Author Topic: Fortinet VPN client  (Read 22128 times)

v_for_vendetta

Fortinet VPN client
« on: June 10, 2008, 01:35:38 am »
Hi Guys,

I need your advice on a matter. I work for an IT solutions provider. My company provides customers with Juniper Netscreen 5GT firewalls. I have a customer who has a site-to-site VPN set up from the Juniper at his premises to the Juniper in another office. The VPN sessions work fine with no issues. The only problem is when he uses an application known as Fortinet VPN client to VPN to a remote server in another location. Somehow the Juniper seems to block the application from connecting, as when he bypasses the Juniper and connects directly to the modem/router, he is able to use the application. The application requires the opening of ports 500, 4500 and 8990. I have enabled the VIP service on the Juniper as well as created a policy to allow access to the remote server, but the issue still remains. Going through the firewall is a no-no, but bypassing it doesn't cause problems. All advice on the matter is most appreciated.

Thanks.


ric0

Re: Fortinet VPN client
« Reply #1 on: June 10, 2008, 04:05:57 am »
I'm not too sure what the FortiClient needs. Have you verified that you opened UDP ports?

4500 is probably used for ESP in UDP.
JNCIA-FWV - JNCIA-IDP

v_for_vendetta

Re: Fortinet VPN client
« Reply #2 on: June 10, 2008, 07:37:21 am »
Just to add, the application is known as FortiGate VPN client and it is an L2TP application. I have added the ports in UDP and TCP as well. I hope the extra info is helpful.

sebastan_bach

Re: Fortinet VPN client
« Reply #3 on: June 10, 2008, 04:18:43 pm »
Hi, if you are using the FortiClient for an L2TP tunnel, then you need to open IKE, that is UDP 500, and ESP, protocol number 50, because L2TP uses these to tunnel. It also uses UDP 1703, but that is inside the ESP tunnel. So as long as ESP and IKE are permitted, things should work out smoothly.

hope this helps.

regards

sebastan

v_for_vendetta

Re: Fortinet VPN client
« Reply #4 on: June 10, 2008, 08:06:13 pm »
Since I am not that experienced, may I know what protocol 50 is? Currently all ports have been allowed.

alan

Re: Fortinet VPN client
« Reply #5 on: June 10, 2008, 09:40:01 pm »
IP protocol 50 is ESP and IP protocol 51 is AH.
These are not ports but protocols in the IP suite.
To pass IPsec you allow ESP (or AH, depending) and UDP/500 (IKE).
UDP/4500 is for NAT-T (NAT Traversal), which solves ESP (or AH) going through NAT.

IPsec/ESP/AH
http://en.wikipedia.org/wiki/Ipsec
NAT-T
http://en.wikipedia.org/wiki/NAT_traversal
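
As an added illustration of the point alan makes above (example code, not from this thread and not from Juniper or Fortinet): the Python script below parses raw IPv4 packets and labels them by IP protocol number versus UDP port. It shows why a rule that opens "port 500 and port 4500" on UDP/TCP cannot match an ESP packet (protocol 50 has no ports), and how NAT-T multiplexes IKE, keepalives and UDP-encapsulated ESP on UDP/4500 using the non-ESP marker from RFC 3948. All sample packets, addresses and SPI values are constructed inline and are not real captures.

```python
"""Classify IPsec-related IPv4 packets by IP protocol number and UDP port.

Added example for the thread above; not code from the forum, Juniper or
Fortinet. Sample packets are built by hand at the bottom (constructed data).
"""
import struct

IPPROTO_UDP = 17
IPPROTO_ESP = 50   # an IP protocol, not a port
IPPROTO_AH = 51    # likewise
PORT_IKE = 500
PORT_NAT_T = 4500


def classify(packet: bytes) -> str:
    """Return a label for a raw IPv4 packet with no link-layer header."""
    if len(packet) < 20:
        return "truncated"
    version_ihl = packet[0]
    if version_ihl >> 4 != 4:
        return "not-ipv4"
    ihl = (version_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return "truncated"
    proto = packet[9]
    payload = packet[ihl:]

    if proto == IPPROTO_ESP:
        # ESP header: SPI (4 bytes), sequence number (4 bytes), then ciphertext.
        if len(payload) < 8:
            return "esp/truncated"
        spi, = struct.unpack("!I", payload[:4])
        return f"esp spi=0x{spi:08x}"
    if proto == IPPROTO_AH:
        # AH header: next header, payload len, reserved, then SPI at offset 4.
        if len(payload) < 12:
            return "ah/truncated"
        spi, = struct.unpack("!I", payload[4:8])
        return f"ah spi=0x{spi:08x}"
    if proto != IPPROTO_UDP:
        return f"ip-proto-{proto}"

    if len(payload) < 8:
        return "udp/truncated"
    sport, dport, _ulen, _csum = struct.unpack("!HHHH", payload[:8])
    udp_data = payload[8:]
    if PORT_IKE in (sport, dport):
        return "ike udp/500"
    if PORT_NAT_T in (sport, dport):
        # RFC 3948: on UDP/4500 a single 0xFF byte is a NAT keepalive, four
        # zero bytes (the non-ESP marker) precede an IKE header, and anything
        # else is UDP-encapsulated ESP whose first 4 bytes are a non-zero SPI.
        if udp_data == b"\xff":
            return "nat-t keepalive"
        if udp_data[:4] == b"\x00\x00\x00\x00":
            return "ike udp/4500 (nat-t)"
        if len(udp_data) >= 8:
            spi, = struct.unpack("!I", udp_data[:4])
            return f"esp-in-udp spi=0x{spi:08x}"
        return "nat-t/truncated"
    return f"udp/{dport}"


# --- constructed sample packets (made-up addresses and SPIs) ---------------
def ipv4(proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([10, 0, 0, 1]), bytes([203, 0, 113, 5]))
    return hdr + payload


def udp(sport: int, dport: int, data: bytes) -> bytes:
    """UDP header (checksum left zero) plus data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


SAMPLES = {
    "ike":             ipv4(IPPROTO_UDP, udp(500, 500, b"\x00" * 28)),
    "esp":             ipv4(IPPROTO_ESP, struct.pack("!II", 0xDEADBEEF, 1) + b"\x00" * 16),
    "ah":              ipv4(IPPROTO_AH, struct.pack("!BBHII", 17, 4, 0, 0x0BADF00D, 1) + b"\x00" * 12),
    "nat-t keepalive": ipv4(IPPROTO_UDP, udp(4500, 4500, b"\xff")),
    "ike over nat-t":  ipv4(IPPROTO_UDP, udp(4500, 4500, b"\x00" * 4 + b"\x00" * 28)),
    "esp in udp":      ipv4(IPPROTO_UDP, udp(4500, 4500, struct.pack("!II", 0xC0FFEE01, 7) + b"\x00" * 16)),
    "plain tcp":       ipv4(6, b"\x00" * 20),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:16s} -> {classify(pkt)}")
```

The practical check this encodes: the "esp" sample never reaches the port comparison at all, so a firewall service defined as UDP or TCP 500/4500 will not match it; it needs a service keyed on IP protocol 50 (or 51 for AH). Only when the peer detects NAT does ESP move inside UDP/4500, where a port-based rule does apply.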


v_for_vendetta

Re: Fortinet VPN client
« Reply #6 on: June 10, 2008, 10:25:02 pm »
Thanks for all the input so far. Where do I set the protocols that have been suggested? Also, when setting up an IKE entry there is no option for port settings, only the pre-shared key, but the application doesn't use a key.

alan

Re: Fortinet VPN client
« Reply #7 on: June 10, 2008, 10:49:56 pm »
Policy > Policy Elements > Custom > Other > 50 (or 51)
IKE is already defined as IKE-NAT

You'll end up with something like..(lock this down better than ANY/ANY)
set service "ESP-custom" protocol 50 src-port 0-65535 dst-port 0-65535
set policy id 23 from "Untrust" to "Trust"  "Any" "Any" "ESP-custom" permit log
set policy id 23
set service "IKE-NAT"
exit
[add UDP/4500 and UDP?/8990 per the above]

v_for_vendetta

Re: Fortinet VPN client
« Reply #8 on: June 10, 2008, 11:57:37 pm »
Hi alan,

Thanks for all the guidance so far. I guess I didn't mention something clearly here: the device is a Juniper NS5GT. There is no option to create custom policies. The firewall currently runs on 5.3.0r10.0 (Firewall+VPN) firmware. I hope you can advise a method that is applicable to an NS5GT.

Thanks