FortiOS 5.2 VPN: SSL VPN using FortiClient for iOS


In this recipe, you will create an SSL VPN that remote users connect to using FortiClient running on iOS.

When a user using an iOS device connects to this SSL VPN, they can access servers and data on the internal network. They can also securely browse the Internet using the FortiGate’s Internet connection.

This example uses FortiClient 5.2.0.028 for iOS. FortiClient can be downloaded from www.forticlient.com.

1. Creating users and a user group

Go to User & Device > User > User Definition.

Add as many local users as required with the User Creation Wizard.

Go to User & Device > User > User Groups.

Create a user group for FortiClient users and add the new user(s) to the group.

2. Creating an SSL VPN portal

Go to VPN > SSL > Portals.

Edit the web-access portal. This portal supports web mode by default.

Make sure that Enable Split Tunneling is not enabled, so that all SSL VPN traffic goes through the FortiGate unit.

3. Configuring the SSL VPN tunnel

Go to VPN > SSL > Settings and set Listen on Interface(s) to wan1.

Set Listen on Port to 10443 and select Specify custom IP ranges. Use the default IP Range, SSLVPN_TUNNEL_ADDR1.

At the bottom of the page, under Authentication/Portal Mapping, add the FortiClient user group and map it to the web-access portal.

If necessary, map a portal for All Other Users/Groups.

4. Adding security policies for access to the Internet and internal network

Go to Policy & Objects > Policy > IPv4. Create a security policy allowing SSL VPN users to access the internal network.

Set Incoming Interface to ssl.root. Set Source Address to all and Source User to the new user group. Set Outgoing Interface to the local network interface so that the remote user can access the internal network.

Set Destination Address to all, enable NAT, and configure any remaining firewall and security options as desired.

Add a second security policy allowing SSL VPN users to access the Internet.

For this policy, Incoming Interface is set to ssl.root and Outgoing Interface is set to wan1.
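One way to check a configuration backup against the settings chosen in steps 2 to 4, as an added example that is not part of the original recipe or Fortinet's own tooling. The sample configuration is constructed, the group name FortiClient-users is made up, and the CLI key names are assumed to match what the FortiGate exports.

```python
# Added example; SAMPLE_CONFIG is constructed (group name made up, CLI keys assumed).
SAMPLE_CONFIG = """
config vpn ssl web portal
    edit "web-access"
        set split-tunneling disable
    next
end
config vpn ssl settings
    set port 10443
end
config firewall policy
    edit 1
        set srcintf "ssl.root"
        set groups "FortiClient-users"
    next
    edit 2
        set srcintf "ssl.root"
        set groups "FortiClient-users"
    next
end
"""

def parse(text):
    """Map each config/edit path (joined with ' > ') to its 'set' keys and values."""
    cfg, path = {}, []
    for line in map(str.strip, text.splitlines()):
        if line.startswith(("config ", "edit ")):
            path.append(line.split(" ", 1)[1].strip('"'))
        elif line in ("end", "next") and path:
            path.pop()
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            cfg.setdefault(" > ".join(path), {})[key] = value.replace('"', "")
    return cfg

def audit(cfg):
    """Return a list of deviations from the settings chosen in steps 2 to 4."""
    findings = []
    if cfg.get("vpn ssl settings", {}).get("port") != "10443":
        findings.append("SSL VPN is not listening on port 10443")
    # Backups can omit default values, so anything but an explicit 'disable' is flagged.
    if cfg.get("vpn ssl web portal > web-access", {}).get("split-tunneling") != "disable":
        findings.append("web-access: split tunneling is not explicitly disabled")
    for path, policy in cfg.items():
        if path.startswith("firewall policy > ") and policy.get("srcintf") == "ssl.root":
            if not policy.get("groups"):
                findings.append(f"policy {path.rsplit(' > ', 1)[1]}: no Source User group")
    return findings

print(audit(parse(SAMPLE_CONFIG)) or "matches the recipe")
```

A policy from ssl.root with no Source User group is the finding to look at first, since the recipe ties both policies to the FortiClient user group.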

5. Configuring FortiClient for SSL VPN in iOS

Install FortiClient on the iOS device. 

Add a new VPN Gateway.

Set Host Name to the FortiGate’s IP (in the example, 172.20.120.236), set Host Port to 10443, and set User Name to match the new user account.

6. Results

Select the VPN in FortiClient. Enter the Password and select Login.

You will be able to connect to the VPN.

On the FortiGate, go to VPN > Monitor > SSL-VPN Monitor to see that the user has connected.
