IPsec VPN
This topic contains descriptions of IPsec VPN settings:
Configuration |
Description |
|
---|---|---|
IPsec VPN |
Enable IPsec VPN. |
|
Beep If Connection Fails |
PC beeps if connection to the IPsec VPN tunnel fails. |
|
Use Windows Store Certificates |
Enable using Windows store certificates. |
|
|
Current User Windows Store Certificates |
Certificates from the user store display. |
|
Local Computer Windows Store Certificates |
Certificates from the computer store display. |
Use Smart Card Certificates |
Shows certificates on smartcards. |
|
Show Auth Certificates Only |
Only shows certificates with authentication in certificate features. |
|
Block IPv6 |
Blocks IPv6 when connected to an IPv4 tunnel. |
|
Enable UDP Checksum |
Add checksum to UDP packets. |
|
Disable Default Route |
Disable default route to gateway. |
|
Check for Certificate Private Key |
Does not show certificates if the private key is not directly accessible, such as for smartcards. |
|
Enhanced Key Usage Mandatory |
Lists only certificates with private keys that allow enhanced key usage. |
|
Configure one of the following: |
When you click Add Tunnel in VPN Tunnels, you can create an IPsec VPN tunnel using manual configuration or XML. For details on configuring a VPN tunnel using XML, see VPN. The following options are available for manual IPsec VPN tunnel creation:
Basic Settings |
||
Name |
Enter a VPN name. Use only standard alphanumeric characters. Do not use symbols or accented characters. |
|
Type |
Select IPsec VPN. |
|
Remote Gateway |
Enter the remote gateway IP address/hostname. You can configure multiple remote gateways by clicking the + button. If one gateway is not available, the tunnel connects to the next configured gateway. |
|
Authentication Method |
Select the authentication method for the VPN. |
|
Android Certificate Location |
Configure a certificate location for FortiClient (Android) to automatically go to when selecting a certificate. Available if you selected Smart Card Certificate or System Store Certificate for Authentication Method. See Certificate path configuration for automated certificate selection. |
|
Pre-Shared Key |
Enter the preshared key required. Available if you selected Pre-Shared Key for Authentication Method. |
|
Prompt for Username |
Prompt for the username when accessing VPN. |
|
Split Tunnel |
|
|
Application Based |
Enable application-based split tunnel. FortiClient (Windows) supports source application-based split tunnel, where you can specify which application traffic to exclude from or include in the VPN tunnel. You can exclude high bandwidth-consuming applications for improved performance. For example, you can exclude applications like the following from the VPN tunnel:
Once the VPN tunnel is up, FortiClient binds the specified excluded applications to the physical interface. |
|
|
Type |
Select Include or Exclude to configure whether to include or exclude certain application traffic from the VPN tunnel. |
|
Local Applications |
You can only exclude local applications from the VPN tunnel. Click Add. In the Add Application(s) field, specify which application traffic to exclude from the VPN tunnel and redirect to the endpoint physical interface. You can specify an application using its process name, full path, or the directory where it is installed. When entering the directory, you must end the value with \. You can enter file and directory paths using environment variables, such as %LOCALAPPDATA%, %programfiles%, and %appdata%. Do not use spaces in the tail or head, or add double quotes to full paths with spaces. You can add multiple entries by separating them with a semicolon. For example, to exclude Microsoft Teams and Firefox from the VPN tunnel, you can enter any of the following combinations:
To find a running application's full path, on the Details tab in Task Manager, add the Image path name column. Select the application checkbox, then click Remove to remove it from the list. |
|
Cloud Applications |
You can exclude or include cloud applications. Click Add. In the list, select the desired applications, then click Add. Select the application checkbox, then click Remove to remove it from the list. |
|
Domain |
You can exclude or include domains. After you exclude a domain, any associated traffic does not go through the VPN tunnel when accessed through a popular browser such as Chrome, Edge, or Firefox. Click Add. In the Add Domain(s) field, enter the desired domains, using ; to configure multiple entries. For example, if you configure the VPN tunnel to exclude youtube.com, youtube.com and *.youtube.com are excluded from the tunnel. Select the application checkbox, then click Remove to remove it from the list. |
VPN Settings |
||
IKE |
Select Version 1 or Version 2. |
|
Mode |
Select Main or Aggressive. |
|
Address Assignment |
Select Mode Config, Manual Set, or DHCP over IPsec. |
|
Encapsulation |
|
Available if you select Version 2 for IKE. Configure one of the following for the encapsulation (or transport) mode:
|
|
IKE TCP Port |
Available if you select Auto for Encapsulation. Configure a custom port number if desired. |
|
IKE UDP Port |
Available if you select Auto for Encapsulation. Configure a custom port number if desired. |
Specify DNS Server (IPv4) |
Specify the DNS server for the VPN tunnel. Available if you selected Manual Set. |
|
Assign IP Address (IPv4) |
Enter the IP address to assign for the VPN tunnel. Available if you selected Manual Set. |
|
Split Table |
Enter the IP address and subnet mask for the VPN tunnel. Available if you selected Manual Set or DHCP over IPsec. |
|
Phase 1 |
Select the encryption and authentication algorithms used to generate keys for protecting negotiations and add encryption and authentication algorithms as required. You need to select a minimum of one and a maximum of two combinations. The remote peer or client must be configured to use at least one of the proposals that you define. |
|
Encryption |
Select the encryption standard. |
|
Authentication |
Select the authentication method. |
|
DH Groups |
Select one or more Diffie-Hellman (DH) groups from groups 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, and 21. At least one of the selected groups on the remote peer or client must match one of the selections on the FortiGate. Failure to match one or more DH groups results in failed negotiations. |
|
Key Life |
Enter the time (in seconds) that must pass before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The key life can be from 120 to 172,800 seconds. |
|
Local ID |
Enter the local ID. |
|
Network ID |
Configure a network ID value between 0 to 255 to differentiate between multiple IKEv2 certificate-based phase 1 tunnels. The network ID is a Fortinet proprietary attribute used to select the correct phase 1 between IPsec peers, so that multiple IKEv2 tunnels can be established between the same local/remote gateway pairs. In a dial-up VPN, network-id is in the first initiator message of an IKEv2 phase 1 negotiation. The responder (hub) uses the network-id to match a phase 1 configuration with a matching network-id. The hub can then differentiate multiple dial-up phase 1s that are bound to the same underlay interface and IP address. Without a network-id, the hub cannot have multiple phase 1 dialup tunnels on the same interface. In static phase 1 configurations, network-id is used with the pair of gateway IPs to negotiate the correct tunnel with a matching network-id. This allows IPsec peers to use the same pair of underlay IPs to establish multiple IPsec tunnels. Without it, only a single tunnel can be established over the same pair of underlay IPs. |
|
Enable Implied SPDO |
Enable implied SPDO. Enter the timeout in seconds. |
|
Dead Peer Detection |
Select this checkbox to reestablish VPN tunnels on idle connections and clean up dead IKE peers if required. |
|
NAT Traversal |
Select the checkbox if a NAT device exists between the client and the local FortiGate. The client and the local FortiGate must have the same NAT traversal setting (both selected or both cleared) to connect reliably. |
|
Enable Local LAN |
Enable local LAN. |
|
Enable IKE Fragmentation |
Enable IKE fragmentation. |
|
Allow non-administrators to use machine certificates |
Allow non-administrator users to use local machine certificates to connect IPsec VPN. |
|
Phase 2 |
Select the encryption and authentication algorithms that to propose to the remote VPN peer. You can specify up to two proposals. To establish a VPN connection, at least one of the proposals that you specify must match configuration on the remote peer. |
|
Encryption |
Select the encryption standard. |
|
Authentication |
Select the authentication method. |
|
DH Group |
Select one DH group (1, 2, 5, 14, 15, 16, 17, 18, 19, 20, or 21). This must match the DH group that the remote peer or dialup client uses. |
|
Key Life |
Set a limit on the length of time that a phase 2 key can be used. The default units are seconds. Alternatively, you can set a limit on the number of kilobytes (KB) of processed data, or both. If you select both, the key expires when the time has passed or the number of KB have been processed. When the phase 2 key expires, a new key is generated without interrupting service. |
|
Enable Replay Detection |
Replay detection enables the unit to check all IPsec packets to see if they have been received before. If any encrypted packets arrive out of order, the unit discards them. |
|
Enable Perfect Forward Secrecy (PFS) |
Enable PFS. PFS forces a new DH exchange when the tunnel starts and whenever the phase 2 key life expires, causing a new key to be generated each time. |
|
Advanced Settings |
||
Enable one-time password. |
||
Enable XAuth |
When IKEv1 is selected, enable IKE Extended Authentication (xAuth). When IKEv2 is selected, enable Extensible Authentication Protocol (EAP). |
|
|
XAuth Timeout |
Only available if Enable XAuth is enabled. Configure the timeout in seconds. Default value is two minutes if not configured. Enter a value between 120 and 300 seconds. |
Prompt for Certificate |
Prompt the user for the certificate. |
|
Enable Single User Mode |
Enable single user mode. |
|
Show Passcode |
Display Passcode instead of Password in the VPN tab in FortiClient. |
|
Save Username |
Save your username. |
|
Enforce Acceptance of Disclaimer Message |
Enable and enter a disclaimer message that appears when the user attempts VPN connection. The user must accept the message to allow connection. |
|
Enable SAML Login |
Enable SAML SSO login for this VPN tunnel. FortiClient provides an option to the end user to save their VPN login password with or without SAML configured. When using SAML, this feature relies on persistent sessions being configured in the identity provider (IdP), discussed as follows: If the IdP does not support persistent sessions, FortiClient cannot save the SAML password. The end user must provide the password to the IdP for each VPN connection attempt. The FortiClient save password feature is commonly used along with autoconnect and always-up features as well. |
|
|
Use External Browser as User-agent for SAML Login |
Display the SAML authentication prompt in an external browser instead of in the FortiClient GUI. This option is only available for IKEv2 tunnels. |
|
SAML Port |
Enter the port number that FortiClient uses to communicate with the FortiGate, which acts as the SAML service provider. |
Failover SSL VPN Connection |
If the IPsec VPN connection fails, FortiClient attempts to connect to the specified SSL VPN tunnel. |
|
Redundant Sort Method |
How FortiClient determines the order in which to try connection to the IPsec VPN servers when more than one is defined. FortiClient calculates the order before each IPsec VPN connection attempt. When Server is selected, FortiClient tries the order explicitly defined in the server settings. When Ping Speed is selected, FortiClient determines the order by the ping response speed. When TCP Round Trip Time is selected, FortiClient determines the order by the TCP round trip time. |
|
Tags |
Select Allow or Prohibit, then select the desired security posture tag from the Select a Tag dropdown list. Tags only display in the list if they are already configured. See Security Posture Tags. You can use this feature to prohibit endpoints from connecting to the VPN tunnel when they do not meet certain criteria. For example, if you want to prohibit endpoints without up-to-date antivirus signatures from connecting to the VPN tunnel, you would do the following:
Endpoints without up-to-date AV signatures are prohibited from connecting to the VPN tunnel. |
|
Customize Host Check Fail Warning |
Enable and configure a custom message to display to the user when EMS prohibits the endpoint from connecting to the VPN tunnel due to its applied security posture tag. For the example configuration described in the Host Tag field description, you could configure a custom message to direct the user to update their AV signature, so that they can connect to the VPN tunnel afterward. |
|
Show "Remember Password" Option |
Show option to have the VPN tunnel remember the password. You must also enable this option on the FortiGate. |
|
Show "Always Up" Option |
Show option to have the VPN tunnel always up. You must also enable this option on the FortiGate. |
|
Show "Auto Connect" Option |
Automatically connect the VPN tunnel. You must also enable this option on the FortiGate. Automatic connection to the VPN tunnel may fail if the endpoint boots up with a user profile set to automatic logon. |
|
On Connect Script |
|
Enable the on connect script. Enter your script. |
On Disconnect Script |
|
Enable the disconnect script. Enter your script. |