FortiGate Cookbook - IPsec VPN with FortiClient (5.4)

In this video you will learn how to create an IPsec tunnel that remote users connect to using FortiClient. This allows remote users to access the corporate network over an IPsec VPN from FortiClient for Mac OS X, Windows or Android. Traffic to the internet will also flow through the FortiGate so that security scanning can be applied. FortiClient 5.4 for Mac OS X is used in this recording.

Go to User & Device > User Definition and create a local user account for an IPsec VPN user: enter a username, password and email address, and enable the user account. Then go to User & Device > User Groups, create an IPsec VPN user group, and add the new user to the group.

Next go to VPN > IPsec Wizard and create a new tunnel using a pre-existing template. Name the VPN connection; remember that the name can't contain any spaces and should not exceed 13 characters in length. Set Template to Remote Access and Remote Device Type to FortiClient VPN for OS X, Windows, and Android. Set Incoming Interface to the internet-facing interface and Authentication Method to Pre-shared Key. Enter the pre-shared key, select the IPsec users group, and click Next.

Set Local Interface to an internal interface and Local Address to the local LAN address. Create an address for the local network: name it, set Type to IP/Netmask, Subnet/IP Range to the local subnet, and Interface to an internal port on the local area network. Enter a client address range for VPN users; the FortiGate automatically creates an address object for this range, named after the VPN name followed by "_range". Enter a subnet mask. Make sure that Enable IPv4 Split Tunnel is not selected; this means that all internet traffic will go through the FortiGate and be subject to security profiles.

Select your preferred client options. Auto Connect initiates the phase 2 SA negotiation automatically, repeating every five seconds until the SA is established; it is useful when one of the VPN peers is a dial-up peer, since it allows users at the other peer to initiate traffic as well. Keepalive ensures that a new SA is negotiated even if there is no traffic, so that your VPN tunnel stays up. After you create the tunnel, a summary page lists the objects created by the VPN wizard.

The IPsec wizard automatically created a security policy allowing IPsec VPN users to access the internal network. However, since split tunneling is disabled, you need to create another policy to allow users to access the internet through the FortiGate. Go to Policy & Objects > IPv4 Policy and create a new internet access policy. Name the policy and set Incoming Interface to the tunnel interface, Outgoing Interface to wan1, Source to all, Destination Address to all, and Service to ALL, and enable NAT. Don't forget to configure the security profile options according to your preferences.

From a computer outside of the internal network, open FortiClient (if you haven't downloaded FortiClient yet, go to the link below). Go to Remote Access and add a new connection. Set the type to IPsec VPN and Remote Gateway to the FortiGate IP address. Set Authentication Method to Pre-shared Key, enter the key, and click Add. In FortiClient, select the VPN, enter the username and password, and select Connect. Once the connection is established, the FortiGate assigns the user an IP address and FortiClient displays the status of the connection, including the IP address, connection duration, and bytes sent and received.

Open a browser and generate some web traffic to test that internet access is working. Also open your CLI console and ping the IP address of a computer behind the corporate FortiGate.

On the FortiGate, go to Monitor > IPsec Monitor and verify that the tunnel status is Up; you can also see the remote gateway address assigned to the FortiClient user. Then go to FortiView > Policies and select the Now view. You can see that the pings are reaching the internal network and that web traffic is flowing through the IPsec VPN internet policy. Right-click on the policy and select Drill Down to Details; more information about the traffic is available, and you can see the user's assigned IP address. Go to FortiView > VPN to see which users have connected to the VPN.

Thanks for watching, and don't forget to subscribe. You can also see a text version of this video on the Fortinet Cookbook website.
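The same setup expressed in FortiOS CLI, as an added example rather than configuration from the video: the user, group and tunnel names, the wan1 interface and the 10.10.10.0/24 client pool are assumptions, and the password and pre-shared key are placeholders. The wizard's LAN-access policy is omitted; the block ends with the tunnel-to-internet policy the wizard does not create.

```fortios
# Added example, not the video's own config: CLI equivalent of what the
# wizard builds. Names, wan1 and the 10.10.10.0/24 pool are assumptions.
# No ipv4-split-include = no split tunnel, so the tunnel->wan1 policy is needed.
config user local
    edit "vpnuser"
        set type password
        set passwd "CHANGE_ME_USER_PASSWORD"
    next
end
config user group
    edit "IPsec_users"
        set member "vpnuser"
    next
end
config vpn ipsec phase1-interface
    edit "IPsec_VPN"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype any
        set mode-cfg enable
        set proposal aes256-sha256 aes128-sha256
        set xauthtype auto
        set authusrgrp "IPsec_users"
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.200
        set ipv4-netmask 255.255.255.0
        set client-auto-negotiate enable
        set client-keep-alive enable
        set psksecret "CHANGE_ME_PRESHARED_KEY"
    next
end
config vpn ipsec phase2-interface
    edit "IPsec_VPN"
        set phase1name "IPsec_VPN"
    next
end
config firewall policy
    edit 0
        set name "IPsec_VPN_internet"
        set srcintf "IPsec_VPN"
        set dstintf "wan1"
        set srcaddr "IPsec_VPN_range"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

The internet policy uses the wizard-generated IPsec_VPN_range object as its source instead of all, so only addresses from the VPN pool match it; attach the security profiles you want applied to client web traffic to this policy.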

8 thoughts on “FortiGate Cookbook – IPsec VPN with FortiClient (5.4)”

  1. Hi, this is all good but what I'm trying to find in this FortiOS version is where on the Fortigate to configure a profile for the IPSec VPN to auto-configure when the user's Forticlient registers with the Fortigate router. We had the setup previously and now I can't find where to configure the IPSec VPN configuration to push to end users. This video shows you going into the Forticlient on the end user's computer and manually configuring it. We don't want to do this, it should configure the VPN when the Forticlient registers with the Fortigate. The two profiles I previously configured are still there but the "Remote Access/VPN" configuration part is gone from the profiles. There is Anti-Virus, Web Filter, Application Firewall and Compliance but no area for configuring an IPSec VPN profile.

  2. Great video! Super helpful. Although I require a FQDN or IP address when connecting to an internal resource while connected to VPN.

  3. Why, in my case, don't I receive any IP from the ipsec_users IP range? But I can connect to the VPN; also, when connected to the VPN I don't have internet access.

  4. This video is spot on but making a video on setting up LDAP and creating LDAP users would have been useful. That is where I got stuck.

  5. 3:07

    Out of curiosity, if it knows split tunnelling is disabled, why would it not create the VPN->WAN1 policy automatically like it does for the LAN policy?
