Use PFSense as a Dial-In IPSEC client to Fortigate Firewall
I am trying to connect to a Fortigate firewall with a IPSEC dial-in setup. Normally users dial in to the fortigate using a Cisco VPN client using a PSK setup + their AD account through Radius.
Before anyone starts complaining.. Yes i am one of the actual sysadmins for the fortigate setup, and yes i could create a dedicated setup for this link. My experience with Fortigates and IPSEC is limited however, and just as a challenge for myself i am trying to connect to the Dial-Up setup using my PFSense firewall..
So here's the thing..
The Dial-Up setup on the fortigate provides the Cisco VPN clients calling in with a private IP adress from a small /26 pool set on the fortigate as "client range".
Phase 1 is setup using fixed peer ID's and a PSK (i'll leave out the encryption settings, but i used the same on both sides)
Then there's a XAuth phase where the user supplies his userdomain\username + password, which is verified by radius connected to his AD account. (On the fortigate it is set to Xauth type "auto server" and linked to the radius user group)
This is followed with a phase 2 setting, again using the same encryption and authentication settings on both sides and PFS enabled.
I have the PSK key and account available to me. The Cisco VPN client profiles hardly showed anything useful. But hey, i can access all the settings on the fortigate to compare. so.. should be easy i thought..
On the PFSebse box i tried various ways to create a fitting profile but i cant figure out how to get it to work..The German article on this forum show a basic IPSEC setup between a Fortigate and PFSense using a dedicated setup.. But not like i described above..
Phase 1 is easy enough to setup with all the data i have.. But how do i tell PFSense to be a client, and use the IP address assigned to me by the fortigate ? I tried using the WAN interface, should work for setting up the connection, but how do i handle the private IP assigned by the fortigate ?
- I tried creating a new interface and connect it to the IPSEC tunnel, like i sometimes do when using OpenVPN. Cant be done
- A VIP ? All fixed IP's, cant figure out how to use that either.
Then the Xauth part ? cant find any mention of that.. I googled a bit and found some old post where someone mentioned selecting Mutual PSK + XAuth as phase 1 authentication method, but i can only select Mutual PSK or Mutual RSA.
Then i figured that maybe i should be using the "Mobile clients" part of the IPSEC settings, but to me those settings apear to be for mobile clients connecting to the PFSense firewall.. Not for connecting to another firewall using the PFSense as a client.
The Phase 2 settings look pretty much the same on both the fortigate and pfsense machines.. Apart from the fact that on the fortigate another user group of allowed users has been specified.
This setup probably wont allow me to route my internet network to the other side, but i figured i can handle that using NAT.\
Anybody ever got this combination to work ? Is this possible at all ? Or am i trying something that cannot be done ?
That's not possible without significant source code hacking.