FortiGate IPsec Dial-Up VPN for Remote Users + SSL VPN Migration
Author: srnetsec
Uploaded: 2025-12-26
Views: 685
In this video, I walk you through the process of deploying an IPsec Dial-Up VPN (IKEv2) on a FortiGate for remote users using FortiClient. This includes the key planning items (auth, split vs full tunnel, policies) and how to migrate safely if you’re currently using SSL VPN tunnel mode.
Fortinet is removing SSL VPN tunnel mode starting with FortiOS 7.6.3. If you’re planning upgrades or modernizing remote access, IPsec dial-up is one of the most common migration paths (ZTNA is another, covered separately).
If you have any questions or need any assistance with any of these steps, just leave a comment, and I will do my best to respond.
Lab used in this demo:
FortiGate 60F: FortiOS 7.4.9
FortiClient (free): 7.4.0 on Windows
Auth method: Local user
Tunnel type: Split tunnel
===Config snippet===
Create user:
config user local
    edit "vpn_user"
        set type password
        set passwd [YOUR PASSWORD]
    next
end
Create Group:
config user group
    edit "vpn_group"
        set member "vpn_user"
    next
end
VPN Phase 1 (replace "Server Network" with your split tunnel address):
config vpn ipsec phase1-interface
    edit "vpn-ipsec-test"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 8.8.8.8
        set proposal aes256-sha256 aes256-sha512
        set dpd on-idle
        set dhgrp 20
        set eap enable
        set authusrgrp ''
        set eap-identity send-request
        set ipv4-start-ip 10.250.250.10
        set ipv4-end-ip 10.250.250.20
        set ipv4-split-include "Server Network"
        set psksecret [YOUR IPSEC PSK]
        set dpd-retryinterval 60
    next
end
Phase 2 interface:
config vpn ipsec phase2-interface
    edit "vpn-ipsec-test"
        set phase1name "vpn-ipsec-test"
        set proposal aes256-sha256 aes256-sha512
        set dhgrp 20
    next
end
Policy:
config firewall policy
    edit 0
        set name "IPSEC vpn"
        set srcintf "vpn-ipsec-test"
        set dstintf "internal5"
        set action accept
        set srcaddr "all"
        set dstaddr "Server Network"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set groups "vpn_group"
    next
end
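Added example (not part of the original video description, and not Fortinet tooling): Phase 1 above leaves authusrgrp empty with EAP enabled, so the "set groups" line in the firewall policy is the only place in this config that names which users are allowed. The Python check below parses config text in this layout and reports tunnel policies that lack a user group or allow every service. The function names parse and audit and the embedded sample are constructed for illustration.

```python
import shlex

# Constructed sample: a trimmed copy of the settings shown in this lab.
SAMPLE = """
config vpn ipsec phase1-interface
    edit "vpn-ipsec-test"
        set eap enable
        set authusrgrp ''
    next
end
config firewall policy
    edit 0
        set srcintf "vpn-ipsec-test"
        set service "ALL"
        set groups "vpn_group"
    next
end
"""


def parse(text):
    """Flat config/edit/set blocks -> {section: [{setting: [values]}]}."""
    tree, section, entry = {}, None, None
    for tok in map(shlex.split, text.splitlines()):
        if tok[:1] == ["config"]:
            section, entry = " ".join(tok[1:]), None
        elif tok[:1] == ["edit"]:
            entry = {"id": tok[1]}
            tree.setdefault(section, []).append(entry)
        elif tok[:1] == ["set"] and entry is not None:
            # An empty quoted value ('') is stored as "no values".
            entry[tok[1]] = [v for v in tok[2:] if v]
    return tree


def audit(text):
    """Return findings for firewall policies whose srcintf is a Phase 1 tunnel."""
    cfg, out = parse(text), []
    p1 = {e["id"]: e for e in cfg.get("vpn ipsec phase1-interface", [])}
    for p in cfg.get("firewall policy", []):
        for name in sorted(set(p.get("srcintf", [])) & set(p1)):
            e = p1[name]
            # EAP with no authusrgrp: the policy must carry the user group.
            if e.get("eap") == ["enable"] and not e.get("authusrgrp") and not p.get("groups"):
                out.append(f"policy {p['id']}: no groups on EAP tunnel {name}")
            # Broad service scope from remote users; narrow where possible.
            if p.get("service") == ["ALL"]:
                out.append(f"policy {p['id']}: service ALL from {name}")
    return out
```

Pass audit() the text of a saved configuration backup; it only understands flat config/edit/set blocks like the ones above, not nested config sections.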
Links/references: (This channel is new; it might take some time for these links to work. Sorry about that.)
https://docs.fortinet.com/document/fortiga...
https://fortinetweb.s3.amazonaws.com/docs....
https://community.fortinet.com/t5/FortiGat...
Keywords: FortiGate IPsec dial-up VPN, FortiClient IPsec VPN, SSL VPN to IPsec migration, FortiOS 7.6.3 SSL VPN tunnel mode removed, FortiGate remote access VPN, IKEv2 FortiClient, split tunnel IPsec FortiGate, FortiGate VPN firewall policy, FortiGate VPN address pool, FortiGate 60F VPN configuration, Fortinet remote user VPN, FortiGate VPN troubleshooting