Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
cashbuddy
New Contributor

Full access and RDP only access on FortiGate 200E

Hi Guys,

 

We need to create two profiles for Remote VPN access on Fortigate 

 

FULL access:

Laptop users have all ports open to the LAN (for RDP/SMB/HTTP(s) traffic to servers) and use the UTM at 10.20.1.254 as a gateway.

The problem is that when I configured the VPN profile there was no way to assign a gateway. How can I do this?

At the moment the laptop gets 10.20.3.2 and its gateway is 10.20.3.3.

 

RDP access:

Users have access only to their workstations in the office. This is somehow already sorted by allowing only RDP and DNS in the Remote to Local policy.

No gateway to be assigned; currently it automatically assigns 10.20.3.3.

 

Please see attached diagram

 

Kind Regards

AK
New Contributor

Do you use SSLVPN or IPSec VPN for Remote Access ?

 

cashbuddy
New Contributor

I use IPSEC VPN Route-based configuration:

 

config vpn ipsec phase1-interface
    edit "Full"
        set type dynamic
        set interface "wan"
        set mode aggressive
        set peertype any
        set mode-cfg enable
        set comments "VPN: Full (Created by VPN wizard)"
        set wizard-type dialup-forticlient
        set xauthtype auto
        set authusrgrp "VPN users"
        set ipv4-start-ip 10.20.3.0
        set ipv4-end-ip 10.20.3.250
        set dns-mode auto
        set save-password enable
        set psksecret ENC **removed**
    next
end

 

In the policy, "FULL -> Internal" is allowed on all protocols and vice versa.

This way the laptop has full access to the local network and can even connect to the internet after configuring proxy settings.

 

This is the IP configuration from the Windows client:

 

Ethernet adapter Ethernet 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Fortinet Virtual Ethernet Adapter (NDIS 6.30)
   Physical Address. . . . . . . . . : 00-09-0F-FE-00-01
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::1143:fdc3:7b21:8a2f%8(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.20.3.200(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Lease Obtained. . . . . . . . . . : 05 July 2018 12:11:32
   Lease Expires . . . . . . . . . . : 11 August 2154 20:56:32
   Default Gateway . . . . . . . . . : 10.20.3.201
   DHCP Server . . . . . . . . . . . : 10.20.3.201
   DHCPv6 IAID . . . . . . . . . . . : 671090959
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-22-17-67-CE-78-2B-CB-7A-82-2D
   DNS Servers . . . . . . . . . . . : 10.20.1.18
                                       10.20.1.12
   NetBIOS over Tcpip. . . . . . . . : Enabled

 

 

Is there a way to assign a gateway in the phase1 or phase2 configuration?

I checked all CLI options but none of them seems to do what I want.

 

I partially resolved the issue by adding a static route to another internal network:

 

config router static
    edit 2
        set status enable
        set dst 192.168.100.0 255.255.255.0
        set gateway 10.20.1.254
        set distance 10
        set weight 0
        set priority 0
        set device "internal"
        set comment ''
        set blackhole disable
        set dynamic-gateway disable
        set virtual-wan-link disable
        set link-monitor-exempt disable
    next
end

 

But ideally I would like the FortiGate to assign 10.20.1.254 as the default gateway, not the IP incremented by 1.

 

AK
New Contributor

config vpn ipsec phase1-interface

 

edit "Full"

 

use "get" to see all possible entries.

 

set default-gw 10.20.1.254

end

 

Regards

Andreas

ede_pfau
Esteemed Contributor III

Is it truly "10.20.0.0/22"? Then all subnets used (10.20.0.x, 10.20.1.x, 10.20.3.x) would be in ONE subnet and thus cannot be specified on different FGT ports. If "/24", then yes.

If you didn't use Mode Config but DHCP over IPsec, you would have full control over the setting of gateway, NTP server, lease duration etc.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
cashbuddy

akrohn wrote:

config vpn ipsec phase1-interface

 

edit "Full"

 

use "get" to see all possible entries.

 

set default-gw 10.20.1.254

end

 

Regards

Andreas

Tried this before and it doesn't work. Client still gets 10.20.3.201 as gateway and DHCP server.

Below is the output of the get command:

 

name                    : Full
type                    : dynamic
interface               : wan
ip-version              : 4
ike-version             : 1
local-gw                : 0.0.0.0
keylife                 : 86400
authmethod              : psk
mode                    : aggressive
peertype                : any
exchange-interface-ip   : disable
mode-cfg                : enable
ipv4-wins-server1       : 0.0.0.0
ipv4-wins-server2       : 0.0.0.0
proposal                : aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
add-route               : enable
localid                 :
localid-type            : auto
negotiate-timeout       : 30
fragmentation           : enable
dpd                     : on-demand
forticlient-enforcement : disable
comments                : VPN: Full (Created by VPN wizard)
npu-offload             : enable
dhgrp                   : 14 5
suite-b                 : disable
wizard-type             : dialup-forticlient
xauthtype               : auto
reauth                  : disable
authusrgrp              : VPN users
idle-timeout            : disable
ha-sync-esp-seqno       : enable
auto-discovery-sender   : disable
auto-discovery-receiver : disable
auto-discovery-forwarder: disable
nattraversal            : enable
rekey                   : enable
enforce-unique-id       : disable
default-gw              : 10.20.1.254
default-gw-priority     : 0
net-device              : disable
tunnel-search           : selectors
assign-ip               : enable
assign-ip-from          : range
ipv4-start-ip           : 10.20.3.200
ipv4-end-ip             : 10.20.3.250
ipv4-netmask            : 255.255.255.255
dns-mode                : auto
ipv4-exclude-range      :
ipv4-split-include      :
split-include-service   :
ipv6-start-ip           : ::
ipv6-end-ip             : ::
ipv6-prefix             : 128
ipv6-exclude-range      :
ipv6-split-include      :
unity-support           : enable
domain                  :
banner                  :
include-local-lan       : disable
save-password           : enable
client-auto-negotiate   : disable
client-keep-alive       : disable
backup-gateway          :
psksecret               : *
keepalive               : 10
distance                : 15
priority                : 0
dpd-retrycount          : 3
dpd-retryinterval       : 20

 

ede_pfau wrote:

Is it truly "10.20.0.0/22"? Then all subnets used (10.20.0.x, 10.20.1.x, 10.20.3.x) would be in ONE subnet and thus cannot be specified on different FGT ports. If "/24", then yes.

If you didn't use Mode Config but DHCP over IPsec, you would have full control over the setting of gateway, NTP server, lease duration etc.

Yes, I was trying to set up DHCP over IPsec, but when I was putting in e.g. 10.20.3.x it was saying it's already in use in the "internal" network. Could you please provide an example or solution, as I already tried to set it up and failed.

I will google it in the meantime.

 

Kind Regards,

Andrzej

cashbuddy

Hi,

 

I believe this has been fixed by adding a Policy Route:

 

VPN interface : vpn_Full_range -> INTERNAL interface : all

 

Is that a correct solution?
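For reference, here is a policy route of the kind described above written out in FortiOS CLI. This is an added example, not configuration taken from the thread: it assumes the dial-up tunnel interface is still named "Full", that the mode-cfg client pool is 10.20.3.0/24, that the LAN port is "internal", and that the UTM appliance is 10.20.1.254; the sequence number and the src/dst syntax should be checked against the `config router policy` reference for the running FortiOS version. The # lines are annotations for the reader, not CLI input.

```fortios
# Send everything that arrives from the "Full" dial-up tunnel to the UTM
# proxy at 10.20.1.254 on the LAN, regardless of what the main routing table
# would pick. Policy routes are consulted before the routing table and are
# evaluated top-down, and the firewall policy "Full -> internal" must still
# permit the traffic: a policy route does not bypass firewall policy.
config router policy
    edit 1
        set input-device "Full"              # dial-up phase1 interface (assumed name)
        set src "10.20.3.0/255.255.255.0"    # mode-cfg client pool (assumed /24)
        set dst "0.0.0.0/0.0.0.0"            # all destinations, i.e. no split tunnel
        set gateway 10.20.1.254              # the UTM appliance on the LAN
        set output-device "internal"         # LAN port the UTM sits on
    next
end
```

On the FortiGate, `diagnose firewall proute list` shows the installed policy routes, and on a connected client `route print` should still show 0.0.0.0/0 pointing at the tunnel, since the policy route only changes what happens after the traffic reaches the FortiGate.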

 

AK
New Contributor

Now I see your problem.

You have configured that all traffic (0.0.0.0/0) goes through the tunnel.

 

   IPv4 Address. . . . . . . . . . . : 10.20.3.200(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 10.20.3.201

 

In this case, your client gets an IP address with a /32 mask, and the FortiGate writes itself as default gateway at IP+1.

This is normal.

 

Run "route print" on your client.

You must see a 0.0.0.0/0 with next hop 10.20.3.201. This is your default gateway when the client is connected.

 

But the question from ede_pfau is important.

You have the same subnet configured on 3 interfaces. This only works in transparent mode.

 

Regards

Andreas

cashbuddy
New Contributor

akrohn wrote:

Now i see your problem.

You have configured that all traffic (0.0.0.0/0) goes through the tunnel.

Yes, for RDP users we want very strict access: only RDP is allowed for those clients.

The Full profile will give users full access to the LAN and the internet, but only through another UTM appliance which is on 10.20.1.254. We don't want users to use split tunnel.

 

akrohn wrote:

   IPv4 Address. . . . . . . . . . . : 10.20.3.200(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 10.20.3.201

 

In this case, your client gets an IP address with a /32 mask, and the FortiGate writes itself as default gateway at IP+1.

This is normal.

Subnet mask was a mistake; it's 255.255.252.0 now. I'm not sure whether it was me typing it or the FortiGate assigned that mask automatically. Does it mean each client will consume two IP addresses?

 

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Fortinet Virtual Ethernet Adapter (NDIS 6.30)
   Physical Address. . . . . . . . . : 00-09-0F-FE-00-01
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::1143:fdc3:7b21:8a2f%8(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.20.3.200(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.252.0
   Lease Obtained. . . . . . . . . . : 06 July 2018 11:06:59
   Lease Expires . . . . . . . . . . : 12 August 2154 17:37:00
   Default Gateway . . . . . . . . . : 10.20.3.201
   DHCP Server . . . . . . . . . . . : 10.20.3.201
   DHCPv6 IAID . . . . . . . . . . . : 671090959
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-22-17-67-CE-78-2B-CB-7A-82-2D
   DNS Servers . . . . . . . . . . . : 10.20.1.18
                                       10.20.1.12
   NetBIOS over Tcpip. . . . . . . . : Enabled

 

akrohn wrote:

Run "route print" on your client.

You must see a 0.0.0.0/0 with next hop 10.20.3.201. This is your default gateway when the client is connected.

This is what the route print command gives me:

 

Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.144.1  192.168.144.101      55
          0.0.0.0          0.0.0.0      10.20.3.201      10.20.3.200       2
        10.20.0.0    255.255.252.0          On-link      10.20.3.200     257
      10.20.3.200  255.255.255.255          On-link      10.20.3.200     257
      10.20.3.255  255.255.255.255          On-link      10.20.3.200     257
        10.20.4.1  255.255.255.255      10.20.3.201      10.20.3.200       1
         87.*.*.*  255.255.255.255    192.168.144.1  192.168.144.101      55
        127.0.0.0        255.0.0.0          On-link        127.0.0.1     331
        127.0.0.1  255.255.255.255          On-link        127.0.0.1     331
  127.255.255.255  255.255.255.255          On-link        127.0.0.1     331
    192.168.144.0    255.255.255.0          On-link  192.168.144.101     311
  192.168.144.101  255.255.255.255          On-link  192.168.144.101     311
  192.168.144.255  255.255.255.255          On-link  192.168.144.101     311
        224.0.0.0        240.0.0.0          On-link        127.0.0.1     331
        224.0.0.0        240.0.0.0          On-link      10.20.3.200     257
        224.0.0.0        240.0.0.0          On-link  192.168.144.101     311
  255.255.255.255  255.255.255.255          On-link        127.0.0.1     331
  255.255.255.255  255.255.255.255          On-link      10.20.3.200     257
  255.255.255.255  255.255.255.255          On-link  192.168.144.101     311

 

10.20.4.1 is the IP address of the FULL tunnel interface.

 

akrohn wrote:

But the question from ede_pfau is important.

You have the same subnet configured on 3 interfaces. This only works in transparent mode.

No, I think it's a misunderstanding.

 

fgt_wan: 87.x.x.x/30

fgt_lan: 10.20.1.9/22

fgt_ins: 192.168.x.x (this is a gateway for the UTM)

fgt_full (tunnel): 10.20.4.1/24 (assigned this when I was testing DHCP over IPsec)

 

fgt_lan is connected to a LAN network and there's another physical UTM appliance (10.20.1.254) which serves as a gateway/proxy. Workstations/laptops connected physically to the office network get their IP from the internal DHCP server on 10.20.1.18.

 

Made another diagram to clarify. The network is much more complicated as we use three different providers. 


AK
New Contributor

What I mean is, when you don't use Split Tunnel, the FortiClient overwrites the normal default route.

0.0.0.0 0.0.0.0 10.20.3.201 10.20.3.200 2

This route has a better metric than your normal default route

0.0.0.0 0.0.0.0 192.168.144.1 192.168.144.101 55

2 is better than 55.

This is the way a VPN client works.

All traffic goes through the tunnel to the FortiGate.

At the FortiGate, the routing table decides the way forward.

 

Does it mean each client will consume two IP addresses? Yes

 

If I understood correctly, your FULL users use your UTM as the default gateway to the Internet?

But for what do you need the VPN Remote Access then?

 
