Cookbook

Configuring the IPsec VPN

Configuring the IPsec VPN

  1. To create the VPN, go to VPN > IPsec Wizard and create a new tunnel using a pre-existing template.
  2. Name the VPN. The tunnel name cannot include any spaces or exceed 13 characters. Set Template to Remote Access, and set Remote Device Type to FortiClient VPN for OS X, Windows, and Android.

  3. Set the Incoming Interface to wan1 and Authentication Method to Pre-shared Key.
  4. Enter a pre-shared key. This pre-shared key is a credential for the VPN and should differ from the user password. Select the Employees group.

  5. Set Local Interface to lan and set Local Address to the local network address.
  6. Enter a Client Address Range for VPN users. The IP range you enter here prompts FortiOS to create a new firewall object for the VPN tunnel using the name of your tunnel followed by the _range suffix (in the example, IPsec-FCT_range).
  7. Make sure Enable IPv4 Split Tunnel is not selected, so that all Internet traffic goes through the FortiGate. If you do enable split tunneling, traffic not destined for the corporate network bypasses the FortiGate and is not subject to the corporate security profiles.

  8. Select Client Options as desired.

  9. After you create the tunnel, a summary page appears listing the objects that the wizard added to the FortiGate’s configuration.

  10. If multiple dialup IPsec VPNs are defined for the same dialup server interface, each phase1 configuration must define a unique peer ID to distinguish the tunnel that the remote client is connecting to:
    1. Go to VPN > IPsec Tunnels and edit the tunnel you just created.
    2. Click Convert To Custom Tunnel.
    3. In the Authentication section, click Edit.
    4. Under Peer Options, set Accept Types to Specific peer ID.
    5. In the Peer ID field, enter a unique ID, such as dialup1.
    6. Click OK.
  11. To view the VPN interface created by the wizard, go to Network > Interfaces.

  12. To view the firewall address created by the wizard, go to Policy & Objects > Addresses.

  13. To view the security policy created by the wizard, go to Policy & Objects > IPv4 Policy.
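As an added pre-flight check (not part of the Fortinet cookbook), the Python below parses the CLI form of the phase1 definitions and reports dialup tunnels that share an incoming interface without a distinct peer ID, plus tunnel names that break the 13-character/no-space rule from step 2. It assumes `config vpn ipsec phase1-interface` blocks in which `set type dynamic` marks a dialup (remote access) tunnel; the sample configuration is constructed.

```python
import re
from collections import defaultdict

# Constructed sample: two dialup tunnels on wan1, the second without a peer ID.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "IPsec-FCT"
        set type dynamic
        set interface "wan1"
        set peerid "dialup1"
    next
    edit "IPsec-CTR"
        set type dynamic
        set interface "wan1"
    next
    edit "SiteToSite"
        set type static
        set interface "wan1"
    next
end
"""

def parse_phase1(text):
    """Return {tunnel_name: {setting: value}} for every edit/next block."""
    tunnels, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r'edit "([^"]*)"', line):
            current = m.group(1)
            tunnels[current] = {}
        elif current and (m := re.match(r"set (\S+) (.+)", line)):
            tunnels[current][m.group(1)] = m.group(2).strip('"')
        elif line == "next":
            current = None
    return tunnels

def check_phase1(text):
    """Return findings as a list of strings; an empty list means the config passes."""
    findings, dialup_by_iface = [], defaultdict(list)
    for name, s in parse_phase1(text).items():
        if " " in name or len(name) > 13:
            findings.append(f"{name}: tunnel name has spaces or exceeds 13 characters")
        if s.get("type") == "dynamic":  # assumption: dynamic == dialup server tunnel
            dialup_by_iface[s.get("interface", "?")].append((name, s.get("peerid")))
    for iface, tunnels in dialup_by_iface.items():
        if len(tunnels) < 2:
            continue  # a lone dialup tunnel on an interface needs no peer ID
        seen = {}
        for name, peerid in tunnels:
            if not peerid:
                findings.append(f"{name}: dialup tunnel on {iface} has no peer ID")
            elif peerid in seen:
                findings.append(f"{name}: peer ID {peerid!r} on {iface} already used by {seen[peerid]}")
            else:
                seen[peerid] = name
    return findings
```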
