FortiGate IPsec Remote Access VPN Setup Guide | FortiOS 7.x

By Bhardwaj Vishnu
June 4, 2026 7 Min Read
Table of Contents
  • FortiGate IPsec Remote Access VPN
  • The Network Blueprint & Parameters
  • Phase 1: Identity & Authentication Administration
    • Step 1.1: Create the VPN User Group
    • Step 1.2: Provision the Local User Account
  • Phase 2: IPsec Cryptographic Tunnel Definition
    • Step 2.1: Initialize a Custom IPsec Gateway
    • Step 2.2: Network Interface & IP Pool Settings
    • Step 2.3: Phase 1 Proposal Negotiation
    • Step 2.4: Extended Authentication (XAUTH) Integration
    • Step 2.5: Phase 2 Proposal Definition
  • Phase 3: Firewall Policy Configuration (Transit Control)
    • ⚠️ Crucial Architectural Note on NAT Settings
  • Phase 4: Client-Side Provisioning (FortiClient App Setup)
    • Step 4.1: Establish an Active IPsec Profile Connection
    • Step 4.2: Align Advanced Cryptographic Values
  • Phase 5: Operational Testing and Cryptographic Verification
    • Step 5.1: Initialize the Remote Session
    • Step 5.2: Network Layer & Data Path Validation
  • FortiGate CLI commands mapped directly to the phases in the guide:
    • Phase 1: Identity & Authentication Administration
    • Phase 2: IPsec Cryptographic Tunnel Definition (Phase 1 & Phase 2)
    • Phase 3: Firewall Policy Configuration (Transit Control)
  • FAQ
    • What is a FortiGate Dial-Up VPN?
    • What port does IPsec use?
    • Why use Split Tunneling?
    • Can FortiClient use IKEv2?
    • Should I use DES and SHA1?
  • Conclusion

FortiGate IPsec Remote Access VPN

In modern enterprise network environments, providing secure, encrypted access for a dynamic remote workforce is a foundational architecture requirement. Unlike site-to-site tunnels, a remote access (dial-up) topology allows clients connecting from shifting, unknown external internet addresses to establish a secure tunnel back to protected corporate Local Area Network (LAN) resources.

This guide outlines the step-by-step engineering workflow required to deploy an IPsec Remote Access VPN using a FortiGate Firewall running FortiOS 7.x and the client-side FortiClient VPN agent.

The Network Blueprint & Parameters

To keep our configuration consistent throughout this deployment, we will use the following network parameter layout:

Parameter Component                  Value / Configuration
Public-Facing WAN Interface          wan1
Internal Protected Subnet (LAN)      192.168.26.0/24
Virtual Client IP Allocation Pool    192.168.41.1 – 192.168.41.254
Client DNS Server                    8.8.8.8
IKE Version & Mode                   IKEv1, Aggressive Mode
Cryptographic Proposal               DES / SHA-1 / DH Group 14

Phase 1: Identity & Authentication Administration

Security baselines dictate that remote access authorization should be restricted to verified personnel. Before building any tunnel interfaces, we must establish an identity boundary consisting of a dedicated user group and local accounts.

Step 1.1: Create the VPN User Group

Open your FortiGate dashboard and expand User & Authentication from the left-hand navigation pane, then select User Groups.

Click Create New to instantiate a new security boundary.

Define the Name parameter as IPSec VPN Group.

Leave the group Type configured to its default value: Firewall.

Click OK to commit the group.

Step 1.2: Provision the Local User Account

Inside the User & Authentication menu, navigate to User Definition.

Click Create New to invoke the user onboarding wizard.

Select Local User as the source mechanism and click Next.

Provide a descriptive Username (e.g., test1) and a cryptographically secure Password. Click Next.

Step past the optional contact details screen by clicking Next.

On the final page, toggle the User Group parameter to the enabled state.

Click the selection indicator (+), choose your newly created IPSec VPN Group from the fly-out menu, and click Submit.

Phase 2: IPsec Cryptographic Tunnel Definition

Because your remote endpoints use unknown, shifting public source IPs, the tunnel must be constructed as a dynamic Dialup User gateway.

Step 2.1: Initialize a Custom IPsec Gateway

Navigate to VPN > IPsec Tunnels on the side menu.

Click Create New > IPsec Tunnel.

Input a clean administrative label in the Name field (e.g., Remote Access).

Under the Template type selections, mark the Custom radio button. Bypassing templates gives us full granular control over our cryptographic selections.

Click Next to open the advanced security settings console.

Step 2.2: Network Interface & IP Pool Settings

Configure the top section of the advanced console with these settings:

Remote Gateway: Change the selection from Static IP Address to Dialup User.

Interface: Select your primary public-facing edge interface (e.g., wan1).

Mode Config: Ensure this parameter is explicitly Enabled. This permits the FortiGate to dynamically assign virtual adapter parameters onto connecting clients.

Assign IP From: Set this to Range.

IP Range Fields: Input the private start and end address strings: 192.168.41.1 to 192.168.41.254.

DNS Server: Select the custom option and enter a public resolver for the clients: 8.8.8.8.

Enable IPv4 Split Tunnel: Mark this checkbox as Active. Split-tunnel paths ensure that only traffic destined for designated corporate infrastructure traverses the VPN, preventing general consumer internet usage from saturating your enterprise backhaul bandwidth.

Accessible Networks: Click the lookup window and select your target internal segment (e.g., your LAN address space: 192.168.26.0/24).

Step 2.3: Phase 1 Proposal Negotiation

Scroll down to the Authentication and Phase 1 Proposal panels and configure the following parameters exactly:

Method: Pre-shared Key

Pre-shared Key: [Enter your secure baseline key string]

IKE Version: 1

Mode: Aggressive (required for dial-up environments using XAUTH authentication rules)

Peer Options: Any peer ID

Encryption / Auth: DES / SHA1 (remove the default alternative rows, leaving only this custom stack match)

Diffie-Hellman Group: 14 (specifies a 2048-bit modular exponential key-exchange group; uncheck group 5)

Key Lifetime: 86400 seconds

Step 2.4: Extended Authentication (XAUTH) Integration

Locate the XAUTH options pane within the advanced settings screen.

Change the Type parameter drop-down from Disabled to Auto Server.

Under the User Group field, click Choose.

Select the IPSec VPN Group created during Phase 1. This binds user-account identity checks directly onto the phase 1 key exchange sequence.

Step 2.5: Phase 2 Proposal Definition

Expand the Phase 2 Selectors structural menu block.

Remove all auto-populated proposal rows using the delete (x) actions until only the primary selection string remains.

Modify the Encryption to DES and the Authentication protocol to SHA1.

Deselect DH Group 5 and verify that only Diffie-Hellman Group 14 is selected.

Check that Autokey Keep Alive is toggled to the active/enabled state.

Click OK at the base of the portal page to save the full tunnel configuration.

Phase 3: Firewall Policy Configuration (Transit Control)

A defined tunnel passes no traffic until explicit forwarding policies exist. Security contexts on a FortiGate Firewall mandate that traffic moving between separate cryptographic zones must be explicitly validated by an access control rule.

Navigate to Policy & Objects > Firewall Policy.

Click Create New to build a new data path rule.

Set the policy parameters using the following strict structural framework:

Policy Parameter       Required Entry Value
Name                   VPNRemoteAccessToLAN
Incoming Interface     Your virtual IPsec interface: Remote Access
Outgoing Interface     Your internal trusted zone: lan
Source                 all
Destination            Your internal local pool object, or select all
Schedule / Service     always / ALL
Action                 ACCEPT

⚠️ Crucial Architectural Note on NAT Settings

Ensure that Network Address Translation (NAT) is explicitly disabled on this policy. Preserving original remote addresses across the inner transit architecture is necessary to maintain clean end-to-end IP audit records and prevent session breakage.

Phase 4: Client-Side Provisioning (FortiClient App Setup)

With the server infrastructure configured, client-side application endpoints must be built to match the structural parameters defined on the FortiGate firewall.

Step 4.1: Establish an Active IPsec Profile Connection

Launch the FortiClient VPN app on the client desktop.

Click Configure VPN to create a new connection profile.

Select the IPsec VPN tab at the top of the dialog.

Configure the endpoint settings exactly as follows:

Connection Name: Input a tracking label (e.g., Mumbai Office VPN).

Remote Gateway: Enter the public interface WAN IP address matching your FortiGate border port (e.g., 122.161.198.190).

Authentication Method: Mark Pre-shared Key and type the exact matching string used during Phase 2.

Click on the Advanced Settings link expansion toggle (+).

Step 4.2: Align Advanced Cryptographic Values

VPN Settings: Verify that the IKE parameter maps to Version 1, the Mode corresponds to Aggressive, and Options are flagged for Mode Config.

Phase 1 Alignment: Set the Encryption setting profile string to DES and Authentication to SHA1. Change the DH Group selection to match group 14. Match the Key Life value to 86400.

Phase 2 Alignment: Match the protocol layout explicitly by selecting DES and SHA1. Ensure that the Key Life length matches 43200 and the DH Group selection is set to 14.

Click Save to compile and commit the profile map.

Phase 5: Operational Testing and Cryptographic Verification

The final stage is to verify that the tunnel negotiates successfully and that traffic actually flows through it.

Step 5.1: Initialize the Remote Session

On your FortiClient interface, select the newly saved Mumbai Office VPN connection profile.

Enter your credentials at the prompt:

Username: test1

Password: [Your configured user password]

Click Connect to trigger negotiation. The application window will process parameters and minimize to the system tray upon successful tunnel initialization.

Step 5.2: Network Layer & Data Path Validation

Launch a system Command Prompt (cmd) execution screen on the client machine.

Execute an active echo request test targeting the internal gateway interface of your firewall:

ping 192.168.26.1

FortiGate CLI commands mapped directly to the phases in the guide:

Phase 1: Identity & Authentication Administration

Security baselines require a dedicated user and group for authorization.

# Step 1.1 (CLI order): Provision the Local User Account first, so the group can reference it
config user local
    edit "test1"
        set type password
        set passwd "YourSecurePasswordHere!"
    next
end

# Step 1.2 (CLI order): Create the VPN User Group and assign the user
config user group
    edit "IPSec VPN Group"
        set member "test1"
    next
end

Phase 2: IPsec Cryptographic Tunnel Definition (Phase 1 & Phase 2)

Because remote workers use shifting public IPs, the tunnel relies on a dynamic dial-up configuration along with Mode Config to distribute virtual adapter parameters.

# Address object for the split-tunnel "Accessible Networks" selection (Step 2.2)
config firewall address
    edit "LAN_192.168.26.0"
        set subnet 192.168.26.0 255.255.255.0
    next
end

# Step 2.1 to 2.4: Initialize Custom IPsec Gateway (Phase 1)
config vpn ipsec phase1-interface
    edit "Remote Access"
        set type dynamic                      # Dialup User: remote peers have unknown, shifting IPs
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set peertype any
        set net-device disable
        set proposal des-sha1                 # Matches the guide; the FAQ recommends aes256-sha256 for production
        set dhgrp 14
        set keylife 86400
        set psksecret "YourPreSharedKeyMatch!"
        set mode-cfg enable                   # Push virtual adapter settings to connecting clients
        set ipv4-start-ip 192.168.41.1        # Virtual Client IP Allocation Pool from the blueprint
        set ipv4-end-ip 192.168.41.254
        set ipv4-netmask 255.255.255.0
        set ipv4-dns-server1 8.8.8.8
        set ipv4-split-include "LAN_192.168.26.0"   # Split tunnel: only LAN-bound traffic enters the tunnel
        set xauthtype auto                    # XAUTH Type: Auto Server
        set authusrgrp "IPSec VPN Group"
    next
end

# Step 2.5: Phase 2 Proposal Definition
config vpn ipsec phase2-interface
    edit "Remote Access"
        set phase1name "Remote Access"
        set proposal des-sha1                 # Matches the guide; see the FAQ on DES/SHA1
        set pfs enable                        # Phase 2 DH Group 14, as selected in the GUI
        set dhgrp 14
        set keepalive enable                  # Autokey Keep Alive
        set keylifeseconds 43200
    next
end

Phase 3: Firewall Policy Configuration (Transit Control)

A dynamic IPsec tunnel drops traffic without an explicit firewall policy permitting the decrypted packets into your internal network (e.g., your LAN interface).

# Define transit control allowing VPN traffic into the internal network
config firewall policy
    edit 0
        set name "VPN-to-Internal"
        set srcintf "Remote Access"
        set dstintf "lan"                     # Change to match your LAN interface name
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat disable                       # Keep NAT off, per the architectural note in Phase 3
    next
end
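As an added example (not part of the original guide), the following Python script parses flat FortiOS CLI blocks like the ones above and flags the settings the FAQ and conclusion advise against: DES/SHA1 proposals, IKEv1, disabled PFS, and NAT left enabled on the VPN-to-LAN policy. The sample configuration is constructed to mirror the guide's values and is not exported from a real device.

```python
# Constructed sample (not from a live device) with the weak values this guide's CLI uses.
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "Remote Access"
        set ike-version 1
        set proposal des-sha1
    next
end
config vpn ipsec phase2-interface
    edit "Remote Access"
        set proposal des-sha1
        set pfs disable
    next
end
config firewall policy
    edit 0
        set nat enable
    next
end
"""

def parse_blocks(text):
    # Map (section, entry) -> {key: value} for flat FortiOS 'config / edit / set' blocks.
    blocks, section, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section, entry = line[7:], None
        elif line.startswith("edit "):
            entry = line[5:].strip('"')
            blocks[(section, entry)] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            blocks[(section, entry)][key] = value.strip('"')
    return blocks

def audit(text):
    # One finding per setting that departs from the guide's own FAQ/conclusion advice.
    findings = []
    for (section, name), kv in parse_blocks(text).items():
        weak = {"des", "3des", "md5", "sha1"} & set(kv.get("proposal", "").replace("-", " ").split())
        if weak:
            findings.append(f"{section} '{name}': weak proposal {sorted(weak)}, use aes256-sha256")
        if kv.get("ike-version") == "1":
            findings.append(f"{section} '{name}': IKEv1 in use, IKEv2 is recommended for production")
        if kv.get("pfs") == "disable":
            findings.append(f"{section} '{name}': PFS disabled, enable it and set dhgrp 14")
        if section == "firewall policy" and kv.get("nat") == "enable":
            findings.append(f"{section} '{name}': NAT enabled on the VPN-to-LAN policy, disable it")
    return findings
```

Run `audit()` over the output of `show vpn ipsec phase1-interface`, `show vpn ipsec phase2-interface` and `show firewall policy` pasted into a file; an empty list means the tunnel matches the hardening advice in the FAQ.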

FAQ

What is a FortiGate Dial-Up VPN?

A VPN designed for remote users with dynamic public IP addresses.

What port does IPsec use?

UDP 500 and UDP 4500.

Why use Split Tunneling?

It reduces VPN bandwidth consumption by routing only corporate traffic through the tunnel.

Can FortiClient use IKEv2?

Yes. FortiOS 7.x fully supports IKEv2 and is recommended for production.

Should I use DES and SHA1?

No. Use AES256 and SHA256 whenever possible.


Conclusion

FortiGate IPsec Remote Access VPN provides a secure method for remote employees to access internal resources over the public internet.

By combining user authentication, dynamic dial-up VPN tunnels, firewall policies, and FortiClient software, organizations can build a scalable remote access solution suitable for small businesses and enterprise deployments.

For production environments, upgrade cryptographic algorithms to AES256, SHA256, and IKEv2 to align with current security best practices.

Bhardwaj Vishnu is a Network Security Engineer with hands-on expertise in enterprise firewall management, network automation, and multi-vendor infrastructure. He holds Fortinet NSE 4/NSE 5, a Cisco CCNA, and the full Cisco Meraki certification track. He architects FortiGate security policies, manages Cisco Meraki MX/MS/MR deployments, and handles enterprise routing and switching. Every guide on netconfig.io comes from direct production experience — real CLI commands, verified configs.
