RA VPN Configuration on Fortigate

Posted on June 19, 2012


Remote access VPN configuration with the FortiGate client.
Version used: v4.0,build0521,120313 (MR3 Patch 6)

1. Add user.

This example uses a simple local user, but as the list of remote authentication servers below shows, the FortiGate offers a lot of possibilities.

myfirewall (root) # sh user
adgrp           FSSO groups
ban             configure banned IP addresses
fortitoken      configure FortiToken
fsso            FSSO agent configuration
group           user group configuation
ldap            LDAP server entry configuation
local           local user configuration
peer            config peer user
peergrp         config peer's user group
radius          radius server entry configuration
setting         set user authentication setting
sms-provider    configure SMS provider
tacacs+         TACACS+ server entry configuration

Configure a local user.

config user local
    edit "Testuser"
        set type password
        set passwd ENC hv2ySeh6FHck7qhv72pHvnSOVOHQWMllulMy824/8+n0cn9OdxcPvkOGQ7txjU7YNbmQLrCCIF3qspQucSdaM5KIQHACKsPndkC0K8146RohAY8p
    next
end

2. Add group.

Add the local user to a user group.

config user group
    edit "VPN-Group"
        set member "Testuser"
    next
end

3. Add vpn configuration.

config vpn ipsec phase1-interface
    edit "FClient"
        set type dynamic
        set interface "port1"
        set xauthtype auto
        set mode aggressive
        set mode-cfg enable
        set proposal 3des-sha1 aes128-sha1
        set authusrgrp "VPN-Group"
        set ipv4-start-ip
        set ipv4-end-ip
        set ipv4-netmask
        set dns-mode auto
        set ipv4-split-include "InternalNetwork"
        set psksecret ENC y7LkCPmimuXHJVhw4OgjIZGHFRXiBDVV1BBmRCVFuicaDO0cbfZSznbKo5BnUrqcbeeezKCZXl+/FItng8y30ELOrXjS6x588NzuzC/bhpd1CZ1a
    next
end

4. Define Firewall policy.

config firewall policy
    edit 1
        set srcintf "FClient"
        set dstintf "port3"
        set srcaddr "VPN-Addresses"
        set dstaddr "InternalNetwork"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 2
        set srcintf "port3"
        set dstintf "FClient"
        set srcaddr "InternalNetwork"
        set dstaddr "VPN-Addresses"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
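
The phase 1 block in step 3 combines aggressive mode with a pre-shared key (in IKEv1 aggressive mode the responder returns a hash derived from the PSK before the peer is authenticated, so a captured handshake allows offline guessing) and still offers 3des-sha1, and the policies in step 4 accept service "ANY". The following is an added example, not part of the original post or any Fortinet tool: a small Python check that parses FortiOS-style config text and flags those three settings for review. The names parse_config and audit and the sample text with its placeholder PSK are assumptions made for illustration.

```python
import shlex

# Constructed sample built from the settings in steps 3 and 4; the PSK is a placeholder.
SAMPLE = """
config vpn ipsec phase1-interface
    edit "FClient"
        set mode aggressive
        set proposal 3des-sha1 aes128-sha1
        set psksecret ENC PLACEHOLDER
    next
end
config firewall policy
    edit 1
        set action accept
        set service "ANY"
    next
end
"""

def parse_config(text):
    """Parse flat config/edit/set/next/end text into {section: {entry: {key: [values]}}}."""
    sections, section, entry = {}, None, None
    for line in text.splitlines():
        tok = shlex.split(line) or [""]  # shlex honours the CLI's double quotes
        if tok[0] == "config":
            section, entry = " ".join(tok[1:]), None
            sections.setdefault(section, {})
        elif tok[0] == "edit" and section is not None:
            entry = sections[section].setdefault(tok[1], {})
        elif tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]  # a 'set' with no value yields []
        elif tok[0] in ("next", "end"):
            entry = None  # nested config blocks are not handled in this sketch
    return sections

def audit(text):
    """Return (object, finding) pairs for settings worth a second look."""
    cfg, out = parse_config(text), []
    for name, p1 in cfg.get("vpn ipsec phase1-interface", {}).items():
        if p1.get("mode") == ["aggressive"] and "psksecret" in p1:
            out.append((name, "aggressive mode with pre-shared key"))
        weak = [p for p in p1.get("proposal", []) if p.startswith(("des-", "3des-"))]
        if weak:
            out.append((name, "legacy cipher offered: " + ", ".join(weak)))
    for pid, pol in cfg.get("firewall policy", {}).items():
        if pol.get("action") == ["accept"] and "ANY" in pol.get("service", []):
            out.append(("policy " + pid, "accept rule with service ANY"))
    return out
```

Calling audit(SAMPLE) returns three findings: two for "FClient" and one for policy 1.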

5. Backroute to client vpn pool.

I would test whether it is really required… normally the firewalls (Cisco and Checkpoint) know it without any explicit route.

config router static
    edit 1
        set device "port1"
        set gateway
    next
    edit 2
        set device "FClient"
        set dst
    next
end

6. Testing RA VPN.

myfirewall (root) # diag vpn tunnel list
list all ipsec tunnel in vd 0
name=FClient_0 ver=1 serial=5> lgwy=static tun=intf mode=dial_inst bound_if=2
parent=FClient index=0
proxyid_num=1 child_num=0 refcnt=7 ilast=3 olast=3
stat: rxp=3 txp=0 rxb=336 txb=0
dpd: mode=active on=1 idle=5000ms retry=3 count=0 seqno=2
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=FClient proto=0 sa=1 ref=2 auto_negotiate=0 serial=1
  src: 0:
  dst: 0:
  SA: ref=3 options=00000006 type=00 soft=0 mtu=1280 expire=1773 replaywin=1024 seqno=1
  life: type=01 bytes=0/0 timeout=1791/1800
  dec: spi=18864eeb esp=3des key=24 3661edfbd464a09c33d5a360777cacd6e8a43ed9bc8f7a95
       ah=sha1 key=20 e5554e5ade780793440fdd0ab74f1f12e00bab8e
  enc: spi=b3372b7b esp=3des key=24 01f2ea46025d33c548518b69bc8624816ad0315ae30f3e68
       ah=sha1 key=20 411be79eb3de989523ddd9c1705c9603f17c6518
name=FClient ver=1 serial=3> lgwy=dyn tun=intf mode=dialup bound_if=2
proxyid_num=0 child_num=1 refcnt=5 ilast=887 olast=887
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=active on=0 idle=5000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0