FortiGate - Create an IPsec VPN for FortiClient - Free Client


The following guide covers the process of using the free version of FortiClient to do a client-based IPSEC connection for you and your end users.

According to the Fortinet docs, the free FortiClient does not support the following VPN features: save password, auto connect, and always up.

If you require access to these features, please refer to the following guide:

FortiGate - Create an IPsec VPN for FortiClient - EMS Client


Creating a User Group and assigning Users

To ensure secure access, you will start this process by creating a User Group and Users that you wish to have access to your FortiClient VPN.

Creating the User Group

  1. Navigate to the following area: “User & Authentication” > “User Groups”

  2. Enter a descriptive “Name”, leave the Type as Firewall, and press the “OK” button:

Create and assign users to the group

  1. On the “User Groups” tab, double click on your newly created group to edit it:

  2. Now that we are in the “Edit User Group” menu, you can press the ‘+’ button next to “Members” to begin creating and assigning users:

  3. We can create our Users in the box that pops up by using the “+ Create” button:

  4. Select “+ User”:

  5. On the “Users/Groups Creation Wizard”, leave the User Type as “Local User” and click “Next”:

  6. Enter a Username and Password under the “Login Credentials” tab:

  7. Leave “Two-Factor Authentication” disabled and click “Next”:

  8. On the “Extra Info” tab, leave the “User Account Status” set as enabled.
    Press “Submit”:

  9. Select the “User Group” we created originally and then press “Submit”:

    This process can be repeated as many times as you want for additional users, or you can create multiple users and attach them all to the User Group.

  10. Click on the created User under the “Select Entries” pane. You will see that this has appeared under the “Members” section of the User Group. You can now press “OK”:

  11. You can see that the User is listed as an active Member of the “VPN Users” Group:

Create your IPSEC connection within the FortiGate Firewall

  1. While within your FortiGate Firewall product, go to the following tab:
    VPN > IPsec Wizard.

  2. Put a descriptive “Name” for the VPN in place > Select “Remote Access” > Select “Client Based” > Select “FortiClient” and press “Next”:

  3. Select your “Incoming Interface” for the connection. The default will be VDOMNAME_wan. In our example, this is “CE089_wan1”. You can reference your VDOM name as shown in the screenshot.
    Leave the “Authentication method” as “Pre-shared Key” and put a complex one in place. I would recommend using a password generator and setting this to 24 characters or more.
    Select the “User Group” we created earlier within this guide and press “Next”:

  4. Select the “Local Interface” as the LAN interface. This interface can be identified, as it will have a name similar to the following: VDOM_lan(VLANXXXX).

    In this example, we will select our VDOM LAN interface: “CE089_lan (VLAN3224)”.

    You will need to denote your “Local Address” range. This can be actioned by clicking the ‘+’ symbol next to “Local Address” and in the pane that pops up to the right, search VLAN. Select the VLAN XXXX option that comes up by clicking on it:

  5. You will now need to assign a “Client Address Range” and a Subnet Mask.

    1. Enter an uncommon private IP range to utilise.

      In my example, I will go with: 192.168.123.10 to 192.168.123.20.
      Confirm this does not overlap with your personal computer's existing IP range!
      The range entered must be separated by a “-”.

    2. The other toggles regarding Split Tunnel and Endpoint Registration should be left toggled on.

    3. Once you have entered the “Client Address Range” and “Subnet Mask” you can press “Next” as shown in the example below:

  6. Toggle the following options as per your use case. In this instance, I will toggle all three to “on” as I want a highly available VPN for my end users with minimum interaction required from their side. Once you have confirmed your “Client Options”, hit “Next”:

  7. On the “Review Settings” tab, ensure all of your settings are correct and press “Create”:

  8. This will show a summary of the tunnel being created:

Convert your IPSEC to a “Custom Tunnel”

There is some further configuration required to create a working client-based IPSEC tunnel. The first step is to convert your IPsec tunnel to a custom tunnel.

  1. Navigate to the “VPN” tab in the left pane and select “IPSEC Tunnels”. You will see the tunnel you created, and you can double-click on it to edit the tunnel:

  2. Once you are within the newly created IPSEC tunnel, click “Convert to Custom Tunnel”.

  3. Once you have clicked this, you will see that there are multiple changes from what is displayed initially.

    1. Click into the “Network” configuration box, as we will need to set DNS servers for your connection.

      We need to un-tick “Use system DNS in mode config” and enter a DNS server IP address.
      This example uses Google DNS, but you can specify any relevant DNS server:


      Once your configuration is the same as the above, click the circled checkmark icon in the top right of the configuration box to accept the changes.

  4. Now that we have established our DNS server, click into the “Authentication” tab to bring up its options.

  5. In this configuration box, we want to set the “IKE Version” to 2. The other options can be left on their default settings.


    Once your configuration is the same as the above, click the circled checkmark icon in the top right of the configuration box to accept the changes.

  6. We now want to modify the “Phase 1 Proposal” by clicking the Edit button:

  7. The “Phase 1 Proposal” configuration box will look the same as the example below:

  8. We want to make the following changes to the “Phase 1 Proposal”:

    1. Delete all IKE proposals by pressing the X next to their relevant “Authentication” boxes, except the following:

      • Encryption AES128
        Authentication SHA256

      • Encryption AES256
        Authentication SHA256

    2. Ensure that DH Group 32 is the only selected option under “Diffie-Hellman Groups”.

    The result should match the image below. Once completed, click the circled checkmark icon in the top right of the configuration box to accept the changes.

  9. We now want to edit our “Phase 2 Selectors” by pressing the pencil icon as shown below:

  10. This will bring up a new configuration box where we have to click on the "+ Advanced” section.
    This will expand the configuration box.

  11. Here, we need to make the following changes:

    1. Delete all “Encryptions” except the following:

      • Encryption AES128, Authentication SHA256

      • Encryption AES256, Authentication SHA256

    2. Set your “Diffie-Hellman Group” to 32 only.

    The result should match the image below. Once completed, click the circled checkmark icon in the top right of the configuration box to accept the changes.

  12. Once this is completed, press the “OK” button at the bottom of the screen.

Editing your IPsec connection via the Command Line Interface (CLI)

Before we can proceed, you need to make some additional changes to the IPsec tunnel you created. These changes must be made via the FortiOS CLI.

  1. The CLI can be accessed by clicking on the following button, as highlighted below.

  2. Our first step is to enter CLI “config” mode for IPsec Phase 1. This can be done by pasting the following command:

    config vpn ipsec phase1-interface


    From here, we can type “show” to have the CLI list the name and existing settings of your VPN tunnel:

  3. To edit the configuration of your tunnel, enter “edit”, followed by the name of the VPN tunnel, e.g.:

    edit IPSEC\ VPN

    The backslash escapes the space in the tunnel name; enclosing the name in double quotes, as in edit "IPSEC VPN", works as well.
    If you only have one phase1-interface entry, you can press the “tab” key on your keyboard after typing “edit” to auto-fill this.

    We are now modifying the IPsec Phase 1 settings of the tunnel directly.

  4. Enter the following commands, one at a time:

    set eap enable
    set eap-identity send-request
    set transport tcp


    An example of these commands having been run is shown below:

  5. You will now need to finalise this by typing the commands below in order and one at a time:

    next
    end

  6. You can now close the CLI by pressing the ‘X’ in the top right corner, as all work within the CLI is now completed.
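For reference, the settings applied through the wizard, the “Custom Tunnel” edits and the CLI steps above are collected here as one FortiOS CLI configuration. This is an added example, not output from the guide or from Fortinet; it is useful for comparing against what “show” prints for your tunnel, or for building the same tunnel on a second firewall. The tunnel name “IPSEC VPN”, interface “CE089_wan1”, user group “VPN Users”, client range, DNS server and the PSK placeholder are assumed values taken from the examples in this guide. The keys that the guide does not show in CLI form (type, interface, peertype, net-device, mode-cfg, dns-mode, ipv4-*, authusrgrp, psksecret) are standard FortiOS 7.x phase1-interface options as the editor knows them; confirm them against your own firmware’s “show” output, and strip the “#” comment lines before pasting. The proposal and dhgrp lines are the security-relevant part: they limit both phases to AES with SHA256 and to DH group 32 (Curve448), so a client offering anything weaker is refused.

```fortios
# Added example: dial-up IPsec phase1/phase2 for the free FortiClient,
# mirroring the GUI and CLI steps in this guide. Assumed names and values.
config vpn ipsec phase1-interface
    edit "IPSEC VPN"
        # dial-up tunnel: clients connect from any address
        set type dynamic
        set interface "CE089_wan1"
        set peertype any
        set net-device disable
        # "IKE Version" set to 2 under Authentication
        set ike-version 2
        # mode config hands out client addresses and DNS
        set mode-cfg enable
        # the only two Phase 1 proposals kept, and DH group 32 (Curve448) only
        set proposal aes128-sha256 aes256-sha256
        set dhgrp 32
        # username/password of the local users via EAP (the CLI step above)
        set eap enable
        set eap-identity send-request
        # IPsec over TCP, matching the "IPsec over TCP" client setting
        set transport tcp
        # "Use system DNS in mode config" un-ticked, manual DNS server
        set dns-mode manual
        set ipv4-dns-server1 8.8.8.8
        # "Client Address Range" and "Subnet Mask" from the wizard
        set ipv4-start-ip 192.168.123.10
        set ipv4-end-ip 192.168.123.20
        set ipv4-netmask 255.255.255.0
        # split tunnel: address object for the LAN (name is a placeholder)
        set ipv4-split-include "<LAN-ADDRESS-OBJECT>"
        # the User Group created at the start of this guide
        set authusrgrp "VPN Users"
        # the 24+ character pre-shared key (placeholder, never commit the real value)
        set psksecret <PSK-PLACEHOLDER>
    next
end
config vpn ipsec phase2-interface
    edit "IPSEC VPN"
        set phase1name "IPSEC VPN"
        # the only two Phase 2 encryptions kept, and DH group 32 only
        set proposal aes128-sha256 aes256-sha256
        set dhgrp 32
    next
end
```

Running “show vpn ipsec phase1-interface” and “show vpn ipsec phase2-interface” after the GUI and CLI steps should yield entries that match these lines; any extra proposal or dhgrp value there means a weaker option was left enabled in one of the configuration boxes.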

Modifying the created firewall rule to include your User Group

We now need to navigate to the firewall rules that allow connectivity before making a slight edit.

This can be navigated to via the following: Policy & Objects > Firewall Policy.

As shown above, we can see a rule was automatically created with the name of our IPsec VPN, and it shows that this is a rule allowing connectivity via the IPsec VPN through to our LAN interface.
In this example, the policy set is: “IPSEC VPN → CE089_lan (VLAN3224)”, while the individual rule is named “vpn_IPSEC VPN_remote_0”.

  1. Double-click on the rule so that you can edit it. This will bring you to a screen similar to the following example:

  2. We now need to add our “User Group” under the “Source”.

    1. Click into the “Source” configuration box, and a pane will open on the right-hand side.

    2. Click on the highlighted “Address” dropdown and set this to “User”.


  3. Under the “User Group” section, select the User Group created earlier in this guide.
    Once the group appears in the “Source” configuration box, you can press “OK” at the bottom of the screen.

    This concludes the required firewall policy changes and edits.

Downloading the free version of FortiClient

Head to the following site to download the free version of FortiClient:

https://www.fortinet.com/support/product-downloads#download-vpn-only

You will need to select to download for the appropriate OS version you are on, as per the screenshot below:


Installing the FortiClient on your operating system

Once you have downloaded the FortiClient installer to your computer, you can proceed with the following steps:

  1. Navigate to the installer file, and double-click it to start the installation process.

  2. Accept the Licence Agreement and click “Next”.

  3. Select your installation directory, or leave this as default, and click “Next”.

  4. Click “Install” to proceed:

  5. Once the installation is completed, click “Finish”.

Configuring your FortiClient

After your installation is completed, we will need to set up the FortiClient to use the correct settings.

  1. Open FortiClient by double-clicking the icon in your system tray.

  2. When the GUI opens up, you want to select “Add New VPN”.

Connection configuration

A configuration box will open when completing the previous step.
We’ll need to enter your configuration here:

  • Connection Name: This is purely cosmetic, and can be anything you choose.

  • Remote Gateway: This will, in most circumstances (unless there was some special configuration), be the Public IP of your FortiGate firewall.

  • Authentication Method: Leave this as “Pre-shared key” and paste the earlier created PSK (pre-shared key) into the field below the drop-down box.

  • Authentication: This can be set to “Prompt on login” or “Save Login”, depending on your use case.

    An example of this first section is below, with the IP redacted for reference:

VPN Settings

We now move on to the VPN Settings section, which only has two changes we need to make here:

  1. Set this connection to use “IPsec over TCP”.

  2. Change the “IKE TCP Port” to 4500.

Refer to the screenshot below to see how yours should look:


Phase 1

For the Phase 1 settings, make the following changes:

  1. On the first IKE proposal, we want to change the “Authentication” to SHA256.

  2. Ensure that only DH Group 32 is selected.


Phase 2

For the Phase 2 settings, make the following changes:

  1. Set the first “Authentication” drop-down to SHA256.

  2. Ensure that only DH Group 32 is selected.

Press “Save” when your configuration matches the screenshot:

Connecting to your VPN

Now that the VPN tunnel has been configured on the FortiClient endpoint, we can connect by clicking the associated “Connect” button.
You will be prompted for the Username and Password of the FortiGate user you created at the beginning of this guide.

If all prior steps were followed correctly, you will now be connected to your IPsec tunnel.