
Fortigate IPSec Remote Access VPN


What is IPSec Remote Access VPN?

An IPSec Remote Access VPN (Virtual Private Network) is a secure network connection that allows remote users or devices to reach a private network over the internet using the IPSec (Internet Protocol Security) protocol suite. It provides encryption and authentication for the traffic, so remote users can connect to a corporate or private network securely from wherever they are.



Connection Topology

Here is the connection topology: a PC on the internet becomes the VPN client and connects to the inside network.




Configuring VPN User

On the FortiGate, go to User & Authentication » User Definition, create a new user, and choose Local User.



Give it a username and password.



Leave 2FA off



Enable the user.



Now go to User & Authentication » User Groups, create a new group, and include the new user as a member.




Configuring Remote Access VPN

Go to VPN » IPsec Wizard, select Remote Access as the VPN type and FortiClient as the client.



On Authentication, select the WAN interface as the incoming interface, Pre-shared Key as the authentication method, and add the user group created earlier.



On Policy & Routing, select the LAN interface as the local interface, select the local address range that VPN clients may reach, and set the IP address range that will be assigned to VPN users.



On Client Options, the defaults are fine; leave them as they are.



Lastly, review the summary and create the VPN.



Now the VPN is set up.



Under Firewall Policy, we can see the new policy that the wizard generated automatically.




Connecting VPN from Client PC

On this client PC, we can reach the FortiGate's WAN IP but not the inside segment.



Configure the connection as below.



Because we’re using an evaluation license, we have to set the IKE Proposal to a weak encryption configuration, as below.


IKE (Internet Key Exchange) is a protocol used in IPsec VPNs to establish a secure connection between two devices, such as a computer and a network gateway, by negotiating encryption and authentication keys.

  • Encryption: DES uses a 56-bit key and is considered weak by today’s standards, while AES-128 uses a 128-bit key and is considered a strong and secure encryption algorithm.
  • Authentication: MD5 and SHA-1 are no longer secure for cryptographic use because of their vulnerability to collision attacks, while SHA-256 is a secure cryptographic hash function with a 256-bit output that resists collision attacks.
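To turn the two bullets above into a check that can be run against a FortiGate configuration, here is an added Python example (not code from the post or from Fortinet). It parses a `config vpn ipsec phase1-interface` fragment in the FortiOS CLI syntax, flags proposals that use DES, MD5 or SHA-1, and also reports small Diffie-Hellman groups, IKEv1 aggressive mode and a missing user group binding; treating 3DES and DH groups 1, 2 and 5 as weak is this example's assumption, as is the sample configuration, which is constructed for the demonstration. A last helper shows why a client whose IKE proposal does not overlap the gateway's list never connects.

```python
import re

# Algorithm classes the post discusses: DES and MD5/SHA-1 are weak, AES-128+ and SHA-256 are
# acceptable. Assumption: 3DES and DH groups 1, 2 and 5 are also treated as weak here.
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_INTEGRITY = {"md5", "sha1"}
WEAK_DH_GROUPS = {"1", "2", "5"}


def parse_phase1(config_text):
    """Parse the 'edit ... next' entries of a FortiOS phase1-interface block.

    Returns {tunnel_name: {setting: [values]}}; values keep the order written in the config,
    which matters for proposals because the list order is the preference order.
    """
    entries = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r'^edit\s+"?([^"]+)"?$', line)
        if m:
            current = m.group(1)
            entries[current] = {}
            continue
        if line == "next":
            current = None
            continue
        m = re.match(r"^set\s+(\S+)\s+(.+)$", line)
        if m and current is not None:
            entries[current][m.group(1)] = [v.strip('"') for v in m.group(2).split()]
    return entries


def audit_proposals(proposals):
    """Flag weak halves of proposals written the FortiOS way, e.g. 'des-md5' or 'aes128-sha256'."""
    findings = []
    for proposal in proposals:
        encryption, _, integrity = proposal.partition("-")
        if encryption in WEAK_ENCRYPTION:
            findings.append(f"weak encryption {encryption} in proposal {proposal}")
        if integrity in WEAK_INTEGRITY:
            findings.append(f"weak integrity {integrity} in proposal {proposal}")
    return findings


def audit_phase1(settings):
    """Return a list of findings for one phase1-interface entry."""
    findings = audit_proposals(settings.get("proposal", []))
    for group in settings.get("dhgrp", []):
        if group in WEAK_DH_GROUPS:
            findings.append(f"weak DH group {group}")
    if settings.get("mode") == ["aggressive"]:
        findings.append("IKEv1 aggressive mode; prefer main mode or IKEv2")
    if "authusrgrp" not in settings:
        findings.append("no user group bound (authusrgrp); the pre-shared key alone admits clients")
    return findings


def audit_config(config_text):
    """Audit every tunnel in the fragment; returns {tunnel_name: [findings]}."""
    return {name: audit_phase1(settings) for name, settings in parse_phase1(config_text).items()}


def common_proposals(client_proposals, gateway_proposals):
    """Proposals both sides offer, in the gateway's order; an empty list means IKE finds no match."""
    offered = set(client_proposals)
    return [p for p in gateway_proposals if p in offered]


# Constructed sample (not from the post): one tunnel with weak evaluation-license settings,
# one with the strong AES-128/SHA-256 proposal the post describes as secure.
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "RemoteAccess-weak"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set proposal des-md5 des-sha1
        set dhgrp 2
        set authusrgrp "VPN-Users"
    next
    edit "RemoteAccess-strong"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set proposal aes128-sha256 aes256-sha256
        set dhgrp 14
        set authusrgrp "VPN-Users"
    next
end
"""

if __name__ == "__main__":
    for tunnel, findings in audit_config(SAMPLE_CONFIG).items():
        print(tunnel, "->", findings or ["no findings"])
    print(common_proposals(["aes128-sha256", "des-md5"], ["aes256-sha256", "aes128-sha256"]))
```

Run it against a `show vpn ipsec phase1-interface` export to see which tunnels still carry the weak evaluation-license proposal once a full license is in place; the audit only understands the `set key value...` lines it was written for, so unknown settings are carried through without being judged.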


Now try to connect.



And we’re connected: we can now reach the inside segment.



On Dashboard » IPsec Monitor, we can see the connected VPN client.



And on Log & Report » Forward Traffic, we can see all the traffic flowing from the VPN client.

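The Forward Traffic view above is handy in the GUI, but the same review is easy to script once the logs are exported. The following added Python example (not code from the post or from Fortinet) parses FortiGate-style `key=value` traffic log lines, keeps only forward-traffic records whose source is in the VPN client pool, and summarises which inside hosts each client reached, which connections the policy denied, and the byte counts. The log lines are constructed for this example and the pool address `10.10.10.0/24` is an assumption; the field names used (`srcip`, `dstip`, `dstport`, `action`, `service`, `sentbyte`, `rcvdbyte`) are the ones FortiGate traffic logs carry.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in FortiGate key=value log syntax (not real logs). The first three
# come from a VPN client in the assumed pool 10.10.10.0/24; the last is ordinary LAN traffic.
SAMPLE_LOGS = """\
date=2024-05-01 time=09:15:02 type="traffic" subtype="forward" srcip=10.10.10.1 srcport=50211 srcintf="RemoteAccess" dstip=192.168.1.10 dstport=445 dstintf="port2" proto=6 action="accept" policyid=2 service="SMB" sentbyte=15230 rcvdbyte=88120
date=2024-05-01 time=09:15:40 type="traffic" subtype="forward" srcip=10.10.10.1 srcport=50212 srcintf="RemoteAccess" dstip=192.168.1.20 dstport=3389 dstintf="port2" proto=6 action="accept" policyid=2 service="RDP" sentbyte=2300 rcvdbyte=9100
date=2024-05-01 time=09:16:05 type="traffic" subtype="forward" srcip=10.10.10.1 srcport=50213 srcintf="RemoteAccess" dstip=192.168.1.30 dstport=22 dstintf="port2" proto=6 action="deny" policyid=0 service="SSH" sentbyte=0 rcvdbyte=0
date=2024-05-01 time=09:16:30 type="traffic" subtype="forward" srcip=192.168.1.50 srcport=41000 srcintf="port2" dstip=8.8.8.8 dstport=53 dstintf="wan1" proto=17 action="accept" policyid=1 service="DNS" sentbyte=70 rcvdbyte=140
"""

# key=value pairs; values are either a double-quoted string (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Turn one FortiGate log line into a dict, stripping the quotes around quoted values."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def summarise_vpn_traffic(log_text, vpn_pool):
    """Per VPN client address: accepted and denied destinations plus total bytes each way."""
    pool = ipaddress.ip_network(vpn_pool)
    summary = defaultdict(lambda: {"accepted": [], "denied": [], "sent": 0, "rcvd": 0})
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields.get("subtype") != "forward" or "srcip" not in fields:
            continue
        src = ipaddress.ip_address(fields["srcip"])
        if src not in pool:
            continue  # not a VPN client; LAN-originated traffic is out of scope here
        record = summary[str(src)]
        destination = f"{fields['dstip']}:{fields['dstport']}/{fields.get('service', '?')}"
        if fields.get("action") == "accept":
            record["accepted"].append(destination)
        else:
            record["denied"].append(destination)  # deny, or any other non-accept action
        record["sent"] += int(fields.get("sentbyte", 0))
        record["rcvd"] += int(fields.get("rcvdbyte", 0))
    return dict(summary)


if __name__ == "__main__":
    for client, record in summarise_vpn_traffic(SAMPLE_LOGS, "10.10.10.0/24").items():
        print(client, "accepted:", record["accepted"])
        print(client, "denied:  ", record["denied"])
        print(client, f"bytes sent={record['sent']} received={record['rcvd']}")
```

Feeding the FortiGate's exported traffic log to `summarise_vpn_traffic` with the pool configured in the wizard gives a quick per-client picture of what the VPN policy actually allowed; a denied entry is the signal that a client tried to go somewhere the policy's local address selection does not cover.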


This post is licensed under CC BY 4.0 by the author.