than the one generally defined for WAN1. So apart from the "Split Tunnel" feature and a different client address range, there should not be a difference. But the thing is, this second dialup VPN tunnel doesn't work.

In https://forum.fortinet.com/tm.aspx?m=174231 ede_pfau recommends using VDOMs for this kind of setup. But this seems way too complicated to me, especially as there is no need to securely separate the traffic between the two or to have two different LANs reached by the VPN tunnels. So the typical use case for VDOMs is not given.

Does anybody know how to tackle this in the sense of "best practice"? Any help and support is appreciated.

itemanuel
Hi
To use more than one IPsec tunnel on the same interface you must specify a unique Peer ID in each VPN tunnel (Authentication section) and the same in Local ID (Phase 1 section).
In FortiClient VPN set the Local ID under Advanced Settings > Phase 1.
So if the above is the fact and can't change, the only options for you would be:
1) have two different interfaces for two different dialup IPsec termination points (or separate VDOMs, which would do something similar)
or,
2) go to SSL VPN instead and separate user groups, then set separate policies, or simply use a "realm" to separate the "portal" for each user group.
Thanks again, Toshi
I did exactly what you proposed. I'm perfectly able to connect using my first tunnel. In the IPsec Monitor the Peer ID shows up nicely. But the connection to my second tunnel still doesn't work. I'm getting "The preshared key is not correct". What happens is that it is not the second tunnel that is tried, but the first. And as I have chosen a different preshared key to tell them apart, the key obviously doesn't match. The cause is a kind of strict relation between the WAN1 interface and the first IPsec tunnel, leading to the fact that no other IPsec tunnel can claim to use WAN1. That's why using separate VDOMs would solve this. But I'm not giving up on finding the right solution without the work of setting up another VDOM.
So I'm wondering how Jan_1966 has found a way to have it work. Does he have two WAN connections, one for each tunnel?
You have to limit the 2nd tunnel to a specific peer ID too. This is what Jan_1966 did.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Correct.
So I created 2 Remote Access VPN tunnels with the wizard (different IP ranges), then in the Authentication section of each you define the Peer ID that is accepted on this tunnel.
On the client you define the Local ID for the tunnel it needs to connect to.
This way I segregated corporate laptops from BYOD devices so they could use different security policies: BYOD is using split tunneling, while for corporate all traffic is directed over the VPN tunnel.
In the Monitor I see generally about 8 users on one tunnel and about 30 on the other.
Hope this helps.
Jan
Thanks Jan
I think I did the same. I started off with the wizard. Then I added the localid using the command line as Toshi had proposed. I paste my config here. Would you mind comparing this to yours, or posting yours here? I suppose you know how to use the CLI to get the list.

gate (phase1-interface) # show
config vpn ipsec phase1-interface
    edit "access_dw"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype any
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 192.168.10.8
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set localid "withdw"
        set dpd on-idle
        set comments "VPN: access_dw (Created by VPN wizard)"
        set wizard-type dialup-forticlient
        set xauthtype auto
        set authusrgrp "dwi-VPN-access"
        set ipv4-start-ip 172.16.10.20
        set ipv4-end-ip 172.16.10.39
        set ipv4-split-include "access_dw_split"
        set save-password enable
        set psksecret ENC [[my-secret-hash-1]]
        set dpd-retryinterval 60
    next
    edit "through_dw"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype any
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 192.168.10.8
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set localid "throughdw"
        set dpd on-idle
        set comments "VPN: through_dw (Created by VPN wizard)"
        set wizard-type dialup-forticlient
        set xauthtype auto
        set authusrgrp "dwi-VPN-access"
        set ipv4-start-ip 10.0.10.20
        set ipv4-end-ip 10.0.10.39
        set save-password enable
        set psksecret ENC [[my-secret-hash-2]]
        set dpd-retryinterval 60
    next
end
Hi,
I am not going to paste the whole configuration, but your configuration states Peer ID "Any". On the FortiGate side it's not the Local ID but the Peer ID you need to change:
    set peertype one
    set peerid "Noncorporate"
It's in the Authentication section of the VPN tunnel:
    Accept type: Specific Peer ID
    Peer ID: "whatever the name is you accept on this tunnel"
Thanks Jan
With Pedro's input I realised I had to change exactly this using the CLI. So
    set peertype one
    set peerid "id-tunnel-1"
    set localid "my-local-id"
and
    set peertype one
    set peerid "id-tunnel-2"
    set localid "my-local-id"
for the other tunnel.
In FortiClient there's one confusing thing though. We had to insert the Peer ID of the selected tunnel in the field "Local ID" in order to have it work correctly.
Now everything's solved! Apart from an issue concerning macOS Catalina users (https://forum.fortinet.com/tm.aspx?m=179386), which I hope will be solved soon. For them we configured an SSL-VPN tunnel. Works for them as well as for iOS clients.
So thanks everybody contributing!
Have a good time and stay healthy
Itemanuel
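As an added example (not configuration from the original thread), here is what the two dialup phase1-interface entries from the posted config look like once the fix described above is applied: both tunnels stay on wan1, but each gets `set peertype one` with its own peer ID, so IKE matches the gateway by the ID FortiClient sends in its "Local ID" field instead of taking the first dialup tunnel on the interface. The split-tunnel entry keeps `ipv4-split-include`; the full-tunnel entry has none, so FortiClient routes everything through it. The IP pool and the outbound policy at the end are an assumption derived from the original question (a separate public address for full-tunnel users); the address 203.0.113.10, the pool and policy names, and the `through_dw_range` address object are placeholders. The SHA-1 proposals from the posted config were dropped as an editorial choice. Lines beginning with `#` are annotations, not FortiOS CLI; strip them before pasting.

```text
config vpn ipsec phase1-interface
    edit "access_dw"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        # Accept only clients whose Local ID is "withdw"
        set peertype one
        set peerid "withdw"
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 192.168.10.8
        set proposal aes128-sha256 aes256-sha256
        set dpd on-idle
        set xauthtype auto
        set authusrgrp "dwi-VPN-access"
        set ipv4-start-ip 172.16.10.20
        set ipv4-end-ip 172.16.10.39
        # Split tunnel: only the LAN routes in this address group are pushed
        set ipv4-split-include "access_dw_split"
        set save-password enable
        set psksecret <psk-for-split-tunnel>
        set dpd-retryinterval 60
    next
    edit "through_dw"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        # Different peer ID and its own PSK; clients send Local ID "throughdw"
        set peertype one
        set peerid "throughdw"
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 192.168.10.8
        set proposal aes128-sha256 aes256-sha256
        set dpd on-idle
        set xauthtype auto
        set authusrgrp "dwi-VPN-access"
        set ipv4-start-ip 10.0.10.20
        set ipv4-end-ip 10.0.10.39
        # No ipv4-split-include: FortiClient sends all traffic through this tunnel
        set save-password enable
        set psksecret <psk-for-full-tunnel>
        set dpd-retryinterval 60
    next
end

# Assumed: a dedicated public address for full-tunnel users' internet traffic
config firewall ippool
    edit "vpn-full-snat"
        set type overload
        set startip 203.0.113.10
        set endip 203.0.113.10
    next
end

# Assumed: policy letting full-tunnel clients out via wan1 with that address
config firewall policy
    edit 0
        set name "through_dw-to-internet"
        set srcintf "through_dw"
        set dstintf "wan1"
        set srcaddr "through_dw_range"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "vpn-full-snat"
    next
end
```

Note that `set localid` on the FortiGate side, which appears in the posted config, only sets the identifier the FortiGate presents about itself; it is `peerid` together with `peertype one` that selects which dialup gateway a client lands on, which is why the earlier attempt still hit the first tunnel and reported a wrong preshared key. To confirm which gateway a client negotiated, `diagnose vpn ike gateway list` shows the peer ID per established gateway, and `diagnose debug application ike -1` followed by `diagnose debug enable` shows the ID match and PSK check during the exchange.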
As far as I am aware the Local ID you specify on the forticlient should be the Peer ID you specified on the fortigate, or at least that's how it works on the ones I have setup.
Run your "diag debug flow" and inspect the action during the users' testing.
Ken Felix
PCNSE
NSE
StrongSwan
Ok, thanks. I didn't know the same "local ID" for a group of clients would connect to a single dialup at the FGT with the same "peer ID". Then you just need to have two setups in the same way with different local/peer IDs for two groups of clients.
Copyright 2024 Fortinet, Inc. All Rights Reserved.