Wednesday, May 30, 2018

NCP Entry VPN client on macOS and DHCP over IPsec

In this blog post I will show a basic FortiGate dial-up IPsec configuration with DHCP over IPsec enabled, on FortiOS v6.0.


Here's the config (ignore the IPv6 parts for now):

config system interface
    edit "DYNAMIC"
        set vdom "root"
        set type tunnel
        set snmp-index 8
        set interface "wan1"
    next
end
config system dhcp server
    edit 3
        set domain "socpuppets.com"
        set wins-server1 192.168.1.201
        set wins-server2 192.168.1.202
        set default-gateway 10.11.1.1
        set netmask 255.255.255.0
        set interface "DYNAMIC"
        set timezone-option specify
        set timezone 24
        set server-type ipsec
        set dns-server1 8.8.8.8
        set dns-server2 8.8.4.4
        set dns-server3 8.8.6.6
    next
end
config system dhcp6 server
    edit 1
        set subnet 2001:db8:99:100::/64
        set interface "DYNAMIC"
    next
end

config firewall address
    edit "DYNAMIC_range"
        set uuid a7a40fbc-6381-51e8-4997-9d6734e501f7
        set type iprange
        set comment "VPN: DYNAMIC (Created by VPN wizard)"
        set start-ip 10.11.1.1
        set end-ip 10.11.1.100
    next
end
config firewall addrgrp
    edit "DYNAMIC_split"
        set uuid a68a98d0-6381-51e8-ec77-cae52f49aee9
        set member "NET_192_168_1" "NET_192_168_2"
        set comment "VPN NETWORKS TO ALLOW"
    next
end
config vpn ipsec phase1-interface
    edit "DYNAMIC"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype any
        set proposal aes128-sha1 aes128-md5 aes128-sha256
        set localid "brooklyn.socpuppets.com"
        set dpd on-idle
        set comments "VPN: DYNAMIC (Created by VPN wizard)"
        set dhgrp 5
        set wizard-type dialup-cisco
        set xauthtype auto
        set authusrgrp "Guest-group"
        set idle-timeout enable
        set psksecret   d!onthackme12345!
        set dpd-retrycount 10
        set dpd-retryinterval 120
    next
end
config vpn ipsec phase2-interface
    edit "DYNAMIC"
        set phase1name "DYNAMIC"
        set proposal aes256-sha256 aes256-md5 aes256-sha1
        set pfs disable
        set keepalive enable
        set comments "PHASE2-IPSEC-PROFILE"
    next
    edit "DYNAMIC_ipv6"
        set phase1name "DYNAMIC"
        set proposal aes256-sha256 aes256-md5 aes256-sha1
        set pfs disable
        set keepalive enable
        set src-addr-type name6
        set dst-addr-type name6
        set keylifeseconds 3600
        set src-name6 "IPV6"
        set dst-name6 "all"
    next
end
config firewall policy
    edit 2
        set name "DYNAMIC_remote"
        set uuid a7e11da8-6381-51e8-0bad-bbae1f5ebd7c
        set srcintf "DYNAMIC"
        set dstintf "internal"
        set srcaddr "DYNAMIC_range"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "ALLOW TRAFFIC TO INTERNAL NETWORK"
        set nat enable
    next
end
config firewall policy6
    edit 1
        set uuid caf67dac-6457-51e8-0ad7-1f663adda99a
        set srcintf "DYNAMIC"
        set dstintf "internal"
        set srcaddr "IPV6"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end



The NCP client in this example runs on a macOS 10.10.5 machine; the NCP client version is 3.0.0 build 38902.

In my example the DHCP server runs locally on the FortiGate, but a DHCP relay could have been used as well.


Once the client has passed phase 1 and phase 2, the firewall hands out the DHCP-assigned address.
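Reviewing a config like the one above by hand is easy to get wrong, so here is an added example (my own script, not code from the post and not a Fortinet tool) that parses FortiOS CLI text in the flat config/edit/set/next/end layout shown and runs two checks: it flags the phase1 settings a reviewer would question (aggressive mode with a pre-shared key, MD5/SHA1 proposals, DH group 5) and it verifies the DHCP-over-IPsec wiring (an ipsec-type DHCP server bound to a dial-up phase1, an accept policy from that tunnel interface, and an iprange source object that falls inside the DHCP subnet). The sample config embedded in the script is a constructed, trimmed copy of the post's; the section names and keys are the FortiOS ones the post uses, and the check logic and messages are my own assumptions.

```python
"""Parse FortiOS CLI text and sanity-check dial-up IPsec with DHCP over IPsec."""
import ipaddress
import shlex

WEAK_HASH_SUFFIXES = ("-md5", "-sha1")
WEAK_DH_GROUPS = {"1", "2", "5"}  # MODP groups under 2048 bits

# Constructed sample: a trimmed copy in the same shape as the post's config.
SAMPLE_CFG = """
config system dhcp server
    edit 3
        set default-gateway 10.11.1.1
        set netmask 255.255.255.0
        set interface "DYNAMIC"
        set server-type ipsec
    next
end
config firewall address
    edit "DYNAMIC_range"
        set type iprange
        set start-ip 10.11.1.1
        set end-ip 10.11.1.100
    next
end
config vpn ipsec phase1-interface
    edit "DYNAMIC"
        set type dynamic
        set mode aggressive
        set proposal aes128-sha1 aes128-md5 aes128-sha256
        set dhgrp 5
        set psksecret d!onthackme12345!
    next
end
config firewall policy
    edit 2
        set srcintf "DYNAMIC"
        set srcaddr "DYNAMIC_range"
        set action accept
    next
end
"""

def parse_fortios(text):
    """Return {section: {entry: {key: [values]}}}; flat layout only, no nested config blocks."""
    cfg, section, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[7:]
            cfg.setdefault(section, {})
        elif line.startswith("edit "):
            entry = line[5:].strip().strip('"')
            cfg[section][entry] = {}
        elif line.startswith("set "):
            key, _, rest = line[4:].partition(" ")
            cfg[section][entry][key] = shlex.split(rest)  # keeps quoted values whole
        elif line in ("next", "end"):
            entry, section = None, (section if line == "next" else None)
    return cfg

def audit_phase1(cfg):
    """Return (tunnel, message) findings for weak phase1 settings."""
    findings = []
    for name, p1 in cfg.get("vpn ipsec phase1-interface", {}).items():
        # aggressive mode sends the PSK-derived hash unencrypted, so the PSK can be guessed offline
        if p1.get("mode", ["main"])[0] == "aggressive" and "psksecret" in p1:
            findings.append((name, "aggressive mode with a pre-shared key"))
        weak = [p for p in p1.get("proposal", []) if p.endswith(WEAK_HASH_SUFFIXES)]
        if weak:
            findings.append((name, "weak integrity algorithms: " + " ".join(weak)))
        weak_dh = sorted(set(p1.get("dhgrp", [])) & WEAK_DH_GROUPS)
        if weak_dh:
            findings.append((name, "weak DH group(s): " + " ".join(weak_dh)))
    return findings

def check_dhcp_over_ipsec(cfg):
    """Return wiring problems: an ipsec-type DHCP server must sit on a dial-up phase1, an
    accept policy must exist from that interface, and its iprange sources must lie inside
    the DHCP subnet, otherwise addresses handed to clients never match the policy."""
    problems = []
    phase1s, addrs, policies = (cfg.get(s, {}) for s in
                                ("vpn ipsec phase1-interface", "firewall address", "firewall policy"))
    for sid, srv in cfg.get("system dhcp server", {}).items():
        if srv.get("server-type", ["regular"])[0] != "ipsec":
            continue
        iface = srv.get("interface", [""])[0]
        if phase1s.get(iface, {}).get("type", ["static"])[0] != "dynamic":
            problems.append(f"dhcp server {sid}: {iface!r} is not a dial-up phase1")
        accepting = {pid: p for pid, p in policies.items()
                     if iface in p.get("srcintf", []) and p.get("action", ["deny"])[0] == "accept"}
        if not accepting:
            problems.append(f"dhcp server {sid}: no accept policy with srcintf {iface!r}")
        if "default-gateway" not in srv or "netmask" not in srv:
            continue
        subnet = ipaddress.ip_network(f"{srv['default-gateway'][0]}/{srv['netmask'][0]}", strict=False)
        for pid, pol in accepting.items():
            for name in pol.get("srcaddr", []):
                a = addrs.get(name, {})
                if a.get("type", [""])[0] != "iprange":
                    continue
                lo, hi = (ipaddress.ip_address(a[k][0]) for k in ("start-ip", "end-ip"))
                if lo not in subnet or hi not in subnet:
                    problems.append(f"policy {pid}: srcaddr {name!r} is outside {subnet}")
    return problems

if __name__ == "__main__":  # stand-alone run prints the findings for the sample
    c = parse_fortios(SAMPLE_CFG)
    print(*audit_phase1(c), *check_dhcp_over_ipsec(c), sep="\n")
```

Feed it a full `show` dump the same way; nested `config` sub-blocks inside an entry (for example a DHCP `ip-range` list) are not parsed, which is a limitation of this example rather than of FortiOS.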

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o
        /  \