IPsec VPN with FortiClient


This recipe uses the IPsec VPN Wizard to provide a group of remote users with secure, encrypted access to the corporate network.

The tunnel provides group members with access to the internal network, but forces them through the FortiGate unit when accessing the Internet. When the tunnel is configured, you will connect using the FortiClient application.

 

1. Creating a user group for remote users

Go to User & Device > User > User Definition.

Create a new Local User with the User Creation Wizard.

Proceed through each step of the wizard, carefully entering the appropriate information.

 

Go to User & Device > User > User Groups.

Create a user group for remote users and add the user you created.

 

2. Adding a firewall address for the local network

Go to Policy & Objects > Objects > Addresses.

Add a firewall address for the Local LAN, including the subnet and local interface.

 

3. Configuring the IPsec VPN using the IPsec VPN Wizard

Go to VPN > IPSec > Wizard.

Name the VPN connection and select Dial Up – FortiClient (Windows, Mac OS, Android) and click Next.

 

Set the Incoming Interface to the internet-facing interface.

Select Pre-shared Key for the Authentication Method.

Enter a pre-shared key and select the new user group, then click Next.

 

Set Local Interface to an internal interface (in the example, port 1) and set Local Address to the local LAN address.

Enter an IP range for VPN users in the Client Address Range field.

 

Click Next and select Client Options as desired.
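Before committing the wizard values, it helps to sanity-check them. The following Python script is an added example, not part of the original recipe or of FortiOS: it rejects a tunnel name containing spaces, warns when the pre-shared key equals the user's password or is short, derives the name of the address object FortiOS creates for the client range (the tunnel name plus `_range`), and checks that the Client Address Range does not overlap the local LAN address from step 2. The local LAN, the 16-character minimum key length and the sample values are constructed assumptions.

```python
import ipaddress

# Constructed values for the example; substitute the ones you enter in the wizard.
LOCAL_LAN = ipaddress.ip_network("192.168.1.0/24")   # the "Local LAN" firewall address from step 2
MIN_PSK_LENGTH = 16                                  # assumed minimum; not a FortiOS requirement


def range_object_name(tunnel_name):
    """Return the name of the address object FortiOS creates for the client
    range (<tunnel name> + '_range'); reject names containing spaces."""
    if " " in tunnel_name:
        raise ValueError("tunnel name may not contain spaces")
    return tunnel_name + "_range"


def parse_client_range(text):
    """Parse a Client Address Range given either as 'first-last'
    (e.g. 192.168.10.1-192.168.10.100) or as a CIDR block; return the
    first and last usable address as IPv4Address objects."""
    text = text.replace("\u2013", "-").replace(" ", "")
    if "/" in text:
        net = ipaddress.ip_network(text, strict=False)
        hosts = list(net.hosts()) or [net.network_address]
        return hosts[0], hosts[-1]
    first, last = (ipaddress.ip_address(p) for p in text.split("-", 1))
    if first > last:
        raise ValueError("range start is after range end")
    return first, last


def check_wizard_inputs(tunnel_name, psk, user_password, client_range, local_lan=LOCAL_LAN):
    """Return a list of problems found in the wizard inputs (empty when they look sound)."""
    problems = []
    try:
        range_object_name(tunnel_name)
    except ValueError as err:
        problems.append(str(err))
    if psk == user_password:
        problems.append("pre-shared key must differ from the user's password")
    if len(psk) < MIN_PSK_LENGTH:
        problems.append("pre-shared key is shorter than %d characters" % MIN_PSK_LENGTH)
    first, last = parse_client_range(client_range)
    # A client range that overlaps the LAN subnet causes address and routing conflicts.
    for net in ipaddress.summarize_address_range(first, last):
        if net.overlaps(local_lan):
            problems.append("client range %s-%s overlaps the local LAN %s" % (first, last, local_lan))
            break
    return problems


if __name__ == "__main__":
    for problem in check_wizard_inputs("ipsecvpn", "correct-horse-battery-staple",
                                       "Passw0rd!", "192.168.10.1-192.168.10.100"):
        print(problem)
    print("address object:", range_object_name("ipsecvpn"))
```

Run it with the tunnel name, pre-shared key, user password and client range you intend to enter; an empty result means none of the checks fired.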

 

4. Creating a security policy for access to the Internet

Go to Policy & Objects > Policy > IPv4.

Create a security policy allowing remote users to access the Internet securely through the FortiGate unit.

Set Incoming Interface to the tunnel interface and set Source Address to all.

Set Outgoing Interface to wan1 and Destination Address to all.

Set Service to ALL and ensure that you enable NAT.

 

5. Configuring FortiClient

Open FortiClient, go to Remote Access and Add a new connection.

 

Provide a Connection Name and set the Type to IPsec VPN.

Set Remote Gateway to the FortiGate IP address.

Set Authentication Method to Pre-Shared Key and enter the key below.

 

Select the new connection, enter the username and password, and click Connect.

 

6. Results

Once the connection is established, the FortiGate assigns the user an IP address and FortiClient displays the status of the connection, including the IP address, connection duration, and bytes sent and received.

 

On the FortiGate unit, go to VPN > Monitor > IPsec Monitor and verify that the tunnel Status is Up.

 

Go to Log & Report > Traffic Log > Forward Traffic to view the traffic.

Verify that the Sent/Received column displays traffic successfully flowing through the tunnel.
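The same verification can be done from exported log lines instead of the GUI. The following Python snippet is an added example, not part of the original recipe: it parses forward traffic log lines in the FortiOS key=value format, keeps only flows whose source interface is the tunnel, totals bytes sent and received per outgoing interface, and counts denied flows. The log lines are constructed for the example; the field names (srcintf, dstintf, action, sentbyte, rcvdbyte, policyid) are the ones FortiOS traffic logs use, and the tunnel name "ipsecvpn" matches the recipe.

```python
import re
from collections import defaultdict

TUNNEL = "ipsecvpn"   # tunnel interface name from step 3

# Constructed sample lines in the FortiOS key=value traffic-log style; not from a real device.
SAMPLE_LOG = """\
date=2015-05-05 time=10:01:02 type=traffic subtype=forward level=notice vd=root srcip=192.168.10.1 srcport=51000 srcintf="ipsecvpn" dstip=198.51.100.7 dstport=443 dstintf="wan1" policyid=3 action=accept service="HTTPS" sentbyte=2048 rcvdbyte=10240
date=2015-05-05 time=10:01:05 type=traffic subtype=forward level=notice vd=root srcip=192.168.10.1 srcport=51001 srcintf="ipsecvpn" dstip=192.168.1.20 dstport=22 dstintf="port1" policyid=4 action=accept service="SSH" sentbyte=512 rcvdbyte=768
date=2015-05-05 time=10:01:09 type=traffic subtype=forward level=notice vd=root srcip=192.168.1.30 srcport=40000 srcintf="port1" dstip=198.51.100.7 dstport=80 dstintf="wan1" policyid=1 action=accept service="HTTP" sentbyte=300 rcvdbyte=900
date=2015-05-05 time=10:01:12 type=traffic subtype=forward level=notice vd=root srcip=192.168.10.2 srcport=51002 srcintf="ipsecvpn" dstip=203.0.113.9 dstport=25 dstintf="wan1" policyid=0 action=deny service="SMTP" sentbyte=0 rcvdbyte=0
"""

# key=value tokens; values are either double-quoted or a run of non-space characters
TOKEN = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict (quotes stripped from values)."""
    record = {}
    for match in TOKEN.finditer(line):
        quoted, bare = match.group(3), match.group(2)
        record[match.group(1)] = quoted if quoted is not None else bare
    return record


def tunnel_summary(log_text, tunnel=TUNNEL):
    """Return (summary, denied): summary maps each outgoing interface to the
    number of accepted flows and the bytes sent/received for traffic that
    entered through the tunnel; denied counts tunnel flows that were blocked."""
    summary = defaultdict(lambda: {"flows": 0, "sentbyte": 0, "rcvdbyte": 0})
    denied = 0
    for line in log_text.splitlines():
        record = parse_line(line)
        if record.get("subtype") != "forward" or record.get("srcintf") != tunnel:
            continue   # not a forwarded flow that came in over the VPN
        if record.get("action") != "accept":
            denied += 1
            continue
        bucket = summary[record.get("dstintf", "?")]
        bucket["flows"] += 1
        bucket["sentbyte"] += int(record.get("sentbyte", 0))
        bucket["rcvdbyte"] += int(record.get("rcvdbyte", 0))
    return dict(summary), denied


if __name__ == "__main__":
    totals, blocked = tunnel_summary(SAMPLE_LOG)
    for intf, counts in sorted(totals.items()):
        print("%s: %d flows, sent %d bytes, received %d bytes"
              % (intf, counts["flows"], counts["sentbyte"], counts["rcvdbyte"]))
    print("denied tunnel flows:", blocked)
```

Traffic leaving via wan1 shows that the Internet policy from step 4 is being used; traffic to the internal interface shows the policy FortiOS created for access to the local network. A non-zero denied count with policyid=0 means a tunnel flow matched no policy at all.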

 

For further reading, check out IPsec VPN in the web-based manager in the FortiOS 5.2 Handbook.

Keith Leroux

Technical Writer at Fortinet
Notes on the wizard settings in step 3:

The tunnel name may not contain any spaces.

The pre-shared key is a credential for the VPN and should differ from the user's password.

The IP range you enter in the Client Address Range field prompts FortiOS to create a new firewall object for the VPN tunnel, named after your tunnel with the _range suffix (in this case, ipsecvpn_range).

In addition, FortiOS automatically creates a security policy to allow remote users to access the internal network.

  • Keith Leroux

    Hi Santosh,

    Please contact support@fortinet.com to resolve your issue, and please also refer to the following Comment Policy page as to why your question has not been answered here: http://cookbook.fortinet.com/comment-policy/

  • Brenda Stovall

    Can you add the steps without the Wizard please? So we can see what it actually looks like to create this?

  • Josh Bibler

    In step 3 you listed the subnet mask as 255.255.255.255. I'm curious about that… I created a new tunnel and applied my subnet mask (255.255.254.0), but when clients connect and get an IP address it shows their gateway (on the client side) as the next available IP address in the VPN range. For example, the range is 192.168.10.1 – 192.168.10.100; they are assigned 192.168.10.1 but the gateway is listed as 192.168.10.2, which just seems crazy to me. Any insight?

  • Luis Enrique Gastelum

    Hello,
    I need to make two IPsec tunnels, but when I try to connect to the second tunnel I can't make it work.
    Only the first tunnel works.

  • Payal Singh

    Hello!
    I installed and connected to it yesterday, worked all day on it, and in the evening disconnected it. The next day I wasn't able to connect to it again. The same happened with my fellow colleague. Please help.

    • Keith Leroux

      Hello Payal, for these types of inquiries, please contact Fortinet Support.

  • Azla

    Hello!
    I'm trying to find the maximum number of concurrent IPsec VPN users for the 100D. I found it for SSL but not for IPsec RU. Any help will be appreciated.

  • belal

    I have an issue where the VPN remote access connection goes down after 4 minutes. Please help me to solve this issue.

  • ラテ

    Is a NAT traversal setting needed on the client side? I could not find that setting. I use it for Mac.

  • Luca Peppo

    Hello, This manual works perfectly but I have one question.

    I have 3 locations with 3 fortigate 90D.

    Class 1 location: 192.168.200.X
    Class 2 location: 192.168.150.X
    Class 3 location: 192.168.100.X

    I have configured the VPN site to site and I see all three networks.

    If I configure the VPN dialup - FortiClient: if I do it from home first, I only see location 1 (and I cannot even ping the other 2 sites); the same happens if I configure the VPN dialup in the other two locations.

    In a nutshell: I cannot see the three locations simultaneously.

    Thanks for your help

    • xGreg

      Hi Luca.

      I have the same problem. Did you find any solution?

      • Kerrie Newton

        Hello Luca and Greg,

        To reach multiple networks via IPsec dial-up VPN you will need to do the following:

        > set the quick mode selectors to 0.0.0.0/0
        > specify routes for all the required networks
        > ensure the policy has all the desired networks specified

        Kerrie

        • Luca Peppo

          Dear Kerrie Newton, thank you for your answer but I don’t understand.

          I have to change my VPN connection between 3 sites ?

          Or I have to modify the Dialup – FortiClient (Windows, Mac OS, Android)?

  • Arun

    I want to send LAN message to my office colleague when i am using VPN.

  • Daniel Suarez

    Thanks for the info. I have a couple of questions:

    Step #2: When “Adding a firewall address for the local network”, you mean setting up the actual segment of my LAN, right? For instance 192.168.1.0/255.255.255.0

    Step #3: When “Entering an IP range for VPN users in the Client Address Range field”. Should I have any particular consideration in mind when setting this up? For instance…could it be 192.168.10.0/255.255.255.0 (if that’s the case…I think the wizard will create a route from 192.168.1.x to 192.168.10.x. Right?
    Step #4: In case I just want remote users to access my LAN (and not the Internet) I would simply not set up the WAN access rule. Right?
    Thanks in advance for your help.

    • Keith Leroux

      Hello Daniel,

      If I understand correctly, you are right on all three steps.

      Cheers!

      • Daniel Suarez

        Thanks for your reply. I will give it a try. Thanks!

  • Rajeev

    I want to purchase a FortiGate 60D. Please tell me how many VPN clients I should be able to add without purchasing a licence.

    • Keith Leroux

      Hello Rajeev,

      You should be able to configure up to 500 Client-to-Gateway IPsec VPN tunnels with 1Gbps throughput, even without a license.

  • nice

    I've followed this document with a FortiGate 60D and the VPN works fine.

    When on the VPN, I can SSH into the box and it works as expected. I can also access other computers on the same network and everything is fine.

    But when I try to access the Fortinet web UI via the VPN it becomes very slow and not usable (it sometimes shows the login page and even allows me to log in sometimes, but mostly it just keeps loading until timeout). Any advice would be appreciated. Thanks.

  • Sunil Panchal

    I have a FortiGate 140D with OS 5.4. I created an L2TP/IPsec connection with FortiClient. It works well with some ISPs, mostly mobile ISPs (4G), but with some it is not working (cable ISP). Only when I disable DPD in FortiClient does it work, so can you tell me why this happens? Is the problem from the device or the ISP?

    We have one branch with a 100D. I want to create a site-to-site VPN between the 100D and the 140D. I used the wizard to create the VPN, but from one side (140D) it shows up and successful, while from the other side (100D) it shows phase 1 failure or negotiation.

    Please help me out with these problems.

  • Jim Bo

    I have set this up with automatic redial so users VPNs are always up. This doesn’t work in situations where the user is trying to connect via public wifi because they can’t access the webpage without the VPN. How can I keep the VPN but let users access the wifi webpage without VPN?

    • Keith Leroux

      Hi Jim Bo,

      I don’t think this will work if the FortiGate gateway IP isn’t publicly accessible. I recommend contacting support.fortinet.com to discuss a potential solution or workaround.

  • Ty Lor

    Hello, I would like to create multiple inbound policies: one for Employee1, one for Employee2 and one for Contractor. How can I achieve that? I tried, but only the first remote policy created works; the subsequent ones created will not work unless the first one is disabled, even though the inbound policy is created with different IP ranges. Is there a way to create multiple VPN client groups that work separately?

    • Keith Leroux

      Hello Ty,
      Are you limited to IPsec VPN? You could try SSL VPN Realms to create different levels of access for different users/user groups.

      • Preston Strait III

        Different policies with different users work well with SSL VPN, but is there a way to make it work with IPsec? I am also running into an issue with this setup conflicting with another IPsec dial-up connection I already had configured.

  • Santosh Sharma

    Hi, this is a superb document,

    and thanks for giving the PDF also.

    Please tell me: is this route-based IPsec or policy-based IPsec?
    And also mention split tunnel, because when selecting the IP subnet for split tunnel some error comes.

    Is there any cookbook document on IPsec site-to-site?

    • Victoria Martin

      Hi Santosh, This IPsec is also route-based. If the IPsec is policy-based, it will be noted in the recipe, since that feature must be enabled in the GUI before the tunnel can be made.