FortiGate IPsec Dial-Up VPN for Remote Users + SSL VPN Migration
In this video, I walk you through the process of deploying an IPsec Dial-Up VPN (IKEv2) on a FortiGate for remote users using FortiClient. This includes the key planning items (auth, split vs full tunnel, policies) and how to migrate safely if you’re currently using SSL VPN tunnel mode.

Fortinet is removing SSL VPN tunnel mode starting with FortiOS 7.6.3. If you’re planning upgrades or modernizing remote access, IPsec dial-up is one of the most common migration paths (ZTNA is another, covered separately).

If you have any questions or need any assistance with any of these steps, just leave a comment, and I will do my best to respond.

Lab used in this demo:
FortiGate 60F: FortiOS 7.4.9
FortiClient (free): 7.4.0 on Windows
Auth method: Local user
Tunnel type: Split tunnel

===Config snippet===

Create user:

    config user local
        edit "vpn_user"
            set type password
            set passwd [YOUR PASSWORD]
        next
    end

Create Group:

    config user group
        edit "vpn_group"
            set member "vpn_user"
        next
    end

VPN Phase 1 (for ipv4-split-include, enter your split tunnel address):

    config vpn ipsec phase1-interface
        edit "vpn-ipsec-test"
            set type dynamic
            set interface "wan1"
            set ike-version 2
            set peertype any
            set net-device disable
            set mode-cfg enable
            set ipv4-dns-server1 8.8.8.8
            set proposal aes256-sha256 aes256-sha512
            set dpd on-idle
            set dhgrp 20
            set eap enable
            set authusrgrp ''
            set eap-identity send-request
            set ipv4-start-ip 10.250.250.10
            set ipv4-end-ip 10.250.250.20
            set ipv4-split-include "Server Network"
            set psksecret [YOUR IPSEC PSK]
            set dpd-retryinterval 60
        next
    end

Phase 2 interface:

    config vpn ipsec phase2-interface
        edit "vpn-ipsec-test"
            set phase1name "vpn-ipsec-test"
            set proposal aes256-sha256 aes256-sha512
            set dhgrp 20
        next
    end

Policy:

    config firewall policy
        edit 0
            set name "IPSEC vpn"
            set srcintf "vpn-ipsec-test"
            set dstintf "internal5"
            set action accept
            set srcaddr "all"
            set dstaddr "Server Network"
            set schedule "always"
            set service "ALL"
            set logtraffic all
            set groups "vpn_group"
        next
    end

Links/references: (This channel is new; it might take some time for these links to work. Sorry about that.)
https://docs.fortinet.com/document/fo...
https://fortinetweb.s3.amazonaws.com/...
https://community.fortinet.com/t5/For...

Keywords: FortiGate IPsec dial-up VPN, FortiClient IPsec VPN, SSL VPN to IPsec migration, FortiOS 7.6.3 SSL VPN tunnel mode removed, FortiGate remote access VPN, IKEv2 FortiClient, split tunnel IPsec FortiGate, FortiGate VPN firewall policy, FortiGate VPN address pool, FortiGate 60F VPN configuration, Fortinet remote user VPN, FortiGate VPN troubleshooting
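The config snippet above leaves authusrgrp empty and ties access to "vpn_group" through the firewall policy, so the object names have to line up across sections. The following Python check is an added example, not part of the original description and not Fortinet tooling: it parses flat config/edit/set blocks (nested config blocks are not handled, which is an assumption) and reports dangling references plus "all" matches on policies sourced from an IPsec tunnel, using a constructed, trimmed copy of the snippet as input.

```python
import shlex
# Constructed sample: trimmed copy of the snippet above, one CLI line per item.
SAMPLE = "\n".join([
    'config user group', 'edit "vpn_group"', 'set member "vpn_user"', 'next', 'end',
    'config vpn ipsec phase1-interface', 'edit "vpn-ipsec-test"',
    'set type dynamic', "set authusrgrp ''", 'next', 'end',
    'config vpn ipsec phase2-interface', 'edit "vpn-ipsec-test"',
    'set phase1name "vpn-ipsec-test"', 'next', 'end',
    'config firewall policy', 'edit 0', 'set srcintf "vpn-ipsec-test"',
    'set srcaddr "all"', 'set dstaddr "Server Network"', 'set service "ALL"',
    'set groups "vpn_group"', 'next', 'end'])

def parse(text):
    """Flat config/edit/set blocks -> {section: {entry: {key: [values]}}}."""
    tree, section, entry = {}, None, None
    for raw in text.splitlines():
        tok = shlex.split(raw) or [""]          # blank lines match no keyword
        if tok[0] == "config":
            section = tree.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit" and section is not None and len(tok) > 1:
            entry = section.setdefault(tok[1], {})
        elif tok[0] == "set" and entry is not None and len(tok) > 1:
            entry[tok[1]] = [v for v in tok[2:] if v]   # '' means unset
        elif tok[0] in ("next", "end"):
            entry = None
    return tree

def audit(tree):
    """Report dangling references and 'all' matches on IPsec-sourced policies."""
    out = []
    p1 = tree.get("vpn ipsec phase1-interface", {})
    groups = tree.get("user group", {})
    for name, p2 in tree.get("vpn ipsec phase2-interface", {}).items():
        if (p2.get("phase1name") or [None])[0] not in p1:
            out.append(f"phase2 {name}: phase1name not defined")
    for pid, pol in tree.get("firewall policy", {}).items():
        tunnels = [i for i in pol.get("srcintf", []) if i in p1]
        if not tunnels:
            continue                             # not sourced from a VPN tunnel
        wanted = pol.get("groups", []) + [
            g for t in tunnels for g in p1[t].get("authusrgrp", [])]
        out += [f"policy {pid}: group {g} not defined" for g in wanted if g not in groups]
        for key in ("srcaddr", "service"):
            if [v.lower() for v in pol.get(key, [])] == ["all"]:
                out.append(f"policy {pid}: {key} is {pol[key][0]}")
    return out

if __name__ == "__main__":
    print("\n".join(audit(parse(SAMPLE))))
```

On the sample, the two findings are the policy's srcaddr "all" and service "ALL"; whether to narrow them (for example to the mode-cfg address range and the services the Server Network actually exposes) is a decision for your own environment.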


