calsaac2010
New Contributor

remote VPN dial in when Fortigate is configured in transparent mode

Hi

 

Understand there are limitations when setting a FortiGate in transparent mode. One of which is VPN. Can the VPN be set up for a remote client to dial in? Or is this limited to site-to-site tunnelling? Even that has limitations, I believe.

 

Thanks 

ede_pfau
SuperUser

If I remember correctly VPN in transparent mode is one of the few (few, few) cases where you need to create a policy-based VPN - action "IPSEC" or "ENCRYPT". Per se, a dial-in VPN should be possible, as well as a site-to-site VPN. No luck searching the docs?

Which firmware version are you running?

Ede Kernel panic: Aiee, killing interrupt handler!
calsaac2010
New Contributor

Hi Ede_Pfau

 

First, thank you for the quick response. So far, I have seen an example of an IPsec VPN tunnel between two FGs in transparent mode. I think I understand your logic, referring to one of the entities of the site-to-site IPsec tunnel as a client. To the point, you mean I can use a remote FortiClient to dial into the FG configured as a VPN server operating in transparent mode. But only IPsec. So the FG can be configured to assign a dedicated pool of IPs to the remote client.

 

I did not find a doc on this particular topic or an example close to this. Do you have one?

 

Regards 

calsaac2010

Hi Ede_Pfau

 

I forgot to mention the version 5.0. 

 

regards

emnoc
Esteemed Contributor III

Have you tried to contact FTNT for a cookbook or tech doc?

 

mailto:techdoc@fortinet.com

 

They might have a KB or document for just this type of setup. Somehow I don't think you can do this, but if anybody would know, it would be TAC/support and the techdoc team.

 

PCNSE 

NSE 

StrongSwan  

ede_pfau

Yes, if a TP FGT supports IPsec VPN then why shouldn't it be supporting dial-in from a Forticlient? We're talking about IPsec only here. You could have a look at a v3 Handbook for the details on how to set up a dial-in "policy-based" VPN and try to transfer that config onto the TP mode FGT. In v3, policy-based VPN was standard, and dial-in was supported of course.

 

Whether a TP mode FGT supports DHCP-over-IPsec is a different question. I'd bet it does not. Shouldn't be much of a problem though, and your second one anyway.

Ede Kernel panic: Aiee, killing interrupt handler!
calsaac2010

Hi

 

Just want to say thanks for the input. It is true IPsec site-to-site tunnelling is supported in TP mode and is in the doc. And the rationale here, I guess, is that if one end or one of the sites (like a client) looking into the other site can be set up on the VPN tunnel, why wouldn't it work with a FortiClient with a similar setup? Unfortunately, there is little or no example or info out there.
