Fortinet Document Library


IKE settings

Internet Key Exchange (IKE) is performed automatically based on pre-shared keys or X.509 digital certificates.

The following entries list the XML tags for IKE settings, with a description of each tag and, where applicable, its default value.

<version>

Determines the IKE version. FortiClient 6.0.8 supports IKEv1 and IKEv2. Enter 1 or 2. If no value is specified, IKEv1 is used.

Default value: 1

<prompt_certificate>

Prompt the user to select a certificate on connect.

Boolean value: [0 | 1]

<implied_SPDO>

Controls which outbound traffic is allowed while the tunnel is being established. When this setting is 1, FortiClient blocks all outbound non-IKE packets, so only IKE/IPsec traffic on UDP ports 500 and 4500 is allowed. When this setting is 0, other traffic is allowed.

Boolean value: [0 | 1]

<implied_SPDO_timeout>

When <implied_SPDO> is set to 1, <implied_SPDO_timeout> is the timeout in seconds.

FortiClient blocks all outbound non-IKE packets when <implied_SPDO> is set to 1. This is a security feature of the IPsec client: it stops traffic from leaving the host outside the tunnel before the tunnel is up. If the network path goes through a captive portal, the IPsec VPN server may be unreachable until the user provides credentials on a web page. Setting <implied_SPDO> to 1 can therefore block access to the captive portal, which in turn blocks access to the IPsec VPN server.

To avoid this deadlock, set <implied_SPDO_timeout> to a value greater than 0. FortiClient then allows all outbound traffic, including non-IKE traffic, for the configured number of seconds. A value of 30 or 60 seconds is usually enough to complete a captive portal login. If <implied_SPDO_timeout> is set to 0, <implied_SPDO> behaves as if it were set to 0, that is, nothing is blocked.

When <implied_SPDO> is set to 0, <implied_SPDO_timeout> is ignored.

<server>

IP address or FQDN of the IPsec VPN gateway (the FortiGate).

<authentication_method>

Authentication method. Select one of the following:

  • Preshared Key
  • X509 Certificate
  • Smartcard X509 Certificate
  • System Store X509 Certificate

<auth_data> elements

<preshared_key>

Encrypted value of the preshared key.

<certificate>

Use the <common_name> and <issuer> subelements to provide the certificate's common name and issuer, respectively. FortiClient searches all certificate stores until it finds a match.

<mode>

IKEv1 Phase 1 exchange mode (not used with IKEv2). With a preshared key, aggressive mode transmits the PSK-derived authentication hash unencrypted, which allows an offline guessing attack on the key; use main mode unless the gateway requires aggressive mode (for example, a dialup tunnel that identifies peers by ID).

[aggressive | main]

<dhgroup>

List of acceptable Diffie-Hellman (DH) groups, separated by semicolons.

<key_life>

Phase 2 key lifetime, in seconds.

Default value: 28800

<localid>

Local ID that FortiClient sends. Enter the peer ID configured in the FortiGate Phase 1 configuration. If the FortiGate is configured to accept any peer ID, leave this field blank.

<peerid>

FortiGate certificate subject name or FQDN. The peer ID must match the certificate local ID on the FortiGate for the IPsec VPN connection to succeed.

<nat_traversal>

Enable or disable NAT traversal (NAT-T, UDP encapsulation on port 4500).

Boolean value: [0 | 1]

<mode_config>

Enable or disable IKE mode configuration, in which the gateway assigns the client's tunnel address and related settings.

Boolean value: [0 | 1]

<enable_local_lan>

Enable or disable local LAN access. When set to 0, local LAN access is disabled when using a full tunnel. When set to 1, local LAN access is enabled when using a full tunnel. Does not apply to split tunnels.

Boolean value: [0 | 1]

Default value: 0

<nat_alive_freq>

NAT keepalive frequency.

<dpd>

Enable or disable Dead Peer Detection (DPD).

Boolean value: [0 | 1]

Default value: 1

<dpd_retry_count>

Number of unacknowledged DPD messages to send before declaring the peer dead.

Default value: 3

<dpd_retry_interval>

Interval between DPD retries, in seconds.

Default value: 5

<enable_ike_fragmentation>

Support fragmented IKE packets. Needed when large IKE messages, typically those carrying certificates, exceed the path MTU.

Boolean value: [0 | 1]

Default value: 0

<run_fcauth_system>

When this setting is 1, non-administrator users can use local machine certificates to connect to the IPsec VPN. When this setting is 0, non-administrator users cannot use machine certificates to connect.

Boolean value: [0 | 1]

Default value: 0

<xauth_timeout>

IKE Extended Authentication (XAuth) timeout, in seconds. Enter a value between 120 and 300. If not configured, the default of two minutes (120 seconds) applies.

Default value: 120

<xauth> elements

<enabled>

Use IKE Extended Authentication (XAuth).

Boolean value: [0 | 1]

<prompt_username>

Prompt the user for a username.

Boolean value: [0 | 1]

<username>

Username on the IPsec server, encrypted or plain text.

<password>

Password, encrypted or plain text. Use the encrypted form in any profile that is distributed to endpoints.

<attempts_allowed>

Maximum number of failed login attempts allowed.

<use_otp>

Use a One Time Password (OTP). When this setting is 0, FortiClient does not respond to DPD during XAuth. When this setting is 1, FortiClient responds to DPD during XAuth, which may be necessary when two-factor authentication and DPD are both in use, because entering the second factor can take longer than the DPD interval.

Boolean value: [0 | 1]

Default value: 0

<proposals> elements

<proposal>

Encryption and authentication algorithms to use, separated by a pipe. Multiple <proposal> elements are accepted.

Example:

<proposal>3DES|MD5</proposal>

First value, encryption algorithm: DES, 3DES, AES128, AES192, AES256

Second value, authentication algorithm: MD5, SHA1, SHA256, SHA384, SHA512

The example shows the syntax only: DES, 3DES, MD5 and SHA1 are legacy algorithms. Prefer AES256|SHA256 or stronger, and list only proposals that also appear in the FortiGate Phase 1 proposal, since only a proposal the gateway accepts can be negotiated.
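The interaction between <implied_SPDO> and <implied_SPDO_timeout> described above, and the <proposal> syntax, are easy to get wrong in a hand-edited profile. The following Python script is an added example, not FortiClient code or part of this reference: it parses a stand-alone <ike> element and reports settings that contradict the table (a timeout of 0 that silently disables the block, an <xauth_timeout> outside 120-300) or that weaken the tunnel (IKEv1, aggressive mode with a preshared key, DPD off, legacy proposal algorithms). The two sample fragments are constructed for the example; the enclosing FortiClient profile structure around <ike> is not checked, and the legacy-algorithm sets are this script's own policy, not a FortiClient default.

```python
"""Lint a FortiClient <ike> fragment against the IKE settings table.
Added example, not Fortinet code. The fragment is linted stand-alone (the
surrounding profile structure is assumed, not checked)."""
import xml.etree.ElementTree as ET

LEGACY_ENC = {"DES", "3DES"}      # policy choice, not a FortiClient default
LEGACY_AUTH = {"MD5", "SHA1"}     # policy choice, not a FortiClient default
XAUTH_TIMEOUT_RANGE = (120, 300)  # range given in the table

def _text(ike, path, default=None):
    """Text of the child at `path`, or `default` when absent or empty."""
    el = ike.find(path)
    if el is None or not (el.text or "").strip():
        return default
    return el.text.strip()

def lint_ike(xml_text):
    """Parse one <ike> element and return a list of (tag, message) findings."""
    ike = ET.fromstring(xml_text)
    if ike.tag != "ike":
        raise ValueError("expected an <ike> root element, got <%s>" % ike.tag)
    findings = []

    # <version>: when omitted, FortiClient selects IKEv1.
    if _text(ike, "version", "1") == "1":
        findings.append(("version", "IKEv1 selected (the default when omitted); "
                         "set 2 if the gateway supports IKEv2"))

    # <mode>: IKEv1 aggressive mode with a PSK sends the PSK-derived hash in
    # the clear, exposing the key to offline guessing; main mode does not.
    if (_text(ike, "mode") == "aggressive"
            and _text(ike, "authentication_method") == "Preshared Key"):
        findings.append(("mode", "aggressive mode with a preshared key; "
                         "use main mode or certificate authentication"))

    # <implied_SPDO>/<implied_SPDO_timeout>: a timeout of 0 makes an
    # implied_SPDO of 1 behave as 0, so nothing is blocked at all.
    spdo = _text(ike, "implied_SPDO", "0")
    timeout = int(_text(ike, "implied_SPDO_timeout", "0"))
    if spdo == "1" and timeout == 0:
        findings.append(("implied_SPDO_timeout", "0 disables implied_SPDO=1; "
                         "use 30-60 s so captive portals work and traffic is "
                         "blocked afterwards"))
    elif spdo == "0" and timeout > 0:
        findings.append(("implied_SPDO_timeout", "ignored because implied_SPDO is 0"))

    # <xauth_timeout>: the table allows 120-300 seconds.
    xt = _text(ike, "xauth_timeout")
    if xt is not None and not XAUTH_TIMEOUT_RANGE[0] <= int(xt) <= XAUTH_TIMEOUT_RANGE[1]:
        findings.append(("xauth_timeout", "%s s is outside the documented 120-300 s range" % xt))

    # <dpd>: with DPD off, a dead gateway is only noticed when a rekey fails.
    if _text(ike, "dpd", "1") == "0":
        findings.append(("dpd", "dead peer detection disabled"))

    # <proposals>/<proposal>: ENC|AUTH pairs; flag malformed or legacy ones.
    for p in ike.findall("proposals/proposal"):
        parts = (p.text or "").strip().split("|")
        if len(parts) != 2:
            findings.append(("proposal", "malformed proposal %r (expected ENC|AUTH)" % (p.text,)))
            continue
        enc, auth = parts
        if enc in LEGACY_ENC or auth in LEGACY_AUTH:
            findings.append(("proposal", "legacy proposal %s|%s; prefer AES256|SHA256" % (enc, auth)))
    return findings

# Constructed sample fragments for this example; not from a real deployment.
WEAK_IKE = """<ike>
  <version>1</version>
  <server>vpn.example.com</server>
  <authentication_method>Preshared Key</authentication_method>
  <mode>aggressive</mode>
  <implied_SPDO>1</implied_SPDO>
  <implied_SPDO_timeout>0</implied_SPDO_timeout>
  <dpd>0</dpd>
  <proposals>
    <proposal>3DES|MD5</proposal>
    <proposal>AES256|SHA256</proposal>
  </proposals>
</ike>"""

HARDENED_IKE = """<ike>
  <version>2</version>
  <server>vpn.example.com</server>
  <authentication_method>X509 Certificate</authentication_method>
  <mode>main</mode>
  <implied_SPDO>1</implied_SPDO>
  <implied_SPDO_timeout>60</implied_SPDO_timeout>
  <dpd>1</dpd>
  <dpd_retry_count>3</dpd_retry_count>
  <dpd_retry_interval>5</dpd_retry_interval>
  <xauth_timeout>120</xauth_timeout>
  <proposals>
    <proposal>AES256|SHA256</proposal>
  </proposals>
</ike>"""

if __name__ == "__main__":
    for name, fragment in (("weak", WEAK_IKE), ("hardened", HARDENED_IKE)):
        print(name + ":", lint_ike(fragment) or "no findings")
```

Run as a script it prints the findings for both fragments; in a profile build pipeline, fail the build when lint_ike returns anything for the <ike> element you are about to push to endpoints. Absent elements are treated exactly as the table describes the defaults (IKEv1, DPD on, implied_SPDO off), so a profile that omits a tag is judged by what FortiClient will actually do.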
