[Vpn-help] Fortigate Commercial IPSec Gateway

Matthew Grooms mgrooms at shrew.net
Fri Nov 30 18:06:23 CST 2007


All,

You will have to forgive my limited knowledge of the Fortigate product 
line as a used Fortigate 50a was the only model I could afford to 
purchase for testing. I also know very little about L2TP over IPsec as 
this transport is not supported by the Shrew Soft VPN client. What is 
supported is standards based IPsec connectivity which works quite well 
with the model in my test lab. I will do my best to pass on what 
information I know regarding the configuration :)

The Fortigate 50a ( and I assume all bigger/later models ) support auto 
configuration of the client via DHCP over IPsec. This mechanism is new 
to the 2.1.0 client code base and was implemented specifically to 
support Fortigate products. This is easy enough to do with the 50a by 
following the procedures outlined in this document ...

http://docs.forticare.com/fgt/techdocs/FortiGate_IPSec_VPN_User_Guide_01-30005-0065-20070716.pdf

Pay close attention to the following sections ...

FortiClient dialup-client configurations
   \Configuration Overview
    \Using virtual IP addresses
   \FortiClient dialup-client configuration example
    \Configuring FortiGate_1
     \Configure FortiGate_1 to assign VIPs

Phase 2 parameters
   \Advanced phase 2 settings
    \DHCP-IPSec

The basic idea is that you setup your phase2 advanced settings to allow 
the client to request a DHCP address over the IPsec connection. An 
external DHCP server needs to be created that assigns the client a 
dynamic address to be used by the virtual adapter. Be sure to setup the 
DHCP pool for a network that does not exist behind the fortigate or you 
will have policy conflicts. Here is what my DHCP pool looks like for
reference ...

Name - vpnclient_dhcp
Enable - checked
Type - IPSEC
IP Range - x.x.x.2 - x.x.x.254 ( dhcp pool network used by clients )
Network Mask - 255.255.255.0
Default Gateway - [ IP Address of fortigate internal interface ]
Domain - shrew.net
Lease Time - 5 minutes ( or whatever you deem appropriate )

You then create a policy to allow the client to establish a temporary 
IPsec SA. This is used to support a DHCP conversation that takes place 
between the client public adapter and the Fortigate public interface. 
Please note that all Fortigate IPsec policies are defined as LOCAL -> 
REMOTE. Here is what mine looks like for reference ...

Source Interface/Zone - external
Source Address - [ IP Address of fortigate external interface ]
Destination Interface/Zone - external
Destination Address - [ Any 0.0.0.0/0.0.0.0 ]
Schedule - always
Service - DHCP ( limit to only DHCP )
Action - IPSEC

VPN Tunnel - [ phase1 name used by dialup group ]
Allow inbound - checked
Allow outbound - checked
Inbound NAT - unchecked
Outbound NAT - unchecked

Eventually, you will need one or more policies that allow clients to 
establish IPsec SAs for communicating with private networks. Here is 
what mine looks like for reference ...

Source Interface/Zone - internal
Source Address - [ private network behind the gateway ]
Destination Interface/Zone - external
Destination Address - x.x.x.0/24 ( dhcp pool network used by clients )
Schedule - always
Service - ANY ( or whatever you deem appropriate )
Action - IPSEC

VPN Tunnel - [ phase1 name used by dialup group ]
Allow inbound - checked
Allow outbound - checked
Inbound NAT - unchecked
Outbound NAT - unchecked

The only other configuration required is to setup phase1 and phase2 
under Auto IKE but you already have this squared away. The only thing to 
remember is that the phase2 DHCP-IPsec option needs to be checked which 
allows IPsec protected DHCP requests to be inspected by the dhcp server 
on the external interface.

To test client connectivity, you will need to use the VPN Client 2.1.0 
alpha build or later. Please remember to change your Site Configuration 
Auto configuration option to "dhcp over ipsec" under the General tab. 
That should be it.

The Fortigate documentation link shown above is compliments of Harondel 
J. Sibble. His knowledge of the Fortigate platform dwarfs my own. We can 
only hope that if any information included in this email is botched, he 
will jump in and set us straight :)

Hope this helps,

-Matthew
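The layout above (DHCP pool on a network that does not exist behind the gateway, a DHCP-only external -> external policy for the temporary SA, and an internal -> external policy for the data SAs, all with NAT unchecked) is easy to get subtly wrong in the GUI. The following is an added example, not code from the post or a FortiGate tool: it models the pool and the two policies as plain data and flags the mistakes the message warns about. The interface names, the documentation-range addresses (203.0.113.1, 192.168.1.0/24, 10.99.0.0/24) and the policy field names are constructed for the example.

```python
"""Lint a FortiGate DHCP-over-IPsec layout as described in the post.

Constructed example: models the DHCP pool and the two IPSEC policies as
data and reports the pitfalls the message calls out (pool overlapping a
network behind the gateway, DHCP policy not limited to DHCP, NAT enabled).
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class DhcpPool:
    name: str
    range_start: str
    range_end: str
    netmask: str
    default_gateway: str   # address of the FortiGate internal interface
    pool_type: str = "IPSEC"


@dataclass
class Policy:
    src_intf: str
    src_addr: str          # "a.b.c.d", "a.b.c.d/n" or "a.b.c.d/m.m.m.m"
    dst_intf: str
    dst_addr: str
    service: str
    action: str = "IPSEC"
    inbound_nat: bool = False
    outbound_nat: bool = False


def _net(text: str) -> ipaddress.IPv4Network:
    """Parse a host or network string (CIDR or dotted mask) into a network."""
    return ipaddress.IPv4Network(text, strict=False)


def pool_network(pool: DhcpPool) -> ipaddress.IPv4Network:
    """Derive the pool's network from its first address and mask."""
    return ipaddress.IPv4Network((pool.range_start, pool.netmask), strict=False)


def _common(policy: Policy, label: str) -> List[str]:
    """Checks shared by both IPSEC policies: action and NAT flags."""
    f = []
    if policy.action.upper() != "IPSEC":
        f.append(f"{label}: Action must be IPSEC, got {policy.action}")
    if policy.inbound_nat or policy.outbound_nat:
        f.append(f"{label}: Inbound/Outbound NAT must be unchecked")
    return f


def check_pool(pool: DhcpPool, internal_nets: List[str]) -> List[str]:
    """The pool must be a network that does NOT exist behind the gateway."""
    f = []
    net = pool_network(pool)
    if pool.pool_type.upper() != "IPSEC":
        f.append(f"pool {pool.name}: Type must be IPSEC, got {pool.pool_type}")
    start = ipaddress.IPv4Address(pool.range_start)
    end = ipaddress.IPv4Address(pool.range_end)
    if not (start in net and end in net and start < end):
        f.append(f"pool {pool.name}: range {start}-{end} does not fit in {net}")
    for internal in internal_nets:
        if net.overlaps(_net(internal)):
            f.append(f"pool {pool.name}: {net} overlaps internal network "
                     f"{internal} (policy conflict)")
    gw = ipaddress.IPv4Address(pool.default_gateway)
    if not any(gw in _net(i) for i in internal_nets):
        f.append(f"pool {pool.name}: default gateway {gw} is not on an internal network")
    return f


def check_dhcp_policy(policy: Policy, external_ip: str) -> List[str]:
    """Temporary-SA policy: external -> external, gateway address -> any, DHCP only."""
    f = _common(policy, "dhcp policy")
    if policy.src_intf != "external" or policy.dst_intf != "external":
        f.append("dhcp policy: source and destination interface must both be external")
    if _net(policy.src_addr) != _net(external_ip):
        f.append(f"dhcp policy: source must be the external interface address {external_ip}")
    if _net(policy.dst_addr) != _net("0.0.0.0/0"):
        f.append("dhcp policy: destination must be any (0.0.0.0/0.0.0.0)")
    if policy.service.upper() != "DHCP":
        f.append(f"dhcp policy: service must be limited to DHCP, got {policy.service}")
    return f


def check_private_policy(policy: Policy, pool: DhcpPool, internal_nets: List[str]) -> List[str]:
    """Data policy: internal -> external, private network -> DHCP pool network."""
    f = _common(policy, "private policy")
    if policy.src_intf != "internal" or policy.dst_intf != "external":
        f.append("private policy: must be internal -> external")
    if _net(policy.src_addr) not in {_net(i) for i in internal_nets}:
        f.append(f"private policy: source {policy.src_addr} is not a network behind the gateway")
    if _net(policy.dst_addr) != pool_network(pool):
        f.append(f"private policy: destination must be the pool network {pool_network(pool)}")
    return f


def lint(pool, dhcp_policy, private_policy, external_ip, internal_nets) -> List[str]:
    """Run all checks; an empty list means the layout matches the post."""
    return (check_pool(pool, internal_nets)
            + check_dhcp_policy(dhcp_policy, external_ip)
            + check_private_policy(private_policy, pool, internal_nets))


# Constructed sample values (documentation ranges), mirroring the post's layout.
INTERNAL_NETS = ["192.168.1.0/24"]
EXTERNAL_IP = "203.0.113.1"
GOOD_POOL = DhcpPool("vpnclient_dhcp", "10.99.0.2", "10.99.0.254", "255.255.255.0", "192.168.1.1")
GOOD_DHCP = Policy("external", EXTERNAL_IP, "external", "0.0.0.0/0.0.0.0", "DHCP")
GOOD_PRIV = Policy("internal", "192.168.1.0/24", "external", "10.99.0.0/24", "ANY")

# Same layout with mistakes: pool on the internal LAN, DHCP policy open to ANY with NAT on.
BAD_POOL = DhcpPool("vpnclient_dhcp", "192.168.1.2", "192.168.1.254", "255.255.255.0", "192.168.1.1")
BAD_DHCP = Policy("external", EXTERNAL_IP, "external", "0.0.0.0/0.0.0.0", "ANY", outbound_nat=True)

if __name__ == "__main__":
    for label, cfg in (("good", (GOOD_POOL, GOOD_DHCP, GOOD_PRIV)),
                       ("bad", (BAD_POOL, BAD_DHCP, GOOD_PRIV))):
        print(label, lint(*cfg, EXTERNAL_IP, INTERNAL_NETS) or ["ok"])
```

The overlap check is the one that matters most: a pool that lands on a LAN subnet makes the internal -> external policy's source and destination collide, which is the "policy conflicts" the post refers to.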


