Fortinet white logo
Fortinet white logo

EMS Administration Guide

IPsec VPN

IPsec VPN

This topic contains descriptions of IPsec VPN settings.

Configuration

Description

IPsec VPN

Enable IPsec VPN.

Beep If Connection Fails

PC beeps if connection to the IPsec VPN tunnel fails.

Use Windows Store Certificates

Enable using Windows store certificates.

Current User Windows Store Certificates

Certificates from the user store display.

Local Computer Windows Store Certificates

Certificates from the computer store display.

Use Smart Card Certificates

Shows certificates on smartcards.

Show Auth Certificates Only

Only shows certificates with authentication in certificate features.

Block IPv6

Blocks IPv6 when connected to an IPv4 tunnel.

Enable UDP Checksum

Add checksum to UDP packets.

Disable Default Route

Disable default route to gateway.

Check for Certificate Private Key

Does not show certificates if the private key is not directly accessible, such as for smartcards.

Enhanced Key Usage Mandatory

Lists only certificates with private keys that allow enhanced key usage.

Do Not Accept Invalid Server Certificate

FortiClient does not complete the requested VPN connection when an invalid server certificate is used.

Do Not Accept Invalid Server Certificate Warning

FortiClient does not complete the connection when an invalid VPN server certificate is used.

When you click the Add Tunnel button in the VPN Tunnels section, you can create an IPsec VPN tunnel using manual configuration or XML. For details on configuring a VPN tunnel using XML, see VPN. The following options are available for manual IPsec VPN tunnel creation:

Basic Settings

Name

Enter a VPN name. Use only standard alphanumeric characters. Do not use symbols or accented characters.

Type

Select IPsec VPN.

Remote Gateway

Enter the remote gateway IP address/hostname. You can configure multiple remote gateways by clicking the + button. If one gateway is not available, the tunnel connects to the next configured gateway.

Authentication Method

Select the authentication method for the VPN.

Android Certificate Location

Configure a certificate location for FortiClient (Android) to automatically go to when selecting a certificate. Available if you selected Smart Card Certificate or System Store Certificate for Authentication Method.

See Certificate path configuration for automated certificate selection.

Pre-Shared Key

Enter the preshared key required. Available if you selected Pre-Shared Key for Authentication Method.

Prompt for Username

Prompt for the username when accessing VPN.

Split Tunnel

Application Based

Enable application-based split tunnel. FortiClient (Windows) supports source application-based split tunnel, where you can specify which application traffic to exclude from or include in the VPN tunnel. You can exclude high bandwidth-consuming applications for improved performance. For example, you can exclude applications like the following from the VPN tunnel:

  • Microsoft Office 365
  • Microsoft Teams
  • Skype
  • GoToMeeting
  • Zoom
  • WebEx
  • YouTube

Once the VPN tunnel is up, FortiClient binds the specified excluded applications to the physical interface.

Type

Select Include or Exclude to configure whether to include or exclude certain application traffic from the VPN tunnel.

Local Applications

You can only exclude local applications from the VPN tunnel. Click Add. In the Add Application(s) field, specify which application traffic to exclude from the VPN tunnel and redirect to the endpoint physical interface. You can specify an application using its process name, full path, or the directory where it is installed. When entering the directory, you must end the value with \. You can enter file and directory paths using environment variables, such as %LOCALAPPDATA%, %programfiles%, and %appdata%. Do not use spaces in the tail or head, or add double quotes to full paths with spaces. You can add multiple entries by separating them with a semicolon.

For example, to exclude Microsoft Teams and Firefox from the VPN tunnel, you can enter any of the following combinations:

  • Application Name: teams.exe;firefox.exe
  • Full Path: C:\Users\<username>appData\Local\Microsoft\Teams\current\Teams.exe;C:\Program Files\Mozilla Firefox\firefox.exe
  • Directory: C:\Users\<username>appData\Local\Microsoft\Teams\current\;C:\Program Files\Mozilla Firefox\

To find a running application's full path, on the Details tab in Task Manager, add the Image path name column.

Select the application checkbox, then click Remove to remove it from the list.

Cloud Applications

You can exclude or include cloud applications. Click Add. In the list, select the desired applications, then click Add.

Select the application checkbox, then click Remove to remove it from the list.

Domain

You can exclude or include domains. After you exclude a domain, any associated traffic does not go through the VPN tunnel when accessed through a popular browser such as Chrome, Edge, or Firefox. Click Add. In the Add Domain(s) field, enter the desired domains, using ; to configure multiple entries.

For example, if you configure the VPN tunnel to exclude youtube.com, youtube.com and *.youtube.com are excluded from the tunnel.

Select the application checkbox, then click Remove to remove it from the list.

VPN Settings

IKE

Select Version 1 or Version 2.

Mode

Select Main or Aggressive.

Options

Select Mode Config, Manual Set, or DHCP over IPsec.

Specify DNS Server (IPv4)

Specify the DNS server for the VPN tunnel. Available if you selected Manual Set.

Assign IP Address (IPv4)

Enter the IP address to assign for the VPN tunnel. Available if you selected Manual Set.

Split Table

Enter the IP address and subnet mask for the VPN tunnel. Available if you selected Manual Set or DHCP over IPsec.

Phase 1

Select the encryption and authentication algorithms used to generate keys for protecting negotiations and add encryption and authentication algorithms as required.

You need to select a minimum of one and a maximum of two combinations. The remote peer or client must be configured to use at least one of the proposals that you define.

Encryption

Select the encryption standard.

Authentication

Select the authentication method.

DH Groups

Select one or more Diffie-Hellman (DH) groups from groups 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, and 21. At least one of the selected groups on the remote peer or client must match one of the selections on the FortiGate. Failure to match one or more DH groups results in failed negotiations.

Key Life

Enter the time (in seconds) that must pass before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The key life can be from 120 to 172,800 seconds.

Local ID

Enter the local ID.

Enable Implied SPDO

Enable implied SPDO. Enter the timeout in seconds.

Dead Peer Detection

Select this checkbox to reestablish VPN tunnels on idle connections and clean up dead IKE peers if required.

NAT Traversal

Select the checkbox if a NAT device exists between the client and the local FortiGate. The client and the local FortiGate must have the same NAT traversal setting (both selected or both cleared) to connect reliably.

Enable Local LAN

Enable local LAN.

Enable IKE Fragmentation

Enable IKE fragmentation.

Allow non-administrators to use machine certificates

Allow non-administrator users to use local machine certificates to connect IPsec VPN.

Phase 2

Select the encryption and authentication algorithms that to propose to the remote VPN peer. You can specify up to two proposals. To establish a VPN connection, at least one of the proposals that you specify must match configuration on the remote peer.

Encryption

Select the encryption standard.

Authentication

Select the authentication method.

DH Group

Select one DH group (1, 2, 5, 14, 15, 16, 17, 18, 19, 20, or 21). This must match the DH group that the remote peer or dialup client uses.

Key Life

Set a limit on the length of time that a phase 2 key can be used. The default units are seconds. Alternatively, you can set a limit on the number of kilobytes (KB) of processed data, or both. If you select both, the key expires when the time has passed or the number of KB have been processed. When the phase 2 key expires, a new key is generated without interrupting service.

Enable Replay Detection

Replay detection enables the unit to check all IPsec packets to see if they have been received before. If any encrypted packets arrive out of order, the unit discards them.

Enable Perfect Forward Secrecy (PFS)

Enable PFS. PFS forces a new DH exchange when the tunnel starts and whenever the phase 2 key life expires, causing a new key to be generated each time.

Advanced Settings

Enable One-Time Password

Enable one-time password.

Enable XAuth

When IKEv1 is selected, enable IKE Extended Authentication (xAuth).

When IKEv2 is selected, enable Extensible Authentication Protocol (EAP).

XAuth Timeout

Only available if Enable XAuth is enabled. Configure the timeout in seconds. Default value is two minutes if not configured. Enter a value between 120 and 300 seconds.

Prompt for Certificate

Prompt the user for the certificate.

Enable Single User Mode

Enable single user mode.

Show Passcode

Display Passcode instead of Password in the VPN tab in FortiClient.

Save Username

Save your username.

Enforce Acceptance of Disclaimer Message

Enable and enter a disclaimer message that appears when the user attempts VPN connection. The user must accept the message to allow connection.

Enable SAML Login

Enable SAML SSO login for this VPN tunnel.

FortiClient provides an option to the end user to save their VPN login password with or without SAML configured. When using SAML, this feature relies on persistent sessions being configured in the identity provider (IdP), discussed as follows:

If the IdP does not support persistent sessions, FortiClient cannot save the SAML password. The end user must provide the password to the IdP for each VPN connection attempt.

The FortiClient save password feature is commonly used along with autoconnect and always-up features as well.

SAML Port

Enter the port number that FortiClient uses to communicate with the FortiGate, which acts as the SAML service provider.

Failover SSL VPN Connection

If the IPsec VPN connection fails, FortiClient attempts to connect to the specified SSL VPN tunnel.

Redundant Sort Method

How FortiClient determines the order in which to try connection to the IPsec VPN servers when more than one is defined. FortiClient calculates the order before each IPsec VPN connection attempt.

When Server is selected, FortiClient tries the order explicitly defined in the server settings.

When Ping Speed is selected, FortiClient determines the order by the ping response speed.

When TCP Round Trip Time is selected, FortiClient determines the order by the TCP round trip time.

Tags

Select Allow or Prohibit, then select the desired Zero Trust tag from the Select a Tag dropdown list. Tags only display in the list if they are already configured. See Zero Trust Tags.

You can use this feature to prohibit endpoints from connecting to the VPN tunnel when they do not meet certain criteria. For example, if you want to prohibit endpoints without up-to-date antivirus signatures from connecting to the VPN tunnel, you would do the following:

  1. Configure a Zero Trust tagging rule that tags all endpoints without up-to-date AV signatures. See Adding a Zero Trust tagging rule set.
  2. For the VPN tunnel settings, select Prohibit, then select the configured tag from the Select a Tag dropdown list.

Endpoints without up-to-date AV signatures are prohibited from connecting to the VPN tunnel.

Customize Host Check Fail Warning

Enable and configure a custom message to display to the user when EMS prohibits the endpoint from connecting to the VPN tunnel due to its applied Zero Trust tag.

For the example configuration described in the Host Tag field description, you could configure a custom message to direct the user to update their AV signature, so that they can connect to the VPN tunnel afterward.

Show "Remember Password" Option

Show option to have the VPN tunnel remember the password. You must also enable this option on the FortiGate.

Show "Always Up" Option

Show option to have the VPN tunnel always up. You must also enable this option on the FortiGate.

Show "Auto Connect" Option

Automatically connect the VPN tunnel. You must also enable this option on the FortiGate. Automatic connection to the VPN tunnel may fail if the endpoint boots up with a user profile set to automatic logon.

On Connect Script

Enable the on connect script. Enter your script.

On Disconnect Script

Enable the disconnect script. Enter your script.

IPsec VPN

IPsec VPN

This topic contains descriptions of IPsec VPN settings.

Configuration

Description

IPsec VPN

Enable IPsec VPN.

Beep If Connection Fails

PC beeps if connection to the IPsec VPN tunnel fails.

Use Windows Store Certificates

Enable using Windows store certificates.

Current User Windows Store Certificates

Certificates from the user store display.

Local Computer Windows Store Certificates

Certificates from the computer store display.

Use Smart Card Certificates

Shows certificates on smartcards.

Show Auth Certificates Only

Only shows certificates with authentication in certificate features.

Block IPv6

Blocks IPv6 when connected to an IPv4 tunnel.

Enable UDP Checksum

Add checksum to UDP packets.

Disable Default Route

Disable default route to gateway.

Check for Certificate Private Key

Does not show certificates if the private key is not directly accessible, such as for smartcards.

Enhanced Key Usage Mandatory

Lists only certificates with private keys that allow enhanced key usage.

Do Not Accept Invalid Server Certificate

FortiClient does not complete the requested VPN connection when an invalid server certificate is used.

Do Not Accept Invalid Server Certificate Warning

FortiClient does not complete the connection when an invalid VPN server certificate is used.

When you click the Add Tunnel button in the VPN Tunnels section, you can create an IPsec VPN tunnel using manual configuration or XML. For details on configuring a VPN tunnel using XML, see VPN. The following options are available for manual IPsec VPN tunnel creation:

Basic Settings

Name

Enter a VPN name. Use only standard alphanumeric characters. Do not use symbols or accented characters.

Type

Select IPsec VPN.

Remote Gateway

Enter the remote gateway IP address/hostname. You can configure multiple remote gateways by clicking the + button. If one gateway is not available, the tunnel connects to the next configured gateway.

Authentication Method

Select the authentication method for the VPN.

Android Certificate Location

Configure a certificate location for FortiClient (Android) to automatically go to when selecting a certificate. Available if you selected Smart Card Certificate or System Store Certificate for Authentication Method.

See Certificate path configuration for automated certificate selection.

Pre-Shared Key

Enter the preshared key required. Available if you selected Pre-Shared Key for Authentication Method.

Prompt for Username

Prompt for the username when accessing VPN.

Split Tunnel

Application Based

Enable application-based split tunnel. FortiClient (Windows) supports source application-based split tunnel, where you can specify which application traffic to exclude from or include in the VPN tunnel. You can exclude high bandwidth-consuming applications for improved performance. For example, you can exclude applications like the following from the VPN tunnel:

  • Microsoft Office 365
  • Microsoft Teams
  • Skype
  • GoToMeeting
  • Zoom
  • WebEx
  • YouTube

Once the VPN tunnel is up, FortiClient binds the specified excluded applications to the physical interface.

Type

Select Include or Exclude to configure whether to include or exclude certain application traffic from the VPN tunnel.

Local Applications

You can only exclude local applications from the VPN tunnel. Click Add. In the Add Application(s) field, specify which application traffic to exclude from the VPN tunnel and redirect to the endpoint physical interface. You can specify an application using its process name, full path, or the directory where it is installed. When entering the directory, you must end the value with \. You can enter file and directory paths using environment variables, such as %LOCALAPPDATA%, %programfiles%, and %appdata%. Do not use spaces in the tail or head, or add double quotes to full paths with spaces. You can add multiple entries by separating them with a semicolon.

For example, to exclude Microsoft Teams and Firefox from the VPN tunnel, you can enter any of the following combinations:

  • Application Name: teams.exe;firefox.exe
  • Full Path: C:\Users\<username>appData\Local\Microsoft\Teams\current\Teams.exe;C:\Program Files\Mozilla Firefox\firefox.exe
  • Directory: C:\Users\<username>appData\Local\Microsoft\Teams\current\;C:\Program Files\Mozilla Firefox\

To find a running application's full path, on the Details tab in Task Manager, add the Image path name column.

Select the application checkbox, then click Remove to remove it from the list.

Cloud Applications

You can exclude or include cloud applications. Click Add. In the list, select the desired applications, then click Add.

Select the application checkbox, then click Remove to remove it from the list.

Domain

You can exclude or include domains. After you exclude a domain, any associated traffic does not go through the VPN tunnel when accessed through a popular browser such as Chrome, Edge, or Firefox. Click Add. In the Add Domain(s) field, enter the desired domains, using ; to configure multiple entries.

For example, if you configure the VPN tunnel to exclude youtube.com, youtube.com and *.youtube.com are excluded from the tunnel.

Select the application checkbox, then click Remove to remove it from the list.

VPN Settings

IKE

Select Version 1 or Version 2.

Mode

Select Main or Aggressive.

Options

Select Mode Config, Manual Set, or DHCP over IPsec.

Specify DNS Server (IPv4)

Specify the DNS server for the VPN tunnel. Available if you selected Manual Set.

Assign IP Address (IPv4)

Enter the IP address to assign for the VPN tunnel. Available if you selected Manual Set.

Split Table

Enter the IP address and subnet mask for the VPN tunnel. Available if you selected Manual Set or DHCP over IPsec.

Phase 1

Select the encryption and authentication algorithms used to generate keys for protecting negotiations and add encryption and authentication algorithms as required.

You need to select a minimum of one and a maximum of two combinations. The remote peer or client must be configured to use at least one of the proposals that you define.

Encryption

Select the encryption standard.

Authentication

Select the authentication method.

DH Groups

Select one or more Diffie-Hellman (DH) groups from groups 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, and 21. At least one of the selected groups on the remote peer or client must match one of the selections on the FortiGate. Failure to match one or more DH groups results in failed negotiations.

Key Life

Enter the time (in seconds) that must pass before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The key life can be from 120 to 172,800 seconds.

Local ID

Enter the local ID.

Enable Implied SPDO

Enable implied SPDO. Enter the timeout in seconds.

Dead Peer Detection

Select this checkbox to reestablish VPN tunnels on idle connections and clean up dead IKE peers if required.

NAT Traversal

Select the checkbox if a NAT device exists between the client and the local FortiGate. The client and the local FortiGate must have the same NAT traversal setting (both selected or both cleared) to connect reliably.

Enable Local LAN

Enable local LAN.

Enable IKE Fragmentation

Enable IKE fragmentation.

Allow non-administrators to use machine certificates

Allow non-administrator users to use local machine certificates to connect IPsec VPN.

Phase 2

Select the encryption and authentication algorithms that to propose to the remote VPN peer. You can specify up to two proposals. To establish a VPN connection, at least one of the proposals that you specify must match configuration on the remote peer.

Encryption

Select the encryption standard.

Authentication

Select the authentication method.

DH Group

Select one DH group (1, 2, 5, 14, 15, 16, 17, 18, 19, 20, or 21). This must match the DH group that the remote peer or dialup client uses.

Key Life

Set a limit on the length of time that a phase 2 key can be used. The default units are seconds. Alternatively, you can set a limit on the number of kilobytes (KB) of processed data, or both. If you select both, the key expires when the time has passed or the number of KB have been processed. When the phase 2 key expires, a new key is generated without interrupting service.

Enable Replay Detection

Replay detection enables the unit to check all IPsec packets to see if they have been received before. If any encrypted packets arrive out of order, the unit discards them.

Enable Perfect Forward Secrecy (PFS)

Enable PFS. PFS forces a new DH exchange when the tunnel starts and whenever the phase 2 key life expires, causing a new key to be generated each time.

Advanced Settings

Enable One-Time Password

Enable one-time password.

Enable XAuth

When IKEv1 is selected, enable IKE Extended Authentication (xAuth).

When IKEv2 is selected, enable Extensible Authentication Protocol (EAP).

XAuth Timeout

Only available if Enable XAuth is enabled. Configure the timeout in seconds. Default value is two minutes if not configured. Enter a value between 120 and 300 seconds.

Prompt for Certificate

Prompt the user for the certificate.

Enable Single User Mode

Enable single user mode.

Show Passcode

Display Passcode instead of Password in the VPN tab in FortiClient.

Save Username

Save your username.

Enforce Acceptance of Disclaimer Message

Enable and enter a disclaimer message that appears when the user attempts VPN connection. The user must accept the message to allow connection.

Enable SAML Login

Enable SAML SSO login for this VPN tunnel.

FortiClient provides an option to the end user to save their VPN login password with or without SAML configured. When using SAML, this feature relies on persistent sessions being configured in the identity provider (IdP), discussed as follows:

If the IdP does not support persistent sessions, FortiClient cannot save the SAML password. The end user must provide the password to the IdP for each VPN connection attempt.

The FortiClient save password feature is commonly used along with autoconnect and always-up features as well.

SAML Port

Enter the port number that FortiClient uses to communicate with the FortiGate, which acts as the SAML service provider.

Failover SSL VPN Connection

If the IPsec VPN connection fails, FortiClient attempts to connect to the specified SSL VPN tunnel.

Redundant Sort Method

How FortiClient determines the order in which to try connection to the IPsec VPN servers when more than one is defined. FortiClient calculates the order before each IPsec VPN connection attempt.

When Server is selected, FortiClient tries the order explicitly defined in the server settings.

When Ping Speed is selected, FortiClient determines the order by the ping response speed.

When TCP Round Trip Time is selected, FortiClient determines the order by the TCP round trip time.

Tags

Select Allow or Prohibit, then select the desired Zero Trust tag from the Select a Tag dropdown list. Tags only display in the list if they are already configured. See Zero Trust Tags.

You can use this feature to prohibit endpoints from connecting to the VPN tunnel when they do not meet certain criteria. For example, if you want to prohibit endpoints without up-to-date antivirus signatures from connecting to the VPN tunnel, you would do the following:

  1. Configure a Zero Trust tagging rule that tags all endpoints without up-to-date AV signatures. See Adding a Zero Trust tagging rule set.
  2. For the VPN tunnel settings, select Prohibit, then select the configured tag from the Select a Tag dropdown list.

Endpoints without up-to-date AV signatures are prohibited from connecting to the VPN tunnel.

Customize Host Check Fail Warning

Enable and configure a custom message to display to the user when EMS prohibits the endpoint from connecting to the VPN tunnel due to its applied Zero Trust tag.

For the example configuration described in the Host Tag field description, you could configure a custom message to direct the user to update their AV signature, so that they can connect to the VPN tunnel afterward.

Show "Remember Password" Option

Show option to have the VPN tunnel remember the password. You must also enable this option on the FortiGate.

Show "Always Up" Option

Show option to have the VPN tunnel always up. You must also enable this option on the FortiGate.

Show "Auto Connect" Option

Automatically connect the VPN tunnel. You must also enable this option on the FortiGate. Automatic connection to the VPN tunnel may fail if the endpoint boots up with a user profile set to automatic logon.

On Connect Script

Enable the on connect script. Enter your script.

On Disconnect Script

Enable the disconnect script. Enter your script.