Tunneled Internet Browsing
This recipe provides an example configuration of tunneled Internet browsing using a dialup IPsec VPN. To centralize network management and control, all branch office traffic, including Internet browsing, is tunneled to HQ, where the HQ firewall policy NATs it out to the Internet.
The following shows the sample network topology for this example:
To configure a dialup VPN to tunnel Internet browsing using the GUI:
- Configure the dialup VPN server FortiGate at HQ:
  - Go to VPN > IPsec Wizard, enter a VPN name (HQ in this example), make the following selections, and then click Next:
    - Template Type: Site to Site
    - Remote Device Type: FortiGate
    - NAT Configuration: The remote side is behind NAT
  - Make the following selections, and then click Next:
    - Incoming Interface: port9
    - Authentication Method: Pre-shared Key
    - Pre-shared Key: sample (a placeholder for this example; use a long random key in production)
  - Make the following selections, and then click Create:
    - Local Interface: port10
    - Local Subnets: 172.16.101.0
    - Remote Subnets: 0.0.0.0/0
    - Internet Access: Share Local
    - Shared WAN: port9
- Configure the dialup VPN client FortiGate at a branch:
  - Go to VPN > IPsec Wizard, enter a VPN name (Branch1 or Branch2 in this example), make the following selections, and then click Next:
    - Template Type: Site to Site
    - Remote Device Type: FortiGate
    - NAT Configuration: This side is behind NAT
  - Make the following selections, and then click Next:
    - Remote Device: IP Address, then enter the HQ address 22.1.1.1
    - Outgoing Interface: wan1
    - Authentication Method: Pre-shared Key
    - Pre-shared Key: sample (the same key configured at HQ)
  - Make the following selections, and then click Create:
    - Local Interface: internal
    - Local Subnets: 10.1.100.0 for Branch1, or 192.168.4.0 for Branch2
    - Remote Subnets: 0.0.0.0/0
    - Internet Access: Use Remote
    - Local Gateway: 15.1.1.1 for Branch1, or 13.1.1.1 for Branch2
To configure a dialup VPN to tunnel Internet browsing using the CLI:
- Configure the WAN interface and static route on the FortiGate at HQ:
    config system interface
        edit "port9"
            set alias "WAN"
            set ip 22.1.1.1 255.255.255.0
        next
        edit "port10"
            set alias "Internal"
            set ip 172.16.101.1 255.255.255.0
        next
    end
    config router static
        edit 1
            set gateway 22.1.1.2
            set device "port9"
        next
    end
- Configure IPsec phase1-interface and phase2-interface configuration at HQ:
    config vpn ipsec phase1-interface
        edit "HQ"
            set type dynamic
            set interface "port9"
            set peertype any
            set net-device enable
            set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
            set dpd on-idle
            set psksecret sample
            set dpd-retryinterval 60
        next
    end
    config vpn ipsec phase2-interface
        edit "HQ"
            set phase1name "HQ"
            set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        next
    end
- Configure the firewall policy at HQ. The policy accepts traffic arriving on the HQ tunnel interface from the two branch subnets toward both the HQ LAN (port10) and the Internet (port9); set nat enable is what translates Internet-bound branch traffic to the port9 address:
    config firewall policy
        edit 1
            set srcintf "HQ"
            set dstintf "port9" "port10"
            set srcaddr "10.1.100.0" "192.168.4.0"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end
- Configure the WAN interface and static route on the FortiGate at the branches:
- Branch1:
    config system interface
        edit "wan1"
            set ip 15.1.1.2 255.255.255.0
        next
        edit "internal"
            set ip 10.1.100.1 255.255.255.0
        next
    end
    config router static
        edit 1
            set gateway 15.1.1.1
            set device "wan1"
        next
    end
- Branch2:
    config system interface
        edit "wan1"
            set ip 13.1.1.2 255.255.255.0
        next
        edit "internal"
            set ip 192.168.4.1 255.255.255.0
        next
    end
    config router static
        edit 1
            set gateway 13.1.1.1
            set device "wan1"
        next
    end
- Configure IPsec phase1-interface and phase2-interface configuration at the branches:
- Branch1:
    config vpn ipsec phase1-interface
        edit "branch1"
            set interface "wan1"
            set peertype any
            set net-device enable
            set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
            set dpd on-idle
            set remote-gw 22.1.1.1
            set psksecret sample
            set dpd-retryinterval 5
        next
    end
    config vpn ipsec phase2-interface
        edit "branch1"
            set phase1name "branch1"
            set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
            set auto-negotiate enable
            set src-subnet 10.1.100.0 255.255.255.0
        next
    end
- Branch2:
    config vpn ipsec phase1-interface
        edit "branch2"
            set interface "wan1"
            set peertype any
            set net-device enable
            set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
            set dpd on-idle
            set remote-gw 22.1.1.1
            set psksecret sample
            set dpd-retryinterval 5
        next
    end
    config vpn ipsec phase2-interface
        edit "branch2"
            set phase1name "branch2"
            set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
            set auto-negotiate enable
            set src-subnet 192.168.4.0 255.255.255.0
        next
    end
- Configure the firewall policy at the branches:
- Branch1:
    config firewall policy
        edit 1
            set name "outbound"
            set srcintf "internal"
            set dstintf "branch1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
        next
        edit 2
            set name "inbound"
            set srcintf "branch1"
            set dstintf "internal"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
        next
    end
- Branch2:
    config firewall policy
        edit 1
            set name "outbound"
            set srcintf "internal"
            set dstintf "branch2"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
        next
        edit 2
            set name "inbound"
            set srcintf "branch2"
            set dstintf "internal"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
        next
    end
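The phase1 and policy settings above are the ones a reviewer looks at first: the pre-shared key sample, the SHA-1 entries in both proposal lists, peertype any on the dialup phase1 at HQ (any peer that knows the PSK can bring up a tunnel, since no peer ID is required), and the any-service policies. As an added example that is not part of the recipe, the following Python script parses FortiOS CLI text in the config/edit/set/next/end form shown above and flags those settings. The sample configuration is constructed from the HQ and Branch1 entries on this page; the 20-character PSK minimum is an assumed local policy, not a FortiOS setting, and the function names are this example's own.

```python
"""Lint FortiOS IPsec and policy CLI for the settings a reviewer would question.

Added example; not from the Fortinet recipe. Parses "config / edit / set /
next / end" text and flags short PSKs, SHA-1 proposals, dialup phase1
entries that accept any peer, and any-service/any-destination policies.
"""
import shlex

MIN_PSK_LEN = 20  # assumed local policy threshold, not a FortiOS setting

# Constructed sample: the recipe's HQ phase1, Branch1 phase1 and HQ policy.
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "HQ"
        set type dynamic
        set interface "port9"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set psksecret sample
        set dpd-retryinterval 60
    next
    edit "branch1"
        set interface "wan1"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set remote-gw 22.1.1.1
        set psksecret sample
        set dpd-retryinterval 5
    next
end
config firewall policy
    edit 1
        set srcintf "HQ"
        set dstintf "port9" "port10"
        set srcaddr "10.1.100.0" "192.168.4.0"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
"""


def parse_fortios(text):
    """Return {(table, entry): {setting: [values]}} from FortiOS CLI text."""
    entries, table, entry = {}, None, None
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # handles the quoted names and multi-value sets
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            table = " ".join(args)
        elif cmd == "edit":
            entry = (table, args[0])
            entries[entry] = {}
        elif cmd == "set" and entry is not None:
            entries[entry][args[0]] = args[1:]
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            table = None
    return entries


def lint(entries):
    """Return (entry name, finding) pairs; an empty list means nothing was flagged."""
    findings = []
    for (table, name), s in entries.items():
        if table == "vpn ipsec phase1-interface":
            psk = s.get("psksecret", [""])[0]
            if len(psk) < MIN_PSK_LEN:
                findings.append((name, f"pre-shared key shorter than {MIN_PSK_LEN} characters"))
            weak = [p for p in s.get("proposal", []) if p.endswith(("-sha1", "-md5"))]
            if weak:
                findings.append((name, "phase1 proposal allows " + " ".join(weak)))
            # A dialup (type dynamic) phase1 with peertype any and no peerid
            # authenticates every IKE peer by the shared PSK alone.
            if s.get("type") == ["dynamic"] and s.get("peertype") == ["any"] and "peerid" not in s:
                findings.append((name, "dialup phase1 accepts any peer that knows the PSK"))
        elif table == "firewall policy":
            if s.get("service") == ["ALL"] and s.get("dstaddr") == ["all"]:
                findings.append((name, "policy permits any service to any destination"))
    return findings


if __name__ == "__main__":
    for name, finding in lint(parse_fortios(SAMPLE_CONFIG)):
        print(f"{name}: {finding}")
```

Run it against the output of show vpn ipsec phase1-interface and show firewall policy on a real unit; the parser only needs the config text, not device access.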
- Configure the static routes at the branches. The /32 host route sends IKE and ESP to HQ out wan1 with distance 1, so the tunnel endpoint is never reached through the tunnel itself; the default route through the tunnel interface uses distance 5, so it wins over the wan1 default route configured earlier (distance 10, the FortiOS default) and all other traffic, Internet browsing included, goes to HQ:
- Branch1:
    config router static
        edit 2
            set dst 22.1.1.1/32
            set gateway 15.1.1.1
            set device "wan1"
            set distance 1
        next
        edit 3
            set device "branch1"
            set distance 5
        next
    end
- Branch2:
    config router static
        edit 2
            set dst 22.1.1.1/32
            set gateway 13.1.1.1
            set device "wan1"
            set distance 1
        next
        edit 3
            set device "branch2"
            set distance 5
        next
    end
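Why the branch needs both a host route to HQ and a default route through the tunnel is easiest to see by working the forwarding decision: route lookup first, then policy lookup. The following Python model is an added example, not from the recipe. It encodes Branch1's routes and policies as configured above (plus the connected internal subnet) and answers three questions: where IKE/ESP to 22.1.1.1 leaves, where a host's Internet traffic goes while the tunnel is up, and what happens to it when the tunnel is down. The tunnel_up flag standing in for the branch1 interface state, the sample destination 203.0.113.10, and the simplification that self-originated IKE traffic is routed but not policy-checked are assumptions of the model.

```python
"""Model the Branch1 forwarding decision: route lookup, then policy lookup.

Added example, not from the Fortinet recipe. Shows that IKE/ESP to HQ always
leaves via wan1, that user traffic rides the tunnel while it is up, and that
nothing from the internal network is forwarded directly out wan1 when it is down.
"""
import ipaddress

# Branch1 routes from the recipe: the connected LAN, the wan1 default (edit 1,
# FortiOS default distance 10), the host route to HQ, and the tunnel default.
ROUTES = [
    {"dst": "10.1.100.0/24", "device": "internal", "gateway": None,       "distance": 0},
    {"dst": "0.0.0.0/0",     "device": "wan1",     "gateway": "15.1.1.1", "distance": 10},
    {"dst": "22.1.1.1/32",   "device": "wan1",     "gateway": "15.1.1.1", "distance": 1},
    {"dst": "0.0.0.0/0",     "device": "branch1",  "gateway": None,       "distance": 5},
]

# Branch1 policies from the recipe. Anything not matched hits the implicit deny.
POLICIES = [
    {"name": "outbound", "srcintf": "internal", "dstintf": "branch1"},
    {"name": "inbound",  "srcintf": "branch1",  "dstintf": "internal"},
]


def up_interfaces(tunnel_up):
    """Interfaces that can carry traffic; branch1 exists only while the tunnel is up."""
    return {"wan1", "internal"} | ({"branch1"} if tunnel_up else set())


def lookup_route(dst_ip, routes, up):
    """Longest prefix first, then lowest administrative distance, over routes whose egress is up."""
    ip = ipaddress.ip_address(dst_ip)
    usable = [r for r in routes
              if r["device"] in up and ip in ipaddress.ip_network(r["dst"])]
    if not usable:
        return None
    return max(usable, key=lambda r: (ipaddress.ip_network(r["dst"]).prefixlen, -r["distance"]))


def forward(src_intf, dst_ip, tunnel_up, routes=ROUTES, policies=POLICIES):
    """Return (egress device, policy name) for transit traffic; policy None means dropped."""
    route = lookup_route(dst_ip, routes, up_interfaces(tunnel_up))
    if route is None:
        return (None, None)
    for p in policies:
        if p["srcintf"] == src_intf and p["dstintf"] == route["device"]:
            return (route["device"], p["name"])
    return (route["device"], None)


def ike_egress(tunnel_up, routes=ROUTES):
    """IKE/ESP to HQ is FortiGate-originated: routed, but not subject to the policies above."""
    return lookup_route("22.1.1.1", routes, up_interfaces(tunnel_up))["device"]


if __name__ == "__main__":
    no_host_route = [r for r in ROUTES if r["dst"] != "22.1.1.1/32"]
    print("IKE without the /32 host route, tunnel up:", ike_egress(True, no_host_route))
    for up in (True, False):
        print(f"tunnel up={up}: IKE via {ike_egress(up)}, "
              f"10.1.100.10 -> 203.0.113.10 goes {forward('internal', '203.0.113.10', up)}")
```

Two results carry the lesson. Without the /32 host route, the tunnel default (distance 5) would also capture IKE to 22.1.1.1 and the tunnel could never come up. When the tunnel drops, the wan1 default route becomes the best route again, but no policy permits internal to wan1, so branch hosts lose Internet access rather than bypassing HQ; adding an internal-to-wan1 policy for convenience would silently turn that fail-closed behaviour into fail-open.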
- Optionally, view the VPN tunnel list on a branch with the diagnose vpn tunnel list command. The sa=1 field shows that an IPsec SA is installed, and the dec and enc lines show the negotiated ESP suite (esp=aes key=16 ah=sha1, that is AES-128 with HMAC-SHA1, the first entry in the branch phase2 proposal list). Those same lines print the live ESP session keys in hex, so treat this output as sensitive and redact it before sharing:
    list all ipsec tunnel in vd 0
    ------------------------------------------------------
    name=branch1 ver=1 serial=2 15.1.1.2:0->22.1.1.1:0
    bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=1
    proxyid_num=1 child_num=1 refcnt=19 ilast=0 olast=0 ad=r/2
    stat: rxp=1 txp=1661 rxb=65470 txb=167314
    dpd: mode=on-idle on=1 idle=5000ms retry=3 count=0 seqno=2986
    natt: mode=none draft=0 interval=0 remote_port=0
    proxyid=branch1 proto=0 sa=1 ref=5 serial=1 auto-negotiate adr
      src: 0:0.0.0.0/0.0.0.0:0
      dst: 0:0.0.0.0/0.0.0.0:0
      SA: ref=6 options=1a227 type=00 soft=0 mtu=1438 expire=697/0B replaywin=1024 seqno=13a esn=0 replaywin_lastseq=00000000 itn=0
      life: type=01 bytes=0/0 timeout=2368/2400
      dec: spi=c53a8f7e esp=aes key=16 ecee0cd48664d903d3d6822b1f902fd2 ah=sha1 key=20 2440a189126c222093ca9acd8b37127285f1f8a7
      enc: spi=6e3636fe esp=aes key=16 fdaa20bcc96f74ae9885e824d3efa29d ah=sha1 key=20 70c0891c769ad8007ea1f31a39978ffbc73242d0
      dec:pkts/bytes=0/16348, enc:pkts/bytes=313/55962
      npu_flag=03 npu_rgwy=22.1.1.1 npu_lgwy=15.1.1.2 npu_selid=1 dec_npuid=1 enc_npuid=1
- Optionally, view the static routing table on a branch with the get router info routing-table static command. Only the best route per prefix is installed: the default route through the tunnel (distance 5) has displaced the wan1 default route (distance 10), which takes over again only if the branch1 interface goes down, while the host route to HQ stays on wan1 so IKE and ESP never recurse into the tunnel:
    Routing table for VRF=0
    S*      0.0.0.0/0 [5/0] is directly connected, branch1
    S*      22.1.1.1/32 [1/0] via 15.1.1.1, wan1