
FortiGate IPsec VPN Configuration Guide: Secure Site-to-Site and Remote Access Setup


IPsec VPNs let remote users and branch offices reach private networks across the internet inside encrypted, authenticated tunnels, a core control for distributed workforces and interconnected offices. FortiGate firewalls implement IPsec natively, so an organization can link sites or admit remote clients over untrusted networks while keeping traffic confidential and tamper-evident in transit. IPsec operates at the network layer: it protects IP packets themselves, carried as ESP (IP protocol 50, or inside UDP/4500 when NAT traversal is in use), so every application above it is covered without changes. This guide synthesizes information from multiple technical sources into one overview of configuring IPsec VPNs on FortiGate for both remote access and site-to-site scenarios.

Compared with SSL VPNs, which suit short-lived, per-user access, IPsec VPNs are the better fit for persistent links such as branch-to-branch connectivity or always-on remote access to corporate resources. Whether the tunnel joins two networks or a single device to a network, a correctly configured FortiGate IPsec VPN keeps third parties from reading or altering the traffic in transit; which resources a connected peer may reach is a separate decision, enforced by the firewall policies attached to the tunnel interface.


Understanding FortiGate IPsec VPN Fundamentals

Core Concepts and Terminology

An IPsec VPN on FortiGate builds encrypted tunnels over the internet that protect all traffic routed through them. The tunnel is negotiated by IKE in two stages, which FortiGate labels Phase 1 and Phase 2 in both the GUI and the CLI:

  • Phase 1: the two gateways authenticate each other (pre-shared key or certificate) and agree on the encryption, integrity and Diffie-Hellman parameters for a protected control channel, the IKE security association
  • Phase 2: inside that channel they negotiate the IPsec (ESP) security associations that carry the data: cipher, integrity algorithm, the optional Perfect Forward Secrecy group, and the traffic selectors that define which local and remote subnets the tunnel serves

FortiGate supports IKEv1 and IKEv2. Both peers must run the same version; IKEv2 is the better choice for new tunnels.

FortiGate simplifies configuration through its built-in IPsec Wizard, which guides administrators through common scenarios. The wizard creates the Phase 1 and Phase 2 definitions, the address objects, the firewall policies and (for site-to-site tunnels) the static routes, reducing manual work and the chance of a mismatch between the two ends. Everything it generates can be inspected afterwards in the CLI with show vpn ipsec phase1-interface and show vpn ipsec phase2-interface.

Preparation and Prerequisites

Before configuring an IPsec VPN on FortiGate, ensure you have:

  • Network topology clearly defined, including IP addressing schemes for all interfaces
  • Access credentials for FortiGate administrative interface
  • Interface assignments established (WAN ports for external connections, LAN ports for internal networks)
  • Remote endpoint information including IP addresses and any pre-shared keys or certificates
  • FortiGuard subscriptions validated only if you intend to apply licensed security profiles (antivirus, IPS, web filtering) to tunnel traffic; IPsec VPN itself is a base FortiOS feature and needs no subscription

Configuring Remote Access IPsec VPN (Windows FortiClient to FortiGate)

Step 1: Initial FortiGate Network Configuration

Begin by setting up the basic network parameters on your FortiGate firewall:

  1. Access the FortiGate web interface on a management interface (this guide's examples use port2 with IP 192.168.0.1)
  2. Enable a DHCP server on the LAN interface (port2) with an address range that suits the site (e.g., 192.168.0.10-192.168.0.20)
  3. Configure the DNS servers the FortiGate and its clients will use (a public resolver such as 4.2.2.4, or your internal DNS servers, which remote users need in order to resolve internal names)

Step 2: Creating Authentication Infrastructure

Before configuring the VPN itself, establish user authentication:

  1. Navigate to User & Authentication > User Groups
  2. Create a new user group (e.g., "VPN_GRP_A001") with Type set to "Firewall"
  3. Navigate to User & Authentication > User Definition
  4. Create a local user account, assigning it to the newly created VPN group
  5. Set the authentication method: for anything beyond a lab, enable two-factor authentication on the account (FortiToken, or an email or SMS token) rather than relying on a password alone

Step 3: IPsec Wizard Configuration for Remote Access

FortiGate's IPsec Wizard simplifies remote access VPN setup:

  1. Navigate to VPN > IPsec Wizard
  2. Select Remote Access as the Template Type
  3. Choose FortiClient as the Remote Device Type
  4. Configure the following parameters:
    • Name: Descriptive name for the VPN connection
    • Incoming Interface: Your WAN port (typically Port1)
    • Authentication Method: Pre-shared key (use a long random key; the FortiClient template typically generates an IKEv1 aggressive-mode tunnel with XAuth, in which a responder hash derived from the PSK is observable on the wire and a weak key can be recovered offline, so check the generated Phase 1 with show vpn ipsec phase1-interface and prefer IKEv2 or certificate authentication where your FortiOS release and client support them)
    • User Group: Select the group created in Step 2
    • Local Interface: Your LAN interface (typically Port2)
    • Client Address Range: Define an IP pool for connecting clients (e.g., 172.16.0.1-172.16.0.10)
    • Subnet Mask: Typically 255.255.255.0 for client addressing

Step 4: FortiClient Configuration on Windows

To establish VPN connections from Windows machines:

  1. Download and install FortiClient from the official Fortinet website
  2. Launch FortiClient and navigate to the VPN configuration section
  3. Create a new IPsec VPN connection with these parameters:
    • Connection Name: Descriptive name for the connection
    • Remote Gateway: Public IP address or hostname of your FortiGate's WAN interface
    • Authentication Method: Pre-shared key (enter the same key configured on FortiGate)
    • Username and Password: Credentials for the user account created earlier

Step 5: Verification and Testing

After completing configuration:

  1. Initiate the VPN connection from FortiClient
  2. Verify tunnel establishment in FortiGate under VPN > IPsec Tunnels
  3. Test connectivity by pinging internal resources from the connected Windows machine
  4. Check Logs & Reports > Event > VPN Event (Log & Report > Events > VPN Events in recent FortiOS releases) for connection issues or authentication errors

Configuring Site-to-Site IPsec VPN (FortiGate to FortiGate)

Network Architecture Considerations

Site-to-site VPNs connect entire networks securely. For a typical two-site configuration:

  • Site 1 (FG1): WAN IP 10.10.10.1/24, LAN subnet 192.168.20.0/24
  • Site 2 (FG2): WAN IP 10.10.10.2/24, LAN subnet 192.168.10.0/24

These are lab addresses on a shared WAN segment; in production the WAN addresses are public, or reachable through NAT with NAT traversal, and the two LAN subnets must not overlap.

The only connectivity the tunnel needs is IP reachability between the two WAN addresses for IKE (UDP/500, and UDP/4500 when NAT traversal is in use) and ESP (IP protocol 50). Internet access and license validation are not prerequisites for IPsec; both firewalls usually have internet access simply because that is the path between the sites.

Step 1: FortiGate 1 Configuration

Configure the first FortiGate device:

  1. Navigate to VPN > IPsec Wizard
  2. Select Site to Site as the Template Type and FortiGate as Remote Device Type
  3. Choose No NAT between sites if both WAN interfaces carry public addresses; if one side sits behind a NAT device, pick the option that describes it (This site is behind NAT or The remote site is behind NAT) and NAT traversal is negotiated automatically
  4. Configure authentication:
    • Remote IP Address: 10.10.10.2 (FG2's WAN IP)
    • Outgoing Interface: Port3 (or your designated WAN interface)
    • Pre-shared Key: Enter a long random key (it must match exactly on both ends)
  5. Define policy and routing:
    • Local Interface: Port2 (LAN interface)
    • Local Subnet: 192.168.20.0/24
    • Remote Subnet: 192.168.10.0/24

Step 2: FortiGate 2 Configuration

Configure the second FortiGate device with reciprocal settings:

  1. Navigate to VPN > IPsec Wizard
  2. Select Site to Site as the Template Type and FortiGate as Remote Device Type
  3. Choose No NAT between sites
  4. Configure authentication:
    • Remote IP Address: 10.10.10.1 (FG1's WAN IP)
    • Outgoing Interface: Port3 (or your designated WAN interface)
    • Pre-shared Key: Same key configured on FG1
  5. Define policy and routing:
    • Local Interface: Port2 (LAN interface)
    • Local Subnet: 192.168.10.0/24
    • Remote Subnet: 192.168.20.0/24

Step 3: Tunnel Establishment and Verification

After configuring both ends:

  1. Navigate to VPN > IPsec Tunnels on either FortiGate
  2. Locate the newly created tunnel; it shows as Inactive until the first negotiation completes
  3. Select the tunnel (double-click the Inactive entry or right-click it) and choose Bring Up > All Phase 2 Selectors
  4. Verify that the status changes to Up on both ends; the tunnel also comes up on its own when traffic is routed into it, or immediately after configuration if Auto-negotiate is enabled on the Phase 2 selector
  5. Test connectivity by pinging devices across the tunnel from both sides
  6. Review VPN events in Logs & Reports > Event > VPN Event
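The wizard hides the two ends' definitions behind GUI fields, so the usual way a site-to-site tunnel fails is a single value that differs between FG1 and FG2. The following Python script is an added example, not part of the original guide or a Fortinet tool: it parses the FortiOS CLI a wizard-built tunnel leaves on each peer and checks that the two ends mirror each other. The tunnel names, the port3 WAN interface, the proposal and the PSK are assumptions chosen to match this guide's addressing, and the two configs are built from one template with a deliberate DH-group mismatch on FG2 rather than taken from real devices; on a real pair you would paste the output of show vpn ipsec phase1-interface, show vpn ipsec phase2-interface and show system interface from each FortiGate.

```python
"""Mirror-consistency check for a FortiGate-to-FortiGate IPsec tunnel (added example).

Parses the FortiOS CLI the IPsec wizard leaves on each peer (phase1-interface,
phase2-interface and the WAN interface) and reports the mismatches that keep a
site-to-site tunnel from coming up. Both configs are constructed from one template
with this guide's addressing; they are not dumps from real devices.
"""
import shlex

# One site's wizard-style configuration in FortiOS syntax; site-specific values are placeholders.
SITE_TEMPLATE = """
config system interface
    edit "port3"
        set ip {wan_ip} 255.255.255.0
    next
end
config vpn ipsec phase1-interface
    edit "{tunnel}"
        set interface "port3"
        set ike-version 2
        set proposal aes256-sha256
        set dhgrp {p1_dhgrp}
        set remote-gw {peer_ip}
        set psksecret "example-psk-change-me"
    next
end
config vpn ipsec phase2-interface
    edit "{tunnel}"
        set phase1name "{tunnel}"
        set proposal aes256-sha256
        set dhgrp 14
        set pfs enable
        set src-subnet {local_lan} 255.255.255.0
        set dst-subnet {remote_lan} 255.255.255.0
    next
end
"""
FG1_CONFIG = SITE_TEMPLATE.format(tunnel="FG1-to-FG2", wan_ip="10.10.10.1", peer_ip="10.10.10.2",
                                  local_lan="192.168.20.0", remote_lan="192.168.10.0", p1_dhgrp="14")
# FG2 mirrors FG1 except for one deliberate mistake: Phase 1 DH group 5 instead of 14.
FG2_CONFIG = SITE_TEMPLATE.format(tunnel="FG2-to-FG1", wan_ip="10.10.10.2", peer_ip="10.10.10.1",
                                  local_lan="192.168.10.0", remote_lan="192.168.20.0", p1_dhgrp="5")

P1, P2 = "vpn ipsec phase1-interface", "vpn ipsec phase2-interface"
DEFAULTS = {"ike-version": "1", "pfs": "enable"}  # FortiOS omits these from `show` when left at default


def parse_fortios(text):
    """Turn config/edit/set/next/end blocks into {section: {entry: {option: value}}}."""
    tree, stack = {}, []  # stack of (section path, current entry dict or None)
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            stack.append((" ".join(args), None))
        elif cmd == "edit":
            path = stack[-1][0]
            stack[-1] = (path, tree.setdefault(path, {}).setdefault(args[0], {}))
        elif cmd == "set" and stack[-1][1] is not None:
            stack[-1][1][args[0]] = " ".join(args[1:])
        elif cmd == "next":
            stack[-1] = (stack[-1][0], None)
        elif cmd == "end":
            stack.pop()
    return tree


def check_pair(a_text, a_tunnel, b_text, b_tunnel, a_name="FG1", b_name="FG2"):
    """Return mismatch descriptions; an empty list means the two ends agree."""
    a, b = parse_fortios(a_text), parse_fortios(b_text)
    p1a, p1b, p2a, p2b = a[P1][a_tunnel], b[P1][b_tunnel], a[P2][a_tunnel], b[P2][b_tunnel]
    findings = []
    def same(label, key, x, y):
        xv, yv = x.get(key, DEFAULTS.get(key, "")), y.get(key, DEFAULTS.get(key, ""))
        # proposal/dhgrp are order-insensitive token lists; a real `show` prints psksecret as
        # "ENC <per-device blob>", which cannot be compared, so only plaintext keys are checked.
        if set(xv.split()) != set(yv.split()) and not xv.startswith("ENC "):
            findings.append(f"{label} {key}: {a_name}={xv!r} {b_name}={yv!r}")
    for key in ("ike-version", "proposal", "dhgrp", "psksecret"):
        same("phase1", key, p1a, p1b)
    for key in ("proposal", "dhgrp", "pfs"):
        same("phase2", key, p2a, p2b)
    # Each remote-gw must be the address configured on the other peer's outgoing interface.
    for x, y, xn, yn, ycfg in ((p1a, p1b, a_name, b_name, b), (p1b, p1a, b_name, a_name, a)):
        peer_ip = ycfg["system interface"][y["interface"]]["ip"].split()[0]
        if x.get("remote-gw") != peer_ip:
            findings.append(f"{xn} remote-gw {x.get('remote-gw')} is not {yn}'s WAN address {peer_ip}")
    # Phase 2 selectors must be mirrored: A's local subnet is B's remote subnet and vice versa.
    if (p2a.get("src-subnet"), p2a.get("dst-subnet")) != (p2b.get("dst-subnet"), p2b.get("src-subnet")):
        findings.append("phase2 selectors are not mirrored")
    return findings


if __name__ == "__main__":
    print(check_pair(FG1_CONFIG, "FG1-to-FG2", FG2_CONFIG, "FG2-to-FG1"))
```

Run as-is, the only finding is the DH group (FG1=14, FG2=5), exactly the kind of mismatch that leaves a tunnel Inactive. Because a real show prints psksecret as ENC followed by a device-specific blob, the key has to be compared by retyping it on both sides, not from the dumps.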

Troubleshooting Common IPsec VPN Issues

Tunnel Fails to Establish

If your IPsec tunnel won't come up:

  1. Verify that the Phase 1 parameters match exactly on both ends: IKE version, main or aggressive mode (IKEv1), encryption and hash algorithms, Diffie-Hellman group, peer ID and NAT traversal setting; a mismatch in any one of them fails the negotiation
  2. Check the pre-shared key for an exact match (it is case-sensitive and easy to mistype when entered twice by hand)
  3. Confirm network connectivity between the WAN interfaces (ping the remote gateway) and that nothing on the path blocks UDP/500, UDP/4500 and ESP
  4. Check Phase 2 as well: the proposal, PFS group and traffic selectors must be mirror images of each other
  5. Review the firewall policies from the LAN interface to the tunnel interface; without one, traffic never enters the tunnel and an on-demand tunnel is never triggered
  6. Examine local-in policies on the FortiGate and any upstream firewall for rules that drop IKE or ESP toward the WAN interface
  7. On the CLI, diagnose vpn ike gateway list shows the Phase 1 state, diagnose vpn tunnel list shows the Phase 2 selectors and SAs, and diagnose debug application ike -1 followed by diagnose debug enable prints the negotiation itself, which names the parameter the peers disagree on (turn it off again with diagnose debug disable)

Authentication Failures

For authentication-related issues:

  1. Verify user credentials in User Definition
  2. Check user group assignments and ensure the correct group is selected in VPN configuration
  3. Confirm two-factor authentication settings if applicable
  4. Review certificate validity if using certificate-based authentication
  5. Check FortiClient configuration for correct authentication method selection

Performance and Stability Problems

If the tunnel is established but experiencing issues:

  1. Review MTU and MSS: ESP tunnel mode adds roughly 50 to 80 bytes per packet (outer IP header, ESP header, IV, padding, trailer and integrity tag, plus 8 bytes of UDP with NAT traversal), so full-size packets no longer fit a 1500-byte path and either fragment or are dropped; clamp the TCP MSS on the LAN-facing interface or on the tunnel policy (set tcp-mss on the interface, or tcp-mss-sender and tcp-mss-receiver on the policy)
  2. Check for overlapping address space between the local and remote subnets, which makes routing ambiguous
  3. Monitor tunnel stability in the VPN event logs for frequent rekeying or disconnections, and compare the key lifetimes configured on both ends
  4. Verify routing: traffic for the remote networks must be routed into the tunnel interface, and the return path on the far side must point back through it
  5. Consider split tunneling for remote access VPNs if full tunneling overloads the gateway or its uplink, bearing in mind that split-tunneled clients then reach the internet directly, outside the FortiGate's inspection
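The MTU point above is easier to reason about with the numbers in front of you. The following Python is an added example, not from the original guide or from Fortinet: it computes the ESP tunnel-mode overhead for a few Phase 2 proposals (the per-algorithm IV and ICV sizes are the standard RFC values, assumed here for the proposal names FortiOS uses), the largest inner packet that fits a 1500-byte path, and the TCP MSS to clamp.

```python
"""ESP overhead and TCP MSS for a FortiGate IPsec tunnel (added example).

Works out how many bytes ESP adds to a packet for a given Phase 2 proposal,
the largest inner IPv4 packet that still fits the path MTU, and the TCP MSS
to clamp so that tunnelled TCP never needs fragmentation.
"""
# ESP parameters per proposal: (cipher block size, IV length, ICV length) in bytes.
# CBC ciphers carry a block-sized IV; GCM carries an 8-byte IV and needs only 4-byte alignment.
# ICV is the truncated integrity tag: HMAC-SHA1-96 = 12, HMAC-SHA256-128 = 16, GCM = 16.
PROPOSALS = {
    "aes256-sha1":   (16, 16, 12),
    "aes256-sha256": (16, 16, 16),
    "aes128-sha256": (16, 16, 16),
    "aes256gcm":     (4, 8, 16),
}
ESP_HEADER = 8   # SPI + sequence number
ESP_TRAILER = 2  # pad length + next header


def esp_overhead(proposal, inner_len, nat_t=False, ipv6_outer=False):
    """Bytes added to an inner packet of inner_len bytes when sent through ESP in tunnel mode."""
    block, iv, icv = PROPOSALS[proposal]
    outer_ip = 40 if ipv6_outer else 20
    udp = 8 if nat_t else 0  # NAT traversal wraps ESP in UDP/4500
    # Padding brings (inner packet + trailer) up to a multiple of the cipher block size.
    pad = (-(inner_len + ESP_TRAILER)) % block
    return outer_ip + udp + ESP_HEADER + iv + pad + ESP_TRAILER + icv


def max_inner_packet(proposal, path_mtu=1500, nat_t=False, ipv6_outer=False):
    """Largest inner IPv4 packet whose ESP encapsulation fits path_mtu (padding depends on size)."""
    size = path_mtu
    while size + esp_overhead(proposal, size, nat_t, ipv6_outer) > path_mtu:
        size -= 1
    return size


def tcp_mss(proposal, path_mtu=1500, nat_t=False, ipv6_outer=False):
    """TCP MSS to clamp on the LAN side: inner packet minus a 20-byte IPv4 and 20-byte TCP header."""
    return max_inner_packet(proposal, path_mtu, nat_t, ipv6_outer) - 40


if __name__ == "__main__":
    for prop in PROPOSALS:
        for nat in (False, True):
            print(f"{prop:14s} nat-t={str(nat):5s} max inner={max_inner_packet(prop, nat_t=nat)} "
                  f"mss={tcp_mss(prop, nat_t=nat)}")
```

For aes256-sha256 without NAT traversal the result is a 1438-byte inner packet and a 1398-byte MSS; with NAT traversal the MSS drops to 1382, and aes256gcm recovers some of the loss because its IV is 8 bytes. Apply the figure with set tcp-mss on the LAN interface or with tcp-mss-sender and tcp-mss-receiver on the tunnel policy, and leave headroom if the path MTU is below 1500 (PPPoE uplinks, for example).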

Frequently Asked Questions

What's the difference between IPsec VPN and SSL VPN on FortiGate?

IPsec VPN operates at the network layer, creating an encrypted tunnel for all IP traffic between networks or devices. It is the natural choice for persistent connections such as site-to-site links or always-on remote access. FortiGate's SSL VPN runs over TLS: in web mode it proxies selected applications through a browser portal, and in tunnel mode (with FortiClient) it also carries full IP traffic. For short-lived, per-user access that does not need an always-on link between networks, SSL VPN may be simpler to set up and maintain.

Why does my site-to-site VPN tunnel show as "Inactive" even after configuration?

An Inactive status means no IKE negotiation has completed yet: either nothing has triggered the tunnel or the negotiation is failing. To start it manually, navigate to VPN > IPsec Tunnels, select the tunnel, right-click it and choose Bring Up > All Phase 2 Selectors; the status should change to Up. If it stays Inactive, check that the Phase 1 and Phase 2 parameters match on both ends, that the two WAN addresses can reach each other on UDP/500, UDP/4500 and ESP, and that a firewall policy and a route send traffic into the tunnel. Enabling Auto-negotiate on the Phase 2 selector makes the tunnel come up without waiting for traffic.

Can I configure IPsec VPN without using the wizard?

Yes. FortiGate supports manual IPsec configuration for scenarios the wizard does not cover. Navigate to VPN > IPsec Tunnels and select Create New with the Custom template, or define the tunnel in the CLI under config vpn ipsec phase1-interface and config vpn ipsec phase2-interface. This gives granular control over every Phase 1 and Phase 2 parameter, but the firewall policies, address objects and routes the wizard would have generated must then be created by hand, and the parameters must be kept identical on both peers.

How do I verify my IPsec VPN is working correctly after configuration?

Use these verification steps:

  1. Check VPN > IPsec Tunnels for "Up" status
  2. Review Logs & Reports > Event > VPN Event for successful establishment messages
  3. Test connectivity by pinging devices across the tunnel from both sides
  4. Verify traffic flow in Logs & Reports > Traffic for tunneled traffic
  5. Check the IPsec monitor (Dashboard > Network > IPsec in FortiOS 7.x, Monitor > IPsec Monitor in 6.x) for per-tunnel statistics, or run diagnose vpn tunnel list in the CLI, which shows the negotiated selectors and the packet counters per SA

What should I do if remote users can connect but cannot access internal resources?

This common issue typically involves firewall policies or routing:

  1. Verify firewall policies exist allowing traffic from the VPN interface to internal networks
  2. Check address objects correctly define the VPN client IP range
  3. Review split tunneling: if it is enabled, the internal subnets must be listed in the routing addresses pushed to clients, otherwise the client never sends that traffic into the tunnel; if it is disabled, all client traffic, internet included, arrives at the FortiGate and needs a policy from the tunnel interface to the WAN as well
  4. Confirm internal resources aren't using IP addresses overlapping with the VPN client range
  5. Check DNS settings on the VPN clients to ensure proper name resolution

How do I improve the security of my FortiGate IPsec VPN?

Enhance VPN security with these measures:

  1. Use certificate-based authentication instead of pre-shared keys where possible; where a PSK is unavoidable, make it long and random, and give each peer its own key rather than sharing one across sites
  2. Prefer IKEv2, and never combine IKEv1 aggressive mode with a pre-shared key, since the responder's PSK-derived hash is exposed to offline guessing
  3. Implement two-factor authentication for remote access users
  4. Configure strong cryptographic algorithms (AES-256 or AES-GCM for encryption, SHA-256 or SHA-512 for integrity, Diffie-Hellman group 14 or higher or the ECP groups 19 and 20) and remove DES, 3DES, MD5, SHA-1 and DH groups 1, 2 and 5 from the proposals, including any fallback entries the wizard may have left in
  5. Enable Perfect Forward Secrecy on Phase 2 so that a compromised key exposes only one security association; with PFS in place, shortening the key lifetimes adds little
  6. Enable dead peer detection (dpd on-idle) to identify and respond to tunnel failures promptly
  7. Regularly update FortiOS to patch known vulnerabilities, and do not expose HTTPS or SSH administrative access on the WAN interface alongside the VPN
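The checklist above, together with the pre-shared-key caveat in the remote access section, can be turned into a review that runs over a tunnel definition. The following Python is an added example rather than code from the guide or from Fortinet: it takes the Phase 1 and Phase 2 settings as dictionaries keyed by the FortiOS CLI option names and returns the findings with the hardened value for each. The thresholds (group 14 as the minimum, 20 characters for a PSK) and the two sample tunnels, a weak wizard-style dialup definition beside its corrected form, are assumptions constructed for the example.

```python
"""Audit of FortiGate IPsec Phase 1 / Phase 2 settings (added example).

Takes each phase's settings as a dict keyed by the FortiOS CLI option names
(ike-version, mode, authmethod, proposal, dhgrp, dpd, psksecret, pfs) and
returns the findings a reviewer would raise, each with the hardened value.
The two tunnel definitions below are constructed: a weak, wizard-style
dialup tunnel and its corrected form.
"""
WEAK_ALGS = {"des", "3des", "md5", "sha1"}
WEAK_DH = {"1", "2", "5"}  # 768-, 1024- and 1536-bit MODP groups
# Values FortiOS applies when an option is not set explicitly.
DEFAULTS = {"ike-version": "1", "mode": "main", "authmethod": "psk", "dpd": "on-demand", "pfs": "enable"}

# Constructed weak configuration: IKEv1 aggressive mode with a short PSK and legacy algorithms.
WEAK_PHASE1 = {"ike-version": "1", "mode": "aggressive", "authmethod": "psk", "psksecret": "fortinet",
               "proposal": "aes128-sha1 3des-md5", "dhgrp": "5 2"}
WEAK_PHASE2 = {"proposal": "aes128-sha1 3des-md5", "dhgrp": "5 2", "pfs": "disable"}

# Corrected form: IKEv2, AES-256 with SHA-256 or GCM (GCM proposals are IKEv2 only),
# 2048-bit and ECDH groups, PFS, DPD on idle and a long random PSK.
HARDENED_PHASE1 = {"ike-version": "2", "authmethod": "psk", "psksecret": "constructed-psk-9f3b7c2e1a4d",
                   "proposal": "aes256-sha256 aes256gcm-prfsha256", "dhgrp": "14 19 20", "dpd": "on-idle"}
HARDENED_PHASE2 = {"proposal": "aes256-sha256 aes256gcm", "dhgrp": "14 19 20", "pfs": "enable"}


def algorithms(proposal):
    """'aes128-sha1 3des-md5' -> {'aes128', 'sha1', '3des', 'md5'} (GCM entries stay as one token)."""
    return {part for entry in proposal.split() for part in entry.split("-")}


def audit_tunnel(phase1, phase2):
    """Return a list of findings; an empty list means nothing to raise."""
    p1 = {**DEFAULTS, **phase1}
    p2 = {"pfs": DEFAULTS["pfs"], **phase2}
    findings = []
    if p1["ike-version"] == "1":
        findings.append("phase1 ike-version 1: use IKEv2 (set ike-version 2)")
        if p1["mode"] == "aggressive" and p1["authmethod"] == "psk":
            findings.append("phase1 aggressive mode with PSK: the responder's PSK-derived hash is sent in the "
                            "clear and can be brute-forced offline; use IKEv2 or certificates (set authmethod signature)")
    for label, cfg in (("phase1", p1), ("phase2", p2)):
        weak = algorithms(cfg.get("proposal", "")) & WEAK_ALGS
        if weak:
            findings.append(f"{label} proposal uses {sorted(weak)}: use aes256-sha256 or aes256gcm")
        bad_dh = set(cfg.get("dhgrp", "").split()) & WEAK_DH
        if bad_dh:
            findings.append(f"{label} dhgrp {sorted(bad_dh)}: use group 14 or higher (19/20 for ECDH)")
    if p2["pfs"] == "disable":
        findings.append("phase2 pfs disable: enable PFS so one compromised key exposes only one SA")
    if p1["dpd"] == "disable":
        findings.append("phase1 dpd disable: set dpd on-idle so dead peers are detected")
    if p1["authmethod"] == "psk" and len(p1.get("psksecret", "")) < 20:
        findings.append("psksecret shorter than 20 characters: use a long random key or certificates")
    return findings


if __name__ == "__main__":
    for name, p1, p2 in (("weak", WEAK_PHASE1, WEAK_PHASE2), ("hardened", HARDENED_PHASE1, HARDENED_PHASE2)):
        print(name, audit_tunnel(p1, p2) or ["no findings"])
```

The weak definition produces eight findings and the hardened one none. The same dictionaries can be filled from the values shown by show vpn ipsec phase1-interface and show vpn ipsec phase2-interface; options absent from that output are at their FortiOS defaults, which is why the audit applies the DEFAULTS table before checking.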