This is a sample configuration of tunneled internet browsing using a dialup VPN. To centralize network management and control, all branch office traffic is tunneled to HQ, including Internet browsing.
To configure a dialup VPN to tunnel Internet browsing using the GUI:
- Configure the dialup VPN server FortiGate at HQ:
- Go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
- Enter a VPN name, in this example, HQ.
- For Template Type, select Site to Site.
- For Remote Device Type, select FortiGate.
- For NAT Configuration, select The remote site is behind NAT.
- Click Next.
- Configure the following settings for Authentication:
- For Incoming Interface, select port9.
- For Authentication Method, select Pre-shared Key.
- In the Pre-shared Key field, enter sample as the key.
- Click Next.
- Configure the following settings for Policy & Routing:
- From the Local Interface dropdown menu, select port10.
- Configure the Local Subnets as 172.16.101.0.
- Configure the Remote Subnets as 0.0.0.0/0.
- For Internet Access, select Share Local.
- For Shared WAN, select port9.
- Click Create.
- Go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
- Configure the dialup VPN client FortiGate at a branch:
- Go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
- Enter a VPN name, in this example, Branch1 or Branch2.
- For Template Type, select Site to Site.
- For Remote Device Type, select FortiGate.
- For NAT Configuration, select The remote site is behind NAT.
- Click Next.
- Configure the following settings for Authentication:
- For IP Address, select Remote Device and enter 22.1.1.1.
- For Outgoing Interface, select wan1.
- For Authentication Method, select Pre-shared Key.
- In the Pre-shared Key field, enter sample as the key.
- Click Next.
- Configure the following settings for Policy & Routing:
- From the Local Interface dropdown menu, select internal.
- Configure the Local Subnets as 10.1.100.0/192.1684.0.
- Configure the Remote Subnets as 0.0.0.0/0.
- For Internet Access, select Use Remote.
- Configure the Local Gateway to 15.1.1.1/13.1.1.1.
- Click Create.
- Go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
To configure a dialup VPN to tunnel Internet browsing using the CLI:
- Configure the WAN interface and static route on the FortiGate at HQ.
config system interface edit "port9" set alias "WAN" set ip 22.1.1.1 255.255.255.0 next edit "port10" set alias "Internal" set ip 172.16.101.1 255.255.255.0 next end config router static edit 1 set gateway 22.1.1.2 set device "port9" next end - Configure IPsec phase1-interface and phase2-interface configuration at HQ.
config vpn ipsec phase1-interface edit "HQ" set type dynamic set interface "port9" set peertype any set net-device enable set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set dpd on-idle set psksecret sample set dpd-retryinterval 60 next end config vpn ipsec phase2-interface edit "HQ" set phase1name "HQ" set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305 next end - Configure the firewall policy at HQ.
config firewall policy edit 1 set srcintf "HQ" set dstintf "port9" "port10" set srcaddr "10.1.100.0" "192.168.4.0" set dstaddr "all" set action accept set schedule "always" set service "ALL" set nat enable next end - Configure the WAN interface and static route on the FortiGate at the branches.
- Branch1.
config system interface edit "wan1" set ip 15.1.1.2 255.255.255.0 next edit "internal" set ip 10.1.100.1 255.255.255.0 next end config router static edit 1 set gateway 15.1.1.1 set device "wan1" next end - Branch2.
config system interface edit "wan1" set ip 13.1.1.2 255.255.255.0 next edit "internal" set ip 192.168.4.1 255.255.255.0 next end config router static edit 1 set gateway 13.1.1.1 set device "wan1" next end
- Branch1.
- Configure IPsec phase1-interface and phase2-interface configuration at the branches.
- Branch1.
config vpn ipsec phase1-interface edit "branch1" set interface "wan1" set peertype any set net-device enable set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set dpd on-idle set remote-gw 22.1.1.1 set psksecret sample set dpd-retryinterval 5 next end config vpn ipsec phase2-interface edit "branch1" set phase1name "branch1" set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305 set auto-negotiate enable set src-subnet 10.1.100.0 255.255.255.0 next end - Branch2.
config vpn ipsec phase1-interface edit "branch2" set interface "wan1" set peertype any set net-device enable set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set dpd on-idle set remote-gw 22.1.1.1 set psksecret sample set dpd-retryinterval 5 next end config vpn ipsec phase2-interface edit "branch2" set phase1name "branch2" set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305 set auto-negotiate enable set src-subnet 192.168.4.0 255.255.255.0 next end
- Branch1.
- Configure the firewall policy at the branches.
- Branch1.
config firewall policy edit 1 set name "outbound" set srcintf "internal" set dstintf "branch1" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" next edit 2 set name "inbound" set srcintf "branch1" set dstintf "internal" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" next end - Branch2.
config firewall policy edit 1 set name "outbound" set srcintf "internal" set dstintf "branch2" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" next edit 2 set name "inbound" set srcintf "branch2" set dstintf "internal" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" next end
- Branch1.
- Configure the static routes at the branches.
- Branch1.
config router static edit 2 set dst 22.1.1.1/32 set gateway 15.1.1.1 set device "wan1" set distance 1 next edit 3 set device "branch1" set distance 5 next end - Branch2.
config router static edit 2 set dst 22.1.1.1/32 set gateway 13.1.1.1 set device "wan1" set distance 1 next edit 3 set device "branch2" set distance 5 next end
- Branch1.
- Optionally, view the VPN tunnel list on a branch with the
diagnose vpn tunnel listcommand:list all ipsec tunnel in vd 0 ---- name=branch1 ver=1 serial=2 15.1.1.2:0->22.1.1.1:0 bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=1 proxyid_num=1 child_num=1 refcnt=19 ilast=0 olast=0 ad=r/2 stat: rxp=1 txp=1661 rxb=65470 txb=167314 dpd: mode=on-idle on=1 idle=5000ms retry=3 count=0 seqno=2986 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=branch1 proto=0 sa=1 ref=5 serial=1 auto-negotiate adr src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0 SA: ref=6 options=1a227 type=00 soft=0 mtu=1438 expire=697/0B replaywin=1024 seqno=13a esn=0 replaywin_lastseq=00000000 itn=0 life: type=01 bytes=0/0 timeout=2368/2400 dec: spi=c53a8f7e esp=aes key=16 ecee0cd48664d903d3d6822b1f902fd2 ah=sha1 key=20 2440a189126c222093ca9acd8b37127285f1f8a7 enc: spi=6e3636fe esp=aes key=16 fdaa20bcc96f74ae9885e824d3efa29d ah=sha1 key=20 70c0891c769ad8007ea1f31a39978ffbc73242d0 dec:pkts/bytes=0/16348, enc:pkts/bytes=313/55962 npu_flag=03 npu_rgwy=22.1.1.1 npu_lgwy=15.1.1.2 npu_selid=1 dec_npuid=1 enc_npuid=1 - Optionally, view static routing table on a branch with the
get router info routing-table staticcommand:Routing table for VRF=0 S* 0.0.0.0/0 [5/0] is directly connected, branch1 S* 22.1.1.1/32 [1/0] via 15.1.1.1, wan1