FortiClient Dialup-Client IPSec VPN Example
Technical Note
Fortinet Inc.
© Copyright 2004-2005 Fortinet Inc. All rights reserved.
No part of this publication including text, examples, diagrams or illustrations may be reproduced,
transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or
otherwise, for any purpose, without prior written permission of Fortinet Inc.
Trademarks
Products mentioned in this document are trademarks or registered trademarks of their respective holders.
Contents
Network topology
    Before you begin
Configuring FortiGate_1
    Define the phase 1 parameters
    Define the phase 2 parameters
    Define the firewall encryption policy
    Configure FortiGate_1 to relay DHCP requests
Configuring the FortiClient Host Security application
This technical note features a detailed configuration example that demonstrates how
to set up a FortiClient dialup-client IPSec VPN that uses preshared keys for
authentication purposes. In the example configuration, the FortiClient Host Security
application acquires a Virtual IP (VIP) address through FortiGate DHCP relay. The
following sections are included:
• Network topology
• Configuring FortiGate_1
• Configuring the FortiClient Host Security application
Network topology
In a dialup-client configuration, remote hosts running VPN client software such as the
FortiClient Host Security application are assigned dynamic IP addresses through an
ISP before the VPN client initiates a connection to a FortiGate dialup server.
By default, the FortiClient Host Security application encrypts IP traffic and addresses
the encrypted packets to the public interface of the FortiGate unit. Encrypted packets
from the FortiGate unit may be addressed either to the public IP address of the remote
host (if the remote host connects to the Internet directly), or if the host computer is
behind a NAT device, encrypted packets from the FortiGate unit are addressed to the
remote host’s IP address on the private network behind the NAT device.
Note: For encrypted traffic to pass through the NAT device, the device must be NAT-T
(NAT traversal) compatible. For more information, see the FortiGate VPN Guide.
As a precaution to prevent IP-address overlap between the remote host and the
private network behind the FortiGate unit, FortiClient dialup clients may be configured
to acquire uncommonly used VIP addresses through the FortiGate DHCP relay
feature: the FortiClient Host Security application is configured to broadcast a DHCP
request to the FortiGate unit, and the FortiGate unit is configured to relay the DHCP
request to a DHCP server behind the FortiGate unit. The DHCP server is configured
to respond with a VIP address for the dialup client.
The FortiClient dialup client uses the acquired VIP address as its source address for
IP packets for the duration of the connection. IP packets from the FortiClient dialup
client are addressed to a computer on the private network behind the FortiGate unit.
IP packets from the network behind the FortiGate unit are addressed to the client VIP
address. See Figure 1.
Figure 1: Dialup-client topology. Site_1 (192.168.12.0/24), containing Server_1 (192.168.12.1), sits behind FortiGate_1 (172.16.10.1 on the Internet side). Dialup_1 connects across the Internet using VIP address 10.254.254.100.
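The overlap precaution and the return-path behaviour described above, as an added example in Python that is not part of the Fortinet technical note. It uses the addresses from Figure 1 (Site_1 192.168.12.0/24, Server_1 192.168.12.1, VIP pool 10.254.254.0/24, VIP 10.254.254.100); the remote host's own home LAN (192.168.12.0/24 in the worst case, 192.168.1.0/24 otherwise) is a constructed input, since the note does not specify it.

```python
# Added example (not from the Fortinet technical note): an address-plan check and a
# reply-path simulation for the dialup-client topology described in the note.
import ipaddress

# Values taken from the technical note's topology (Figure 1).
PROTECTED_NET = ipaddress.ip_network("192.168.12.0/24")    # Site_1, behind FortiGate_1
SERVER_1 = ipaddress.ip_address("192.168.12.1")
VIP_POOL = ipaddress.ip_network("10.254.254.0/24")         # VIPs the DHCP server hands out
DIALUP_1_VIP = "10.254.254.100"


def check_address_plan(client_lan, protected_net=PROTECTED_NET, vip_pool=VIP_POOL):
    """Return the overlap problems for one dialup client.

    client_lan is the private network the remote host sits on behind its NAT
    device (constructed input; the note does not specify it).
    """
    client_lan = ipaddress.ip_network(client_lan)
    problems = []
    if vip_pool.overlaps(protected_net):
        problems.append("VIP pool overlaps the protected network")
    if vip_pool.overlaps(client_lan):
        problems.append("VIP pool overlaps the client's local LAN")
    if client_lan.overlaps(protected_net):
        problems.append("client LAN overlaps the protected network: the client must "
                        "use its VIP, not its LAN address, as tunnel source")
    return problems


def server_reply_path(reply_dst, server_net=PROTECTED_NET):
    """How Server_1 forwards a reply packet.

    A destination inside its own subnet is delivered directly on the LAN (ARP);
    anything else goes to the default gateway, FortiGate_1, which can route it
    into the IPSec tunnel. A reply to a client source address that collides
    with the protected subnet therefore never reaches the tunnel.
    """
    return "local-lan" if ipaddress.ip_address(reply_dst) in server_net else "via-gateway"


def tunnel_source(client_lan_ip, vip):
    """Source address the client uses for packets into the protected network:
    the acquired VIP when DHCP over IPSec succeeded, else its own LAN address."""
    return vip if vip is not None else client_lan_ip


if __name__ == "__main__":
    # Constructed worst case: the remote host's home LAN uses the same prefix as Site_1.
    home_lan = "192.168.12.0/24"
    home_ip = "192.168.12.50"
    print(check_address_plan(home_lan))
    for src in (tunnel_source(home_ip, None), tunnel_source(home_ip, DIALUP_1_VIP)):
        print(f"reply from Server_1 to {src}: {server_reply_path(src)}")
```

Running it shows the failure the VIP feature prevents: a reply addressed to the client's own LAN address (192.168.12.50) is delivered on Site_1's LAN and never enters the tunnel, whereas a reply to the VIP goes to FortiGate_1 and is encrypted back to the client.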
Configuring FortiGate_1
When a FortiGate unit receives a connection request from a dialup client, it uses
IPSec phase 1 parameters to establish a secure connection and authenticate the
client. Then, if the firewall policy permits the connection, the FortiGate unit establishes
the tunnel using IPSec phase 2 parameters and applies the firewall encryption policy.
Key management, authentication, and security services are negotiated dynamically
through the IKE protocol.
Gateway Name            Type a name for the remote gateway (for example, Dialup_clients).
Remote Gateway          Dialup User
Mode                    Main
Authentication Method   Preshared Key
Pre-shared Key          Enter the preshared key.
Peer Options            Accept any peer ID
3 Enter the following CLI command to enable all dialup clients having VIP addresses on
the 10.254.254.0/24 network to connect using the same phase 2 tunnel definition:
Interface/Zone   Source        Select the interface to the internal (private) network.
                 Destination   Select the interface to the external (public) network.
Address Name     Source        Server_1
                 Destination   all
Schedule         As required.
Service          As required.
Action           ENCRYPT
VPN Tunnel       Select FG1toDialupClients, and then select Inbound NAT to translate
                 the IP source addresses of inbound decrypted packets into the IP
                 address of the FortiGate interface to the private network.
3 Place the policy in the policy list above any other policies having similar source and
destination addresses.
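Why step 3 matters, as an added Python example that is not Fortinet code: a first-match simulation of the policy list. The ENCRYPT policy uses the values from the table above (Server_1 to all, tunnel FG1toDialupClients, Inbound NAT). The broader internet_access policy and the FortiGate_1 private-side interface address 192.168.12.254 are constructed assumptions, not values from the note.

```python
# Added example (not Fortinet's code): first-match simulation of a FortiGate policy
# list, showing why the ENCRYPT policy must sit above broader policies with similar
# source and destination addresses, and what Inbound NAT does to decrypted packets.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Policy:
    name: str
    src_intf: str
    dst_intf: str
    src: str           # source address object, as a prefix
    dst: str           # destination address object, as a prefix
    action: str        # "ACCEPT", "DENY" or "ENCRYPT"
    tunnel: Optional[str] = None
    inbound_nat: bool = False

    def matches(self, src_intf, dst_intf, src_ip, dst_ip):
        return (self.src_intf == src_intf and self.dst_intf == dst_intf
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst))


# The encryption policy from the technical note (Server_1 -> all, ENCRYPT, Inbound NAT).
ENCRYPT_POLICY = Policy("to_dialup_clients", "internal", "external",
                        "192.168.12.1/32", "0.0.0.0/0", "ENCRYPT",
                        tunnel="FG1toDialupClients", inbound_nat=True)

# Constructed broader policy of the kind that commonly exists already:
# the whole private network may reach the Internet unencrypted.
INTERNET_ACCESS = Policy("internet_access", "internal", "external",
                         "192.168.12.0/24", "0.0.0.0/0", "ACCEPT")

# Assumed address of FortiGate_1's interface to the private network (not in the note).
INTERNAL_INTF_IP = "192.168.12.254"


def first_match(policies, src_intf, dst_intf, src_ip, dst_ip):
    """The FortiGate evaluates the policy list top-down and uses the first match;
    no match means the implicit deny."""
    for p in policies:
        if p.matches(src_intf, dst_intf, src_ip, dst_ip):
            return p
    return None


def outbound_disposition(policies, src_ip, dst_ip):
    """What happens to a packet from the private network toward a dialup client VIP."""
    p = first_match(policies, "internal", "external", src_ip, dst_ip)
    if p is None or p.action == "DENY":
        return "denied"
    if p.action == "ENCRYPT":
        return f"encrypted:{p.tunnel}"
    return "cleartext"   # an ACCEPT above the ENCRYPT policy sends the traffic unencrypted


def inbound_source_after_nat(policy, decrypted_src_ip, internal_intf_ip=INTERNAL_INTF_IP):
    """Inbound NAT rewrites the source address of decrypted client packets to the
    address of the FortiGate's private-side interface, so hosts at Site_1 need no
    route back to the VIP range."""
    return internal_intf_ip if policy.inbound_nat else decrypted_src_ip


if __name__ == "__main__":
    correct_order = [ENCRYPT_POLICY, INTERNET_ACCESS]
    wrong_order = [INTERNET_ACCESS, ENCRYPT_POLICY]
    for order in (correct_order, wrong_order):
        print([p.name for p in order], "->",
              outbound_disposition(order, "192.168.12.1", "10.254.254.100"))
    print("decrypted source seen by Site_1:",
          inbound_source_after_nat(ENCRYPT_POLICY, "10.254.254.100"))
```

With the ENCRYPT policy first, Server_1's packets to the VIP 10.254.254.100 go into the tunnel; with the broader ACCEPT policy first, the same packets match it and leave the external interface in clear, which is the misconfiguration step 3 guards against.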
To configure FortiClient
1 At the remote host, start FortiClient.
2 Go to VPN > Connections and select Add.
3 In the Connection Name field, type a descriptive name for the connection.
4 In the Remote Gateway field, type the public static IP address of the FortiGate unit.
5 In the Remote Network fields, type the private IP address and netmask of the server
that FortiClient needs to access behind the FortiGate unit (for example,
192.168.12.1/255.255.255.255).
6 From the Authentication Method list, select Preshared Key.
7 In the Preshared Key field, type the preshared key. The value must be identical to the
preshared key that you specified previously in the FortiGate_1 configuration.
8 Select Advanced.
9 In the Advanced Settings dialog box, select Acquire virtual IP address and then select
Config.
10 Verify that the Dynamic Host Configuration Protocol (DHCP) over IPSec option is
selected, and then select OK.
11 Select OK twice to close the dialog boxes.
12 Exit FortiClient and repeat this procedure at all other remote hosts.