The new Creation Wizard makes life easier for users who are unfamiliar with creating VPNs. However, not all of the field meanings are intuitive, and there are some limitations and requirements that users should be aware of.
While the wizard does simplify tunnel configuration, such as building both phase 1 and phase 2 of the tunnel, it does not do everything. For example, policies still have to be created so the tunnel can pass data back and forth.
When using the wizard, there are a few pieces of information that you will want at your fingertips, or already configured, before starting the wizard.
Every VPN tunnel needs a unique name that policies can use as a reference. After the tunnel has been completed, this name will show up in the drop-down menu that lists all of the tunnels on the FortiGate. The normal best-practices approach to naming applies here.
Use this option when the remote users will be connecting with the FortiClient software that is installed on their device.
Use this option when the remote users will be connecting with the VPN client that is designed by Cisco. While the setting specifically mentions iOS devices, the Cisco VPN client on a Mac also works.
If the RSA Signature option is chosen, the next field will be called Certificate Name. A certificate is more secure than a Pre-Shared Key but takes more effort to configure.
This user group refers to the group to which the users logging into the VPN belong. Each tunnel can only be assigned one user group, so if the users are currently spread across multiple groups or are not part of any group, the options are either to create a group that consists of all the users accessing a single tunnel or to create a tunnel for each of the groups. Remember that everyone in the group will have the credentials to access the tunnel.
This will be the interface port on your FortiGate with which you want to associate this tunnel. For instance, if the remote users will connect to the public IP address used on one of your ports, then that is the interface that gets assigned here.
The address range is a pool of IP addresses that will be assigned to any device connecting to the VPN. This range does not have to line up with a subnet boundary; it can start and stop at any address. For example, both 192.168.1.1 – 192.168.1.255 and 192.168.1.3 – 192.168.1.17 would be valid ranges.
These addresses are not assigned to the visiting computers in the way that a server assigns addresses. They are the addresses that the remote computers will be NATed to. The reason for NATing is that most connections will be from private networks, and it is common for people to use the standard private IP address ranges. If the remote computer is on a 192.168.1.0 subnet and your network uses the same address range on one of its networks, then the routing could become confusing. Avoid this confusion by assigning remote computers to an address range that you know isn’t part of your existing internal network.
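A pre-flight check for the two points above (the pool may be an arbitrary start/end range, and it must not collide with your own subnets or with the private ranges remote users commonly sit on), written as an added Python example; it is not from the FortiGate documentation or FortiOS, and every IP value in it is constructed for illustration.

```python
import ipaddress
from typing import Iterable, List, Dict

# Constructed sample input (not from the original page): the address range
# typed into the wizard and the subnets already in use behind the FortiGate.
WIZARD_RANGE = ("10.212.134.1", "10.212.134.100")
INTERNAL_SUBNETS = ["192.168.1.0/24", "10.0.0.0/16", "172.16.5.0/24"]

# Private ranges that home and small-office routers commonly hand out; a pool
# overlapping these invites exactly the routing confusion described above.
COMMON_REMOTE_SUBNETS = ["192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24"]


def range_to_networks(start: str, end: str) -> List[ipaddress.IPv4Network]:
    """Turn a start/end pool that need not align to a subnet into CIDR blocks."""
    first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if last < first:
        raise ValueError(f"range end {end} is before start {start}")
    return list(ipaddress.summarize_address_range(first, last))


def overlaps(start: str, end: str, subnets: Iterable[str]) -> List[str]:
    """Return the subnets (as given) that share at least one address with the pool."""
    pool = range_to_networks(start, end)
    hits = []
    for cidr in subnets:
        net = ipaddress.IPv4Network(cidr, strict=False)
        if any(block.overlaps(net) for block in pool):
            hits.append(cidr)
    return hits


def check_pool(start: str, end: str, internal: Iterable[str],
               common: Iterable[str] = COMMON_REMOTE_SUBNETS) -> Dict[str, List[str]]:
    """Both checks an admin wants before committing the wizard's address range."""
    return {
        "internal_conflicts": overlaps(start, end, internal),
        "likely_remote_conflicts": overlaps(start, end, common),
    }


if __name__ == "__main__":
    result = check_pool(*WIZARD_RANGE, INTERNAL_SUBNETS)
    for kind, hits in result.items():
        print(f"{kind}: {hits or 'none'}")
```

An empty list under both keys means the range is safe to enter; any hit means pick a different pool before running the wizard.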
The subnet mask is for the addresses that are being assigned to the remote devices. By having a subnet, the device knows when it needs to go to a gateway to reach an address.
The remote device can be assigned the same DNS server that the FortiGate uses.
The remote device can be assigned a specific DNS server, by IP address. The requirement is that the address be reachable by the computer while connected to the tunnel. If split tunneling is not enabled and the IP address is not reachable from the FortiGate, the DNS server will be useless.
Split tunneling allows the remote computer to use both the VPN connection to the networks controlled by the FortiGate (provided it is allowed by policy) and networks allowed by its regular network connections. If split tunneling were not allowed, all network traffic would have to go through the VPN tunnel. [Default setting: enabled]
This option defines which addresses the remote computer can access through the FortiGate. The drop-down menu lists addresses that have been defined in the FortiGate’s Addresses section. When split tunneling is enabled, this can be used to restrict access to only those network addresses in your network that you want the remote users to reach. If split tunneling is disabled, all of the remote users’ traffic goes through the FortiGate, so you can also use it to control which sites on the Internet the remote user can access.