Technical Tip: Automatic FortiClient VPN connection on the PC startup

Jean-Philippe_P · ‎08-11-2023

Description	This article describes how to have an automatic FortiClient VPN connection on the PC startup.
Scope	FortiClient EMS 7.2.1 and FortiClient 7.0.9 and 7.2.1.
Solution	When using Forticlient EMS some can have problems starting the FortiClient VPN automatically when turning on the PC to allow the user to login via the domain. For this issue, let's take this configuration as an example. The code displayed below is the one of the VPN in the EMS server and FortiGate side. With this configuration, the VPN starts automatically when the PC starts up without requiring user interaction and the VPN remains up even when the Windows user logs off. It was tested with FortiClient EMS 7.2.1 and FortiClient 7.0.9 and 7.2.1. It also works for Android. This configuration is for a dial-up IPsec VPN but many parts of the configuration are also usable in SSL: <?xml version="1.0" ?> <forticlient_configuration> <VPN> <enabled>1</enabled> <sslvpn> <options> <enabled>0</enabled> <dnscache_service_control>0</dnscache_service_control> <prefer_sslvpn_dns>1</prefer_sslvpn_dns> <disallow_invalid_server_certificate>0</disallow_invalid_server_certificate> <warn_invalid_server_certificate>0</warn_invalid_server_certificate> <no_dns_registration>0</no_dns_registration> </options> <connections/> </sslvpn> <ipsecvpn> <options> <enabled>1</enabled> <use_win_current_user_cert>0</use_win_current_user_cert> <use_win_local_computer_cert>1</use_win_local_computer_cert> <beep_if_error>1</beep_if_error> <usewincert>1</usewincert> <uselocalcert>0</uselocalcert> <usesmcardcert>0</usesmcardcert> <block_ipv6>1</block_ipv6> <enable_udp_checksum>0</enable_udp_checksum> <disable_default_route>0</disable_default_route> <show_auth_cert_only>0</show_auth_cert_only> <check_for_cert_private_key>0</check_for_cert_private_key> <enhanced_key_usage_mandatory>0</enhanced_key_usage_mandatory> <no_dns_registration>0</no_dns_registration> </options> <connections> <connection> <name>YYYYY</name> <machine>1</machine> <keep_running>1</keep_running> <disclaimer_msg/> <sso_enabled>0</sso_enabled> <single_user_mode>0</single_user_mode> <type>manual</type> <ui> <show_remember_password>1</show_remember_password> <show_alwaysup>1</show_alwaysup> <show_autoconnect>1</show_autoconnect> <show_passcode>0</show_passcode> <save_username>0</save_username> </ui> <redundant_sort_method>0</redundant_sort_method> <tags> <allowed/> <prohibited></prohibited> </tags> <host_check_fail_warning><![YYY.]]></host_check_fail_warning> <ike_settings> <server>YYYY</server> <authentication_method>Preshared Key</authentication_method> <fgt>1</fgt> <prompt_certificate>0</prompt_certificate> <xauth> <use_otp>0</use_otp> <enabled>0</enabled> <prompt_username>0</prompt_username> <username/> </xauth> <version>1</version> <mode>aggressive</mode> <key_life>43200</key_life> <localid>YYYYYYY</localid> <implied_SPDO>1</implied_SPDO> <implied_SPDO_timeout>2</implied_SPDO_timeout> <nat_traversal>1</nat_traversal> <enable_local_lan>1</enable_local_lan> <enable_ike_fragmentation>1</enable_ike_fragmentation> <mode_config>1</mode_config> <dpd>1</dpd> <dpd_retry_count>3</dpd_retry_count> <dpd_retry_interval>3</dpd_retry_interval> <run_fcauth_system>1</run_fcauth_system> <auth_data> <preshared_key>YYY</preshared_key> </auth_data> <dhgroup>5</dhgroup> <proposals> <proposal>DES\|SHA1</proposal> <proposal>3DES\|MD5</proposal> </proposals> <nat_alive_freq>5</nat_alive_freq> </ike_settings> <ipsec_settings> <remote_networks> <network> <addr>0.0.0.0</addr> <mask>0.0.0.0</mask> </network> <network> <addr>::/0</addr> <mask>::/0</mask> </network> </remote_networks> <dhgroup>5</dhgroup> <key_life_type>seconds</key_life_type> <key_life_seconds>500</key_life_seconds> <key_life_Kbytes>5200</key_life_Kbytes> <replay_detection>1</replay_detection> <pfs>1</pfs> <use_vip>1</use_vip> <virtualip> <type>modeconfig</type> <ip>0.0.0.0</ip> <mask>0.0.0.0</mask> <dnsserver>0.0.0.0</dnsserver> <winserver>0.0.0.0</winserver> </virtualip> <proposals> <proposal>DES\|MD5</proposal> <proposal>3DES\|SHA1</proposal> </proposals> </ipsec_settings> <warn_invalid_server_certificate>1</warn_invalid_server_certificate> <android_cert_path/> <on_connect> <script> <os>windows</os> <script/> </script> </on_connect> <on_disconnect> <script> <os>windows</os> <script/> </script> </on_disconnect> <traffic_control> <enabled>1</enabled> <mode>2</mode> <isdb_objects> <object> <owner>28</owner> <app>109</app> </object> <object> <owner>28</owner> <app>100</app> </object> <object> <owner>19</owner> <app>293</app> </object> </isdb_objects> <apps> <app>teamviewer.exe</app> </apps> </traffic_control> </connection> </connections> </ipsecvpn> <lockdown> <enabled>0</enabled> <grace_period>120</grace_period> <max_attempts>3</max_attempts> <exceptions> <apps/> <ips/> </exceptions> </lockdown> <options> <allow_personal_vpns>0</allow_personal_vpns> <disable_connect_disconnect>0</disable_connect_disconnect> <show_vpn_before_logon>1</show_vpn_before_logon> <use_legacy_vpn_before_logon>0</use_legacy_vpn_before_logon> <keep_running_max_tries>2</keep_running_max_tries> <minimize_window_on_connect>0</minimize_window_on_connect> <use_windows_credentials>0</use_windows_credentials> <show_negotiation_wnd>1</show_negotiation_wnd> <suppress_vpn_notification>0</suppress_vpn_notification> <secure_remote_access>1</secure_remote_access> <on_os_start_connect>TUNNEL_NAME</on_os_start_connect> <on_os_start_connect_has_priority>1</on_os_start_connect_has_priority> <autoconnect_only_when_offnet>0</autoconnect_only_when_offnet> <autoconnect_on_install>1</autoconnect_on_install> <current_connection_name>TUNNEL_NAME</current_connection_name> <current_connection_type>ipsec</current_connection_type> <autoconnect_tunnel>TUNNEL_NAME</autoconnect_tunnel> </options> </vpn> <endpoint_control> <ui> <display_vpn>1</display_vpn> </ui> </endpoint_control> </forticlient_configuration> Phase 1: edit "VPN_FORTIGATE" set type dynamic set interface "WAN" set keylife 43200 set mode aggressive set peertype one set net-device disable set mode-cfg enable set proposal des-sha1 3des-md5 set dpd on-idle set dhgrp 5 set idle-timeout enable set idle-timeoutinterval 120 set peerid "YYYYY" set ipv4-start-ip YYYYY set ipv4-end-ip YYYYY set dns-mode auto set unity-support disable set psksecret YYYYYYYYYYYYYYY set dpd-retryinterval 10 Phase 2: edit "VPN_FORTIGATE_2" set phase1name "VPN_FORTIGATE" set proposal des-md5 3des-sha1 set dhgrp 5 set keepalive enable set keylifeseconds 500