FortiWLC – Configuring VPN Connections

Configuring VPN Connections

In System Director version 5.2 and later, supported APs can be configured to connect to the corporate controller over a VPN connection, providing secure wireless service at a remote site. This is particularly useful for telecommuting: a user can take an AP that has been configured for VPN access to another Internet-accessible location and quickly set up a secure link back to the corporate network. In the VPN implementation, the controller acts as a TLS/SSL VPN server while the APs act as TLS/SSL VPN clients.

To configure an AP for VPN access, it must first be connected to the corporate network so that it is populated into the controller AP table. The AP’s secure VPN connection requires a security certificate, which comes pre-installed on some models, while on others it must be installed by the user. The following sections provide instructions on how to configure a VPN connection and add APs for VPN access.

VPN functionality is currently available on the AP110, AP332e, AP332i, AP832, 822, FAP-U421EV, FAP-U423EV and AP1014i models, and is supported on all physical and virtual controllers.

Activating Controller Certificates for VPN

If a certificate has already been installed on the controller (i.e., for Captive Portal access—see “Sample Certificates Returned by CA (Server, Intermediate, and Root) Generate a CSR on a Controller” on page 243), the same certificate can be used for VPN access; however, it must be configured for this use before it will allow VPN connections.

To enable a certificate for VPN use:

  1. From the WebUI, navigate to Configuration > Certificates > Controller Certificates. The Controller Certificates table appears.
  2. Select the desired certificate and click Used By…. A list of applications will appear.

  3. Click VPN to enable the certificate for VPN use.
  4. A dialog message will appear stating that you need to execute a command from the CLI to load the changes. Execute the command by performing the following:
    • Click the WebTerm link in the upper-right portion of the WebUI.
    • Log in using your controller credentials.
    • Type reload-vpn and press Enter. The VPN service will relaunch.

Now that the controller certificate has been added, it is recommended that you add and install all required AP security certificates as well. Following this sequence of events will provide best VPN results. See “AP Certificates” on page 246 for instructions on installing AP certificates.

Configuring the VPN

Prior to configuring specific APs, the system administrator must first configure the VPN connection settings on the controller.

To configure the VPN:

  1. From the WebUI, navigate to Configuration > Security > VPN Server. The VPN Configuration screen appears.

Figure 50: Configuring the VPN

  2. Enter the desired configuration for the VPN server. Refer to the following table for details:

| Field | Description |
|---|---|
| Status | Can be set to Enable or Disable. When enabled, the VPN Server will be active. By default, this is disabled. |
| VPN Server IP/Name | Enter an IP address or DNS name to be used by the VPN server. |
| VPN Server Port | Enter the port to be used for VPN communications. By default, the value is set to 1194. |
| IP Pool | Enter the IP range that can be used by the VPN server (in standard notation). |
| Netmask | Enter the netmask for the VPN server (in standard notation). |

Note: Be sure that the IP from which you are accessing the controller (i.e., your current machine’s IP address) is not included in the IP Pool range. If it is, your local connection will be terminated once VPN is enabled.

Note: The IP address is reserved by the controller and cannot fall within the VPN range specified.

  3. Click OK to save the changes. The controller is now configured for VPN service.
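
The lockout described in the IP Pool note can be caught before the VPN server is enabled. The following check is an added example, not part of the original guide or of any Fortinet tooling; it assumes the pool is written either as first-last or in CIDR form, and the function names and sample addresses are constructed for illustration.

```python
import ipaddress

def parse_pool(pool: str):
    """Return (first, last) IPv4 addresses of a pool written as 'a-b' or CIDR."""
    if "-" in pool:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in pool.split("-", 1))
    else:
        net = ipaddress.IPv4Network(pool.strip(), strict=False)
        lo, hi = net.network_address, net.broadcast_address
    if lo > hi:
        raise ValueError(f"pool start {lo} is above pool end {hi}")
    return lo, hi

def pool_conflicts(pool: str, protected: dict) -> list:
    """List the labelled addresses in `protected` that fall inside the pool."""
    lo, hi = parse_pool(pool)
    hits = []
    for label, addr in protected.items():
        ip = ipaddress.IPv4Address(addr)
        if lo <= ip <= hi:
            hits.append(f"{label} {ip} is inside VPN pool {lo}-{hi}")
    return hits

# Constructed sample values: the machine used to reach the WebUI, plus any
# address the controller itself uses (assumed; supply your own list).
PROTECTED = {
    "admin workstation": "10.20.0.57",
    "controller": "10.20.0.2",
}

if __name__ == "__main__":
    for pool in ("10.20.0.50-10.20.0.99", "10.20.8.0/24"):
        problems = pool_conflicts(pool, PROTECTED)
        print(pool, "->", problems or "no conflicts")
```

An empty result means none of the listed addresses would be handed out by the VPN server; any entry returned should be resolved before setting Status to Enable.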

Adding VPN APs

Once the VPN server is configured, APs can be added for VPN access. To do so, follow the steps below.

  1. From the VPN screen (Configuration > Security > VPN Server), click the VPN APs tab. The screen refreshes. See Figure 51.

Figure 51: Selecting VPN APs

  2. Check the box alongside the AP(s) that shall be configured for VPN access and click Next to proceed to the Activate tab.

The new table displays the VPN-readiness of the selected APs. If your AP already has a security certificate installed, the table will indicate that no further action is required. However, if any of the selected APs require a certificate to be installed, the Action Required column will provide a link that navigates automatically to the Certificates screen where you can install one for it. Figure 52 shows two APs, one which has already had a certificate configured and one which requires additional steps.

Figure 52: Activation Table

  3. When all APs have “No Action Required” in the Action Required column, you are ready to activate the VPN devices. Click Activate to proceed to the VPN Status tab. The APs should automatically appear and are now ready to be deployed.

The show vpn-ap CLI command can be used to view the APs currently configured for VPN access.

This command can be executed from the WebTerm link in the upper-right portion of the WebUI.

Configuring VPN Client Connections

In addition to allowing VPN AP connections, FortiWLC (SD) can be configured to use VPN connectivity to its E(z)RF Network Manager as well. In this configuration, the Network Manager appliance acts as a VPN server and the controller acts as a client. Note that this must also be configured on the Network Manager appliance for full VPN communication.

To configure a VPN Client connection:

  1. From the FortiWLC (SD) WebUI, navigate to Configuration > Security > VPN Client.
  2. Use the State drop-down to select Enable.

  3. In the VPN Server IP address field, enter the IP of your Network Manager appliance. Note that VPN must be configured on the Network Manager device prior to attempting to associate VPN controllers with it.
  4. In the VPN Server Port field, enter the port used for VPN service. By default, this is 1194.
  5. Click OK to save the changes.
