Chapter 11 IPsec VPN for FortiOS 5.0 : FortiGate dialup-client configurations : Configure the server to accept FortiGate dialup-client connections
  
Configure the server to accept FortiGate dialup-client connections
Before you begin, optionally reserve a unique identifier (peer ID) for the FortiGate dialup client. The dialup client will supply this value to the FortiGate dialup server for authentication purposes during the IPsec phase 1 exchange. In addition, the value will enable you to distinguish FortiGate dialup-client connections from FortiClient dialup-client connections. The same value must be specified on the dialup server and on the dialup client.
1. At the FortiGate dialup server, define the phase 1 parameters needed to authenticate the FortiGate dialup client and establish a secure connection. See “Auto Key phase 1 parameters”. Enter these settings in particular:
   Name: Enter a name to identify the VPN tunnel. This name appears in phase 2 configurations, security policies and the VPN monitor.
   Remote Gateway: Select Dialup User.
   Local Interface: Select the interface through which clients connect to the FortiGate unit.
   Mode: If you will be assigning an ID to the FortiGate dialup client, select Aggressive.
   Peer Options: If you will be assigning an ID to the FortiGate dialup client, select Accept this peer ID and type the identifier that you reserved for the FortiGate dialup client into the adjacent field.
   Enable IPsec Interface Mode: You must select Advanced to see this setting. If IPsec Interface Mode is enabled, the FortiGate unit creates a virtual IPsec interface for a route-based VPN. Disable this option if you want to create a policy-based VPN. After you select OK to create the phase 1 configuration, you cannot change this setting.
2. Define the phase 2 parameters needed to create a VPN tunnel with the FortiGate dialup client. See “Phase 2 parameters”. Enter these settings in particular:
   Name: Enter a name to identify this phase 2 configuration.
   Phase 1: Select the name of the phase 1 configuration that you defined.
3. Define names for the addresses or address ranges of the private networks that the VPN links. See “Defining policy addresses”. Enter these settings in particular:
Define an address name for the server, host, or network behind the FortiGate dialup server.
Define an address name for the private network behind the FortiGate dialup client.
4. Define the security policies to permit communications between the private networks through the VPN tunnel. Route-based and policy-based VPNs require different security policies. For detailed information about creating security policies, see “Defining VPN security policies”.
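The peer ID rules above (Aggressive mode, a single accepted peer ID, and the same value on server and client) can be checked against exported configurations. The following Python script is an added example, not Fortinet's code: the sample configurations are constructed, and the CLI keyword names (type, mode, peertype, peerid, localid) are assumed from the FortiOS CLI rather than taken from this page.

```python
import re

# Constructed sample configs; keyword names assumed from the FortiOS CLI.
SERVER_CFG = '''
config vpn ipsec phase1-interface
    edit "dialup-fgt"
        set type dynamic
        set mode aggressive
        set peertype one
        set peerid "branch-fgt-01"
    next
end
'''
CLIENT_CFG = '''
config vpn ipsec phase1-interface
    edit "to-hq"
        set mode aggressive
        set localid "branch-fgt-01"
    next
end
'''
P1 = "vpn ipsec phase1-interface"

def parse(cfg):
    """Return {section: {entry: {key: value}}} for flat config/edit/set blocks."""
    out, section, entry = {}, None, None
    for line in cfg.splitlines():
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        if tok[:1] == ["config"]:
            section = out.setdefault(" ".join(tok[1:]), {})
        elif tok[:1] == ["edit"] and section is not None:
            entry = section.setdefault(tok[1], {})
        elif tok[:1] == ["set"] and entry is not None:
            entry[tok[1]] = " ".join(tok[2:])
    return out

def audit(server_cfg, client_cfg):
    """List where dialup phase 1 entries deviate from the peer ID rules."""
    p1 = parse(server_cfg).get(P1, {})
    sent = {c.get("localid") for c in parse(client_cfg).get(P1, {}).values()}
    out = []
    for name, s in p1.items():
        if s.get("type") == "dynamic" and "peerid" in s:
            if s.get("mode") != "aggressive":
                out.append(f"{name}: peer ID set but mode is not aggressive")
            if s.get("peertype") != "one":
                out.append(f"{name}: peer ID set but peertype is not one")
            if s["peerid"] not in sent:
                out.append(f"{name}: no client sends ID {s['peerid']}")
    return out
```

Calling audit(SERVER_CFG, CLIENT_CFG) returns an empty list when the two sides agree; each string in a non-empty result names the phase 1 entry and the rule it breaks.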