Support matching firewall policies and policy routes based on source IP geography of dial-up IPsec remote users
This information is also available in the FortiOS 8.0 Administration Guide:
A FortiGate VPN gateway can be configured to route egress traffic to the Internet through a specific interface (port2 or port3) based on the originating geolocation of the ingress client traffic (Canada or US). This can be achieved using FortiClient Secure Internet Access (SIA) configuration together with a policy route to route traffic to the proper egress interface.
Previously, using the supported configuration of Matching IPsec tunnel gateway based on address parameters, IPsec clients with public source IP addresses originating from a specific geolocation (country/region) were matched by specifying the source geography within the IPsec tunnel configuration itself, namely, in the Phase 1 configuration. This meant that for every geolocation to be matched, a new IPsec tunnel, consisting of Phase 1 and Phase 2 settings, needed to be configured.
FortiOS has added support for specifying source geography addresses in firewall policies and policy routes on a FortiGate configured for dial-up IPsec remote access. With this enhancement, a single IPsec tunnel can serve all dial-up clients, and matching of client source IP addresses by geolocation is done by referencing source geography addresses in the firewall policies and policy routes instead of in the Phase 1 configuration.
Example
In this example, the client PC1 behind FGTA with NAT enabled is located in Canada. FGTD is configured as the VPN gateway with:
- Firewall source address (geo-CA) configured with the CA country
- VPN IPsec tunnel
- Firewall policy with geo-CA selected as the source address
This example shows how a firewall policy and policy route involving a dialup IPsec tunnel can both be matched based on the source IP geolocation of incoming dialup clients. FortiOS internally keeps track of the original geolocation of incoming dialup traffic and integrates with firewall policies and with policy routing.
To configure FGTD:
- On FGTD, configure a firewall address with a geolocation country/region:
    config firewall address
        edit "geo-CA"
            set uuid 3c2d2398-9d91-51f0-4c8d-58f43ee65c8a
            set type geography
            set country "CA"
        next
    end
- Configure an IPsec VPN tunnel:
    config vpn ipsec phase1-interface
        edit "Dialup"
            set type dynamic
            set interface "wan1"
            set ike-version 2
            set peertype any
            set net-device disable
            set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
            set dhgrp 20 21
            set wizard-type dialup-fortigate
            set transport auto
            set psksecret ENC *
        next
    end
    config vpn ipsec phase2-interface
        edit "Dialup"
            set phase1name "Dialup"
            set proposal aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
            set dhgrp 20 21
        next
    end
- Configure a firewall policy and select geo-CA as the source address:
    config firewall policy
        edit 1
            set name "vpn_Dialup_local"
            set uuid 9378cc0e-9d8e-51f0-4e0d-a90274db10fb
            set srcintf "port1"
            set dstintf "Dialup"
            set action accept
            set srcaddr "Dialup_local"
            set dstaddr "Dialup_remote"
            set schedule "always"
            set service "ALL"
            set comments "VPN: Dialup -- Created by VPN wizard"
        next
        edit 2
            set name "vpn_Dialup_remote"
            set uuid 937abc9e-9d8e-51f0-c288-04ad4bb6f72f
            set srcintf "Dialup"
            set dstintf "port1"
            set action accept
            set srcaddr "geo-CA"
            set dstaddr "192.168.5.0"
            set schedule "always"
            set service "ALL"
            set comments "VPN: Dialup -- Created by VPN wizard"
        next
    end
- Configure a policy route to ensure client traffic from Canada is routed out of port2:
    config router policy
        edit 1
            set input-device "Dialup"
            set srcaddr "geo-CA"
            set dstaddr "all"
            set gateway 198.51.100.2
            set output-device "port2"
        next
    end
- Verify using the VPN IKE gateway list and the VPN tunnel list:
    - VPN IKE gateway list:
        # diagnose vpn ike gateway list
        vd: root/0
        name: Dialup_0
        version: 2
        interface: port13 19
        addr: 198.51.100.1:500 -> 192.0.2.1:500
        tun_id: 192.0.2.1/::10.0.0.7
        remote_location: 0.0.0.0
        network-id: 0
        transport: UDP
        created: 263s ago
        peer-id: 192.0.2.1
        peer-id-auth: no
        pending-queue: 0
        PPK: no
        IKE SA: created 1/1  established 1/1  time 10/10/10 ms
        IPsec SA: created 1/2  established 1/2  time 0/0/0 ms

          id/spi: 5 7608e6dac7750e94/564ba227bdbd6dee
          direction: responder
          status: established 263-263s ago = 10ms
          proposal: aes128-sha256
          child: no
          SK_ei: 933120ad1055a39a-1c27f7ed4dfb258a
          SK_er: 32520d03666c4cbe-b79c65eff6b69c12
          SK_ai: 37da2c44ddb06cef-ab93d092d0c3ef7b-a182b40e35c98c60-2a6937a90a089707
          SK_ar: 4afc71586c84b9bd-e7e6a247bde21748-072dbdeb992b005c-c8466694bd177444
          PPK: no
          message-id sent/recv: 0/11
          QKD: no
          PQC-KEM (IKE): no
          PQC-KEM (all IPsec): no
          lifetime/rekey: 86400/85866
          DPD sent/recv: 00000000/00000000
          peer-id: 192.0.2.1
    - VPN tunnel list (the dial-up instance tunnel carries the client's geolocation as country=CA):
        # diagnose vpn tunnel list
        list all ipsec tunnel in vd 0
        ------------------------------------------------------
        name=Dialup_0 ver=2 serial=7 198.51.100.1:0->192.0.2.1:0 nexthop=198.51.100.2 tun_id=192.0.2.1 tun_id6=::10.0.0.7 status=up dst_mtu=1500 weight=1 country=CA
        bound_if=19 real_if=19 lgwy=static/1 tun=intf mode=dial_inst/3 encap=none options[0x22a8]=npu rgwy-chg frag-rfc run_state=0 role=primary accept_traffic=1 overlay_id=0
        parent=Dialup index=0
        proxyid_num=1 child_num=0 refcnt=5 ilast=105 olast=106 ad=/0
        stat: rxp=159 txp=4 rxb=24588 txb=336
        dpd: mode=on-demand on=1 status=ok idle=20000ms retry=3 count=0 seqno=0
        natt: mode=none draft=0 interval=0 remote_port=0
        fec: egress=0 ingress=0
        proxyid=Dialup proto=0 sa=1 ref=2 serial=2 add-route
          src: 0:192.168.5.0-192.168.5.255:0
          dst: 0:10.1.100.0-10.1.100.255:0
          SA: ref=6 options=6a6 type=00 soft=0 mtu=1438 expire=43075/0B replaywin=2048
               seqno=405 esn=0 replaywin_lastseq=00000013 qat=0 rekey=0 hash_search_len=1
          life: type=01 bytes=0/0 timeout=43186/43200
          dec: spi=9dc42e9e esp=aes key=16 e3c82f72ce497d27736b120cda74f23a
               ah=sha256 key=32 b9702181e33b8b4986b4d3b847bfe0307231ee423dc8651085dcfe58d88771c8
          enc: spi=c8e99d60 esp=aes key=16 c40474714b560d0855653089b4cea604
               ah=sha256 key=32 45bf85337226f86b9a7774657170b206db1df5b40a9eb31a3ec2bb79949c9b32
          dec:pkts/bytes=2/168, enc:pkts/bytes=4/624
          npu_flag=03 npu_rgwy=192.0.2.1:0 npu_lgwy=198.51.100.1:0 npu_selid=8 dec_npuid=1 enc_npuid=1 dec_engid=-1 enc_engid=-1 dec_saidx=11 enc_saidx=8
        ------------------------------------------------------
        name=Dialup ver=2 serial=1 198.51.100.1:0->0.0.0.0:0 nexthop=198.51.100.2 tun_id=10.0.0.1 tun_id6=::10.0.0.1 status=up dst_mtu=0 weight=1
        bound_if=19 real_if=0 lgwy=static/1 tun=intf mode=dialup/2 encap=none options[0x228]=npu frag-rfc role=primary accept_traffic=1 overlay_id=0
        proxyid_num=0 child_num=1 refcnt=3 ilast=42952401 olast=42952401 ad=/0
        stat: rxp=734 txp=114 rxb=113640 txb=9576
        dpd: mode=on-demand on=0 status=ok idle=20000ms retry=3 count=0 seqno=0
        natt: mode=none draft=0 interval=0 remote_port=0
        fec: egress=0 ingress=0
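As an added illustration (not from the FortiOS documentation or the FortiGate itself), the following Python parses the `diagnose vpn tunnel list` output format shown above and works out, for each dial-up instance, which policy route egress interface its traffic would take given the geography-based policy routes. The sample output is constructed to mirror the format above, and the second instance (`Dialup_1`, US, routed to port3) and its policy route are assumptions added to show the multi-country case; an instance whose country matches no route is reported with no egress so it can be alerted on.

```python
import re

# Constructed sample modeled on the `diagnose vpn tunnel list` output above (not captured from a device).
# Dialup_0/CA mirrors the page; Dialup_1/US is an assumed second client from another geography.
TUNNEL_LIST = """\
list all ipsec tunnel in vd 0
------------------------------------------------------
name=Dialup_0 ver=2 serial=7 198.51.100.1:0->192.0.2.1:0 nexthop=198.51.100.2 tun_id=192.0.2.1 status=up dst_mtu=1500 weight=1 country=CA
bound_if=19 real_if=19 lgwy=static/1 tun=intf mode=dial_inst/3 encap=none parent=Dialup index=0
------------------------------------------------------
name=Dialup_1 ver=2 serial=8 198.51.100.1:0->203.0.113.9:0 nexthop=198.51.100.2 tun_id=203.0.113.9 status=up dst_mtu=1500 weight=1 country=US
bound_if=19 real_if=19 lgwy=static/1 tun=intf mode=dial_inst/3 encap=none parent=Dialup index=1
------------------------------------------------------
name=Dialup ver=2 serial=1 198.51.100.1:0->0.0.0.0:0 nexthop=198.51.100.2 tun_id=10.0.0.1 status=up dst_mtu=0 weight=1
bound_if=19 real_if=0 lgwy=static/1 tun=intf mode=dialup/2 encap=none
"""

# Policy routes as (input-device, country of the geography srcaddr, output-device).
# The CA -> port2 entry is the page's policy route; the US -> port3 entry is assumed.
POLICY_ROUTES = [
    ("Dialup", "CA", "port2"),
    ("Dialup", "US", "port3"),
]


def parse_tunnel_list(text):
    """Split the diagnose output on its dashed separators and collect key=value fields per tunnel."""
    tunnels = []
    for block in re.split(r"^-{10,}$", text, flags=re.M):
        fields = dict(re.findall(r"(\w+)=(\S+)", block))  # later duplicate keys (e.g. proxyid serial) win
        if "name" in fields:
            # The peer address sits in the "local:port->peer:port" token, which carries no key.
            fields["peer"] = re.search(r"->(\S+?):\d+", block).group(1)
            tunnels.append(fields)
    return tunnels


def egress_for(tunnel, routes=POLICY_ROUTES):
    """Return the output-device a dial-up instance's traffic takes, or None if no geography route matches."""
    if not tunnel.get("mode", "").startswith("dial_inst"):
        return None  # the parent dial-up template carries no client traffic itself
    for input_device, country, output_device in routes:
        if tunnel.get("parent") == input_device and tunnel.get("country") == country:
            return output_device
    return None


def egress_report(text=TUNNEL_LIST):
    """Map tunnel name -> (peer address, country tag, egress interface or None)."""
    return {t["name"]: (t["peer"], t.get("country"), egress_for(t)) for t in parse_tunnel_list(text)}
```

Run `egress_report()` against the pasted output of the real command; an instance that comes back with a country but no egress is a dial-up client from a geography your policy routes and geo-restricted firewall policies do not cover.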