FortiClient VPN

FortiClient VPN

Use the FortiClient VPN for OS X, Windows, and Android VPN Wizard option when configuring an IPsec VPN for remote users to connect to the VPN tunnel using FortiClient.


When configuring a FortiClient VPN connection, the settings for Phase 1 and Phase 2 settings are automatically configured by the FortiGate unit. They are set to:

  • Remote Gateway — Dialup User
  • Mode — Aggressive
  • Default settings for Phase 1 and 2 Proposals
  • XAUTH Enable as Server (Auto)
  • IKE mode-config will be enabled
  • Peer Option — “Any peer ID”

The remainder of the settings use the current FortiGate defaults. Note that FortiClient settings need to match these FortiGate defaults. If you need to configure advanced settings for the FortiClient VPN, you must do so using the CLI.

Name                                           Enter a name for the FortiClient VPN.

Local Outgoing Interface         Select the local outgoing interface for the VPN.

Authentication Method            Select the type of authentication used when logging in to the VPN.

Preshared Key                           If Preshared Key was selected in Authentication Method, enter the pre-shared key in the field provided.

User Group                                Select a user group. You can also create a user group from the drop-down list by selecting Create New.

Address Range Start IP            Enter the start IP address for the DHCP address range for the client.

Address Range End IP             Enter the end IP address for the address range.

Subnet Mask                              Enter the subnet mask.

Enable IPv4 Split Tunnel         Enabled by default, this option enables the FortiClient user to use the VPN to access internal resources while other Internet access is not sent over the VPN, alleviating potential traffic bottlenecks in the VPN connection. Dis- able this option to have all traffic sent through the VPN tunnel.

Accessible Networks                Select from a list of internal networks that the FortiClient user can access.

Client Options                           These options affect how the FortiClient application behaves when con- nected to the FortiGate VPN tunnel. When enabled, a check box for the cor- responding option appears on the VPN login screen in FortiClient, and is not enabled by default.

Save Password – When enabled, if the user selects this option, their pass- word is stored on the user’s computer and will automatically populate each time they connect to the VPN.

Auto Connect – When enabled, if the user selects this option, when the FortiClient application is launched, for example after a reboot or system startup, FortiClient will automatically attempt to connect to the VPN tunnel.

Always Up (Keep Alive) – When enabled, if the user selects this option, the FortiClient connection will not shut down. When not selected, during periods of inactivity, FortiClient will attempt to stay connected every three minutes for a maximum of 10 minutes.

Endpoint Registration              When selected, the FortiGate unit requests a registration key from FortiCli- ent before a connection can be established. A registration key is defined by going to System > Advanced.

For more information on FortiClient VPN connections to a FortiGate unit, see the FortiClient Administration Guide.

DNS Server                                 Select which DNS server to use for this VPN:

Use System DNS — Use the same DNS servers as the FortiGate unit. These are configured at Network > DNS. This is the default option. Specify — Specify the IP address of a different DNS server.

This entry was posted in FortiOS 5.4 Handbook and tagged , on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.