
Configure the server to accept FortiGate dialup-client connections

Before you begin, optionally reserve a unique identifier (peer ID) for the FortiGate dialup client. The dialup client will supply this value to the FortiGate dialup server for authentication purposes during the IPsec Phase 1 exchange. In addition, the value will enable you to distinguish FortiGate dialup-client connections from FortiClient dialup-client connections. The same value must be specified on the dialup server and on the dialup client.

  1. At the FortiGate dialup server, define the Phase 1 parameters needed to authenticate the FortiGate dialup client and establish a secure connection. See Phase 1 parameters. Enter these settings in particular:
     Name: Enter a name to identify the VPN tunnel. This name appears in Phase 2 configurations, security policies and the VPN monitor.
     Remote Gateway: Select Dialup User.
     Local Interface: Select the interface through which clients connect to the FortiGate unit.
     Mode: If you will be assigning an ID to the FortiGate dialup client, select Aggressive.
     Peer Options: If you will be assigning an ID to the FortiGate dialup client, select This peer ID and type the identifier that you reserved for the FortiGate dialup client into the adjacent field.
  2. Define the Phase 2 parameters needed to create a VPN tunnel with the FortiGate dialup client. See Phase 2 parameters. Enter these settings in particular:
     Name: Enter a name to identify this Phase 2 configuration.
     Phase 1: Select the name of the Phase 1 configuration that you defined.
  3. Define names for the addresses or address ranges of the private networks that the VPN links. See Defining VPN security policies. Enter these settings in particular:
     • Define an address name for the server, host, or network behind the FortiGate dialup server.
     • Define an address name for the private network behind the FortiGate dialup client.
  4. Define the security policies to permit communications between the private networks through the VPN tunnel. Route-based and policy-based VPNs require different security policies. For detailed information about creating security policies, see Defining VPN security policies.

Route-based VPN security policy

Define an ACCEPT security policy to permit communications between hosts on the private network behind the FortiGate dialup client and the private network behind this FortiGate dialup server. Because communication cannot be initiated in the opposite direction, there is only one policy.

  1. Go to Policy & Objects > Policy > IPv4 and select Create New.
  2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
  3. Enter these settings in particular:
     Incoming Interface: Select the VPN tunnel (IPsec interface) created in Step 1.
     Source Address: Select All.
     Outgoing Interface: Select the interface that connects to the private network behind this FortiGate unit.
     Destination Address: Select All.
     Action: Select ACCEPT.
     Enable NAT: Disable.

Policy-based VPN security policy

  1. Go to Policy & Objects > Policy > IPv4 and select Create New.
  2. Enter these settings in particular:
     Incoming Interface: Select the interface that connects to the private network behind this FortiGate unit.
     Source Address: Select the address name that you defined for the private network behind this FortiGate unit.
     Outgoing Interface: Select the FortiGate unit's public interface.
     Destination Address: Select the address name that you defined for the private network behind the FortiGate dialup client.
     VPN Tunnel: Select Use Existing and select the name of the Phase 1 configuration that you created in Step 1 from the drop-down list.
     Select Allow traffic to be initiated from the remote site to enable traffic from the remote network to initiate the tunnel.
     Clear Allow outbound to prevent traffic from the local network from initiating the tunnel after the tunnel has been established.
  3. To prevent traffic from the local network from initiating the tunnel after the tunnel has been established, disable outbound VPN traffic for the policy in the CLI:

     config firewall policy
         edit <policy_number>
             set outbound disable
         next
     end

Place the policy in the policy list above any other policies having similar source and destination addresses.

If configuring a route-based policy, configure a default route for VPN traffic on this interface.
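The route-based variant of this procedure, expressed as a CLI configuration. This is an added example, not taken from the FortiOS documentation: the tunnel, interface, address and peer ID names are assumed, the subnets are constructed, and the policy is tightened to the address objects from step 3 instead of All. The CLI keywords are FortiOS 5.x syntax as I know it; confirm them against your firmware's CLI reference.

```fortios
# Phase 1: dynamic (dialup) gateway that accepts only peers presenting the reserved peer ID
config vpn ipsec phase1-interface
    edit "dialup_srv"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype one
        set peerid "branch-fgt-01"
        set proposal aes256-sha256
        set psksecret "REPLACE-WITH-STRONG-PSK"
    next
end
# Phase 2 bound to that Phase 1 configuration
config vpn ipsec phase2-interface
    edit "dialup_srv_p2"
        set phase1name "dialup_srv"
        set proposal aes256-sha256
    next
end
# Address objects for the network behind the server and the network behind the client (constructed subnets)
config firewall address
    edit "hq_lan"
        set subnet 10.10.0.0 255.255.255.0
    next
    edit "branch_lan"
        set subnet 10.20.0.0 255.255.255.0
    next
end
# The single ACCEPT policy: tunnel interface in, LAN out, NAT off
config firewall policy
    edit 0
        set srcintf "dialup_srv"
        set dstintf "internal"
        set srcaddr "branch_lan"
        set dstaddr "hq_lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
# Static route sending return traffic for the client network into the tunnel interface
config router static
    edit 0
        set dst 10.20.0.0 255.255.255.0
        set device "dialup_srv"
    next
end
```

After committing, `diagnose vpn ike gateway list` shows the negotiated peer ID, which is the quickest way to confirm that a connecting client matched the reserved identifier rather than a FortiClient entry.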