Experience with FortiGate VPN?

AP2
I just purchased a FortiWiFi 50B appliance and I'm having some issues configuring the VPN function to work. Their customer support is HORRIBLE! Anyhow, I have a small office with 4 computers on the network and would like the ability to connect remotely to those units on occasion. Currently I'm leaning towards IPsec. Can anyone help me configure this correctly?

Here is my current network setup:

DSL modem (Integra Telecom - NexusLink) > FortiWiFi 50B > D-Link DGS-2208 switch > PCs [3 PCs, 1 WHS for QuickBooks]

Thanks in advance.
 
There is nowhere near enough information in your post to help you.

The short answer is make sure your modem will pass IPsec traffic, then either contact Fortinet or read some of their docs on how to set up a VPN.
 
Thanks for the start, StarTrek4U. How can you tell if the modem is capable of passing IPsec?
 
Generally the IPsec traffic is going to be encapsulated in UDP on port 4500 (NAT-T) because of the use of dynamic PAT on one or more sides of the tunnel. You really don't have to worry about getting native ESP packets across the modem in most instances.
 
How about some more information? Is your modem passing a public IP address along to your firewall? If you have a private IP on the outside then the VPN isn't going to work very well.
 
Take a look at Shrew Soft VPN. They offer a client for IPsec, but more importantly they have wikis on how to set up VPNs on a bunch of different devices.
 
Here's a little how-to that I wrote a while back to configure a FortiGate with either Shrew Soft or IPSecuritas. Although after playing around a bit, I will say that I like their SSL VPN a lot more, so you may look into getting that set up. Also don't be scared off that you can only get the SSL VPN client for Windows from the FortiGate itself; if you log in to support, you can download the Mac or Linux clients too.

Setting up a VPN on a FortiGate device is actually pretty easy once you've done it once or twice, and from what I've seen it seems to be very quick to connect and highly reliable.
These instructions are for a FortiGate device running FortiOS 4.0, although they are almost identical on FortiOS 3.0.


1) Log into the FortiGate device.

2) Browse to the Users tab, and create a new user.

3) Click on User Group under the Users tab and create a new firewall group with the users in it that you wish to allow to access the VPN; let's call this group "VPN Users".

4) Click on VPN > IPsec and create a phase 1 connection.

5) I named my connection "VPN Client Phase 1".

6) Set the remote gateway type to "Dialup User", and set the local interface to the WAN interface that users will be connecting to from the outside world.

7) Set the mode to Aggressive with a Preshared Key and enter your preshared key.

8) Under Peer options select "Accept any peer ID"

9) Click "Advanced" to set the advanced options

10) Leave "Enable IPSec Interface Mode" unchecked.

11) Set encryption to 3DES on both 1 and 2, and set authentication to SHA1 on 1 and MD5 on 2.

12) Leave the "DH Group" set to 5.

13) Set the "Key Life" to 28800, and leave the "Local ID" blank.

14) Under XAUTH select "Enable as Server", with the server type set to "Auto".

15) Next to "User Group" select the group of users that you wish to allow to use this VPN.

16) Make sure "NAT Traversal" and "Dead Peer Detection" are checked.

17) Click "OK" to save phase 1.

18) Create a phase 2 connection.

19) Name your connection and select the phase 1 connection you would like to tie this phase 2 connection to; I name my connection "VPN Client Phase 2".

20) Click "Advanced" to set the advanced options

21) Under Encryption I set 1 to 3DES and 2 to AES128, with the authentication on both set to SHA1.

22) Leave "Replay Detection" and "Perfect Forward Secrecy" checked

23) Make sure the "DH" group is set to 5

24) Set the Key Life to 1800 seconds

25) Leave autokey and dhcp-ipsec disabled

26) Click "OK" to save the phase 2 connection

27) Go to Firewall > Address and create a new address.

28) This address will define all the computers inside the LAN, so name this address "LAN" and set the type to "Subnet/IP Range".

29) Set the subnet of your network; in my case it would be "192.168.10.0/24", since my network covers 192.168.10.1-254.

30) Set the interface to internal, or whichever interface your LAN is connected to.

31) Click "OK" to save the new address

32) Go to Firewall > Policy and create a new firewall policy.

33) Configure the source interface/zone to whichever interface your LAN is connected to; in most cases it will be the "internal" interface.

34) Set the source address to the "LAN" address that you just created.

35) Set the destination interface to the interface that your users in the outside world will be connected to, in most cases "wan1".

36) Set the destination address to "all".

37) Set schedule to "Always", service to "All", and action to "IPSEC".

38) Under "VPN Tunnel" select the VPN you are configuring the firewall rule for, in my case "VPN Client Phase 1", and make sure "Allow inbound" and "Allow outbound" are checked.

39) Click "OK" to save the firewall rule.

40) Your VPN is now configured.
 
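The same setup typed into the FortiGate CLI, as an added example that is not part of the post above. It mirrors the GUI walkthrough one-for-one (user, group, phase 1, phase 2, LAN address object, IPsec policy) using the `config vpn ipsec phase1` / `phase2` and `config firewall policy` keywords as I remember them from FortiOS 4.0; the user name `alice` is assumed, the tunnel and group names, the `192.168.10.0/24` subnet and the `internal` / `wan1` interface names are taken from the walkthrough, and `<long-random-psk>` and `<user-password>` are placeholders. Keyword names shift a little between FortiOS releases, so press `?` at the CLI prompt to confirm each one on your unit.

```text
# FortiOS 4.0 CLI (added example; check keyword names with "?" on your release).

# Steps 2-3: a local user and the "VPN Users" firewall group that XAuth checks.
config user local
    edit "alice"                         # assumed user name
        set type password
        set passwd "<user-password>"     # placeholder
    next
end
config user group
    edit "VPN Users"
        set member "alice"
    next
end

# Steps 4-17: dialup phase 1, aggressive mode with a preshared key, XAuth server.
config vpn ipsec phase1
    edit "VPN Client Phase 1"
        set type dynamic                 # GUI: remote gateway "Dialup User"
        set interface "wan1"
        set mode aggressive
        set peertype any                 # GUI: "Accept any peer ID"
        set proposal 3des-sha1 3des-md5  # step 11 as written in the post
        set dhgrp 5
        set keylife 28800
        set xauthtype auto               # GUI: XAUTH "Enable as Server", type Auto
        set authusrgrp "VPN Users"
        set nattraversal enable
        set dpd enable
        set psksecret "<long-random-psk>"   # placeholder
    next
end

# Steps 18-26: phase 2 bound to that phase 1, PFS with DH group 5.
config vpn ipsec phase2
    edit "VPN Client Phase 2"
        set phase1name "VPN Client Phase 1"
        set proposal 3des-sha1 aes128-sha1
        set pfs enable
        set dhgrp 5
        set keylifeseconds 1800
        set replay enable
    next
end

# Steps 27-31: the LAN address object.
config firewall address
    edit "LAN"
        set subnet 192.168.10.0 255.255.255.0
        set associated-interface "internal"
    next
end

# Steps 32-39: internal -> wan1 policy with action IPSEC, inbound and outbound allowed.
config firewall policy
    edit 0                               # 0 = take the next free policy ID
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "LAN"
        set dstaddr "all"
        set action ipsec
        set schedule "always"
        set service "ANY"                # shown as "All" in the GUI
        set inbound enable
        set outbound enable
        set vpntunnel "VPN Client Phase 1"
    next
end
```

To watch a client negotiate, run `diagnose debug application ike -1` and then `diagnose debug enable` before connecting, and `diagnose debug disable` when you are done; a proposal mismatch or a wrong PSK shows up there long before the firewall policy matters. Two caveats on the parameters the walkthrough chose: 3DES and MD5 are legacy algorithms, so move both proposals to AES and SHA as soon as the client supports them, and aggressive mode with a preshared key lets anyone who captures the exchange run an offline guessing attack against the PSK, so make it long and random and keep the XAuth user group in front of it rather than relying on the PSK alone.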
Thanks, it worked! I can log into the network from home now, but how do I actually see my work desktop?
 
It depends on how you want to access it; most likely you will want to turn on RDP on your work desktop, and then use Remote Desktop to remote in from home.
 