To define the Phase 1 parameters
1. Go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button).
3. Enter the following information, and select OK:
Name: todialups
Remote Gateway: Dialup User
Local Interface: Port 1
Mode: Main
Authentication Method: Preshared Key
Pre-shared Key: hardtoguess
Peer Options: Any peer ID
Advanced: Select
To define the Phase 2 parameters
1. Open the Phase 2 Selectors panel.
2. Select Advanced, enter the following information, and select OK:
Name: td_2
Phase 1: todialups
Advanced: DHCP-IPsec
To define the firewall addresses
1. Go to Policy & Objects > Addresses.
2. Select Create New, enter the following information, and select OK:
Name: internal_net
Type: Subnet
Subnet/IP Range: 10.11.101.0/24
Interface: Port 2
3. Select Create New, enter the following information, and select OK:
Name: dialups
Type: IP Range
Subnet/IP Range: 10.254.254.1-10.254.254.10
Interface: todialups for a route-based VPN, or Any for a policy-based VPN
The security policies for route-based and policy-based VPNs are described in separate sections below.
To define security policies – route-based VPN
1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
3. Enter the following information, and select OK:
Incoming Interface: todialups
Source Address: dialups
Outgoing Interface: Port 2
Destination Address: internal_net
Action: ACCEPT
Enable NAT: Disable
4. Select Create New.
5. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
6. Enter the following information, and select OK:
Incoming Interface: Port 2
Source Address: internal_net
Outgoing Interface: todialups
Destination Address: dialups
Action: ACCEPT
Enable NAT: Disable
7. Select Create New.
8. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
9. Enter the following information, and select OK:
Incoming Interface: Port 2
Source Address: internal_net
Outgoing Interface: todialups
Destination Address: all
Service: DHCP
Action: ACCEPT
Enable NAT: Disable
10. Place these policies in the policy list above any other policies having similar source and destination addresses. The DHCP policy from step 9 is required for DHCP to function properly for policy-based VPNs. You can omit that policy if you change the Destination Address of the previous policy (step 6) to all. Route-based policies are not affected by this.
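The same route-based configuration (Phase 1, Phase 2, the two address objects and the three policies) entered from the FortiOS CLI, as an added example that is not part of the original page. It uses the names and addresses from the steps above; it assumes that Port 1 and Port 2 are named port1 and port2 in the CLI, leaves the IKE and IPsec proposals at their defaults, and keeps hardtoguess as the page's sample pre-shared key.

```fortios
# Phase 1: dialup (dynamic) gateway on port1, main mode (IKEv1), PSK, any peer ID
config vpn ipsec phase1-interface
    edit "todialups"
        set type dynamic
        set interface "port1"
        set ike-version 1
        set mode main
        set peertype any
        set psksecret hardtoguess
    next
end

# Phase 2 bound to the Phase 1 above, with DHCP over IPsec (the "Advanced: DHCP-IPsec" setting)
config vpn ipsec phase2-interface
    edit "td_2"
        set phase1name "todialups"
        set dhcp-ipsec enable
    next
end

# Address objects: the internal subnet behind port2 and the dialup client range on the tunnel
config firewall address
    edit "internal_net"
        set subnet 10.11.101.0 255.255.255.0
        set associated-interface "port2"
    next
    edit "dialups"
        set type iprange
        set start-ip 10.254.254.1
        set end-ip 10.254.254.10
        set associated-interface "todialups"
    next
end

# Route-based policies; "edit 0" makes FortiOS assign the next free policy ID
config firewall policy
    edit 0
        set srcintf "todialups"
        set dstintf "port2"
        set srcaddr "dialups"
        set dstaddr "internal_net"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 0
        set srcintf "port2"
        set dstintf "todialups"
        set srcaddr "internal_net"
        set dstaddr "dialups"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    # DHCP policy (step 9): destination "all", service DHCP
    edit 0
        set srcintf "port2"
        set dstintf "todialups"
        set srcaddr "internal_net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DHCP"
        set nat disable
    next
end
```

Policy order matters for step 10: `show firewall policy` lists the IDs that were assigned, and inside `config firewall policy` the command `move <id> before <id>` places these entries above any existing policy that matches similar addresses.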
To define the security policy – policy-based VPN
1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Enter the following information, and select OK:
Incoming Interface: Port 2
Source Address: internal_net
Outgoing Interface: Port 1
Destination Address: dialups
VPN Tunnel: Select Use Existing and select todialups from the drop-down list.
Allow traffic to be initiated from the remote site: Enable
3. Place the policy in the policy list above any other policies having similar source and destination addresses.
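The policy-based variant from the FortiOS CLI, as an added example that is not part of the original page: the tunnel is defined in the phase1/phase2 tables rather than the -interface tables, and a single policy with action ipsec replaces the three ACCEPT policies of the route-based section. It assumes a FortiOS release that still supports policy-based IPsec, that Port 1 and Port 2 are named port1 and port2 in the CLI, and that the internal_net and dialups address objects from the address steps above already exist (with dialups bound to interface Any, as the page specifies for policy-based VPNs).

```fortios
# Phase 1 for a policy-based tunnel: same settings as the GUI table, no -interface suffix
config vpn ipsec phase1
    edit "todialups"
        set type dynamic
        set interface "port1"
        set ike-version 1
        set mode main
        set peertype any
        set psksecret hardtoguess
    next
end

# Phase 2 with DHCP over IPsec enabled
config vpn ipsec phase2
    edit "td_2"
        set phase1name "todialups"
        set dhcp-ipsec enable
    next
end

# One IPsec policy: traffic between internal_net (port2) and dialups (via port1)
# is sent through "todialups"; inbound enable is the GUI's
# "Allow traffic to be initiated from the remote site"
config firewall policy
    edit 0
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "internal_net"
        set dstaddr "dialups"
        set action ipsec
        set vpntunnel "todialups"
        set inbound enable
        set outbound enable
        set schedule "always"
        set service "ALL"
    next
end
```

As with the route-based policies, use `move <id> before <id>` inside `config firewall policy` so this entry sits above any other policy with similar source and destination addresses (step 3).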