
Created on 08-11-2023 06:21 AM
Edited on 03-13-2025 07:17 AM
By dwickramasinghe
Description:
This article describes how to have FortiClient bring up its VPN automatically at PC startup.

Scope:
FortiClient EMS v7.2.1 and FortiClient v7.0.9 and v7.2.1.

Solution:
When using FortiClient EMS, some administrators have trouble getting the FortiClient VPN to start automatically when the PC is switched on, so that the user can log in to the domain over the tunnel.
The configuration below resolves this. It covers the VPN settings on the EMS server (the XML profile pushed to the endpoint) and on the FortiGate (phase 1 and phase 2). With it, the tunnel comes up automatically when the PC starts, without any user interaction, and stays up after the Windows user logs off. It was tested with FortiClient EMS v7.2.1 and FortiClient v7.0.9 and v7.2.1, and it also works on Android. The configuration is for a dial-up IPsec VPN, but many of the settings apply to SSL VPN as well.

The elements that produce the startup behaviour are <machine>1</machine> (the tunnel is a machine tunnel, established by the FortiClient service rather than by a logged-on user), <keep_running>1</keep_running> (the tunnel is re-established and kept up after logoff), <show_vpn_before_logon>1</show_vpn_before_logon>, and the three options <on_os_start_connect>, <current_connection_name> and <autoconnect_tunnel>, which must all carry the connection's <name> exactly (TUNNEL_NAME in this example; a name that differs in any of the four places means nothing connects at boot). Values that must agree between the two sides: the FortiClient <localid> and the FortiGate peerid, the pre-shared key, the IKE mode (aggressive), DH group 5 in both phases, the phase 1 proposals and key_life 43200, and the phase 2 proposals and key_life_seconds 500 (keylifeseconds on the FortiGate).

Two cautions before reusing it as printed. The proposals (DES, 3DES, MD5) and DH group 5 are weak by current standards, and IKEv1 aggressive mode with a pre-shared key lets anyone who captures the exchange attempt offline guessing of the PSK; since XAuth is disabled, that one PSK, shared by every endpoint that receives the profile, is the tunnel's only authentication. Prefer AES with SHA-256 (or AES-GCM) proposals, DH group 14 or higher, and main mode or IKEv2 with certificate authentication where the FortiClient and FortiOS versions in use support them. Also, the SSL VPN options here set <disallow_invalid_server_certificate> and <warn_invalid_server_certificate> to 0; that is inert while SSL VPN is disabled in the profile, but set both to 1 if the profile is adapted for SSL VPN, otherwise the client will silently accept a spoofed gateway certificate.

EMS profile (XML):

<?xml version="1.0" ?>
<forticlient_configuration>
  <vpn>
    <enabled>1</enabled>
    <sslvpn>
      <options>
        <enabled>0</enabled>
        <dnscache_service_control>0</dnscache_service_control>
        <prefer_sslvpn_dns>1</prefer_sslvpn_dns>
        <disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
        <warn_invalid_server_certificate>0</warn_invalid_server_certificate>
        <no_dns_registration>0</no_dns_registration>
      </options>
      <connections/>
    </sslvpn>
    <ipsecvpn>
      <options>
        <enabled>1</enabled>
        <use_win_current_user_cert>0</use_win_current_user_cert>
        <use_win_local_computer_cert>1</use_win_local_computer_cert>
        <beep_if_error>1</beep_if_error>
        <usewincert>1</usewincert>
        <uselocalcert>0</uselocalcert>
        <usesmcardcert>0</usesmcardcert>
        <block_ipv6>1</block_ipv6>
        <enable_udp_checksum>0</enable_udp_checksum>
        <disable_default_route>0</disable_default_route>
        <show_auth_cert_only>0</show_auth_cert_only>
        <check_for_cert_private_key>0</check_for_cert_private_key>
        <enhanced_key_usage_mandatory>0</enhanced_key_usage_mandatory>
        <no_dns_registration>0</no_dns_registration>
      </options>
      <connections>
        <connection>
          <name>TUNNEL_NAME</name>
          <machine>1</machine>
          <keep_running>1</keep_running>
          <disclaimer_msg/>
          <sso_enabled>0</sso_enabled>
          <single_user_mode>0</single_user_mode>
          <type>manual</type>
          <ui>
            <show_remember_password>1</show_remember_password>
            <show_alwaysup>1</show_alwaysup>
            <show_autoconnect>1</show_autoconnect>
            <show_passcode>0</show_passcode>
            <save_username>0</save_username>
          </ui>
          <redundant_sort_method>0</redundant_sort_method>
          <tags>
            <allowed/>
            <prohibited></prohibited>
          </tags>
          <host_check_fail_warning><![CDATA[YYY.]]></host_check_fail_warning>
          <ike_settings>
            <server>YYYY</server>
            <authentication_method>Preshared Key</authentication_method>
            <fgt>1</fgt>
            <prompt_certificate>0</prompt_certificate>
            <xauth>
              <use_otp>0</use_otp>
              <enabled>0</enabled>
              <prompt_username>0</prompt_username>
              <username/>
            </xauth>
            <version>1</version>
            <mode>aggressive</mode>
            <key_life>43200</key_life>
            <localid>YYYYYYY</localid>
            <implied_SPDO>1</implied_SPDO>
            <implied_SPDO_timeout>2</implied_SPDO_timeout>
            <nat_traversal>1</nat_traversal>
            <enable_local_lan>1</enable_local_lan>
            <enable_ike_fragmentation>1</enable_ike_fragmentation>
            <mode_config>1</mode_config>
            <dpd>1</dpd>
            <dpd_retry_count>3</dpd_retry_count>
            <dpd_retry_interval>3</dpd_retry_interval>
            <run_fcauth_system>1</run_fcauth_system>
            <auth_data>
              <preshared_key>YYY</preshared_key>
            </auth_data>
            <dhgroup>5</dhgroup>
            <proposals>
              <proposal>DES|SHA1</proposal>
              <proposal>3DES|MD5</proposal>
            </proposals>
            <nat_alive_freq>5</nat_alive_freq>
          </ike_settings>
          <ipsec_settings>
            <remote_networks>
              <network>
                <addr>0.0.0.0</addr>
                <mask>0.0.0.0</mask>
              </network>
              <network>
                <addr>::/0</addr>
                <mask>::/0</mask>
              </network>
            </remote_networks>
            <dhgroup>5</dhgroup>
            <key_life_type>seconds</key_life_type>
            <key_life_seconds>500</key_life_seconds>
            <key_life_Kbytes>5200</key_life_Kbytes>
            <replay_detection>1</replay_detection>
            <pfs>1</pfs>
            <use_vip>1</use_vip>
            <virtualip>
              <type>modeconfig</type>
              <ip>0.0.0.0</ip>
              <mask>0.0.0.0</mask>
              <dnsserver>0.0.0.0</dnsserver>
              <winserver>0.0.0.0</winserver>
            </virtualip>
            <proposals>
              <proposal>DES|MD5</proposal>
              <proposal>3DES|SHA1</proposal>
            </proposals>
          </ipsec_settings>
          <warn_invalid_server_certificate>1</warn_invalid_server_certificate>
          <android_cert_path/>
          <on_connect>
            <script>
              <os>windows</os>
              <script/>
            </script>
          </on_connect>
          <on_disconnect>
            <script>
              <os>windows</os>
              <script/>
            </script>
          </on_disconnect>
          <traffic_control>
            <enabled>1</enabled>
            <mode>2</mode>
            <isdb_objects>
              <object>
                <owner>28</owner>
                <app>109</app>
              </object>
              <object>
                <owner>28</owner>
                <app>100</app>
              </object>
              <object>
                <owner>19</owner>
                <app>293</app>
              </object>
            </isdb_objects>
            <apps>
              <app>teamviewer.exe</app>
            </apps>
          </traffic_control>
        </connection>
      </connections>
    </ipsecvpn>
    <lockdown>
      <enabled>0</enabled>
      <grace_period>120</grace_period>
      <max_attempts>3</max_attempts>
      <exceptions>
        <apps/>
        <ips/>
      </exceptions>
    </lockdown>
    <options>
      <allow_personal_vpns>0</allow_personal_vpns>
      <disable_connect_disconnect>0</disable_connect_disconnect>
      <show_vpn_before_logon>1</show_vpn_before_logon>
      <use_legacy_vpn_before_logon>0</use_legacy_vpn_before_logon>
      <keep_running_max_tries>2</keep_running_max_tries>
      <minimize_window_on_connect>0</minimize_window_on_connect>
      <use_windows_credentials>0</use_windows_credentials>
      <show_negotiation_wnd>1</show_negotiation_wnd>
      <suppress_vpn_notification>0</suppress_vpn_notification>
      <secure_remote_access>1</secure_remote_access>
      <on_os_start_connect>TUNNEL_NAME</on_os_start_connect>
      <on_os_start_connect_has_priority>1</on_os_start_connect_has_priority>
      <autoconnect_only_when_offnet>0</autoconnect_only_when_offnet>
      <autoconnect_on_install>1</autoconnect_on_install>
      <current_connection_name>TUNNEL_NAME</current_connection_name>
      <current_connection_type>ipsec</current_connection_type>
      <autoconnect_tunnel>TUNNEL_NAME</autoconnect_tunnel>
    </options>
  </vpn>
  <endpoint_control>
    <ui>
      <display_vpn>1</display_vpn>
    </ui>
  </endpoint_control>
</forticlient_configuration>

FortiGate side (CLI):
Phase 1:
config vpn ipsec phase1-interface
    edit "VPN_FORTIGATE"
        set type dynamic
        set interface "WAN"
        set keylife 43200
        set mode aggressive
        set peertype one
        set net-device disable
        set mode-cfg enable
        set proposal des-sha1 3des-md5
        set dpd on-idle
        set dhgrp 5
        set idle-timeout enable
        set idle-timeoutinterval 120
        set peerid "YYYYY"
        set ipv4-start-ip YYYYY
        set ipv4-end-ip YYYYY
        set dns-mode auto
        set unity-support disable
        set psksecret YYYYYYYYYYYYYYY
        set dpd-retryinterval 10
    next
end

Phase 2:
config vpn ipsec phase2-interface
    edit "VPN_FORTIGATE_2"
        set phase1name "VPN_FORTIGATE"
        set proposal des-md5 3des-sha1
        set dhgrp 5
        set keepalive enable
        set keylifeseconds 500
    next
end
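To check a profile and FortiGate pair like the one above before pushing it to endpoints, here is an added example (not Fortinet's code and not part of the original article). It parses a trimmed copy of the EMS profile and of the phase 1 / phase 2 CLI, then reports three kinds of problem: autoconnect options that do not name an existing machine tunnel, values that differ between FortiClient and FortiGate (IKE mode, DH groups, lifetimes, proposals, local ID versus peer ID), and weak cryptography in the proposals. Both samples are constructed from the article's settings with its placeholders kept as printed; because the printed <localid> and peerid placeholders differ in length, the check reports a peer-ID mismatch, which is exactly the kind of error it exists to catch. The weak-algorithm list and the DH-group floor are the reviewer's choices, not Fortinet defaults.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the article's EMS profile cut down to the elements the checks read.
PROFILE_XML = """<forticlient_configuration><vpn>
 <ipsecvpn><connections><connection>
  <name>TUNNEL_NAME</name><machine>1</machine><keep_running>1</keep_running>
  <ike_settings><authentication_method>Preshared Key</authentication_method>
   <mode>aggressive</mode><key_life>43200</key_life><localid>YYYYYYY</localid><dhgroup>5</dhgroup>
   <proposals><proposal>DES|SHA1</proposal><proposal>3DES|MD5</proposal></proposals></ike_settings>
  <ipsec_settings><dhgroup>5</dhgroup><key_life_seconds>500</key_life_seconds>
   <proposals><proposal>DES|MD5</proposal><proposal>3DES|SHA1</proposal></proposals></ipsec_settings>
 </connection></connections></ipsecvpn>
 <options><show_vpn_before_logon>1</show_vpn_before_logon>
  <on_os_start_connect>TUNNEL_NAME</on_os_start_connect><autoconnect_tunnel>TUNNEL_NAME</autoconnect_tunnel>
 </options></vpn></forticlient_configuration>"""

# Constructed sample: the article's FortiGate CLI with its placeholder peerid kept as printed.
FORTIGATE_CLI = """config vpn ipsec phase1-interface
    edit "VPN_FORTIGATE"
        set mode aggressive
        set keylife 43200
        set proposal des-sha1 3des-md5
        set dhgrp 5
        set peerid "YYYYY"
    next
end
config vpn ipsec phase2-interface
    edit "VPN_FORTIGATE_2"
        set proposal des-md5 3des-sha1
        set dhgrp 5
        set keylifeseconds 500
    next
end"""

WEAK_ALGS = {"des", "3des", "md5"}  # reviewer's list, not a Fortinet setting
MIN_DH_GROUP = 14                   # reviewer's floor (2048-bit MODP), not a Fortinet setting

def parse_fortios(cli):
    """Turn 'config ... / edit ... / set k v' text into {section: {name: {k: v}}}."""
    tree, section, entry = {}, None, None
    for tok in (line.split() for line in cli.splitlines()):
        if tok and tok[0] == "config":
            section = tree.setdefault(" ".join(tok[1:]), {})
        elif tok and tok[0] == "edit":
            entry = section.setdefault(tok[1].strip('"'), {})
        elif tok and tok[0] == "set":
            entry[tok[1]] = " ".join(t.strip('"') for t in tok[2:])
    return tree

def proposals(node):
    """FortiClient writes ENC|HASH, FortiOS writes enc-hash: normalise to the latter and sort."""
    return sorted(p.text.lower().replace("|", "-") for p in node.findall("proposals/proposal"))

def audit(profile_xml, cli):
    """Return a list of findings; an empty list means the pair is consistent and sane."""
    findings = []
    root = ET.fromstring(profile_xml)
    opts = root.find("vpn/options")
    conns = {c.findtext("name"): c for c in root.findall("vpn/ipsecvpn/connections/connection")}
    fg = parse_fortios(cli)
    p1, p2 = (next(iter(fg[s].values())) for s in ("vpn ipsec phase1-interface", "vpn ipsec phase2-interface"))
    # (1) Autoconnect wiring: the options must name a real <connection>, and that connection
    #     must be a machine tunnel that keeps running after the Windows user logs off.
    tunnel = opts.findtext("on_os_start_connect")
    findings += [f"{t}={opts.findtext(t)!r} names no <connection><name>"
                 for t in ("on_os_start_connect", "autoconnect_tunnel") if opts.findtext(t) not in conns]
    if opts.findtext("show_vpn_before_logon") != "1":
        findings.append("show_vpn_before_logon is not 1")
    conn = conns.get(tunnel)
    if conn is None:
        return findings
    findings += [f"<{t}> is not 1 on {tunnel}" for t in ("machine", "keep_running") if conn.findtext(t) != "1"]
    # (2) Values both ends must agree on, or IKE negotiation fails.
    ike, esp = conn.find("ike_settings"), conn.find("ipsec_settings")
    pairs = [
        ("phase1 mode", ike.findtext("mode"), p1.get("mode")),
        ("phase1 dhgrp", ike.findtext("dhgroup"), p1.get("dhgrp")),
        ("phase1 keylife", ike.findtext("key_life"), p1.get("keylife")),
        ("phase1 proposals", proposals(ike), sorted(p1.get("proposal", "").split())),
        ("peer id", ike.findtext("localid"), p1.get("peerid")),
        ("phase2 dhgrp", esp.findtext("dhgroup"), p2.get("dhgrp")),
        ("phase2 keylife", esp.findtext("key_life_seconds"), p2.get("keylifeseconds")),
        ("phase2 proposals", proposals(esp), sorted(p2.get("proposal", "").split())),
    ]
    findings += [f"{w} mismatch: FortiClient={c!r} FortiGate={g!r}" for w, c, g in pairs if c != g]
    # (3) Cryptographic hygiene of what the profile is willing to negotiate.
    for what, props in (("phase1", proposals(ike)), ("phase2", proposals(esp))):
        weak = sorted({a for p in props for a in p.split("-") if a in WEAK_ALGS})
        if weak:
            findings.append(f"{what} proposals use weak algorithms: {', '.join(weak)}")
    if ike.findtext("mode") == "aggressive" and ike.findtext("authentication_method") == "Preshared Key":
        findings.append("IKEv1 aggressive mode with PSK exposes the PSK hash to offline guessing")
    if int(ike.findtext("dhgroup")) < MIN_DH_GROUP:
        findings.append(f"phase1 DH group {ike.findtext('dhgroup')} is below group {MIN_DH_GROUP}")
    return findings

if __name__ == "__main__":
    print(*audit(PROFILE_XML, FORTIGATE_CLI), sep="\n")
```

Run as a script it prints one line per finding; for the samples above that is the peer-ID mismatch, the weak DES/3DES/MD5 proposals in both phases, the aggressive-mode-with-PSK warning and the DH group 5 warning. To audit a live deployment, replace PROFILE_XML with the profile exported from EMS and FORTIGATE_CLI with the output of show vpn ipsec phase1-interface and show vpn ipsec phase2-interface on the FortiGate; the parser ignores next/end lines and quoted values, so the output can be pasted as-is.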