IPsec VPN
IPsec VPN configurations have one <options> section and one or more <connection> sections.
<forticlient_configuration>
  <vpn>
    <ipsecvpn>
      <options>
        <show_auth_cert_only>1</show_auth_cert_only>
        <disconnect_on_log_off>1</disconnect_on_log_off>
        <enabled>1</enabled>
        <beep_if_error>0</beep_if_error>
        <beep_continuously>0</beep_continuously>
        <beep_seconds>0</beep_seconds>
        <usewincert>1</usewincert>
        <use_win_current_user_cert>1</use_win_current_user_cert>
        <use_win_local_computer_cert>1</use_win_local_computer_cert>
        <block_ipv6>1</block_ipv6>
        <uselocalcert>0</uselocalcert>
        <usesmcardcert>1</usesmcardcert>
        <enable_udp_checksum>0</enable_udp_checksum>
        <mtu_size>1300</mtu_size>
        <disable_default_route>0</disable_default_route>
        <check_for_cert_private_key>1</check_for_cert_private_key>
        <enhanced_key_usage_mandatory>1</enhanced_key_usage_mandatory>
      </options>
      <connections>
        <connection>
          <name>ipsecdemo</name>
          <single_user_mode>0</single_user_mode>
          <type>manual</type>
          <ui>
            <show_passcode>0</show_passcode>
            <show_remember_password>1</show_remember_password>
            <show_alwaysup>1</show_alwaysup>
            <show_autoconnect>1</show_autoconnect>
            <save_username>0</save_username>
          </ui>
          <ike_settings>
            <version>1</version>
            <prompt_certificate>0</prompt_certificate>
            <implied_SPDO>0</implied_SPDO>
            <implied_SPDO_timeout>0</implied_SPDO_timeout>
            <server>ipsecdemo.fortinet.com</server>
            <authentication_method>Preshared Key</authentication_method>
            <auth_data>
              <preshared_key>Encdab907ed117eafaadd92f82b3e768b5414e4402dbd4df4585d4202c65940f1b2e9</preshared_key>
            </auth_data>
            <mode>aggressive</mode>
            <dhgroup>5;</dhgroup>
            <key_life>28800</key_life>
            <localid></localid>
            <peerid></peerid>
            <nat_traversal>1</nat_traversal>
            <mode_config>1</mode_config>
            <enable_local_lan>0</enable_local_lan>
            <nat_alive_freq>5</nat_alive_freq>
            <dpd>1</dpd>
            <dpd_retry_count>3</dpd_retry_count>
            <dpd_retry_interval>5</dpd_retry_interval>
            <fgt>1</fgt>
            <enable_ike_fragmentation>0</enable_ike_fragmentation>
            <run_fcauth_system>0</run_fcauth_system>
            <xauth_timeout>120</xauth_timeout>
            <xauth>
              <enabled>1</enabled>
              <prompt_username>1</prompt_username>
              <username>Encrypted/NonEncrypted_UsernameString</username>
              <password />
              <attempts_allowed>1</attempts_allowed>
              <use_otp>0</use_otp>
            </xauth>
            <proposals>
              <proposal>3DES|MD5</proposal>
              <proposal>3DES|SHA1</proposal>
              <proposal>AES128|MD5</proposal>
              <proposal>AES128|SHA1</proposal>
              <proposal>AES256|SHA256</proposal>
            </proposals>
          </ike_settings>
          <ipsec_settings>
            <remote_networks>
              <network>
                <addr>0.0.0.0</addr>
                <mask>0.0.0.0</mask>
              </network>
            </remote_networks>
            <dhgroup>5</dhgroup>
            <key_life_type>seconds</key_life_type>
            <key_life_seconds>1800</key_life_seconds>
            <key_life_Kbytes>5120</key_life_Kbytes>
            <replay_detection>1</replay_detection>
            <pfs>1</pfs>
            <use_vip>1</use_vip>
            <virtualip>
              <dnsserver_secondary></dnsserver_secondary>
              <type>modeconfig</type>
              <ip>0.0.0.0</ip>
              <mask>0.0.0.0</mask>
              <dnsserver>0.0.0.0</dnsserver>
              <winserver>0.0.0.0</winserver>
            </virtualip>
            <proposals>
              <proposal>3DES|MD5</proposal>
              <proposal>3DES|SHA1</proposal>
              <proposal>AES128|MD5</proposal>
              <proposal>AES128|SHA1</proposal>
              <proposal>AES256|SHA256</proposal>
            </proposals>
          </ipsec_settings>
          <on_connect>
            <script>
              <os>windows</os>
              <script>
                <script>
                  <![CDATA[]]>
                </script>
              </script>
            </script>
          </on_connect>
          <on_disconnect>
            <script>
              <os>windows</os>
              <script>
                <script>
                  <![CDATA[]]>
                </script>
              </script>
            </script>
          </on_disconnect>
        </connection>
      </connections>
    </ipsecvpn>
  </vpn>
</forticlient_configuration>
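Profiles like the one above are usually pushed from an EMS or edited by hand, so it is worth checking them before deployment for settings a reviewer would flag: IKEv1 aggressive mode with a preshared key, DH group 5 or lower, and 3DES/MD5/SHA1 proposals like those listed in the sample. The script below is an added example, not Fortinet's code or part of this reference; it reads the tag layout shown on this page with the Python standard library, and the cipher, hash and DH-group thresholds it applies are this example's own choices. The embedded profile is constructed for the demonstration.

```python
"""Audit a FortiClient IPsec VPN XML profile for weak settings.

Added example, not Fortinet's code: parses the <ipsecvpn> section with the
standard library and lists settings a reviewer would flag. Tag names follow
the profile layout on this page; the thresholds are this example's own.
"""
import xml.etree.ElementTree as ET

# Constructed sample profile (not a real deployment), trimmed to the tags read below.
SAMPLE_PROFILE = """<forticlient_configuration><vpn><ipsecvpn>
  <options><block_ipv6>0</block_ipv6></options>
  <connections><connection>
    <name>ipsecdemo</name>
    <ike_settings>
      <version>1</version>
      <authentication_method>Preshared Key</authentication_method>
      <mode>aggressive</mode>
      <dhgroup>5;</dhgroup>
      <proposals><proposal>3DES|MD5</proposal><proposal>AES256|SHA256</proposal></proposals>
    </ike_settings>
    <ipsec_settings>
      <dhgroup>5</dhgroup>
      <pfs>1</pfs>
      <replay_detection>1</replay_detection>
      <proposals><proposal>AES128|MD5</proposal><proposal>AES256|SHA256</proposal></proposals>
    </ipsec_settings>
  </connection></connections>
</ipsecvpn></vpn></forticlient_configuration>"""

WEAK_CIPHERS = {"DES", "3DES"}
WEAK_HASHES = {"MD5", "SHA1"}
WEAK_DH_GROUPS = {"1", "2", "5"}  # MODP groups of 1536 bits or less (example's threshold)


def _text(elem, path, default=""):
    """Stripped text of the first element at `path` under `elem`, or `default`."""
    node = elem.find(path)
    return (node.text or "").strip() if node is not None else default


def weak_proposals(proposals_elem):
    """Return <proposal> strings (CIPHER|HASH) that use a deprecated cipher or hash."""
    if proposals_elem is None:
        return []
    flagged = []
    for p in proposals_elem.findall("proposal"):
        text = (p.text or "").strip()
        cipher, _, digest = text.upper().partition("|")
        if cipher in WEAK_CIPHERS or digest in WEAK_HASHES:
            flagged.append(text)
    return flagged


def weak_dh_groups(value):
    """Parse a semicolon-separated <dhgroup> list such as "14;5;" and return the weak groups."""
    groups = [g.strip() for g in value.split(";") if g.strip()]
    return [g for g in groups if g in WEAK_DH_GROUPS]


def audit_connection(conn):
    """Return finding strings for one <connection> element."""
    name = _text(conn, "name", "<unnamed>")
    findings = []
    ike = conn.find("ike_settings")
    if ike is not None:
        if _text(ike, "version") == "1":
            findings.append(f"{name}: IKEv1 in use; prefer IKEv2")
        psk = "preshared" in _text(ike, "authentication_method").lower().replace(" ", "")
        if psk and _text(ike, "mode").lower() == "aggressive":
            findings.append(f"{name}: aggressive mode with a preshared key; use main mode or certificates")
        findings += [f"{name}: IKE DH group {g} is below 2048-bit strength" for g in weak_dh_groups(_text(ike, "dhgroup"))]
        findings += [f"{name}: weak IKE proposal {p}" for p in weak_proposals(ike.find("proposals"))]
    ipsec = conn.find("ipsec_settings")
    if ipsec is not None:
        if _text(ipsec, "pfs") != "1":
            findings.append(f"{name}: PFS disabled")
        if _text(ipsec, "replay_detection") != "1":
            findings.append(f"{name}: replay detection disabled")
        findings += [f"{name}: IPsec DH group {g} is below 2048-bit strength" for g in weak_dh_groups(_text(ipsec, "dhgroup"))]
        findings += [f"{name}: weak IPsec proposal {p}" for p in weak_proposals(ipsec.find("proposals"))]
    return findings


def audit_profile(xml_text):
    """Audit <options> and every <connection> in a profile; returns all findings."""
    root = ET.fromstring(xml_text)
    findings = []
    if _text(root, "vpn/ipsecvpn/options/block_ipv6") != "1":
        findings.append("options: block_ipv6 is 0; IPv6 traffic can bypass the tunnel")
    for conn in root.findall("vpn/ipsecvpn/connections/connection"):
        findings.extend(audit_connection(conn))
    return findings


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print(finding)
```

Run it against an exported profile by passing the file contents to `audit_profile()`. The `<dhgroup>` parser accepts the semicolon-separated form used in the IKE section (`5;`) as well as the bare form used in the IPsec section (`5`), so both halves of a connection are checked with the same code.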
The following table provides the XML tags for IPsec VPN, as well as the descriptions and default values where applicable.

XML Tag | Description | Default Value |
---|---|---|
<show_auth_cert_only> | Suppress dialog boxes from displaying in FortiClient when using SmartCard certificates. Boolean value: | 0 |
<disconnect_on_log_off> | Drop the established VPN connection when the user logs off. Boolean value: | 1 |
<enabled> | Enable or disable IPsec VPN. Boolean value: | 1 |
<beep_if_error> | Beep if the VPN connection attempt fails. Boolean value: | 0 |
<beep_continuously> | Enable or disable the continuous beep. Boolean value: | 1 |
<beep_seconds> | Number of seconds after which to beep if an error occurs. | 60 |
<usewincert> | Use Microsoft Windows certificates for connections. Boolean value: | |
<use_win_current_user_cert> | Use Microsoft Windows current user certificates for connections. Boolean value: | 1 |
<use_win_local_computer_cert> | Use Microsoft Windows local computer certificates for connections. Boolean value: | 1 |
<block_ipv6> | Drop IPv6 traffic when an IPsec VPN connection is established. Boolean value: | 0 |
<uselocalcert> | Use local certificates for connections. Boolean value: | |
<usesmcardcert> | Use certificates on smart cards. Boolean value: | |
<enable_udp_checksum> | Enable or disable UDP checksums. This setting stops FortiClient from calculating and inserting checksums into the UDP packets that it creates. Boolean value: | 0 |
<mtu_size> | Maximum Transmission Unit (MTU) size for packets on the VPN tunnel. Set from a minimum of | |
<disable_default_route> | Disable the default route to the gateway while the tunnel is up and restore it after the tunnel is down. Boolean value: | 0 |
<check_for_cert_private_key> | Enable or disable checks for the Windows certificate private key. When set to Boolean value: | 0 |
<enhanced_key_usage_mandatory> | Enable or disable certificates with enhanced key usage. Used with Boolean value: | |
The <connections> XML tag may contain one or more <connection> elements. Each <connection> has the following:
- name and type: the name and type of the connection
- IKE settings: information used to establish an IPsec VPN connection
- IPsec settings:
- on_connect: a script to run right after a successful connection
- on_disconnect: a script to run just after a disconnection
The following table provides VPN connection XML tags, the description, and the default value (where applicable).

XML Tag | Description | Default Value |
---|---|---|
<name> | VPN connection name. | |
<single_user_mode> | Enable or disable single user mode. If enabled, new and existing VPN connections cannot be established, or are disconnected, if more than one user is logged in. Boolean value: | 0 |
<type> | IPsec VPN connection type. Select: | |
| The elements of the | |
<show_passcode> | Display Passcode instead of Password on the Remote Access tab in the console. Boolean value: | |
<show_remember_password> | Display the Save Password checkbox in the console. Boolean value: | |
<show_alwaysup> | Display the Always Up checkbox in the console. Boolean value: | |
<show_autoconnect> | Display the Auto Connect checkbox in the console. Boolean value: | |
<save_username> | Save and display the last username used for the VPN connection. Boolean value: | |

The VPN connection name is mandatory. If a connection of this type and this name exists, its values are overwritten with the new ones.