Skip to content
Fortinet

How to setup VPN Using Fortinet’s Fortigate

To set up remote-access VPN on a FortiGate in 2026, build an IPsec dial-up VPN with FortiClient. Fortinet removed SSL VPN tunnel mode in FortiOS 7.6.3 and now recommends IPsec (and ZTNA for app access). This guide covers the IPsec wizard steps, FortiClient config, and the SSL VPN migration path.

Maxim Kazachek Maxim Kazachek · · · 6 min read

To set up remote-access VPN on a Fortinet FortiGate in 2026, build an IPsec dial-up VPN and connect users with FortiClient. IPsec is now the path Fortinet recommends: starting in FortiOS 7.6.3, Fortinet removed SSL VPN tunnel mode from the GUI and CLI and replaced it with standards-based IPsec, which can even run over TCP port 443. This guide walks through the IPsec setup first (the recommended route), then covers where SSL VPN still fits and why you should migrate off it.

Struggling To Choose The Right FortiGate?

Take our quick quiz to get a personalized suggestion for your business.

Start Quiz
Fortinet FortiGate firewall VPN configuration graphic

IPsec VPN vs SSL VPN

IPsec VPN is a standards-based tunnel that secures all traffic between a remote device and your network at the network layer, using IKE for key exchange. SSL VPN is Fortinet’s proprietary tunnel that ran over HTTPS. Fortinet has removed SSL VPN tunnel mode from current FortiOS and now steers remote access to IPsec, with ZTNA as the longer-term model for application-level access.

Configure an IPsec dial-up VPN, not SSL VPN. Fortinet replaced SSL VPN tunnel mode with IPsec in FortiOS 7.6.3, and settings are not carried over on upgrade. If you are still on 7.2.x, plan your migration now: FortiOS 7.2 reaches end of support in September 2026.

Should you use IPsec or SSL VPN on a FortiGate in 2026?

Use IPsec. As of FortiOS 7.6.3, SSL VPN tunnel mode is gone from the FortiGate GUI and CLI, and Fortinet directs all remote-access VPN to standards-based IPsec. IPsec can run over UDP, TCP, or Auto mode (which falls back from UDP to TCP), so you can still reach clients on restrictive networks, including over TCP port 443, without the proprietary SSL tunnel.

As a Fortinet Advanced Partner since 2003, we now build every new FortiGate remote-access deployment on IPsec. For a deeper side-by-side, see SSL VPN vs IPsec VPN: what Fortinet users must know.

FactorIPsec VPN (recommended)SSL VPN tunnel mode
Status in current FortiOSSupported and recommendedRemoved from GUI/CLI in 7.6.3
StandardOpen standard (IKEv2)Fortinet proprietary
TransportUDP, TCP, or Auto (incl. TCP 443)HTTPS (TCP 443)
ClientFortiClient (IKEv2)FortiClient or browser
Future directionPrimary VPN path, plus ZTNAEnd of life

What do you need before setting up a FortiGate IPsec VPN?

You need three things before you start: administrative access to the FortiGate, a reachable public IP or domain on the WAN interface, and the user accounts (or user group) that will connect. Confirm your FortiOS version too, since the steps below assume a current 7.4 or 7.6 build.

  • Administrative access to the FortiGate firewall.
  • A public IP address or domain name on the FortiGate’s external (WAN) interface.
  • User credentials and a user group for VPN access.
  • FortiClient 7.4.4 or later on each remote device (IKEv1 is no longer supported on the client, so IPsec uses IKEv2).

How do you set up an IPsec dial-up (remote access) VPN on a FortiGate?

The fastest path is the built-in VPN Wizard. In the FortiGate GUI, go to VPN > VPN Wizard, choose the Remote Access template, and step through the endpoint, authentication, and policy screens. The wizard creates the Phase 1/Phase 2 tunnel, the firewall policy, and the address objects for you.

Start the wizard: Go to VPN > VPN Wizard, enter a Tunnel name, set the template to Remote Access, and click Begin.

Set the remote device: Choose FortiClient as the remote device type, then select the incoming (WAN) interface that faces the internet.

Choose authentication: Set the authentication method to Pre-shared Key (or Certificate) and select the user group allowed to connect. IKEv2 is used by default.

Define policy and addressing: Set the local (internal) subnet users should reach and the client address range the FortiGate hands out. Enable split tunneling if remote users should only route corporate traffic through the tunnel.

Review and submit: Confirm the summary and click Submit. The wizard builds Phase 1, Phase 2, the firewall policy, and the address objects automatically.

Verify the tunnel: Go to Dashboard > Network, expand the IPsec widget, and confirm the Phase 1 and Phase 2 selectors come up once a client connects.

On restrictive guest or hotel networks where UDP 500/4500 is blocked, set the IPsec transport to Auto or TCP so the tunnel can fall back to TCP port 443. This is the IPsec equivalent of the reachability SSL VPN used to give you, without the proprietary tunnel.

How do you connect FortiClient to a FortiGate IPsec VPN?

On the endpoint, open FortiClient, go to Remote Access, and add a new connection set to IPsec VPN. Point it at the FortiGate and authenticate with the same pre-shared key and credentials you configured on the firewall.

  1. Install FortiClient 7.4.4 or later, then open it and go to Remote Access.
  2. Click Add a new connection and set VPN to IPsec VPN.
  3. Set the Remote Gateway to the FortiGate’s public IP or domain.
  4. Set the Authentication Method to Pre-Shared Key and enter the key (match Phase 1 Local ID if you set one in the wizard).
  5. Save, select the connection, enter the username and password, and click Connect.

Is SSL VPN still an option on FortiGate?

No, not as a tunnel. On FortiOS 7.6.3 and later, SSL VPN tunnel mode is removed from both the GUI and CLI, and its settings are not upgraded from earlier versions. If you upgrade a FortiGate that still relies on SSL VPN without migrating first, remote users lose access. The old SSL VPN steps below are kept only for readers still on legacy 7.0/7.2 builds.

Warning:

SSL VPN tunnel mode is being removed from FortiOS. Fortinet replaced it with IPsec in 7.6.3, and configurations do not migrate automatically. Move your remote access to IPsec (and evaluate ZTNA for application-level access) before you upgrade. For the full migration path, read FortiGate SSL VPN is going away: migrate to IPsec.

If you must run SSL VPN on a legacy build for now: log in to the FortiGate GUI, go to VPN > SSL-VPN Settings, set the listen interface and port, assign a server certificate and client IP range, and map user groups to a portal. Then create a firewall policy from the SSL-VPN tunnel interface to your internal network. Treat this as temporary and schedule the IPsec cutover.

Beyond IPsec, Fortinet’s longer-term direction is ZTNA (Zero Trust Network Access), which grants access to specific applications based on device posture rather than opening a full network tunnel. For most teams, the practical 2026 plan is IPsec for network access now, ZTNA for sensitive apps as you mature.

Which FortiOS version should you run for VPN?

Run a current 7.4 or 7.6 release for production VPN. FortiOS 7.6 is the mature feature branch (7.6.6 is widely recommended, 7.6.7 is the latest), and 7.4 remains a solid long-term-support choice. FortiOS 8.0 was announced at Accelerate 2026 but is not yet recommended for production. If you are on 7.2.x, plan your upgrade: FortiOS 7.2 reaches end of support in September 2026, and the SSL-VPN-to-IPsec change lands in the 7.6 line.

Important:

Do not jump straight to FortiOS 8.0 in production. Standardize on a stable 7.6 build (7.6.6/7.6.7) or 7.4, and migrate any SSL VPN config to IPsec before you cross into 7.6.3 or later.

FortiGate VPN best practices

  • Enforce MFA: require multi-factor authentication on every VPN user, not just admins.
  • Restrict access: scope firewall policies to the specific subnets and services each group needs, not “all”.
  • Patch on schedule: keep FortiOS and FortiClient current, and track Fortinet PSIRT advisories.
  • Monitor and log: review VPN event logs and tunnel status for anomalies. Our managed firewall service handles this for FortiGate fleets end to end.

Sources

Written by Maxim Kazachek

Sr. Systems Engineer

Maxim is a core member of the technical team at BALANCED+, responsible for architecting, deploying, and maintaining the systems infrastructure that clients depend on every day. From on-premises server environments to hybrid cloud deployments, he ensures that every system is configured for performance, security, and resilience. His deep technical knowledge spans Windows and Linux server […]

Frequently Asked Questions

Need IT Expertise?

Our team is ready to help. Book a free consultation and see how we can support your business.