fwilliams
Article Id 280212
Description This article describes how to configure an IPSec VPN between a FortiGate in NGFW Mode: policy-based and FortiClient.
Scope FortiOS/FortiGate in NGFW Mode: policy-based.
Solution

This demonstration made use of the free version of FortiClient.

 

fct1.JPG

 

Once FortiGate is set to NGFW Mode: Policy-based, the VPN -> IPSec Wizard tab is no longer available, so the VPN to FortiClient can no longer be created with the wizard as it can be in profile-based mode.

 

Follow these steps when it is necessary to create an IPSec VPN to FortiClient with FortiGate in policy-based mode.

 

Step 1:

Create an address pool or range for the FortiClient users (make sure these addresses are not in use elsewhere on the network); this can also be done in the GUI.

 

config firewall address
    edit FortiClient-IP
        set type iprange
        set start-ip 10.200.200.1    <- First assignable IP.
        set end-ip 10.200.200.40     <- Choose a range that suits the deployment.
    next
end

 

Step 2:

Determine which LAN subnet the FortiClient users should be permitted to access (if there is more than one subnet, create an address group and add all the subnets to it).

 

config firewall address
    edit "LAN"
        set subnet 10.100.100.0/24  <- FortiClient users will have access to this network.
    next
end

 

Step 3:

Create the user/user group.

 

config user local
    edit "FortiClient_IPSec"  <- Local user account.
        set type password
        set passwd xxxxxx
    next
end

config user group
    edit "FortiClient_GROUP"  <- User group.
        set member "FortiClient_IPSec"  <- Group member.
    next
end

 

Step 4:

Configure IPSec VPN phase 1 and phase 2.

 

config vpn ipsec phase1-interface
    edit "FCT-IPSec"
        set type dynamic
        set interface port1
        set mode aggressive
        set peertype one
        set net-device enable
        set mode-cfg enable
        set proposal aes128-sha1
        set dpd on-idle
        set xauthtype auto
        set authusrgrp "FortiClient_GROUP"    <- The user group.
        set peerid "FortiClient_IPSec_ID"    <- Configure this ID in FortiClient settings.
        set assign-ip-from name
        set dns-mode auto
        set ipv4-split-include "LAN"    <- Network which FortiClient users can access.
        set ipv4-name "FortiClient-IP"    <- IP address range that is assigned to FortiClient users.
        set save-password enable
        set psksecret "strong_pwd"
        set dpd-retryinterval 60
    next
end

config vpn ipsec phase2-interface
    edit FCT-IPSec
        set phase1name FCT-IPSec
        set proposal aes128-sha1   <- Choose the algorithm that is desired.
    next
end

 

 

It is also possible to configure IKE version 2 instead.

 

Step 5:

Configure Firewall Policies.

Because the FortiGate is in NGFW Mode: Policy-based, two policies are required: a security policy and a firewall policy.

 


1. Security policy:

config firewall security-policy
    edit 0
        set name "name"
        set srcintf "FCT-IPSec"  <- IPSec tunnel interface.
        set dstintf "FCT-IPSec"  <- IPSec tunnel interface.
        set srcaddr "all"    <- Choose the relevant address.
        set dstaddr "all"
        set enforce-default-app-port disable
        set service "ALL"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end

2. Firewall policy:

config firewall policy
    edit 0
        set name "name"
        set srcintf "FCT-IPSec"   <- IPSec tunnel interface.
        set dstintf "LAN"   <- Interface connecting the subnet/resource that FortiClient users will access.
        set srcaddr "FortiClient-IP"   <- Address pool for FortiClient users.
        set dstaddr "LAN"   <- Internal/app address.
        set service "ALL"    <- Choose the desired service.
    next
end
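As an added consistency check for steps 1, 2, 4 and 5 (example code written here, not Fortinet's or the article's own), the following Python script parses the CLI snippets above and verifies that ipv4-name and ipv4-split-include point at defined firewall addresses, that the FortiClient pool does not overlap the LAN it is given access to (the caveat in step 1), and that the firewall policy's srcaddr is the tunnel's pool; it also flags aggressive mode with a pre-shared key and SHA1 proposals as items to review. The names parse_fortios, address_networks, check_config and SAMPLE_CONFIG are chosen for this example; SAMPLE_CONFIG is constructed from the page's snippets with the annotations stripped, and the parser understands only the flat config/edit/set/next/end layout used on this page.

```python
"""Consistency checks for the FortiOS CLI snippets in steps 1, 2, 4 and 5.
Added example, not Fortinet's code: parse_fortios() understands only the flat
config/edit/set/next/end layout used on this page; SAMPLE_CONFIG is constructed
from the page's snippets with the annotations removed."""
import ipaddress
import shlex

SAMPLE_CONFIG = """
config firewall address
    edit "FortiClient-IP"
        set type iprange
        set start-ip 10.200.200.1
        set end-ip 10.200.200.40
    next
    edit "LAN"
        set subnet 10.100.100.0/24
    next
end
config vpn ipsec phase1-interface
    edit "FCT-IPSec"
        set type dynamic
        set mode aggressive
        set proposal aes128-sha1
        set ipv4-split-include "LAN"
        set ipv4-name "FortiClient-IP"
        set psksecret "strong_pwd"
    next
end
config firewall policy
    edit 0
        set srcintf "FCT-IPSec"
        set dstintf "LAN"
        set srcaddr "FortiClient-IP"
        set dstaddr "LAN"
    next
end
"""

def parse_fortios(text):
    """Return {table: {entry: {key: [values]}}}; values keep their CLI order."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        tok = shlex.split(raw)
        if not tok:
            continue
        if tok[0] == "config":
            table = " ".join(tok[1:])
            tables.setdefault(table, {})
        elif tok[0] == "edit":
            entry = tables[table].setdefault(tok[1], {})
        elif tok[0] == "set":
            entry[tok[1]] = tok[2:]
        elif tok[0] == "next":
            entry = None
        elif tok[0] == "end":
            table, entry = None, None
    return tables

def address_networks(addr):
    """IPv4 networks covered by a firewall address of type iprange or subnet."""
    if addr.get("type", ["subnet"])[0] == "iprange":
        start = ipaddress.IPv4Address(addr["start-ip"][0])
        end = ipaddress.IPv4Address(addr["end-ip"][0])
        return list(ipaddress.summarize_address_range(start, end))
    # "10.100.100.0/24" and "10.100.100.0 255.255.255.0" both parse this way
    return [ipaddress.IPv4Network("/".join(addr["subnet"]), strict=False)]

def check_config(tables):
    """Return (errors, warnings): dangling references, pool overlap, legacy choices."""
    errors, warnings = [], []
    addresses = tables.get("firewall address", {})
    phase1s = tables.get("vpn ipsec phase1-interface", {})
    for name, p1 in phase1s.items():
        pool = p1.get("ipv4-name", [""])[0]
        if pool not in addresses:
            errors.append(f"{name}: ipv4-name {pool!r} is not a firewall address")
        for inc in p1.get("ipv4-split-include", []):
            if inc not in addresses:
                errors.append(f"{name}: ipv4-split-include {inc!r} is not a firewall address")
            elif pool in addresses:  # step 1 caveat: the pool must not collide with the LAN
                for a in address_networks(addresses[pool]):
                    for b in address_networks(addresses[inc]):
                        if a.overlaps(b):
                            errors.append(f"{name}: pool {pool} overlaps {inc} ({a} vs {b})")
        if p1.get("mode", ["main"])[0] == "aggressive" and "psksecret" in p1:
            warnings.append(f"{name}: aggressive mode with a PSK; use a long random secret")
        for prop in p1.get("proposal", []):
            if prop.endswith(("-sha1", "-md5")):
                warnings.append(f"{name}: proposal {prop} uses a legacy hash")
    for pid, pol in tables.get("firewall policy", {}).items():
        for intf in pol.get("srcintf", []):
            if intf in phase1s:  # tunnel-facing policy: srcaddr must be that tunnel's pool
                expected = phase1s[intf].get("ipv4-name", [""])[0]
                if pol.get("srcaddr", []) != [expected]:
                    errors.append(f"policy {pid}: srcaddr should be {expected!r}")
    return errors, warnings
```

Running check_config(parse_fortios(SAMPLE_CONFIG)) on the page's values returns no errors and two warnings (aggressive mode with a PSK, and the SHA1 proposal); changing the pool to 10.100.100.x reports the overlap with the LAN address, and pointing srcaddr at "all" in the firewall policy reports the mismatch with the tunnel's pool. To check a real unit, paste the output of `show firewall address`, `show vpn ipsec phase1-interface` and `show firewall policy` into SAMPLE_CONFIG.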

 

Step 6:

Configure FortiClient Settings:

 

fct3.JPG

 

fct4.JPG

 

fct5.JPG

 

Step 7:

Verifications:

 

fct6.JPG

 

fct7.JPG

 

fct8.JPG

 

fct9.JPG