[Vpn-help] Fortigate Commercial IPSec Gateway

Noach Sumner nsumner at compu-skill.com
Wed Feb 6 14:26:04 CST 2008


Matthew, this was working wonderfully (okay the occasional hiccup but
relatively well) until today when we upgraded the firmware on our Fortinet
to MR6. At this point I can no longer connect. Could you possibly take a
look again :-(

On 12/1/07, Matthew Grooms <mgrooms at shrew.net> wrote:
>
> All,
>
> You will have to forgive my limited knowledge of the Fortigate product
> line as a used Fortigate 50a was the only model I could afford to
> purchase for testing. I also know very little about L2TP over IPsec as
> this transport is not supported by the Shrew Soft VPN client. What is
> supported is standards based IPsec connectivity which works quite well
> with the model in my test lab. I will do my best to pass on what
> information I know regarding the configuration :)
>
> The Fortigate 50a ( and I assume all bigger/later models ) support auto
> configuration of the client via DHCP over IPsec. This mechanism is new
> to the 2.1.0 client code base and was implemented specifically to
> support Fortigate products. This is easy enough to do with the 50a by
> following the procedures outlined in this document ...
>
>
> http://docs.forticare.com/fgt/techdocs/FortiGate_IPSec_VPN_User_Guide_01-30005-0065-20070716.pdf
>
> Pay close attention to the following sections ...
>
> FortiClient dialup-client configurations
>    \Configuration Overview
>     \Using virtual IP addresses
>    \FortiClient dialup-client configuration example
>     \Configuring FortiGate_1
>      \Configure FortiGate_1 to assign VIPs
>
> Phase 2 parameters
>    \Advanced phase 2 settings
>     \DHCP-IPSec
>
> The basic idea is that you set up your phase2 advanced settings to allow
> the client to request a DHCP address over the IPsec Connection. An
> external DHCP server needs to be created that assigns the client a
> dynamic address to be used by the virtual adapter. Be sure to set up the
> DHCP pool for a network that does not exist behind the fortigate or you
> will have policy conflicts. Here is what my DHCP pool looks like for
> reference ...
>
> Name - vpnclient_dhcp
> Enable - checked
> Type - IPSEC
> IP Range - x.x.x.2 - x.x.x.254 ( dhcp pool network used by clients )
> Network Mask - 255.255.255.0
> Default Gateway - [ IP Address of fortigate internal interface ]
> Domain - shrew.net
> Lease Time - 5 minutes ( or whatever you deem appropriate )
>
> You then create a policy to allow the client to establish a temporary
> IPsec SA. This is used to support a DHCP conversation that takes place
> between the client public adapter and the Fortigate public interface.
> Please note that all Fortigate IPsec policies are defined as LOCAL ->
> REMOTE. Here is what mine looks like for reference ...
>
> Source Interface/Zone - external
> Source Address - [ IP Address of fortigate external interface ]
> Destination Interface/Zone - external
> Destination Address - [ Any 0.0.0.0/0.0.0.0 ]
> Schedule = always
> Service = DHCP ( limit to only DHCP )
> Action = IPSEC
>
> VPN Tunnel - [ phase1 name used by dialup group ]
> Allow inbound - checked
> Allow outbound - checked
> Inbound NAT - unchecked
> Outbound NAT - unchecked
>
> Eventually, you will need one or more policies that allow clients to
> establish IPsec SAs for communicating with private networks. Here is
> what mine looks like for reference ...
>
> Source Interface/Zone - internal
> Source Address - [ private network behind the gateway ]
> Destination Interface/Zone - external
> Destination Address - x.x.x.0/24 ( dhcp pool network used by clients )
> Schedule = always
> Service = ANY ( or whatever you deem appropriate )
> Action = IPSEC
>
> VPN Tunnel - [ phase1 name used by dialup group ]
> Allow inbound - checked
> Allow outbound - checked
> Inbound NAT - unchecked
> Outbound NAT - unchecked
>
> The only other configuration required is to set up phase1 and phase2
> under Auto IKE but you already have this squared away. The only thing to
> remember is that the phase2 DHCP-IPsec option needs to be checked which
> allows IPsec protected DHCP requests to be inspected by the dhcp server
> on the external interface.
>
> To test client connectivity, you will need to use the VPN Client 2.1.0
> alpha build or later. Please remember to change your Site Configuration
> Auto configuration option to "dhcp over ipsec" under the General tab.
> That should be it.
>
> The Fortigate documentation link shown above is compliments of Harondel
> J. Sibble. His knowledge of the Fortigate platform dwarfs my own. We can
> only hope that if any information included in this email is botched, he
> will jump in and set us straight :)
>
> Hope this helps,
>
> -Matthew
> _______________________________________________
> vpn-help mailing list
> vpn-help at lists.shrew.net
> http://lists.shrew.net/mailman/listinfo/vpn-help
>
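The quoted post spells out three constraints that are easy to get wrong when reproducing the setup: the DHCP pool must not overlap any network behind the gateway, the bootstrap policy must be external->external and limited to the DHCP service with NAT unchecked, and the client-traffic policy must point at exactly the pool network. The following checker is an added example, not code from the post or from Fortinet; the `Policy` model, the sample addresses and the policy names are made up for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Policy:
    """One Fortigate policy in LOCAL -> REMOTE form (hypothetical model)."""
    name: str
    src_intf: str
    src_addr: str
    dst_intf: str
    dst_addr: str
    service: str
    action: str
    inbound_nat: bool = False
    outbound_nat: bool = False

def check_dialup_config(pool_net, internal_nets, policies):
    """Return a list of findings; an empty list means the config matches the post."""
    findings = []
    pool = ipaddress.ip_network(pool_net)
    # The DHCP pool must be a network that does not exist behind the gateway.
    for n in internal_nets:
        if pool.overlaps(ipaddress.ip_network(n)):
            findings.append(f"pool {pool} overlaps internal network {n}")
    ipsec = [p for p in policies if p.action.upper() == "IPSEC"]
    # Bootstrap policy: external -> external, DHCP service only, no NAT.
    boot = [p for p in ipsec if p.src_intf == "external" and p.dst_intf == "external"]
    if not boot:
        findings.append("no external->external IPSEC policy for the DHCP exchange")
    for p in boot:
        if p.service.upper() != "DHCP":
            findings.append(f"{p.name}: service must be DHCP, not {p.service}")
        if p.inbound_nat or p.outbound_nat:
            findings.append(f"{p.name}: NAT must be unchecked")
    # Tunnel policies: internal -> external, destination is exactly the pool, no NAT.
    tun = [p for p in ipsec if p.src_intf == "internal" and p.dst_intf == "external"]
    if not tun:
        findings.append("no internal->external IPSEC policy for client traffic")
    for p in tun:
        if ipaddress.ip_network(p.dst_addr) != pool:
            findings.append(f"{p.name}: destination {p.dst_addr} is not the pool {pool}")
        if p.inbound_nat or p.outbound_nat:
            findings.append(f"{p.name}: NAT must be unchecked")
    return findings

# Constructed sample mirroring the two policies in the post (addresses are made up).
POOL = "10.99.0.0/24"
INTERNAL = ["192.168.1.0/24"]
GOOD = [
    Policy("dhcp-bootstrap", "external", "203.0.113.1/32", "external", "0.0.0.0/0", "DHCP", "IPSEC"),
    Policy("vpn-clients", "internal", "192.168.1.0/24", "external", "10.99.0.0/24", "ANY", "IPSEC"),
]
BAD = [Policy("dhcp-bootstrap", "external", "203.0.113.1/32", "external", "0.0.0.0/0", "ANY", "IPSEC", outbound_nat=True)]
```

Running `check_dialup_config(POOL, INTERNAL, GOOD)` returns an empty list, while the `BAD` set with a pool equal to the internal network reports the overlap, the over-broad service, the NAT setting and the missing client policy.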