[Vpn-help] Fortigate Commercial IPSec Gateway

Noach Sumner nsumner at compu-skill.com
Mon Dec 10 00:51:28 CST 2007


I am using a Fortigate 200A and very much wanted to get the VPN Client
working with my Fortigate unit. I therefore tried setting up the client and
had no luck. However Matthew was happy to help me and I now have a working
config. I then went and tried playing with as many settings as I could to
see what works and what doesn't.

It seems to me the vast majority of options work (as long as you can set it
on BOTH the Fortigate and the Client). Every encryption and authentication
option I saw on both worked for example. It seems setting anything to Auto
is the wrong way to go as this doesn't seem to work for any settings.
Therefore the best advice I can give is wherever possible set the setting
and don't select auto.

I found 2 options that DO NOT WORK!

I have NAT Traversal set on the Fortigate but if I enable it on the client
I cannot get it to connect at all.
In addition using MAIN ID (phase1) does not appear to work at all.

I will of course be glad to be corrected but this is how it appears to me.

On 12/1/07, Matthew Grooms <mgrooms at shrew.net> wrote:
>
> All,
>
> You will have to forgive my limited knowledge of the Fortigate product
> line as a used Fortigate 50a was the only model I could afford to
> purchase for testing. I also know very little about L2TP over IPsec as
> this transport is not supported by the Shrew Soft VPN client. What is
> supported is standards based IPsec connectivity which works quite well
> with the model in my test lab. I will do my best to pass on what
> information I know regarding the configuration :)
>
> The Fortigate 50a ( and I assume all bigger/later models ) supports auto
> configuration of the client via DHCP over IPsec. This mechanism is new
> to the 2.1.0 client code base and was implemented specifically to
> support Fortigate products. This is easy enough to do with the 50a by
> following the procedures outlined in this document ...
>
>
> http://docs.forticare.com/fgt/techdocs/FortiGate_IPSec_VPN_User_Guide_01-30005-0065-20070716.pdf
>
> Pay close attention to the following sections ...
>
> FortiClient dialup-client configurations
>    \Configuration Overview
>     \Using virtual IP addresses
>    \FortiClient dialup-client configuration example
>     \Configuring FortiGate_1
>      \Configure FortiGate_1 to assign VIPs
>
> Phase 2 parameters
>    \Advanced phase 2 settings
>     \DHCP-IPSec
>
> The basic idea is that you set up your phase2 advanced settings to allow
> the client to request a DHCP address over the IPsec Connection. An
> external DHCP server needs to be created that assigns the client a
> dynamic address to be used by the virtual adapter. Be sure to set up the
> DHCP pool for a network that does not exist behind the fortigate or you
> will have policy conflicts. Here is what my DHCP pool looks like for
> reference ...
>
> Name - vpnclient_dhcp
> Enable - checked
> Type - IPSEC
> IP Range - x.x.x.2 - x.x.x.254 ( dhcp pool network used by clients )
> Network Mask - 255.255.255.0
> Default Gateway - [ IP Address of fortigate internal interface ]
> Domain - shrew.net
> Lease Time - 5 minutes ( or whatever you deem appropriate )
>
> You then create a policy to allow the client to establish a temporary
> IPsec SA. This is used to support a DHCP conversation that takes place
> between the client public adapter and the Fortigate public interface.
> Please note that all Fortigate IPsec policies are defined as LOCAL ->
> REMOTE. Here is what mine looks like for reference ...
>
> Source Interface/Zone - external
> Source Address - [ IP Address of fortigate external interface ]
> Destination Interface/Zone - external
> Destination Address - [ Any 0.0.0.0/0.0.0.0 ]
> Schedule = always
> Service = DHCP ( limit to only DHCP )
> Action = IPSEC
>
> VPN Tunnel - [ phase1 name used by dialup group ]
> Allow inbound - checked
> Allow outbound - checked
> Inbound NAT - unchecked
> Outbound NAT - unchecked
>
> Eventually, you will need one or more policies that allow clients to
> establish IPsec SAs for communicating with private networks. Here is
> what mine looks like for reference ...
>
> Source Interface/Zone - internal
> Source Address - [ private network behind the gateway ]
> Destination Interface/Zone - external
> Destination Address - x.x.x.0/24 ( dhcp pool network used by clients )
> Schedule = always
> Service = ANY ( or whatever you deem appropriate )
> Action = IPSEC
>
> VPN Tunnel - [ phase1 name used by dialup group ]
> Allow inbound - checked
> Allow outbound - checked
> Inbound NAT - unchecked
> Outbound NAT - unchecked
>
> The only other configuration required is to set up phase1 and phase2
> under Auto IKE but you already have this squared away. The only thing to
> remember is that the phase2 DHCP-IPsec option needs to be checked which
> allows IPsec protected DHCP requests to be inspected by the dhcp server
> on the external interface.
>
> To test client connectivity, you will need to use the VPN Client 2.1.0
> alpha build or later. Please remember to change your Site Configuration
> Auto configuration option to "dhcp over ipsec" under the General tab.
> That should be it.
>
> The Fortigate documentation link shown above is compliments of Harondel
> J. Sibble. His knowledge of the Fortigate platform dwarfs my own. We can
> only hope that if any information included in this email is botched, he
> will jump in and set us straight :)
>
> Hope this helps,
>
> -Matthew
> _______________________________________________
> vpn-help mailing list
> vpn-help at lists.shrew.net
> http://lists.shrew.net/mailman/listinfo/vpn-help
>
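The quoted mail lists the DHCP pool and the two IPsec policies as GUI fields, and the reply above adds which client settings did not work. The script below is an added example (not from the thread, the Shrew Soft client or Fortinet) that encodes those points as checks over a constructed description of such a configuration; the dictionary layout, field names and sample addresses are assumptions chosen to mirror the fields named in the mail.

```python
"""Sanity checks for the Fortigate DHCP-over-IPsec client setup described in the thread.
Constructed example; field names and sample values are assumptions, not Fortinet's."""
import ipaddress

# Constructed sample: one DHCP pool, the two IPsec policies and the client settings.
# The pool deliberately overlaps the internal network to trigger a finding.
SAMPLE = {
    "internal_networks": ["192.168.10.0/24"],                      # behind the gateway
    "dhcp_pool": {"type": "IPSEC", "network": "192.168.10.0/24"},  # overlapping on purpose
    "policies": [
        {"src_zone": "external", "dst_zone": "external", "service": "DHCP",
         "action": "IPSEC", "inbound_nat": False, "outbound_nat": False},
        {"src_zone": "internal", "dst_zone": "external", "service": "ANY",
         "action": "IPSEC", "inbound_nat": False, "outbound_nat": True},
    ],
    "client": {"auto_config": "dhcp over ipsec", "nat_traversal": "enable",
               "phase1_encryption": "auto"},
}

def check_config(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    pool = ipaddress.ip_network(cfg["dhcp_pool"]["network"], strict=False)
    # The mail warns that a pool overlapping a real internal network causes policy conflicts.
    for net in cfg["internal_networks"]:
        if pool.overlaps(ipaddress.ip_network(net, strict=False)):
            findings.append(f"dhcp pool {pool} overlaps internal network {net}")
    if cfg["dhcp_pool"]["type"] != "IPSEC":
        findings.append("dhcp pool type must be IPSEC")
    # The DHCP exchange runs external -> external inside a temporary SA, limited to DHCP.
    dhcp_policies = [p for p in cfg["policies"]
                     if p["src_zone"] == "external" and p["dst_zone"] == "external"]
    if not dhcp_policies:
        findings.append("no external->external policy for the IPsec-protected DHCP exchange")
    for p in dhcp_policies:
        if p["service"] != "DHCP":
            findings.append("external->external policy should be limited to DHCP")
    for p in cfg["policies"]:
        if p["action"] != "IPSEC":
            findings.append(f"policy {p['src_zone']}->{p['dst_zone']} action is not IPSEC")
        if p["inbound_nat"] or p["outbound_nat"]:
            findings.append(f"policy {p['src_zone']}->{p['dst_zone']} has NAT enabled")
    cl = cfg["client"]
    if cl["auto_config"] != "dhcp over ipsec":
        findings.append("client auto configuration must be 'dhcp over ipsec'")
    # Observations from the reply: 'auto' settings and client-side NAT-T did not connect.
    for key, value in cl.items():
        if value == "auto":
            findings.append(f"client setting {key} is 'auto'; set it explicitly")
    if cl["nat_traversal"] == "enable":
        findings.append("client NAT traversal enabled; thread reports this fails to connect")
    return findings
```

Running `check_config(SAMPLE)` reports the overlapping pool, the NAT-enabled policy, the 'auto' cipher and the client NAT-T setting; fixing those four fields yields an empty list.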

