Remote Access VPN with FortiGate client configuration.
Used Version: v4.0,build0521,120313 (MR3 Patch 6)
1. Add user.
In this example a simple local user is used, but as the list of user types and remote authentication servers shows, the FortiGate offers many possibilities.
myfirewall (root) # sh user
adgrp           FSSO groups
ban             configure banned IP addresses
fortitoken      configure FortiToken
fsso            FSSO agent configuration
group           user group configuation
ldap            LDAP server entry configuation
local           local user configuration
peer            config peer user
peergrp         config peer's user group
radius          radius server entry configuration
setting         set user authentication setting
sms-provider    configure SMS provider
tacacs+         TACACS+ server entry configuration
Configure a local user.
config user local
    edit "Testuser"
        set type password
        set passwd ENC hv2ySeh6FHck7qhv72pHvnSOVOHQWMllulMy824/8+n0cn9OdxcPvkOGQ7txjU7YNbmQLrCCIF3qspQucSdaM5KIQHACKsPndkC0K8146RohAY8p
    next
end
2. Add group.
Add the local user to a user group.
config user group
    edit "VPN-Group"
        set member "Testuser"
    next
end
3. Add VPN configuration.
config vpn ipsec phase1-interface
    edit "FClient"
        set type dynamic
        set interface "port1"
        set xauthtype auto
        set mode aggressive
        set mode-cfg enable
        set proposal 3des-sha1 aes128-sha1
        set authusrgrp "VPN-Group"
        set ipv4-start-ip 3.3.3.1
        set ipv4-end-ip 3.3.3.5
        set ipv4-netmask 255.255.255.0
        set dns-mode auto
        set ipv4-split-include "InternalNetwork"
        set psksecret ENC y7LkCPmimuXHJVhw4OgjIZGHFRXiBDVV1BBmRCVFuicaDO0cbfZSznbKo5BnUrqcbeeezKCZXl+/FItng8y30ELOrXjS6x588NzuzC/bhpd1CZ1a
    next
end
4. Define the firewall policy.
config firewall policy
    edit 1
        set srcintf "FClient"
        set dstintf "port3"
        set srcaddr "VPN-Addresses"
        set dstaddr "InternalNetwork"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 2
        set srcintf "port3"
        set dstintf "FClient"
        set srcaddr "InternalNetwork"
        set dstaddr "VPN-Addresses"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
5. Back route to the client VPN pool.
I would test if it is really required… normally the firewalls (Cisco and Checkpoint) know it without any explicit route.
config router static
    edit 1
        set device "port1"
        set gateway 10.200.1.254
    next
    edit 2
        set device "FClient"
        set dst 3.3.3.0 255.255.255.0
    next
end
6. Testing the RA VPN.
myfirewall (root) # diag vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=FClient_0 ver=1 serial=5 10.200.1.1:0->10.0.2.10:0 lgwy=static tun=intf mode=dial_inst bound_if=2
parent=FClient index=0
proxyid_num=1 child_num=0 refcnt=7 ilast=3 olast=3
stat: rxp=3 txp=0 rxb=336 txb=0
dpd: mode=active on=1 idle=5000ms retry=3 count=0 seqno=2
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=FClient proto=0 sa=1 ref=2 auto_negotiate=0 serial=1
  src: 0:0.0.0.0-255.255.255.255:0
  dst: 0:3.3.3.1-3.3.3.1:0
  SA: ref=3 options=00000006 type=00 soft=0 mtu=1280 expire=1773 replaywin=1024 seqno=1
  life: type=01 bytes=0/0 timeout=1791/1800
  dec: spi=18864eeb esp=3des key=24 3661edfbd464a09c33d5a360777cacd6e8a43ed9bc8f7a95 ah=sha1 key=20 e5554e5ade780793440fdd0ab74f1f12e00bab8e
  enc: spi=b3372b7b esp=3des key=24 01f2ea46025d33c548518b69bc8624816ad0315ae30f3e68 ah=sha1 key=20 411be79eb3de989523ddd9c1705c9603f17c6518
------------------------------------------------------
name=FClient ver=1 serial=3 0.0.0.0:0->0.0.0.0:0 lgwy=dyn tun=intf mode=dialup bound_if=2
proxyid_num=0 child_num=1 refcnt=5 ilast=887 olast=887
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=active on=0 idle=5000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
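As an added example (not part of the original post), a small Python parser for the `diag vpn tunnel list` output above: it turns each tunnel block into a dict and flags the negotiated 3DES/SHA1 algorithms from the proposal as legacy. The SAMPLE string is reduced from the post's output with the key material replaced by `<key>`; WEAK_ESP and WEAK_AH are my own lists, not FortiOS ones.

```python
import re

# Constructed sample, reduced from the post's `diag vpn tunnel list` output;
# the hex key material on the dec/enc lines is replaced by "<key>".
SAMPLE = """\
list all ipsec tunnel in vd 0
------------------------------------------------------
name=FClient_0 ver=1 serial=5 10.200.1.1:0->10.0.2.10:0 lgwy=static tun=intf mode=dial_inst bound_if=2
parent=FClient index=0 proxyid_num=1 child_num=0 refcnt=7 ilast=3 olast=3
stat: rxp=3 txp=0 rxb=336 txb=0
dpd: mode=active on=1 idle=5000ms retry=3 count=0 seqno=2
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=FClient proto=0 sa=1 ref=2 auto_negotiate=0 serial=1
  SA: ref=3 options=00000006 type=00 soft=0 mtu=1280 expire=1773 replaywin=1024 seqno=1
  life: type=01 bytes=0/0 timeout=1791/1800
  dec: spi=18864eeb esp=3des key=24 <key> ah=sha1 key=20 <key>
  enc: spi=b3372b7b esp=3des key=24 <key> ah=sha1 key=20 <key>
------------------------------------------------------
name=FClient ver=1 serial=3 0.0.0.0:0->0.0.0.0:0 lgwy=dyn tun=intf mode=dialup bound_if=2
proxyid_num=0 child_num=1 refcnt=5 ilast=887 olast=887
"""

WEAK_ESP = {"null", "des", "3des"}   # my list: ESP ciphers to phase out
WEAK_AH = {"null", "md5", "sha1"}    # my list: legacy integrity algorithms
PAIR = re.compile(r"(\w+)=(\S+)")

def parse_tunnels(text):
    """Split the listing on its dashed separators and flatten each tunnel
    block into a dict. Keys on labelled lines (SA:, life:, dec:, ...) get
    the label as a prefix, e.g. 'dec.esp'; a repeated key (dec: key=24 ...
    key=20) keeps its first value."""
    tunnels = []
    for block in re.split(r"^-{10,}[ \t]*$", text, flags=re.M):
        fields = {}
        for line in block.splitlines():
            line = line.strip()
            label = re.match(r"^(\w+):\s", line)
            prefix = label.group(1) + "." if label else ""
            for key, value in PAIR.findall(line):
                fields.setdefault(prefix + key, value)
        if "name" in fields:           # skips the "list all ..." banner
            tunnels.append(fields)
    return tunnels

def audit(tunnel):
    """Return findings for one parsed tunnel; [] means nothing flagged.
    The dial-up template (no SA yet) carries no dec/enc lines, so it is silent."""
    findings = []
    esp, ah = tunnel.get("dec.esp"), tunnel.get("dec.ah")
    if esp in WEAK_ESP:
        findings.append(f"{tunnel['name']}: negotiated ESP cipher {esp} is legacy")
    if ah in WEAK_AH:
        findings.append(f"{tunnel['name']}: negotiated integrity {ah} is legacy")
    return findings

if __name__ == "__main__":
    for t in parse_tunnels(SAMPLE):
        print(t["name"], t.get("mode"), audit(t))
```

Feed it the live output instead of SAMPLE to see which proposal from `set proposal 3des-sha1 aes128-sha1` a client actually negotiated.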
Posted on June 19, 2012