IPsec VPN for FortiOS 5.0, Chapter 11: FortiClient dialup-client configurations, Configure the FortiGate unit

Configuring FortiGate unit VPN settings
To configure FortiGate unit VPN settings to support FortiClient users, you need to:
configure the FortiGate Phase 1 VPN settings
configure the FortiGate Phase 2 VPN settings
add the security policy
1. On the local FortiGate unit, define the phase 1 configuration needed to establish a secure connection with the FortiClient peer. See “Auto Key phase 1 parameters”. Enter these settings in particular:
Name
Enter a name to identify the VPN tunnel. This name appears in phase 2 configurations, security policies and the VPN monitor.
Remote Gateway
Select Dialup User.
Local Interface
Select the interface through which clients connect to the FortiGate unit.
Mode
Select Main (ID Protection).
Authentication Method
Select Pre-shared Key.
Pre-shared Key
Enter the pre-shared key. It must be the same pre-shared key that is given to the FortiClient users. Because every dialup client uses this one key and, with Accept any peer ID (below), no other identity is checked in phase 1, the key alone authenticates a client: use a long random value and handle it as a credential.
Peer option
Select Accept any peer ID.
Enable IPsec Interface Mode
You must select Advanced to see this setting. If IPsec Interface Mode is enabled, the FortiGate unit creates a virtual IPsec interface and the VPN is route-based; if it is disabled, the VPN is policy-based. This choice determines which kind of security policy you create in step 4.
2. Define the phase 2 parameters needed to create a VPN tunnel with the FortiClient peer. See “Phase 2 parameters”. Enter these settings in particular:
Name
Enter a name to identify this phase 2 configuration.
Phase 1
Select the name of the phase 1 configuration that you defined.
Advanced
Select to configure the following optional setting.
DHCP-IPsec
Select if you provide virtual IP addresses to clients using DHCP.
3. Define names for the addresses or address ranges of the private networks that the VPN links. These addresses are used in the security policies that permit communication between the networks. For more information, see “Defining policy addresses”.
Enter these settings in particular:
Define an address name for the individual address or the subnet address that the dialup users access through the VPN.
If FortiClient users are assigned VIP addresses, define an address name for the subnet to which these VIPs belong.
4. Define security policies to permit communication between the private networks through the VPN tunnel. Route-based and policy-based VPNs require different security policies. For detailed information about creating security policies, see “Defining VPN security policies”.
If the security policy that grants VPN access is restricted to specific services, the DHCP service must be among them. Otherwise the client cannot obtain a lease from the FortiGate's DHCP-over-IPsec server, because the DHCP request arriving through the tunnel is blocked by the policy.
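As an added example (not code from the handbook or from Fortinet), the following is the FortiOS 5.0 CLI equivalent of steps 1 through 4 for a route-based (IPsec interface mode) FortiClient dialup VPN. The tunnel name fc_dialup, the interfaces wan1 and internal, the LAN subnet 192.168.1.0/24, the client VIP pool 10.254.1.0/24, the proposals and the service list are assumed for illustration; the DHCP server block uses the syntax the author believes the 5.0 CLI accepts and should be checked against the CLI reference for your build.

```fortios
# Added example, not from the handbook. Assumed names and values: tunnel
# "fc_dialup", WAN interface "wan1", LAN interface "internal", LAN subnet
# 192.168.1.0/24, client VIP pool 10.254.1.0/24 issued by DHCP over IPsec.

# Step 1: phase 1. "type dynamic" = Remote Gateway: Dialup User,
# "mode main" = Main (ID Protection), "peertype any" = Accept any peer ID,
# "authmethod psk" = Pre-shared Key. Every FortiClient carries the same key,
# so the key is the only thing that authenticates a client.
config vpn ipsec phase1-interface
    edit "fc_dialup"
        set type dynamic
        set interface "wan1"
        set mode main
        set authmethod psk
        set peertype any
        set proposal aes256-sha256 aes128-sha1
        set dhgrp 14 5
        set dpd enable
        set psksecret "replace-with-a-long-random-secret"
    next
end

# Step 2: phase 2 bound to the phase 1 above. dhcp-ipsec lets clients
# obtain their virtual IP from the FortiGate DHCP server through the tunnel.
config vpn ipsec phase2-interface
    edit "fc_dialup_p2"
        set phase1name "fc_dialup"
        set proposal aes256-sha256 aes128-sha1
        set pfs enable
        set dhgrp 14 5
        set dhcp-ipsec enable
    next
end

# DHCP server on the virtual IPsec interface (assumed syntax; verify against
# the 5.0 CLI reference). Leases are served to clients inside the tunnel.
config system dhcp server
    edit 1
        set interface "fc_dialup"
        set netmask 255.255.255.0
        set default-gateway 10.254.1.1
        config ip-range
            edit 1
                set start-ip 10.254.1.10
                set end-ip 10.254.1.200
            next
        end
    next
end

# Step 3: address objects for the LAN the clients reach and for the
# subnet the virtual IPs belong to.
config firewall address
    edit "lan_net"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "fc_vip_pool"
        set subnet 10.254.1.0 255.255.255.0
    next
end

# Step 4: route-based policy from the IPsec interface to the LAN. The
# service list is restricted, so DHCP is listed explicitly; without it the
# client's DHCP request coming out of the tunnel is dropped and no lease
# is issued, even though phase 1 and phase 2 complete.
config firewall policy
    edit 0
        set srcintf "fc_dialup"
        set dstintf "internal"
        set srcaddr "fc_vip_pool"
        set dstaddr "lan_net"
        set action accept
        set schedule "always"
        set service "DHCP" "HTTPS" "SSH"
        set logtraffic all
    next
end
```

For a policy-based VPN (IPsec Interface Mode disabled) the same settings go under `config vpn ipsec phase1` and `config vpn ipsec phase2`, and step 4 becomes a policy from internal to wan1 with `set action ipsec`, `set vpntunnel "fc_dialup"` and `set inbound enable`; the DHCP service must still be in its service list for the reason given above. A client that completes phase 1 and phase 2 but never receives an address is the usual symptom of DHCP missing from that list.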