Scenario:

Create an IPsec VPN with the VPN Wizard on FortiGate:

• Select the VPN type (Remote Access was chosen in this case).

• Use a client pool with approximately 20 IP addresses:

  • Pool range: 192.168.100.20 to 192.168.100.40

Version 7.6.2:

The incoming interface (connected to the Internet) and the local interface (connected to the LAN) must be declared. A pool for remote user connections must be created, along with user/group access for remote connections. The Split Tunneling option ensures internal resources remain reachable.

Configure the IPsec VPN parameters and policies, then validate the configuration.

Lower versions than 7.6.x.

The configuration remains similar to version 7.6.x, but the GUI differs (e.g., classic view in 7.4.7).

After using the VPN Wizard, navigate to VPN -> IPsec Tunnels and double-click the VPN to verify parameters. Ensure XAUTH is enabled in the wizard to match the user group for VPN access.

Phase 2 Selector Parameters:

• Proposals: AES-256, SHA-256.

• Diffie-Hellman Group: 5.

Configuration Validation:

Use FortiClient 7.4.3 (compatible with these FortiGate versions).

Replicate same parameters on it. 

Parameters on FortiClient:

Testing Connectivity:

On a Windows device:

• Ping the LAN's default gateway behind the FortiGate.

• Execute route print to confirm the internal segment is reachable via the VPN pool IP.

Related articles:

• Technical Tip: How to configure IPsec remote access with full tunnelling
  
• Technical Tip: FortiGate IPSec VPN Resource List
• Technical Tip: FortiGate Resource Lists