A VPN is a secure connection between your computer and a remote computer that is isolated from the surrounding network.
A virtual network is created between the two ends and all data flows over this network. Due to the recent situation in our country, the use of VPNs has become widespread.
What is FortiClient VPN?
FortiClient VPN uses SSL and IPsec VPN to provide secure and reliable access to corporate networks and applications from virtually any internet-connected remote location. FortiClient simplifies the remote user experience with built-in auto-connect and always-on VPN features.
This recipe provides a group of remote users with secure and encrypted access to the corporate network using the IPsec VPN wizard. The tunnel gives group members access to the internal network but forces them through the FortiGate unit when accessing the Internet. Once the tunnel is configured, you will connect using the FortiClient application.
This recipe consists of the following steps:
- Create a user group for remote users.
- Add a firewall address for the local network.
- Configure the IPsec VPN connection.
- Create security policies for VPN access to the Internet.
- Configure FortiClient for IPsec VPN.
To create a user group for remote users:
- In FortiOS, go to User & Device > User > User Definition.
- Create a new local user using the user creation wizard. Enter the appropriate information for each step of the wizard.
- Go to User & Device > User > User Groups.
- Create a user group for remote users and add the user you just created.
To add a firewall address for the local network:
- In FortiOS, go to Policy & Objects > Objects > Addresses.
- Add a firewall address for the local network, including the subnet and local interface.
To configure the IPsec VPN connection for FortiClient:
- In FortiOS, go to VPN > IPsec > Wizard.
- Enter the VPN connection name and select the Dial-up – FortiClient (Windows, Mac OS, Android) template. Click Next.
- In the Incoming Interface drop-down list, select the Internet-facing interface. Set the Authentication Method to Pre-shared Key.
- In the Pre-shared Key field, enter the desired pre-shared key. In the User Group drop-down list, select the vpn_users user group. Click Next.
- In the Local Interface drop-down list, select the internal interface. In the Local Address drop-down list, select Local LAN.
- In the Client Address Range field, enter an IP range for VPN users. Click Next.
- Configure the client options as desired. Click Create. When using the IPsec VPN wizard, FortiOS automatically creates an IPsec firewall address range using the configured tunnel name. Because the wizard also creates the IPsec-to-internal IPv4 policy, you only need to create the Internet access policy.
To create security policies for VPN access to the Internet:
- In FortiOS, go to Policy & Objects > Policy > IPv4.
- Create a security policy that allows remote users to securely access the Internet through the FortiGate unit.
Configure the policies as follows:
- In the Incoming Interface drop-down list, select the tunnel interface. In the Source Address drop-down list, select All.
- In the Outgoing Interface drop-down list, select WAN1. In the Destination Address drop-down list, select All.
- In the Service drop-down list, select ALL. Make sure NAT is enabled.
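The FortiOS-side steps above (user group, firewall address, dial-up tunnel and Internet policy) can also be entered from the FortiOS CLI. The following is an added example written for this page, not a configuration taken from the recipe or from Fortinet documentation. The tunnel name forticlient_vpn, the user vpnuser1, the address object Local_LAN with subnet 192.168.1.0/24, the client range 10.10.10.1-10.10.10.50 and the placeholder secrets are constructed assumptions; vpn_users, wan1 and internal come from the recipe. Lines beginning with # are annotations.

```fortios
# Local user and the remote-user group (vpnuser1 and its password are constructed)
config user local
    edit "vpnuser1"
        set type password
        set passwd "REPLACE_WITH_USER_PASSWORD"
    next
end
config user group
    edit "vpn_users"
        set member "vpnuser1"
    next
end

# Firewall address for the local network (name and subnet are constructed)
config firewall address
    edit "Local_LAN"
        set subnet 192.168.1.0 255.255.255.0
        set associated-interface "internal"
    next
end

# Phase 1: dial-up tunnel on the Internet-facing interface, authenticated with a
# pre-shared key plus XAuth username/password checked against the vpn_users group.
# mode-cfg pushes an address from the client range to each connecting FortiClient.
config vpn ipsec phase1-interface
    edit "forticlient_vpn"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set peertype any
        set mode-cfg enable
        set proposal aes256-sha256 aes128-sha256
        set dhgrp 14
        set xauthtype auto
        set authusrgrp "vpn_users"
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.50
        set dpd on-idle
        set psksecret "REPLACE_WITH_LONG_RANDOM_PSK"
    next
end

# Phase 2: no ipv4-split-include is set, so the client sends all traffic,
# Internet traffic included, through the tunnel as the recipe requires.
config vpn ipsec phase2-interface
    edit "forticlient_vpn"
        set phase1name "forticlient_vpn"
        set proposal aes256-sha256 aes128-sha256
        set dhgrp 14
    next
end

# Internet access policy: tunnel interface -> wan1, source/destination all,
# service ALL, NAT enabled, logging on so the Forward Traffic log shows the flows.
# (The tunnel -> internal policy is the one the wizard creates for you.)
config firewall policy
    edit 0
        set name "VPN_to_Internet"
        set srcintf "forticlient_vpn"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

Because every dial-up client shares the same pre-shared key, the psksecret should be long and random and rotated if a client device is lost; the per-user XAuth credentials are what identify the individual user. After a client connects, `diagnose vpn ike gateway list` shows the negotiated IKE gateway and `diagnose vpn tunnel list` shows the phase 2 selectors and counters, which is the CLI counterpart of the IPsec Monitor check later in the recipe.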
To configure FortiClient VPN for IPsec:
- In FortiClient, on the Remote Access tab, add a new connection.
- Enter the desired connection name and set the VPN type to IPsec VPN.
- In the Remote Gateway field, enter the FortiGate IP address.
- Select Pre-Shared Key from the Authentication Method drop-down list. In the Pre-Shared Key field, enter your key.
- Select the newly created tunnel, enter the username and password, and click Connect. Once FortiClient has established the connection, the FortiGate assigns the user an IP address, and FortiClient displays that IP address and the connection status, including the connection time and the bytes sent and received.
- In FortiOS, go to VPN > Monitor > IPsec Monitor. Verify that the tunnel status is up.
- To view the traffic, go to Log & Report > Traffic Log > Forward Traffic. Verify that the Sent / Received column shows traffic successfully flowing through the tunnel.