FortiGate IPSec VPN User Guide - FirewallShop.com
FortiClient dialup-client configurations
Configuration overview
Using virtual IP addresses

Finally, the FortiGate unit searches the implicated IPSec firewall policies to determine which private network(s) the dialup clients may access. The rest of the VPN policy information is retrieved from the existing IPSec phase 1 and phase 2 parameters in the dialup-client configuration.
When the FortiClient host PC is located behind a NAT device, unintended IP address overlap issues may arise between the private networks at the two ends of the tunnel. For example, the client's host might receive a private IP address from a DHCP server on its network that by coincidence is the same as a private IP address on the network behind the FortiGate unit. A conflict will occur in the host's routing table and the FortiClient Host Security application will be unable to send traffic through the tunnel. Configuring virtual IP (VIP) addresses for FortiClient applications prevents this problem.

Using VIPs ensures that client IP addresses are in a predictable range. You can then define firewall policies that allow access only to that source address range. If you do not use VIPs, the firewall policies must allow all source addresses because you cannot predict the IP address of a remote mobile user.

The FortiClient application must not have the same IP address as any host on the private network behind the FortiGate unit or as any other connected FortiClient application. You can ensure this by reserving a range of IP addresses on the private network for FortiClient users. Alternatively, you can assign FortiClient VIPs from an uncommonly used subnet such as 10.254.254.0/24 or 192.168.254.0/24.

You can reserve a VIP address for a particular client according to its device MAC address and type of connection. The DHCP server then always assigns the reserved VIP address to that client. For more information about this feature, see the "dhcp reserved-address" section in the "system" chapter of the FortiGate CLI Reference.
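The checks an administrator might script while planning the VIP pool described above: whether a proposed pool overlaps the networks behind the FortiGate, whether a client's own LAN address falls inside one of them (the routing-table conflict above), a MAC-keyed reservation table, and whether a policy's source address object covers a given VIP. This is an added example, not code from the guide or from Fortinet; every address, MAC and network below is a constructed value, and the `first_host` convention is hypothetical.

```python
from ipaddress import IPv4Address, IPv4Network
from typing import Iterable, Optional

# Networks behind the FortiGate that dialup clients are allowed to reach (constructed).
PROTECTED = [IPv4Network("192.168.1.0/24"), IPv4Network("10.10.0.0/16")]


def pool_overlaps(pool: str, protected: Iterable[IPv4Network] = PROTECTED) -> list[str]:
    """Return the protected networks a proposed VIP pool collides with.
    An empty list means the pool (e.g. 10.254.254.0/24) can be handed out safely."""
    candidate = IPv4Network(pool)
    return [str(net) for net in protected if candidate.overlaps(net)]


def host_lan_conflict(host_lan_ip: str, protected: Iterable[IPv4Network] = PROTECTED) -> Optional[str]:
    """The failure mode the guide describes: the client's own NAT-side DHCP address
    falls inside a network behind the FortiGate, so its routing table cannot separate
    tunnel traffic from local traffic. Returns the clashing network, or None."""
    ip = IPv4Address(host_lan_ip)
    return next((str(net) for net in protected if ip in net), None)


def reserve_vips(macs: Iterable[str], pool: str, first_host: int = 10) -> dict[str, str]:
    """Pin each client MAC to a fixed VIP, as a DHCP reserved-address entry would.
    Hosts below `first_host` are left free for static use (hypothetical convention);
    duplicate MACs and pool exhaustion raise instead of silently reusing an address."""
    free = list(IPv4Network(pool).hosts())[first_host - 1:]
    reservations: dict[str, str] = {}
    for mac in macs:
        mac = mac.lower().replace("-", ":")   # normalise Windows-style MACs
        if mac in reservations:
            raise ValueError(f"duplicate MAC {mac}")
        if not free:
            raise ValueError("VIP pool exhausted")
        reservations[mac] = str(free.pop(0))
    return reservations


def policy_source_ok(client_vip: str, policy_srcaddr: str) -> bool:
    """True when a firewall policy's source address object covers the VIP, i.e. the
    policy can be scoped to the VIP range instead of allowing all source addresses."""
    return IPv4Address(client_vip) in IPv4Network(policy_srcaddr)
```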
Note: To determine the VIP address that the FortiClient Host Security application is using, type ipconfig /all at the Windows Command Prompt on the FortiClient host. The output will also show the IP address that has been assigned to the host Network Interface Card (NIC).

It is best to assign VIPs using DHCP over IPSec. The FortiGate dialup server can act as a DHCP server or relay requests to an external DHCP server. You can also configure VIPs manually on FortiClient applications, but it is more difficult to ensure that all clients use unique addresses.

Note: If you assign a VIP on the private network behind the FortiGate unit and enable DHCP-IPsec (a phase 2 advanced option), the FortiGate unit acts as a proxy on the local private network for the FortiClient dialup client. Whenever a host on the network behind the dialup server issues an ARP request for the device MAC address of the FortiClient host, the FortiGate unit answers the ARP request on behalf of the FortiClient host and forwards the associated traffic to the FortiClient host through the tunnel. For more information, see "DHCP-IPSec" on page 145.

Note: FortiGate units fully support RFC 3456, Dynamic Host Configuration Protocol (DHCPv4) Configuration of IPsec Tunnel Mode. The FortiGate DHCP over IPSec feature can be enabled to allocate VIP addresses to FortiClient dialup clients using a FortiGate DHCP server if a policy-based VPN is configured. DHCP over IPSec is not compatible with FortiGate route-based VPNs.
FortiGate IPSec VPN Version 3.0 User Guide
01-30005-0065-20070716 57