fortigate-ipsec-40-mr3
FortiClient dialup-client configurations: Configuration overview

One button FortiGate-to-FortiClient Phase1 VPN
On the FortiOS VPN IKE page there is a button that creates the Phase1 portion of a VPN tunnel between the FortiGate and FortiClient. Very little information is required for this configuration. You are not required to specify an encryption or authentication method. This feature is ideal for setting up quick VPN connections with basic settings.

This one button is only compatible with FortiClient 4.3 and higher. For earlier versions of FortiClient, the IKE Phase1 object must be created separately, similar to earlier versions of FortiOS.

On the Phase 1 screen (VPN > IPsec > Phase 1) is a button called Create a FortiClient VPN. This button asks a few basic questions about the VPN configuration. Once all the information is entered, click Create Now. This creates a new dial-up IPsec interface-mode tunnel. Phase 1 and Phase 2 are added using the default IKE settings.
The following settings are used when creating a one-button FortiClient VPN Phase1 object:
Remote Gateway: Dialup User
Mode: Aggressive
Enable IPSec Interface Mode
Default setting for P1 and P2 Proposal
XAUTH Enable as Server (Auto)
IKE mode-config will be enabled
Peer Option set to "Accept any peer ID"
The rest of the settings use the current defaults (the default values need to be the same on the FortiClient side)
Once the one-button Phase1 is complete, you must create a default Phase2 configuration. This requires only a name for the Phase2 object and selecting the one-button Phase1 name.
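
An added example, not part of the handbook: a Python check that reads a FortiOS configuration backup and lists dial-up phase 1 tunnels that still carry the one-button "Mode: Aggressive" and "Accept any peer ID" settings described above, so they can be reviewed. The CLI keys (`type`, `mode`, `peertype`), the defaults applied when a key is omitted, and the sample backup are assumptions; the page names only the web-based manager settings.

```python
import shlex

# Constructed sample of a FortiOS configuration backup (not from the handbook).
SAMPLE_CONFIG = '''
config vpn ipsec phase1-interface
    edit "fct-onebutton"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set xauthtype auto
        set mode-cfg enable
    next
    edit "branch-static"
        set remote-gw 192.0.2.10
        set peertype one
        set peerid "branch01"
    next
end
'''

# Assumed CLI defaults for keys that a backup omits.
DEFAULTS = {"type": "static", "mode": "main", "peertype": "any"}

# (CLI key, value, setting name as listed in the handbook)
REVIEW = [("mode", "aggressive", "Mode: Aggressive"),
          ("peertype", "any", 'Peer Option: "Accept any peer ID"')]

def parse_phase1(text):
    """Return {tunnel name: {key: value}} from the phase1-interface table."""
    tunnels, current, in_table = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config vpn ipsec phase1-interface":
            in_table = True
        elif in_table and line == "end":
            in_table = False
        elif in_table and line:
            tok = shlex.split(line)
            if tok[0] == "edit" and len(tok) > 1:
                current = tunnels.setdefault(tok[1], dict(DEFAULTS))
            elif tok[0] == "set" and len(tok) > 2 and current is not None:
                current[tok[1]] = " ".join(tok[2:])
    return tunnels

def audit(text):
    """List (tunnel, setting) pairs for dial-up tunnels that need review."""
    return [(name, label) for name, cfg in parse_phase1(text).items()
            if cfg["type"] == "dynamic"
            for key, value, label in REVIEW if cfg[key] == value]
```

Calling `audit(SAMPLE_CONFIG)` reports both settings for `fct-onebutton` and nothing for the static tunnel; a dial-up tunnel in main mode with a specific peer ID produces no findings.
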

How the FortiGate unit determines which settings to apply

The FortiGate unit follows these steps to determine the configuration information to send to the FortiClient application:
1 Check the virtual domain associated with the connection to determine which VPN policies might apply.
2 Select the VPN policy that matches the dialup client's user group and determine which tunnel (phase 1 configuration) is involved.
3 Check all IPsec security policies that use the specified tunnel to determine which private networks the dialup clients may access.
4 Retrieve the rest of the VPN policy information from the existing IPsec phase 1 and phase 2 parameters in the dialup-client configuration.

FortiOS Handbook v3: IPsec VPNs<br />
01-434-112804-20120111
http://docs.fortinet.com/