Fortinet Document Library

Version:


Table of Contents

Cookbook

6.2.0
Download PDF
Copy Link

Tunneled Internet browsing

This is a sample configuration of tunneled internet browsing using a dialup VPN. To centralize network management and control, all branch office traffic is tunneled to HQ, including Internet browsing.

To configure a dialup VPN to tunnel Internet browsing using the GUI:
  1. Configure the dialup VPN server FortiGate at HQ:
    1.   Go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
      1. Enter a VPN name, in this example, HQ.
      2. For Template Type, select Site to Site.
      3. For Remote Device Type, select FortiGate.
      4. For NAT Configuration, select The remote site is behind NAT.
      5. Click Next.
    2. Configure the following settings for Authentication:
      1. For Incoming Interface, select port9.
      2. For Authentication Method, select Pre-shared Key.
      3. In the Pre-shared Key field, enter sample as the key.
      4. Click Next.
    3. Configure the following settings for Policy & Routing:
      1. From the Local Interface dropdown menu, select port10.
      2. Configure the Local Subnets as 172.16.101.0.
      3. Configure the Remote Subnets as 0.0.0.0/0.
      4. For Internet Access, select Share Local.
      5. For Shared WAN, select port9.
      6. Click Create.
  2. Configure the dialup VPN client FortiGate at a branch:
    1.   Go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
      1. Enter a VPN name, in this example, Branch1 or Branch2.
      2. For Template Type, select Site to Site.
      3. For Remote Device Type, select FortiGate.
      4. For NAT Configuration, select The remote site is behind NAT.
      5. Click Next.
    2. Configure the following settings for Authentication:
      1. For IP Address, select Remote Device and enter 22.1.1.1.
      2. For Outgoing Interface, select wan1.
      3. For Authentication Method, select Pre-shared Key.
      4. In the Pre-shared Key field, enter sample as the key.
      5. Click Next.
    3. Configure the following settings for Policy & Routing:
      1. From the Local Interface dropdown menu, select internal.
      2. Configure the Local Subnets as 10.1.100.0/192.1684.0.
      3. Configure the Remote Subnets as 0.0.0.0/0.
      4. For Internet Access, select Use Remote.
      5. Configure the Local Gateway to 15.1.1.1/13.1.1.1.
      6. Click Create.
To configure a dialup VPN to tunnel Internet browsing using the CLI:
  1. Configure the WAN interface and static route on the FortiGate at HQ.
    config system interface
        edit "port9"
            set alias "WAN"
            set ip 22.1.1.1 255.255.255.0
        next
        edit "port10"
            set alias "Internal"
            set ip 172.16.101.1 255.255.255.0
        next
    end   
    config router static
        edit 1
            set gateway 22.1.1.2
            set device "port9"
        next  
    end
  2. Configure IPsec phase1-interface and phase2-interface configuration at HQ.
    config vpn ipsec phase1-interface
        edit "HQ"
            set type dynamic
            set interface "port9"
            set peertype any
            set net-device enable
            set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
            set dpd on-idle
            set psksecret sample
            set dpd-retryinterval 60
        next
    end
    config vpn ipsec phase2-interface
        edit "HQ"
            set phase1name "HQ"
            set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305        
        next
    end
  3. Configure the firewall policy at HQ.
    config firewall policy
        edit 1
            set srcintf "HQ"
            set dstintf "port9" "port10"
            set srcaddr "10.1.100.0" "192.168.4.0"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end
  4. Configure the WAN interface and static route on the FortiGate at the branches.
    1. Branch1.
      config system interface
          edit "wan1"
              set ip 15.1.1.2 255.255.255.0
          next
          edit "internal"
              set ip 10.1.100.1 255.255.255.0
          next
      end 
      config router static
          edit 1
              set gateway 15.1.1.1
              set device "wan1"
          next
      end
    2. Branch2.
      config system interface
          edit "wan1"
              set ip 13.1.1.2 255.255.255.0
          next
          edit "internal"
              set ip 192.168.4.1 255.255.255.0
          next
      end 
      config router static
          edit 1
              set gateway 13.1.1.1
              set device "wan1"
          next
      end
  5. Configure IPsec phase1-interface and phase2-interface configuration at the branches.
    1. Branch1.
      config vpn ipsec phase1-interface
          edit "branch1"
              set interface "wan1"
              set peertype any
              set net-device enable
              set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
              set dpd on-idle
              set remote-gw 22.1.1.1
              set psksecret sample 
              set dpd-retryinterval 5
          next
      end
      config vpn ipsec phase2-interface
          edit "branch1"
              set phase1name "branch1"
              set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
              set auto-negotiate enable
              set src-subnet 10.1.100.0 255.255.255.0
          next 
      end
    2. Branch2.
      config vpn ipsec phase1-interface
          edit "branch2"
              set interface "wan1"
              set peertype any
              set net-device enable
              set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
              set dpd on-idle
              set remote-gw 22.1.1.1
              set psksecret sample 
              set dpd-retryinterval 5
          next
      end
      config vpn ipsec phase2-interface
          edit "branch2"
              set phase1name "branch2"
              set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
              set auto-negotiate enable
              set src-subnet 192.168.4.0 255.255.255.0
          next 
      end
  6. Configure the firewall policy at the branches.
    1. Branch1.
      config firewall policy
          edit 1
              set name "outbound"
              set srcintf "internal"
              set dstintf "branch1"
              set srcaddr "all"
              set dstaddr "all"
              set action accept
              set schedule "always"
              set service "ALL"
          next
          edit 2
              set name "inbound"
              set srcintf "branch1"
              set dstintf "internal"
              set srcaddr "all"
              set dstaddr "all"
              set action accept
              set schedule "always"
              set service "ALL"
          next
      end
    2. Branch2.
      config firewall policy
          edit 1
              set name "outbound"
              set srcintf "internal"
              set dstintf "branch2"
              set srcaddr "all"
              set dstaddr "all"
              set action accept
              set schedule "always"
              set service "ALL"
          next
          edit 2
              set name "inbound"
              set srcintf "branch2"
              set dstintf "internal"
              set srcaddr "all"
              set dstaddr "all"
              set action accept
              set schedule "always"
              set service "ALL"
          next
      end
  7. Configure the static routes at the branches.
    1. Branch1.
      config router static
          edit 2
              set dst 22.1.1.1/32  
              set gateway 15.1.1.1
              set device "wan1"
              set distance 1       
          next
          edit 3
              set device "branch1"
              set distance 5       
          next
      end
    2. Branch2.
      config router static
          edit 2
              set dst 22.1.1.1/32  
              set gateway 13.1.1.1
              set device "wan1"
              set distance 1       
          next
          edit 3
              set device "branch2"
              set distance 5       
          next
      end
  8. Optionally, view the VPN tunnel list on a branch with the diagnose vpn tunnel list command:
    list all ipsec tunnel in vd 0
    ----
    name=branch1 ver=1 serial=2 15.1.1.2:0->22.1.1.1:0
    bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc  accept_traffic=1
    
    proxyid_num=1 child_num=1 refcnt=19 ilast=0 olast=0 ad=r/2
    stat: rxp=1 txp=1661 rxb=65470 txb=167314
    dpd: mode=on-idle on=1 idle=5000ms retry=3 count=0 seqno=2986
    natt: mode=none draft=0 interval=0 remote_port=0
    proxyid=branch1 proto=0 sa=1 ref=5 serial=1 auto-negotiate adr
      src: 0:0.0.0.0/0.0.0.0:0
      dst: 0:0.0.0.0/0.0.0.0:0
      SA:  ref=6 options=1a227 type=00 soft=0 mtu=1438 expire=697/0B replaywin=1024
           seqno=13a esn=0 replaywin_lastseq=00000000 itn=0
      life: type=01 bytes=0/0 timeout=2368/2400
      dec: spi=c53a8f7e esp=aes key=16 ecee0cd48664d903d3d6822b1f902fd2
           ah=sha1 key=20 2440a189126c222093ca9acd8b37127285f1f8a7
      enc: spi=6e3636fe esp=aes key=16 fdaa20bcc96f74ae9885e824d3efa29d
           ah=sha1 key=20 70c0891c769ad8007ea1f31a39978ffbc73242d0
      dec:pkts/bytes=0/16348, enc:pkts/bytes=313/55962
      npu_flag=03 npu_rgwy=22.1.1.1 npu_lgwy=15.1.1.2 npu_selid=1 dec_npuid=1 enc_npuid=1
  9. Optionally, view static routing table on a branch with the get router info routing-table static command:
    Routing table for VRF=0
    S*      0.0.0.0/0 [5/0] is directly connected, branch1
    S*      22.1.1.1/32 [1/0] via 15.1.1.1, wan1

Tunneled Internet browsing

This is a sample configuration of tunneled internet browsing using a dialup VPN. To centralize network management and control, all branch office traffic is tunneled to HQ, including Internet browsing.

To configure a dialup VPN to tunnel Internet browsing using the GUI:
  1. Configure the dialup VPN server FortiGate at HQ:
    1.   Go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
      1. Enter a VPN name, in this example, HQ.
      2. For Template Type, select Site to Site.
      3. For Remote Device Type, select FortiGate.
      4. For NAT Configuration, select The remote site is behind NAT.
      5. Click Next.
    2. Configure the following settings for Authentication:
      1. For Incoming Interface, select port9.
      2. For Authentication Method, select Pre-shared Key.
      3. In the Pre-shared Key field, enter sample as the key.
      4. Click Next.
    3. Configure the following settings for Policy & Routing:
      1. From the Local Interface dropdown menu, select port10.
      2. Configure the Local Subnets as 172.16.101.0.
      3. Configure the Remote Subnets as 0.0.0.0/0.
      4. For Internet Access, select Share Local.
      5. For Shared WAN, select port9.
      6. Click Create.
  2. Configure the dialup VPN client FortiGate at a branch:
    1.   Go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
      1. Enter a VPN name, in this example, Branch1 or Branch2.
      2. For Template Type, select Site to Site.
      3. For Remote Device Type, select FortiGate.
      4. For NAT Configuration, select The remote site is behind NAT.
      5. Click Next.
    2. Configure the following settings for Authentication:
      1. For IP Address, select Remote Device and enter 22.1.1.1.
      2. For Outgoing Interface, select wan1.
      3. For Authentication Method, select Pre-shared Key.
      4. In the Pre-shared Key field, enter sample as the key.
      5. Click Next.
    3. Configure the following settings for Policy & Routing:
      1. From the Local Interface dropdown menu, select internal.
      2. Configure the Local Subnets as 10.1.100.0/192.1684.0.
      3. Configure the Remote Subnets as 0.0.0.0/0.
      4. For Internet Access, select Use Remote.
      5. Configure the Local Gateway to 15.1.1.1/13.1.1.1.
      6. Click Create.
To configure a dialup VPN to tunnel Internet browsing using the CLI:
  1. Configure the WAN interface and static route on the FortiGate at HQ.
    config system interface
        edit "port9"
            set alias "WAN"
            set ip 22.1.1.1 255.255.255.0
        next
        edit "port10"
            set alias "Internal"
            set ip 172.16.101.1 255.255.255.0
        next
    end   
    config router static
        edit 1
            set gateway 22.1.1.2
            set device "port9"
        next  
    end
  2. Configure IPsec phase1-interface and phase2-interface configuration at HQ.
    config vpn ipsec phase1-interface
        edit "HQ"
            set type dynamic
            set interface "port9"
            set peertype any
            set net-device enable
            set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
            set dpd on-idle
            set psksecret sample
            set dpd-retryinterval 60
        next
    end
    config vpn ipsec phase2-interface
        edit "HQ"
            set phase1name "HQ"
            set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305        
        next
    end
  3. Configure the firewall policy at HQ.
    config firewall policy
        edit 1
            set srcintf "HQ"
            set dstintf "port9" "port10"
            set srcaddr "10.1.100.0" "192.168.4.0"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end
  4. Configure the WAN interface and static route on the FortiGate at the branches.
    1. Branch1.
      config system interface
          edit "wan1"
              set ip 15.1.1.2 255.255.255.0
          next
          edit "internal"
              set ip 10.1.100.1 255.255.255.0
          next
      end 
      config router static
          edit 1
              set gateway 15.1.1.1
              set device "wan1"
          next
      end
    2. Branch2.
      config system interface
          edit "wan1"
              set ip 13.1.1.2 255.255.255.0
          next
          edit "internal"
              set ip 192.168.4.1 255.255.255.0
          next
      end 
      config router static
          edit 1
              set gateway 13.1.1.1
              set device "wan1"
          next
      end
  5. Configure IPsec phase1-interface and phase2-interface configuration at the branches.
    1. Branch1.
      config vpn ipsec phase1-interface
          edit "branch1"
              set interface "wan1"
              set peertype any
              set net-device enable
              set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
              set dpd on-idle
              set remote-gw 22.1.1.1
              set psksecret sample 
              set dpd-retryinterval 5
          next
      end
      config vpn ipsec phase2-interface
          edit "branch1"
              set phase1name "branch1"
              set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
              set auto-negotiate enable
              set src-subnet 10.1.100.0 255.255.255.0
          next 
      end
    2. Branch2.
      config vpn ipsec phase1-interface
          edit "branch2"
              set interface "wan1"
              set peertype any
              set net-device enable
              set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
              set dpd on-idle
              set remote-gw 22.1.1.1
              set psksecret sample 
              set dpd-retryinterval 5
          next
      end
      config vpn ipsec phase2-interface
          edit "branch2"
              set phase1name "branch2"
              set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
              set auto-negotiate enable
              set src-subnet 192.168.4.0 255.255.255.0
          next 
      end
  6. Configure the firewall policy at the branches.
    1. Branch1.
      config firewall policy
          edit 1
              set name "outbound"
              set srcintf "internal"
              set dstintf "branch1"
              set srcaddr "all"
              set dstaddr "all"
              set action accept
              set schedule "always"
              set service "ALL"
          next
          edit 2
              set name "inbound"
              set srcintf "branch1"
              set dstintf "internal"
              set srcaddr "all"
              set dstaddr "all"
              set action accept
              set schedule "always"
              set service "ALL"
          next
      end
    2. Branch2.
      config firewall policy
          edit 1
              set name "outbound"
              set srcintf "internal"
              set dstintf "branch2"
              set srcaddr "all"
              set dstaddr "all"
              set action accept
              set schedule "always"
              set service "ALL"
          next
          edit 2
              set name "inbound"
              set srcintf "branch2"
              set dstintf "internal"
              set srcaddr "all"
              set dstaddr "all"
              set action accept
              set schedule "always"
              set service "ALL"
          next
      end
  7. Configure the static routes at the branches.
    1. Branch1.
      config router static
          edit 2
              set dst 22.1.1.1/32  
              set gateway 15.1.1.1
              set device "wan1"
              set distance 1       
          next
          edit 3
              set device "branch1"
              set distance 5       
          next
      end
    2. Branch2.
      config router static
          edit 2
              set dst 22.1.1.1/32  
              set gateway 13.1.1.1
              set device "wan1"
              set distance 1       
          next
          edit 3
              set device "branch2"
              set distance 5       
          next
      end
  8. Optionally, view the VPN tunnel list on a branch with the diagnose vpn tunnel list command:
    list all ipsec tunnel in vd 0
    ----
    name=branch1 ver=1 serial=2 15.1.1.2:0->22.1.1.1:0
    bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc  accept_traffic=1
    
    proxyid_num=1 child_num=1 refcnt=19 ilast=0 olast=0 ad=r/2
    stat: rxp=1 txp=1661 rxb=65470 txb=167314
    dpd: mode=on-idle on=1 idle=5000ms retry=3 count=0 seqno=2986
    natt: mode=none draft=0 interval=0 remote_port=0
    proxyid=branch1 proto=0 sa=1 ref=5 serial=1 auto-negotiate adr
      src: 0:0.0.0.0/0.0.0.0:0
      dst: 0:0.0.0.0/0.0.0.0:0
      SA:  ref=6 options=1a227 type=00 soft=0 mtu=1438 expire=697/0B replaywin=1024
           seqno=13a esn=0 replaywin_lastseq=00000000 itn=0
      life: type=01 bytes=0/0 timeout=2368/2400
      dec: spi=c53a8f7e esp=aes key=16 ecee0cd48664d903d3d6822b1f902fd2
           ah=sha1 key=20 2440a189126c222093ca9acd8b37127285f1f8a7
      enc: spi=6e3636fe esp=aes key=16 fdaa20bcc96f74ae9885e824d3efa29d
           ah=sha1 key=20 70c0891c769ad8007ea1f31a39978ffbc73242d0
      dec:pkts/bytes=0/16348, enc:pkts/bytes=313/55962
      npu_flag=03 npu_rgwy=22.1.1.1 npu_lgwy=15.1.1.2 npu_selid=1 dec_npuid=1 enc_npuid=1
  9. Optionally, view static routing table on a branch with the get router info routing-table static command:
    Routing table for VRF=0
    S*      0.0.0.0/0 [5/0] is directly connected, branch1
    S*      22.1.1.1/32 [1/0] via 15.1.1.1, wan1