Andy_G
Staff
Created on 08-24-2010 06:27 AM Edited on 06-08-2022 02:33 PM By Anonymous
Article Id
196048
Description
The "normal" Cisco VPN configuration for FortiGate appliances is documented elsewhere (see the related article below) and applies where all users of the Cisco VPN have the same access rights.
This article explains how to alter that configuration so that different user groups are given access to different resources.
Solution
Requirements
- FortiGate appliance
- Wan1 is connected to the WAN.
- Port2 is connected to the LAN.
- Authentication already configured (LDAP, Active Directory, or Local).
- Two user groups already created (“vpn-group1” and “vpn-group2”).
Configuration
In this configuration, each group is assigned an IP address from a distinct IP pool. A user in vpn-group1 is assigned an address from 10.100.0.[11-19], and a user in vpn-group2 is assigned an address from 10.100.0.[21-29].
Ensure that a secondary IP address of 10.100.0.1/24 is created on wan1; this is used as the default gateway for all VPN clients.
The first step is to configure the Phase 1 IPsec VPN tunnel for the first group. Then repeat it for each other group, giving each its own interface name, peer ID, user group, IP range and pre-shared key.
config vpn ipsec phase1-interface
    edit "vpn-group1-int"
        set type dynamic
        set interface "wan1"
        set dhgrp 2
        set proposal 3des-sha1 aes128-sha1
        set peertype one
        set xauthtype auto
        set mode aggressive
        set mode-cfg enable
        set peerid "RESOURCE-1"
        set authusrgrp "vpn-group1"
        set ipv4-start-ip 10.100.0.11
        set ipv4-end-ip 10.100.0.19
        set psksecret "mypass1"
    next
end
Note the specific variables here:
Variable | Usage
vpn-group1-int | Unique interface name for this group
wan1 | Physical interface used for VPN connections
peerid | The "Group Name" in the Cisco VPN configuration
authusrgrp | The user group that is allowed to use this VPN configuration
ipv4-start-ip | Start of the IP address range to be assigned
ipv4-end-ip | End of the IP address range to be assigned
psksecret | Pre-shared key for this VPN configuration
The users will need to be given:
- The Peer ID (Cisco VPN Group Name).
- The Pre-shared Key.
- Their username and password (if appropriate).
The Phase 2 configuration follows:
config vpn ipsec phase2-interface
    edit "vpn-group1-phase2"
        set phase1name "vpn-group1-int"
        set proposal 3des-sha1 aes128-sha1
        set dhgrp 2
        set dst-subnet 10.100.0.0/24
    next
end
Finally, to activate the VPN configuration there must be a firewall policy. This can be one policy or many. An example policy is:
config firewall policy
    edit 2
        set srcintf "vpn-group1-int"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "Resource-Addrgroup-1"
        set action accept
        set schedule "always"
        set service "ANY"
        set logtraffic enable
        set nat enable
    next
end
Here, "Resource-Addrgroup-1" is an address object (or group of address objects) that has been defined previously as the list of resources to which this VPN group is allowed access. Because the policy is keyed on the group's own tunnel interface as srcintf, the separation between groups depends on each policy's srcintf and dstaddr being specific to that group.
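The following is an added example, not part of the original article, that carries the procedure above through for the second group in one place: the wan1 secondary IP the article requires, plus the Phase 1, Phase 2 and firewall policy for vpn-group2. Parameter values are copied from the group-1 configuration except where they must differ per group. The peer ID "RESOURCE-2", the address group "Resource-Addrgroup-2", policy id 3 and the pre-shared key placeholder are assumptions; the user group "vpn-group2" and the 10.100.0.21-29 pool come from the article.

```fortios
# Secondary IP on wan1: the 10.100.0.1/24 default gateway for all VPN clients.
config system interface
    edit "wan1"
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 10.100.0.1 255.255.255.0
            next
        end
    next
end

# Phase 1 for the second group: its own interface name, peer ID (the Cisco
# "Group Name"), user group, IP pool and pre-shared key.
config vpn ipsec phase1-interface
    edit "vpn-group2-int"
        set type dynamic
        set interface "wan1"
        set dhgrp 2
        set proposal 3des-sha1 aes128-sha1
        set peertype one
        set xauthtype auto
        set mode aggressive
        set mode-cfg enable
        set peerid "RESOURCE-2"
        set authusrgrp "vpn-group2"
        set ipv4-start-ip 10.100.0.21
        set ipv4-end-ip 10.100.0.29
        set psksecret "REPLACE-WITH-GROUP2-PSK"
    next
end

# Phase 2 bound to the group-2 Phase 1.
config vpn ipsec phase2-interface
    edit "vpn-group2-phase2"
        set phase1name "vpn-group2-int"
        set proposal 3des-sha1 aes128-sha1
        set dhgrp 2
        set dst-subnet 10.100.0.0/24
    next
end

# Policy: traffic arriving on vpn-group2-int may reach only the group-2
# resources. Policy id 3 and the address group name are assumptions.
config firewall policy
    edit 3
        set srcintf "vpn-group2-int"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "Resource-Addrgroup-2"
        set action accept
        set schedule "always"
        set service "ANY"
        set logtraffic enable
        set nat enable
    next
end
```

Each group therefore has a distinct tunnel interface, user group, IP pool and pre-shared key, and a policy whose srcintf is that interface. When reviewing such a configuration, check that no policy uses a broader srcintf or a dstaddr of "all" for these tunnel interfaces, since that would let a client of one group reach the other group's resources.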
Cisco VPN Configuration
The Cisco VPN clients in question include the built-in VPN clients on the iPhone, iPad and Android. Use the built-in VPN client (or, for Android, download the Cisco VPN client from the App Market). Set the IP address (or DNS name), pre-shared key and group name appropriately for the group.
Limitations
A user who belongs to more than one group cannot reach the resources of both groups through a single VPN configuration. Such a user must use one VPN configuration (peer ID and pre-shared key) to connect to one set of resources, and another VPN configuration to connect to the other set.
Debugging
As with the standard IPsec VPN, running "diag debug app ike -1" provides detailed information on the IPsec VPN negotiation, including which phase1 and phase2 configurations are being negotiated.
Related Articles
Technical Note : Setup a dialup IPSec VPN between Cisco Unity client and FortiGate