IPsec/SSL VPN

Telecommuter VPN on Firewalls

  • 1.  Telecommuter VPN on Firewalls

    Posted Mar 05, 2020 06:27 AM
    I'm exploring using our Fortigate firewalls to terminate a Telecommuter (aka 'Dialup') remote access service

    Right now, I'm trying to develop an L2TP service which would simultaneously support Windows, OS X, and Linux clients.  I am running into bumps and am working a ticket with TAC

    What I'm looking for here is more of a conceptual overview -- I'm realizing that I don't have a mental model for understanding how FortiOS thinks about this service

    For example, what is the difference between an interface-based VPN service and a policy-based VPN service?
    * The Dialup Windows wizard creates an interface-based VPN service ... the Handbook tells me to create a policy-based service
    https://docs.fortinet.com/document/fortigate/6.0.0/handbook/299180/configuration-overview
    * Before I believe one or the other, I would like to understand what the difference is

    More broadly
    * As I trouble-shoot why the Wizard-created IPSec service doesn't work, I've found that my Win10 client wants a 28800s key lifetime whereas the Wizard has created a service which wants a 86400s key lifetime, with the result being a failed ISKMP SA proposal.  Fine, so I've changed the Fortigate to 28800s ...
    * This seems fragile to me -- is there no auto-negotiation feature in this exchange?  Do I really need to hard-code both sides to agree on these various parameters?  [Perhaps this is an argument for the FortiClient approach!]
    * Is it possible to construct an L2TP service which supports the vagaries of Windows, OS X, and Linux clients?  Or does one end up offering (3) separate services, terminated on (3) separate IP addresses?


    I am reading the Handbook:
    * https://docs.fortinet.com/document/fortigate/6.0.0/handbook/509218/fortigate-dialup-client-configuration
    * The Cookbook has a chapter addressing the FortiClient scenario but not L2TP -- I'll get to the FortiClient scenario eventually, but I'm not ready for this yet
    ==> Anyone have a suggestion for additional reading?

    --sk