fortigate-ipsec-40-mr3
FortiOS Handbook

FortiClient dialup-client configurations

The FortiClient Endpoint Security application is an IPsec VPN client with antivirus, antispam and firewall capabilities. This section explains how to configure dialup VPN connections between a FortiGate unit and one or more FortiClient Endpoint Security applications.

FortiClient users are usually mobile or remote users who need to connect to a private network behind a FortiGate unit. For example, the users might be employees who connect to the office network while traveling or from their homes.

For greatest ease of use, the FortiClient application can download the VPN settings from the FortiGate unit to configure itself automatically. This section covers both automatic and manual configuration.

The following topics are included in this section:
Configuration overview
FortiClient-to-FortiGate VPN configuration steps
Configure the FortiGate unit
Configure the FortiClient Endpoint Security application
Adding XAuth authentication
FortiClient dialup-client configuration example

Configuration overview

The FortiClient configurations in this guide do not apply to the FortiClient Consumer Edition, which does not include the IPsec VPN feature.

Dialup users typically obtain dynamic IP addresses from an ISP through Dynamic Host Configuration Protocol (DHCP) or Point-to-Point Protocol over Ethernet (PPPoE). Then, the FortiClient Endpoint Security application initiates a connection to a FortiGate dialup server.

By default the FortiClient dialup client has the same IP address as the host PC on which it runs. If the host connects directly to the Internet, this is a public IP address. If the host is behind a NAT device, such as a router, the IP address is a private IP address. The NAT device must be NAT traversal (NAT-T) compatible to pass encrypted packets (see “NAT traversal” on page 52). The FortiClient application also can be configured to use a virtual IP address (VIP). For the duration of the connection, the FortiClient application and the FortiGate unit both use the VIP address as the IP address of the FortiClient dialup client.

For a faster and easier method of configuring a FortiGate-to-FortiClient VPN, see “One button FortiGate-to-FortiClient Phase1 VPN” on page 117.

FortiOS Handbook v3: IPsec VPNs
01-434-112804-20120111 115
http://docs.fortinet.com/