How to Configure IPsec VPN Remote Access on FortiGate Firewall FortiOS 7

Captions
Hi guys, this is D' IgoroTech. Today we are going to configure IPsec VPN on FortiGate FortiOS version 7. IPsec VPN will allow remote users to connect to the FortiGate device to access the internal network using FortiClient for Android, iOS, Windows and even some Linux operating systems. Internet traffic can also flow to the FortiGate for security scanning. We have two options. Option one is we will only allow remote users to connect to the network and access the internal network 192.168.1.0 with /24 subnet. The next option, we will allow remote users to access the internal network and also we will allow internet traffic to pass through the FortiGate for security scanning. This will be based on your topology or on your preferences. If you are new to my channel, please don't forget to like, share, subscribe and click on the notification bell for more amazing tutorials. Thank you. For this demo we are going to use FortiOS version 7.0.1.

First, we're going to create an IPsec VPN user. Go to User & Authentication > User Definition and click Create New to add a new user. Under User Type select Local User, which is already selected by default, and click Next. Enter your desired IPsec VPN username and password, then click Next. We are not going to enable two-factor authentication, so click Next. User account status is already enabled and we are not yet going to add it in a group, so click Submit. You can now see the created user, which is jack.

Next, we are going to create an IPsec VPN user group. Go to User Groups, click Create New and enter your desired user group name; we will give a name of "ipsec users" to make it simple. Type is Firewall. For the members we will add the user we just created, which is jack; you can add multiple users if you want. Click OK to apply. You can see the user group that has been created, and from here you can also see the members of that group.

Next, we are going to configure FortiGate IPsec VPN. Go to VPN > IPsec Wizard and enter the IPsec VPN tunnel name; we will give a name of "ipsec vpn" to make it simple. For the template type we will choose Remote Access. You can see that FortiClient is available for Windows, macOS, Android and even some Linux operating systems. For the remote device type, leave it to default, which is Client-based, FortiClient. Click Next. For the incoming interface you will choose your internet-facing interface or your WAN; in my case it's the maxis. The public IP address of this interface will be used by the IPsec VPN users to connect to this network. For the authentication method we will use Pre-shared Key, which is already selected. Now enter the pre-shared key. You must remember the pre-shared key; this will be used by the IPsec VPN user to configure FortiClient, and the pre-shared key must match. For the user group, click on it to expand and select the "ipsec users" we just created; you can point your cursor to view the members of that group. Click Next.

For the local interface select your LAN interface; in my case it's the internal. You can see the IP/netmask configured. For the LAN address, I already created "local lan". If you don't have a network address created for your LAN, then choose Create, choose Address and enter the address name; we will name it "lan local". Type is Subnet, IP/netmask would be the LAN address, which is 192.168.1.0 with /24 subnet. For the interface you can select the internal or leave it as any. Click OK to apply. Now add the created address. For the client address range, this would be the range of IP addresses that will be received by the IPsec VPN users; let's set the address range from 10.100.100.1 to 10.100.100.50. An address object will be automatically created for this range.

For the IPv4 split tunnel, if you leave this enabled then the IPsec VPN users can only access the remote network, but they will use their own connection to access the internet. But if you want IPsec VPN users to access the internal network and also the internet through the FortiGate for security scanning, then you need to disable the split tunneling. We will do the second option first: disable the IPv4 split tunneling. I will show you how to enable and configure the IPv4 split tunnel afterwards. Click Next.

For the client options, you will choose based on your preference. Enable Save Password if you want remote users to have the option to save their own password. Enable Auto Connect if you want remote users to have the option to auto-connect to this network. Lastly, Always Up or Keep Alive: this ensures that the VPN won't disconnect even if there's no traffic or the device went idle. Click Next. You will see the object summary; now click Create. You can see the VPN status is down, since there are no remote users currently connected. To view the IPsec VPN address object, go to Policy & Objects > Addresses; notice the ipsec vpn range address that has been automatically created.

Next, we are going to configure the firewall policy. Go to Firewall Policy; notice that there's an "ipsec vpn" policy that has been automatically created. You can see the policy name; the source, which is the ipsec vpn address; destination is the LAN; schedule is always and service is ALL. Since this policy is for internal network access and doesn't need to access the internet, we will disable the NAT.

Next, we are going to create a policy for IPsec VPN users to access the internet through this network. We can simply copy and edit the current policy: right-click on it and choose Copy, now right-click again and choose Paste. We have two options to choose, to either paste above or below. Right-click again, then choose Edit, or simply double-click on it to edit the policy. Enter your desired policy name; we will give it "ipsec vpn to internet" to make it simple. Incoming interface will be the ipsec vpn; outgoing interface will be the internet-facing interface or the WAN, which in my case is the maxis. Source will be the ipsec vpn range, destination would be all, schedule is always and service is ALL. Since this policy is for internet access, we need to enable the NAT. Next is the security profiles. You can enable all available profiles for better security; this is all based on your preference. Enable the antivirus and select your preferred profile; same goes with the web filter, DNS filter, application control, IPS and also the email filter. Again, this is all based on your preferences. For Log Allowed Traffic you can choose All Sessions for you to monitor all logs for this policy. Lastly, make sure to enable the policy. Once done, click OK. Notice the policy that has been created. This policy means IPsec VPN users can access the internet through this network anytime, can use any protocols and applications, and web access will be based on the security profiles enabled. Starting from FortiOS version 7 you can simply open the policy and Edit in CLI if you prefer to configure or edit it through the CLI.

Let's check the IPsec VPN status. Go to VPN > IPsec Tunnels; you can see the VPN status is down. Now open FortiClient. I'm currently using version 7 for this demo. If you don't have this application, then you can check the link in the description below on how to download it for free and the installation guide. You can also check the link in the description below on how to configure SSL VPN. Now let's go to IPsec VPN. Enter your desired connection name; we will give "office" for this demo. Description is optional. For the remote gateway you can enter the public IP address or dynamic DNS of the remote site. Authentication method is Pre-shared Key; now enter the pre-shared key that has been configured on the FortiGate. You can save login. Enter your username; in my case we added jack. Click Save.

Before we log in, we will first check what my public IP address is; take note of my current public IP address. Now let's connect to the remote site: enter the password, then click Connect. Simply double-click on FortiClient to show the window. From here you can see the VPN name, the first available IP address which has been configured on the FortiGate, the username, time duration, bytes received and bytes sent. Now, since I'm connected to the network, let's check my public IP address again; take note of the current one. Now I will refresh the page. You can see that my IP address has been changed; I'm now using the remote site connection for internet access. Now let's refresh the IPsec tunnels; you can now see it's up, and also you can see that it has one dial-up connection currently connected. Let's check the policy. Go to Policy & Objects > Firewall Policy; you can now see that there is traffic for the ipsec vpn to internet policy. We can also test to ping the LAN gateway. Go to Network > Interfaces; you can see the gateway is 192.168.1.1. Now open the command prompt and test ping the gateway: ping 192.168.1.1, which we can.

Next, we are going to enable the IPv4 split tunnel. This is if you want to access the remote site but you want to use your own connection for internet access. First, we will disconnect the IPsec VPN; simply click on Disconnect. You can see the IPsec tunnel status is down. Next, we are going to delete the IPsec VPN policy. Go to Policy & Objects > Firewall Policy. We must delete the ipsec vpn to internet policy, or else we cannot enable the IPv4 split tunnel. Right-click on it, then click Delete Policy, and click OK to verify. Now go to VPN > IPsec Tunnels and double-click on the ipsec vpn to edit the configuration. Under Network click Edit, check the box to enable IPv4 split tunnel, and under Accessible Networks choose "lan local", which is the LAN subnet. Click OK to apply the changes.

Before we connect, let's check my public IP address again; take note of the public IP address. Let's now connect to the network. Open FortiClient; you can see the three options we have enabled during the configuration. Now enter the password, then click Connect. Again you can see the connection details. Let's refresh the IPsec tunnel status; the status has been changed to up. Now let's check my public IP address. Notice that I'm using my connection to access the internet, but I'm connected to the network. We can do a ping test to the remote site LAN gateway; notice the ping results. I'm now connected to the network again, but I'm using my own connection for internet access.

Next, we will check the IPsec VPN monitoring. Go to Dashboard, click on the plus sign or Add Monitor, under Network click IPsec, then click Add Monitor. Go back to Dashboard; you can see the IPsec monitor has been added. Click on it; you can see the connection details: the remote user public IP address, the incoming and outgoing data. Well, that's all for today's demonstration and I really hope you liked this video. If you are new to my channel, please don't forget to like, share, subscribe and click on the notification bell for more amazing tutorials. Thank you and see you in the next video.
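The wizard steps walked through in the video map onto a handful of FortiOS CLI objects, and seeing them together makes the two options (full tunnel with internet inspection, or split tunnel) and the security-relevant knobs explicit. The configuration below is an added example, not the video's own output or Fortinet documentation; it reproduces the user, group, dial-up tunnel and both policies in full-tunnel form. The names "jack", "ipsec users", "ipsec vpn", "lan local", the WAN interface "maxis" and the 10.100.100.1-50 pool come from the video; the pre-shared key and password placeholders, the auto-generated pool object name "ipsec vpn_range", the proposal and DH-group lists and the "default" profile names are assumptions.

```fortios
# Added example: FortiOS 7.0 CLI equivalent of the wizard steps in the video.
# Placeholders: <USER_PASSWORD>, <PRE_SHARED_KEY>. Names marked "assumed" are not in the video.

# 1. Local user and the firewall group the tunnel authenticates against
config user local
    edit "jack"
        set type password
        set passwd <USER_PASSWORD>
    next
end
config user group
    edit "ipsec users"
        set member "jack"
    next
end

# 2. Address objects: LAN subnet ("lan local") and the client pool
#    (the wizard creates the pool object itself; the name is assumed)
config firewall address
    edit "lan local"
        set subnet 192.168.1.0 255.255.255.0
        set associated-interface "internal"
    next
    edit "ipsec vpn_range"
        set type iprange
        set start-ip 10.100.100.1
        set end-ip 10.100.100.50
    next
end

# 3. Dial-up IKEv1 tunnel: group pre-shared key plus XAuth per-user credentials.
#    Proposal and DH group are assumed; pick what your clients support.
config vpn ipsec phase1-interface
    edit "ipsec vpn"
        set type dynamic
        set interface "maxis"
        set mode aggressive
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256 aes128-sha256
        set dhgrp 14
        set xauthtype auto
        set authusrgrp "ipsec users"
        set ipv4-start-ip 10.100.100.1
        set ipv4-end-ip 10.100.100.50
        set save-password enable
        set client-auto-negotiate enable
        set client-keep-alive enable
        set psksecret <PRE_SHARED_KEY>
        # Full tunnel (the video's second option): no ipv4-split-include.
        # For the split-tunnel variant add:  set ipv4-split-include "lan local"
    next
end
config vpn ipsec phase2-interface
    edit "ipsec vpn"
        set phase1name "ipsec vpn"
        set proposal aes256-sha256 aes128-sha256
    next
end

# 4a. VPN clients to LAN, NAT disabled (as in the video)
config firewall policy
    edit 0
        set name "ipsec vpn"
        set srcintf "ipsec vpn"
        set dstintf "internal"
        set action accept
        set srcaddr "ipsec vpn_range"
        set dstaddr "lan local"
        set schedule "always"
        set service "ALL"
        set nat disable
    next
# 4b. VPN clients to the internet, NAT enabled, security profiles and logging on
    edit 0
        set name "ipsec vpn to internet"
        set srcintf "ipsec vpn"
        set dstintf "maxis"
        set action accept
        set srcaddr "ipsec vpn_range"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
        set utm-status enable
        set av-profile "default"
        set webfilter-profile "default"
        set dnsfilter-profile "default"
        set application-list "default"
        set ips-sensor "default"
        set emailfilter-profile "default"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
    next
end
```

Two points worth keeping in mind when reading this against the video. The full-tunnel/split-tunnel choice is a single line in phase 1: with `ipv4-split-include` unset, every packet from the client, including its web traffic, traverses the "ipsec vpn to internet" policy and is inspected by the listed profiles; with it set to "lan local", only 192.168.1.0/24 is sent through the tunnel and the client's internet traffic never reaches the FortiGate, which is why the video deletes that policy before enabling split tunnel. And because the pre-shared key is shared by every remote user while XAuth supplies the per-user password, the PSK should be long and random and rotated if a client device is lost; the per-user account can be disabled in `config user local` without touching the tunnel.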
Info
Channel: D' IgoroTech
Views: 6,127
Keywords: how to configure ipsec vpn on fortigate - google.com, how to configure ipsec vpn on fortigate - youtube.com, how to configure ipsec vpn remote access on fortigate - google.com, ipsec vpn remote access configuration, configure ipsec vpn on firtios 7, fortigate ipsec vpn configuration, fortigate remote access ipsec vpn configuration, fortigate remote access, ipsec vpn configuration, how to configure ipsec vpn on fortios 7, ipsec vpn remote access fortigate - google.com, ipsec vpn
Id: diRUIQGnWqs
Length: 15min 28sec (928 seconds)
Published: Mon Aug 02 2021