FortiClient
mforbes
Staff
Article Id 195552

Description

This article explains how to configure FortiClient to auto-connect to a VPN tunnel.


Scope


All FortiClient versions.
All FortiGates.
All FortiClient EMS versions.


Solution

 
Auto-connecting a VPN tunnel requires preliminary configuration on both the FortiGate and the FortiClient.
 
Only one tunnel can be set to auto-connect.
 
FortiGate.
 
SSL VPN Web Portal Tunnel Mode Settings:
 
[Screenshot: SSL VPN portal Tunnel Mode Settings]
 
config vpn ssl web portal
    edit "full-access"
        set auto-connect enable
        set keep-alive enable
        set save-password enable
    next
end
 
IPSec VPN Dial-up Settings.
 
Enabling the 'Save Password', 'Auto Connect', and 'Always UP' options in the GUI is only possible when initially creating the VPN tunnel.
 
[Screenshot: IPsec VPN Dial-up Settings]
 
Afterwards, modifying or disabling the 'Save Password', 'Auto Connect' and 'Always UP' options is only possible through the CLI.
 
config vpn ipsec phase1-interface
    edit "FortiClients"
        set xauthtype auto
        set reauth disable
        set authusrgrp "VPNUsers"
        set save-password enable
        set client-auto-negotiate enable
        set client-keep-alive disable
        set psksecret ENC   "tunnel_password"
        set keepalive 10
    next
end
 
FortiClient.
 
On non-managed installations, enabling the 'Auto Connect', 'Always UP' or 'Save Password' options can only be done by editing the FortiClient XML configuration file.
 
  1. From the FortiClient GUI, go to File -> Settings -> System.
  2. Back up the configuration.
  3. Edit the backup XML configuration file.
  4. Locate the VPN tunnel section.
  5. Locate the <show_remember_password>, <show_alwaysup>, and <show_autoconnect> tags.
  6. Enable the options by setting the value of each tag to 1.
  7. Save the XML configuration.
  8. Restore the configuration to FortiClient.

Note: Auto-connection settings only take effect on FortiClient after the first tunnel connection.

 
For example:
 
<?xml version="1.0" encoding="utf-8"?>
<forticlient_configuration generatedby="EMS-1.0.3.0107" policy="VPN_Only">
    <version>5.4.1</version>
    <vpn>
        <sslvpn>
            <connections>
                <connection>
                    <name>
                        <![CDATA[172.17.97.156_SSL]]>
                    </name>
                    <server>172.17.97.156:10443</server>
                    <username />
                    <password />
                    <prompt_username>1</prompt_username>
                    <ui>
                        <show_remember_password>1</show_remember_password>
                        <show_alwaysup>1</show_alwaysup>
                        <show_autoconnect>1</show_autoconnect>
                    </ui>
                </connection>
            </connections>
        </sslvpn>
        <ipsecvpn>
            <connections>
                <connection>
                    <name>
                        <![CDATA[172.17.97.156_IPSec]]>
                    </name>
                    <type>manual</type>
                    <ui>
                        <show_remember_password>1</show_remember_password>
                        <show_alwaysup>1</show_alwaysup>
                        <show_autoconnect>1</show_autoconnect>
                        <show_passcode>1</show_passcode>
                    </ui>
                </connection>
            </connections>
        </ipsecvpn>
        <options>
            <autoconnect_tunnel>[tunnel_name]</autoconnect_tunnel>  <!-- Name of the single tunnel to auto-connect. -->
            <autoconnect_only_when_offnet>1</autoconnect_only_when_offnet>  <!-- Auto-connect the VPN tunnel only when off-net. -->
            <disable_connect_disconnect>1</disable_connect_disconnect>  <!-- Prevent disconnection. -->
            <show_vpn_before_logon>1</show_vpn_before_logon>  <!-- Optional. -->
            <use_legacy_vpn_before_logon>1</use_legacy_vpn_before_logon>  <!-- Optional. -->
            <keep_running_max_tries>0</keep_running_max_tries>  <!-- Retry count. -->
            <use_windows_credentials>1</use_windows_credentials>  <!-- Use Windows LDAP credentials for both the VPN tunnel and Windows logon. -->
        </options>
    </vpn>
</forticlient_configuration>
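As an added example (not part of the original article and not Fortinet tooling), the following Python script applies steps 3 to 7 above to an exported FortiClient backup: it enables the three <ui> flags on the named tunnel and records that tunnel in <vpn>/<options>/<autoconnect_tunnel>, refusing to proceed unless exactly one connection matches the name, since only one tunnel may auto-connect. The embedded SAMPLE backup and the tunnel names HQ_SSL and HQ_IPSec are constructed; only the tag names come from the article's XML.

```python
import xml.etree.ElementTree as ET

# The three <ui> tags named in steps 5-6 of the article.
UI_FLAGS = ("show_remember_password", "show_alwaysup", "show_autoconnect")

# Constructed sample of an exported FortiClient backup (trimmed; not a real export).
SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<forticlient_configuration><vpn>
  <sslvpn><connections>
    <connection><name><![CDATA[HQ_SSL]]></name>
      <ui><show_autoconnect>0</show_autoconnect></ui></connection>
  </connections></sslvpn>
  <ipsecvpn><connections>
    <connection><name><![CDATA[HQ_IPSec]]></name><type>manual</type></connection>
  </connections></ipsecvpn>
  <options><autoconnect_tunnel>HQ_IPSec</autoconnect_tunnel></options>
</vpn></forticlient_configuration>"""

def _set(parent, tag, value):
    """Create <tag> under parent if it is missing, then set its text."""
    node = parent.find(tag)
    if node is None:
        node = ET.SubElement(parent, tag)
    node.text = value

def enable_autoconnect(xml_text, tunnel):
    """Enable the three UI flags on `tunnel` and record it as the single
    auto-connect tunnel in <vpn>/<options>; returns the edited backup."""
    root = ET.fromstring(xml_text)
    vpn = root.find("vpn")
    # Step 4: find the tunnel by name in either the SSL or the IPsec connection list.
    hits = [c for c in vpn.iter("connection")
            if (c.findtext("name") or "").strip() == tunnel]
    if len(hits) != 1:
        raise ValueError(f"tunnel {tunnel!r} not found exactly once")
    ui = hits[0].find("ui")
    if ui is None:
        ui = ET.SubElement(hits[0], "ui")
    for flag in UI_FLAGS:                    # steps 5-6: value 1 enables each option
        _set(ui, flag, "1")
    options = vpn.find("options")
    if options is None:
        options = ET.SubElement(vpn, "options")
    _set(options, "autoconnect_tunnel", tunnel)   # only one tunnel may auto-connect
    # ET drops the declaration; put it back before the file is restored (step 8).
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode")

def autoconnect_tunnel(xml_text):
    """Read back which tunnel, if any, the backup sets to auto-connect."""
    return ET.fromstring(xml_text).findtext("vpn/options/autoconnect_tunnel")
```

Run it against a real backup by reading the exported file into `enable_autoconnect` and writing the result to a new file, then restore that file in step 8.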
 
FortiClient EMS.
 
When using FortiClient EMS to push Profiles, enable the 'Remember Password', 'Always Up', and 'Auto Connect' options under the VPN tunnel settings.
  1. Locate the Policy.
  2. Edit the tunnel.
  3. Go to Advanced Settings.
  4. Enable the 'Remember Password', 'Always Up' and 'Auto Connect' options.
  5. Save the Profile.
  6. Sync the Profile to the endpoints.
 
IPSec VPN Tunnel:
 
[Screenshot: EMS IPsec VPN Tunnel advanced settings]
 
SSL VPN Tunnel:
 
[Screenshot: EMS SSL VPN Tunnel advanced settings]
 

Note:

The following features are not supported in the FortiClient v6.2.X - v7.0.2 free versions:

  • VPN auto-connect/always-up.
  • VPN before logon.
  • On-net/off-net detection.
  • Host check features.
  • Central management.
  • Feedback option and diagnostic tool under the Help/Info page.
  • IKEv2 (not supported in the FortiClient 6.2.x free version).
  • TAC support.