FortiGate VPN Configuration: IPsec and SSL VPN Guide
FortiGate VPN configuration covers IPsec site-to-site tunnels for encrypted branch connectivity and SSL VPN or ZTNA access for remote users. Each mode is only as secure as its encryption proposals, its authentication, and the firewall policies that scope what the tunnel is allowed to reach.
VPN Types on FortiGate
FortiGate offers four core VPN approaches: IPsec site-to-site, IPsec dialup (remote user), SSL VPN (web and tunnel mode), and ZTNA. The choice depends on the type of endpoints and security requirements.
Site-to-site IPsec joins two fixed locations (e.g., HQ and a branch) with a persistent encrypted tunnel. Dialup IPsec and SSL VPN let mobile/remote users reach the organization.
ZTNA (Zero Trust Network Access) is a newer approach that replaces broad VPN access with application-level authorization based on identity and device posture, integrated with the Security Fabric.
VPN policies are written with the same logic as ordinary firewall policies; for details, see our firewall policy management guide.
IPsec Site-to-Site Tunnel Configuration
IPsec site-to-site is built by matching Phase 1 (IKE) and Phase 2 (IPsec) parameters between two FortiGates; you then define routing and firewall policies for the tunnel interface.
Use VPN > IPsec Wizard and select the site-to-site template. In Phase 1, set the remote gateway IP, the IKE version, the authentication method (a pre-shared key, or certificates where you can manage them), and the encryption/hash proposals and DH group. The proposals on both sides must match exactly, and a pre-shared key should be long, random, and unique to the tunnel.
In Phase 2, define the local and remote subnets to protect. Then add a static route for the remote subnet pointing at the tunnel interface, plus firewall policies in both directions scoped to those subnets rather than "all"; without both the route and the policies, the tunnel may negotiate successfully but carry no traffic.
| Phase | Parameters set |
|---|---|
| Phase 1 (IKE) | Remote gateway, IKE version, auth (PSK/cert), encryption/hash proposal, DH group |
| Phase 2 (IPsec) | Local/remote subnets, proposal, PFS (DH group), lifetime |
| Routing | Static route for remote subnet (tunnel interface) |
| Policy | Firewall rule in both directions |
Remote Access with SSL VPN
SSL VPN lets users securely reach the organization via the browser (web mode) or FortiClient (tunnel mode); the portal, user groups, and reachable resources are centrally defined.
In the SSL VPN portal, configure which resources are published, the tunnel-mode IP range, and split-tunneling behavior. Authenticate users against local or external (LDAP/RADIUS) identity sources.
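As an added example (not the page's own configuration and not from Fortinet's documentation), the following CLI builds a tunnel-mode SSL VPN portal with the pieces described above: a user group whose members must present a second factor, a portal that split-tunnels only the corporate subnet, and a firewall policy that is scoped to that group. The user name, the interface names wan1 and lan, the address object HQ-LAN, and the portal names are assumptions; SSLVPN_TUNNEL_ADDR1 and ssl.root are default FortiOS objects.

```fortios
# Assumed: "HQ-LAN" is an existing address object for the corporate subnet,
# wan1 is the public interface, lan is the inside interface.

# Local user with FortiToken as a second factor, placed in the VPN group.
# In production the group would usually point at LDAP/RADIUS instead.
config user local
    edit "alice"
        set type password
        set passwd "<strong password>"
        set two-factor fortitoken
        set fortitoken "<FortiToken serial>"
    next
end
config user group
    edit "vpn-users"
        set member "alice"
    next
end

# Two portals: one that publishes nothing (used as the default so an
# authenticated user who matches no rule gets nothing), and the real one.
# Split tunneling is enabled but limited to HQ-LAN, so only corporate
# traffic enters the tunnel and the user cannot reach anything else via it.
config vpn ssl web portal
    edit "no-access"
        set tunnel-mode disable
        set web-mode disable
    next
    edit "corp-tunnel"
        set tunnel-mode enable
        set web-mode disable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling enable
        set split-tunneling-routing-address "HQ-LAN"
    next
end

# Global SSL VPN settings: listener, certificate, and the rule that maps the
# MFA-backed group to the tunnel portal.
config vpn ssl settings
    set servercert "<CA-signed server certificate>"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-interface "wan1"
    set source-address "all"
    set default-portal "no-access"
    set port 443
    config authentication-rule
        edit 1
            set groups "vpn-users"
            set portal "corp-tunnel"
        next
    end
end

# Policy from the SSL VPN interface into the LAN, restricted to the group,
# so a stolen tunnel address alone does not grant access.
config firewall policy
    edit 0
        set name "sslvpn-to-lan"
        set srcintf "ssl.root"
        set dstintf "lan"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "HQ-LAN"
        set groups "vpn-users"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

The default portal that publishes nothing is the check most deployments miss: without it, any account that can authenticate but matches no rule still lands on whatever portal is set as the default.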
An important note: starting with FortiOS 7.6, Fortinet began deprecating SSL VPN tunnel/web mode, initially on low-memory models. Check the release notes for your platform before relying on SSL VPN; new deployments should use IPsec dialup or ZTNA.
To scan user traffic with UTM, add security profiles to your VPN policies; for setup context, return to our installation guide.
Moving to ZTNA and Modern Access
ZTNA grants access only to authorized applications with identity and device-posture verification instead of opening the entire network; this sharply narrows the attack surface versus broad VPN access.
FortiGate ZTNA works with FortiClient and the Security Fabric to continuously verify each access request. The 'never trust, always verify' principle applies regardless of user location.
ZTNA is the natural successor where SSL VPN is being deprecated: application-level access means a compromised endpoint reaches one published application rather than a routable network, which reduces lateral-movement risk.
We cover where ZTNA fits in the overall architecture in our what is FortiGate guide.
Best Practices for VPN Security
VPN security requires multi-factor authentication, strong encryption proposals, least-privilege access, regular firmware updates, and monitoring of VPN logs.
- Enforce multi-factor authentication (MFA) on all remote-access VPNs.
- Disable weak proposals (e.g., DES, 3DES, MD5, SHA1, DH groups 1, 2 and 5) and prefer IKEv2; if IKEv1 must stay, avoid aggressive mode.
- Enable split tunneling only when needed; when it is enabled, limit the routed destinations to corporate subnets.
- Keep firmware current against VPN vulnerabilities.
- Centrally monitor VPN session logs (logins, authentication failures, tunnel up/down events).
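To make the "weak proposals" item concrete, here is an added before-and-after example (constructed for this page, not from the original or from Fortinet) of hardening a legacy IPsec Phase 1/Phase 2 on FortiOS, followed by the commands that show what actually got negotiated. The tunnel name and the lifetimes are assumptions.

```fortios
# BEFORE: a legacy Phase 1 of the kind still found on old tunnels.
# IKEv1 in aggressive mode (identity sent in the clear, offline-crackable PSK
# exchange), DES/3DES with MD5/SHA1, and DH groups 1, 2 and 5.
config vpn ipsec phase1-interface
    edit "legacy-tunnel"
        set ike-version 1
        set mode aggressive
        set proposal des-md5 3des-sha1
        set dhgrp 1 2 5
    next
end

# AFTER: IKEv2 (which has no aggressive mode), AES-256-GCM or AES-256 with
# SHA-256, ECDH group 21 with MODP group 14 as fallback, an 8-hour IKE
# lifetime, and dead-peer detection so stale SAs are torn down.
config vpn ipsec phase1-interface
    edit "legacy-tunnel"
        set ike-version 2
        set proposal aes256gcm-prfsha384 aes256-sha256
        set dhgrp 21 14
        set keylife 28800
        set dpd on-idle
    next
end

# Phase 2 must be tightened too: PFS with the same strong groups and a
# one-hour lifetime, so a leaked Phase 1 key does not unlock old traffic.
config vpn ipsec phase2-interface
    edit "legacy-tunnel-p2"
        set phase1name "legacy-tunnel"
        set proposal aes256gcm aes256-sha256
        set pfs enable
        set dhgrp 21 14
        set keylifeseconds 3600
    next
end

# Verify: the gateway list shows the IKE version and negotiated algorithms,
# the tunnel list shows the Phase 2 SAs. If the peer still offers the old
# proposals, the tunnel stays down until that side is updated as well.
diagnose vpn ike gateway list
diagnose vpn tunnel list
```

Change both ends in the same maintenance window: proposals are matched exactly, so the hardened side will refuse the legacy side's offers until it is updated too.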
To centrally collect VPN logs and catch anomalies, see our logging with FortiAnalyzer article.
Frequently Asked Questions
Should I use IPsec or SSL VPN on FortiGate?
For persistent connectivity between fixed locations, IPsec site-to-site is ideal. SSL VPN was historically used for mobile users, but for new deployments IPsec dialup or ZTNA is recommended.
What are Phase 1 and Phase 2?
In IPsec, Phase 1 (IKE) authenticates the peers and establishes an encrypted IKE SA used only for negotiation; Phase 2 negotiates the IPsec SAs (the child SAs) and the protected subnets, and those SAs carry the actual data traffic.
Is SSL VPN really being removed?
Fortinet began deprecating SSL VPN tunnel/web mode on some low-memory models in FortiOS 7.6. On those models, prefer IPsec or ZTNA; on high-memory platforms the situation may vary per release notes.
Is FortiClient required for VPN?
A client is needed for IPsec dialup and SSL VPN tunnel mode; FortiClient is the common choice. SSL VPN web mode provides clientless access via the browser, and site-to-site IPsec needs no client at all because the two FortiGates are the endpoints.
Does ZTNA fully replace VPN?
In many remote-access scenarios ZTNA replaces broad VPN access with narrower, application-level access. For site-to-site connectivity, IPsec is still the standard.
How do I make VPN more secure?
Enforce MFA, use strong encryption proposals, restrict access with least privilege, keep firmware current, and continuously monitor VPN logs.
Conclusion
FortiGate offers a broad range of secure access from site-to-site IPsec to ZTNA. With the right mode, strong encryption, and multi-factor authentication, remote access becomes both usable and secure; where SSL VPN is deprecated, ZTNA provides a modern successor.
To design your VPN and ZTNA architecture, talk to the Sora Yazılım network security team.