Enabling VPN access with user accounts and pre-shared keys
You can permit access only to remote peers or dialup clients that have pre-shared keys and/or peer IDs configured in user accounts on the FortiGate unit.
If you want two VPN peers (or a FortiGate unit and a dialup client) to accept reciprocal connections based on peer IDs, you must enable the exchange of their identifiers when you define the Phase 1 parameters.
The following procedures assume that you already have an existing Phase 1 configuration (see
“Authenticating the FortiGate unit with digital certificates”). Follow the procedures below to add ID checking to the existing configuration.
Before you begin, you must obtain the identifier (local ID) of the remote peer or dialup client. If you are using the FortiClient Endpoint Security application as a dialup client, refer to the
Authenticating FortiClient Dialup Clients Technical Note to view or assign an identifier. To assign an identifier to a FortiGate dialup client or a FortiGate unit that has a dynamic IP address and subscribes to a dynamic DNS service, see
“To assign an identifier (local ID) to a FortiGate unit”.
If required, a dialup user group can be created from existing user accounts for dialup clients. To create the user accounts and user groups, see the User Authenticationchapter of The Handbook.
The following procedure supports FortiGate/FortiClient dialup clients that use unique preshared keys and/or peer IDs. The client must have an account on the FortiGate unit and be a member of the dialup user group.
The dialup user group must be added to the FortiGate configuration before it can be selected. For more information, see the User Authenticationchapter of The Handbook.
The FortiGate dialup server compares the local ID that you specify at each dialup client to the FortiGate user-account user name. The dialup-client preshared key is compared to a FortiGate user-account password.
To authenticate dialup clients using unique preshared keys and/or peer IDs
1. At the FortiGate VPN server, go to VPN > IPsec > Tunnels and create the new custom tunnel or edit an existing tunnel.
2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button).
3. If the clients have unique peer IDs, set Mode to Aggressive.
4. Clear the Pre-shared Key field.
The user account password will be used as the preshared key.
5. Select Peer ID from dialup group and then select the group name from the list of user groups.
6. Select OK.
Follow this procedure to add a unique pre-shared key and unique peer ID to an existing FortiClient configuration.
To configure FortiClient - pre-shared key and peer ID
1. Start the FortiClient Endpoint Security application.
2. Go to VPN > Connections, select the existing configuration.
3. Select Advanced > Edit.
4. In the Preshared Key field, type the FortiGate password that belongs to the dialup client (for example, 1234546).
The user account password will be used as the preshared key.
5. Select Advanced.
6. Under Policy, select Config.
7. In the Local ID field, type the FortiGate user name that you assigned previously to the dialup client (for example, FortiC1ient1).
8. Select OK to close all dialog boxes.
Configure all FortiClient dialup clients this way using unique preshared keys and local IDs.
Follow this procedure to add a unique pre-shared key to an existing FortiClient configuration.
To configure FortiClient - preshared key only
1. Start the FortiClient Endpoint Security application.
2. Go to VPN > Connections, select the existing configuration
3. Select Advanced > Edit.
4. In the Preshared Key field, type the user name, followed by a “+” sign, followed by the password that you specified previously in the user account settings on the FortiGate unit (for example, FC2+1FG6LK)
5. Select OK to close all dialog boxes.
Configure all the FortiClient dialup clients this way using their unique peer ID and pre‑shared key values.