Automatic configuration overview
VPN configuration for remote clients is simpler if it is automated. Several protocols support automatic configuration:
- The Fortinet FortiClient Endpoint Security application can completely configure a VPN connection with a suitably configured FortiGate unit given only the FortiGate unit’s address. This protocol is exclusive to Fortinet. For more information, see FortiClient dialup-client configuration.
- DHCP over IPsec can assign an IP address, Domain, DNS and WINS addresses. The user must first configure IPsec parameters such as gateway address, encryption and authentication algorithms.
- IKE Mode Config can configure host IP address, Domain, DNS and WINS addresses. The user must first configure IPsec parameters such as gateway address, encryption and authentication algorithms. Several network equipment vendors support IKE Mode Config, which is described in the ISAKMP Configuration Method document draft‑dukes-ike-mode-cfg-02.txt.
This chapter describes how to configure a FortiGate unit as either an IKE Mode Config server or client.
IKE Mode Config method
IKE Mode Config is configured with the CLI command config vpn ipsec phase1-interface
. The mode-cfg
variable enables IKE Mode Config. The type
field determines whether you are creating an IKE Mode Config server or a client. Setting type
to dynamic
creates a server configuration, otherwise the configuration is a client.
Creating an IKE Mode Config client
If the FortiGate unit will connect as a dialup client to a remote gateway that supports IKE Mode Config, the relevant vpn ipsec phase1-interface
variables are as follows:
Variable |
Description |
---|---|
|
IKE v1 is the default for FortiGate IPsec VPNs. |
|
Enable IKE Mode Config. |
|
If you set |
|
Enable to request an IP address from the server. |
|
This is a regular IPsec VPN field. Specify the physical, aggregate, or VLAN interface to which the IPsec tunnel will be bound. |
|
This is a regular IPsec VPN field that determines the encryption and authentication settings that the client will accept. For more information, see Phase 1 parameters. |
|
This is a regular IPsec VPN field. By default, IPsec VPNs use IPv4 addressing. You can set |
|
This command allows the administrator to specify that default traffic flows over the IPsec tunnel except for specified subnets. This is the opposite of the supported |
IKE Mode Config client example - CLI
In this example, the FortiGate unit connects to a VPN gateway with a static IP address that can be reached through Port 1. Only the port, gateway and proposal information needs to be configured. All other configuration information will come from the IKE Mode Config server.
config vpn ipsec phase1-interface
edit vpn1
set ip-version 4
set type static
set remote-gw <gw_address>
set interface port 1
set proposal 3des-sha1 aes128-sha1
set mode-cfg enable
set assign-ip enable
end
Creating an IKE Mode Config server
If the FortiGate unit will accept connection requests from dialup clients that support IKE Mode Config, the following vpn ipsec phase1-interface
settings are required before any other configuration is attempted:
Variable |
Description |
---|---|
|
IKE v1 is the default for FortiGate IPsec VPNs. |
|
Enable IKE Mode Config. |
|
Any other setting creates an IKE Mode Config client. |
|
This is a regular IPsec VPN field. Specify the physical, aggregate, or VLAN interface to which the IPsec tunnel will be bound. |
|
This is a regular IPsec VPN field that determines the encryption and authentication settings that the server will accept. For more information, see Phase 1 parameters. |
|
This is a regular IPsec VPN field. By default, IPsec VPNs use IPv4 addressing. You can set |
IKE Mode Config server example - CLI
In this example, the FortiGate unit assigns IKE Mode Config clients addresses in the range of 10.11.101.160 through 10.11.101.180. DNS and WINS server addresses are also provided. The public interface of the FortiGate unit is Port 1.
When IKE Mode-Configuration is enabled, multiple server IPs can be defined in IPsec Phase 1.
The ipv4-split-include
variable specifies a firewall address that represents the networks to which the clients will have access. This destination IP address information is sent to the clients.
Only the CLI fields required for IKE Mode Config are shown here. For detailed information about these variables, see the FortiGate CLI Reference.
config vpn ipsec phase1-interface
edit "vpn-p1"
set type dynamic
set interface "wan1"
set xauthtype auto
set mode aggressive
set mode-cfg enable
set proposal 3des-sha1 aes128-sha1
set dpd disable
set dhgrp 2
set xauthexpire on-rekey
set authusrgrp "FG-Group1"
set ipv4-start-ip 10.10.10.10
set ipv4-end-ip 10.10.10.20
set ipv4-dns-server1 1.1.1.1
set ipv4-dns-server2 2.2.2.2
set ipv4-dns-server3 3.3.3.3
set ipv4-wins-server1 4.4.4.4
set ipv4-wins-server2 5.5.5.5
set domain "fgt1c-domain"
set banner "fgt111C-banner"
set backup-gateway "100.100.100.1" "host1.com" "host2"
set ipv4-split-include OfficeLAN
end
IP address assignment
After you have enabled the basic configuration, you can configure IP address assignment for clients, as well as DNS and WINS server assignment. Usually you will want to assign IP addresses to clients.
The simplest method to assign IP addresses to clients is to assign addresses from a specific range, similar to a DHCP server.
If your clients are authenticated by a RADIUS server, you can obtain the user’s IP address assignment from the Framed-IP-Address attribute. The user must be authenticated using XAuth.
IKE Mode Config can also use a remote DHCP server to assign the client IP addresses. Up to eight addresses can be selected for either IPv4 or IPv6. After the DHCP proxy has been configured, the assign-ip-from
command is used to assign IP addresses via DHCP.
Assigning IP addresses from an address range - CLI
If your VPN uses IPv4 addresses,
config vpn ipsec phase1-interface
edit vpn1
set mode-cfg-ipversion 4
set assign-ip enable
set assign-ip-type ip
set assign-ip-from range
set ipv4-start-ip <range_start>
set ipv4-end-ip <range_end>
set ipv4-netmask <netmask>
end
If your VPN uses IPv6 addresses,
config vpn ipsec phase1-interface
edit vpn1
set mode-cfg-ipversion 6
set assign-ip enable
set assign-ip-type ip
set assign-ip-from range
set ipv6-start-ip <range_start>
set ipv6-end-ip <range_end>
end
Assigning IP addresses from a RADIUS server - CLI
The users must be authenticated by a RADIUS server and assigned to the FortiGate user group <grpname>
. Since the IP address will not be static, type
is set to dynamic, and mode-cfg
is enabled. This is IKE Configuration Method so that compatible clients can configure themselves with settings that the FortiGate unit provides.
config vpn ipsec phase1-interface
edit vpn1
set type dynamic
set mode-cfg enable
set assign-ip enable
set assign-ip-from usrgrp
set xauthtype auto
set authusrgrp <grpname>
end
Assigning IP address from DHCP - CLI
The DHCP proxy must first be enabled for IKE Mode Config to use DHCP to assign the VPN client IP address(es).
config system settings
set dhcp-proxy enable
set dhcp-server-ip [ipv4 address]
set dhcp6-server-ip [ipv6-address]
(Up to eight server addresses can be configured)
end
config vpn ipsec phase1-interface
edit vpn1
set mode-cfg enable
set assign-ip-from dhcp
next
end
Assigning IP address from a named firewall address/group - CLI
config vpn ipsec phase1-interface
edit <name>vpn1
set type dynamic
set assign-ip-from name
set ipv4-name <name>
set ipv6-name <name>
next
end
Certificate groups
IKE certificate groups consisting of up to four RSA certificates can be used in IKE Phase 1. Since CA and local certificates are global, the IKE daemon loads them once for all VDOMs and indexes them into trees based on subject and public key hash (for CA certificates), or certificate name (for local certificates). Certificates are linked together based on the issuer, and certificate chains are built by traversing these links. This reduces the need to keep multiple copies of certificates that could exist in multiple chains.
IKE certificate groups can be configured through the CLI.
Configuring the IKE local ID - CLI
config vpn certificate local
edit <name>
set ike-localid <string>
set ike-localid-type {asnldn | fqdn}
end
Split-exclude in IKEv1 mode-cfg
This feature allows the administrator to specify when using IKEv1 Configuration Method that default traffic flows over the IPsec tunnel except for specified subnets. This is the opposite of the supported split-include
feature which allows the administrator to specify that default traffic should not flow over the IPsec tunnel except for specified subnets.
The split-include
and split-exclude
options can both be specified at the same time. Whether a client does the right thing when both are specified depends on the client.
Syntax
config vpn ipsec {phase1 | phase1-interface}
edit <name>
set ike-version 1
set type dynamic
set mode-cfg enable
set ipv4-split-exclude {all | none | address}
set ipv6-split-exclude {all | none | address}
next
end