This tutorial shows you how to enable the PPTP VPN feature on Fortigate devices running FortiOS 4.0+.
After upgrading your Fortibox to FortiOS 4.0, the theme color has changed (a very visible change), and the PPTP VPN for clients seems to be gone: there is no PPTP option in the VPN section of the GUI.
This is not what you want, because many existing remote users need PPTP VPN to connect to work. With PPTP, Windows, Linux and MacOS users can easily create a VPN connection and reach the corporate network.
To enable PPTP VPN on FortiOS 4.0, you must enable it using the CLI (command line interface). A CLI connection to a Fortigate device can be established over the serial port, Telnet, or SSH. Telnet is less secure than SSH because it sends everything in plain text, including your password.
To connect to the VPN over PPTP, end users must have valid credentials (a username and password). The account can be in the local Fortigate user database or in Active Directory. In this tutorial I assume you will use the local user database to authenticate VPN users.
Create a new user account
Follow these steps in your SSH session to create a user account:
FORTIGATEW01 # config user local
FORTIGATEW01 (local) # edit vpn_client01
new entry 'vpn_client01' added
FORTIGATEW01 (vpn_client01) # set status enable
FORTIGATEW01 (vpn_client01) # set type password
FORTIGATEW01 (vpn_client01) # set passwd vpn_password01
FORTIGATEW01 (vpn_client01) # end
Create a group for PPTP VPN
Follow these steps to create a new group, add a member to it, and set the group type so it can be used for VPN authentication:
FORTIGATEW01 # config user group
FORTIGATEW01 (group) # edit VPN-Users
FORTIGATEW01 (VPN-Users) # set member vpn_client01
FORTIGATEW01 (VPN-Users) # set group-type firewall
FORTIGATEW01 (VPN-Users) # end
Enabling and configuring PPTP VPN
To enable PPTP VPN on FortiOS 4.x, follow these steps:
FORTIGATEW01 # config vpn pptp
FORTIGATEW01 (pptp) # set sip 192.168.220.160
FORTIGATEW01 (pptp) # set eip 192.168.220.170
FORTIGATEW01 (pptp) # set ip-mode range
FORTIGATEW01 (pptp) # set status enable
FORTIGATEW01 (pptp) # set usrgrp VPN-Users
FORTIGATEW01 (pptp) # end
“sip” and “eip” are the start and end of the IP range, inside your LOCAL NETWORK, that you want to assign to PPTP VPN clients.
set ip-mode range tells the Fortigate to use the sip and eip defined above.
set usrgrp VPN-Users references the group we configured above: the VPN-Users group we just created is attached to the PPTP VPN settings, so vpn_client01, as a member of VPN-Users, can now connect to the box over PPTP VPN.
Now your box is ready to accept PPTP requests from clients, but remember to add this IP range to a firewall policy: without it you can connect to the PPTP VPN but you cannot reach any IP inside the network. The source address of that policy must cover the whole sip-to-eip range, otherwise clients that are assigned the last addresses of the pool will connect but be blocked by the policy.
To do this, go to Policy -> Policy -> New and fill in:
Source Interface: wan
Source Address: 192.168.220.[160-169]
Destination Interface: internal
Destination Address: All
Schedule: Always
Service: ANY (here you can restrict the policy to accept only certain services)
Action: ACCEPT
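As an added consistency check (example code written for this page, not Fortinet's or the original tutorial's), the script below parses the CLI blocks above as a FortiOS config fragment and confirms that ip-mode is range, that usrgrp names a group with members, and that the policy source address, in the a.b.c.[x-y] notation used in the GUI field, covers every address from sip to eip. The config text and policy address are constructed from the values in this tutorial.

```python
import re
# Constructed sample for this added example: the tutorial's CLI blocks with the
# prompts stripped, plus the policy source address as typed into the GUI field.
PPTP_CLI = """\
config user group
    edit VPN-Users
        set member vpn_client01
    next
end
config vpn pptp
    set sip 192.168.220.160
    set eip 192.168.220.170
    set ip-mode range
    set status enable
    set usrgrp VPN-Users
end
"""
POLICY_SOURCE = "192.168.220.[160-169]"

def parse_blocks(text):
    """Map each 'config ... end' block to its 'set key value' pairs ('edit NAME' -> 'edit')."""
    blocks, cur = {}, None
    for parts in (line.split() for line in text.splitlines() if line.strip()):
        if parts[0] == "config":
            cur = " ".join(parts[1:])
            blocks[cur] = {}
        elif parts[0] == "edit" and cur:
            blocks[cur]["edit"] = parts[1].strip('"')
        elif parts[0] == "set" and cur and len(parts) >= 3:
            blocks[cur][parts[1]] = " ".join(parts[2:]).strip('"')
    return blocks

def check_pptp(cli_text, policy_source):
    """Return findings that would leave a PPTP client unable to log in or unreachable."""
    blocks = parse_blocks(cli_text)
    pptp, group = blocks.get("vpn pptp", {}), blocks.get("user group", {})
    findings = []
    if pptp.get("ip-mode") != "range":
        findings.append("ip-mode must be 'range' for sip/eip to be used")
    if pptp.get("usrgrp") != group.get("edit") or not group.get("member"):
        findings.append("usrgrp does not name a group that has members")
    m = re.fullmatch(r"(\d+\.\d+\.\d+)\.\[(\d+)-(\d+)\]", policy_source)
    if not m:
        return findings + ["policy source is not in a.b.c.[x-y] form"]
    net, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
    pool_net, sip = pptp["sip"].rsplit(".", 1)
    eip = int(pptp["eip"].rsplit(".", 1)[1])
    missed = [f"{pool_net}.{o}" for o in range(int(sip), eip + 1) if pool_net != net or not lo <= o <= hi]
    if missed:
        findings.append("policy source does not cover pool IPs: " + ", ".join(missed))
    return findings
```

Run against the values in this tutorial it reports that 192.168.220.170 (the eip) lies outside the policy source 192.168.220.[160-169].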
If you want to check whether PPTP works, enable “L2TP/PPTP/PPPoE service event” in Log&Report -> Log Config -> Log Setting and watch Log&Report -> Log & Archive Access -> Event Log while you connect from a client.