IPsec/SSL VPN


Pushing DNS servers to Dialup IPSec VPN clients

  • 1.  Pushing DNS servers to Dialup IPSec VPN clients

    Posted Apr 22, 2020 02:15 PM

    I'm experimenting with an L2TP / IPSec Telecommuter VPN service, and I am having trouble telling the clients to use my internal DNS servers.

    config vpn ipsec phase1-interface
        edit "L2TP-TeleVPN"
            set type dynamic
            set interface "port1"
            set local-gw a.b.c.d
            set peertype any
            set net-device enable
            set proposal aes256-sha1 3des-sha1
            set dpd on-idle
            set dhgrp 14
            set psksecret ENC {deleted}
            set dpd-retryinterval 60
        next
    end
    config vpn ipsec phase2-interface
        edit "L2TP-TeleVPN"
            set phase1name "L2TP-TeleVPN"
            set proposal aes256-md5 3des-sha1 aes192-sha1
            set pfs disable
            set encapsulation transport-mode
            set l2tp enable
        next
    end
    config vpn l2tp
        set eip 10.10.10.1
        set sip 10.10.10.254
        set status enable
        set usrgrp "LDAP-VPN-User"
    end


    I tried adding the following:

    config vpn ipsec phase1-interface
        edit "L2TP-TeleVPN"
            set type dynamic
            set interface "port1"
            set local-gw a.b.c.d
            set peertype any
            set net-device enable
            set mode-cfg enable
            set ipv4-dns-server1 10.10.45.90
            set ipv4-dns-server2 10.10.80.90
            set ipv4-dns-server3 10.10.110.90
            set proposal aes256-sha1 3des-sha1
            set dpd on-idle
            set dhgrp 14
            set assign-ip-from name
            set ipv4-netmask 255.255.255.0
            set ipv4-name "L2TP-VPN-Client-Range"
            set domain "company.com"
            set psksecret ENC {deleted}
            set dpd-retryinterval 60
        next
    end

    config firewall address
        edit "L2TP-VPN-Client-Range"
            set uuid {deleted}
            set type iprange
            set color 4
            set start-ip 10.10.10.1
            set end-ip 10.10.10.254
        next
    end

    But then clients don't connect at all ... diag debug app ike -1 shows me:
    [...]
    ike 0:L2TP-TeleVPN_0:222: peer has not completed Configuration Method
    ike 0:L2TP-TeleVPN_0: deleting
    [...]

    Is it possible to instruct the Fortigate to tell the Clients what to use, in terms of DNS servers and domain name?  Or does one have to configure these individually on the Clients?

    --sk



  • 2.  RE: Pushing DNS servers to Dialup IPSec VPN clients

    Posted Apr 23, 2020 05:15 AM
    OK, I understand now that 'set mode-cfg enable' applies only if I am using the FortiClient in IPSec mode. At the moment, I want to support native OS L2TP/IPSec clients instead, so I have disabled 'mode-cfg'.

    It seems to me that I can do this by adding a DHCP server into the mix, either one built into the Fortigate or an external DHCP server. For the moment, I am attempting to use the Fortigate's built-in DHCP server.

    config system dhcp server
        edit 1
            set domain "company.com"
            set default-gateway 10.10.10.1
            set netmask 255.255.255.0
            set interface "L2TP-TeleVPN"
            config ip-range
                edit 1
                    set start-ip 10.71.10.2
                    set end-ip 10.71.10.254
                next
            end
            set timezone-option default
            set server-type ipsec
            set dns-server1 10.10.45.80
            set dns-server2 10.10.90.80
            set dns-server3 10.10.110.80
        next
    end

    Clients are connecting fine ... but they receive the Fortinet DNS servers (208.91.112.53 & 208.91.112.52) rather than the 10.10.x.90 ones which I specify.

    Is anyone else trying this?

    --sk



    config vpn ipsec phase2-interface
        edit "L2TP-TeleVPN"
            set phase1name "L2TP-TeleVPN"
            set proposal aes256-md5 3des-sha1 aes192-sha1
            set pfs disable
            set encapsulation transport-mode
            set l2tp enable
            set dhcp-ipsec enable
        next
    end

    --sk
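The two attempts above (mode-cfg on an L2TP phase1 in the first post, DHCP over IPsec in the second) are the kind of thing worth checking mechanically before touching a tunnel, because the IKE debug only tells you after clients fail. The following script is an added example written for this thread, not Fortinet code and not the poster's: it parses the FortiOS `config`/`edit`/`set`/`next`/`end` text that `show` produces, then reports the conditions the thread itself names: `mode-cfg enable` on a phase1 whose phase2 has `l2tp enable`, a missing `dhcp-ipsec enable`, no `server-type ipsec` DHCP server bound to the tunnel interface, and a DHCP server that pushes no `dns-server` at all. It also flags 3DES and MD5 in the proposals, since both appear in the posted config and neither is appropriate for a new deployment. The sample configurations are constructed from the values quoted in the posts (pre-shared key omitted); the `config system dns` block is an assumption added so the script can show the unit's own resolvers beside the per-tunnel DHCP ones. 208.91.112.53 and .52 are the FortiGate's default FortiGuard system DNS servers, so seeing them on the clients is consistent with the L2TP session being handed the unit's system DNS rather than the DHCP-over-IPsec values; the script does not claim to resolve that, it only makes the two sources visible side by side.

```python
"""Audit a FortiOS CLI dump for the L2TP/IPsec DNS-push pieces discussed above.
Added example, not Fortinet or the poster's code. Parses only
config/edit/set/next/end, which is all a 'show' of these sections uses."""
import shlex
from dataclasses import dataclass, field


@dataclass
class Node:
    settings: dict = field(default_factory=dict)   # 'set key v1 v2' -> {key: [v1, v2]}
    entries: dict = field(default_factory=dict)    # 'edit name'     -> {name: Node}
    sections: dict = field(default_factory=dict)   # 'config a b c'  -> {'a b c': Node}


def parse_fortios(text):
    """Build a tree from FortiOS CLI text; '#' lines are ignored as comments."""
    root = Node()
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, *args = shlex.split(line)          # shlex keeps "quoted names" whole
        if cmd == "config":
            stack.append(stack[-1].sections.setdefault(" ".join(args), Node()))
        elif cmd == "edit":
            stack.append(stack[-1].entries.setdefault(args[0], Node()))
        elif cmd == "set":
            stack[-1].settings[args[0]] = args[1:]
        elif cmd in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def _section(root, path):
    return root.sections.get(path, Node())


def audit_l2tp_dns(text):
    """Return a list of findings for every phase2 that carries L2TP."""
    root = parse_fortios(text)
    phase1 = _section(root, "vpn ipsec phase1-interface").entries
    dhcp = _section(root, "system dhcp server").entries
    findings = []
    for p2name, p2 in _section(root, "vpn ipsec phase2-interface").entries.items():
        if p2.settings.get("l2tp") != ["enable"]:
            continue
        p1name = p2.settings.get("phase1name", [""])[0]
        p1 = phase1.get(p1name)
        if p1 is None:
            findings.append(f"{p2name}: phase1name {p1name!r} does not exist")
            continue
        # First attempt in the thread: mode-cfg on the L2TP phase1 left native
        # clients at 'peer has not completed Configuration Method'.
        if p1.settings.get("mode-cfg") == ["enable"]:
            findings.append(f"{p1name}: mode-cfg enable on an L2TP phase1")
        weak = sorted({a for p in (p1, p2) for a in p.settings.get("proposal", [])
                       if "3des" in a or "md5" in a})
        if weak:
            findings.append(f"{p1name}: weak proposals {' '.join(weak)}")
        # Second attempt in the thread: DHCP over IPsec on the tunnel interface.
        if p2.settings.get("dhcp-ipsec") != ["enable"]:
            findings.append(f"{p2name}: dhcp-ipsec not enabled")
        servers = [d for d in dhcp.values()
                   if d.settings.get("interface") == [p1name]
                   and d.settings.get("server-type") == ["ipsec"]]
        if not servers:
            findings.append(f"{p1name}: no 'server-type ipsec' DHCP server bound")
        for d in servers:
            if not any(k.startswith("dns-server") for k in d.settings):
                findings.append(f"{p1name}: DHCP server pushes no dns-server")
    return findings


def dns_sources(text):
    """Resolvers each source would hand out: system DNS vs per-interface DHCP."""
    root = parse_fortios(text)
    sysdns = _section(root, "system dns").settings
    out = {"system dns": [sysdns[k][0] for k in ("primary", "secondary") if k in sysdns]}
    for d in _section(root, "system dhcp server").entries.values():
        iface = d.settings.get("interface", ["?"])[0]
        out[f"{iface} dhcp"] = [d.settings[k][0] for k in sorted(d.settings)
                                if k.startswith("dns-server")]
    return out


# Constructed samples built from the values quoted in the thread (psksecret omitted).
FIRST_ATTEMPT = """
config vpn ipsec phase1-interface
    edit "L2TP-TeleVPN"
        set type dynamic
        set interface "port1"
        set mode-cfg enable
        set ipv4-dns-server1 10.10.45.90
        set proposal aes256-sha1 3des-sha1
        set dhgrp 14
    next
end
config vpn ipsec phase2-interface
    edit "L2TP-TeleVPN"
        set phase1name "L2TP-TeleVPN"
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set encapsulation transport-mode
        set l2tp enable
    next
end
"""
# Second attempt: mode-cfg dropped, dhcp-ipsec added, built-in DHCP server bound.
# The 'config system dns' block is an assumption (FortiGuard defaults), not from the posts.
SECOND_ATTEMPT = (FIRST_ATTEMPT
                  .replace("set mode-cfg enable\n", "")
                  .replace("set l2tp enable", "set l2tp enable\n        set dhcp-ipsec enable")
                  + """
config system dns
    set primary 208.91.112.53
    set secondary 208.91.112.52
end
config system dhcp server
    edit 1
        set interface "L2TP-TeleVPN"
        config ip-range
            edit 1
                set start-ip 10.71.10.2
                set end-ip 10.71.10.254
            next
        end
        set server-type ipsec
        set dns-server1 10.10.45.80
        set dns-server2 10.10.90.80
    next
end
""")

if __name__ == "__main__":
    for label, cfg in (("first attempt", FIRST_ATTEMPT), ("second attempt", SECOND_ATTEMPT)):
        print(f"== {label}")
        for f in audit_l2tp_dns(cfg):
            print("  ", f)
        print("  ", dns_sources(cfg))
```

Run it against a saved `show vpn ipsec phase1-interface`, `show vpn ipsec phase2-interface`, `show system dhcp server` and `show system dns` concatenated into one file; the first sample reports four findings (mode-cfg, weak proposals, no dhcp-ipsec, no bound DHCP server), the second only the weak proposals, and `dns_sources` prints the FortiGuard system resolvers next to the 10.10.x.80 addresses the DHCP server is configured to push, which is exactly the pair the second post is comparing.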