Support Forum
Not applicable

Can't get IPsec VPN working

Hi there! I've been trying all day to set up a Fortinet 60B as a VPN server. The only thing I want is for 2 or 3 clients to connect to a private LAN. The LAN has 10.0.0.0/24 addresses. wan1 is PPPoE (it will have a fixed IP soon). For testing purposes I set up wan2 with the fixed address 192.168.12.1 and a client at 192.168.12.2. I tried the following:

VPN > IPsec > Phase 1:
    Name: vpn
    Remote Gateway: dialup
    Local Interface: wan2
    Authentication: PSK (passphrase entered)

VPN > IPsec > Phase 2:
    Name: vpn
    Phase 1: vpn

Firewall > Policy:
    Source: internal
    Destination: wan2
    Action: IPSEC
    VPN Tunnel: vpn

I also played with users, tried many of the switches, inbound NAT etc. Nothing worked; I couldn't connect with either the FortiClient or any other client (I'd love to use my Macintosh to connect to the VPN; there is a good client called IPSecuritas). Hope anyone can help me!

Edit: DHCP is disabled on the Fortinet box because there is one on the internal network.
rwpatterson

Welcome to the forums. What version of firmware is your unit currently on?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Not applicable

I'm having the same problem as the original poster, keldrin. All I want is to set up IPsec for a couple of users using the FortiClient and the FortiGate 60B as the VPN server. I want the clients to have access to all our internal network resources and servers. The documentation is not good, as it goes into many different scenarios that don't seem to apply to a simple IPsec client-to-FortiGate setup. I don't need to use a virtual IP, and I'm content having the FortiGate unit assign an IP to the client, but could also have my Microsoft server assign the IP as well. I am using v3.0 MR7 Patch 2 build 733. If someone could post the settings needed on the router, I'm sure I could follow them. My settings currently look very much like those of Keldrin, the original poster.
Not applicable

Please provide some further information on the problem. Do you get any log messages on the FortiClient or on the FortiGate? When you try connecting with the FortiClient, there should be a window showing the negotiation status. Could you please post the output of this window so we can see at which point the negotiation fails? Furthermore, just some info: check whether the selectors in your VPN tunnel are correct. If you have checked "Use this peer ID" or "Use peer ID from this group", you must enter a valid user as the Local ID on your FortiClient. For your firewall policy you need to enable Allow Inbound (and Allow Outbound if you need it), and no NAT.
Not applicable

The client window that pops up initially says "connecting", then quickly disappears after a second line briefly says "failed to connect". What is confusing about the instructions is that they refer to port 1 and port 2 in the diagrams. There is no explanation of what port 1 and port 2 stand for. Are they external interface references or internal interfaces? I'm using the Auto Key tab for Phase 1 and have the following:

Phase 1:
    Name: Staff Vpn
    Remote Gateway: Dialup User
    Local Interface: Internal (this is where the instructions say port 1). If I try to use wan1 here it says "already in use".
    Authentication Method: Preshared Key
    Preshared Key: filled in with a string of characters
    Peer Options: Accept any peer ID

Phase 2:
    Name: Phase2 Staff
    Phase 1: Staff Vpn
    Advanced: DHCP-IPsec enabled

Firewall Policy:
    Source Interface: wan1
    Source Address: all
    Destination Interface: internal
    Destination Address: internal all (our entire internal subnet)
    Schedule: Always
    Service: ANY
    Action: IPSEC
    VPN Tunnel: Staff Vpn
    Allow Inbound and Allow Outbound are checked
    Log Allowed Traffic is checked

With the connecting client we have tried using Automatic and putting in the external IP of the FortiGate unit. We also tried Manual, specifying the IP and preshared key. Am I missing anything? I think the client has some logs I could look at and post if needed.
Not applicable

> What is confusing about the instructions is that they refer to port 1 and port 2 in the diagrams.

Which instructions do you refer to? The local interface must be the interface to which the FortiClient connects. Since the FortiClients are coming from the Internet, it must be one of your external interfaces (wan1 or wan2, depending on your configuration). If it says "already in use", check whether there is already a dialup VPN tunnel configured for that interface. The firewall policy has to be from internal to external, where the source address is the network you want the dialup users to be able to access. The destination address would be the address the FortiClient comes from. Since this address may change, you might use "any" here.

> In advanced I have DHCP-IPsec enabled.

Have you also configured the DHCP server on your FortiGate? If not, go to System -> DHCP and create a new DHCP Relay for the interface you specified in Phase 1. The type should be IPsec, and the DHCP server IP is of course the IP of your internal DHCP server.

> With the connecting client we have tried using Automatic and putting in the external IP of the FortiGate unit. We also tried Manual, specifying the IP and preshared key.

Up to now, I have always used manual configuration. Just enter the IP of your FortiGate and the preshared key. In the advanced configuration, acquire an IP via DHCP over IPsec. If necessary, configure the Local ID of the FortiClient, and you should be done.
Not applicable

I'm using this router in a test environment currently, just so you know. I have my network plugged into the wan1 port, and I have a laptop plugged into one of the internal ports. The external wan1 gets a 10.xx.xx.xx IP and the laptop gets a 192.xx.xx.xx from the Fortinet unit. DHCP is set up on the unit, as the laptop gets an IP from it. I'm treating the laptop as the internal network I'm trying to reach via the VPN. I have several computers on the wan1 side that I can use to connect to the FortiGate via IPsec for testing. Does having a client computer in the same subnet as the assigned wan1 IP cause a problem? I wouldn't think so. The only things I have set on this router are the PPTP and IPsec; there are no other configurations or policies. So there is nothing else using wan1. My policy is set up under the wan1 -> internal section. Are you telling me I need to move this under the internal -> wan1 section? That doesn't make logical sense, since the Fortinet client is coming in from wan1 and wants access to the internal network. Please confirm. The instructions I was referring to are the IPsec VPN guide from Fortinet, just so you know.
Not applicable

Maybe these two documents will help you (especially the admin guide):
http://docs.forticare.com/fclient/FortiClient_Admin_Guide_04-403-86643-20090306.pdf
http://docs.forticare.com/fclient/FortiClient_User_Guide_04-402-86641-20090223.pdf

> My policy is set up under the wan1 -> internal section. Are you telling me I need to move this under the internal -> wan1 section? That doesn't make logical sense, since the Fortinet client is coming in from wan1 and wants access to the internal network.

Exactly, the policy has to be from internal to wan1. You can read through the configuration of the FortiGate in the admin guide (page 37).
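The configuration this thread converges on (Phase 1 dialup on wan1 with a preshared key, Phase 2 with DHCP over IPsec, a DHCP relay of type IPsec, and a policy-based IPsec firewall policy written from internal to wan1 with inbound and outbound allowed), written out as FortiOS 3.0-style CLI. This is an added example, not taken from the thread or from Fortinet's guides. The object names (StaffVPN, StaffVPN-p2, StaffVPN-dhcp, internal_lan), the proposal list, the DHCP server address and the DHCP relay keywords are assumptions from memory of the 3.0 CLI and should be checked against the CLI reference for build 733 before use.

```fortios
# Added example (not from the thread). FortiOS 3.0-style CLI; object names,
# proposals, the 10.0.0.5 server address and the DHCP relay keywords are
# assumptions. Verify against the CLI reference for your build.

# Phase 1: dialup (dynamic) gateway terminated on the external interface,
# the one the FortiClients actually reach, not "internal".
config vpn ipsec phase1
    edit "StaffVPN"
        set type dynamic            # GUI: Remote Gateway = Dialup User
        set interface "wan1"        # GUI: Local Interface
        set peertype any            # GUI: Accept any peer ID
        set proposal aes128-sha1 3des-sha1
        set dhgrp 2
        set psksecret "replace-with-a-long-random-preshared-key"
    next
end

# Phase 2: bound to the phase 1 above; client gets its IP via DHCP over IPsec.
config vpn ipsec phase2
    edit "StaffVPN-p2"
        set phase1name "StaffVPN"
        set proposal aes128-sha1 3des-sha1
        set dhcp-ipsec enable       # GUI: Advanced -> DHCP-IPSEC
    next
end

# DHCP relay on the phase 1 interface, forwarding to the internal DHCP server
# (GUI: System -> DHCP -> Relay, type IPsec). Field names are assumed; on
# later firmware this moved to per-interface dhcp-relay settings.
config system dhcp relay
    edit "StaffVPN-dhcp"
        set interface "wan1"
        set type ipsec
        set server 10.0.0.5         # assumed address of the internal DHCP server
    next
end

# Address object for the LAN the dialup users may reach.
config firewall address
    edit "internal_lan"
        set subnet 10.0.0.0 255.255.255.0
    next
end

# Policy-based IPsec: written from internal to wan1. srcaddr is the LAN the
# clients may reach; dstaddr is where the clients come from ("all", since
# their address changes). "inbound enable" is what admits client traffic.
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "internal_lan"
        set dstaddr "all"
        set action ipsec
        set vpntunnel "StaffVPN"
        set inbound enable
        set outbound enable
        set natinbound disable
        set natoutbound disable
        set schedule "always"
        set service "ANY"
        set logtraffic enable
    next
end
```

Two caveats worth keeping in mind with the settings posted in the thread: a policy with service ANY, Allow Inbound and the whole internal subnet as the source address gives every dialup client unrestricted access to the LAN, so narrow srcaddr and service to what staff actually need; and a single shared PSK combined with "Accept any peer ID" means anyone who learns the PSK can bring up a tunnel, so per-user peer IDs (the "use peer ID from this group" option mentioned above) or certificates are preferable once the basic tunnel works. To see where the negotiation fails rather than just "failed to connect", run `diagnose debug application ike -1` followed by `diagnose debug enable` on the FortiGate while the client connects, and `diagnose debug disable` afterwards (commands from memory of the 3.0 CLI).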