VPN Tunneled Internet Browsing

Tunneled Internet Browsing

This recipe provides an example configuration of tunneled Internet browsing using a dialup VPN. To centralize network management and control, all branch office traffic, including Internet browsing, is tunneled to HQ.

The following shows the sample network topology for this example:

To configure a dialup VPN to tunnel Internet browsing using the GUI:

  1. Configure the dialup VPN server FortiGate at HQ:
    a. Go to VPN > IPsec Wizard, enter a VPN name (HQ in this example), make the following selections, and then click Next:
      • Template Type to Site to Site
      • Remote Device Type to FortiGate
      • NAT Configuration to The remote side is behind NAT
    b. Make the following selections, and then click Next:
      • Incoming Interface to port9
      • Authentication Method to Pre-Shared Key
      • Pre-shared Key to sample
    c. Make the following selections, and then click Create:
      • Local Interface to port10
      • Local Subnets to 172.16.101.0
      • Remote Subnets to 0.0.0.0/0
      • Internet Access to Share Local
      • Shared WAN to port9
  2. Configure the dialup VPN client FortiGate at a branch:
    a. Go to VPN > IPsec Wizard, enter a VPN name (Branch1 or Branch2 in this example), make the following selections, and then click Next:
      • Template Type to Site to Site
      • Remote Device Type to FortiGate
      • NAT Configuration to This side is behind NAT
    b. Make the following selections, and then click Next:
      • Remote Device to IP Address, then enter the IP address: 22.1.1.1
      • Outgoing Interface to wan1
      • Authentication Method to Pre-shared Key
      • Pre-shared Key to sample
    c. Make the following selections, and then click Create:
      • Local Interface to internal
      • Local Subnets to 10.1.100.0 (Branch1) / 192.168.4.0 (Branch2)
      • Remote Subnets to 0.0.0.0/0
      • Internet Access to Use Remote
      • Local Gateway to 15.1.1.1 (Branch1) / 13.1.1.1 (Branch2)

To configure a dialup VPN to tunnel Internet browsing using the CLI:

  1. Configure the WAN interface and static route on the FortiGate at HQ:

config system interface
    edit "port9"
        set alias "WAN"
        set ip 22.1.1.1 255.255.255.0
    next
    edit "port10"
        set alias "Internal"
        set ip 172.16.101.1 255.255.255.0
    next
end

config router static
    edit 1
        set gateway 22.1.1.2
        set device "port9"
    next
end

  2. Configure the IPsec phase1-interface and phase2-interface at HQ:

config vpn ipsec phase1-interface
    edit "HQ"
        set type dynamic
        set interface "port9"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set psksecret sample
        set dpd-retryinterval 60
    next
end

config vpn ipsec phase2-interface
    edit "HQ"
        set phase1name "HQ"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
end

  3. Configure the firewall policy at HQ:

config firewall policy
    edit 1
        set srcintf "HQ"
        set dstintf "port9" "port10"
        set srcaddr "10.1.100.0" "192.168.4.0"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

  4. Configure the WAN interface and static route on the FortiGate at the branches:
    a. Branch1:

config system interface
    edit "wan1"
        set ip 15.1.1.2 255.255.255.0
    next
    edit "internal"
        set ip 10.1.100.1 255.255.255.0
    next
end

config router static
    edit 1
        set gateway 15.1.1.1
        set device "wan1"
    next
end

    b. Branch2:

config system interface
    edit "wan1"
        set ip 13.1.1.2 255.255.255.0
    next
    edit "internal"
        set ip 192.168.4.1 255.255.255.0
    next
end

config router static
    edit 1
        set gateway 13.1.1.1
        set device "wan1"
    next
end

  5. Configure the IPsec phase1-interface and phase2-interface at the branches:
    a. Branch1:

config vpn ipsec phase1-interface
    edit "branch1"
        set interface "wan1"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set remote-gw 22.1.1.1
        set psksecret sample
        set dpd-retryinterval 5
    next
end

config vpn ipsec phase2-interface
    edit "branch1"
        set phase1name "branch1"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
        set src-subnet 10.1.100.0 255.255.255.0
    next
end

    b. Branch2:

config vpn ipsec phase1-interface
    edit "branch2"
        set interface "wan1"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set remote-gw 22.1.1.1
        set psksecret sample
        set dpd-retryinterval 5
    next
end

config vpn ipsec phase2-interface
    edit "branch2"
        set phase1name "branch2"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
        set src-subnet 192.168.4.0 255.255.255.0
    next
end

  6. Configure the firewall policy at the branches:
    a. Branch1:

config firewall policy
    edit 1
        set name "outbound"
        set srcintf "internal"
        set dstintf "branch1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "inbound"
        set srcintf "branch1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

    b. Branch2:

config firewall policy
    edit 1
        set name "outbound"
        set srcintf "internal"
        set dstintf "branch2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "inbound"
        set srcintf "branch2"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

  7. Configure the static routes at the branches:
    a. Branch1:

config router static
    edit 2
        set dst 22.1.1.1/32
        set gateway 15.1.1.1
        set device "wan1"
        set distance 1
    next
    edit 3
        set device "branch1"
        set distance 5
    next
end

    b. Branch2:

config router static
    edit 2
        set dst 22.1.1.1/32
        set gateway 13.1.1.1
        set device "wan1"
        set distance 1
    next
    edit 3
        set device "branch2"
        set distance 5
    next
end
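To see why step 7 needs both the /32 host route to the HQ gateway and the low-distance default route into the tunnel, here is an added Python illustration (not FortiOS code and not part of the original recipe) that applies FortiGate route selection, lowest administrative distance per prefix and then longest-prefix match, to Branch1's three static routes. It assumes the FortiOS default static-route distance of 10 for edit 1, which sets none, and the Internet address 198.51.100.10 is a constructed sample.

```python
import ipaddress

# Branch1's static routes as the recipe configures them (edit 1, 2 and 3).
# Edit 1 sets no distance, so it gets the FortiOS default of 10 for static
# routes (assumption stated in the lead-in). Added illustration, not FortiOS code.
BRANCH1_ROUTES = [
    # (destination, gateway or None for an interface route, device, distance)
    ("0.0.0.0/0", "15.1.1.1", "wan1", 10),    # edit 1: default via the ISP
    ("22.1.1.1/32", "15.1.1.1", "wan1", 1),   # edit 2: host route to the HQ peer
    ("0.0.0.0/0", None, "branch1", 5),        # edit 3: default into the tunnel
]


def active_routes(routes):
    """Per destination prefix, keep only the route with the lowest distance;
    that is what the FortiGate installs in its routing table (step 9 output)."""
    best = {}
    for dst, gw, dev, dist in routes:
        net = ipaddress.ip_network(dst)
        if net not in best or dist < best[net][2]:
            best[net] = (gw, dev, dist)
    return best


def lookup(routes, dest_ip):
    """Longest-prefix match over the active routes; returns (gateway, device)."""
    ip = ipaddress.ip_address(dest_ip)
    matches = [(net, r) for net, r in active_routes(routes).items() if ip in net]
    if not matches:
        return None
    net, (gw, dev, _) = max(matches, key=lambda m: m[0].prefixlen)
    return gw, dev


def peer_reachable_outside_tunnel(routes, peer_ip, tunnel_dev):
    """True when IKE/ESP to the VPN peer leaves on a physical interface.
    If the peer resolves to the tunnel itself, the tunnel can never come up."""
    route = lookup(routes, peer_ip)
    return route is not None and route[1] != tunnel_dev


if __name__ == "__main__":
    print(lookup(BRANCH1_ROUTES, "22.1.1.1"))       # ('15.1.1.1', 'wan1')
    print(lookup(BRANCH1_ROUTES, "198.51.100.10"))  # (None, 'branch1'): browsing goes into the tunnel
    print(peer_reachable_outside_tunnel(BRANCH1_ROUTES, "22.1.1.1", "branch1"))  # True
    # Same table without the /32 host route (edit 2): the peer would be routed
    # into its own tunnel, so the tunnel could never be established.
    without_host_route = [r for r in BRANCH1_ROUTES if r[0] != "22.1.1.1/32"]
    print(peer_reachable_outside_tunnel(without_host_route, "22.1.1.1", "branch1"))  # False
```

The `active_routes` result also explains why the routing table in step 9 shows only two entries: the distance-10 default via wan1 loses to the distance-5 default via the tunnel and is not installed.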

  8. Optionally, view the VPN tunnel list on a branch with the diagnose vpn tunnel list command:

list all ipsec tunnel in vd 0
------------------------------------------------------
name=branch1 ver=1 serial=2 15.1.1.2:0->22.1.1.1:0
bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=1
proxyid_num=1 child_num=1 refcnt=19 ilast=0 olast=0 ad=r/2
stat: rxp=1 txp=1661 rxb=65470 txb=167314
dpd: mode=on-idle on=1 idle=5000ms retry=3 count=0 seqno=2986
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=branch1 proto=0 sa=1 ref=5 serial=1 auto-negotiate adr
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA: ref=6 options=1a227 type=00 soft=0 mtu=1438 expire=697/0B replaywin=1024 seqno=13a esn=0 replaywin_lastseq=00000000 itn=0
  life: type=01 bytes=0/0 timeout=2368/2400
  dec: spi=c53a8f7e esp=aes key=16 ecee0cd48664d903d3d6822b1f902fd2 ah=sha1 key=20 2440a189126c222093ca9acd8b37127285f1f8a7
  enc: spi=6e3636fe esp=aes key=16 fdaa20bcc96f74ae9885e824d3efa29d ah=sha1 key=20 70c0891c769ad8007ea1f31a39978ffbc73242d0
  dec:pkts/bytes=0/16348, enc:pkts/bytes=313/55962
  npu_flag=03 npu_rgwy=22.1.1.1 npu_lgwy=15.1.1.2 npu_selid=1 dec_npuid=1 enc_npuid=1

  9. Optionally, view the static routing table on a branch with the get router info routing-table static command:

Routing table for VRF=0
S*      0.0.0.0/0 [5/0] is directly connected, branch1
S       22.1.1.1/32 [1/0] via 15.1.1.1, wan1

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
