[Vpn-help] Fortigate Commercial IPSec Gateway
Matthew Grooms
mgrooms at shrew.net
Fri Nov 30 18:06:23 CST 2007
All,
You will have to forgive my limited knowledge of the Fortigate product
line as a used Fortigate 50a was the only model I could afford to
purchase for testing. I also know very little about L2TP over IPsec as
this transport is not supported by the Shrew Soft VPN client. What is
supported is standards based IPsec connectivity which works quite well
with the model in my test lab. I will do my best to pass on what
information I know regarding the configuration :)
The Fortigate 50a ( and I assume all bigger/later models ) supports auto
configuration of the client via DHCP over IPsec. This mechanism is new
to the 2.1.0 client code base and was implemented specifically to
support Fortigate products. This is easy enough to do with the 50a by
following the procedures outlined in this document ...
http://docs.forticare.com/fgt/techdocs/FortiGate_IPSec_VPN_User_Guide_01-30005-0065-20070716.pdf
Pay close attention to the following sections ...
FortiClient dialup-client configurations
\Configuration Overview
\Using virtual IP addresses
\FortiClient dialup-client configuration example
\Configuring FortiGate_1
\Configure FortiGate_1 to assign VIPs
Phase 2 parameters
\Advanced phase 2 settings
\DHCP-IPSec
The basic idea is that you set up your phase2 advanced settings to allow
the client to request a DHCP address over the IPsec connection. An
external DHCP server needs to be created that assigns the client a
dynamic address to be used by the virtual adapter. Be sure to set up the
DHCP pool for a network that does not exist behind the fortigate or you
will have policy conflicts. Here is what my DHCP pool looks like for
reference ...
Name - vpnclient_dhcp
Enable - checked
Type - IPSEC
IP Range - x.x.x.2 - x.x.x.254 ( dhcp pool network used by clients )
Network Mask - 255.255.255.0
Default Gateway - [ IP Address of fortigate internal interface ]
Domain - shrew.net
Lease Time - 5 minutes ( or whatever you deem appropriate )
You then create a policy to allow the client to establish a temporary
IPsec SA. This is used to support a DHCP conversation that takes place
between the client public adapter and the Fortigate public interface.
Please note that all Fortigate IPsec policies are defined as LOCAL ->
REMOTE. Here is what mine looks like for reference ...
Source Interface/Zone - external
Source Address - [ IP Address of fortigate external interface ]
Destination Interface/Zone - external
Destination Address - [ Any 0.0.0.0/0.0.0.0 ]
Schedule - always
Service - DHCP ( limit to only DHCP )
Action - IPSEC
VPN Tunnel - [ phase1 name used by dialup group ]
Allow inbound - checked
Allow outbound - checked
Inbound NAT - unchecked
Outbound NAT - unchecked
Eventually, you will need one or more policies that allow clients to
establish IPsec SAs for communicating with private networks. Here is
what mine looks like for reference ...
Source Interface/Zone - internal
Source Address - [ private network behind the gateway ]
Destination Interface/Zone - external
Destination Address - x.x.x.0/24 ( dhcp pool network used by clients )
Schedule - always
Service - ANY ( or whatever you deem appropriate )
Action - IPSEC
VPN Tunnel - [ phase1 name used by dialup group ]
Allow inbound - checked
Allow outbound - checked
Inbound NAT - unchecked
Outbound NAT - unchecked
The only other configuration required is to set up phase1 and phase2
under Auto IKE but you already have this squared away. The only thing to
remember is that the phase2 DHCP-IPsec option needs to be checked which
allows IPsec protected DHCP requests to be inspected by the dhcp server
on the external interface.
To test client connectivity, you will need to use the VPN Client 2.1.0
alpha build or later. Please remember to change your Site Configuration
Auto configuration option to "dhcp over ipsec" under the General tab.
That should be it.
The Fortigate documentation link shown above is compliments of Harondel
J. Sibble. His knowledge of the Fortigate platform dwarfs my own. We can
only hope that if any information included in this email is botched, he
will jump in and set us straight :)
Hope this helps,
-Matthew
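The same DHCP pool, phase2 option and two policies expressed as a FortiOS CLI script, as an added example that is not part of Matthew's message (he walked through the GUI dialogs). This is my reconstruction from the FortiOS 3.0-era CLI, not Fortinet's or Shrew Soft's own text; the interface names (external, internal), the address object names, the phase1 name dialup_p1, the gateway's public address 203.0.113.10, the client pool 10.254.1.0/24 and the internal LAN 192.168.1.0/24 are all assumptions, and the exact keywords should be checked against the CLI reference for the firmware actually installed on the unit.

```text
# Added example, not from the original post: FortiOS 3.0-style CLI
# equivalent of the GUI settings described in the message.
# Interface names, object names and addresses are assumptions.

# DHCP pool handed to clients over IPsec. The pool network (10.254.1.0/24)
# must not exist behind the FortiGate, or the policies below will conflict.
config system dhcp server
    edit "vpnclient_dhcp"
        set type ipsec
        set interface "external"
        set ip-range 10.254.1.2 10.254.1.254
        set netmask 255.255.255.0
        set default-gateway 192.168.1.99
        set domain "shrew.net"
        set lease-time 300
    next
end

# Address objects referenced by the two policies.
config firewall address
    edit "fgt_external_ip"
        set subnet 203.0.113.10 255.255.255.255
    next
    edit "vpnclient_pool"
        set subnet 10.254.1.0 255.255.255.0
    next
    edit "internal_lan"
        set subnet 192.168.1.0 255.255.255.0
    next
end

# Phase 2: allow the IPsec-protected DHCP request to reach the DHCP
# server on the external interface (the GUI's "DHCP-IPSec" checkbox).
config vpn ipsec phase2
    edit "dialup_p2"
        set phase1name "dialup_p1"
        set dhcp-ipsec enable
    next
end

config firewall policy
    # Policy 1 (LOCAL -> REMOTE): temporary SA for the DHCP exchange only,
    # so the service is restricted to DHCP.
    edit 1
        set srcintf "external"
        set srcaddr "fgt_external_ip"
        set dstintf "external"
        set dstaddr "all"
        set schedule "always"
        set service "DHCP"
        set action ipsec
        set vpntunnel "dialup_p1"
        set inbound enable
        set outbound enable
        set natinbound disable
        set natoutbound disable
    next
    # Policy 2: private LAN <-> client pool once the client holds a lease.
    edit 2
        set srcintf "internal"
        set srcaddr "internal_lan"
        set dstintf "external"
        set dstaddr "vpnclient_pool"
        set schedule "always"
        set service "ANY"
        set action ipsec
        set vpntunnel "dialup_p1"
        set inbound enable
        set outbound enable
        set natinbound disable
        set natoutbound disable
    next
end
```

The two policies are deliberately separate: the first only carries the DHCP conversation between the client's public adapter and the gateway's public interface, while the second carries the real traffic between the assigned pool address and the LAN. Keeping the pool on its own network, distinct from anything routed behind the gateway, is what keeps the second policy from overlapping an existing one.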