FortiClient dialup-client configurations

Configure the FortiClient Endpoint Security application

The following procedure explains how to configure the FortiClient Endpoint Security application to communicate with a remote FortiGate dialup server using the VIP address that you specify manually. These procedures are based on FortiClient 5.4.


Configuring FortiClient

This procedure explains how to configure the FortiClient application manually using the default IKE and IPsec settings. For more information, refer to the FortiClient Administration Guide.


To create a FortiClient VPN configuration

1. Go to Remote Access and select the down-arrow for the VPN connection.

2. Select Add new connection and complete the following information:

VPN Type: Select IPsec VPN.
Connection Name: Enter a descriptive name for the connection.
Remote Gateway: Enter the IP address or the fully qualified domain name (FQDN) of the remote gateway.
Authentication Method: Select Preshared Key.
Preshared Key: Enter the pre-shared key.
User Name: Enter the user name to connect to the tunnel.

3. Select OK.


Adding XAuth authentication

Extended Authentication (XAuth) increases security by requiring additional user authentication in a separate exchange at the end of the VPN Phase 1 negotiation. The FortiGate unit challenges the user for a user name and password. It then forwards the user’s credentials to an external RADIUS or LDAP server for verification.

Implementation of XAuth requires configuration at both the FortiGate unit and the FortiClient application. For information about configuring a FortiGate unit as an XAuth server, see Phase 1 parameters on page 1624. The following procedure explains how to configure the FortiClient application.

Note that XAuth is not compatible with IKE version 2.

For more information on configuring XAuth authentication, see the FortiClient Administration Guide.


FortiClient dialup-client configuration example

This example demonstrates how to set up a FortiClient dialup-client IPsec VPN that uses preshared keys for authentication purposes. In the example configuration, the DHCP over IPsec feature is enabled in the FortiClient Endpoint Security application so that the FortiClient Endpoint Security application can acquire a VIP address through the FortiGate DHCP server. Both route-based and policy-based solutions are covered.


Example FortiClient dialup-client configuration

(Figure: forticlient-dialup-client-config. The network diagram is not reproduced in this text.)

In the example configuration:

  • VIP addresses that are not commonly used (in this case, 10.254.254.0/24) are assigned to the FortiClient dialup clients using a DHCP server.
  • The dialup clients have access to the LAN behind FortiGate_1.
  • The other network devices are assigned IP addresses as shown above.


Configuring FortiGate_1

When a FortiGate unit receives a connection request from a dialup client, it uses IPsec Phase 1 parameters to establish a secure connection and authenticate the client. Then, if the security policy permits the connection, the FortiGate unit establishes the tunnel using IPsec Phase 2 parameters and applies the IPsec security policy. Key management, authentication, and security services are negotiated dynamically through the IKE protocol.

To support these functions, the following general configuration steps must be performed at the FortiGate unit:

  • Define the Phase 1 parameters that the FortiGate unit needs to authenticate the dialup clients and establish a secure connection. See To define the Phase 1 parameters on page 1712.
  • Define the Phase 2 parameters that the FortiGate unit needs to create a VPN tunnel and enable all dialup clients having VIP addresses on the 10.254.254.0/24 network to connect using the same tunnel definition. See To define the Phase 2 parameters on page 1712.
  • Create a security policy to control the permitted services and permitted direction of traffic between the IP source address and the dialup clients. See To define the firewall addresses on page 1712.
  • Configure the FortiGate unit to service DHCP requests from dialup clients. See Configuring the FortiClient Endpoint Security application on page 1714.
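The four FortiGate_1 steps above, rendered as a FortiOS 5.4 CLI configuration. This is an added illustration, not configuration from the handbook or from Fortinet: the interface names wan1 and internal, the user group vpn_users, the tunnel name FortiClient_dialup, the policy and address names, the 60-second lease hold and the key placeholder are all assumptions, the line beginning with # is a note rather than CLI input, and attribute names follow the FortiOS 5.4 CLI as recalled here and should be checked against the CLI Reference for your build. IKE version is left at its default of 1 because XAuth does not work with IKEv2.

```text
# Constructed example: Phase 1 with XAuth, Phase 2 with DHCP over IPsec, DHCP server, address, policy
config vpn ipsec phase1-interface
    edit "FortiClient_dialup"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set proposal aes256-sha256
        set dhgrp 14
        set xauthtype auto
        set authusrgrp "vpn_users"
        set psksecret <PRESHARED_KEY_PLACEHOLDER>
    next
end
config vpn ipsec phase2-interface
    edit "FortiClient_dialup_p2"
        set phase1name "FortiClient_dialup"
        set proposal aes256-sha256
        set dhcp-ipsec enable
    next
end
config system dhcp server
    edit 1
        set interface "FortiClient_dialup"
        set netmask 255.255.255.0
        set ipsec-lease-hold 60
        config ip-range
            edit 1
                set start-ip 10.254.254.1
                set end-ip 10.254.254.254
            next
        end
    next
end
config firewall address
    edit "dialup_clients"
        set subnet 10.254.254.0 255.255.255.0
    next
end
config firewall policy
    edit 0
        set srcintf "FortiClient_dialup"
        set dstintf "internal"
        set srcaddr "dialup_clients"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The policy above admits only traffic sourced from the 10.254.254.0/24 VIP range on the tunnel interface; restrict dstaddr and service to what the dialup clients actually need rather than leaving them at all.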
