FortiClient as dialup client

This is a sample configuration of dialup IPsec VPN with FortiClient as the dialup client.

You can configure dialup IPsec VPN with FortiClient as the dialup client using the GUI or CLI.

If multiple dialup IPsec VPNs are defined for the same dialup server interface, each phase1 configuration must define a unique peer ID to distinguish the tunnel that the remote client is connecting to. When a client connects, the first IKE message that is in aggressive mode contains the client's local ID. FortiGate matches the local ID to the dialup tunnel referencing the same Peer ID, and the connection continues with that tunnel.

To configure IPsec VPN with FortiClient as the dialup client on the GUI:
  1. Configure a user and user group.
    1. Go to User & Authentication > User Definition to create a local user vpnuser1.
    2. Go to User & Authentication > User Groups to create a group vpngroup with the member vpnuser1.
  2. Go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
    1. Enter a VPN name.
    2. For Template Type, select Remote Access.
    3. For Remote Device Type, select Client-based > FortiClient.
    4. Click Next.
  3. Configure the following settings for Authentication:
    1. For Incoming Interface, select wan1.
    2. For Authentication Method, select Pre-shared Key.
    3. In the Pre-shared Key field, enter your-psk as the key.
    4. From the User Group dropdown list, select vpngroup.
    5. Click Next.
  4. Configure the following settings for Policy & Routing:
    1. From the Local Interface dropdown menu, select lan.
    2. Configure the Local Address as local_network.
    3. Configure the Client Address Range as 10.10.2.1-10.10.2.200.
    4. Keep the default values for the Subnet Mask, DNS Server, Enable IPv4 Split tunnel, and Allow Endpoint Registration.
    5. Click Next.
  5. Adjust the Client Options as needed, then click Create.
  6. Optionally, define a unique Peer ID in the phase1 configuration:
    1. Go to VPN > IPsec Tu