Hi,
I have a setup where a user can dial up into a custom IPsec tunnel. The goal was to access it and receive an IP from DHCP on the tunnel interface; I could not achieve this using the GUI wizard (the DHCP option is missing on the created tunnel). The login part works well, the tunnel is UP, DHCP gave the IP, and on the client I can see proper tunneling to the designated subnet. The problem is in communication: traffic doesn't go through, even though I can see it in the logs as implicit deny and there is a policy for it.
I think the problem is in user auth in the system, so that the policy can recognize who wants to make that connection - like in SSL VPN, when someone logs in to the portal, gets an IP and is listed in firewall users with a specific user group + IP. Then in the policy you must set up source IP + user group. In the log I see only the source IP, no user bind. I have XAuth in phase 2 set up - a user group made of a local user or LDAP user doesn't work.
Here's my setup:

config system interface
    edit "dhcp_vpn"
        set vdom "root"
        set ip 172.16.100.254 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 172.16.100.254 255.255.255.0
        set snmp-index 59
        set interface "port17"
    next
end

config system dhcp server
    edit 1
        set forticlient-on-net-status disable
        set dns-service default
        set default-gateway 172.16.100.254
        set netmask 255.255.255.0
        set interface "dhcp_vpn"
        config ip-range
            edit 1
                set start-ip 172.16.100.10
                set end-ip 172.16.100.20
            next
        end
        set server-type ipsec
    next
end

config vpn ipsec phase1-interface
    edit "dhcp_vpn"
        set type dynamic
        set interface "port17"
        set mode aggressive
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set dhgrp 5
        set xauthtype auto
        set authusrgrp "ipsecvpn"
        set psksecret ENC...
        set dpd-retryinterval 60
    next
end

config vpn ipsec phase2-interface
    edit "dhcp_vpn"
        set phase1name "dhcp_vpn"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set dhgrp 5
        set dhcp-ipsec enable
    next
end
I have discovered one more thing. If I disable XAuth in phase 2, login is also successful based on peer ID, so it probably doesn't even matter that it's there. Second - I managed to make the connection work. I removed the interface from the source pool in the policy; I could then add it without a user group.
So the goal now is how to make the user authenticate against LDAP and be correlated with the IP from DHCP, like in the SSL VPN logs.
I figured it out. In the phase 2 settings, the XAuth user group must be set to inherited from policy. Then such a user can be seen in the firewall user monitor as it should.
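Added example, not from the original posts: the CLI shape of the "inherit from policy" arrangement described above. It assumes that the GUI's "Inherit from policy" corresponds to leaving the XAuth group unset in phase 1 and placing the group on the firewall policy instead; the LDAP server, bind account, address names and the internal interface port2 are constructed for illustration, and the bind password and PSK are placeholders. With the group on the policy, the identity that authenticated via XAuth is bound to the DHCP-assigned address, so the policy matches on user group and the source pool rather than on source IP alone, and the session appears in the firewall user monitor.

```fortios
# Constructed LDAP server and group; replace server, DN and bind account with your own.
config user ldap
    edit "corp-ldap"
        set server "ldap.example.internal"
        set cnid "sAMAccountName"
        set dn "dc=example,dc=internal"
        set type regular
        set username "cn=svc-fortigate,cn=Users,dc=example,dc=internal"
        set password <ldap-bind-password>
    next
end

config user group
    edit "ipsecvpn"
        set member "corp-ldap"
    next
end

# Phase 1 keeps XAuth on but carries no user group (assumed CLI equivalent of "Inherit from policy").
config vpn ipsec phase1-interface
    edit "dhcp_vpn"
        set type dynamic
        set interface "port17"
        set mode aggressive
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256
        set dhgrp 5
        set xauthtype auto
        unset authusrgrp
        set psksecret <pre-shared-key>
    next
end

# Address object matching the DHCP range handed out on the tunnel interface.
config firewall address
    edit "dhcp_vpn_pool"
        set type iprange
        set start-ip 172.16.100.10
        set end-ip 172.16.100.20
    next
end

# The user group lives on the policy; port2 is an assumed internal interface.
config firewall policy
    edit 0
        set name "ipsec-dhcp-users"
        set srcintf "dhcp_vpn"
        set dstintf "port2"
        set srcaddr "dhcp_vpn_pool"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "ipsecvpn"
        set logtraffic all
    next
end
```

After a client connects, `diagnose firewall auth list` shows the authenticated user together with the 172.16.100.x address DHCP assigned, which is the user-to-IP binding the traffic log was missing when the group sat on phase 1.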
Copyright 2024 Fortinet, Inc. All Rights Reserved.