Creating a User Group
To create a VPN tunnel via IPsec, you need to create users who will be granted access and combine them into a group.
The process for creating users and groups is similar to the previous section.
To create a tunnel itself, you can use the IPsec Wizard that provides the necessary configuration templates:
- Go to the VPN → IPsec Wizard section.
- At the VPN Setup stage, enter a name for the tunnel.
- Select the Remote Access tunnel type and, for the remote device type, Client-based and FortiClient, which indicates that the connection will be made with the FortiClient client.
- Click Next.
- At the Authentication stage, specify the incoming interface on which connections will arrive (in this case, wan1).
- Select the authentication method: Pre-shared key or Signature. In this case, Pre-shared key is selected and its value is entered in the Pre-shared key field.
- Specify the user group created in step 1 that will be granted access for connections.
- At the Policy & Routing stage, select from the drop-down menu the local interface that remote clients will connect to.
- In the Local Address parameter, specify the subnet to which users will have access. In this case, the all address object is selected.
- To select a specific subnet, click + and select an address from the existing ones.
- To create a new address, click Create in the pop-up window, or go to Policy & Objects → Addresses → Create New.
- In the Client Address Range field, specify the pool of addresses that will be assigned to remote clients upon connection.
- Make sure that this range does not overlap with the internal addressing. Leave the default Subnet Mask.
- The DNS Server field allows you to select the DNS server that will be used by remote users when connecting to the tunnel. In this case, system DNS is selected.
- The Enable Split Tunnel parameter allows you to grant users access only to certain subnets, rather than passing all their traffic through FortiGate.
- The Allow Endpoint Registration parameter allows you to collect various information about remote endpoints and make decisions based on it (for example, whether or not to allow a remote endpoint to connect).
- At the Client Options stage, you can configure the following options: password saving, automatic connection, and the keep-alive function.
After that, a tunnel is created, and a summary of created objects appears on the screen.
You can download FortiClient for free from the official website. FortiClient is available for multiple platforms and offers free SSL VPN. You can also purchase a license for the client, which provides additional features and technical support. Details of use and compatibility can be found on the official website in the Technical Specification section.
To configure a connection on the client:
- Go to the REMOTE ACCESS section and select IPsec VPN.
- Specify the connection name, FortiGate IP address, select the authentication method. In this case, Pre-shared key is selected and the value of the secret key is entered as configured earlier.
- In the Authentication field, select:
  - Prompt on login, so that FortiClient prompts for a username and password each time it connects;
  - Save login, so that only the password is requested each time you connect. In this case, the username must be entered in the Username field.
- Save this connection.
After that, select the name of the saved connection, enter the username created in step 1, enter the password, and click Connect. If the connection is successful, the following window will appear: