jbindra, Staff
Article Id 348562
Description This article describes how to set up an IPsec dial-up (remote access) VPN for FortiClient users with split tunneling enabled, using the FortiGate 7.6 GUI.
Scope FortiGate 7.6.0.
Solution

In this example, the IPsec dial-up tunnel is configured with split tunneling enabled: only client traffic destined for the networks allowed by the firewall policy (the LAN network below) is routed over the IPsec VPN tunnel, while all other client traffic, including internet traffic, leaves the client directly through its local connection.


First, create a firewall address object for the LAN network that remote users will reach through the tunnel:

Navigate to Policy & Objects -> Addresses and select 'Create New'.

[Screenshot: address object.PNG]

Configure the IPsec dial-up VPN for FortiClient:

Navigate to VPN -> VPN tunnels -> Create new -> IPsec tunnel from template.

Give the tunnel a name and set the template to 'Remote Access'.

[Screenshot: remote access.PNG]

Select the relevant VPN client type. In this example, FortiClient is used.

Assign the IP range from which connecting FortiClient devices will receive their tunnel address (the range is pushed to the client by IKE mode-config). Use a range that does not overlap the LAN network or the clients' likely home networks, otherwise the pushed routes will conflict with the client's local routes.

[Screenshot: client type.PNG]

Select the authentication method. Here, a pre-shared key is used; the same key must be entered in the FortiClient settings later. Because every remote user shares this key, choose a long, random value and keep it secret; the user's own credentials, checked against the user group selected next, are what identify the individual user.

Select the user group whose members will connect through FortiClient for remote access.

[Screenshot: user group.PNG]

Now select the incoming interface on which the IKE/IPsec traffic from the clients will arrive (wan in this example), then the local interface and the local address (the LAN address object created earlier) that the clients are allowed to reach:

[Screenshot: interface wan.PNG]

Select 'Create' to build the tunnel. A summary page will appear, listing the objects that the wizard has added to the FortiGate's configuration.

[Screenshot: summary page.PNG]

Note: If more than one IPsec dial-up VPN is configured on the same server interface (wan in this case), the phase 1 of each of those VPNs must be defined with a unique peer ID so the FortiGate can distinguish which tunnel a remote client is connecting to (the client presents this value as its local ID).

Refer to this article for enabling Peer ID: Technical Tip: How to use Peer IDs to select an IPSec dialup tunnel on a FortiGate configured with m....

Check the firewall address (the dial-up client IP range) created by the wizard. To do so, navigate to Policy & Objects -> Addresses.

[Screenshot: DIALUPRNAGE.PNG]

Check the VPN (tunnel) interface created by the wizard. To do so, navigate to Network -> Interfaces.

[Screenshot: IPSECINTERFACE.PNG]

Check the IPv4 firewall policy created by the wizard (from the tunnel interface to the LAN). To do so, navigate to Policy & Objects -> Firewall Policy.

[Screenshot: fp.PNG]
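For reference, the following is an added, constructed example of what the objects checked above look like in the FortiOS CLI. It is modelled on the wizard's output but is not a capture of this article's wizard run; the tunnel name (RemoteAccess), interface names (wan1, internal), address object names, user group (VPN_Users), client range (10.10.10.1 to 10.10.10.50) and LAN subnet (192.168.1.0/24) are all assumptions, and the pre-shared key is a placeholder. Lines starting with '#' are explanatory comments.

```fortios
# Added, constructed example (not the article's wizard output). All names,
# addresses and the user group are assumptions; replace them with your own.

# LAN network the remote users may reach (created manually in the first step)
config firewall address
    edit "LAN_Network"
        set subnet 192.168.1.0 255.255.255.0
    next
end

# Address object for the dial-up client range (the wizard creates this one)
config firewall address
    edit "RemoteAccess_range"
        set type iprange
        set start-ip 10.10.10.1
        set end-ip 10.10.10.50
    next
end

# Phase 1: dynamic (dial-up) gateway on the WAN interface, IKEv2,
# pre-shared key plus EAP user authentication against the VPN user group
config vpn ipsec phase1-interface
    edit "RemoteAccess"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256 aes256gcm-prfsha384
        set dhgrp 14
        set dpd on-idle
        set eap enable
        set eap-identity send-request
        set authusrgrp "VPN_Users"
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.50
        set ipv4-netmask 255.255.255.0
        # Split tunneling: only this network is pushed to the client as a route;
        # everything else stays on the client's local connection
        set ipv4-split-include "LAN_Network"
        set psksecret <long-random-pre-shared-key>
    next
end

# Phase 2: these proposals must match the FortiClient advanced settings
config vpn ipsec phase2-interface
    edit "RemoteAccess"
        set phase1name "RemoteAccess"
        set proposal aes256-sha256 aes256gcm
        set dhgrp 14
    next
end

# Policy from the tunnel interface to the LAN. No NAT is needed as long as the
# LAN hosts route the client range back via the FortiGate (normally their
# default gateway). Narrow 'service' to what the users actually need.
config firewall policy
    edit 0
        set name "RemoteAccess_to_LAN"
        set srcintf "RemoteAccess"
        set dstintf "internal"
        set srcaddr "RemoteAccess_range"
        set dstaddr "LAN_Network"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

The split-tunnel behaviour comes from 'ipv4-split-include': the client receives a route only for the networks in that object, so the destination of the firewall policy and the split-include network should be kept in step, and the policy's 'service' is the place to apply least privilege rather than leaving it at ALL.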

 

FortiClient configuration:

In FortiClient, navigate to Remote Access and select 'Add a new connection'.
Set 'VPN' to 'IPsec VPN' and 'Remote Gateway' to the FortiGate's public IP address (the wan IP).
Set 'Authentication Method' to 'Pre-Shared Key' and enter the key configured on the FortiGate.

[Screenshot: Capture.PNG]

If the user is unable to connect, compare the advanced settings in FortiClient (IKE version, phase 1 and phase 2 proposals, DH groups, key lifetimes, and the local ID if peer IDs are used) with the tunnel's IPsec settings on the FortiGate: they must match on both sides.
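The following added example shows how to gather that comparison on the FortiGate CLI: first the configured values, then an IKE debug capture for a single client while the user retries. It is not part of the original article; the tunnel name RemoteAccess and the client public address 203.0.113.10 are assumptions, and the 'log filter' form is the syntax of FortiOS 7.4 and later (older releases use 'diagnose vpn ike log-filter dst-addr4'). Lines starting with '#' are explanatory comments.

```fortios
# Added, constructed troubleshooting session (not from the article).
# RemoteAccess and 203.0.113.10 are assumed values.

# 1. Read the settings FortiClient must match (IKE version, proposals, DH group)
show vpn ipsec phase1-interface RemoteAccess
show vpn ipsec phase2-interface RemoteAccess

# 2. Current state: is phase 1 established, and which tunnel IP was assigned?
diagnose vpn ike gateway list
diagnose vpn tunnel list

# 3. Debug the IKE negotiation for this one client only, then have the user
#    reconnect. Filter syntax is 7.4+; on older releases use
#    'diagnose vpn ike log-filter dst-addr4 203.0.113.10'.
diagnose debug reset
diagnose vpn ike log filter rem-addr4 203.0.113.10
diagnose debug application ike -1
diagnose debug console timestamp enable
diagnose debug enable

# 4. Stop the capture once the attempt has finished
diagnose debug disable
diagnose debug reset
diagnose vpn ike log filter clear
```

In the debug output, a NO_PROPOSAL_CHOSEN notification means the phase 1 or phase 2 proposals or DH group differ between FortiClient and the FortiGate; an authentication failure after the proposals have been agreed points at the pre-shared key or at the user's credentials and group membership. Always clear the filter and disable debugging afterwards, since IKE debugging at level -1 is verbose and affects every tunnel matching the filter.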

 

After matching the settings, the user should be able to connect through FortiClient.

[Screenshot: vpnconnected.PNG]

To verify the routes received on the Windows machine, run the following in a command prompt. With split tunneling, only the LAN network should be listed via the FortiClient virtual adapter, and the default route should remain on the machine's local network adapter:

route print

[Screenshot: route print.PNG]

Then confirm that a host on the LAN network is reachable from the client, for example with ping:

[Screenshot: pining.PNG]

 

Related document:

FortiClient as a dial-up client