IPsec VPN and SSL VPN
FortiClient supports both IPsec and SSL VPN connections to your network for remote access. Administrators can provision client VPN connections to FortiGate in profiles from EMS, and you can configure new connections in FortiClient console.
Add new connections
You can add new SSL VPN connections and IPsec VPN connections.
Connection Name |
Enter a name for the connection. |
Description |
Enter a description for the connection. (optional) |
Create SSL VPN connections
To create SSL VPN connections:
- On the Remote Access tab, click the Configure VPN link, or use the drop-down menu in the FortiClient console.
- Select SSL-VPN, then configure the following settings:
Add new connections
Remote Gateway |
Enter the IP address/hostname of the remote gateway. Multiple remote gateways can be configured by separating each entry with a semicolon. If one gateway is not available, the VPN will connect to the next configured gateway. |
Customize port |
Select to change the port. The default port is 443. |
Authentication |
Select to prompt on login, or save login. The option to disable is available when Client Certificate is enabled. |
Username |
If you selected to save login, enter the username in the dialog box. |
Client Certificate |
Select to enable client certificates, then select the certificate from the dropdown list. |
Do not Warn Invalid Server
Certificate |
Select if you do not want to warned if the server presents an invalid certificate. |
Add |
Select the add icon to add a new connection. |
Delete |
Select a connection and then select the delete icon to delete a connection. |
- Click Apply to save the VPN connection, and then click Close to return to the Remote Access screen.
Create IPsec VPN connections
To create IPsec VPN connections:
- On the Remote Access tab, click the Configure VPN link, or use the drop-down menu in the FortiClient console.
- Select IPsec VPN, then configure the following settings:
Connection Name |
|
Enter a name for the connection. |
Description |
|
Enter a description for the connection. (optional) |
Add new connections
Remote Gateway |
Enter the IP address/hostname of the remote gateway. Multiple remote gateways can be configured by separating each entry with a semicolon. If one gateway is not available, the VPN will connect to the next configured gateway. |
Authentication Method |
Select either X.509 Certificate or Pre-shared Key in the dropdown menu. |
Authentication (XAuth) |
Select to prompt on login, save login, or disable. |
Username |
If you selected save login, enter the username in the dialog box. |
Advanced Settings |
Configure VPN settings, Phase 1, and Phase 2 settings. |
VPN Settings |
|
Mode |
Select one of the following:
l Main: In Main mode, the phase 1 parameters are exchanged in multiple rounds with encrypted authentication information.
l Aggressive: In Aggressive mode, the phase 1 parameters are exchanged in a single message with authentication information that is not encrypted.
Although Main mode is more secure, you must select Aggressive mode if there is more than one dialup phase 1 configuration for the interface IP address, and the remote VPN peer or client is authenticated using an identifier (local ID). |
Options |
Select one of the following:
l Mode Config: IKE Mode Config can configure host IP address, Domain, DNS and WINS addresses.
l Manually Set: Manual key configuration. If one of the VPN devices is manually keyed, the other VPN device must also be manually keyed with the identical authentication and encryption keys. Enter the DNS server IP, assign IP address, and subnet values. Select the check box to enable split tunneling.
l DHCP overIPsec: DHCP over IPsec can assign an IP address, Domain, DNS and WINS addresses. Select the check box to enable split tunneling. |
Phase 1 |
Select the encryption and authentication algorithms used to generate keys for protecting negotiations and add encryption and authentication algorithms as required.
You need to select a minimum of one and a maximum of two combinations. The remote peer or client must be configured to use at least one of the proposals that you define. |
IKE Proposal |
Select symmetric-key algorithms (encryption) and message digests (authentication) from the drop-down lists. |
Add new connections
|
DH Group |
Select one or more Diffie-Hellman groups from DH group 1, 2, 5 and 14. At least one of the DH Group settings on the remote peer or client must match one the selections on the FortiGate unit. Failure to match one or more DH groups will result in failed negotiations. |
|
Key Life |
Enter the time (in seconds) that must pass before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The key life can be from 120 to 172,800 seconds. |
|
Local ID |
Enter the Local ID (optional). This Local ID value must match the peer ID value given for the remote VPN peer’s Peer Options. |
|
Dead Peer
Detection |
Select this check box to reestablish VPN tunnels on idle connections and clean up dead IKE peers if required. |
|
NAT Traversal |
Select the check box if a NAT device exists between the client and the local FortiGate unit. The client and the local FortiGate unit must have the same NAT traversal setting (both selected or both cleared) to connect reliably. |
Phase 2 |
|
Select the encryption and authentication algorithms that will be proposed to the remote VPN peer. You can specify up to two proposals. To establish a VPN connection, at least one of the proposals that you specify must match configuration on the remote peer. |
|
IKE Proposal |
Select symmetric-key algorithms (encryption) and message digests (authentication) from the drop-down lists. |
|
Key Life |
The Key Life setting sets a limit on the length of time that a phase 2 key can be used. The default units are seconds. Alternatively, you can set a limit on the number of kilobytes (KB) of processed data, or both. If you select both, the key expires when either the time has passed or the number of KB have been processed. When the phase 2 key expires, a new key is generated without interrupting service. |
|
Enable Replay Detection |
Replay detection enables the unit to check all IPsec packets to see if they have been received before. If any encrypted packets arrive out of order, the unit discards them. |
|
Enable Perfect
Forward Secrecy
(PFS) |
Select the check box to enable Perfect forward secrecy (PFS). PFS forces a new Diffie-Hellman exchange when the tunnel starts and whenever the phase 2 key life expires, causing a new key to be generated each time. |
|
DH Group |
Select one Diffie-Hellman (DH) group (1, 2, 5 or 14). This must match the DH Group that the remote peer or dialup client uses. |
Add |
|
Select the add icon to add a new connection. |
Delete |
|
Select a connection and then select the delete icon to delete a connection. |
Advanced features (Microsoft Windows)
- Click Apply to save the VPN connection, and then click Close to return to the Remote Access screen.
Advanced features (Microsoft Windows)
When deploying a custom FortiClient XML configuration, use the advanced FortiClient Profile options in EMS to ensure the FortiClient profile settings do not overwrite your custom XML settings. For more information, see the FortiClient XML Reference.
Activate VPN before Windows Log on
When using VPN before Windows log on, the user is offered a list of pre-configured VPN connections to select from on the Windows log on screen. This requires that the Windows log on screen is not bypassed. As such, if VPN before Windows log on is enabled, it is required to also check the check box Users must entera username and password to use this computer in the UserAccounts dialog box.
To make this change, proceed as follows:
In FortiClient:
- Create the VPN tunnels of interest or connect to FortiClient EMS, which provides the VPN list of interest
- Enable VPN before log on to the FortiClient Settings page, see VPN options on page 102.
On the Microsoft Windows system,
- Start an elevated command line prompt.
- Enter control passwords2 and press Enter. Alternatively, you can enter netplwiz.
- Check the check box for Users must entera username and password to use this computer.
- Click OK to save the setting.
Connect VPNs before logging on (AD environments)
The VPN <options> tag holds global information controlling VPN states. The VPN will connect first, then log on to AD/Domain.
<forticlient_configuration>
<vpn>
<options>
<show_vpn_before_logon>1</show_vpn_before_logon>
<use_windows_credentials>1</use_windows_credentials> </options>
</vpn>
</forticlient_configuration>
Create redundant IPsec VPNs
To use VPN resiliency/redundancy, you will configure a list of EMS IP/FQDN servers, instead of just one:
<forticlient_configuration>
<vpn>
<ipsecvpn>
<options> …
Advanced features (Microsoft Windows)
</options>
<connections>
<connection>
<name>psk_90_1</name>
<type>manual</type>
<ike_settings>
<prompt_certificate>0</prompt_certificate>
<server>10.10.90.1;ipsecdemo.fortinet.com;172.17.61.143</server> <redundantsortmethod>1</redundantsortmethod> …
</ike_settings>
</connection>
</connections>
</ipsecvpn>
</vpn>
</forticlient_configuration>
This is a balanced, but incomplete XML configuration fragment. All closing tags are included, but some important elements to complete the IPsec VPN configuration are omitted.
RedundantSortMethod = 1
This XML tag sets the IPsec VPN connection as ping-response based. The VPN will connect to the FortiGate which responds the fastest.
RedundantSortMethod = 0
By default, RedundantSortMethod =0 and the IPsec VPN connection is priority based. Priority based configurations will try to connect to the FortiGate starting with the first in the list.
Create priority-based SSL VPN connections
SSL VPN supports priority based configurations for redundancy.
<forticlient_configuration>
<vpn>
<sslvpn>
<options>
<enabled>1</enabled> …
</options>
<connections>
<connection>
<name>ssl_90_1</name>
<server>10.10.90.1;ssldemo.fortinet.com;172.17.61.143:443</server> …
</connection>
</connections>
</sslvpn>
</vpn>
</forticlient_configuration>
This is a balanced, but incomplete XML configuration fragment. All closing tags are included, but some important elements to complete the SSL VPN configuration are omitted.
For SSL VPN, all FortiGate must use the same TCP port.
Advanced features (Mac OS X)
Advanced features (Mac OS X)
When deploying a custom FortiClient XML configuration, use the advanced FortiClient profile options in EMS to ensure the FortiClient Profile settings do not overwrite your custom XML settings. For more information, see the FortiClient XML Reference.
Create redundant IPsec VPNs
To use VPN resiliency/redundancy, you will configure a list of FortiGate/EMS IP/FQDN servers, instead of just one:
<forticlient_configuration>
<vpn>
<ipsecvpn>
<options> …
</options>
<connections>
<connection>
<name>psk_90_1</name>
<type>manual</type>
<ike_settings>
<prompt_certificate>0</prompt_certificate>
<server>10.10.90.1;ipsecdemo.fortinet.com;172.17.61.143</server> <redundantsortmethod>1</redundantsortmethod> …
</ike_settings>
</connection>
</connections>
</ipsecvpn>
</vpn>
</forticlient_configuration>
This is a balanced, but incomplete XML configuration fragment. All closing tags are included, but some important elements to complete the IPsec VPN configuration are omitted.
RedundantSortMethod = 1
This XML tag sets the IPsec VPN connection as ping-response based. The VPN will connect to the FortiGate/EMS which responds the fastest.
RedundantSortMethod = 0
By default, RedundantSortMethod =0 and the IPsec VPN connection is priority based. Priority based configurations will try to connect to the FortiGate/EMS starting with the first in the list.
Create priority-based SSL VPN connections
SSL VPN supports priority based configurations for redundancy.
<forticlient_configuration>
<vpn>
<sslvpn>
tunnel & script
<options>
<enabled>1</enabled> …
</options>
<connections>
<connection>
<name>ssl_90_1</name>
<server>10.10.90.1;ssldemo.fortinet.com;172.17.61.143:443</server> …
</connection>
</connections>
</sslvpn>
</vpn>
</forticlient_configuration>
This is a balanced, but incomplete XML configuration fragment. All closing tags are included, but some important elements to complete the SSL VPN configuration are omitted.
For SSL VPN, all FortiGate/EMS must use the same TCP port.
VPN tunnel & script
This feature supports auto running a user-defined script after the configured VPN tunnel is connected or disconnected. The scripts are batch scripts in Windows and shell scripts in Mac OS X. They are defined as part of a VPN tunnel configuration on EMS’s XML format FortiClient profile. The profile will be pushed down to FortiClient from EMS. When FortiClient’s VPN tunnel is connected or disconnected, the respective script defined under that tunnel will be executed.
Windows
Map a network drive after tunnel connection
The script will map a network drive and copy some files after the tunnel is connected.
<on_connect>
<script>
<os>windows</os>
<script>
<script>
<![CDATA[ net use x: \\192.168.10.3\ftpshare /user:Ted Mosby md c:\test copy x:\PDF\*.* c:\test ]]>
</script>
</script>
</script>
</on_connect>
Delete a network drive after tunnel is disconnected
The script will delete the network drive after the tunnel is disconnected.
<on_disconnect>
<script>
<os>windows</os> <script>
90
VPN tunnel & script
<script>
<![CDATA[ net use x: /DELETE ]]>
</script>
</script>
</script>
</on_disconnect>
OS X
Map a network drive after tunnel connection
The script will map a network drive and copy some files after the tunnel is connected.
<on_connect>
<script>
<os>mac</os>
<script>
/bin/mkdir /Volumes/installers
/sbin/ping -c 4 192.168.1.147 > /Users/admin/Desktop/dropbox/p.txt
/sbin/mount -t smbfs //kimberly:RigUpTown@ssldemo.fortinet.com/installers
/Volumes/installers/ > /Users/admin/Desktop/dropbox/m.txt
/bin/mkdir /Users/admin/Desktop/dropbox/dir
/bin/cp /Volumes/installers/*.log /Users/admin/Desktop/dropbox/dir/. </script>
</script>
</on_connect>
Delete a network drive after tunnel is disconnected
The script will delete the network drive after the tunnel is disconnected.
<on_disconnect>
<script>
<os>mac</os>
<script>
/sbin/umount /Volumes/installers
/bin/rm -fr /Users/admin/Desktop/dropbox/*
</script>
</script>
</on_disconnect>