Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Matt__
New Contributor

Dialup IPSec with DHCP relay

After many hours of trying to get this to work, I've got it working. Can anyone tell me any other settings I should be changing (NAT on or off on rules?) and why I can't log into the fortigate admin interface via the VPN connection.

 

I'll run down how I got it working.

Fortigate running 5.2.10

Internal subnet 192.168.50.0/24

Internal DNS & DHCP server 192.168.50.11

VPN subnet 192.168.70.0/24

 

Set up the 192.168.70.0/24 subnet on the Windows DHCP server (192.168.50.11) and set option 003 (router) to 192.168.70.1. All other IP config values should also be set, either manually in this subnet or from a global option, e.g. DNS servers, suffix name.

 

On the FortiGate, create a User & Device group for VPN auth users, then create users and add them to this group.

In the FortiGate, create a new custom tunnel >

[ul]
  • Network
    • Remote gateway - Dialup user
    • Interface - wan
    • Uncheck "Mode Config"
    • NAT Traversal checked
    • Keepalive 10
    • Dead Peer Detection checked
  • Auth
    • Pre-shared key
    • IKE Version 1
    • Mode aggressive
    • Accept any peer ID
  • Phase 1
    • AES128 - SHA256 & AES256 - SHA256 (delete the others)
    • DH Group only 14 checked
    • Key lifetime 86400
  • XAuth
    • Autoserver
    • Add created user group
  • Phase 2
    • leave Local and Remote as 0.0.0.0 / 0.0.0.0
    • AES128 - SHA1 & AES256 - SHA1 (delete the others)
    • Enable replay detection checked
    • Enable PFS checked
    • DH Group - only 14 checked
    • Local port, remote port, protocol checked
    • Autokey keep alive unchecked
    • Key lifetime 43200 seconds[/ul]

     

    In Policy objects create the VPN subnet 192.168.70.0/24 on any interface, (should already have the local subnet on there too)

    Create two policy rules >

    [ul]
  • local interface : local subnet > newly created VPN interface : VPN subnet, ALL TRAFFIC, NAT DISABLED(?)
  • newly created VPN interface : VPN subnet > local interface : local subnet, ALL TRAFFIC, NAT DISABLED(?)[/ul]

     

Open the CLI and run:

    config vpn ipsec phase2-interface
        edit "newly created VPN interface name"
            set dhcp-ipsec enable
        next
    end

     

    Go to System Interfaces, edit new interface VPN tunnel

    Set IP and remote IP as 192.168.70.1

    Uncheck all Administrative Access options

    Enable DHCP

    Advanced - Set to Relay, DHCP server 192.168.50.11, Type IPSec

     

    Install Forticlient VPN on offsite computer

    Add connection

[ul]
  • Remote Gateway = wan IP
  • Preshared key = key entered earlier
  • Advanced Settings - VPN Settings
    • Mode Aggressive
    • Options - DHCP over IPSec
    • Enable IPv4 split tunnel
    • Remove options in there already
    • Add 192.168.50.0 / 255.255.255.0
  • Advanced Settings - Phase 1
    • IKE Proposals AES128 - SHA256 & AES256 - SHA256
    • DH Group only check 14
    • Dead peer detection checked
    • NAT traversal checked
  • Advanced Settings - Phase 2
    • IKE Proposals AES128 - SHA1 & AES256 - SHA1
    • Enable replay detection checked
    • Enable PFS checked
    • DH Group set to 14[/ul]

     

So that's what I've done to successfully get an offsite computer to connect to internal DHCP. As said above, I'm not really sure on the NAT settings for the policy rules, and I can't access the FortiGate web access from a remote computer. The FortiGate is on 192.168.50.1, and the policies are allowing all traffic to and from 50.0 and 70.0, but this is still blocked. I've checked HTTPS on Administrative Access on the 192.168.70.1 VPN tunnel interface but still can't log in to web access, either via 192.168.50.1 or 192.168.70.1.
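For reference, the same setup expressed as a FortiOS CLI script. This is an added example, not the original poster's configuration: the object names (tunnel "DIALUP-DHCP", ports "wan1" and "internal", user group "VPN-Users", address objects "LAN-Subnet" and "VPN-Subnet") are assumed, the PSK is a placeholder, and the keyword names follow the 5.2-era CLI from memory, so confirm each with `?` on the unit before relying on it.

```text
config vpn ipsec phase1-interface
    edit "DIALUP-DHCP"
        set type dynamic                  # Remote gateway: Dialup user
        set interface "wan1"
        set mode aggressive
        set peertype any                  # Accept any peer ID
        set mode-cfg disable              # "Mode Config" unchecked; DHCP over IPsec instead
        set proposal aes128-sha256 aes256-sha256
        set dhgrp 14
        set nattraversal enable
        set keepalive 10
        set dpd enable
        set xauthtype auto                # XAuth: Autoserver
        set authusrgrp "VPN-Users"
        set psksecret <PSK-PLACEHOLDER>   # placeholder, not a real key
    next
end
config vpn ipsec phase2-interface
    edit "DIALUP-DHCP"
        set phase1name "DIALUP-DHCP"
        set proposal aes128-sha1 aes256-sha1
        set pfs enable
        set dhgrp 14
        set replay enable
        set dhcp-ipsec enable             # the CLI-only step from the post
        set keylifeseconds 43200
    next
end
config system interface
    edit "DIALUP-DHCP"
        set ip 192.168.70.1 255.255.255.255
        set remote-ip 192.168.70.1
        set dhcp-relay-service enable     # relay client DHCP to the Windows server
        set dhcp-relay-ip "192.168.50.11"
        set dhcp-relay-type ipsec
    next
end
config firewall policy
    edit 0                                # VPN -> LAN; mirror it for LAN -> VPN
        set srcintf "DIALUP-DHCP"
        set dstintf "internal"
        set srcaddr "VPN-Subnet"
        set dstaddr "LAN-Subnet"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable                   # the VPN subnet is routed, so no source NAT is needed
    next
end
```

The trailing `#` annotations are for reading only; strip them before pasting into the CLI.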

    Toshi_Esumi
    Esteemed Contributor II

    If you can ping the admin access interface IP when the VPN is up, port conflict with SSL VPN (default 443) is likely the problem. You need to change either of them to something else. I saw the same case in a different thread.