Configuring FortiGate_1
When a FortiGate unit receives a connection request from a dialup client, it uses IPsec phase 1 parameters to establish a secure connection and authenticate the client. Then, if the security policy permits the connection, the FortiGate unit establishes the tunnel using IPsec phase 2 parameters and applies the IPsec security policy. Key management, authentication, and security services are negotiated dynamically through the IKE protocol.
To support these functions, the following general configuration steps must be performed at the FortiGate unit:
Define the phase 1 parameters that the FortiGate unit needs to authenticate the dialup clients and establish a secure connection. See “To define the phase 1 parameters”.
Define the phase 2 parameters that the FortiGate unit needs to create a VPN tunnel and enable all dialup clients having VIP addresses on the 10.254.254.0/24 network to connect using the same tunnel definition. See “To define the phase 2 parameters”.
Create security policies to control the permitted services and permitted direction of traffic between the internal source addresses and the dialup clients. See “To define the firewall addresses”.
Configure the FortiGate unit to service DHCP requests from dialup clients. See “Configuring the FortiClient Endpoint Security application”.
To define the phase 1 parameters
1. Go to VPN > IPsec > Auto Key (IKE).
2. Select Create Phase 1, enter the following information, and select OK:
Name: todialups
Remote Gateway: Dialup User
Local Interface: Port 1
Mode: Main
Authentication Method: Preshared Key
Pre-shared Key: hardtoguess
Peer Options: Accept any peer ID
Advanced: select Enable IPsec Interface Mode. Enable it for a route-based VPN; disable it for a policy-based VPN.
To define the phase 2 parameters
1. Go to VPN > IPsec > Auto Key (IKE) and select Create Phase 2.
2. Select Advanced, enter the following information, and select OK:
Name: td_2
Phase 1: todialups
Advanced: select DHCP-IPsec
To define the firewall addresses
1. Go to Firewall Objects > Address > Addresses.
2. Select Create New, enter the following information, and select OK:
Name: internal_net
Type: Subnet
Subnet/IP Range: 10.11.101.0/24
Interface: Port 2
3. Select Create New, enter the following information, and select OK:
Name: dialups
Type: IP Range
Subnet/IP Range: 10.254.254.1-10.254.254.10
Interface: todialups (route-based VPN) or Any (policy-based VPN)
The security policies for route-based and policy-based VPNs are described in separate sections below.
To define security policies - route-based VPN
1. Go to Policy > Policy > Policy and select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
3. Enter the following information, and select OK:
Incoming Interface: todialups
Source Address: dialups
Outgoing Interface: Port 2
Destination Address: internal_net
Action: ACCEPT
Enable NAT: Disable
4. Select Create New.
5. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
6. Enter the following information, and select OK:
Incoming Interface: Port 2
Source Address: internal_net
Outgoing Interface: todialups
Destination Address: dialups
Action: ACCEPT
Enable NAT: Disable
7. Select Create New.
8. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
9. Enter the following information, and select OK:
Incoming Interface: Port 2
Source Address: internal_net
Outgoing Interface: todialups
Destination Address: all
Service: DHCP
Action: ACCEPT
Enable NAT: Disable
10. Place these policies in the policy list above any other policies having similar source and destination addresses.
The policy created in step 7 is required for DHCP to function properly for policy-based VPNs. You can omit this policy if you change the Destination Address to all in the preceding policy (step 4). Route-based policies are not affected by this.
To define the security policy - policy-based VPN
1. Go to Policy > Policy > Policy and select Create New.
2. Select the Policy Type of VPN and leave the Policy Subtype as IPsec.
3. Enter the following information, and select OK:
Local Interface: Port 2
Local Protected Subnet: internal_net
Outgoing VPN Interface: Port 1
Remote Protected Subnet: dialups
VPN Tunnel: select Use Existing and choose todialups from the drop-down list
Allow traffic to be initiated from the remote site: Enable
4. Place the policy in the policy list above any other policies having similar source and destination addresses.