Internet Through IPSEC Tunnel

Internet-browsing configuration

This section explains how to support secure web browsing performed by dialup VPN clients, and/or hosts behind a remote VPN peer. Remote users can access the private network behind the local FortiGate unit and browse the Internet securely. All traffic generated remotely is subject to the security policy that controls traffic on the private network behind the local FortiGate unit.

The following topics are included in this section:

Configuration overview

Routing all remote traffic through the VPN tunnel

Configuration overview

A VPN provides secure access to a private network behind the FortiGate unit. You can also enable VPN clients to access the Internet securely. The FortiGate unit inspects and processes all traffic between the VPN clients and hosts on the Internet according to the Internet browsing policy. This is accomplished even though the same FortiGate interface is used for both encrypted VPN client traffic and unencrypted Internet traffic.

In the figure below, FortiGate_1 enables secure Internet browsing for FortiClient Endpoint Security users such as Dialup_1 and users on the Site_2 network behind FortiGate_2, which could be a VPN peer or a dialup client.

Example Internet-browsing configuration

You can adapt any of the following configurations to provide secure Internet browsing:

  • A gateway-to-gateway configuration (see Gateway-to-gateway configurations on page 1) l A FortiClient dialup-client configuration (see FortiClient dialup-client configurations on page 1) l A FortiGate dialup-client configuration (see FortiGate dialup-client configurations on page 1)

The procedures in this section assume that one of these configurations is in place, and that it is operating properly.

To create an internet-browsing configuration based on an existing gateway-to-gateway configuration, you must edit the gateway-to-gateway configuration as follows:

  • On the FortiGate unit that will provide Internet access, create an Internet browsing security policy. See Configuration overview on page 151, below. l Configure the remote peer or client to route all traffic through the VPN tunnel. You can do this on a FortiGate unit or on a FortiClient Endpoint Security application. See Configuration overview on page 151.

Creating an Internet browsing security policy

On the FortiGate unit that acts as a VPN server and will provide secure access to the Internet, you must create an Internet browsing security policy. This policy differs depending on whether your gateway-to-gateway configuration is policy-based or route-based.

Creating an Internet browsing policy – policy-based VPN

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following information and then select OK:
Name Enter an appropriate name for the policy.
Incoming Interface The interface to which the VPN tunnel is bound.
Outgoing Interface The interface to which the VPN tunnel is bound.
Source The internal range address of the remote spoke site.
Destination Address all
Action Select IPsec. Under VPN Tunnel, select the tunnel that provides access to the private network behind the FortiGate unit. Select Allow traffic to be initiated from the remote site.
NAT Enable NAT.

Creating an Internet browsing policy – route-based VPN

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Enter the following information and then select OK:
Name Enter an appropriate name for the policy.

Internet-browsing configuration                                                          Routing all remote traffic through the VPN tunnel

Incoming Interface The IPsec VPN interface.
Outgoing Interface The interface that connects to the Internet. The virtual IPsec interface is configured on this physical interface.
Source The internal range address of the remote spoke site.
Destination Address all
Action ACCEPT
NAT Enable NAT.

The VPN clients must be configured to route all Internet traffic through the VPN tunnel.

Routing all remote traffic through the VPN tunnel

To make use of the Internet browsing configuration on the VPN server, the VPN peer or client must route all traffic through the VPN tunnel. Usually, only the traffic destined for the private network behind the FortiGate VPN server is sent through the tunnel.

The remote end of the VPN can be a FortiGate unit that acts as a peer in a gateway-to-gateway configuration, or a FortiClient application that protects an individual client PC.

  • To configure a remote peer FortiGate unit for Internet browsing via VPN, see Configuring a FortiGate remote peer to support Internet browsing on page 153.
  • To configure a FortiClient Endpoint Security application for Internet browsing via VPN, see Configuring a FortiClient application to support Internet browsing on page 154.

These procedures assume that your VPN connection to the protected private network is working and that you have configured the FortiGate VPN server for Internet browsing as described in Configuration overview on page 151.

Configuring a FortiGate remote peer to support Internet browsing

The configuration changes to send all traffic through the VPN differ for policy-based and route-based VPNs.

Routing all traffic through a policy-based VPN

  1. At the FortiGate dialup client, go to Policy & Objects > IPv4 Policy.
  2. Select the IPsec security policy and then select Edit.
  3. From the Destination Address list, select all.
  4. Select OK.

Packets are routed through the VPN tunnel, not just those destined for the protected private network.

Routing all traffic through a route-based VPN

  1. At the FortiGate dialup client, go to Network > Static Routes.
  2. Select the default route (destination IP 0.0.0.0) and then select Edit. If there is no default route, select Create New. Enter the following information and select OK:

 

Destination IP/Mask Set to Subnet and enter 0.0.0.0/0.0.0.0 in the field provided.
Device Select the IPsec virtual interface.
Administrative Distance Leave at default.

All packets are routed through the VPN tunnel, not just packets destined for the protected private network.

Configuring a FortiClient application to support Internet browsing

By default, the FortiClient application configures the PC so that traffic destined for the remote protected network passes through the VPN tunnel but all other traffic is sent to the default gateway. You need to modify the FortiClient settings so that it configures the PC to route all outbound traffic through the VPN.

Routing all traffic through VPN – FortiClient application
  1. At the remote host, start FortiClient.
  2. Go to Remote Access.
  3. Select the definition that connects FortiClient to the FortiGate dialup server, select the Settings icon, and select Edit the selected connection.
  4. In the Edit VPN Connection dialog box, select Advanced Settings.
  5. In the Remote Network group, select Add.
  6. In the IP and Subnet Mask fields, type 0.0.0/0.0.0.0 and select OK.

The address is added to the Remote Network list. The first destination IP address in the list establishes a VPN tunnel. The second destination address (0.0.0.0/0.0.0.0 in this case) forces all other traffic through the VPN tunnel.

  1. Select OK.
This entry was posted in Administration Guides, FortiGate, FortiOS 6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

One thought on “Internet Through IPSEC Tunnel

  1. Mark

    Hi Mike
    In version 6.0.9 of the Forticlient where is the Remote Network group. It seems to have been removed?

    thanks
    Mark

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.