Technical Tip: IPsec remote access VPN with peer type set to 'dialup'

When FortiGate IPsec Remote Access VPN is configured with peer type 'dialup', FortiClient connection will use the user password as pre-shared key and username as Local ID.

Example:

Username: testuser.

User Password: password1.

FortiGate Configuration on CLI:

config vpn ipsec phase1-interface

    edit "IPSEC_RA"

        set type dynamic

        set interface "port1"

        set mode aggressive

        set peertype dialup         --> Peer Type set to 'dialup'.

        set net-device disable

        set mode-cfg enable

        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1

        set dhgrp 20 14 5

        set xauthtype auto

        set authusrgrp "IPSEC_GROUP"

        set usrgrp "IPSEC_GROUP"  --> User Group should be set.

        set ipv4-start-ip 10.10.10.1

        set ipv4-end-ip 10.10.10.10

        set dns-mode auto

        set ipv4-split-include "IPSEC_RA_split"

        set save-password enable

    next

end

Note: When 'peertype' is set to 'dialup', the 'psksecret' command will be unavailable.

The <user-group> must only contain local users (config user local).

These settings only apply to the following dialup phase1 with PSK authentication:

• IKEv1 aggressive-mode.
• IKEv2.

This allows to associate multiple peer Identities, each with its own PSK, in a single dial-up phase1.

The same phase1 is shared by multiple dialers but each of them is identified by its own ID and has its own PSK.

It is a good practice which avoids having to use a shared pre-shared key for all dialers of the same phase1.

FortiGate Configuration on GUI:

FortiClient connection configuration: