How to configure a Fortinet firewall for FortiClient VPN access
1) Create an AD group called ‘VPN Access’.

2) Configure LDAP on the FortiGate following these steps below where is the name of the AD group – ‘VPN Access’:

    config user ldap
        edit "ldapusergroup"
            set server ""
            set cnid "sAMAccountName"
            set dn "OU=OU2,OU=OU1,DC=,DC="
            set type regular
            set username "CN=,OU=,DC=,DC="
            set password
            set group "CN=,OU=,DC=,DC="
            set filter "(&(objectcategory=group)(objectclass=group)(member=*))"
        next
    end

3) Create a User Group on the Fortinet called ‘IPSEC VPN’ and add the ‘VPN Access’ group as a member.

    config user group
        edit "IPSEC VPN"
            set profile "unfiltered"
            set member "ldapusergroup"
        next
    end
4) Create a VPN IPSEC phase 1 called ‘Dialup vpn - P1’ with XAUTH enabled as server and select the ‘IPSEC VPN’ user group.

5) Create a VPN IPSEC phase 2 called ‘Dialup vpn - P2’ with ‘Dialup vpn - P1’ selected for the Phase 1.

6) Create a DHCP server under System -> DHCP on the WAN interface called ‘dhcp ipsec’ using an address range which cannot overlap with the internal address range (e.g. internal = 10.10.10.X, VPN users = 10.100.10.X).

    config system dhcp server
        edit "dhcp ipsec"
            set dns-server1 10.10.10.11
            set domain "paxvax.corp"
            set end-ip 10.100.10.120
            set interface "wan1"
            set netmask 255.255.255.0
            set server-type ipsec
            set start-ip 10.100.10.101
        next
    end
7) Create an address group under Firewall -> Address for the VPN users address range called ‘dhcp ipsec’ where the type = IPSEC. No gateway needs to be specified. Be sure to plug in the appropriate domain name.

    config firewall address
        edit "dhcp ipsec"
            set type iprange
            set end-ip 10.100.10.120
            set start-ip 10.100.10.101
        next
    end
8) Create an address group under Firewall -> Address for the internal users address range called ‘%companyname% lan’.

    config firewall address
        edit "%companyname% lan"
            set subnet 10.10.10.0 255.255.255.0
        next
    end
9) Create a firewall policy at the top of the ‘Internal -> Wan’ section where Source = All, Destination = All, Service = Any, Action = IPSEC, VPN Tunnel = ‘Dialup vpn - P1’ and check ‘allow inbound’ and ‘allow outbound’. Optionally apply a protection profile after functionality is confirmed. In the commands below, XX = next available number; ‘show’ lists the existing policies.

    config firewall policy
        show
        edit XX
            set srcintf "internal"
            set dstintf "wan1"
            set srcaddr "all"
            set dstaddr "all"
            set action ipsec
            set schedule "always"
            set service "ANY"
            set profile-status enable
            set profile "AV_IPS_IM"
            set inbound enable
            set outbound enable
            set vpntunnel "Dialup vpn - P1"
        next
    end
10) Create a firewall policy at the bottom of the ‘Wan -> Internal’ section where Source = ‘dhcp ipsec’, Destination = ‘%companyname% lan’, Service = Any, Action = Accept with the NAT check box checked. Optionally apply a protection profile after functionality is confirmed. In the commands below, XX = next available number; ‘show’ lists the existing policies.

    config firewall policy
        show
        edit XX
            set srcintf "wan1"
            set dstintf "internal"
            set srcaddr "dhcp ipsec"
            set dstaddr "%companyname% lan"
            set action accept
            set schedule "always"
            set service "ANY"
            set profile-status enable
            set profile "AV_IPS_IM"
            set nat enable
        next
    end
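The steps above depend on two things that are easy to get wrong: every policy must reference an address object by its exact name, and the VPN pool must not overlap the internal subnet. The following check is an added example, not part of the original post; the function names and the constructed sample (which misspells one object name on purpose) are assumptions, and the parser only handles flat config/edit/set lines like those shown here.

```python
import ipaddress
import shlex

# Constructed sample in the layout used by the steps above. The policy
# refers to "ipsec dhcp", but the address object is named "dhcp ipsec".
SAMPLE = '''
config firewall address
    edit "dhcp ipsec"
        set start-ip 10.100.10.101
        set end-ip 10.100.10.120
    next
    edit "%companyname% lan"
        set subnet 10.10.10.0 255.255.255.0
    next
end
config firewall policy
    edit 2
        set srcaddr "ipsec dhcp"
        set dstaddr "%companyname% lan"
    next
end
'''

def parse(text):
    """Return {table: {entry: {key: [values]}}} from config/edit/set lines."""
    tables, table, entry = {}, None, None
    for line in text.splitlines():
        tok = shlex.split(line)          # honours the quoted object names
        if tok[:1] == ["config"]:
            table = tables.setdefault(" ".join(tok[1:]), {})
        elif tok[:1] == ["edit"] and table is not None:
            entry = table.setdefault(tok[1], {})
        elif tok[:1] == ["set"] and entry is not None:
            entry[tok[1]] = tok[2:]
    return tables

def dangling_refs(tables):
    """List (policy id, field, name) for addresses no object defines."""
    known = set(tables.get("firewall address", {})) | {"all"}
    return [(pid, key, name)
            for pid, pol in tables.get("firewall policy", {}).items()
            for key in ("srcaddr", "dstaddr") for name in pol.get(key, [])
            if name not in known]

def pool_overlaps_lan(tables, pool, lan):
    # True if any part of the VPN range falls inside the internal subnet.
    addr = tables["firewall address"]
    start, end = (ipaddress.ip_address(addr[pool][k][0]) for k in ("start-ip", "end-ip"))
    net = ipaddress.ip_network("/".join(addr[lan]["subnet"]))
    return any(r.overlaps(net) for r in ipaddress.summarize_address_range(start, end))
```

Run it against a saved copy of the configuration before applying the policies; a non-empty result from `dangling_refs` or `True` from `pool_overlaps_lan` means a step needs correcting.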