Integration Guide for FortiGate VPN

Before starting, make sure GreenRADIUS is configured with users imported from your LDAP and can communicate with your FortiGate.

Configuring GreenRADIUS for FortiGate VPN

In the GreenRADIUS web admin interface, add the FortiGate VPN as a RADIUS client.

  1. Click the Global Configuration tab
  2. Click the Client-based Authentication Policies icon
  3. Enter the IP address of the FortiGate. Then enter the same RADIUS secret twice. Then click the Add button.

RADIUS Client Configuration

Configuring the FortiGate VPN

Add GreenRADIUS as a RADIUS Server

  1. Log in to FortiGate
  2. Open the User & Authentication menu, select RADIUS Servers, and click the "+ Create New" button

RADIUS Server Configuration

  1. Configure the following fields

    • Name: GreenRADIUS
    • Authentication method: Specify PAP
    • Primary Server IP/Name: [the IP address of GreenRADIUS]
    • Primary Server Secret: [the same RADIUS secret configured in GreenRADIUS for the FortiGate RADIUS client]
  2. Use the Test Connectivity and Test User Credentials buttons to verify the above settings

  3. Click OK

RADIUS Server Configuration

Create a user group

  1. From the User & Authentication menu, select User Groups, and click the "+ Create New" button

New user group

  1. Configure the following fields:
    • Name: [as desired, for example, "GRS Authentication"]
    • Type: Firewall
    • Members: [leave this field empty]
    • Remote Groups: Click the "+ Add" button, set Remote Server as "GreenRADIUS" and Groups as "Any"

New user group

  1. Click OK
  2. The new user group should now be listed

New User Group

IPsec VPN Configuration

  1. From the VPN menu, select VPN Wizard. Set "Tunnel name", select the template "Remote Access", and then click Begin

New IPsec tunnel

  1. Configure the following fields:
    • VPN Client Type: FortiClient
    • Pre-shared key: [This is a credential for the VPN and should differ from any user password]
    • IKE: Version 1
    • User authentication method group: [select the one created above]
  2. Click Next

IPsec tunnel config

  1. Configure the following fields:
    • Addresses to assign to connected endpoints: [as desired]
    • Subnet for connected endpoints: [as per your network settings]
  2. Click Next

IPsec tunnel config

  1. Configure the FortiClient settings as desired. However, we recommend not saving passwords, especially if OTPs will be used as the second factor.
  2. Configure the following fields:
    • Incoming interface that binds to tunnel: [Firewall WAN]
    • Local Interface: [LAN interface of your network]
    • Local Address: [the local network address]
  3. Click Next

IPsec tunnel config

  1. Review the configuration, then Submit

IPsec tunnel config

  1. The IPsec integration with GreenRADIUS is now complete. In the FortiClient, the required settings are:
    • VPN: IPsec VPN
    • Remote Gateway: IP address or hostname of your FortiGate
    • Authentication Method: Pre-shared key, and enter the key configured above
    • VPN Settings: [Please make sure that it matches the information in the Firewall configuration]

[Screenshots: FortiClient end settings; Firewall end settings; Phase 1 proposal FortiClient end settings; Phase 1 proposal Firewall end settings; Phase 2 selector Firewall end settings; Phase 2 FortiClient end settings]

  1. Try a login on the FortiClient

IPsec tunnel config

SSL VPN Configuration

Note: The same group configured above can be used.

  1. From the VPN menu, select SSL-VPN Settings
  2. Configure the following fields:
    • Enable SSL VPN: Yes (green)
    • Listen on Interface(s): [as desired, for example, WAN]
    • Listen on Port: [as desired, for example, 10443]
    • Server Certificate: [If you have a server certificate, set it to the authentication certificate]
    • Under Authentication/Portal Mapping:
      • Edit "All Other Users/Groups" and set the Portal to "full-access"
      • Click "+ Create New" and create a mapping for the desired user group, setting the Portal to "full-access"

SSL VPN configuration

New mapping

  1. Click Apply
  2. On the FortiClient, configure the required details below:
    • VPN: SSL VPN
    • Remote Gateway: [IP address or hostname of your FortiGate]
    • Customize port: [the port configured above]

SSL VPN on FortiClient

  1. Try a login on the FortiClient

SSL VPN login


Updated 2025-07-10
© 2025 Green Rocket Security Inc. All rights reserved.