
4/16/2017 IPsec VPN with FortiClient - Fortinet Cookbook



IPsec VPN with FortiClient
Posted on January 4, 2016 by Victoria Martin


In this example, you will allow remote users to access the corporate network using an IPsec VPN that
they connect to using FortiClient for Mac OS X, Windows, or Android. Traffic to the Internet will also
flow through the FortiGate, to apply security scanning.

In this example, FortiClient 5.4.0.493 for Mac OS X is used.

http://cookbook.fortinet.com/ipsec-vpn-with-forticlient-54/


1. Creating a user group for remote users

Go to User & Device > User Definition. Create a local user account
for an IPsec VPN user.

Go to User & Device > User Groups. Create a user group for IPsec
VPN users and add the new user account.

2. Adding a firewall address for the local network

Go to Policy & Objects > Addresses and create an address for the
local network.

Set Type to IP/Netmask, Subnet/IP Range to the local subnet, and
Interface to an internal port.

3. Configuring the IPsec VPN using the IPsec VPN Wizard

Go to VPN > IPsec Wizard and create a new tunnel using a pre-
existing template.


Name the VPN connection*. Set Template to Remote Access, and set
Remote Device Type to FortiClient VPN for OS X, Windows, and
Android.

Set the Incoming Interface to the internet-facing interface
and Authentication Method to Pre-shared Key.

Enter a pre-shared key* and select the new user group, then click
Next.

Set Local Interface to an internal interface (in the example, lan) and
set Local Address to the local LAN address.

Enter a Client Address Range for VPN users.*

Make sure Enable IPv4 Split Tunnel is not selected, so that all
Internet traffic will go through the FortiGate.*

Select Client Options as desired.

After you create the tunnel, a summary page appears listing the
objects which have been added to the FortiGate’s configuration by
the wizard.

4. Creating a security policy for access to the Internet

The IPsec wizard automatically created a security policy allowing IPsec VPN users to access the
internal network. However, since split tunneling is disabled, another policy must be created to
allow users to access the Internet through the FortiGate.

Go to Policy & Objects > IPv4 Policies and create a new policy. Set a
policy name that will identify what this policy is used for (in the
example, IPsec-VPN-Internet).

Set Incoming Interface to the tunnel interface and Outgoing
Interface to wan1. Set Source to the IPsec client address
range, Destination Address to all, Service to ALL, and enable NAT.


Configure any remaining firewall and security options as desired.
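The wizard in step 3 and the policy in step 4 together produce a handful of settings that decide whether remote users are individually authenticated and whether their Internet traffic is actually inspected by the FortiGate. The following Python script is an added example, not part of this recipe and not Fortinet code: it parses a constructed FortiOS-style configuration that mirrors what the Remote Access template generates, then audits it for those properties (a dialup phase1 with mode-cfg and an authenticating user group, no split-tunnel include, and an Internet policy with NAT whose source is limited to the client address range). A second, deliberately weakened copy of the same config shows what the audit reports when split tunneling is enabled and the Internet policy is left open. The object names (IPsec-VPN, IPsec-VPN_range, IPsec-VPN_local, IPsec-VPN-users), the 10.10.100.0/24 client range, the PSK placeholder and the CLI keywords used in the sample are assumptions based on the FortiOS 5.4 CLI and may differ on your unit or release.

```python
# Added example (not Fortinet code): parse a FortiOS-style config and audit the
# dialup IPsec settings this recipe depends on. CLI keywords are assumed from 5.4.
import shlex
from typing import List

# Constructed sample mirroring the wizard output of steps 3 and 4; the object
# names, the 10.10.100.0/24 client range and the PSK placeholder are assumptions.
FULL_TUNNEL_CONFIG = """
config user group
    edit "IPsec-VPN-users"
        set member "vpnuser"
    next
end
config vpn ipsec phase1-interface
    edit "IPsec-VPN"
        set type dynamic
        set interface "wan1"
        set mode-cfg enable
        set xauthtype auto
        set authusrgrp "IPsec-VPN-users"
        set ipv4-start-ip 10.10.100.1
        set ipv4-end-ip 10.10.100.100
        set psksecret "CHANGE-ME-pre-shared-key"
    next
end
config firewall policy
    edit 2
        set name "IPsec-VPN-Internet"
        set srcintf "IPsec-VPN"
        set dstintf "wan1"
        set srcaddr "IPsec-VPN_range"
        set dstaddr "all"
        set action accept
        set service "ALL"
        set nat enable
    next
end
"""

# Constructed counter-example: split tunnel enabled, Internet policy without NAT
# and with an unrestricted source address.
SPLIT_TUNNEL_CONFIG = (
    FULL_TUNNEL_CONFIG
    .replace("set psksecret", 'set ipv4-split-include "IPsec-VPN_local"\n        set psksecret')
    .replace("        set nat enable\n", "")
    .replace('set srcaddr "IPsec-VPN_range"', 'set srcaddr "all"')
)


def parse_fortios_config(text: str) -> dict:
    """Parse FortiOS CLI text (config/edit/set/next/end) into table -> entry -> {setting: tokens}."""
    root: dict = {}
    stack: List[dict] = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":            # open a table, e.g. "config firewall policy"
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif keyword == "edit":            # open an entry inside the current table
            stack.append(stack[-1].setdefault(args[0], {}))
        elif keyword == "set":             # record a setting on the current entry
            stack[-1][args[0]] = args[1:]
        elif keyword in ("next", "end"):   # close the current entry or table
            stack.pop()
    return root


def audit_dialup_vpn(cfg: dict, tunnel: str, wan_if: str) -> List[str]:
    """Return findings for the named dialup tunnel; an empty list means it matches the recipe."""
    findings: List[str] = []
    p1 = cfg.get("vpn ipsec phase1-interface", {}).get(tunnel)
    if p1 is None:
        return [f"phase1-interface '{tunnel}' not found"]
    if p1.get("mode-cfg") != ["enable"]:
        findings.append("mode-cfg disabled: clients receive no address from the pool")
    group = p1.get("authusrgrp", [None])[0]
    if group not in cfg.get("user group", {}):
        findings.append(f"authusrgrp {group!r} not defined: the pre-shared key alone admits every client")
    if "ipv4-split-include" in p1:
        findings.append("ipv4-split-include set: Internet traffic bypasses FortiGate scanning")
    internet = [p for p in cfg.get("firewall policy", {}).values()
                if p.get("srcintf") == [tunnel] and p.get("dstintf") == [wan_if]
                and p.get("action") == ["accept"]]
    if not internet:
        findings.append(f"no accept policy {tunnel} -> {wan_if}: full-tunnel clients get no Internet")
    for pol in internet:
        name = pol.get("name", ["?"])[0]
        if pol.get("nat") != ["enable"]:
            findings.append(f"policy '{name}': NAT disabled, private client addresses would be sent to the WAN")
        if pol.get("srcaddr") == ["all"]:
            findings.append(f"policy '{name}': source is 'all', restrict it to the client address range")
    return findings


if __name__ == "__main__":
    for label, text in (("full tunnel", FULL_TUNNEL_CONFIG), ("split tunnel", SPLIT_TUNNEL_CONFIG)):
        print(label, "->", audit_dialup_vpn(parse_fortios_config(text), "IPsec-VPN", "wan1") or "no findings")
```

Run against a real unit, feed it the output of `show vpn ipsec phase1-interface`, `show firewall policy` and `show user group` concatenated into one file; the parser only understands the config/edit/set/next/end keywords, so nested sub-tables are simply treated as further nesting and ignored by the audit.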

5. Configuring FortiClient

Open FortiClient, go to Remote Access and Add a new connection.

Set the Type to IPsec VPN and Remote Gateway to the FortiGate IP
address.

Set Authentication Method to Pre-Shared Key and enter the key
below.

6. Results

On FortiClient, select the VPN, enter the username and password,
and select Connect.

 

Once the connection is established, the FortiGate assigns the user an
IP address and FortiClient displays the status of the connection,
including the IP address, connection duration, and
bytes sent and received.

On the FortiGate unit, go to Monitor > IPsec Monitor and verify that
the tunnel Status is Up.  

Under Remote Gateway, the monitor shows the FortiClient user’s
assigned gateway IP address.

Browse the Internet, then go to FortiView > Policies and select the
now view. You can see traffic flowing through the IPsec-VPN-
Internet policy.

Right-click on the policy, then select Drill Down to Details. You can
see more information about the traffic.

Under Source, you can also see the IP address assigned to the  
FortiClient user (10.10.100.1).

Go to FortiView > VPN to see which users have connected to the
VPN.


Victoria Martin
Technical Writer & Head Cookbook Chef at Fortinet

Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She
graduated with a Bachelor's degree from Mount Allison University, after which she
attended Humber College's book publishing program, followed by the more practical
technical writing program at Algonquin College. She does need glasses but also likes
wearing them, since glasses make you look smarter.


14 Comments on "IPsec VPN with FortiClient"

Hugo

I followed this guide but I encountered a problem when editing the VPN policy. I need
to allow different access to different users in LDAP. When I set up the rule the VPN
tunnel works, but when I try to PING something I found out that the user wasn't
authenticated (even after I logged in with FortiClient). Turns out that when I tried to
access an internal web server I was redirected to the Fortinet captive portal; after I
authenticated for the second time the ping and all other services worked in the
VPN. I think it's a problem with SSO,…

April 5, 2017 3:06 pm

Luca Peppo

Hello, This manual works perfectly but I have one question.

I have 3 locations with 3 fortigate 90D.

Class 1 location: 192.168.200.X
Class 2 location: 192.168.150.X
Class 3 location: 192.168.100.X

I have configured the VPN site to site and I see all three networks.


If I configure the VPN dialup - FortiClient: if I do it from home first, I only see
location 1 (and I cannot even ping the other 2 seats), the same as if I
configure the VPN dialup in the other two locations.

In a nutshell: I cannot see the three locations simultaneously.

Thanks for your help

March 24, 2017 9:18 am

adnan sabir

I want to set up the same but with a little different topology. I have two internet
connections, one with a dynamic IP and the other with a static IP. I want to set up the dialup
VPN using the static IP and also want to use the dynamic IP as well, as it has good internet
speed. How could I achieve this? If I use only the static IP then it has limited bandwidth
(8Mbps), so my internet connection with the dynamic IP has good speed.

March 6, 2017 6:41 am

Peter

How to configure VPN on a VDOM? I’ve got no VPN menu on the VDOM (feature select ->
VPN is on), only on root, but interfaces wan1 and lan1 are in the VDOM.

January 25, 2017 4:33 am

Keith Leroux

Hello Peter,

I can configure VPNs via the VPN menu on both of my VDOMs (one in proxy
mode, the other in flow-based mode) on my 800D running FortiOS 5.4, as
well as in root. I recommend contacting support to determine the issue
with your device.

January 25, 2017 12:44 pm


Mick Richards

FortiView -> VPN does not exist with my 60D-POE. I am running Firmware
Version v5.4.1, build5447 (GA). Can you help with the missing view?

August 11, 2016 9:34 pm

Keith Leroux

Hello Mick,

The FGT-60D only has basic feature support for FortiView, which does not
include VPN. Refer to the following doc for feature support info:
http://docs.fortinet.com/uploaded/files/3108/fortiview-541.pdf

Cheers!

August 15, 2016 10:39 am

Francisco

Hello, I do not need Internet traffic through the FortiGate, what I need is with my
own Internet connection, but it does not work.

May 7, 2016 3:32 pm

Keith Leroux

Hello Francisco,
In step 3 of the IPsec VPN wizard, try to enable IPv4 Split Tunneling.
Cheers!

May 9, 2016 10:35 am

santhosh

Which mode is used here, Route mode or Policy mode?

January 25, 2016 7:12 am

Victoria Martin

All VPNs made using the VPN wizard use route mode.

January 25, 2016 9:52 am

alessandro Biasi

Hello Victoria,
I need help with this VPN. When FortiClient connects to the VPN and the
VPN goes up, I cannot use the internal LAN; I lose connection
with servers and printers, but internet works.
What can it be?

March 20, 2017 5:48 am

Ivan Ivanov

Nice article, thanks!

But I don’t understand how we can log the activity of any dialup user per
username. For example “Clementine” isn’t shown in the monitoring tab or in
FortiView.

January 21, 2016 9:31 am

Victoria Martin

Hello Ivan,

I’ve added more information to the results section that includes the
FortiView VPN dashboard, which does display the names of VPN users for
both IPsec and SSL VPNs.

I hope that helps!

January 21, 2016 11:54 am


© 2017 Fortinet
