Full access and RDP only access on FortiGate 200E

Author: cashbuddy (New Member)
2018/07/04 05:10:32 (permalink)

Hi Guys,
 
We need to create two profiles for remote VPN access on the FortiGate.
 
FULL access:
Laptop users have all ports open to the LAN (for RDP/SMB/HTTP(s) traffic to servers) and use UTM-10.20.1.254 as a gateway.
The problem is that when I configured the VPN profile there was no way to assign a gateway. How can I do this?
At the moment the laptop gets 10.20.3.2 and its gateway is 10.20.3.3.
 
RDP access:
Users have access only to their workstations in the office. This is somehow already sorted by allowing only RDP and DNS in the Remote to Local policy.
No gateway is to be assigned; currently it automatically assigns 10.20.3.3.
 
Please see the attached diagram.
 
Kind Regards

Attached Image(s)

#1


    AK (New Member, Germany)
    Re: Full access and RDP only access on FortiGate 200E 2018/07/05 06:11:45 (permalink)
    Do you use SSL VPN or IPsec VPN for remote access?
     
    #2
    cashbuddy (New Member)
    Re: Full access and RDP only access on FortiGate 200E 2018/07/05 06:37:02 (permalink)
    I use an IPsec VPN route-based configuration:
     
    config vpn ipsec phase1-interface
    edit "Full"
    set type dynamic
    set interface "wan"
    set mode aggressive
    set peertype any
    set mode-cfg enable
    set comments "VPN: Full (Created by VPN wizard)"
    set wizard-type dialup-forticlient
    set xauthtype auto
    set authusrgrp "VPN users"
    set ipv4-start-ip 10.20.3.0
    set ipv4-end-ip 10.20.3.250
    set dns-mode auto
    set save-password enable
    set psksecret ENC **removed**
    next
    end
     
    In the policy, "FULL -> Internal" is allowed on all protocols and vice versa.
    This way the laptop has full access to the local network and can even connect to the internet after configuring proxy settings.
     
    This is the IP configuration from the Windows client:
     
    Ethernet adapter Ethernet 2:
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Fortinet Virtual Ethernet Adapter (NDIS 6.30)
    Physical Address. . . . . . . . . : 00-09-0F-FE-00-01
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : fe80::1143:fdc3:7b21:8a2f%8(Preferred)
    IPv4 Address. . . . . . . . . . . : 10.20.3.200(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.255
    Lease Obtained. . . . . . . . . . : 05 July 2018 12:11:32
    Lease Expires . . . . . . . . . . : 11 August 2154 20:56:32
    Default Gateway . . . . . . . . . : 10.20.3.201
    DHCP Server . . . . . . . . . . . : 10.20.3.201
    DHCPv6 IAID . . . . . . . . . . . : 671090959
    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-22-17-67-CE-78-2B-CB-7A-82-2D
    DNS Servers . . . . . . . . . . . : 10.20.1.18
    10.20.1.12
    NetBIOS over Tcpip. . . . . . . . : Enabled
     
     
    Is there a way to assign a gateway in the phase1 or phase2 configuration?
    I checked all CLI options but none of them seems to do what I want.
     
    I partially resolved the issue by adding a static route to another internal network:
     
    config router static
    edit 2
    set status enable
    set dst 192.168.100.0 255.255.255.0
    set gateway 10.20.1.254
    set distance 10
    set weight 0
    set priority 0
    set device "internal"
    set comment ''
    set blackhole disable
    set dynamic-gateway disable
    set virtual-wan-link disable
    set link-monitor-exempt disable
    next
    end
     
    but ideally I would like the FortiGate to assign 10.20.1.254 as the default gateway, not the IP incremented by 1.
     
    #3
    AK (New Member, Germany)
    Re: Full access and RDP only access on FortiGate 200E 2018/07/05 07:51:01 (permalink)
    config vpn ipsec phase1-interface
     
    edit "Full"
     
    use "get" to see all possible entries.
     
    set default-gw 10.20.1.254
    end
     
    Regards
    Andreas
    #4
    ede_pfau (Expert Member, Heidelberg, Germany)
    Re: Full access and RDP only access on FortiGate 200E 2018/07/05 08:17:21 (permalink)
    Is it truly "10.20.0.0/22"? Then all subnets used (10.20.0.x, 10.20.1.x, 10.20.3.x) would be in ONE subnet and thus cannot be specified on different FGT ports. If "/24", then yes.
    If you didn't use Mode Config but DHCP over IPsec, you would have full control over the setting of gateway, NTP server, lease duration, etc.

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #5
    cashbuddy (New Member)
    Re: Full access and RDP only access on FortiGate 200E 2018/07/05 11:48:01 (permalink)
    akrohn
    config vpn ipsec phase1-interface
     
    edit "Full"
     
    use "get" to see all possible entries.
     
    set default-gw 10.20.1.254
    end
     
    Regards
    Andreas


    I tried this before and it doesn't work. The client still gets 10.20.3.201 as gateway and DHCP server.
    Below is the output of the get command:
     
    name : Full
    type : dynamic
    interface : wan
    ip-version : 4
    ike-version : 1
    local-gw : 0.0.0.0
    keylife : 86400
    authmethod : psk
    mode : aggressive
    peertype : any
    exchange-interface-ip: disable
    mode-cfg : enable
    ipv4-wins-server1 : 0.0.0.0
    ipv4-wins-server2 : 0.0.0.0
    proposal : aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
    add-route : enable
    localid :
    localid-type : auto
    negotiate-timeout : 30
    fragmentation : enable
    dpd : on-demand
    forticlient-enforcement: disable
    comments : VPN: Full (Created by VPN wizard)
    npu-offload : enable
    dhgrp : 14 5
    suite-b : disable
    wizard-type : dialup-forticlient
    xauthtype : auto
    reauth : disable
    authusrgrp : VPN users
    idle-timeout : disable
    ha-sync-esp-seqno : enable
    auto-discovery-sender: disable
    auto-discovery-receiver: disable
    auto-discovery-forwarder: disable
    nattraversal : enable
    rekey : enable
    enforce-unique-id : disable
    default-gw : 10.20.1.254
    default-gw-priority : 0
    net-device : disable
    tunnel-search : selectors
    assign-ip : enable
    assign-ip-from : range
    ipv4-start-ip : 10.20.3.200
    ipv4-end-ip : 10.20.3.250
    ipv4-netmask : 255.255.255.255
    dns-mode : auto
    ipv4-exclude-range:
    ipv4-split-include :
    split-include-service:
    ipv6-start-ip : ::
    ipv6-end-ip : ::
    ipv6-prefix : 128
    ipv6-exclude-range:
    ipv6-split-include :
    unity-support : enable
    domain :
    banner :
    include-local-lan : disable
    save-password : enable
    client-auto-negotiate: disable
    client-keep-alive : disable
    backup-gateway :
    psksecret : *
    keepalive : 10
    distance : 15
    priority : 0
    dpd-retrycount : 3
    dpd-retryinterval : 20
     
    ede_pfau
    Is it truly "10.20.0.0/22"? Then all subnets used (10.20.0.x, 10.20.1.x, 10.20.3.x) would be in ONE subnet and thus cannot be specified on different FGT ports. If "/24", then yes.
    If you didn't use Mode Config but DHCP over IPsec, you would have full control over the setting of gateway, NTP server, lease duration, etc.


    Yes, I was trying to set up DHCP over IPsec, but when I was putting in e.g. 10.20.3.x it was saying it's already in use in the "internal" network.
    Could you please provide an example or solution, as I already tried to set it up and failed.
    I will google it in the meantime.
     
    Kind Regards,
    Andrzej
    #6
    cashbuddy (New Member)
    Re: Full access and RDP only access on FortiGate 200E 2018/07/06 00:08:17 (permalink)
    Hi,
     
    I believe this has been fixed by adding a policy route:
     
    VPN interface : vpn_Full_range -> INTERNAL interface : all
     
    Is that a correct solution?
     
    #7
    AK (New Member, Germany)
    Re: Full access and RDP only access on FortiGate 200E 2018/07/06 02:38:53 (permalink)
    Now I see your problem.
    You have configured that all traffic (0.0.0.0/0) goes through the tunnel.
     
    IPv4 Address. . . . . . . . . . . : 10.20.3.200(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.255
    Default Gateway . . . . . . . . . : 10.20.3.201

     
    In this case, your client gets an IP address with a /32 mask, and the FortiGate writes itself as default gateway at IP+1.
    This is normal.
     
    Run "route print" on your client.
    You must see a 0.0.0.0/0 with next hop 10.20.3.201. This is your default gateway when the client is connected.
     
    But the question from ede_pfau is important.
    You have the same subnet configured on 3 interfaces. This only works in transparent mode.
     
    Regards
    Andreas
    #8
    cashbuddy (New Member)
    Re: Full access and RDP only access on FortiGate 200E 2018/07/06 04:07:28 (permalink)
    akrohn
    Now I see your problem.
    You have configured that all traffic (0.0.0.0/0) goes through the tunnel.

    Yes, for RDP users we want very strict access: only RDP is allowed for those clients.
    The Full profile will give users full access to the LAN and internet, but only through another UTM appliance which is on 10.20.1.254. We don't want users to use split tunnel.
     
    akrohn
    IPv4 Address. . . . . . . . . . . : 10.20.3.200(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.255
    Default Gateway . . . . . . . . . : 10.20.3.201

     
    In this case, your client gets an IP address with a /32 mask, and the FortiGate writes itself as default gateway at IP+1.
    This is normal.

    The subnet mask was a mistake; it's 255.255.252.0 now. I'm not sure whether it was me typing it or the FortiGate assigned that mask automatically. Does it mean each client will consume two IP addresses?
     
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Fortinet Virtual Ethernet Adapter (NDIS 6.30)
    Physical Address. . . . . . . . . : 00-09-0F-FE-00-01
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : fe80::1143:fdc3:7b21:8a2f%8(Preferred)
    IPv4 Address. . . . . . . . . . . : 10.20.3.200(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.252.0
    Lease Obtained. . . . . . . . . . : 06 July 2018 11:06:59
    Lease Expires . . . . . . . . . . : 12 August 2154 17:37:00
    Default Gateway . . . . . . . . . : 10.20.3.201
    DHCP Server . . . . . . . . . . . : 10.20.3.201
    DHCPv6 IAID . . . . . . . . . . . : 671090959
    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-22-17-67-CE-78-2B-CB-7A-82-2D
    DNS Servers . . . . . . . . . . . : 10.20.1.18
    10.20.1.12
    NetBIOS over Tcpip. . . . . . . . : Enabled
     
    akrohn
    Run "route print" on your client.
    You must see a 0.0.0.0/0 with next hop 10.20.3.201. This is your default gateway when the client is connected.

    This is what route print command gives me:
     
    Network Destination Netmask Gateway Interface Metric
    0.0.0.0 0.0.0.0 192.168.144.1 192.168.144.101 55
    0.0.0.0 0.0.0.0 10.20.3.201 10.20.3.200 2
    10.20.0.0 255.255.252.0 On-link 10.20.3.200 257
    10.20.3.200 255.255.255.255 On-link 10.20.3.200 257
    10.20.3.255 255.255.255.255 On-link 10.20.3.200 257
    10.20.4.1 255.255.255.255 10.20.3.201 10.20.3.200 1
    87.*.*.* 255.255.255.255 192.168.144.1 192.168.144.101 55
    127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
    127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
    127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
    192.168.144.0 255.255.255.0 On-link 192.168.144.101 311
    192.168.144.101 255.255.255.255 On-link 192.168.144.101 311
    192.168.144.255 255.255.255.255 On-link 192.168.144.101 311
    224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
    224.0.0.0 240.0.0.0 On-link 10.20.3.200 257
    224.0.0.0 240.0.0.0 On-link 192.168.144.101 311
    255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
    255.255.255.255 255.255.255.255 On-link 10.20.3.200 257
    255.255.255.255 255.255.255.255 On-link 192.168.144.101 311
     
    10.20.4.1 is the IP address of the FULL tunnel interface.
     
    akrohn
    But the question from ede_pfau is important.
    You have the same subnet configured on 3 interfaces. This only works in transparent mode.

    No, I think it's a misunderstanding.
     
    fgt_wan: 87.x.x.x/30
    fgt_lan: 10.20.1.9/22
    fgt_ins: 192.168.x.x (this is a gateway for UTM ) 
    fgt_full(tunnel): 10.20.4.1/24 (assigned this when i was testing DHCP over IPSEC) 
     
    fgt_lan is connected to the LAN network and there's another physical UTM appliance (10.20.1.254) which serves as gateway/proxy. Workstations/laptops connected physically to the office network get their IP from the internal DHCP server on 10.20.1.18.
     
    I made another diagram to clarify. The network is much more complicated, as we use three different providers.
     
    Attached Image(s)

    #9
    AK (New Member, Germany)
    Re: Full access and RDP only access on FortiGate 200E 2018/07/06 07:57:29 (permalink)
    What I mean is, when you don't use split tunnel, the FortiClient overwrites the normal default route.
    0.0.0.0 0.0.0.0 10.20.3.201 10.20.3.200 2
    This route has a better metric than your normal default route
    0.0.0.0 0.0.0.0 192.168.144.1 192.168.144.101 55
    2 is better than 55.
    This is the way a VPN client works.
    All traffic goes through the tunnel to the FortiGate.
    At the FortiGate, the routing table decides the way forward.
     
    Does it mean each client will consume two IP addresses? Yes
     
    If I understood correctly, your FULL users use your UTM as default gateway to the Internet?
    But what do you need the VPN remote access for?
     
    #10
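    The route-metric rule in this reply (the /32 tunnel default route with metric 2 beats the LAN default route with metric 55) and ede_pfau's earlier /22 overlap question are both easy to check mechanically. The following is an added example, not code from the thread or from Fortinet; it parses the client's own "route print" rows quoted above (constructed sample below, trimmed to the relevant lines) and uses Python's standard ipaddress module for the overlap test.

```python
import ipaddress

# Constructed sample: the route-print rows cashbuddy posted, trimmed.
ROUTE_PRINT = """\
0.0.0.0 0.0.0.0 192.168.144.1 192.168.144.101 55
0.0.0.0 0.0.0.0 10.20.3.201 10.20.3.200 2
10.20.0.0 255.255.252.0 On-link 10.20.3.200 257
10.20.3.200 255.255.255.255 On-link 10.20.3.200 257
10.20.4.1 255.255.255.255 10.20.3.201 10.20.3.200 1
192.168.144.0 255.255.255.0 On-link 192.168.144.101 311
"""


def parse_routes(text):
    """Turn Windows route-print rows into (network, gateway, interface, metric)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip headers / blank lines
        dest, mask, gateway, iface, metric = parts
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gateway, iface, int(metric)))
    return routes


def effective_default_gateway(routes):
    """Windows forwards via the 0.0.0.0/0 entry with the lowest metric."""
    defaults = [r for r in routes if r[0].prefixlen == 0]
    best = min(defaults, key=lambda r: r[3])
    return best[1], best[2]  # (next hop, local interface address)


def is_full_tunnel(routes, tunnel_iface_ip):
    """True when the winning default route leaves via the VPN adapter,
    i.e. no split tunnel: every packet goes to the FortiGate first."""
    _, iface = effective_default_gateway(routes)
    return iface == tunnel_iface_ip


def lan_overlaps_vpn_pool(lan_cidr, pool_start, pool_end):
    """The 'already in use in internal' error: does the LAN prefix
    (as configured on the FortiGate port) contain the dial-up pool?"""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    return any(ipaddress.ip_address(ip) in lan for ip in (pool_start, pool_end))


if __name__ == "__main__":
    routes = parse_routes(ROUTE_PRINT)
    print("default via", effective_default_gateway(routes))
    print("full tunnel:", is_full_tunnel(routes, "10.20.3.200"))
    print("/22 overlaps pool:", lan_overlaps_vpn_pool("10.20.1.9/22", "10.20.3.200", "10.20.3.250"))
```

With the /22 mask on fgt_lan the pool 10.20.3.200-250 falls inside the LAN prefix, which is why the FortiGate rejected it; with a /24 it does not.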
    cashbuddy (New Member)
    Re: Full access and RDP only access on FortiGate 200E 2018/07/06 08:27:19 (permalink)
    akrohn: If I understood correctly, your FULL users use your UTM as default gateway to the Internet?

    Yes, it's a gateway/proxy to the internet and also a gateway to production systems through a separate fiber line.
    akrohn: But what do you need the VPN remote access for?

    The RDP profile is to allow people to work from home. They need to access their workstations from their home PCs, nothing else.
    FULL is for laptop users, so no matter where they are they can work as if they were in the office. There are different subnets from other site-to-site VPNs and connections to two data centers.
     
    post edited by cashbuddy - 2018/07/06 08:32:37
    #11
    scerazy (Gold Member)
    Re: Full access and RDP only access on FortiGate 200E 2019/03/17 03:10:03 (permalink)
    Honestly, FortiGate is extremely terrible when one compares it to a bog-standard Windows Server VPN (especially Always On VPN) setup.
     
    Just deploy Windows VPN and you will have zero problems.
    I did that and never looked back at FortiGate issues.
     
    Seb
    #12