FortiClient WAN optimization over IPsec VPN configuration example
This example shows how to add WAN optimization to a FortiClient IPsec VPN. The IPsec VPN tunnel allows remote FortiClient users to connect to the internal network behind the FortiGate unit as shown in Figure 340.
Figure 340: Example FortiClient WAN optimization configuration
To configure the FortiGate unit
Because computers running FortiClient can have IP addresses that change often, it is usually not practical to add FortiClient peers to the FortiGate WAN optimization peer list. Instead, a FortiGate unit that accepts WAN optimization tunnel requests from FortiClient is usually configured to accept any peer (see “Accepting any peers”). This example does this by adding a WAN optimization authentication group with Peer acceptance set to Accept Any Peer.
In addition, this example includes a wanopt to internal policy to allow WAN optimization traffic to reach the internal network. Finally, passive WAN optimization is added to the ssl.root policy because WAN optimization is accepting traffic from the IPsec VPN tunnel.
1. Go to WAN Opt. & Cache > WAN Opt. Peers > Authentication Groups and select Create New.
2. Configure the WAN optimization authentication group:
   Name                     auth-fc
   Authentication Method    Certificate
   Certificate              Fortinet_Firmware
   Peer Acceptance          Accept Any Peer
3. Select OK.
4. Go to WAN Opt. & Cache > WAN Opt. Profiles > Profiles and select Create New (select the + button).
5. Add a profile for FortiClient WAN optimization sessions:
   Name                     Fclient_Pro
   Transparent Mode         Select
   Authentication Group     auth-fc
6. Select any Protocols and any settings for each protocol.
7. Select OK.
8. Go to Policy & Objects > Objects > Addresses and select Create New to add a firewall address for the internal network that FortiClient users can access.
   Category                 Address
   Address Name             Internal-Server-Net
   Type                     IP Range
   Subnet / IP Range        192.168.10.0/24
   Interface                internal
9. Enter the following CLI command to add an explicit proxy policy to accept WAN optimization tunnel connections.
config firewall explicit-proxy-policy
    edit 0
        set proxy wanopt
        set dstintf internal
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
    next
end
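One way to review the step 9 policy once it appears in a configuration backup, as an added example that is not part of the original handbook or Fortinet tooling: it parses the explicit-proxy-policy table and reports which WAN optimization accept policies leave srcaddr, dstaddr or service at all/ALL, for instance where an address object such as Internal-Server-Net from step 8 could be used instead. The sample configuration is constructed, policy 2 and the function names are assumptions, and the parser assumes a flat table with no nested config blocks.

```python
import shlex

# Constructed sample: policy 1 mirrors step 9; policy 2 is a hypothetical narrowed variant.
SAMPLE_CONFIG = """
config firewall explicit-proxy-policy
    edit 1
        set proxy wanopt
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set proxy wanopt
        set srcaddr "all"
        set dstaddr "Internal-Server-Net"
        set action accept
        set service "HTTP" "HTTPS"
    next
end
"""
WIDE_OPEN = {"srcaddr": "all", "dstaddr": "all", "service": "ALL"}

def parse_policies(text, table="firewall explicit-proxy-policy"):
    """Return {policy_id: {option: [values]}} for one flat config table."""
    policies, current, in_table = {}, None, False
    for line in map(str.strip, text.splitlines()):
        if line == f"config {table}":
            in_table = True
        elif in_table and line == "end":
            break
        elif in_table and line.startswith("edit "):
            current = policies.setdefault(line.split()[1], {})
        elif in_table and line.startswith("set ") and current is not None:
            _, key, *values = shlex.split(line)  # shlex strips the quotes
            current[key] = values
    return policies

def audit_wanopt(text):
    """List (policy_id, option) where a wanopt accept policy is unrestricted."""
    findings = []
    for pid, opts in parse_policies(text).items():
        if opts.get("proxy") == ["wanopt"] and opts.get("action") == ["accept"]:
            findings += [(pid, k) for k, v in WIDE_OPEN.items() if v in opts.get(k, [])]
    return findings

if __name__ == "__main__":
    print(audit_wanopt(SAMPLE_CONFIG))
```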
To set up IPsec VPN to support WAN optimization
1. Go to VPN > IPsec > Wizard, enter a Name for the IPsec VPN and select Dialup - FortiClient (Windows, Mac OS, Android).
2. Follow the wizard steps to configure the VPN. No special WAN optimization settings are required.
3. Go to Policy & Objects > Policy > IPv4 and edit the policy created by the wizard.
This policy has the IPsec VPN interface created by the wizard as the source interface.
4. Turn on WAN Optimization and configure the following settings:
   Enable WAN Optimization  passive
   Passive Option           default
5. Select OK.
To configure FortiClient and start the WAN optimization SSL VPN connection
1. Open FortiClient, configure Advanced settings, and select Enable WAN optimization.
2. Add a new IPsec VPN connection.
Set the Server to the WAN1 IP address of the FortiGate unit (172.20.120.30 in this example).
No other settings are required for this example. You can add authentication in the form of a user name and password if required by the FortiGate unit.
3. Start the IPsec VPN tunnel.
You should be connected to the IPsec VPN tunnel and traffic in it should be optimized.