IPsec VPN with FortiClient

Facebooktwittergoogle_plusredditpinterestlinkedinFacebooktwittergoogle_plusredditpinterestlinkedin

This recipe uses the IPsec VPN Wizard to provide a group of remote users with secure, encrypted access to the corporate network.

The tunnel provides group members with access to the internal network, but forces them through the FortiGate unit when accessing the Internet. When the tunnel is configured, you will connect using the FortiClient application.

 

1. Creating a user group for remote users

Go to User & Device > User > User Definition.

Create a new Local User with the User Creation Wizard.

Proceed through each step of the wizard, carefully entering the appropriate information.

 

Go to User & Device > User > User Groups.

Create a user group for remote users and add the user you created.

 

2. Adding a firewall address for the local network

Go to Policy & Objects > Objects > Addresses.

Add a firewall address for the Local LAN, including the subnet and local interface.

 

3. Configuring the IPsec VPN using the IPsec VPN Wizard

Go to VPN > IPSec > Wizard.

Name the VPN connection and select Dial Up – FortiClient (Windows, Mac OS, Android) and click Next.

 

Set the Incoming Interface to the internet-facing interface.

Select Pre-shared Key for the Authentication Method.

Enter a pre-shared key and select the new user group, then click Next.

 

Set Local Interface to an internal interface (in the example, port 1) and set Local Address to the local LAN address.

Enter an IP range for VPN users in the Client Address Range field.

 

Click Next and select Client Options as desired.

 

4. Creating a security policy for access to the Internet

Go to Policy & Objects > Policy > IPv4.

Create a security policy allowing remote users to access the Internet securely through the FortiGate unit.

Set Incoming Interface to the tunnel interface and set Source Address to all.

Set Outgoing Interface to wan1 and Destination Address to all.

Set Service to ALL and ensure that you enable NAT.

 

5. Configuring FortiClient

Open FortiClient, go to Remote Access and Add a new connection.

 

Provide a Connection Name and set the Type to IPsec VPN.

Set Remote Gateway to the FortiGate IP address.

Set Authentication Method to Pre-Shared Key and enter the key below.

 

Select the new connection, enter the username and password, and click Connect.

 

6. Results

Once the connection is established, the FortiGate assigns the user an IP address and FortiClient displays the status of the connection, including the IP address, connection duration, and
bytes sent and received.

 

On the FortiGate unit, go to VPN > Monitor > IPsec Monitor and verify that the tunnel Status is Up.

 

Go to Log & Report > Traffic Log > Forward Traffic to view the traffic.

Verify that the Sent/Received column displays traffic successfully flowing through the tunnel.

 

For further reading, check out IPsec VPN in the web-based manager in the FortiOS 5.2 Handbook.

Keith Leroux

Keith Leroux

Technical Writer at Fortinet
Keith Leroux is a writer on the FortiOS 'techdocs' team in Ottawa, Ontario. He obtained a Bachelor's degree from Queen's University in English Language and Literature, and a graduate certificate in Technical Writing from Algonquin College. He spent a year teaching ESL in South Korea. Annyeong!
Keith Leroux

Latest posts by Keith Leroux (see all)

  • Was this helpful?
  • Yes   No
The tunnel name may not have any spaces in it.
The pre-shared key is a credential for the VPN and should differ from the user’s password.

The IP range you enter here prompts FortiOS to create a new firewall object for the VPN tunnel using the name of your tunnel followed by the _range suffix (in this case, ipsecvpn_range).

In addition, FortiOS automatically creates a security policy to allow remote users to access the internal network.