IPsec VPN and SSL VPN
FortiClient supports both IPsec and SSL VPN connections to your network for remote access. You can provision client VPN connections in the FortiClient Profile or configure new connections in the FortiClient console.
This section describes how to configure remote access.
Add a new connection
Select Configure VPN in the FortiClient console to add a new VPN configuration.
Create a new SSL VPN connection
To create a new SSL VPN connection, select Configure VPN or use the drop-down menu in the FortiClient console.
Select SSL-VPN, then configure the following settings:
Connection Name |
Enter a name for the connection. |
Description |
Enter a description for the connection. (optional) |
Remote Gateway |
Enter the IP address/hostname of the remote gateway. Multiple remote gateways can be configured by separating each entry with a semicolon. If one gateway is not available, the VPN will connect to the next configured gateway. |
Customize port |
Select to change the port. The default port is 443. |
Authentication |
Select to prompt on login, or save login. The option to disable is available when Client Certificate is enabled. |
Username |
If you selected to save login, enter the username in the dialog box. |
Client Certificate |
Select to enable client certificates, then select the certificate from the dropdown list. |
Do not Warn Invalid Server Certificate |
Select if you do not want to be warned when the server presents an invalid certificate. Leave this cleared in production: with the warning suppressed the client proceeds against any gateway whose certificate fails validation, which removes the only signal the user has that the gateway may be impersonated. |
Add |
Select the add icon to add a new connection. |
Delete |
Select a connection and then select the delete icon to delete a connection. |
Select Apply to save the VPN connection, then select Close to return to the Remote Access screen.
Create a new IPsec VPN connection
To create a new IPsec VPN connection, select Configure VPN or use the drop-down menu in the FortiClient console.
Select IPsec VPN, then configure the following settings:
Remote Gateway |
Enter the IP address/hostname of the remote gateway. Multiple remote gateways can be configured by separating each entry with a semicolon. If one gateway is not available, the VPN will connect to the next configured gateway. |
Authentication Method |
Select either X.509 Certificate or Pre-shared Key in the dropdown menu. |
Authentication (XAuth) |
Select to prompt on login, save login, or disable. |
Username |
If you selected save login, enter the username in the dialog box. |
Advanced Settings |
Configure VPN settings, Phase 1, and Phase 2 settings. |
VPN Settings |
|
Mode |
Select one of the following:
- Main: In Main mode, the phase 1 parameters are exchanged in multiple rounds with encrypted authentication information.
- Aggressive: In Aggressive mode, the phase 1 parameters are exchanged in a single message with authentication information that is not encrypted. Although Main mode is more secure, you must select Aggressive mode if there is more than one dialup phase 1 configuration for the interface IP address and the remote VPN peer or client is authenticated using an identifier (local ID). With a pre-shared key, that unencrypted exchange lets anyone on the path capture the peer ID and a hash derived from the PSK and guess the PSK offline, so use a long random PSK or certificate authentication when Aggressive mode is unavoidable. |
Options |
Select one of the following:
- Mode Config: IKE Mode Config can configure host IP address, Domain, DNS and WINS addresses.
- Manually Set: Manual key configuration. If one of the VPN devices is manually keyed, the other VPN device must also be manually keyed with the identical authentication and encryption keys. Enter the DNS server IP, assigned IP address, and subnet values. Select the check box to enable split tunneling.
- DHCP over IPsec: DHCP over IPsec can assign an IP address, Domain, DNS and WINS addresses. Select the check box to enable split tunneling. |
Phase 1 |
|
Select the encryption and authentication algorithms used to generate keys for protecting negotiations and add encryption and authentication algorithms as required.
You need to select a minimum of one and a maximum of two combinations. The remote peer or client must be configured to use at least one of the proposals that you define. |
|
IKE Proposal |
Select symmetric-key algorithms (encryption) and message digests (authentication) from the drop-down lists. |
|
DH Group |
Select one or more Diffie-Hellman groups from DH group 1, 2, 5 and 14. At least one of the DH Group settings on the remote peer or client must match one of the selections on the FortiGate unit. Failure to match one or more DH groups will result in failed negotiations. Groups 1 and 2 (768-bit and 1024-bit MODP) are too small for current use; prefer group 14 wherever the gateway supports it. |
|
Key Life |
Enter the time (in seconds) that must pass before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The key life can be from 120 to 172,800 seconds. |
|
Local ID |
Enter the Local ID (optional). This Local ID value must match the peer ID value given for the remote VPN peer’s Peer Options. |
|
Dead Peer Detection |
Select this check box to reestablish VPN tunnels on idle connections and clean up dead IKE peers if required. |
|
NAT Traversal |
Select the check box if a NAT device exists between the client and the local FortiGate unit. The client and the local FortiGate unit must have the same NAT traversal setting (both selected or both cleared) to connect reliably. |
Phase 2 |
|
Select the encryption and authentication algorithms that will be proposed to the remote VPN peer. You can specify up to two proposals. To establish a VPN connection, at least one of the proposals that you specify must match configuration on the remote peer. |
|
IKE Proposal |
Select symmetric-key algorithms (encryption) and message digests (authentication) from the drop-down lists. |
Key Life |
The Key Life setting sets a limit on the length of time that a phase 2 key can be used. The default units are seconds. Alternatively, you can set a limit on the number of kilobytes (KB) of processed data, or both. If you select both, the key expires when either the time has passed or the number of KB have been processed. When the phase 2 key expires, a new key is generated without interrupting service. |
Enable Replay Detection |
Replay detection makes the unit track the sequence number of every IPsec packet it receives and discard any packet whose sequence number it has already seen or that falls outside the anti-replay window, so captured packets cannot be re-injected into the tunnel. |
Enable Perfect Forward Secrecy (PFS) |
Select the check box to enable Perfect Forward Secrecy (PFS). PFS forces a new Diffie-Hellman exchange when the tunnel starts and whenever the phase 2 key life expires, causing a new key to be generated each time. |
DH Group |
Select one Diffie-Hellman (DH) group (1, 2, 5 or 14). This must match the DH Group that the remote peer or dialup client uses. |
Add |
Select the add icon to add a new connection. |
Delete |
Select a connection and then select the delete icon to delete a connection. |
Select Apply to save the VPN connection, then select Close to return to the Remote Access screen.
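The Phase 1 and Phase 2 tables above state three rules: one or two proposals per phase, a key life between 120 and 172,800 seconds, and at least one proposal and one DH group that the gateway also offers. The following Python script is an added example, not FortiClient or FortiOS code, that checks a client configuration against those rules and then runs the matching logic against a gateway. The gateway settings and the "weak" algorithm and DH group lists are constructed for the example; FortiOS keeps no such list, and the field names are the editor's own.

```python
"""Pre-flight check for FortiClient IPsec Phase 1 / Phase 2 settings.

Added example, not FortiClient or FortiOS code. It applies the rules stated
above: one or two proposals per phase, an IKE key life of 120-172,800 s, and
at least one proposal and one DH group in common with the gateway. The
gateway settings and the weak-algorithm lists are constructed for the
example; FortiOS has no such "weak" list of its own.
"""
from dataclasses import dataclass

KEYLIFE_MIN, KEYLIFE_MAX = 120, 172_800
WEAK_DH_GROUPS = {1, 2}           # assumption: 768/1024-bit MODP, reject today
WEAK_ALGORITHMS = {"des", "md5"}  # assumption: never propose these


@dataclass(frozen=True)
class Proposal:
    encryption: str      # symmetric cipher, e.g. "aes256"
    authentication: str  # message digest, e.g. "sha256"


@dataclass
class Phase:
    proposals: list      # 1 or 2 Proposal objects, tried in order
    dh_groups: set       # DH groups offered, e.g. {14, 5}
    key_life: int        # seconds


def validate_phase(phase, label):
    """Return the list of rule violations for one phase (empty = OK)."""
    problems = []
    if not 1 <= len(phase.proposals) <= 2:
        problems.append(f"{label}: {len(phase.proposals)} proposals, need 1 or 2")
    if not KEYLIFE_MIN <= phase.key_life <= KEYLIFE_MAX:
        problems.append(f"{label}: key life {phase.key_life}s outside "
                        f"{KEYLIFE_MIN}-{KEYLIFE_MAX}s")
    for group in sorted(phase.dh_groups & WEAK_DH_GROUPS):
        problems.append(f"{label}: DH group {group} is too weak")
    for proposal in phase.proposals:
        for alg in (proposal.encryption, proposal.authentication):
            if alg in WEAK_ALGORITHMS:
                problems.append(f"{label}: {alg} is too weak")
    return problems


def negotiate(client, gateway):
    """Apply the matching rule: the first client proposal the gateway also
    offers, plus the DH groups both sides share. None means no tunnel."""
    common_groups = client.dh_groups & gateway.dh_groups
    if not common_groups:
        return None
    for proposal in client.proposals:
        if proposal in gateway.proposals:
            return proposal, common_groups
    return None


def preflight(client_p1, client_p2, gateway_p1, gateway_p2):
    """Validate the client side, then test both phases against the gateway."""
    report = {"problems": validate_phase(client_p1, "phase1")
                          + validate_phase(client_p2, "phase2")}
    for label, client, gateway in (("phase1", client_p1, gateway_p1),
                                   ("phase2", client_p2, gateway_p2)):
        report[label] = negotiate(client, gateway)
        if report[label] is None:
            report["problems"].append(
                f"{label}: no proposal and DH group in common with the gateway")
    return report


# Constructed sample: the client offers a strong proposal first and a legacy
# fallback second; the gateway only accepts the strong one with group 14.
CLIENT_P1 = Phase([Proposal("aes256", "sha256"), Proposal("3des", "sha1")], {14, 5}, 86400)
CLIENT_P2 = Phase([Proposal("aes256", "sha256")], {14}, 43200)
GATEWAY_P1 = Phase([Proposal("aes256", "sha256")], {14}, 86400)
GATEWAY_P2 = Phase([Proposal("aes256", "sha256")], {14}, 43200)

if __name__ == "__main__":
    result = preflight(CLIENT_P1, CLIENT_P2, GATEWAY_P1, GATEWAY_P2)
    print("phase1 match:", result["phase1"])
    print("phase2 match:", result["phase2"])
    for problem in result["problems"] or ["no problems found"]:
        print("-", problem)
```

The order of the client's proposals matters: the first one the gateway accepts wins, so put the strongest proposal first and treat a legacy fallback as a deliberate, documented choice rather than a default.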
Provision client VPN connections
You can provision client VPN connections in the FortiClient Profile for registered clients.
FortiGate VPN provisioning
Provision a client VPN in the FortiClient Profile:
- Log in to your FortiGate device.
- In the left tree menu, select Security Profiles > FortiClient Profiles.
- Select the FortiClient profile and select Edit from the toolbar.
- Select the VPN
- Turn on VPN and Client VPN Provisioning.
- Configure the following:
IPsec VPN |
Configure remote gateway and authentication settings for IPsec VPN. |
SSL-VPN |
Configure remote gateway and access settings for SSL VPN. |
Auto-connect when Off-Net |
Turn on to connect automatically when the endpoint is off-net, then configure the following:
- VPN Name: Select a VPN from the list.
- Prevent VPN Disconnect: Turn on to prevent users from disconnecting while the VPN is connected.
- Captive Portal Support: Turn on to enable support for captive portals. |
VPN before Windows logon |
Enable VPN connection before Windows log on. |
- Select Apply to save the profile.
The FortiGate will send the FortiClient Profile configuration update to registered clients.
When registered to a FortiGate, VPN settings are enabled and configured in the FortiClient Profile.
Alternatively, you can provision a client VPN using the advanced VPN FortiClient Profile options in FortiGate. For more information, see the FortiClient XML Reference and the CLI Reference for FortiOS.
EMS VPN provisioning
Provision a client VPN in the FortiClient Profile:
- Log in to EMS.
- Go to Endpoint Profiles and either select a profile to edit, or create a new profile.
- Select the VPN
- Select the on/off button to enable VPN.
- Configure the following settings:
Allow Personal VPN |
Select to enable personal VPN connections |
Disable Connect/Disconnect |
Select to remove the Connect/Disconnect control so that users cannot disconnect while the VPN is connected. |
Show VPN Before Logon |
Enable VPN connection before Windows log on, and select from the following options:
- Use Legacy VPN Before Logon
- Use Windows Credentials |
Local Computer Windows Store Certificates (IPsec only) |
Select to enable certificates from the local computer Windows certificate store (IPsec only). |
Current User Windows Store Certificates (IPSec only) |
Select to enable current user Windows store certificates (IPsec only). |
Auto-connect only when Off-Net |
Turn on to connect automatically only when the endpoint is off-net. |
Add VPN Tunnel |
Select to add a VPN tunnel, then enter the following information:
- VPN Name: Enter the VPN name.
- Type: Select the type of VPN tunnel, either SSL VPN or IPsec VPN.
- Remote Gateway: Enter the remote gateway IP address or hostname.
- Require Certificate: Turn on to require a certificate (SSL VPN only).
- Access Port: Enter the access port number (SSL VPN only).
- Authentication Method: Select the authentication method, either Pre-shared Key or Certificate (IPsec VPN only).
- Pre-Shared Key: Enter the pre-shared key (IPsec VPN with pre-shared key only).
- Advanced Configuration |
- Select Save to save your changes.
Connect to a VPN
To connect to a VPN, select the VPN connection from the drop-down menu. Enter your username, password, and select the Connect button.
Optionally, you can click on the system tray, right-click the FortiClient icon and select the VPN connection you want to connect to.
You can also edit or delete an existing VPN connection from the drop-down menu.
When connected, the console will display the connection status, duration, and other relevant information. You can now browse your remote network. Select the Disconnect button when you are ready to terminate the VPN session.
Save Password, Auto Connect, and Always Up
When configuring a FortiClient IPsec or SSL VPN connection on your FortiGate/EMS, you can select to enable the following features:
- Save Password: Allows the user to save the VPN connection password in the console. The saved credential lives on the endpoint and is usable by anyone who controls that endpoint, so keep this disabled unless a second factor (see FortiToken and FortiClient VPN below) is also required.
- Auto Connect: When FortiClient is launched, the VPN connection will automatically connect.
- Always Up (Keep Alive): When selected, the VPN connection is always up even when no data is being processed. If the connection fails, keep-alive packets sent to the FortiGate will sense when the VPN connection is available and re-connect.
When enabled in the FortiGate configuration, once the FortiClient is connected to the FortiGate, the client will receive these configuration options.
For FortiClient VPN configurations, once these features are enabled they can only be changed from the FortiOS command line. Use the following FortiOS CLI commands, on the phase 1 definition of the tunnel, to disable them:

config vpn ipsec phase1-interface
    edit [vpn name]
        set save-password disable
        set client-auto-negotiate disable
        set client-keep-alive disable
    next
end
FortiToken and FortiClient VPN
You can use FortiToken with FortiClient for two-factor authentication. See the FortiOS Handbook for information on configuring FortiToken, user groups, VPN, and two-factor authentication on your FortiGate device for FortiClient VPN connections.
Advanced features (Microsoft Windows)
When deploying a custom FortiClient XML configuration, use the advanced FortiClient Profile options in FortiGate/EMS to ensure the FortiClient Profile settings do not overwrite your custom XML settings. For more information, see the FortiClient XML Reference and the FortiOS CLI Reference.
Activating VPN before Windows Log on
When using VPN before Windows log on, the user is offered a list of pre-configured VPN connections to select from on the Windows log on screen. This requires that the Windows log on screen is not bypassed. As such, if VPN before Windows log on is enabled, you must also check the check box Users must enter a username and password to use this computer in the User Accounts dialog box.
To make this change, proceed as follows:
In FortiClient:
- Create the VPN tunnels of interest or use Endpoint Control to register to a FortiGate/EMS which provides the VPN list of interest
- Enable VPN before log on on the FortiClient Settings page, see VPN options on page 108.
On the Microsoft Windows system,
- Start an elevated command line prompt.
- Enter control userpasswords2 and press Enter. Alternatively, you can enter netplwiz.
- Check the check box for Users must enter a username and password to use this computer.
- Click OK to save the setting.
Connect VPN before log on (AD environments)
The VPN <options> tag holds global information controlling VPN states. The VPN will connect first, then log on to AD/Domain.
<forticlient_configuration>
  <vpn>
    <options>
      <show_vpn_before_logon>1</show_vpn_before_logon>
      <use_windows_credentials>1</use_windows_credentials>
    </options>
  </vpn>
</forticlient_configuration>
Create a redundant IPsec VPN
To use VPN resiliency/redundancy, you will configure a list of FortiGate/EMS IP/FQDN servers, instead of just one:
<forticlient_configuration>
  <vpn>
    <ipsecvpn>
      <options>
        …
      </options>
      <connections>
        <connection>
          <name>psk_90_1</name>
          <type>manual</type>
          <ike_settings>
            <prompt_certificate>0</prompt_certificate>
            <server>10.10.90.1;ipsecdemo.fortinet.com;172.17.61.143</server>
            <redundantsortmethod>1</redundantsortmethod>
            …
          </ike_settings>
        </connection>
      </connections>
    </ipsecvpn>
  </vpn>
</forticlient_configuration>
This is a balanced, but incomplete XML configuration fragment. All closing tags are included, but some important elements to complete the IPsec VPN configuration are omitted.
RedundantSortMethod = 1
This XML tag sets the IPsec VPN connection as ping-response based. The VPN will connect to the FortiGate/EMS which responds the fastest.
RedundantSortMethod = 0
By default, RedundantSortMethod = 0 and the IPsec VPN connection is priority based. Priority based configurations will try to connect to the FortiGate/EMS starting with the first in the list.
Priority based SSL VPN connections
SSL VPN supports priority based configurations for redundancy.
<forticlient_configuration>
  <vpn>
    <sslvpn>
      <options>
        <enabled>1</enabled>
        …
      </options>
      <connections>
        <connection>
          <name>ssl_90_1</name>
          <server>10.10.90.1;ssldemo.fortinet.com;172.17.61.143:443</server>
          …
        </connection>
      </connections>
    </sslvpn>
  </vpn>
</forticlient_configuration>
This is a balanced, but incomplete XML configuration fragment. All closing tags are included, but some important elements to complete the SSL VPN configuration are omitted.
For SSL VPN, all FortiGate/EMS must use the same TCP port.
Advanced features (Mac OS X)
When deploying a custom FortiClient XML configuration, use the advanced FortiClient Profile options in FortiGate/EMS to ensure the FortiClient Profile settings do not overwrite your custom XML settings. For more information, see the FortiClient XML Reference and the FortiOS CLI Reference.
Create a redundant IPsec VPN
To use VPN resiliency/redundancy, you will configure a list of FortiGate/EMS IP/FQDN servers, instead of just one:
<forticlient_configuration>
  <vpn>
    <ipsecvpn>
      <options>
        …
      </options>
      <connections>
        <connection>
          <name>psk_90_1</name>
          <type>manual</type>
          <ike_settings>
            <prompt_certificate>0</prompt_certificate>
            <server>10.10.90.1;ipsecdemo.fortinet.com;172.17.61.143</server>
            <redundantsortmethod>1</redundantsortmethod>
            …
          </ike_settings>
        </connection>
      </connections>
    </ipsecvpn>
  </vpn>
</forticlient_configuration>
This is a balanced, but incomplete XML configuration fragment. All closing tags are included, but some important elements to complete the IPsec VPN configuration are omitted.
RedundantSortMethod = 1
This XML tag sets the IPsec VPN connection as ping-response based. The VPN will connect to the FortiGate/EMS which responds the fastest.
RedundantSortMethod = 0
By default, RedundantSortMethod = 0 and the IPsec VPN connection is priority based. Priority based configurations will try to connect to the FortiGate/EMS starting with the first in the list.
Priority based SSL VPN connections
SSL VPN supports priority based configurations for redundancy.
<forticlient_configuration>
  <vpn>
    <sslvpn>
      <options>
        <enabled>1</enabled>
        …
      </options>
      <connections>
        <connection>
          <name>ssl_90_1</name>
          <server>10.10.90.1;ssldemo.fortinet.com;172.17.61.143:443</server>
          …
        </connection>
      </connections>
    </sslvpn>
  </vpn>
</forticlient_configuration>
This is a balanced, but incomplete XML configuration fragment. All closing tags are included, but some important elements to complete the SSL VPN configuration are omitted.
For SSL VPN, all FortiGate/EMS must use the same TCP port.
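The redundant IPsec and SSL VPN fragments in both the Windows and Mac OS X sections above share one mechanism: a semicolon-separated gateway list in `<server>`, ordered either by list position (RedundantSortMethod = 0) or by ping response (RedundantSortMethod = 1), with the extra rule for SSL VPN that every gateway must use the same TCP port. The Python script below is an added example, not FortiClient code, that pulls those values out of a profile and reproduces both orderings. The profile it parses is constructed from the two fragments above with the elided elements left out, the ping results are a constructed table, and the function names are the editor's own.

```python
"""Gateway ordering for a redundant FortiClient VPN <server> list.

Added example, not FortiClient code. It reads the <server> value out of the
profile fragments above (semicolon-separated gateways, an optional :port on
SSL VPN entries) and applies the two documented orderings: redundantsortmethod
0 tries gateways in list order, 1 tries the fastest ping response first. The
ping is a function argument so the example runs offline; the RTT table and
the profile below are constructed sample data, not a real FortiGate.
"""
import xml.etree.ElementTree as ET


def parse_server_list(value, default_port=None):
    """'10.10.90.1;host;172.17.61.143:443' -> [(host, port), ...].
    Entries without :port get default_port (None for IPsec, where the
    field carries no port). Bracketed IPv6 literals are not handled."""
    gateways = []
    for entry in (e.strip() for e in value.split(";")):
        if not entry:
            continue
        host, sep, port = entry.rpartition(":")
        if sep and port.isdigit():
            gateways.append((host, int(port)))
        else:
            gateways.append((entry, default_port))
    return gateways


def order_gateways(gateways, sort_method, probe=None):
    """Return gateways in the order the client would try them.
    probe(host) -> round-trip time in ms, or None when there is no reply;
    unreachable gateways go last. sorted() is stable, so ties and
    method 0 keep the configured order."""
    if sort_method == 0:
        return list(gateways)
    if sort_method != 1:
        raise ValueError("redundantsortmethod must be 0 or 1")
    if probe is None:
        raise ValueError("ping-based ordering needs a probe function")

    def rtt_key(gateway):
        rtt = probe(gateway[0])
        return (rtt is None, rtt if rtt is not None else 0.0)

    return sorted(gateways, key=rtt_key)


def same_port(gateways):
    """SSL VPN rule from the text: every gateway must use the same TCP port."""
    return len({port for _, port in gateways}) == 1


def load_connections(profile_xml):
    """Return (name, server list, sort method) for each <connection>.
    IPsec keeps <server> under <ike_settings>; SSL VPN keeps it directly
    under <connection> and has no sort method, so it defaults to 0."""
    root = ET.fromstring(profile_xml)
    found = []
    for conn in root.iter("connection"):
        server = conn.findtext("server") or conn.findtext("ike_settings/server")
        method = conn.findtext("ike_settings/redundantsortmethod") or "0"
        found.append((conn.findtext("name"), server, int(method)))
    return found


# Constructed profile: the two fragments above, minus the elided elements.
SAMPLE_PROFILE = """<forticlient_configuration>
  <vpn>
    <ipsecvpn><connections><connection>
      <name>psk_90_1</name>
      <type>manual</type>
      <ike_settings>
        <prompt_certificate>0</prompt_certificate>
        <server>10.10.90.1;ipsecdemo.fortinet.com;172.17.61.143</server>
        <redundantsortmethod>1</redundantsortmethod>
      </ike_settings>
    </connection></connections></ipsecvpn>
    <sslvpn><connections><connection>
      <name>ssl_90_1</name>
      <server>10.10.90.1;ssldemo.fortinet.com;172.17.61.143:443</server>
    </connection></connections></sslvpn>
  </vpn>
</forticlient_configuration>"""

# Constructed ping results in ms; None means no reply.
SAMPLE_RTT = {"10.10.90.1": 48.0, "ipsecdemo.fortinet.com": 12.5,
              "172.17.61.143": None}


def sample_probe(host):
    return SAMPLE_RTT.get(host)


if __name__ == "__main__":
    for name, server, method in load_connections(SAMPLE_PROFILE):
        port = 443 if name.startswith("ssl") else None
        gateways = parse_server_list(server, port)
        print(name, "tries:", order_gateways(gateways, method, sample_probe))
        if port is not None:
            print("  same port on all gateways:", same_port(gateways))
```

Note that the ping-based method makes the choice of gateway depend on whoever answers ICMP fastest, so a gateway that is reachable but slow to answer ping is tried after a faster one even if it sits first in the list; list order only decides ties and the unreachable tail.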
VPN tunnel & script
This feature supports automatically running a user-defined script after the configured VPN tunnel is connected or disconnected. The scripts are batch scripts on Windows and shell scripts on Mac OS X. They are defined as part of a VPN tunnel configuration in the XML format FortiClient Profile on FortiGate/EMS. The profile is pushed down to FortiClient from FortiGate/EMS. When FortiClient's VPN tunnel is connected or disconnected, the respective script defined under that tunnel is executed. Because the script travels inside the profile, anything it contains, including the credentials in the examples below, is stored on every endpoint that receives the profile.
Windows
Map a network drive after tunnel connection
The script will map a network drive and copy some files after the tunnel is connected.
<on_connect>
  <script>
    <os>windows</os>
    <script>
      <script>
        <![CDATA[
        net use x: \\192.168.10.3\ftpshare /user:Ted Mosby
        md c:\test
        copy x:\PDF\*.* c:\test
        ]]>
      </script>
    </script>
  </script>
</on_connect>
Delete a network drive after tunnel is disconnected
The script will delete the network drive after the tunnel is disconnected.
<on_disconnect>
  <script>
    <os>windows</os>
    <script>
      <script>
        <![CDATA[
        net use x: /DELETE
        ]]>
      </script>
    </script>
  </script>
</on_disconnect>
OS X
Map a network drive after tunnel connection
The script will map a network drive and copy some files after the tunnel is connected.
<on_connect>
  <script>
    <os>mac</os>
    <script>
      /bin/mkdir /Volumes/installers
      /sbin/ping -c 4 192.168.1.147 > /Users/admin/Desktop/dropbox/p.txt
      /sbin/mount -t smbfs //kimberly:RigUpTown@ssldemo.fortinet.com/installers /Volumes/installers/ > /Users/admin/Desktop/dropbox/m.txt
      /bin/mkdir /Users/admin/Desktop/dropbox/dir
      /bin/cp /Volumes/installers/*.log /Users/admin/Desktop/dropbox/dir/.
    </script>
  </script>
</on_connect>
Delete a network drive after tunnel is disconnected
The script will delete the network drive after the tunnel is disconnected.
<on_disconnect>
  <script>
    <os>mac</os>
    <script>
      /sbin/umount /Volumes/installers
      /bin/rm -fr /Users/admin/Desktop/dropbox/*
    </script>
  </script>
</on_disconnect>
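Two details of the script blocks above are easy to get wrong when generating them: the Windows commands must sit inside a CDATA section, which cannot itself contain `]]>`, and both sample scripts carry a password in clear text (a token after `/user:` on the `net use` line, and `user:password@host` in the `mount` URL) that every endpoint receiving the profile will store. The Python script below is an added example, not FortiClient code. It emits the element nesting used by the Mac fragments above (the Windows fragments show one more `<script>` level), wraps the commands in a correctly split CDATA section, and runs the editor's own credential check over the result; the check, its patterns and the command lists are assumptions built from the page's examples, not a Fortinet feature.

```python
"""Build and lint FortiClient on_connect/on_disconnect script blocks.

Added example, not FortiClient code. build_script_block() emits the element
nesting used by the Mac fragments above (the Windows fragments show one more
<script> level) and wraps the commands in a CDATA section, splitting any
']]>' the commands contain so the XML stays well-formed.
find_embedded_credentials() is the editor's own check, not a Fortinet
feature: it flags the two credential forms visible in the examples above,
a password token on a 'net use' line and user:password@host in a mount URL.
The sample command lists are constructed from those examples.
"""
import re
import xml.etree.ElementTree as ET

URL_CREDENTIAL = re.compile(r"//([^/\s:@]+):([^@\s/]+)@")  # user:pass@host


def cdata(text):
    """Wrap text in CDATA. ']]>' cannot appear inside a section, so the
    standard trick is to end the section after ']]' and reopen before '>'."""
    return "<![CDATA[" + text.replace("]]>", "]]]]><![CDATA[>") + "]]>"


def build_script_block(event, os_name, commands):
    """event is 'on_connect' or 'on_disconnect'; commands are script lines."""
    if event not in ("on_connect", "on_disconnect"):
        raise ValueError(f"unknown event {event!r}")
    if os_name not in ("windows", "mac"):
        raise ValueError(f"unknown os {os_name!r}")
    body = "\n".join(commands)
    return (f"<{event}>\n"
            f"  <script>\n"
            f"    <os>{os_name}</os>\n"
            f"    <script>\n{cdata(body)}\n    </script>\n"
            f"  </script>\n"
            f"</{event}>")


def script_lines(script_xml):
    """Return the command lines inside the innermost <script> element."""
    lines = []
    for elem in ET.fromstring(script_xml).iter("script"):
        if elem.text and elem.text.strip():
            lines.extend(line.strip() for line in elem.text.strip().splitlines())
    return lines


def net_use_password(line):
    """On a 'net use' line the only bare (non-option) tokens are the drive
    and the share; any further bare token is a password on the command line."""
    tokens = line.split()
    if len(tokens) < 2 or [t.lower() for t in tokens[:2]] != ["net", "use"]:
        return None
    bare = [t for t in tokens[2:] if not t.startswith("/")]
    return bare[2] if len(bare) > 2 else None


def find_embedded_credentials(script_xml):
    """Return (line number, description) for each credential found."""
    findings = []
    for number, line in enumerate(script_lines(script_xml), 1):
        password = net_use_password(line)
        if password:
            findings.append((number, f"net use password {password!r}"))
        for user, _ in URL_CREDENTIAL.findall(line):
            findings.append((number, f"URL credential for user {user!r}"))
    return findings


# Constructed from the page's examples; the passwords are the ones shown there.
WINDOWS_CONNECT = [
    r"net use x: \\192.168.10.3\ftpshare /user:Ted Mosby",
    r"md c:\test",
    r"copy x:\PDF\*.* c:\test",
]
MAC_CONNECT = [
    "/bin/mkdir /Volumes/installers",
    "/sbin/mount -t smbfs //kimberly:RigUpTown@ssldemo.fortinet.com/installers "
    "/Volumes/installers/",
]

if __name__ == "__main__":
    for os_name, commands in (("windows", WINDOWS_CONNECT), ("mac", MAC_CONNECT)):
        block = build_script_block("on_connect", os_name, commands)
        print(block)
        for number, what in find_embedded_credentials(block):
            print(f"  line {number}: {what}")
```

Run the lint over a profile before it is pushed; a finding means the credential will land on every endpoint the profile reaches, where a local user can read it from the FortiClient configuration.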