Providing secure remote access to a network for an iOS device

This recipe uses the VPN Wizard to provide a group of remote iOS users with secure, encrypted access to the corporate network. The example enables group members to access the internal network and forces their Internet traffic through the FortiGate unit as well, so that it is inspected and logged by the same security policies as the rest of the network. The example uses an iPad 2 running iOS 6.1.2 (menu options may vary for different iOS versions and devices).

1. Creating a user group for iOS users
2. Adding addresses for the local LAN and remote users
3. Configuring IPsec VPN phases using the VPN Wizard
4. Creating security policies for access to the internal network and the Internet
5. Configuring VPN on the iOS device
6. Results

[Network diagram: Remote User (iPad) - Internet - IPsec tunnel - FortiGate (WAN 1: 172.20.120.123; Port 1: 192.168.1.99/24) - Internal Network]

Creating a user group for iOS users

Go to User & Device > User > User Definition. Create a new user.

Go to User & Device > User > User Groups. Create a user group for iOS users and add the user you created. Each remote user authenticates to the tunnel with their own account, so create one user per person rather than a shared account; the group is what the VPN will be tied to.

Adding addresses for the local LAN and remote users

Go to Firewall Objects > Address > Addresses. Add the address for the local network, including the subnet and the local interface it is reached through.

Go to Firewall Objects > Address > Addresses. Add the address for the remote users as an IP range. This is the pool of addresses the FortiGate assigns to connecting iOS clients, so it must not overlap the local network or any other subnet the FortiGate routes.

Configuring the IPsec VPN phases using the VPN Wizard

Go to VPN > IPsec > Auto Key (IKE). Select Create VPN Wizard.

Name the VPN connection and select Dial Up - iPhone / iPad Native IPsec Client. Click Next.

Enter your pre-shared key and select the iOS user group, then click Next. Note that the pre-shared key is a credential for the VPN that is shared by every member of the group: make it long and random, and keep it different from any user's password, since a user who leaves the group still knows it.

Select your Internet-facing interface for the Local Outgoing Interface, and enter the IP range from the address you created.

330 The FortiGate Cookbook 5.0.5

Assigning an IP to the VPN interface (optional)

If you wish to control the IP address that will be assigned to any traffic egressing over the IPsec interface, you can assign an IP to the interface.

Go to System > Network > Interfaces. Expand your Internet-facing interface and edit the VPN interface. Assign the IP and Remote IP addresses. These addresses must not overlap the IPs used for the internal network or the Internet-facing interface.

Creating security policies for access to the internal network and the Internet

Go to Policy > Policy > Policy. Create a security policy allowing remote iOS users (source: the VPN interface and the remote user IP range) to access the internal network (destination: the internal interface and the local network address).

Go to Policy > Policy > Policy. Create a security policy allowing remote iOS users to access the Internet securely through the FortiGate unit (destination: the Internet-facing interface). Ensure that Enable NAT is checkmarked, so that client traffic leaves with the FortiGate's public address.

Configuring VPN on the iOS device

On the iPad, go to Settings > General > VPN and select Add VPN Configuration. Enter the VPN address, user account, and password in their relevant fields. Enter the pre-shared key in the Secret field.

In order to connect to the VPN tunnel, a Group Name may be required. If you are unable to connect, add this field to the VPN client to determine whether the blank field is the cause.

Results

On the FortiGate unit, go to VPN > Monitor > IPsec Monitor and view the status of the tunnel.

Hosts on the internal network are now reachable from the iOS device. Go to Log & Report > Traffic Log > Forward Traffic to view the traffic. Select an entry to view more information.

Remote iOS users can also access the Internet securely via the FortiGate unit. Go to Log & Report > Traffic Log > Forward Traffic to view the traffic. Select an entry to view more information.

View the status of the tunnel on the iOS device. On the iPad, go to Settings > General > VPN and view the Status of the connection.

Using a Ping tool, send a ping packet directly to an IP address on the LAN behind the FortiGate unit to verify the connection through the VPN tunnel.
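The following is an added example, not part of the Cookbook recipe: the FortiOS CLI equivalent of steps 1 to 4 above, followed by the commands used to verify the tunnel in the Results step. The object names (user "jsmith", group "iOS_Users", addresses "LAN_Subnet" and "iOS_Range", tunnel "iOS_VPN"), the client pool 10.10.10.1-10.10.10.100 and the LAN subnet 192.168.1.0/24 (inferred from Port 1's address in the diagram) are assumptions; the phase 1 mode and the proposals are a reconstruction of what the "iPhone / iPad Native IPsec Client" wizard template produces and should be checked against the objects the wizard actually created on your unit.

```fortios
# Added example (not from the FortiGate Cookbook): CLI equivalent of the wizard recipe.
# Assumed: user "jsmith", group "iOS_Users", addresses "LAN_Subnet"/"iOS_Range",
# tunnel "iOS_VPN", wan1 = Internet, port1 = LAN 192.168.1.0/24 (inferred from the
# diagram), client pool 10.10.10.1-10.10.10.100. Replace <psk> with a long random
# pre-shared key that is not anyone's password.

# 1. User and group (the iOS native client authenticates each user with XAuth)
config user local
    edit "jsmith"
        set type password
        set passwd "<user-password>"
    next
end
config user group
    edit "iOS_Users"
        set member "jsmith"
    next
end

# 2. Address objects: the local LAN, and the pool handed to connecting clients
config firewall address
    edit "LAN_Subnet"
        set subnet 192.168.1.0 255.255.255.0
        set associated-interface "port1"
    next
    edit "iOS_Range"
        set type iprange
        set start-ip 10.10.10.1
        set end-ip 10.10.10.100
    next
end

# 3. Phase 1 / Phase 2 (mode and proposals are assumptions; compare with the wizard output)
config vpn ipsec phase1-interface
    edit "iOS_VPN"
        set type dynamic
        set interface "wan1"
        set mode main
        # If the iPad is given a Group Name it uses aggressive mode and sends that
        # name as its IKE ID; then replace the line above with:
        #   set mode aggressive
        #   set peertype one
        #   set peerid "<GroupName>"
        set mode-cfg enable
        set proposal aes256-sha1 aes128-sha1 3des-sha1
        set dhgrp 2
        set xauthtype auto
        set authusrgrp "iOS_Users"
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.100
        set ipv4-netmask 255.255.255.0
        set psksecret "<psk>"
    next
end
config vpn ipsec phase2-interface
    edit "iOS_VPN"
        set phase1name "iOS_VPN"
        set proposal aes256-sha1 aes128-sha1 3des-sha1
        set pfs disable
    next
end

# 4. Policies: LAN access, and Internet access NATed behind wan1 so every client
#    flow is inspected and logged on the FortiGate
config firewall policy
    edit 0
        set srcintf "iOS_VPN"
        set dstintf "port1"
        set srcaddr "iOS_Range"
        set dstaddr "LAN_Subnet"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set srcintf "iOS_VPN"
        set dstintf "wan1"
        set srcaddr "iOS_Range"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# 5. Verify after the iPad connects: the IKE SA, then the IPsec SA with its counters
diagnose vpn ike gateway list
diagnose vpn tunnel list
# If phase 1 never completes (usually a Group Name / mode mismatch or a wrong PSK):
diagnose debug application ike -1
diagnose debug enable
# ... reproduce the connection attempt from the iPad, read the IKE log, then:
diagnose debug disable
```

The two policies are ordered the same way the recipe creates them; with the NAT policy present, traffic from the pool to any address outside the LAN exits wan1 with the FortiGate's address, which is what lets the forward traffic log show both LAN and Internet sessions for each remote user.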