Created on 08-11-2023 06:21 AM Edited on 08-11-2023 06:24 AM
Description | This article describes how to have an automatic FortiClient VPN connection on the PC startup. |
Scope | FortiClient EMS 7.2.1 and FortiClient 7.0.9 and 7.2.1. |
Solution | When using FortiClient EMS, some administrators have trouble getting the FortiClient VPN to start automatically when the PC is turned on, which is needed so that the user can log in to the domain through the tunnel before any interactive session exists.
For this issue, take the configuration below as an example. It shows the VPN definition on the EMS side (the XML profile) and on the FortiGate side. With this configuration the VPN starts automatically when the PC boots, without user interaction, and the tunnel stays up even when the Windows user logs off. It was tested with FortiClient EMS 7.2.1 and FortiClient 7.0.9 and 7.2.1, and it also works on Android. The configuration is for a dial-up IPsec VPN, but many parts of it are also usable for SSL VPN.

The elements that make the tunnel start at boot are machine=1 and keep_running=1 on the connection, show_vpn_before_logon=1, and the three entries on_os_start_connect, autoconnect_tunnel and current_connection_name under vpn/options. All three must carry exactly the name given in the connection's name element (TUNNEL_NAME below); a mismatch means nothing is dialled at startup and there is no logged-on user to notice. The placeholders YYYY (server address, local ID, preshared key) and TUNNEL_NAME have to be replaced with the real values.

<?xml version="1.0" ?>
<forticlient_configuration>
  <vpn>
    <enabled>1</enabled>
    <sslvpn>
      <options>
        <enabled>0</enabled>
        <dnscache_service_control>0</dnscache_service_control>
        <prefer_sslvpn_dns>1</prefer_sslvpn_dns>
        <disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
        <warn_invalid_server_certificate>0</warn_invalid_server_certificate>
        <no_dns_registration>0</no_dns_registration>
      </options>
      <connections/>
    </sslvpn>
    <ipsecvpn>
      <options>
        <enabled>1</enabled>
        <use_win_current_user_cert>0</use_win_current_user_cert>
        <use_win_local_computer_cert>1</use_win_local_computer_cert>
        <beep_if_error>1</beep_if_error>
        <usewincert>1</usewincert>
        <uselocalcert>0</uselocalcert>
        <usesmcardcert>0</usesmcardcert>
        <block_ipv6>1</block_ipv6>
        <enable_udp_checksum>0</enable_udp_checksum>
        <disable_default_route>0</disable_default_route>
        <show_auth_cert_only>0</show_auth_cert_only>
        <check_for_cert_private_key>0</check_for_cert_private_key>
        <enhanced_key_usage_mandatory>0</enhanced_key_usage_mandatory>
        <no_dns_registration>0</no_dns_registration>
      </options>
      <connections>
        <connection>
          <name>TUNNEL_NAME</name>
          <machine>1</machine>
          <keep_running>1</keep_running>
          <disclaimer_msg/>
          <sso_enabled>0</sso_enabled>
          <single_user_mode>0</single_user_mode>
          <type>manual</type>
          <ui>
            <show_remember_password>1</show_remember_password>
            <show_alwaysup>1</show_alwaysup>
            <show_autoconnect>1</show_autoconnect>
            <show_passcode>0</show_passcode>
            <save_username>0</save_username>
          </ui>
          <redundant_sort_method>0</redundant_sort_method>
          <tags>
            <allowed/>
            <prohibited></prohibited>
          </tags>
          <host_check_fail_warning><![CDATA[YYY.]]></host_check_fail_warning>
          <ike_settings>
            <server>YYYY</server>
            <authentication_method>Preshared Key</authentication_method>
            <fgt>1</fgt>
            <prompt_certificate>0</prompt_certificate>
            <xauth>
              <use_otp>0</use_otp>
              <enabled>0</enabled>
              <prompt_username>0</prompt_username>
              <username/>
            </xauth>
            <version>1</version>
            <mode>aggressive</mode>
            <key_life>43200</key_life>
            <localid>YYYYYYY</localid>
            <implied_SPDO>1</implied_SPDO>
            <implied_SPDO_timeout>2</implied_SPDO_timeout>
            <nat_traversal>1</nat_traversal>
            <enable_local_lan>1</enable_local_lan>
            <enable_ike_fragmentation>1</enable_ike_fragmentation>
            <mode_config>1</mode_config>
            <dpd>1</dpd>
            <dpd_retry_count>3</dpd_retry_count>
            <dpd_retry_interval>3</dpd_retry_interval>
            <run_fcauth_system>1</run_fcauth_system>
            <auth_data>
              <preshared_key>YYY</preshared_key>
            </auth_data>
            <dhgroup>5</dhgroup>
            <proposals>
              <proposal>DES|SHA1</proposal>
              <proposal>3DES|MD5</proposal>
            </proposals>
            <nat_alive_freq>5</nat_alive_freq>
          </ike_settings>
          <ipsec_settings>
            <remote_networks>
              <network>
                <addr>0.0.0.0</addr>
                <mask>0.0.0.0</mask>
              </network>
              <network>
                <addr>::/0</addr>
                <mask>::/0</mask>
              </network>
            </remote_networks>
            <dhgroup>5</dhgroup>
            <key_life_type>seconds</key_life_type>
            <key_life_seconds>500</key_life_seconds>
            <key_life_Kbytes>5200</key_life_Kbytes>
            <replay_detection>1</replay_detection>
            <pfs>1</pfs>
            <use_vip>1</use_vip>
            <virtualip>
              <type>modeconfig</type>
              <ip>0.0.0.0</ip>
              <mask>0.0.0.0</mask>
              <dnsserver>0.0.0.0</dnsserver>
              <winserver>0.0.0.0</winserver>
            </virtualip>
            <proposals>
              <proposal>DES|MD5</proposal>
              <proposal>3DES|SHA1</proposal>
            </proposals>
          </ipsec_settings>
          <warn_invalid_server_certificate>1</warn_invalid_server_certificate>
          <android_cert_path/>
          <on_connect>
            <script>
              <os>windows</os>
              <script/>
            </script>
          </on_connect>
          <on_disconnect>
            <script>
              <os>windows</os>
              <script/>
            </script>
          </on_disconnect>
          <traffic_control>
            <enabled>1</enabled>
            <mode>2</mode>
            <isdb_objects>
              <object>
                <owner>28</owner>
                <app>109</app>
              </object>
              <object>
                <owner>28</owner>
                <app>100</app>
              </object>
              <object>
                <owner>19</owner>
                <app>293</app>
              </object>
            </isdb_objects>
            <apps>
              <app>teamviewer.exe</app>
            </apps>
          </traffic_control>
        </connection>
      </connections>
    </ipsecvpn>
    <lockdown>
      <enabled>0</enabled>
      <grace_period>120</grace_period>
      <max_attempts>3</max_attempts>
      <exceptions>
        <apps/>
        <ips/>
      </exceptions>
    </lockdown>
    <options>
      <allow_personal_vpns>0</allow_personal_vpns>
      <disable_connect_disconnect>0</disable_connect_disconnect>
      <show_vpn_before_logon>1</show_vpn_before_logon>
      <use_legacy_vpn_before_logon>0</use_legacy_vpn_before_logon>
      <keep_running_max_tries>2</keep_running_max_tries>
      <minimize_window_on_connect>0</minimize_window_on_connect>
      <use_windows_credentials>0</use_windows_credentials>
      <show_negotiation_wnd>1</show_negotiation_wnd>
      <suppress_vpn_notification>0</suppress_vpn_notification>
      <secure_remote_access>1</secure_remote_access>
      <on_os_start_connect>TUNNEL_NAME</on_os_start_connect>
      <on_os_start_connect_has_priority>1</on_os_start_connect_has_priority>
      <autoconnect_only_when_offnet>0</autoconnect_only_when_offnet>
      <autoconnect_on_install>1</autoconnect_on_install>
      <current_connection_name>TUNNEL_NAME</current_connection_name>
      <current_connection_type>ipsec</current_connection_type>
      <autoconnect_tunnel>TUNNEL_NAME</autoconnect_tunnel>
    </options>
  </vpn>
  <endpoint_control>
    <ui>
      <display_vpn>1</display_vpn>
    </ui>
  </endpoint_control>
</forticlient_configuration>

The sslvpn section is disabled in this profile (enabled=0), so its disallow_invalid_server_certificate=0 and warn_invalid_server_certificate=0 have no effect here. If the profile is reused for an SSL VPN tunnel, set disallow_invalid_server_certificate to 1; otherwise a machine tunnel that dials before anyone logs on will silently accept a server certificate it cannot validate.
On the FortiGate side, the values that must match the client profile are peerid (the client's localid), psksecret (the client's preshared_key), mode, keylife, dhgrp and the phase 1 and phase 2 proposals. A mismatch in any of them keeps the tunnel from coming up at boot, and with no user logged on nobody sees the negotiation error.

Phase 1:

config vpn ipsec phase1-interface
    edit "VPN_FORTIGATE"
        set type dynamic
        set interface "WAN"
        set keylife 43200
        set mode aggressive
        set peertype one
        set net-device disable
        set mode-cfg enable
        set proposal des-sha1 3des-md5
        set dpd on-idle
        set dhgrp 5
        set idle-timeout enable
        set idle-timeoutinterval 120
        set peerid "YYYYY"
        set ipv4-start-ip YYYYY
        set ipv4-end-ip YYYYY
        set dns-mode auto
        set unity-support disable
        set psksecret YYYYYYYYYYYYYYY
        set dpd-retryinterval 10
    next
end

Phase 2:

config vpn ipsec phase2-interface
    edit "VPN_FORTIGATE_2"
        set phase1name "VPN_FORTIGATE"
        set proposal des-md5 3des-sha1
        set dhgrp 5
        set keepalive enable
        set keylifeseconds 500
    next
end

The algorithms shown (DES, 3DES, MD5 and DH group 5) are what this setup was tested with, but they are deprecated. For a new deployment use AES256 with SHA256 for both phases and DH group 14 or higher, changing the FortiGate set proposal / set dhgrp lines and the client proposals / dhgroup elements together. IKEv1 aggressive mode with a preshared key also sends a PSK-derived hash before encryption is established, so the PSK needs to be long and random, and it is shared by every endpoint that receives this machine-wide profile. |
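Before pushing a profile like the one above to EMS, it is worth checking it mechanically. The following is an added example, not code from the Fortinet article or from any Fortinet tool: a small Python linter that reads an EMS-style XML profile, verifies the auto-connect chain (on_os_start_connect naming an existing connection that is machine-scoped, kept running and shown before logon), flags deprecated algorithms and the aggressive-mode PSK, and compares the phase 1 parameters with a FortiGate phase1-interface CLI fragment. PROFILE_XML and FGT_PHASE1 are trimmed copies of the article's placeholder configuration, embedded so the script runs offline; WEAK_ALGS and MIN_DH_GROUP are this example's own policy thresholds, not Fortinet defaults.

```python
"""Lint an EMS-exported FortiClient XML profile for the auto-connect-at-boot chain and
for weak IKE/IPsec settings, then cross-check phase 1 against the FortiGate CLI.
Added example, not code from the Fortinet article or any Fortinet tool. PROFILE_XML and
FGT_PHASE1 are trimmed copies of the article's placeholder configuration, embedded so
the script runs offline; WEAK_ALGS and MIN_DH_GROUP are this example's own policy."""
import re
import xml.etree.ElementTree as ET

PROFILE_XML = """<?xml version="1.0" ?>
<forticlient_configuration><vpn>
 <ipsecvpn><connections><connection>
  <name>TUNNEL_NAME</name><machine>1</machine><keep_running>1</keep_running>
  <ike_settings><authentication_method>Preshared Key</authentication_method><version>1</version>
   <mode>aggressive</mode><key_life>43200</key_life><dhgroup>5</dhgroup>
   <proposals><proposal>DES|SHA1</proposal><proposal>3DES|MD5</proposal></proposals></ike_settings>
  <ipsec_settings><dhgroup>5</dhgroup><key_life_seconds>500</key_life_seconds>
   <proposals><proposal>DES|MD5</proposal><proposal>3DES|SHA1</proposal></proposals></ipsec_settings>
 </connection></connections></ipsecvpn>
 <options><show_vpn_before_logon>1</show_vpn_before_logon>
  <on_os_start_connect>TUNNEL_NAME</on_os_start_connect>
  <autoconnect_tunnel>TUNNEL_NAME</autoconnect_tunnel>
  <current_connection_name>TUNNEL_NAME</current_connection_name></options>
</vpn></forticlient_configuration>
"""
FGT_PHASE1 = """edit "VPN_FORTIGATE"
    set mode aggressive
    set keylife 43200
    set proposal des-sha1 3des-md5
    set dhgrp 5
next
"""
WEAK_ALGS = {"DES", "3DES", "MD5"}  # deprecated for IKE/ESP under this example's policy
MIN_DH_GROUP = 14                    # 2048-bit MODP; groups 1, 2 and 5 are smaller

def fgt_setting(cli, key):
    """Tokens after 'set <key>' in a FortiOS CLI fragment ([] if the line is absent)."""
    m = re.search(rf"^\s*set {re.escape(key)} (.+?)\s*$", cli, re.M)
    return [t.strip('"') for t in m.group(1).split()] if m else []

def proposals(conn, section):
    """{(cipher, hash)} from <section>/<proposals>/<proposal> entries written 'ENC|HASH'."""
    return {tuple((p.text or "").strip().upper().partition("|")[::2])
            for p in conn.iterfind(f"./{section}/proposals/proposal")}

def startup_findings(root):
    """The chain the article relies on: on_os_start_connect names an existing ipsecvpn
    connection that is machine-scoped, kept running and offered before Windows logon."""
    opts = root.find("./vpn/options")
    target = opts.findtext("on_os_start_connect", "").strip() if opts is not None else ""
    if not target:
        return ["on_os_start_connect is empty: no tunnel is started at boot"]
    conn = next((c for c in root.iterfind("./vpn/ipsecvpn/connections/connection")
                 if c.findtext("name", "").strip() == target), None)
    if conn is None:
        return [f"on_os_start_connect names '{target}' but no ipsecvpn connection has that name"]
    out = [f"connection '{target}': <{tag}> must be 1 for a pre-logon, always-up tunnel"
           for tag in ("machine", "keep_running") if conn.findtext(tag, "0").strip() != "1"]
    if opts.findtext("show_vpn_before_logon", "0").strip() != "1":
        out.append("show_vpn_before_logon is 0: the tunnel is not offered before Windows logon")
    out += [f"{tag} differs from on_os_start_connect ('{target}')"
            for tag in ("autoconnect_tunnel", "current_connection_name")
            if opts.findtext(tag, "").strip() != target]
    return out

def crypto_findings(conn, fgt_cli):
    """Weak algorithms, aggressive-mode PSK, and client/FortiGate phase 1 drift."""
    out = []
    for section, label in (("ike_settings", "IKE"), ("ipsec_settings", "IPsec")):
        weak = sorted(f"{e}|{h}" for e, h in proposals(conn, section) if {e, h} & WEAK_ALGS)
        if weak:
            out.append(f"{label} proposals use deprecated algorithms: {', '.join(weak)}")
        dh = conn.findtext(f"./{section}/dhgroup", "").strip()
        if dh.isdigit() and int(dh) < MIN_DH_GROUP:
            out.append(f"{label} DH group {dh} is below group {MIN_DH_GROUP} (2048-bit MODP)")
    ike = conn.find("ike_settings")
    if (ike.findtext("mode", "").strip().lower() == "aggressive" and
            ike.findtext("authentication_method", "").strip().lower() == "preshared key"):
        out.append("IKEv1 aggressive mode with a preshared key: the PSK-derived responder hash "
                   "travels unencrypted and can be brute-forced offline")
    # Phase 1 must agree on both ends or the tunnel never comes up at boot.
    fgt = {tuple(t.upper().partition("-")[::2]) for t in fgt_setting(fgt_cli, "proposal")}
    if fgt and fgt != proposals(conn, "ike_settings"):
        out.append(f"phase1 proposal drift: client {sorted(proposals(conn, 'ike_settings'))}, "
                   f"FortiGate {sorted(fgt)}")
    for xml_tag, fgt_key in (("mode", "mode"), ("key_life", "keylife"), ("dhgroup", "dhgrp")):
        want = ike.findtext(xml_tag, "").strip().lower()
        have = [v.lower() for v in fgt_setting(fgt_cli, fgt_key)]
        if have and want not in have:
            out.append(f"phase1 {fgt_key} drift: client {want!r}, FortiGate {have}")
    return out

def lint_profile(xml_text, fgt_cli):
    """All findings for one profile/FortiGate pair; an empty list means clean."""
    root = ET.fromstring(xml_text)
    target = root.findtext("./vpn/options/on_os_start_connect", "").strip()
    findings = startup_findings(root)
    for conn in root.iterfind("./vpn/ipsecvpn/connections/connection"):
        if conn.findtext("name", "").strip() == target:
            findings += crypto_findings(conn, fgt_cli)
    return findings

if __name__ == "__main__":
    print("\n".join(lint_profile(PROFILE_XML, FGT_PHASE1)) or "clean")
```

Run against the embedded sample, the startup chain and the phase 1 cross-check come back clean and the only findings are the deprecated proposals, DH group 5 and the aggressive-mode PSK; renaming the connection or changing a FortiGate proposal line produces the corresponding drift finding. To lint a real export, read the profile file into xml_text and paste the FortiGate phase1-interface block into fgt_cli.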
Copyright 2025 Fortinet, Inc. All Rights Reserved.