VPNs

IPsec VPN with FortiClient

[Diagram: a remote FortiClient user connects over the Internet through an IPsec VPN to the FortiGate and the internal network behind it.]

In this example, you will allow remote users to access the corporate network using an IPsec VPN that they connect to using FortiClient for Mac OS X, Windows, or Android. Traffic to the Internet will also flow through the FortiGate, so that corporate security scanning is applied to it. In this example, FortiClient 5.4.0.493 for Mac OS X is used.

1. Creating a user group for remote users

Go to User & Device > User Definition and create a local user account for an IPsec VPN user (in the example, clementine, with the e-mail address clementine@example.com). Make sure Enable User Account is selected; two-factor authentication is left off in this example.

Go to User & Device > User Groups and create a user group for IPsec VPN users (in the example, IPsec-users), then add the new user account to it.

2. Adding a firewall address for the local network

Go to Policy & Objects > Addresses and create an address for the local network. Set Type to IP/Netmask, Subnet/IP Range to the local subnet, and Interface to an internal port (in the example, Local-network, 192.168.100.0/255.255.255.0 on the lan interface).

3. Configuring the IPsec VPN using the IPsec VPN Wizard

Go to VPN > IPsec Wizard and create a new tunnel using a pre-existing template. Name the VPN connection (in the example, IPsec-FCT). The tunnel name may not have any spaces in it and must not exceed 13 characters.

Set Template to Remote Access, and set Remote Device Type to FortiClient VPN for OS X, Windows, and Android.

Set the Incoming Interface to the Internet-facing interface (in the example, wan1) and Authentication Method to Pre-shared Key. Enter a pre-shared key and select the new user group, then click Next. The pre-shared key is a credential for the VPN itself, not for any one user: every FortiClient profile for this tunnel carries the same key, and it is checked before the user's own username and password. Use a long, random key, and make sure it differs from the user's password.
Set Local Interface to an internal interface (in the example, lan) and set Local Address to the local LAN address (in the example, Local-network).

Enter a Client Address Range for VPN users (in the example, 10.10.100.1-10.10.100.254 with Subnet Mask 255.255.255.255). The IP range you enter here prompts FortiOS to create a new firewall object for the VPN tunnel using the name of your tunnel followed by the _range suffix (in the example, IPsec-FCT_range).

Make sure Enable IPv4 Split Tunnel is not selected, so that all Internet traffic will go through the FortiGate. If you do select Enable IPv4 Split Tunnel, traffic not intended for the corporate network will not flow through the FortiGate or be subject to the corporate security profiles.

Select Client Options as desired (in the example, Allow Endpoint Registration is enabled).

After you create the tunnel, a summary page appears listing the objects which have been added to the FortiGate's configuration by the wizard: the phase 1 interface (IPsec-FCT), the address object (IPsec-FCT_range), the remote-to-local security policy (vpn_IPsec-FCT_remote), and the endpoint registration setting.

4. Creating a security policy for access to the Internet

The IPsec wizard automatically created a security policy allowing IPsec VPN users to access the internal network. However, since split tunneling is disabled, another policy must be created to allow users to access the Internet through the FortiGate.

Go to Policy & Objects > IPv4 Policies and create a new policy.
Set a policy name that will identify what this policy is used for (in the example, IPsec-VPN-Internet).

Set Incoming Interface to the tunnel interface (in the example, IPsec-FCT) and Outgoing Interface to wan1. Set Source to the IPsec client address range (in the example, IPsec-FCT_range), Destination Address to all, Service to ALL, and enable NAT (in the example, using the outgoing interface address).

Configure any remaining firewall and security options as desired. In the example, the default AntiVirus, Web Filter and Application Control profiles are applied with the default Proxy Options and the certificate-inspection SSL/SSH inspection profile, and Log Allowed Traffic is enabled. Because every packet the remote user sends to the Internet crosses this policy, the security profiles applied here are what gives the remote user the same scanning they would get on the corporate network.

5. Configuring FortiClient

Open FortiClient, go to Remote Access and add a new connection (in the example, Work-VPN). Set the Type to IPsec VPN and Remote Gateway to the FortiGate's Internet-facing IP address.

Set Authentication Method to Pre-Shared Key and enter the key below it. The Authentication (XAuth) setting determines whether FortiClient prompts for the username and password at each connection or saves them; in this example the user is prompted.

6. Results

On FortiClient, select the VPN, enter the username and password (in the example, clementine), and select Connect.

Once the connection is established, the FortiGate assigns the user an IP address (in the example, 10.10.100.1, the first address of the client range) and FortiClient displays the status of the connection, including the IP address, connection duration, and bytes sent and received.

On the FortiGate unit, go to Monitor > IPsec Monitor and verify that the tunnel Status is Up. The monitor also shows the IP address of the FortiClient user, under Remote Gateway.

Browse the Internet, then go to FortiView > Policies and select the Now view.
You can see traffic flowing through the IPsec-VPN-Internet policy. Right-click on the policy, then select Drill Down to Details to see more information about the traffic.

Go to FortiView > VPN to see which users have connected to the VPN.

Site-to-site IPsec VPN with two FortiGates

[Diagram: the HQ FortiGate and the Branch FortiGate (Branch wan1 address 172.20.120.135 in the example) are joined over the Internet by an IPsec VPN between their wan1 interfaces; each protects an internal network on its lan interface.]

In this example, you will allow transparent communication between two networks that are located behind different FortiGates at different offices using a route-based IPsec VPN. The VPN will be created on both FortiGates by using the VPN Wizard's Site to Site - FortiGate template. In this example, one office will be referred to as HQ and the other will be referred to as Branch.

1. Configuring the HQ IPsec VPN

On the HQ FortiGate, go to VPN > IPsec Wizard. Name the tunnel (in the example, HQ-to-Branch), select the Site to Site template, and select FortiGate as the remote device type.

In the Authentication step, set IP Address to the IP of the Branch FortiGate (in the example, 172.20.120.135). After you enter the gateway, an available interface will be assigned as the Outgoing Interface. If you wish to use a different interface, select Change.

Set a secure Pre-shared Key. The key authenticates the peer gateway itself, so use a long random value that is not reused from any other tunnel.
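The wizard steps above all reduce to objects that can also be entered from the FortiGate CLI. What follows is an added example written by the editor in FortiOS 5.4 CLI syntax; it is not taken from the Fortinet cookbook and is not the wizard's literal output. It rebuilds the FortiClient recipe (steps 3 to 6) and the HQ side of the site-to-site tunnel (step 1) using the names from the examples (IPsec-FCT, IPsec-users, IPsec-FCT_range, Local-network, lan, wan1, HQ-to-Branch, 172.20.120.135), and assumes the user, group and Local-network address from steps 1 and 2 already exist. The proposal lists, the aggressive-mode IKEv1 setting for the dialup template, and the certificate-inspection profile name are the editor's assumptions about the wizard's defaults and can differ between builds; the psksecret values are placeholders to replace. The diagnose commands at the end give the step 6 check from the CLI rather than the IPsec Monitor.

```text
# Added example in FortiOS 5.4 CLI syntax; not the wizard's literal output.
# psksecret values are placeholders. Assumed: proposal lists, aggressive-mode
# IKEv1 for the dialup template, the "certificate-inspection" profile name.
# Assumed to exist already: user clementine, group IPsec-users, Local-network.

# Step 3: dialup tunnel. mode-cfg hands clients 10.10.100.1-254 (a range that
# must not overlap any internal subnet); XAuth then checks the user against
# IPsec-users, after the shared PSK has authenticated phase 1.
config vpn ipsec phase1-interface
    edit "IPsec-FCT"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype any
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dhgrp 14 5
        set dpd on-idle
        set xauthtype auto
        set authusrgrp "IPsec-users"
        set ipv4-start-ip 10.10.100.1
        set ipv4-end-ip 10.10.100.254
        set ipv4-netmask 255.255.255.255
        set dns-mode auto
        set psksecret <long-random-pre-shared-key>
    next
end
config vpn ipsec phase2-interface
    edit "IPsec-FCT"
        set phase1name "IPsec-FCT"
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
    next
end
# Address object the wizard derives from the client range (<tunnel>_range)
config firewall address
    edit "IPsec-FCT_range"
        set type iprange
        set start-ip 10.10.100.1
        set end-ip 10.10.100.254
    next
end

# The wizard's remote-to-local policy (LAN access), then the Internet policy
# of step 4. With split tunnel off, clients have no Internet without it.
config firewall policy
    edit 0
        set name "vpn_IPsec-FCT_remote"
        set srcintf "IPsec-FCT"
        set dstintf "lan"
        set srcaddr "IPsec-FCT_range"
        set dstaddr "Local-network"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "IPsec-VPN-Internet"
        set srcintf "IPsec-FCT"
        set dstintf "wan1"
        set srcaddr "IPsec-FCT_range"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set av-profile "default"
        set webfilter-profile "default"
        set application-list "default"
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
        set nat enable
    next
end

# Site-to-site, HQ side (step 1): static peer address, PSK, separate key
config vpn ipsec phase1-interface
    edit "HQ-to-Branch"
        set interface "wan1"
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dhgrp 14 5
        set remote-gw 172.20.120.135
        set psksecret <different-long-random-key>
    next
end

# Step 6 check from the CLI: phase 1 state and the address handed to the client
get vpn ipsec tunnel summary
diagnose vpn ike gateway list name IPsec-FCT
diagnose vpn tunnel list name IPsec-FCT
```

When a client cannot connect, compare the output of diagnose vpn ike gateway list with what FortiClient reports: a phase 1 that never comes up points at the pre-shared key or the proposal, while a phase 1 that is up with no assigned address points at XAuth, that is, at the user account or its group membership.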
