Configure the FortiGate dialup client

  1. At the FortiGate dialup client, define the Phase 1 parameters needed to authenticate the dialup server and establish a secure connection. See Phase 1 parameters. Enter these settings in particular:
     Name: Enter a name to identify the VPN tunnel.
     Remote Gateway: Select Static IP Address.
     IP Address: Type the IP address of the dialup server’s public interface.
     Local Interface: Select the interface that connects to the public network.
     Mode: Because the FortiGate dialup client has a dynamic IP address, select Aggressive.
     Advanced: Select to view the following options.
     Local ID: If you defined a peer ID for the dialup client in the FortiGate dialup server configuration, enter the identifier of the dialup client. The value must be identical to the peer ID that you specified previously in the FortiGate dialup server configuration.
  2. Define the Phase 2 parameters needed to create a VPN tunnel with the dialup server. See Phase 2 parameters. Enter these settings in particular:
     Name: Enter a name to identify this Phase 2 configuration.
     Phase 1: Select the name of the Phase 1 configuration that you defined.
  3. Define names for the addresses or address ranges of the private networks that the VPN links. See Defining VPN security policies. Enter these settings in particular:
  • Define an address name for the server, host, or network behind the FortiGate dialup server.
  • Define an address name for the private network behind the FortiGate dialup client.
  4. Define security policies to permit communication between the private networks through the VPN tunnel. Route-based and policy-based VPNs require different security policies. For detailed information about creating security policies, see Defining VPN security policies.

Route-based VPN security policy

Define an ACCEPT security policy to permit communications between hosts on the private network behind this FortiGate dialup client and the private network behind the FortiGate dialup server. Because communication cannot be initiated in the opposite direction, there is only one policy.

  1. Go to Policy & Objects > Policy > IPv4 and select Create New.
  2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
  3. Enter these settings in particular:
     Incoming Interface: Select the interface that connects to the private network behind this FortiGate unit.
     Source Address: Select All.
     Outgoing Interface: Select the VPN tunnel (IPsec interface) created in Step 1.
     Destination Address: Select All.
     Action: Select ACCEPT.
     Enable NAT: Disable.
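
The route-based procedure above, expressed as FortiOS CLI. This is an added example, not part of the original help page. The object names (dialup-client, dialup-client-p2, server-net, client-net), interface names (wan1, internal), addresses (documentation and private ranges), local ID and the use of pre-shared-key authentication are assumptions.

```fortios
# Added example; every name, interface, address and the key are placeholders.
# Step 1: Phase 1 on the dialup client (route-based, so phase1-interface).
config vpn ipsec phase1-interface
    edit "dialup-client"
        set type static
        set interface "wan1"
        set remote-gw 203.0.113.1
        set mode aggressive
        set localid "client1"
        set psksecret <pre-shared-key>
    next
end
# Step 2: Phase 2 bound to the Phase 1 defined above.
config vpn ipsec phase2-interface
    edit "dialup-client-p2"
        set phase1name "dialup-client"
    next
end
# Step 3: address names for the private networks on each side.
config firewall address
    edit "server-net"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "client-net"
        set subnet 192.168.20.0 255.255.255.0
    next
end
# Step 4: the single ACCEPT policy, private interface to tunnel, NAT off.
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "dialup-client"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
```

The localid value must match the peer ID configured on the dialup server. Aggressive mode exchanges that ID unencrypted, so choose a long random pre-shared key.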

Policy-based VPN security policy

Define an IPsec security policy to permit communications between the source and destination addresses.

  1. Go to Policy & Objects > Policy > IPv4 and select Create New.
  2. Enter these settings in particular:
     Incoming Interface: Select the interface that connects to the private network behind this FortiGate unit.
     Source Address: Select the address name that you defined for the private network behind this FortiGate unit.
     Outgoing Interface: Select the FortiGate unit’s public interface.
     Destination Address: Select the address name that you defined for the private network behind the dialup server.
     VPN Tunnel: Select Use Existing and select the name of the Phase 1 configuration that you created in Step Configure the FortiGate dialup client from the drop-down list.

Clear the Allow traffic to be initiated from the remote site option to prevent traffic from the remote network from initiating the tunnel after the tunnel has been established.

Place the policy in the policy list above any other policies having similar source and destination addresses.