EMS Administration Guide

Configuring a backup VPN connection

You can configure FortiClient to connect to a preconfigured SSL VPN tunnel instead when a connection to a configured IPsec VPN tunnel fails. This feature is convenient for connecting to VPN when the IPsec VPN tunnel is blocked or when a public router or gateway performs IPsec VPN NAT incorrectly.

This guide assumes that the EMS administrator has already configured an SSL VPN tunnel and IPsec VPN tunnel on the desired endpoint profile.

To configure a backup VPN connection:
  1. Go to Endpoint Profiles > Manage Profiles.
  2. Edit the desired profile, then do one of the following:
    1. Configure this feature from the GUI. Do the following:
      1. Edit the desired IPsec VPN tunnel.
      2. In Advanced Settings, from the Failover SSL VPN Connection dropdown list, select the desired SSL VPN connection.
      3. Click Save.
    2. Configure this feature using XML. On the XML Configuration tab, configure the following for the desired IPsec VPN tunnel. The following configures the secure_sslvpn tunnel as the backup tunnel:

      <forticlient_configuration>
        <vpn>
          <ipsecvpn>
            <connections>
              <connection>
                <ike_settings>
                  <failover_sslvpn_connection>secure_sslvpn</failover_sslvpn_connection>
                </ike_settings>
              </connection>
            </connections>
          </ipsecvpn>
        </vpn>
      </forticlient_configuration>

      This is a balanced but incomplete XML configuration fragment. It includes all closing tags but omits some important elements needed to complete the IPsec VPN configuration.

  3. After FortiClient receives the next update from EMS, on the Remote Access tab, from the VPN Name dropdown list, select the IPsec VPN tunnel.
  4. Select View the selected connection.
  5. Verify that the Failover SSL VPN field specifies the SSL VPN tunnel configured in step 2.
  6. Attempt to connect to the IPsec VPN tunnel under conditions where you know the connection fails. FortiClient automatically connects to the configured SSL VPN tunnel instead.
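
As an added example (not part of the Fortinet guide), the following Python script checks a profile's XML for IPsec connections whose failover_sslvpn_connection value does not match any SSL VPN connection defined in the same profile, which would leave the tunnel without a usable backup. The `<name>` elements, the `<sslvpn>` section layout, and every tunnel name other than secure_sslvpn are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile. Only the ipsecvpn/.../ike_settings path is from the
# guide; the <name> elements and the <sslvpn> section layout are assumptions.
SAMPLE_PROFILE = """
<forticlient_configuration>
  <vpn>
    <sslvpn><connections>
      <connection><name>secure_sslvpn</name></connection>
    </connections></sslvpn>
    <ipsecvpn><connections>
      <connection>
        <name>hq_ipsec</name>
        <ike_settings><failover_sslvpn_connection>secure_sslvpn</failover_sslvpn_connection></ike_settings>
      </connection>
      <connection>
        <name>branch_ipsec</name>
        <ike_settings><failover_sslvpn_connection>secure_ssl_vpn</failover_sslvpn_connection></ike_settings>
      </connection>
      <connection><name>lab_ipsec</name><ike_settings/></connection>
    </connections></ipsecvpn>
  </vpn>
</forticlient_configuration>
"""

def check_failover(profile_xml):
    """Map each IPsec connection name to 'ok', 'none' or 'dangling:<target>'."""
    root = ET.fromstring(profile_xml)
    ssl_names = {(n.text or "").strip()
                 for n in root.findall("./vpn/sslvpn/connections/connection/name")}
    results = {}
    for conn in root.findall("./vpn/ipsecvpn/connections/connection"):
        name = (conn.findtext("name") or "<unnamed>").strip()
        target = (conn.findtext("ike_settings/failover_sslvpn_connection") or "").strip()
        if not target:
            results[name] = "none"                  # no backup tunnel configured
        elif target in ssl_names:
            results[name] = "ok"                    # backup refers to a defined SSL VPN tunnel
        else:
            results[name] = "dangling:" + target    # typo or deleted SSL VPN tunnel
    return results

if __name__ == "__main__":
    for name, status in check_failover(SAMPLE_PROFILE).items():
        print(f"{name}: {status}")
```

Running a check like this before pushing a profile catches a misspelled or removed SSL VPN tunnel name without having to force an IPsec failure on an endpoint, as step 6 does.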
