Configuring authenticated access

To configure authentication for a dialup IPsec VPN – CLI example:

The xauthtype and authusrgrp fields configure XAuth authentication.

config vpn ipsec phase1 edit office_vpn

set interface port1 set type dynamic

set psksecret yORRAzltNGhzgtV32jend set proposal 3des-sha1 aes128-sha1 set peertype dialup

set xauthtype pap set usrgrp Group1

end

Some parameters specific to setting up the VPN itself are not shown here. For detailed information about configuring IPsec VPNs, see the FortiOS Handbook IPsec VPN guide.

 

Configuring authentication of PPTP VPN users and user groups

Configuration of a PPTP VPN is possible only through the CLI. You can configure user groups and security policies using either CLI or web-based manager.

LDAP user authentication is supported for PPTP, L2TP, IPsec VPN, and firewall authentication.

However, with PPTP, L2TP, and IPsec VPN, PAP (Packet Authentication Protocol) is supported, while CHAP (Challenge Handshake Authentication Protocol) is not.

 

To configure authentication for a PPTP VPN

1. Configure the users who are permitted to use this VPN. Create a security user group and add them to it.

For more information, see Users and user groups on page 474.

2. Configure the PPTP VPN in the CLI as in this example.

config vpn pptp

set status enable

set sip 192.168.0.100 set eip 192.168.0.110 set usrgrp PPTP_Group

end

The sip and eip fields define a range of virtual IP addresses assigned to PPTP clients.

Configure a security policy. The source interface is the one through which the clients will connect. The source address is the PPTP virtual IP address range. The destination interface and address depend on the network to which the clients will connect. The policy action is ACCEPT.

 

Configuring authentication of L2TP VPN users/user groups

Configuration of a L2TP VPN is possible only through the CLI. You can configure user groups and security policies using either CLI or web-based manager.

LDAP user authentication is supported for PPTP, L2TP, IPsec VPN, and firewall authentication.

However, with PPTP, L2TP, and IPsec VPN, PAP (Packet Authentication Protocol) is supported, while CHAP (Challenge Handshake Authentication Protocol) is not.

 

To configure authentication for a L2TP VPN

1. Configure the users who are permitted to use this VPN. Create a user group and add them to it.

For more information, see Users and user groups on page 474.

2. Configure the L2TP VPN in the CLI as in this example.

config vpn l2tp

set status enable

set sip 192.168.0.100 set eip 192.168.0.110 set usrgrp L2TP_Group

end

The sip and eip fields define a range of virtual IP addresses assigned to L2TP clients.

3. Configure a security policy. The source interface is the one through which the clients will connect. The source address is the L2TP virtual IP address range. The destination interface and address depend on the network to which the clients will connect. The policy action is ACCEPT.

 

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.