IPsec VPN in the web-based manager

FortiClient VPN

Use the FortiClient VPN for OS X, Windows, and Android VPN Wizard option when configuring an IPsec VPN for remote users to connect to the VPN tunnel using FortiClient.

When you configure a FortiClient VPN connection, the Phase 1 and Phase 2 settings are configured automatically by the FortiGate unit. They are set to:

- Remote Gateway — Dialup User
- Mode — Aggressive
- Default settings for Phase 1 and Phase 2 Proposals
- XAUTH — Enable as Server (Auto)
- IKE mode-config — enabled
- Peer Option — “Any peer ID”

The remainder of the settings use the current FortiGate defaults. Note that FortiClient settings need to match these FortiGate defaults. If you need to configure advanced settings for the FortiClient VPN, you must do so using the CLI.

Name: Enter a name for the FortiClient VPN.
Local Outgoing Interface: Select the local outgoing interface for the VPN.
Authentication Method: Select the type of authentication used when logging in to the VPN.
Preshared Key: If Pre-shared Key was selected as the Authentication Method, enter the pre-shared key in the field provided.
User Group: Select a user group. You can also create a user group from the drop-down list by selecting Create New.
Address Range Start IP: Enter the start IP address of the DHCP address range for the clients.
Address Range End IP: Enter the end IP address of the address range.
Subnet Mask: Enter the subnet mask.
Enable IPv4 Split Tunnel: Enabled by default. With split tunneling, the FortiClient user reaches internal resources through the VPN while other Internet traffic is not sent over the VPN, which alleviates potential traffic bottlenecks in the VPN connection. Disable this option to send all traffic through the VPN tunnel.
Accessible Networks: Select from a list of internal networks that the FortiClient user can access.
Client Options: These options affect how the FortiClient application behaves when connected to the FortiGate VPN tunnel. When an option is enabled here, a check box for it appears on the VPN login screen in FortiClient; the check box is cleared by default.

Save Password – When enabled, if the user selects this option, their password is stored on the user’s computer and automatically populates the password field each time they connect to the VPN.

Auto Connect – When enabled, if the user selects this option, FortiClient automatically attempts to connect to the VPN tunnel whenever the FortiClient application is launched, for example after a reboot or system startup.

Always Up (Keep Alive) – When enabled, if the user selects this option, the FortiClient connection will not shut down. When not selected, during periods of inactivity FortiClient will attempt to stay connected every three minutes for a maximum of 10 minutes.

Endpoint Registration: When selected, the FortiGate unit requests a registration key from FortiClient before a connection can be established. The registration key is defined at System > Advanced.

For more information on FortiClient VPN connections to a FortiGate unit, see the FortiClient Administration Guide.

DNS Server: Select which DNS server to use for this VPN:

- Use System DNS — Use the same DNS servers as the FortiGate unit. These are configured at Network > DNS. This is the default option.
- Specify — Specify the IP address of a different DNS server.
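The settings the wizard applies, written out as the equivalent FortiOS CLI configuration for the cases where the guide says advanced settings must be set in the CLI. This is an added example, not part of the Fortinet guide; the interface, user group, address range, address object and DNS server in it are assumed placeholders, and the comment lines are for the reader.

```fortios
# Added example (not the guide's own text): the CLI equivalent of what the
# FortiClient VPN wizard configures. The interface, user group, address range,
# address object and DNS server below are assumed placeholders.
config vpn ipsec phase1-interface
    edit "FortiClient_VPN"
        # Remote Gateway: Dialup User, on the Local Outgoing Interface
        set type dynamic
        set interface "wan1"
        # Mode: Aggressive, Peer Option: Any peer ID (the wizard defaults)
        set mode aggressive
        set peertype any
        # XAUTH enabled as server (Auto), authenticating against the User Group
        set xauthtype auto
        set authusrgrp "VPN_Users"
        # IKE mode-config hands out the Address Range, Subnet Mask and DNS
        set mode-cfg enable
        set ipv4-start-ip 10.212.134.200
        set ipv4-end-ip 10.212.134.210
        set ipv4-netmask 255.255.255.0
        # DNS Server: Specify (omit this line to use the FortiGate system DNS)
        set ipv4-dns-server1 10.0.0.53
        # Enable IPv4 Split Tunnel: only the Accessible Networks address object
        # is routed through the VPN; omit this line to send all traffic through it
        set ipv4-split-include "Internal_LAN"
        # Client Options offered on the FortiClient login screen
        set save-password enable
        set client-auto-negotiate enable
        set client-keep-alive enable
        # Authentication Method: Pre-shared Key
        set psksecret "<replace-with-strong-preshared-key>"
    next
end
config vpn ipsec phase2-interface
    edit "FortiClient_VPN"
        set phase1name "FortiClient_VPN"
        # Phase 1 and Phase 2 proposals stay at the FortiGate defaults, as with the wizard
    next
end
```

The wizard also creates the firewall address object for the client range and the policy that allows tunnel traffic to the internal network; those objects are not shown here and must be added separately when configuring by hand.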

Concentrator

In a hub-and-spoke configuration, policy-based VPN connections to a number of remote peers radiate from a single, central FortiGate unit. Site-to-site connections between the remote peers do not exist; however, you can establish VPN tunnels between any two of the remote peers through the FortiGate unit’s “hub”.

In a hub-and-spoke network, all VPN tunnels terminate at the hub. The peers that connect to the hub are known as “spokes”. The hub functions as a concentrator on the network, managing all VPN connections between the spokes. VPN traffic passes from one tunnel to the other through the hub.

You define a concentrator to include spokes in the hub-and-spoke configuration. To create the concentrator, go to VPN > IPsec Concentrator and select Create New. A concentrator configuration specifies which spokes to include in an IPsec hub-and-spoke configuration.

Concentrator Name: Type a name for the concentrator.
Available Tunnels: A list of defined IPsec VPN tunnels. Select a tunnel from the list and then select the right arrow to add it to the concentrator.
Members: A list of tunnels that are members of the concentrator. To remove a tunnel from the concentrator, select the tunnel and then select the left arrow.

IPsec Monitor

You can use the IPsec Monitor to view activity on IPsec VPN tunnels and start or stop those tunnels. The display provides a list of addresses, proxy IDs, and timeout information for all active tunnels, including tunnel mode and route-based (interface mode) tunnels.

To view the IPsec monitor, go to Monitor > IPsec Monitor.

A tunnel is considered “up” if at least one Phase 2 selector is active. To avoid confusion, when a tunnel is down the IPsec Monitor keeps the Phase 2 Selectors column but hides it by default and shows the Phase 1 Status column in its place.

For dialup VPNs, the list provides status information about the VPN tunnels established by dialup clients, and their IP addresses.

For static IP or dynamic DNS VPNs, the list provides status and IP addressing information about VPN tunnels, active or not, to remote peers that have static IP addresses or domain names. You can also start and stop individual tunnels from the list.

Timeout field on the IPsec Monitor page

The Timeout field in Monitor > IPsec Monitor shows the real-time timeout value for each VPN tunnel that is Up (tunnels that are Down show a timeout value of 0).


This entry was posted in Administration Guides, FortiGate, FortiOS 6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
