Chapter 3 Authentication for FortiOS 5.0 : Users and user groups : User groups : Firewall user groups : IPsec VPN access
  
IPsec VPN access
A firewall user group can provide access for dialup users of an IPsec VPN. In this case, the IPsec VPN phase 1 configuration uses the Accept peer ID in dialup group peer option. The user’s VPN client is configured with the username as peer ID and the password as pre-shared key. The user can connect successfully to the IPsec VPN only if the username is a member of the allowed user group and the password matches the one stored on the FortiGate unit.
 
A user group cannot be used as a dialup group if any member of the group is authenticated using an external authentication server.
For more information, see the FortiOS Handbook IPsec VPN chapter.