IPSec Internet-browsing configuration

Internet-browsing configuration

This section explains how to support secure web browsing performed by dialup VPN clients, and/or hosts behind a remote VPN peer. Remote users can access the private network behind the local FortiGate unit and browse the Internet securely. All traffic generated remotely is subject to the security policy that controls traffic on the private network behind the local FortiGate unit.

The following topics are included in this section:

Configuration overview

Routing all remote traffic through the VPN tunnel

Configuration overview

A VPN provides secure access to a private network behind the FortiGate unit. You can also enable VPN clients to access the Internet securely. The FortiGate unit inspects and processes all traffic between the VPN clients and hosts on the Internet according to the Internet browsing policy. This is accomplished even though the same FortiGate interface is used for both encrypted VPN client traffic and unencrypted Internet traffic.

In the figure below, FortiGate_1 enables secure Internet browsing for FortiClient Endpoint Security users such as Dialup_1 and users on the Site_2 network behind FortiGate_2, which could be a VPN peer or a dialup client.

Example Internet-browsing configuration

Internet-browsing configuration                                                                                              Configuration overview

You can adapt any of the following configurations to provide secure Internet browsing:

  • A gateway-to-gateway configuration (see Gateway-to-gateway configurations on page 1)
  • A FortiClient dialup-client configuration (see FortiClient dialup-client configurations on page 1)
  • A FortiGate dialup-client configuration (see FortiGate dialup-client configurations on page 1)

The procedures in this section assume that one of these configurations is in place, and that it is operating properly.

To create an internet-browsing configuration based on an existing gateway-to-gateway configuration, you must edit the gateway-to-gateway configuration as follows:

  • On the FortiGate unit that will provide Internet access, create an Internet browsing security policy. See Configuration overview on page 153, below.
  • Configure the remote peer or client to route all traffic through the VPN tunnel. You can do this on a FortiGate unit or on a FortiClient Endpoint Security application. See Configuration overview on page 153.

Creating an Internet browsing security policy

On the FortiGate unit that acts as a VPN server and will provide secure access to the Internet, you must create an Internet browsing security policy. This policy differs depending on whether your gateway-to-gateway configuration is policy-based or route-based.

Creating an Internet browsing policy – policy-based VPN

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following information and then select OK:
Name Enter an appropriate name for the policy.
Incoming Interface The interface to which the VPN tunnel is bound.
Outgoing Interface The interface to which the VPN tunnel is bound.
Source The internal range address of the remote spoke site.
Destination Address all
Action Select IPsec. Under VPN Tunnel, select the tunnel that provides access to the private network behind the FortiGate unit. Select Allow traffic to be initiated from the remote site.
NAT Enable NAT.

Creating an Internet browsing policy – route-based VPN

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following information and then select OK:
Name Enter an appropriate name for the policy.

Routing all remote traffic through the VPN tunnel                                                          Internet-browsing configuration

Incoming Interface The IPsec VPN interface.
Outgoing Interface The interface that connects to the Internet. The virtual IPsec interface is configured on this physical interface.
Source The internal range address of the remote spoke site.
Destination Address all
Action ACCEPT
NAT Enable NAT.

The VPN clients must be configured to route all Internet traffic through the VPN tunnel.

Routing all remote traffic through the VPN tunnel

To make use of the Internet browsing configuration on the VPN server, the VPN peer or client must route all traffic through the VPN tunnel. Usually, only the traffic destined for the private network behind the FortiGate VPN server is sent through the tunnel.

The remote end of the VPN can be a FortiGate unit that acts as a peer in a gateway-to-gateway configuration, or a FortiClient application that protects an individual client PC.

  • To configure a remote peer FortiGate unit for Internet browsing via VPN, see Configuring a FortiGate remote peer to support Internet browsing on page 155.
  • To configure a FortiClient Endpoint Security application for Internet browsing via VPN, see Configuring a FortiClient application to support Internet browsing on page 156.

These procedures assume that your VPN connection to the protected private network is working and that you have configured the FortiGate VPN server for Internet browsing as described in Configuration overview  on page 153.

Configuring a FortiGate remote peer to support Internet browsing

The configuration changes to send all traffic through the VPN differ for policy-based and route-based VPNs.

Routing all traffic through a policy-based VPN

  1. At the FortiGate dialup client, go to Policy & Objects > IPv4 Policy.
  2. Select the IPsec security policy and then select Edit.
  3. From the Destination Address list, select all.
  4. Select OK.

Packets are routed through the VPN tunnel, not just those destined for the protected private network.

Routing all traffic through a route-based VPN

  1. At the FortiGate dialup client, go to Network > Static Routes.
  2. Select the default route (destination IP 0.0.0.0) and then select Edit. If there is no default route, select Create New. Enter the following information and select OK:

155

 

Internet-browsing configuration                                                        Routing all remote traffic through the VPN tunnel

Destination IP/Mask Set to Subnet and enter 0.0.0.0/0.0.0.0 in the field provided.
Device Select the IPsec virtual interface.
Administrative Distance Leave at default.

All packets are routed through the VPN tunnel, not just packets destined for the protected private network.

Configuring a FortiClient application to support Internet browsing

By default, the FortiClient application configures the PC so that traffic destined for the remote protected network passes through the VPN tunnel but all other traffic is sent to the default gateway. You need to modify the FortiClient settings so that it configures the PC to route all outbound traffic through the VPN.

Routing all traffic through VPN – FortiClient application
  1. At the remote host, start FortiClient.
  2. Go to Remote Access.
  3. Select the definition that connects FortiClient to the FortiGate dialup server, select the Settings icon, and select Edit the selected connection.
  4. In the Edit VPN Connection dialog box, select Advanced Settings.
  5. In the Remote Network group, select Add.
  6. In the IP and Subnet Mask fields, type 0.0.0/0.0.0.0 and select OK.

The address is added to the Remote Network list. The first destination IP address in the list establishes a VPN tunnel. The second destination address (0.0.0.0/0.0.0.0 in this case) forces all other traffic through the VPN tunnel.

  1. Select OK.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Leave a Reply

Name *
Email *
Website