Two dialup VPN tunnels to use the same interfaces (Answered, Hot!)

Showing page 1 of 2
Author
itemanuel
New Member
2020/03/31 09:40:57 6.2

Two dialup VPN tunnels to use the same interfaces

Hi

We are running a FortiGate 60E using a single WAN connection (set of public IPs) and a straight class C private LAN. We have some services in our LAN that my colleagues and I are using every day. Basically everything works just nicely.

I have set up a dialup VPN tunnel (IPsec) to provide access from remote networks. This VPN tunnel is set to have "Enable IPv4 Split Tunnel" checked, as normally we would like to have internet traffic not take the VPN route but go there directly. This tunnel works great and we are happy with bandwidth and performance.

Now in addition to that, we need to have a VPN tunnel with "IPv4 Split Tunnel" disabled. In some cases we need to have all traffic go through that tunnel, and for internet traffic we'd like to have a different public IP address being used than the one generally defined for WAN1. So apart from the "Split Tunnel" feature and a different client address range, there should not be a difference. But the thing is, this second dialup VPN tunnel doesn't work.

In https://forum.fortinet.com/tm.aspx?m=174231 ede_pfau recommends using VDOMs for this kind of setup. But this seems way too complicated to me, especially as there is no need to securely separate the traffic between the two or to have two different LANs to be reached by the VPN tunnels. So the typical use case for VDOMs is not given.

Does anybody know how to tackle this in the sense of "best practice"?

Any help and support is appreciated.
itemanuel    
#1
Toshi Esumi
Expert Member
Re: Two dialup VPN tunnels to use the same interfaces 2020/03/31 12:54:54
Try this one:
https://kb.fortinet.com/kb/documentLink.do?externalID=10114
I think the KB is a little old, so the GUI menu might not match yours. I almost never use the GUI to create IPsec so I don't know for sure, but I think it now shows it as "Local ID" instead of "Peer ID" when you choose "Custom" in the wizard.
Then the client can choose which dialup Phase1-interface to connect to.
#2
itemanuel
New Member
Re: Two dialup VPN tunnels to use the same interfaces 2020/04/01 05:53:47
Thanks!
Sounds like a good idea. Thing is, that I can't find a way to have my FortiGate 60E (FortiOS 6.2.3) show the IKE and Peer Options part in the section "Authentication". Tried to enable the feature in System > Feature visibility by checking "Policy-based IPsec VPN". Do you have a hint how I can manage to edit my VPN tunnels to use Peer IDs in the GUI of my FortiGate?
#3
Toshi Esumi
Expert Member
Re: Two dialup VPN tunnels to use the same interfaces 2020/04/01 08:08:39
This is a part of regular interface-based IPsec's features. You don't have to enable policy-based IPsec in GUI visibility.
Once you choose "Custom" IPsec, then choose "Aggressive" mode, the Peer Options config part should show up on your screen.
#4
itemanuel
New Member
Re: Two dialup VPN tunnels to use the same interfaces 2020/04/01 10:27:23
Ok, I see. So I converted the two tunnels to "custom" ones. Still have to sort out something, as connections are failing in phase 2. Just curious: I guess the actual Peer ID can be anything, right? They just need to be different. I have tried "dialup1" and "dialup2" though...
#5
Toshi Esumi
Expert Member
Re: Two dialup VPN tunnels to use the same interfaces 2020/04/01 10:54:50
The IDs themselves should be fine as long as you can configure them on the client side. The original dialup IPsec was working fine with one phase1-interface before, right? I would suggest going back to the original working setup, then take a config snapshot of phase1-interface and phase2-interface in CLI (config vpn ipsec phase1-interface / config vpn ipsec phase2-interface, then just "show"). The only thing that should change is "set localid "dialupX"" in the phase1-interface config.
#6
Jan_1966
New Member
Re: Two dialup VPN tunnels to use the same interfaces 2020/04/01 14:52:48
Hi,
I think this is the same config that I have. Each VPN tunnel needs a PeerID in the Authentication settings:
Accept types: Specific Peer ID
Peer ID: Whatever_name
 
Then on the Client side in the Phase 1 local ID for each Tunnel you want them to connect to you have to have the matching LocalID.
 
I created this with help from this forum https://forum.fortinet.com/tm.aspx?tree=true&m=184280&mpage=1 and I use it to segregate Corporate and BYOD computers. 
#7
Toshi Esumi
Expert Member
Re: Two dialup VPN tunnels to use the same interfaces 2020/04/01 15:22:27
I was thinking the article I referred to was providing config to have a few dialup termination points on the FGT side, with many clients able to dial up to the same termination points. But I was wrong. FortiClient can be configured only with "local ID", not "peer/remote ID". So you need to create one phase1-interface config for each client, which is not going to scale.
If it's FGT to FGT dialup IPsec you should be able to do what I was thinking originally, or other vendor's FWs, which can specify peer ID. I'm not sure why we can't specify peer ID at the FortiClient.
#8
Jan_1966
New Member
Re: Two dialup VPN tunnels to use the same interfaces 2020/04/01 15:46:37
As said, I have two VPN tunnel interfaces, each with multiple concurrent users.
Just different PeerID.
Works perfectly. I have at least 40 Users over the 2 tunnels. 
#9
Toshi Esumi
Expert Member
Re: Two dialup VPN tunnels to use the same interfaces 2020/04/01 15:53:13
So if the above is the fact and can't be changed, the only options for you would be:
1) have two different interfaces for two different dialup IPsec termination points (or separate vdoms, which would do similar)
or,
2) go to SSL VPN instead and separate user groups then set separate policies, or simply use "realm" to separate "portal" for each user group.
#10
Toshi Esumi
Expert Member
Re: Two dialup VPN tunnels to use the same interfaces 2020/04/01 15:54:35
Wait, what was the problem then?
 
 
#11
itemanuel
New Member
Re: Two dialup VPN tunnels to use the same interfaces 2020/04/02 04:19:51
Thanks again, Toshi
I did exactly what you proposed. I'm perfectly able to connect using my first tunnel. In the IPsec Monitor the PeerID shows up nicely. But the connection to my second tunnel still doesn't work. I'm getting "The preshared key is not correct". What happens is that it is not the second tunnel that gets connected to, but the first. And as I have chosen a different preshared key to tell them apart, the key obviously doesn't match. The cause is kind of a strict relation between the WAN1 interface and the first IPsec tunnel, thus leading to the fact that no other IPsec tunnel can claim to use WAN1. That's why using separate VDOMs would solve this. But I'm not giving up on finding the right solution without the work of setting up another VDOM.
 
So I'm wondering how Jan_1966 has found a way to have it work. Does he have two WAN connections, one for each tunnel?
#12
sw2090
Platinum Member
Re: Two dialup VPN tunnels to use the same interfaces 2020/04/02 06:36:09
You have to limit the 2nd tunnel to a specific peer ID too. This is what Jan_1966 did.
#13
Toshi Esumi
Expert Member
Re: Two dialup VPN tunnels to use the same interfaces 2020/04/02 08:17:35
Ok, thanks. I didn't know the same "local ID" for a group of clients would connect to a single dialup at the FGT with the same "peer ID". Then, you just need to have two setups in the same way with different local/peer IDs for two groups of clients.
#14
itemanuel
New Member
Re: Two dialup VPN tunnels to use the same interfaces 2020/04/02 11:09:31
That's what I did too. I've got two unique peer IDs, one for each tunnel setting.
If I put the same preshared key of tunnel 1 in tunnel 2, the connection works. But then tunnel 1 is used, however the peer id of tunnel 2 shows up in the IPsec Monitor.
 
So I'm still stuck with that.
Sorry Toshi. Wanted to post that right after sw_2090's message, but I was stopped by some other stuff.
#15
Jan_1966
New Member
Re: Two dialup VPN tunnels to use the same interfaces 2020/04/02 14:09:47
Correct.
 
So I created 2 Remote Access VPN tunnels with the Wizard (different IP range), then in the Authentication section of each you define the PeerID that is accepted on this Tunnel. 
On the Client you define the local ID for the tunnel it needs to connect to. 
This way I segregated Corporate laptops from BYOD devices so they could use different Security policies and BYOD is using split tunneling, while the corporate all traffic is directed over the VPN tunnel.
 
In the Monitor I see generally about 8 Users on one tunnel and about 30 on the other.
 
Hope this helps.
 
Jan
#16
itemanuel
New Member
Re: Two dialup VPN tunnels to use the same interfaces 2020/04/03 03:44:06
Thanks Jan
I think I did the same. I started off with the wizard, then added the localid using the command line as Toshi had proposed. I paste my config here. Would you mind comparing this to yours, or posting yours here? I suppose you know how to use the CLI to get the list.
 
gate (phase1-interface) # show
config vpn ipsec phase1-interface
    edit "access_dw"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype any
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 192.168.10.8
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set localid "withdw"
        set dpd on-idle
        set comments "VPN: access_dw (Created by VPN wizard)"
        set wizard-type dialup-forticlient
        set xauthtype auto
        set authusrgrp "dwi-VPN-access"
        set ipv4-start-ip 172.16.10.20
        set ipv4-end-ip 172.16.10.39
        set ipv4-split-include "access_dw_split"
        set save-password enable
        set psksecret ENC [[my-secret-hash-1]]
        set dpd-retryinterval 60
    next
    edit "through_dw"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype any
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 192.168.10.8
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set localid "throughdw"
        set dpd on-idle
        set comments "VPN: through_dw (Created by VPN wizard)"
        set wizard-type dialup-forticlient
        set xauthtype auto
        set authusrgrp "dwi-VPN-access"
        set ipv4-start-ip 10.0.10.20
        set ipv4-end-ip 10.0.10.39
        set save-password enable
        set psksecret ENC [[my-secret-hash-2]]
        set dpd-retryinterval 60
    next
end


#17
OrtegaPedro
New Member
Re: Two dialup VPN tunnels to use the same interfaces 2020/04/03 04:42:18 (Best Answer, marked by itemanuel 2020/04/03 12:05:33)
Hi
 
To use more than 1 IPSec Tunnel in the same interface you must specify unique Peer ID in each VPN tunnel (Authentication section) and the same in Local ID (Phase1 Section).
In Forticlient VPN set the Local ID under Advanced Settings > Phase1
#18
itemanuel
New Member
Re: Two dialup VPN tunnels to use the same interfaces 2020/04/03 12:05:23
That's it, Pedro. You are absolutely right! Now both tunnels are accessible.
The only thing is that for some reason we can't reach anything, neither in our LAN nor on the Internet. The IPv4 policy is still the one that was created by the wizard and I don't see what could or should be different from the one for the split tunnel. But thanks anyway!
#19
Jan_1966
New Member
Re: Two dialup VPN tunnels to use the same interfaces 2020/04/05 14:09:05
Hi,
 
I am not going to paste the whole configuration, but your configuration states PeerID Any. On the Fortigate side it's not the localID, but the Peer ID you need to change:
 
set peertype one
set peerid "Noncorporate"
 
It's in the Authentication section of the VPN tunnel
Accept type: Specific Peer ID
PeerID: "whatever the name is you accept on this tunnel"
 
#20
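As an added example (not from this thread and not Fortinet code), the following Python audit parses a `show` dump of `config vpn ipsec phase1-interface` in the shape itemanuel posted and flags the situation the thread got stuck on: dialup (type dynamic) tunnels terminating on the same interface that are not told apart by `set peertype one` plus a unique `set peerid`. The sample dump is constructed; `parse_phase1` and `audit` are this example's own names.

```python
from collections import defaultdict
# Constructed sample in the shape of the thread's 'show' output (PSKs omitted);
# the first tunnel still carries the 'set peertype any' defect discussed above.
SAMPLE = """\
config vpn ipsec phase1-interface
    edit "access_dw"
        set type dynamic
        set interface "wan1"
        set peertype any
    next
    edit "through_dw"
        set type dynamic
        set interface "wan1"
        set peertype one
        set peerid "throughdw"
    next
end
"""

def parse_phase1(text):
    """Map each 'edit' block of a phase1-interface dump to its settings."""
    tunnels, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith('edit "'):
            current = line[6:-1]
            tunnels[current] = {}
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            tunnels[current][key] = value.strip('"')
    return tunnels

def audit(tunnels):
    """Flag dialup tunnels that share an interface without a unique peer ID."""
    by_iface, findings = defaultdict(list), []
    for name, cfg in tunnels.items():
        if cfg.get("type") == "dynamic":
            by_iface[cfg.get("interface")].append(name)
    for iface, names in by_iface.items():
        seen = {}
        for n in names if len(names) > 1 else ():  # a lone dialup tunnel may accept any peer
            pid = tunnels[n].get("peerid")
            if tunnels[n].get("peertype", "any") == "any" or not pid:
                findings.append(f"{n}: shares {iface} but accepts any peer ID")
            elif pid in seen:
                findings.append(f"{n}: peerid {pid!r} duplicates {seen[pid]}")
            else:
                seen[pid] = n
    return findings
```

Running `audit(parse_phase1(SAMPLE))` reports only `access_dw`, which is exactly the tunnel Jan_1966 says needs `set peertype one` and a `set peerid`.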