Fortigate as VPN client?

Hi!

Is there a way to set up FortiGate as a VPN client using one of the standard methods (WireGuard/IKE/OpenVPN)?

Thanks!

FortiGate can work perfectly fine as a standard IKE/IPsec client (that’s basically the role of spokes in hub-and-spoke/ADVPN setups).
Plain L2TP is also possible, but IIRC it may be limited to certain models, and I’m not too sure about the possibility of encapsulating it in IPsec (i.e. you won’t be able to hook it up to “privacy VPN” providers over L2TP/IPsec).
Forti-flavored SSL-VPN client mode is available in FortiOS 7.0.

Nothing else.

What’s the use case? Why do you need to do this? IPsec is very standard.

Is there a reason that you can’t use this?

Not that I’ve seen. For setups that need this, I just put another VPN router in front of it and have the FortiGate treat it as a second WAN.

You haven’t provided any info. Site-to-site VPN uses one side as a VPN client.
From your mention of WireGuard it sounds like you want to connect to a commercial anonymising ‘VPN’ provider. Look up the list of protocols each supports and compare to FortiGate - you may be able to use PPTP, GRE etc.
For WireGuard use a routerboard or a server.

FGT can act as a standard L2TP and IPsec VPN client. If the VPN server is FGT, then there is a new feature of V7.0 to choose:

My test record:

FortiGate_as_SSL_VPN_Client

doc FortiOS 7.0.0 New Features:

fortigate-as-ssl-vpn-client

IKE/IPsec should work. Let me research. Thanks for the hint!

I need to establish a VPN tunnel to a public VPN provider that supports IKEv2/WireGuard/OpenVPN and route traffic selectively into the tunnel.

That’s unfortunate, to have such powerful hardware and still be setting up the VPN separately. Looks like it’s the way to go then. Thanks!

This is accurate: I want to connect to a commercial VPN provider.

They support only OpenVPN/IKEv2/WireGuard.

So far I just installed OpenWrt in a VM, which is the VPN client and secondary router behind the FortiGate, but it definitely would be much more convenient to use the FGT.

As for IKE/IPsec, one additional piece of the puzzle, if you’re planning to connect to some of the “private VPN” providers:
Client-side authentication is supported with XAUTH for IKEv1, but in IKEv2 FortiOS does not support EAP. This means that any IKEv2 solution that wants you to provide username/password will not work with FortiGate as the client. You can only do pre-shared key, or certificate-based auth.

If they say IKEv2 is supported, that means your basic IPsec VPN, and FortiGate can of course be used as a “client” (“client” as it’s just a VPN router and the only difference is you get your IP via DHCP, and that makes it a “client”).

I use pfSense for this, works awesome with PBR if you only want specific hosts to use the VPN.

Yeah I hear ya. It would be nice — I like doing this for totally free public WiFi using my spare bandwidth. I don’t mind giving out my unused bandwidth but I don’t want to have that get me in trouble.