Wednesday, October 23, 2019

Fortigate dialup vpn ipsec from a 2nd Fortigate

FortiOS supports IPsec dialup where a FortiGate is the dialup device and authenticates with a username/password (XAuth) in addition to the PSK.

The Cisco ASA had this function for many years under EasyVPN.


Here's a basic view:

The light-blue firewall is connecting to the firewall on the left. Both of these are FortiGates, but in reality it could have been a FGT dialing up to any other dynamic-dialup peer.


Here's the dark-blue firewall's cfg:

We have a local user defined and a local user group named remote-fgts:


FWF # show user group remote-fgts
config user group
    edit "remote-fgts"
        set member "remote-fgt"
    next
end

FWF # show user local remote-fgt
config user local
    edit "remote-fgt"
        set type password
        set passwd-time 2019-08-11 18:01:01
        set passwd ENC bK70ALGrYzvTd/7+Das6DdQZpGUaUuq9+wZQGVb6P8A5xfQbrcBKPBlyGs4WrQ3NfGCUMPZsB4adzXg706DgkN3OYryXHub2eb1uvHO62m5M7F7n6AyKUmUPILCeFVyXNsMb1QShc5OqRx9oH2xNoUodDHeZWr6ca6cu1RZ84XM1/O/hxDm+DK1mMkSdFeaYD8x70g==
    next
end



The configuration of the remote firewall (the one on the right of the screenshot) uses that same username/password in its own phase1 settings:

Note: always double-check the username and password for correctness if you see an authentication error, or if you are using an external authenticator.


The cmd diag vpn ike gateway will show you the gateway details and the user that authenticated:

As you can see, username "remote-fgt" authenticated. We can also double-check the phase2 details:

To secure the dialup firewalls it is best to set a localid and peerid on both of the peers. In the example below we define an FQDN-type ID, ipsecremotes, as the dialup firewall's localid and as the peerid that the hub expects from it.
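The two sides written out as CLI, as an added example that is not the post's own config (the post's settings live in its screenshots). The interface name wan1, the hub's public IP 203.0.113.1, the hub's localid hub-fgt, the PSK, the subnets and aggressive mode are all assumptions made for this example.

```fortios
# Dialup SERVER (dark-blue FortiGate). wan1, 203.0.113.1, hub-fgt, PSK and subnets are constructed.
config vpn ipsec phase1-interface
    edit "dialup-fgts"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype one
        set peerid "ipsecremotes"
        set localid "hub-fgt"
        set localid-type fqdn
        set xauthtype auto
        set authusrgrp "remote-fgts"
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "ChangeMe-example-PSK"
    next
end
config vpn ipsec phase2-interface
    edit "dialup-fgts-p2"
        set phase1name "dialup-fgts"
        set proposal aes256-sha256
    next
end
# Dialup CLIENT (light-blue FortiGate): static peer, XAuth client with the local user from above.
config vpn ipsec phase1-interface
    edit "to-hub"
        set interface "wan1"
        set mode aggressive
        set remote-gw 203.0.113.1
        set peertype one
        set peerid "hub-fgt"
        set localid "ipsecremotes"
        set localid-type fqdn
        set xauthtype client
        set authusr "remote-fgt"
        set authpasswd "the-password-set-on-remote-fgt"
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "ChangeMe-example-PSK"
    next
end
config vpn ipsec phase2-interface
    edit "to-hub-p2"
        set phase1name "to-hub"
        set proposal aes256-sha256
        set src-subnet 10.20.0.0 255.255.255.0
        set dst-subnet 10.10.0.0 255.255.255.0
    next
end
```

With peertype one on both sides a dialup peer presenting any other ID is rejected in phase1, before XAuth is even attempted; diag vpn ike gateway list on the hub then shows which ID and which XAuth user each tunnel came up with.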

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o

        /  \
