IPsec VPN with FortiClient


In this example, you will allow remote users to access the corporate network using an IPsec VPN that they connect to using FortiClient for Mac OS X, Windows, or Android. Traffic to the Internet will also flow through the FortiGate, to apply security scanning.

In this example, FortiClient 5.4.0.493 for Mac OS X is used.


1. Creating a user group for remote users

Go to User & Device > User Definition. Create a local user account for an IPsec VPN user.

Go to User & Device > User Groups. Create a user group for IPsec VPN users and add the new user account.

2. Adding a firewall address for the local network

Go to Policy & Objects > Addresses and create an address for the local network.

Set Type to IP/Netmask, Subnet/IP Range to the local subnet, and Interface to an internal port.

 

3. Configuring the IPsec VPN using the IPsec VPN Wizard

Go to VPN > IPsec Wizard and create a new tunnel using a pre-existing template.

Name the VPN connection. Set Template to Remote Access, and set Remote Device Type to FortiClient VPN for OS X, Windows, and Android.

 

Set the Incoming Interface to the internet-facing interface and Authentication Method to Pre-shared Key.

Enter a pre-shared key and select the new user group, then click Next.

 

Set Local Interface to an internal interface (in the example, lan) and set Local Address to the local LAN address.

Enter a Client Address Range for VPN users.

Make sure Enable IPv4 Split Tunnel is not selected, so that all Internet traffic will go through the FortiGate.

 

Select Client Options as desired.

 

After you create the tunnel, a summary page appears listing the objects which have been added to the FortiGate’s configuration by the wizard.

 

4. Creating a security policy for access to the Internet

The IPsec wizard automatically created a security policy allowing IPsec VPN users to access the internal network. However, since split tunneling is disabled, another policy must be created to allow users to access the Internet through the FortiGate.

Go to Policy & Objects > IPv4 Policies and create a new policy. Set a policy name that will identify what this policy is used for (in the example, IPsec-VPN-Internet).

Set Incoming Interface to the tunnel interface and Outgoing Interface to wan1. Set Source to the IPsec client address range, Destination Address to all, Service to ALL, and enable NAT.

Configure any remaining firewall and security options as desired.
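For administrators who prefer the CLI, the following is an added example (not part of the original recipe) showing the FortiOS configuration equivalent of steps 2 to 4: the LAN address object, the client address range the wizard names after the tunnel, the dialup phase 1/phase 2, and the IPsec-VPN-Internet policy. Assumed values: LAN subnet 192.168.1.0/24 behind interface lan, client pool 10.10.100.1 to 10.10.100.200, user group IPsec-VPN-users, tunnel name IPsec-FCT; the wizard's own tunnel-to-LAN policy and the user/group from step 1 are omitted for brevity.

```text
# Added example, not the wizard's output. Replace the placeholders before use.
# Security-relevant point: no ipv4-split-include is set on the phase 1, so split
# tunneling stays disabled and every client packet, Internet-bound included, must
# pass a FortiGate policy (and its security profiles) before leaving via wan1.
config firewall address
    edit "LAN-subnet"
        set subnet 192.168.1.0 255.255.255.0
        set associated-interface "lan"
    next
    edit "IPsec-FCT_range"
        set type iprange
        set start-ip 10.10.100.1
        set end-ip 10.10.100.200
    next
end
config vpn ipsec phase1-interface
    edit "IPsec-FCT"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype any
        set mode-cfg enable
        set xauthtype auto
        set authusrgrp "IPsec-VPN-users"
        set ipv4-start-ip 10.10.100.1
        set ipv4-end-ip 10.10.100.200
        set ipv4-netmask 255.255.255.0
        set psksecret <PRESHARED-KEY-PLACEHOLDER>
    next
end
config vpn ipsec phase2-interface
    edit "IPsec-FCT"
        set phase1name "IPsec-FCT"
    next
end
config firewall policy
    edit 0
        set name "IPsec-VPN-Internet"
        set srcintf "IPsec-FCT"
        set dstintf "wan1"
        set srcaddr "IPsec-FCT_range"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Because the pre-shared key is a credential shared by every client, keep it distinct from the XAuth user password; the per-user credential is what lets FortiView attribute VPN traffic to a username.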

 

5. Configuring FortiClient

Open FortiClient, go to Remote Access and Add a new connection.

 

Set the Type to IPsec VPN and Remote Gateway to the FortiGate IP address.

Set Authentication Method to Pre-Shared Key and enter the key below.

 

6. Results

On FortiClient, select the VPN, enter the username and password, and select Connect.

 

Once the connection is established, the FortiGate assigns the user an IP address and FortiClient displays the status of the connection, including the IP address, connection duration, and bytes sent and received.

 

On the FortiGate unit, go to Monitor > IPsec Monitor and verify that the tunnel Status is Up.

Under Remote Gateway, the monitor shows the FortiClient user’s assigned gateway IP address.

 

Browse the Internet, then go to FortiView > Policies and select the now view. You can see traffic flowing through the IPsec-VPN-Internet policy.


 

Right-click on the policy, then select Drill Down to Details. You can see more information about the traffic.

Under Source, you can also see the IP address assigned to the FortiClient user (10.10.100.1).

 

Go to FortiView > VPN to see which users have connected to the VPN.

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Notes on the IPsec VPN Wizard settings (step 3):

  • The tunnel name may not have any spaces in it and should not exceed 13 characters.
  • The pre-shared key is a credential for the VPN and should differ from the user’s password.
  • The IP range you enter here prompts FortiOS to create a new firewall object for the VPN tunnel using the name of your tunnel followed by the _range suffix (in the example, IPsec-FCT_range).
  • If you do select Enable Split Tunneling, traffic not intended for the corporate network will not flow through the FortiGate or be subject to the corporate security profiles.
  • sujeto117

    I’m using firmware 5.6 and FortiClient 5.6 as well.
    I followed this guide, but FortiClient always stays in “Connecting” and nothing happens: no errors, no connection. I don’t know what is happening.

  • Nilanga Chandrasekara

    Is this valid for firmware 5.6 on a FortiGate 90D?

    • Victoria Martin

      Hi Nilanga,

      This recipe was written using 5.4; however, the steps are very similar so you should be able to follow them using 5.6 as well. An updated version of the recipe should also be published soon.

      • Nilanga Chandrasekara

        Hi Victoria, thank you so much for replying. May I bother you with one more question? I can only see IPsec Tunnel under the VPN feature. I do not see any other options. I have the VPN option turned on in the features menu. Please help?

  • Mike

    Is there a way to push the pre-shared key to all of the computers without having to give it to the users? I just imagine they will have issues remembering it when I send them directions to set up FortiClient.

  • Hugo

    I followed this guide but I encountered a problem when editing the VPN policy. I need to allow different access to different users in LDAP. When I set up the rule, the VPN tunnel works, but when I try to ping something I found out that the user wasn’t authenticated (even after I logged in with FortiClient). It turns out that when I tried to access an internal web server I was redirected to the Fortinet captive portal; after I authenticated for the second time, the ping and all other services worked in the VPN. I think it’s a problem with SSO. Can someone help me? It’s annoying to access a random internal address in the browser every time to authenticate in the VPN. I’m using FortiOS 5.4.4.

  • Luca Peppo

    Hello, this manual works perfectly but I have one question.

    I have 3 locations with 3 FortiGate 90Ds.

    Class 1 location: 192.168.200.X
    Class 2 location: 192.168.150.X
    Class 3 location: 192.168.100.X

    I have configured the site-to-site VPN and I see all three networks.

    If I configure the dialup VPN (FortiClient): if I do it from home first, I only see location 1 (and I cannot even ping the other 2 sites), the same as if I configure the dialup VPN in the other two locations.

    In a nutshell: I cannot see the three locations simultaneously.

    Thanks for your help

  • adnan sabir

    I want to set up the same but with a slightly different topology. I have two internet connections, one with a dynamic IP and the other with a static IP. I want to set up the dialup VPN using the static IP and also want to use the dynamic IP as well, as it has good internet speed. How could I achieve this? If I use only the static IP then it has limited bandwidth (8Mbps), so my internet connection with the dynamic IP has good speed.

  • Peter

    How do I configure a VPN on a VDOM? I’ve got no VPN menu on the VDOM (Feature Select -> VPN is on), only on root, but interfaces wan1 and lan1 are in the VDOM.

    • Keith Leroux

      Hello Peter,

      I can configure VPNs via the VPN menu on both of my VDOMs (one in proxy mode, the other in flow-based mode) on my 800D running FortiOS 5.4, as well as in root. I recommend contacting support to determine the issue with your device.

  • Mick Richards

    FortiView -> VPN does not exist on my 60D-POE. I am running Firmware Version v5.4.1, build 5447 (GA). Can you help with the missing view?

  • Francisco

    Hello, I do not need Internet traffic through the FortiGate; what I need is to use my own Internet connection, but it does not work.

    • Keith Leroux

      Hello Francisco,
      In step 3 of the IPsec VPN wizard, try to enable IPv4 Split Tunneling.
      Cheers!

  • santhosh

    Which mode is used here, route mode or policy mode?

    • Victoria Martin

      All VPNs made using the VPN wizard use route mode.

      • alessandro Biasi

        Hello Victoria,
        I need help with this VPN. When FortiClient connects to the VPN and the VPN goes up, I cannot use the internal LAN; I lose the connection to servers and printers, but the Internet works.
        What can it be?

  • Ivan Ivanov

    Nice article, thanks!

    But I don’t understand how we can log the activity of any dialup user per username. For example, “Clementine” isn’t shown in the monitoring tab or in FortiView.

    • Victoria Martin

      Hello Ivan,

      I’ve added more information to the results section that includes the FortiView VPN dashboard, which does display the names of VPN users for both IPsec and SSL VPNs.

      I hope that helps!