PPTP and L2TP

A virtual private network (VPN) is a way to use a public network, such as the Internet, as a vehicle to provide remote offices or individual users with secure access to private networks. FortiOS supports the Point-to-Point Tunneling Protocol (PPTP), which enables interoperability between FortiGate units and Windows or Linux PPTP clients. Because FortiGate units support industry-standard PPTP VPN technologies, you can configure a PPTP VPN between a FortiGate unit and most third-party PPTP VPN peers.

This section describes how to configure PPTP and L2TP VPNs as well as PPTP passthrough.

How PPTP VPNs work

The Point-to-Point Tunneling Protocol enables you to create a VPN between a remote client and your internal network. Because it is a Microsoft Windows standard, PPTP does not require third-party software on the client computer. As long as the ISP supports PPTP on its servers, you can create a secure connection by making relatively simple configuration changes to the client computer and the FortiGate unit.

PPTP uses Point-to-Point Protocol (PPP) authentication protocols so that standard PPP software can operate on tunneled PPP links. PPTP packages data in PPP packets and then encapsulates the PPP packets within IP packets for transmission through a VPN tunnel.

When the FortiGate unit acts as a PPTP server, a PPTP session and tunnel are created as soon as the PPTP client connects to the FortiGate unit. More than one PPTP session can be supported on the same tunnel. FortiGate units support PAP, CHAP, and plain text authentication. PPTP clients are authenticated as members of a user group.

Traffic from one PPTP peer is carried in PPP frames (encrypted at the PPP layer by MPPE, where MPPE has been negotiated) before it is encapsulated using Generic Routing Encapsulation (GRE) and routed to the other PPTP peer through an ISP network. PPP packets from the remote client are addressed to a computer on the private network behind the FortiGate unit. PPTP packets from the remote client are addressed to the public interface of the FortiGate unit. See the figure below.

PPTP control channel messages are not authenticated, and their integrity is not protected. Furthermore, the encapsulated PPP packets are not cryptographically protected and may be read or modified in transit unless the data itself is protected by an application-layer protocol such as Secure Shell (SSH) or the SSH File Transfer Protocol (SFTP) after the tunnel has been established. Alternatively, you can use Microsoft Point-to-Point Encryption (MPPE) to encrypt the PPP payload. MPPE is built into Microsoft Windows clients and can be installed on Linux clients. FortiGate units support MPPE. Note that MPPE provides confidentiality only, not integrity, and its session keys are derived from the PPP authentication exchange (typically MS-CHAPv2), whose cryptographic weaknesses are well documented; treat PPTP as a compatibility option for legacy clients rather than as a strong VPN, and prefer IPsec or SSL VPN wherever the client supports them.

Packet encapsulation

As shown above, traffic from the remote client is addressed to a computer on the network behind the FortiGate unit. When the PPTP tunnel is established, packets from the remote client are encapsulated and addressed to the FortiGate unit. The FortiGate unit decapsulates the packets and forwards them to the computer on the internal network.

When the remote PPTP client connects, the FortiGate unit assigns an IP address from a reserved range of IP addresses to the client PPTP interface. The PPTP client uses the assigned IP address as its source address for the duration of the connection. When the FortiGate unit receives a PPTP packet, the unit decapsulates the PPTP packet and forwards the inner packet to the correct computer on the internal network. The security policy and protection profiles on the FortiGate unit ensure that inbound traffic is screened and processed securely.

PPTP clients must be authenticated before a tunnel is established. The authentication process relies on FortiGate user group definitions, which can optionally use established authentication mechanisms such as RADIUS or LDAP to authenticate PPTP clients. All PPTP clients are challenged when a connection attempt is made.

FortiGate unit as a PPTP server

In the most common Internet scenario, the PPTP client connects to an ISP that offers PPP connections with dynamically assigned IP addresses. The ISP forwards PPTP packets to the Internet, where they are routed to the FortiGate unit.
FortiGate unit as a PPTP server

If the FortiGate unit will act as a PPTP server, there are a number of steps to complete:

1. Configure user authentication for PPTP clients.
2. Enable PPTP.
3. Specify the range of addresses that are assigned to PPTP clients when connecting.
4. Configure the security policy.

Configuring user authentication for PPTP clients

To enable authentication for PPTP clients, you must create user accounts and a user group to identify the PPTP clients that need access to the network behind the FortiGate unit. Within the user group, you must add a user for each PPTP client. You can choose to use a plain text password for authentication or forward authentication requests to an external RADIUS, LDAP, or TACACS+ server. If password protection will be provided through a RADIUS, LDAP, or TACACS+ server, you must configure the FortiGate unit to forward authentication requests to the authentication server. This example creates a basic user/password combination.

Configuring a user account

To add a local user - GUI

1. Go to User & Device > User Definition and select Create New.
2. Select Local User.
3. Enter a User Name.
4. Enter a Password for the user. The password should be at least six characters; six is the documented minimum, so use a much longer passphrase in practice.
5. Select OK.

To add a local user - CLI

```
config user local
    edit <user_name>
        set type password
        set passwd <password>
    end
```

Configuring a user group

To ease configuration, create user groups that contain users in similar categories or departments.

To create a user group - GUI

1. Go to User & Device > User Group and select Create New.
2. Enter a Name for the group.
3. For Type, select Firewall.
4. From the Available Users list, select the required users and select the right-facing arrow to add them to the Members list.
5. Select OK.

To create a user group - CLI

```
config user group
    edit <group_name>
        set group-type firewall
        set member <user_name> [<user_name> ...]
    end
```

Enabling PPTP and specifying the PPTP IP address range

The PPTP address range specifies the range of addresses reserved for remote PPTP clients. When a PPTP client connects to the FortiGate unit, the client is assigned an IP address from this range. Afterward, the FortiGate unit uses the assigned address to communicate with the PPTP client. The address range that you reserve can consist of private or routable IP addresses. If you specify a private address range that matches a network behind the FortiGate unit, the assigned address will make the PPTP client appear to be part of the internal network.

PPTP requires two IP addresses, one for each end of the tunnel. The PPTP address range is the range of addresses reserved for remote PPTP clients. When the remote PPTP client establishes a connection, the FortiGate unit assigns an IP address from the reserved range to the client PPTP interface or retrieves the assigned IP address from the PPTP user group. If you use the PPTP user group, you must also define the FortiGate end of the tunnel by entering the IP address of the unit in Local IP (web-based manager) or local-ip (CLI). The PPTP client uses the assigned IP address as its source address for the duration of the connection.

PPTP configuration is only available through the CLI. In the example below, PPTP is enabled with an IP range of 192.168.1.1 to 192.168.1.10 for addressing, and the user group is hrstaff.

FortiOS 5.4.0 and later versions allow the start and end IPs in the PPTP address range to be in the same 16-bit subnet.
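The following is an added example, not configuration taken from the page or from Fortinet's own documentation, that carries the four steps above through as one FortiOS CLI sequence: the local user and group, the PPTP server with the 192.168.1.1 to 192.168.1.10 range and the hrstaff group, a firewall address object for that range, and the security policy for the decapsulated client traffic. The user name "jsmith", the address object name "PPTP_clients", the policy name, and the interface names "wan1" (where PPTP clients arrive) and "internal" are assumptions; substitute your own. Option names below are those of FortiOS 5.x; check `config vpn pptp` with `?` on your release, since the exact option set varies between versions.

```text
# Added example (assumed names: jsmith, hrstaff, PPTP_clients, wan1, internal).
# Step 1: local user and the firewall group that PPTP will authenticate against.
config user local
    edit "jsmith"
        set type password
        set passwd "<long-passphrase>"
    next
end

config user group
    edit "hrstaff"
        set group-type firewall
        set member "jsmith"
    next
end

# Steps 2 and 3: enable the PPTP server, hand out 192.168.1.1-192.168.1.10
# from a range, and restrict logins to members of hrstaff.
config vpn pptp
    set status enable
    set ip-mode range
    set sip 192.168.1.1
    set eip 192.168.1.10
    set usrgrp "hrstaff"
end

# Step 4: an address object covering the client range, so the policy can match
# on the source address the FortiGate assigned to the tunnel client.
config firewall address
    edit "PPTP_clients"
        set type iprange
        set start-ip 192.168.1.1
        set end-ip 192.168.1.10
    next
end

# Policy for traffic after decapsulation: from the interface the tunnel arrives
# on, into the internal network, only from the PPTP address range.
config firewall policy
    edit 0
        set name "pptp-to-internal"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "PPTP_clients"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The lines starting with `#` are explanatory and can be dropped before pasting if your console rejects them. The policy above allows everything into the internal network for the sake of the example; in a real deployment narrow `dstaddr` and `service` to the hosts and ports the PPTP users actually need, because every tunnel client appears on the internal side with a source address from this range. After a client connects, confirm that its assigned address falls inside 192.168.1.1-192.168.1.10 and that the policy is the one its sessions match.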
Beginning with version 4.0, Fortinet removed the PPTP VPN option from the GUI. If the VPN was configured before the firmware was updated to version 4.0 or later, the PPTP VPN server continues to function, but without the option to make changes from the GUI. On a freshly installed device, or a new device shipped with firmware newer than version 4.0, this option is disabled by default and must be enabled explicitly. The only way to do that is to go to the CLI and enable it from there.