Configure the FortiGate unit

Configuring the FortiGate unit to establish VPN connections with FortiClient Endpoint Security users involves the following steps:

  • Configure the VPN settings
  • If the dialup clients use automatic configuration, configure the FortiGate unit as a VPN policy server
  • If the dialup clients obtain VIP addresses by DHCP over IPsec, configure an IPsec DHCP server or relay

The procedures in this section cover basic setup of policy-based and route-based VPNs compatible with FortiClient Endpoint Security. A route-based VPN is simpler to configure.

Configuring FortiGate unit VPN settings

To configure FortiGate unit VPN settings to support FortiClient users, you need to:

  • Configure the FortiGate Phase 1 VPN settings
  • Configure the FortiGate Phase 2 VPN settings
  • Add the security policy

  1. On the local FortiGate unit, define the Phase 1 configuration needed to establish a secure connection with the FortiClient peer. See Phase 1 parameters. Enter these settings in particular:
     Name: Enter a name to identify the VPN tunnel. This name appears in Phase 2 configurations, security policies and the VPN monitor.
     Remote Gateway: Select Dialup User.
     Local Interface: Select the interface through which clients connect to the FortiGate unit.
     Mode: Select Main (ID Protection).
     Authentication Method: Select Pre-shared Key.
     Pre-shared Key: Enter the pre-shared key. This must be the same pre-shared key provided to the FortiClient users.
     Peer option: Select Any peer ID.
  2. Define the Phase 2 parameters needed to create a VPN tunnel with the FortiClient peer. See Phase 2 parameters. Enter these settings in particular:
     Name: Enter a name to identify this Phase 2 configuration.
     Phase 1: Select the name of the Phase 1 configuration that you defined.
     Advanced: Select to configure the following optional setting.
     DHCP-IPsec: Select if you provide virtual IP addresses to clients using DHCP.
  3. Define names for the addresses or address ranges of the private networks that the VPN links. These addresses are used in the security policies that permit communication between the networks. For more information, see Defining VPN security policies.

     Enter these settings in particular:
     • Define an address name for the individual address or the subnet address that the dialup users access through the VPN.
     • If FortiClient users are assigned VIP addresses, define an address name for the subnet to which these VIPs belong.
  4. Define security policies to permit communication between the private networks through the VPN tunnel. Route-based and policy-based VPNs require different security policies. For detailed information about creating security policies, see Defining VPN security policies.

If the security policy that grants the VPN connection is limited to certain services, DHCP must be included; otherwise the client will not be able to retrieve a lease from the FortiGate unit's (IPsec) DHCP server, because the DHCP request coming out of the tunnel will be blocked.

Route-based VPN security policies

Define an ACCEPT security policy to permit communications between the source and destination addresses.

  1. Go to Policy & Objects > Policy > IPv4 and select Create New.
  2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
  3. Enter these settings in particular:
     Incoming Interface: Select the VPN Tunnel (IPsec Interface) you configured in the Phase 1 step of Configure the FortiGate unit.
     Source Address: Select All.
     Outgoing Interface: Select the interface that connects to the private network behind this FortiGate unit.
     Destination Address: Select All.
     Action: Select ACCEPT.
     Enable NAT: Disable.
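A sanity check for the note above about restricted services, as an added example that is not part of the FortiOS documentation: it parses a constructed FortiOS-style configuration dump (the tunnel interface name fc_dialup, the policy ids and the service names are assumed) and reports accept policies from the tunnel interface whose service list includes neither ALL nor DHCP, the case in which a client's lease request would be blocked. The parser also accepts an `end` that closes a still-open `edit`, as in the CLI snippet later on this page.

```python
import shlex

# Constructed sample in FortiOS config-dump style (not a real device export):
# policy 1 restricts services and omits DHCP, policy 2 includes it.
SAMPLE = """\
config firewall policy
    edit 1
        set srcintf "fc_dialup"
        set dstintf "internal"
        set action accept
        set service "HTTPS" "SSH"
    next
    edit 2
        set srcintf "fc_dialup"
        set dstintf "internal"
        set action accept
        set service "HTTPS" "DHCP"
    next
end
"""

def parse_fortios(text):
    """Parse FortiOS config text into nested dicts: table -> entry -> key -> values."""
    root, stack = {}, []
    for tok in filter(None, map(shlex.split, text.splitlines())):
        cur = stack[-1][1] if stack else root
        if tok[0] == "config":      # open a table such as "firewall policy"
            cur[" ".join(tok[1:])] = node = {}
            stack.append(("config", node))
        elif tok[0] == "edit":      # open an entry (policy id or object name)
            cur[tok[1]] = node = {}
            stack.append(("edit", node))
        elif tok[0] == "set":       # attribute with one or more values
            cur[tok[1]] = tok[2:]
        elif tok[0] == "next":      # close the entry
            stack.pop()
        elif tok[0] == "end":       # close the table, and any entry still open
            while stack.pop()[0] != "config":
                pass
    return root

def tunnel_policies_blocking_dhcp(cfg, tunnel_iface):
    """Ids of accept policies from the tunnel whose service list lacks both ALL and DHCP."""
    bad = []
    for pid, pol in cfg.get("firewall policy", {}).items():
        svc = pol.get("service", [])
        if (tunnel_iface in pol.get("srcintf", []) and pol.get("action") == ["accept"]
                and "ALL" not in svc and "DHCP" not in svc):
            bad.append(pid)
    return bad
```

Running `tunnel_policies_blocking_dhcp(parse_fortios(SAMPLE), "fc_dialup")` on the sample returns `['1']`; the same check can be pointed at a real `show firewall policy` output.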

If you want to allow hosts on the private network to initiate communications with the FortiClient users after the tunnel is established, you need to define a security policy for communication in that direction.

  1. Go to Policy & Objects > Policy > IPv4 and select Create New.
  2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
  3. Enter these settings in particular:
     Incoming Interface: Select the interface that connects to the private network behind this FortiGate unit.
     Source Address: Select All.
     Outgoing Interface: Select the interface that connects to the private network behind this FortiGate unit.
     Destination Address: Select All.
     Action: Select ACCEPT.
     Enable NAT: Disable.

Policy-based VPN security policy

Define an IPsec security policy to permit communications between the source and destination addresses.

  1. Go to Policy & Objects > Policy > IPv4 and select Create New.
  2. Enter these settings in particular:
     Incoming Interface: Select the interface that connects to the private network behind this FortiGate unit.
     Source Address: Select the address name that you defined in the address-definition step of Configure the FortiGate unit for the private network behind this FortiGate unit.
     Outgoing Interface: Select the FortiGate unit's public interface.
     Destination Address: If FortiClient users are assigned VIPs, select the address name that you defined for the VIP subnet. Otherwise, select All.
     VPN Tunnel: Select Use Existing and select the name of the Phase 1 configuration that you created in the Phase 1 step of Configure the FortiGate unit.

Select Allow traffic to be initiated from the remote site to enable traffic from the remote network to initiate the tunnel.

Place VPN policies in the policy list above any other policies having similar source and destination addresses.

Configuring the FortiGate unit as a VPN policy server

When a FortiClient application set to automatic configuration connects to the FortiGate unit, the FortiGate unit requests a user name and password. If the user supplies valid credentials, the FortiGate unit downloads the VPN settings to the FortiClient application.

You must do the following to configure the FortiGate unit to work as a VPN policy server for FortiClient automatic configuration:

  1. Create user accounts for FortiClient users.
  2. Create a user group for FortiClient users and the user accounts that you created in step 1.
  3. Connect to the FortiGate unit CLI and configure VPN policy distribution as follows:

     config vpn ipsec forticlient
         edit <policy_name>
             set phase2name <tunnel_name>
             set usergroupname <group_name>
             set status enable
         end

<tunnel_name> must be the Name you specified in step 2 (the Phase 2 configuration) of Configure the FortiGate unit. <group_name> must be the name of the user group you created for FortiClient users.

Configuring DHCP services on a FortiGate interface

If the FortiClient dialup clients are configured to obtain a VIP address using DHCP, configure the FortiGate dialup server to either relay DHCP requests over IPsec to a DHCP server or act as an IPsec DHCP server itself, using one of the two procedures below.

Note that DHCP services are typically configured during the interface creation stage, but you can return to an interface to modify DHCP settings if need be.

To configure DHCP relay on a FortiGate interface
  1. Go to System > Network > Interfaces and select the interface that you want to relay DHCP.
  2. Under DHCP Server, select Enable and create a new DHCP Address Range and Netmask.
  3. Open the Advanced... menu and select Relay for the Mode option.
  4. For the Type, select IPsec.
  5. Select OK.

To configure a DHCP server on a FortiGate interface
  1. Go to System > Network > Interfaces and select the interface that you want to act as a DHCP server.
  2. Under DHCP Server, select Enable and create a new DHCP Address Range and Netmask.
  3. For Default Gateway, enter the IP address of the default gateway that the DHCP server assigns to DHCP clients.
  4. For DNS Server, select Same as System DNS. If you want to use a different DNS server for VPN clients, select Specify and enter an IP address in the available field.
  5. Open the Advanced... menu and select Server for the Mode option.
  6. For the Type, select IPsec.
  7. Select OK.