IPsec VPN with FortiClient
Posted on January 4, 2016 by Victoria Martin
In this example, you will allow remote users to access the corporate network using an IPsec VPN that they connect to using FortiClient for Mac OS X, Windows, or Android. Traffic to the Internet will also flow through the FortiGate, to apply security scanning.
http://cookbook.fortinet.com/ipsecvpnwithforticlient54/ 1/10
4/16/2017 IPsec VPN with FortiClient Fortinet Cookbook
1. Creating a user group for remote users
Go to User & Device > User Definition. Create a local user account for an IPsec VPN user.
Go to User & Device > User Groups. Create a user group for IPsec VPN users and add the new user account.
2. Adding a firewall address for the local network
Go to Policy & Objects > Addresses and create an address for the
local network.
3. Configuring the IPsec VPN using the IPsec VPN Wizard
Go to VPN > IPsec Wizard and create a new tunnel using a pre-existing template.
Enter a pre-shared key* and select the new user group, then click
Next.
Set Local Interface to an internal interface (in the example, lan) and
set Local Address to the local LAN address.
Make sure Enable IPv4 Split Tunnel is not selected, so that all Internet traffic will go through the FortiGate.*
After you create the tunnel, a summary page appears listing the objects which have been added to the FortiGate's configuration by the wizard.
4. Creating a security policy for access to the Internet
The IPsec wizard automatically created a security policy allowing IPsec VPN users to access the
internal network. However, since split tunneling is disabled, another policy must be created to
allow users to access the Internet through the FortiGate.
Go to Policy & Objects > IPv4 Policies and create a new policy. Set a policy name that will identify what this policy is used for (in the example, IPsec-VPN-Internet).
5. Configuring FortiClient
Set the Type to IPsec VPN and Remote Gateway to the FortiGate IP
address.
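The same setup expressed on the FortiGate CLI, as an added example that is not part of the cookbook article: it approximates what the wizard's FortiClient dialup template creates in steps 1, 3 and 4. The user name "vpnuser1", the group and tunnel names, the WAN interface "wan1" and the 10.10.100.x client pool are assumptions.

```fortios
# Added example, not from the cookbook: CLI approximation of what the IPsec
# wizard's FortiClient dialup template creates. The user "vpnuser1", the
# names, the WAN interface (wan1) and the client address pool are assumptions.
config user group
    edit "IPsec-VPN-users"
        set member "vpnuser1"
    next
end
config vpn ipsec phase1-interface
    edit "IPsec-VPN"
        # dialup: remote clients have no fixed IP, so accept any peer
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        # mode-config hands each client an address from this pool
        set mode-cfg enable
        set ipv4-start-ip 10.10.100.1
        set ipv4-end-ip 10.10.100.100
        # XAuth authenticates the user against the group from step 1;
        # leaving ipv4-split-include unset keeps split tunneling disabled
        set xauthtype auto
        set authusrgrp "IPsec-VPN-users"
        set psksecret "<pre-shared-key>"
    next
end
config vpn ipsec phase2-interface
    edit "IPsec-VPN"
        set phase1name "IPsec-VPN"
    next
end
# Step 4: the extra policy that lets VPN clients reach the Internet via NAT
config firewall policy
    edit 0
        set name "IPsec-VPN-Internet"
        set srcintf "IPsec-VPN"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Once a client has connected, `diagnose vpn tunnel list` on the FortiGate shows the dialup tunnel and the address assigned to the client, matching what the IPsec Monitor displays.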
6. Results
On the FortiGate unit, go to Monitor > IPsec Monitor and verify that
the tunnel Status is Up.
Browse the Internet, then go to FortiView > Policies and select the now view. You can see traffic flowing through the IPsec-VPN-Internet policy.
Right-click on the policy, then select Drill Down to Details. You can see more information about the traffic.
Under Source, you can also see the IP address assigned to the
FortiClient user (10.10.100.1).
Victoria Martin
Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She
graduated with a Bachelor's degree from Mount Allison University, after which she
attended Humber College's book publishing program, followed by the more practical
technical writing program at Algonquin College. She does need glasses but also likes
wearing them, since glasses make you look smarter.
Hugo
I followed this guide but I encountered a problem when editing the VPN policy. I need to allow different access to different users in LDAP. When I set up the rule the VPN tunnel works, but when I try to PING something I found out that the user wasn't authenticated (even after I logged in with FortiClient). Turns out that when I tried to access an internal web server I was redirected to the Fortinet captive portal; after I authenticated for the second time the ping and all other services worked in the VPN. I think it's a problem with SSO,…
Luca Peppo
I have configured the VPN site to site and I see all three networks.
If I configure the VPN dialup FortiClient: if I do it from home first, I only see location 1 (and I cannot even ping the other 2 sites), the same as if I configure the VPN dialup in the other two locations.
adnan sabir
I want to set up the same but with a little different topology. I have two internet connections, one with a dynamic IP and the other with a static IP. I want to set up the dialup VPN using the static IP and also want to use the dynamic IP as well, as it has good internet speed. How could I achieve this? If I use only the static IP then it has limited bandwidth (8Mbps), so my internet connection with the dynamic IP has good speed.
Peter
How to configure VPN on a VDOM? I've got no VPN menu on the VDOM (feature select -> VPN is on), only on root, but interfaces wan1 and lan1 are in the VDOM.
Keith Leroux
Hello Peter,
I can configure VPNs via the VPN menu on both of my VDOMs (one in proxy mode, the other in flow-based mode) on my 800D running FortiOS 5.4, as well as in root. I recommend contacting support to determine the issue with your device.
Mick Richards
FortiView -> VPN does not exist with my 60D-POE. I am running Firmware Version v5.4.1, build5447 (GA). Can you help with the missing view?
Keith Leroux
Hello Mick,
The FGT-60D only has basic feature support for FortiView, which does not
include VPN. Refer to the following doc for feature support info:
http://docs.fortinet.com/uploaded/files/3108/fortiview-541.pdf
Cheers!
Francisco
Hello, I do not need Internet traffic through the FortiGate; what I need is with my own Internet connection, but it does not work.
Keith Leroux
Hello Francisco,
In step 3 of the IPsec VPN wizard, try to enable IPv4 Split Tunneling.
Cheers!
santhosh
Which mode is used here, route mode or policy mode?
Victoria Martin
All VPNs made using the VPN wizard use route mode.
alessandro Biasi
Hello Victoria,
I need help with this VPN. When FortiClient connects to the VPN and the VPN goes up, I cannot use the internal LAN; I lose connection with servers and printers, but internet works.
What can it be?
Ivan Ivanov
But I don't understand how we can log the activity of any dialup user per username. For example "Clementine" isn't shown in the monitoring tab or in FortiView.
Victoria Martin
Hello Ivan,
I’ve added more information to the results section that includes the
FortiView VPN dashboard, which does display the names of VPN users for
both IPsec and SSL VPNs.