Handbook

6.0.0

Automatic configuration overview

VPN configuration for remote clients is simpler if it is automated. Several protocols support automatic configuration:

  • The Fortinet FortiClient Endpoint Security application can completely configure a VPN connection with a suitably configured FortiGate unit given only the FortiGate unit’s address. This protocol is exclusive to Fortinet. For more information, see FortiClient dialup-client configuration.
  • DHCP over IPsec can assign an IP address, Domain, DNS and WINS addresses. The user must first configure IPsec parameters such as gateway address, encryption and authentication algorithms.
  • IKE Mode Config can configure host IP address, Domain, DNS and WINS addresses. The user must first configure IPsec parameters such as gateway address, encryption and authentication algorithms. Several network equipment vendors support IKE Mode Config, which is described in the ISAKMP Configuration Method document draft-dukes-ike-mode-cfg-02.txt.

This chapter describes how to configure a FortiGate unit as either an IKE Mode Config server or client.

IKE Mode Config method

IKE Mode Config is configured with the CLI command config vpn ipsec phase1-interface. The mode-cfg variable enables IKE Mode Config. The type field determines whether you are creating an IKE Mode Config server or a client. Setting type to dynamic creates a server configuration, otherwise the configuration is a client.

Creating an IKE Mode Config client

If the FortiGate unit will connect as a dialup client to a remote gateway that supports IKE Mode Config, the relevant vpn ipsec phase1-interface variables are as follows:

Variable / Description

ike-version 1
    IKE v1 is the default for FortiGate IPsec VPNs. IKE Mode Config is also compatible with IKE v2 (RFC 4306); use the syntax ike-version 2.

mode-cfg enable
    Enable IKE Mode Config.

type {ddns | static}
    If you set type to dynamic, an IKE Mode Config server is created.

assign-ip {enable | disable}
    Enable to request an IP address from the server.

interface <interface_name>
    This is a regular IPsec VPN field. Specify the physical, aggregate, or VLAN interface to which the IPsec tunnel will be bound.

proposal <encryption_combination>
    This is a regular IPsec VPN field that determines the encryption and authentication settings that the client will accept. For more information, see Phase 1 parameters.

ip-version <4 | 6>
    This is a regular IPsec VPN field. By default, IPsec VPNs use IPv4 addressing. You can set ip-version to 6 to create a VPN with IPv6 addressing.

ipv4-split-exclude
ipv6-split-exclude
    This command allows the administrator to specify that default traffic flows over the IPsec tunnel except for specified subnets. This is the opposite of the supported split-include feature, which allows the administrator to specify that default traffic should not flow over the IPsec tunnel except for specified subnets.

IKE Mode Config client example - CLI

In this example, the FortiGate unit connects to a VPN gateway with a static IP address that can be reached through port1. Only the port, gateway and proposal information needs to be configured. All other configuration information will come from the IKE Mode Config server.

config vpn ipsec phase1-interface
    edit vpn1
        set ip-version 4
        set type static
        set remote-gw <gw_address>
        set interface port1
        set proposal 3des-sha1 aes128-sha1
        set mode-cfg enable
        set assign-ip enable
end

Creating an IKE Mode Config server

If the FortiGate unit will accept connection requests from dialup clients that support IKE Mode Config, the following vpn ipsec phase1-interface settings are required before any other configuration is attempted:

Variable / Description

ike-version 1
    IKE v1 is the default for FortiGate IPsec VPNs. IKE Mode Config is also compatible with IKE v2 (RFC 4306); use the syntax ike-version 2.

mode-cfg enable
    Enable IKE Mode Config.

type dynamic
    Any other setting creates an IKE Mode Config client.

interface <interface_name>
    This is a regular IPsec VPN field. Specify the physical, aggregate, or VLAN interface to which the IPsec tunnel will be bound.

proposal <encryption_combination>
    This is a regular IPsec VPN field that determines the encryption and authentication settings that the server will accept. For more information, see Phase 1 parameters.

ip-version <4 | 6>
    This is a regular IPsec VPN field. By default, IPsec VPNs use IPv4 addressing. You can set ip-version to 6 to create a VPN with IPv6 addressing.

IKE Mode Config server example - CLI

In this example, the FortiGate unit assigns IKE Mode Config clients addresses in the range of 10.11.101.160 through 10.11.101.180. DNS and WINS server addresses are also provided. The public interface of the FortiGate unit is Port 1.

When IKE Mode-Configuration is enabled, multiple server IPs can be defined in IPsec Phase 1.

The ipv4-split-include variable specifies a firewall address that represents the networks to which the clients will have access. This destination IP address information is sent to the clients.

Only the CLI fields required for IKE Mode Config are shown here. For detailed information about these variables, see the FortiGate CLI Reference.

config vpn ipsec phase1-interface
    edit "vpn-p1"
        set type dynamic
        set interface "wan1"
        set xauthtype auto
        set mode aggressive
        set mode-cfg enable
        set proposal 3des-sha1 aes128-sha1
        set dpd disable
        set dhgrp 2
        set xauthexpire on-rekey
        set authusrgrp "FG-Group1"
        set ipv4-start-ip 10.10.10.10
        set ipv4-end-ip 10.10.10.20
        set ipv4-dns-server1 1.1.1.1
        set ipv4-dns-server2 2.2.2.2
        set ipv4-dns-server3 3.3.3.3
        set ipv4-wins-server1 4.4.4.4
        set ipv4-wins-server2 5.5.5.5
        set domain "fgt1c-domain"
        set banner "fgt111C-banner"
        set backup-gateway "100.100.100.1" "host1.com" "host2"
        set ipv4-split-include OfficeLAN
end

IP address assignment

After you have enabled the basic configuration, you can configure IP address assignment for clients, as well as DNS and WINS server assignment. Usually you will want to assign IP addresses to clients.

The simplest method to assign IP addresses to clients is to assign addresses from a specific range, similar to a DHCP server.

If your clients are authenticated by a RADIUS server, you can obtain the user’s IP address assignment from the Framed-IP-Address attribute. The user must be authenticated using XAuth.

IKE Mode Config can also use a remote DHCP server to assign the client IP addresses. Up to eight addresses can be selected for either IPv4 or IPv6. After the DHCP proxy has been configured, the assign-ip-from command is used to assign IP addresses via DHCP.

Assigning IP addresses from an address range - CLI

If your VPN uses IPv4 addresses:

config vpn ipsec phase1-interface
    edit vpn1
        set mode-cfg-ipversion 4
        set assign-ip enable
        set assign-ip-type ip
        set assign-ip-from range
        set ipv4-start-ip <range_start>
        set ipv4-end-ip <range_end>
        set ipv4-netmask <netmask>
end

If your VPN uses IPv6 addresses:

config vpn ipsec phase1-interface
    edit vpn1
        set mode-cfg-ipversion 6
        set assign-ip enable
        set assign-ip-type ip
        set assign-ip-from range
        set ipv6-start-ip <range_start>
        set ipv6-end-ip <range_end>
end

Assigning IP addresses from a RADIUS server - CLI

The users must be authenticated by a RADIUS server and assigned to the FortiGate user group <grpname>. Since the IP address will not be static, type is set to dynamic, and mode-cfg is enabled. Because this is IKE Configuration Method, compatible clients can configure themselves with the settings that the FortiGate unit provides.

config vpn ipsec phase1-interface
    edit vpn1
        set type dynamic
        set mode-cfg enable
        set assign-ip enable
        set assign-ip-from usrgrp
        set xauthtype auto
        set authusrgrp <grpname>
end

Assigning IP address from DHCP - CLI

The DHCP proxy must first be enabled for IKE Mode Config to use DHCP to assign the VPN client IP address(es).

config system settings
    set dhcp-proxy enable
    set dhcp-server-ip [ipv4 address]
    set dhcp6-server-ip [ipv6-address]
    (Up to eight server addresses can be configured)
end

config vpn ipsec phase1-interface
    edit vpn1
        set mode-cfg enable
        set assign-ip-from dhcp
    next
end

Assigning IP address from a named firewall address/group - CLI

The client addresses are taken from the firewall address or address group named by ipv4-name (and ipv6-name for IPv6).

config vpn ipsec phase1-interface
    edit vpn1
        set type dynamic
        set assign-ip-from name
        set ipv4-name <name>
        set ipv6-name <name>
    next
end

Certificate groups

IKE certificate groups consisting of up to four RSA certificates can be used in IKE Phase 1. Since CA and local certificates are global, the IKE daemon loads them once for all VDOMs and indexes them into trees based on subject and public key hash (for CA certificates), or certificate name (for local certificates). Certificates are linked together based on the issuer, and certificate chains are built by traversing these links. This reduces the need to keep multiple copies of certificates that could exist in multiple chains.

IKE certificate groups can be configured through the CLI.

Configuring the IKE local ID - CLI

config vpn certificate local
    edit <name>
        set ike-localid <string>
        set ike-localid-type {asn1dn | fqdn}
end

Split-exclude in IKEv1 mode-cfg

When IKEv1 Configuration Method is used, this feature allows the administrator to specify that default traffic flows over the IPsec tunnel except for specified subnets. This is the opposite of the supported split-include feature, which allows the administrator to specify that default traffic should not flow over the IPsec tunnel except for specified subnets.

The split-include and split-exclude options can both be specified at the same time. Whether a client does the right thing when both are specified depends on the client.

Syntax

config vpn ipsec {phase1 | phase1-interface}
    edit <name>
        set ike-version 1
        set type dynamic
        set mode-cfg enable
        set ipv4-split-exclude {all | none | address}
        set ipv6-split-exclude {all | none | address}
    next
end
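As an added example (not part of the Fortinet handbook), the following Python reads a phase1-interface block in the form shown on this page, applies the page's role rule (type dynamic = server, anything else = client), checks that the chosen assign-ip-from source has the settings it needs, and flags the split-include plus split-exclude combination whose behaviour the page says depends on the client. The sample block and the assumed default of assign-ip-from range are constructed for the example.

```python
import re
from ipaddress import ip_address

# Constructed sample in the form the page's server example uses (not the page's own block).
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "vpn-p1"
        set type dynamic
        set interface "wan1"
        set mode-cfg enable
        set assign-ip enable
        set assign-ip-from range
        set ipv4-start-ip 10.11.101.160
        set ipv4-end-ip 10.11.101.180
        set ipv4-split-include OfficeLAN
        set ipv4-split-exclude all
    next
end
"""

def parse_phase1(text):
    """Map each 'edit <name>' entry to its {setting: [values]} dictionary."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'^edit\s+"?([^"]+)"?$', line)
        if m:
            current = entries.setdefault(m.group(1), {})
            continue
        m = re.match(r'^set\s+(\S+)\s+(.*)$', line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).replace('"', '').split()
    return entries

def audit_mode_cfg(s):
    """Classify one entry (page rule: type dynamic = server) and list settings
    that cannot work as written according to the rules on this page."""
    findings = []
    if s.get("mode-cfg", ["disable"])[0] != "enable":
        return "mode-cfg disabled", findings
    role = "server" if s.get("type", ["static"])[0] == "dynamic" else "client"
    if role == "server":
        src = s.get("assign-ip-from", ["range"])[0]  # 'range' assumed as the default
        if src == "range":
            start, end = s.get("ipv4-start-ip", [None])[0], s.get("ipv4-end-ip", [None])[0]
            if not (start and end):
                findings.append("assign-ip-from range needs ipv4-start-ip and ipv4-end-ip")
            elif ip_address(start) > ip_address(end):
                findings.append("ipv4-start-ip is above ipv4-end-ip")
        elif src == "usrgrp" and "authusrgrp" not in s:
            findings.append("assign-ip-from usrgrp needs authusrgrp (XAuth user group)")
        for v in ("4", "6"):
            inc, exc = f"ipv{v}-split-include", f"ipv{v}-split-exclude"
            if inc in s and s.get(exc, ["none"])[0] != "none":
                findings.append(f"{inc} and {exc} both set; behaviour depends on the client")
    return role, findings

def pool_size(start, end):
    return int(ip_address(end)) - int(ip_address(start)) + 1  # inclusive range
```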