IKE Mode Config clients
IKE Mode Config is an alternative to DHCP over IPsec. It allows dialup VPN clients to obtain a virtual IP address, network, DNS, and other configuration settings from the VPN server. A FortiGate can be configured as either an IKE Mode Config server or client.
IKE Mode Config can configure the host IP address, domain, DNS addresses, and WINS addresses. IPsec parameters such as the gateway address and the encryption and authentication algorithms must still be configured locally. Several network equipment vendors support IKE Mode Config.
An IKE Mode Config server or client is configured using config vpn ipsec phase1-interface and involves the following parameters:
Parameter | Description
---|---
ike-version {1 \| 2} | IKE v1 is the default for FortiGate IPsec VPNs. IKE Mode Config is also compatible with IKE v2.
mode-cfg {enable \| disable} | Enable/disable IKE Mode Config.
type {static \| dynamic \| ddns} | If you set
assign-ip {enable \| disable} | Enable to request an IP address from the server. This configuration is for IKE Mode Config clients only.
interface <interface_name> | Specify the physical, aggregate, or VLAN interface to which the IPsec tunnel will be bound.
proposal <encryption_combination> | The encryption and authentication settings that the client will accept.
ip-version {4 \| 6} | By default, IPsec VPNs use IPv4 addressing.
ipv4-split-include <string>, ipv6-split-include <string> | Mode Config server configuration. Applicable to IKEv1 and IKEv2. Specify the firewall address or address group that represents the subnets that the clients will have access to. This information is sent to the clients so that default traffic does not flow over the IPsec tunnel except for the specified subnets.
split-include-service <string> | Mode Config server configuration. Applicable to IKEv1 and IKEv2. Specify the service or service group that represents the services that the clients will have access to. This information is sent to the clients so that default traffic does not flow over the IPsec tunnel except for the specified services.
ipv4-split-exclude <string>, ipv6-split-exclude <string> | Specify the subnets that should not be accessed over the IPsec tunnel. This information is sent to the clients so that all default traffic flows over the IPsec tunnel except for the specified subnets.
Creating an IKE Mode Config client
In this example, the FortiGate connects to a VPN gateway with a static IP address that can be reached through port 1. Only the port, gateway, and proposal information needs to be configured. All other configuration information will come from the IKE Mode Config server.
To configure an IKE Mode Config client:
```
config vpn ipsec phase1-interface
    edit vpn1
        set ip-version 4
        set type static
        set remote-gw <gw_address>
        set interface port1
        set proposal 3des-sha1 aes128-sha1
        set mode-cfg enable
        set assign-ip enable
    next
end
```
Split-exclude in IKEv1
The split-exclude option specifies that default traffic flows over the IPsec tunnel except for specified subnets. This is the opposite of split-include, which specifies that default traffic should not flow over the IPsec tunnel except for specified subnets. The split-include and split-exclude options can be specified at the same time.
To configure split-exclude:
```
config vpn ipsec phase1-interface
    edit <name>
        set ike-version 1
        set type dynamic
        set mode-cfg enable
        set ipv4-split-exclude <string>
        set ipv6-split-exclude <string>
    next
end
```
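The following Python model, added here as an example (it is not FortiOS code and not part of the original page), makes the split-include versus split-exclude semantics concrete: given the subnets behind the four split parameters and a destination address, it reports whether that destination is sent into the tunnel. It assumes the firewall address objects named in the CLI have already been resolved to CIDR strings, and it assumes that where an include and an exclude entry overlap, the exclude entry wins; that precedence is an assumption of this model, not something the page states.

```python
# Added example: a model of the split-include / split-exclude decision.
# Not FortiOS code; subnet lists and destinations below are constructed.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List


@dataclass
class SplitConfig:
    """Subnets behind the four phase1-interface split parameters.

    The FortiGate CLI takes firewall address/group names; this model assumes
    those objects have already been resolved to CIDR strings.
    """
    ipv4_split_include: List[str] = field(default_factory=list)
    ipv6_split_include: List[str] = field(default_factory=list)
    ipv4_split_exclude: List[str] = field(default_factory=list)
    ipv6_split_exclude: List[str] = field(default_factory=list)


def _nets(cidrs: List[str]):
    return [ip_network(c, strict=False) for c in cidrs]


def goes_over_tunnel(dst: str, cfg: SplitConfig) -> bool:
    """True if traffic to dst is routed into the IPsec tunnel.

    - no split config for the address family: default traffic goes over the tunnel
    - split-include set: only the listed subnets go over the tunnel
    - split-exclude set: everything except the listed subnets goes over the tunnel
    - both set: the included subnets minus the excluded ones (assumption: an
      exclude entry takes precedence over an overlapping include entry)
    """
    addr = ip_address(dst)
    if addr.version == 4:
        includes = _nets(cfg.ipv4_split_include)
        excludes = _nets(cfg.ipv4_split_exclude)
    else:
        includes = _nets(cfg.ipv6_split_include)
        excludes = _nets(cfg.ipv6_split_exclude)

    if any(addr in n for n in excludes):
        return False          # explicitly excluded: stays on the local path
    if includes:
        return any(addr in n for n in includes)   # split-include: tunnel only listed subnets
    return True               # no include list: default traffic over the tunnel


def classify(dsts: List[str], cfg: SplitConfig) -> Dict[str, bool]:
    """Evaluate several destinations at once against one client configuration."""
    return {d: goes_over_tunnel(d, cfg) for d in dsts}


if __name__ == "__main__":
    # Constructed configuration: corporate LAN included, one lab subnet excluded.
    cfg = SplitConfig(ipv4_split_include=["10.0.0.0/8"],
                      ipv4_split_exclude=["10.99.0.0/16"],
                      ipv6_split_include=["2001:db8::/32"])
    for dst, tunnelled in classify(["10.1.2.3", "10.99.1.1", "8.8.8.8", "2001:db8::1"], cfg).items():
        print(f"{dst:>14} -> {'tunnel' if tunnelled else 'local'}")
```

Because IPv4 and IPv6 lists are separate CLI parameters, the model keeps them separate too: setting only ipv6-split-include leaves IPv4 destinations on the full-tunnel default.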
Creating an IKE Mode Config server
To configure IKE Mode Config settings, the following must be configured first:
```
config vpn ipsec phase1-interface
    edit "vpn-p1"
        set type dynamic
        set interface <interface_name>
        set ike-version <1 | 2>
        set mode-cfg enable
        set proposal <encryption_combination>
        set ip-version <4 | 6>
    next
end
```
In this example, the FortiGate assigns IKE Mode Config clients addresses in the range of 10.11.101.160 - 10.11.101.180. DNS and WINS server addresses are also provided. The public interface of the FortiGate unit is port1.
When IKE Mode-Configuration is enabled, multiple server IPs can be defined in IPsec phase 1.
The ipv4-split-include parameter specifies a firewall address (OfficeLAN), which represents the networks that the clients will have access to. This destination IP address information is sent to the clients.
To configure an IKE Mode Config server:
```
config vpn ipsec phase1-interface
    edit "vpn-p1"
        set type dynamic
        set interface "wan1"
        set xauthtype auto
        set mode aggressive
        set mode-cfg enable
        set proposal 3des-sha1 aes128-sha1
        set dpd disable
        set dhgrp 2
        set authusrgrp "FG-Group1"
        set ipv4-start-ip 10.10.10.10
        set ipv4-end-ip 10.10.10.20
        set ipv4-dns-server1 1.1.1.1
        set ipv4-dns-server2 2.2.2.2
        set ipv4-dns-server3 3.3.3.3
        set ipv4-wins-server1 4.4.4.4
        set ipv4-wins-server2 5.5.5.5
        set domain "fgt1c-domain"
        set banner "fgt111C-banner"
        set backup-gateway "100.100.100.1" "host1.com" "host2"
        set ipv4-split-include OfficeLAN
    next
end
```
Assigning IP addresses
Once the basic configuration is enabled, you can configure IP address assignment for clients, as well as DNS and WINS server assignments. Usually you will want to assign IP addresses to clients. The easiest way is to assign addresses from a specific range, similar to a DHCP server.
To assign an IP from an address range:
```
config vpn ipsec phase1-interface
    edit vpn1
        set ip-version 4
        set assign-ip enable
        set assign-ip-from range
        set ipv4-start-ip <range_start>
        set ipv4-end-ip <range_end>
        set ipv4-netmask <netmask>
    next
end
```
To assign an IP from a named firewall address or group:
```
config vpn ipsec phase1-interface
    edit vpn1
        set type dynamic
        set assign-ip-from name
        set ipv4-name <name>
        set ipv6-name <name>
    next
end
```
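As an added example (not FortiOS code and not from the original page), the Python helper below sanity-checks an ipv4-start-ip / ipv4-end-ip / ipv4-netmask triple before it is pasted into the CLI, reports the pool size, flags two phase1 tunnels whose pools overlap, and renders the range-assignment block shown above. The checks it applies (start not above end, both ends inside the subnet implied by the netmask, no overlap between tunnels) are operational sanity checks I am adding; the page does not document them as FortiOS rules.

```python
# Added example: validate and render an IKE Mode Config IPv4 address pool.
# Not FortiOS code; the pools below are constructed for illustration.
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Tuple


def validate_ipv4_pool(start: str, end: str, netmask: str) -> Dict[str, object]:
    """Check a start/end/netmask triple and return the subnet and pool size.

    Assumed sanity rules (not quoted from FortiOS documentation):
    - ipv4-start-ip must not be above ipv4-end-ip
    - both ends must lie in the subnet derived from ipv4-netmask
    """
    s, e = IPv4Address(start), IPv4Address(end)
    if s > e:
        raise ValueError(f"ipv4-start-ip {start} is above ipv4-end-ip {end}")
    # ipaddress accepts a dotted netmask after the slash; strict=False keeps host bits.
    net = IPv4Network(f"{start}/{netmask}", strict=False)
    if e not in net:
        raise ValueError(f"range {start}-{end} crosses the {net} subnet boundary")
    return {"network": str(net), "size": int(e) - int(s) + 1}


def pools_overlap(a: Tuple[str, str], b: Tuple[str, str]) -> bool:
    """True if two (start, end) pools share at least one address.

    Two phase1-interface tunnels handing out the same address to different
    clients is a classic misconfiguration; catch it before deployment.
    """
    a0, a1 = IPv4Address(a[0]), IPv4Address(a[1])
    b0, b1 = IPv4Address(b[0]), IPv4Address(b[1])
    return a0 <= b1 and b0 <= a1


def render_pool_cli(name: str, start: str, end: str, netmask: str) -> str:
    """Return the FortiOS CLI block for range-based assignment, after validation."""
    validate_ipv4_pool(start, end, netmask)
    lines = [
        "config vpn ipsec phase1-interface",
        f"    edit {name}",
        "        set ip-version 4",
        "        set assign-ip enable",
        "        set assign-ip-from range",
        f"        set ipv4-start-ip {start}",
        f"        set ipv4-end-ip {end}",
        f"        set ipv4-netmask {netmask}",
        "    next",
        "end",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed pools: the second one overlaps the first by six addresses.
    print(validate_ipv4_pool("10.10.10.10", "10.10.10.20", "255.255.255.0"))
    print("overlap:", pools_overlap(("10.10.10.10", "10.10.10.20"),
                                    ("10.10.10.15", "10.10.10.30")))
    print(render_pool_cli("vpn1", "10.10.10.10", "10.10.10.20", "255.255.255.0"))
```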
RADIUS server
If the client is authenticated by a RADIUS server, you can obtain the user’s IP address assignment from the Framed-IP-Address attribute. The user must be authenticated using XAuth.
The users must be authenticated by a RADIUS server and assigned to the FortiGate user group <grp_name>. Since the IP address is not static, type is set to dynamic and mode-cfg is enabled. With IKE Mode Config, compatible clients can configure themselves with settings provided by the FortiGate.
To assign an IP from a RADIUS server:
```
config vpn ipsec phase1-interface
    edit vpn1
        set type dynamic
        set mode-cfg enable
        set assign-ip enable
        set assign-ip-from usrgrp
        set xauthtype auto
        set authusrgrp <grp_name>
    next
end
```
DHCP server
IKE Mode Config can use a remote DHCP server to assign the client IP addresses. Up to eight server addresses can be selected for either IPv4 or IPv6. The DHCP proxy must be enabled first.
To assign an IP from a DHCP server:
```
config system settings
    set dhcp-proxy enable
    set dhcp-server-ip <address>
    set dhcp6-server-ip <address>
end
```
```
config vpn ipsec phase1-interface
    edit vpn1
        set mode-cfg enable
        set assign-ip-from dhcp
    next
end
```
Certificate groups
IKE certificate groups consisting of up to four RSA certificates can be used in IKE phase 1. Since CA and local certificates are global, the IKE daemon loads them once for all VDOMs and indexes them into trees based on subject and public key hash (for CA certificates), or certificate name (for local certificates). Certificates are linked together based on the issuer, and certificate chains are built by traversing these links. This reduces the need to keep multiple copies of certificates that could exist in multiple chains.
To configure the IKE local ID:
```
config vpn certificate local
    edit <name>
        set ike-localid <string>
        set ike-localid-type {asnldn | fqdn}
    next
end
```
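The chain-building mechanism described in the Certificate groups section (CA certificates indexed by subject and by public key hash, local certificates by name, chains built by following issuer links so that a shared intermediate is stored once) is modelled by the following added Python example. It is illustrative code, not the FortiGate IKE daemon; the certificate records are constructed dictionaries with made-up subjects and key hashes rather than parsed X.509, and the loop guard is an addition of this model.

```python
# Added example: a model of the certificate index and issuer-link chain walk
# described above. Not FortiOS code; all certificate records are constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Cert:
    name: str        # certificate name (index key for local certificates)
    subject: str
    issuer: str
    spki_hash: str   # stands in for the public key hash (constructed values)
    is_ca: bool


class CertStore:
    """One global store: CA certs indexed by subject and key hash, local by name."""

    def __init__(self, certs: List[Cert]):
        self.ca_by_subject: Dict[str, Cert] = {}
        self.ca_by_key: Dict[str, Cert] = {}
        self.local_by_name: Dict[str, Cert] = {}
        for c in certs:
            if c.is_ca:
                self.ca_by_subject[c.subject] = c
                self.ca_by_key[c.spki_hash] = c
            else:
                self.local_by_name[c.name] = c

    def build_chain(self, local_name: str) -> Tuple[List[Cert], bool]:
        """Walk issuer links from a local cert up to a self-signed root.

        Returns (chain, complete). complete is False when an issuer is missing
        from the store or the issuer links form a loop.
        """
        leaf = self.local_by_name[local_name]
        chain, seen, cur = [leaf], {leaf.spki_hash}, leaf
        while cur.subject != cur.issuer:          # a self-signed cert ends the chain
            parent = self.ca_by_subject.get(cur.issuer)
            if parent is None:
                return chain, False               # issuer not loaded: incomplete chain
            if parent.spki_hash in seen:
                return chain, False               # issuer loop: refuse to spin forever
            seen.add(parent.spki_hash)
            chain.append(parent)
            cur = parent
        return chain, True


# Constructed certificates: one root, one issuing CA, two leaves sharing that
# issuing CA, and one leaf whose issuer is not in the store.
ROOT = Cert("Root_CA", "CN=Example Root", "CN=Example Root", "h-root", True)
INTER = Cert("Issuing_CA", "CN=Example Issuing", "CN=Example Root", "h-inter", True)
VPN = Cert("vpn-p1-cert", "CN=vpn.example.test", "CN=Example Issuing", "h-vpn", False)
ADMIN = Cert("admin-cert", "CN=admin.example.test", "CN=Example Issuing", "h-admin", False)
ORPHAN = Cert("orphan-cert", "CN=orphan.example.test", "CN=Unknown CA", "h-orphan", False)

STORE = CertStore([ROOT, INTER, VPN, ADMIN, ORPHAN])


def chain_names(store: CertStore, local_name: str) -> List[str]:
    return [c.name for c in store.build_chain(local_name)[0]]


if __name__ == "__main__":
    for name in ("vpn-p1-cert", "admin-cert", "orphan-cert"):
        chain, complete = STORE.build_chain(name)
        print(name, "->", [c.name for c in chain], "complete" if complete else "INCOMPLETE")
```

Both leaves resolve to the same Issuing_CA object from the shared index, which is the point the page makes about not keeping one copy of a certificate per chain.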