
Connecting an Android to a FortiGate with IPsec VPN


Page 1: Connecting an Android to a FortiGate with IPsec VPN

1. Creating a user group for Android users

2. Adding firewall addresses for the user group and DMZ network

3. Configuring the FortiGate as an L2TP server

4. Configuring IPsec VPN using the VPN Wizard

5. Assigning an IP to the VPN interface (optional)

6. Creating a security policy for access to the internal network and the Internet

7. Configuring VPN on the Android device using FortiClient

8. Results

You must download the FortiClient application from the Play Store and install it on your Android device. Refer to the FortiClient for Android QuickStart Guide. This recipe was tested using Android version 4.3.

This recipe describes how to provide a group of remote Android users with secure, encrypted access to the network using FortiClient.

Network diagram: Remote User (Android + FortiClient) connects over the Internet through an IPsec tunnel to the FortiGate WAN 1 interface (172.20.120.123); the FortiGate Port 1 interface (192.168.1.99/24) connects to the Internal Network.


Creating a user group for Android users

Go to User & Device > User > User Definition and select Create New to start the user creation wizard.

Add a user for each remote client, specifying the user type and login credentials.

Provide extra information as required and press OK.

Go to User & Device > User > User Groups.

Create a user group for Android users and add the users you created.

Adding firewall addresses for the Android user group and the DMZ network

Go to Firewall Objects > Address > Addresses.

Select Create New and add a firewall address for the Android users.


Go to Firewall Objects > Address > Addresses.

Select Create New and add a firewall address for the DMZ network.

Configuring the FortiGate as an L2TP server

Go to System > Dashboard > Status and enter the following in the CLI Console:

config vpn l2tp
    set sip 192.168.1.90
    set eip 192.168.1.99
    set status enable
    set usrgrp Android_Users
end

Configuring IPsec VPN using the VPN Wizard

Go to VPN > IPsec > Auto Key (IKE) and select Create VPN Wizard.

Select Dial Up - FortiClient Windows, Mac and Android and follow the wizard, entering the information that it requests.


The user group that you select determines who is allowed to connect to this VPN.

Enter the pre-shared key that will also be used on the Android device.

Clients will connect to the FortiGate unit through the WAN1 interface, which is connected to the Internet.

Address Range defines the IP address range to assign to clients.

The options on the final wizard page can make the VPN more convenient to use. They are disabled by default.

Go to VPN > IPsec > Auto Key (IKE) and edit the AndroidVPN Phase 1.

Set 1 - Encryption to AES128 with SHA1 authentication.

Set 2 - Encryption to 3DES with SHA1 authentication.


Go to VPN > IPsec > Auto Key (IKE) and edit the AndroidVPN Phase 2.

Set 1 - Encryption to AES128 with SHA1 authentication.

Set 2 - Encryption to 3DES with SHA1 authentication.

Enable Perfect Forward Secrecy (PFS) and set Keylife to 3600 seconds.

Assigning an IP to the VPN interface (optional)

If you wish to control the IP address that will be assigned to any traffic egressing over the IPsec interface, you can assign an IP to the interface.

Go to System > Network > Interfaces. Expand your Internet-facing interface and edit the VPN interface.

Assign the IP and Remote IP addresses. These addresses should not be related to the IPs used for the internal network or the Internet-facing interface.


Creating a security policy for access to the internal network and the Internet

Go to Policy > Policy > Policy.

Create a security policy allowing remote Android users to access the internal network.

The source interface is the AndroidVPN interface.
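The FortiGate side of steps 1 through 6 can also be entered from the CLI Console. The following is an added example written for this page; it is not taken from the recipe or from Fortinet documentation. It assumes FortiOS 5.x-style CLI syntax, an outside interface named wan1 and inside interface port1 (the names in the diagram), a phase1/phase2 named AndroidVPN, a client address pool of 10.10.10.1-10.10.10.10 (an assumed range, since the recipe does not state the wizard's Address Range), and a firewall address object named Android_Users_Range for that pool. The user group Android_Users and the proposal, PFS and keylife settings come from the recipe.

```fortios
# Added example (not from the recipe): CLI equivalent of the GUI steps.
# Names marked "assumed" are placeholders chosen for this example.

config user group
    edit "Android_Users"
        set member "android_user1"        # assumed: a local user created in step 1
    next
end

config firewall address
    edit "Android_Users_Range"            # assumed object name for the client pool
        set type iprange
        set start-ip 10.10.10.1           # assumed client pool
        set end-ip 10.10.10.10
    next
end

config vpn ipsec phase1-interface
    edit "AndroidVPN"
        set type dynamic                  # dial-up: clients have no fixed address
        set interface "wan1"              # Internet-facing interface from the diagram
        set xauthtype auto                # XAuth so each client logs in with its own credentials
        set authusrgrp "Android_Users"    # only members of this group may connect
        set mode-cfg enable               # hand clients an address from the pool below
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.10
        set ipv4-netmask 255.255.255.255
        set proposal aes128-sha1 3des-sha1   # recipe's Phase 1 proposals 1 and 2
        set psksecret "<pre-shared-key placeholder>"
    next
end

config vpn ipsec phase2-interface
    edit "AndroidVPN"
        set phase1name "AndroidVPN"
        set proposal aes128-sha1 3des-sha1   # recipe's Phase 2 proposals 1 and 2
        set pfs enable                       # Perfect Forward Secrecy, as in the recipe
        set keylifeseconds 3600              # keylife from the recipe
    next
end

config firewall policy
    edit 0                                # 0 = next free policy ID
        set srcintf "AndroidVPN"          # traffic arriving through the tunnel
        set dstintf "port1"               # internal network
        set srcaddr "Android_Users_Range"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set srcintf "AndroidVPN"
        set dstintf "wan1"                # Internet access for VPN clients
        set srcaddr "Android_Users_Range"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable                    # source NAT to the wan1 address
    next
end
```

The second policy is what turns the tunnel into a full-tunnel Internet path for clients; omit it if remote users should only reach the internal network. The 3des-sha1 proposal is listed only because the recipe enables it as proposal 2; on a FortiGate that only serves current FortiClient releases it can be dropped, since every client will negotiate aes128-sha1.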

Configuring VPN using FortiClient on the Android device

On your Android device, open FortiClient and select Add IPsec VPN.

Enter an account name for the IPsec account and press OK.


The IPsec settings menu appears.

Begin by configuring the Phase 1 and Phase 2 encryption and authentication settings to match those of the FortiGate.

Under Server Settings > Network Settings, enter the address of the FortiGate interface that is connected to the Internet.

Under Server Settings > Authentication Settings, enter the pre-shared key that you created during Phase 1 configuration on the FortiGate.


Results

In FortiClient, access the newly created VPN and enter the assigned username and password, then press Connect.

As the FortiClient attempts to connect to the VPN, a warning message prompts you to trust the application.


Once the FortiClient connects to the VPN, a connection status window indicates the traffic flow and duration of the connection.

If there are problems connecting, check the event log on the FortiGate unit by going to Log & Report > Log Access > Event Log. The logs will show if the connection was successful. You can also use the following command to get more details about where the connection attempt failed:

diag debug application ike -1

The output can indicate something as simple as a pre-shared key mismatch, caused by the Android user entering the password incorrectly.

To verify that the tunnel has come up, go to VPN > Monitor > IPsec Monitor.

The AndroidVPN tunnel should appear in the list.
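The IPsec Monitor check and the ike debug command above have CLI counterparts that show which phase a failing connection reaches. The following session is an added example written for this page, not part of the recipe; it assumes FortiOS 5.x-style diagnose syntax and uses 203.0.113.45 as a constructed stand-in for the Android client's public address.

```fortios
# Added example (not from the recipe): confirm tunnel state, then capture
# IKE debug for a single client so the output stays readable.

# Phase 1: one entry per connected dial-up client under the AndroidVPN gateway
diagnose vpn ike gateway list

# Phase 2: the IPsec SAs and selectors negotiated for each client
diagnose vpn tunnel list

# Capture IKE debug for one client only (203.0.113.45 is a constructed placeholder)
diagnose debug reset
diagnose vpn ike log-filter dst-addr4 203.0.113.45
diagnose debug application ike -1
diagnose debug console timestamp enable
diagnose debug enable

# ... have the user press Connect in FortiClient, then stop the capture:
diagnose debug disable
diagnose debug reset
diagnose vpn ike log-filter clear
```

Filtering by the client's address matters on a gateway with many dial-up users, since `-1` enables every IKE debug level and unfiltered output quickly buries the one failed exchange you are looking for; reading the capture from the first message for that peer shows whether it stops in Phase 1 (pre-shared key or proposal mismatch), at XAuth (wrong username or password, or a user not in Android_Users), or in Phase 2 (proposal, PFS or keylife differences between FortiClient and the FortiGate).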