IKE settings
FortiClient automatically performs IKE based on preshared keys or X.509 digital certificates.
The following tables list the XML tags for IKE settings, with descriptions and default values where applicable. Boolean settings take the value 0 (disabled) or 1 (enabled).

XML tag | Description | Default value
---|---|---
`<version>` | IKE version. FortiClient 6.4.1 supports IKE v1 and IKE v2; enter `1` or `2`. | 1
`<prompt_certificate>` | Prompt for a certificate on connection. Boolean value. |
`<implied_SPDO>` | Specify which ports allow traffic. Boolean value. |
`<implied_SPDO_timeout>` | Timeout used together with `<implied_SPDO>`. While that setting is in effect FortiClient blocks all outbound non-IKE packets; this timeout is what prevents the resulting deadlock. |
`<server>` | |
`<authentication_method>` | Authentication method: preshared key or X.509 certificate. |
`<auth_data>` | Authentication data for the chosen method; contains the elements below. |
`<preshared_key>` | Encrypted value of the preshared key. |
`<certificate>` | FortiClient searches all certificate stores until it finds a match for the certificate name and issuer supplied. The XML sample provided in IPsec VPN only shows XML configuration when using a preshared key. See Sample XML using certificate authentication for an example of XML configuration for a System Store X.509 certificate. |
`<common_name>` | Elements for the common name of the certificate for VPN logon. |
`<match_type>` | Type of matching to use for the common name; the certificate sample below uses `wildcard`. |
`<pattern>` | Pattern to use for the selected type of matching. |
`<issuer>` | Elements for the issuer of the certificate for VPN logon. |
`<match_type>` | Type of matching to use for the issuer; the certificate sample below uses `simple`. |
`<pattern>` | Pattern to use for the selected type of matching. |
`<mode>` | Connection mode. |
`<dhgroup>` | List of acceptable Diffie-Hellman (DH) groups, separated by semicolons. |
`<key_life>` | Phase 2 key expiry duration, in seconds. | 28800
`<localid>` | Enter the peer ID configured in the FortiGate phase 1 configuration. If Accept any peer ID has been configured, leave this field blank. |
 | Enter the FortiGate certificate subject name or FQDN. The peer ID must match the certificate local ID on the FortiGate for a successful IPsec VPN connection. |
`<nat_traversal>` | Enable NAT traversal. Boolean value. |
`<mode_config>` | Enable mode configuration. Boolean value. |
`<enable_local_lan>` | Enable local LAN access when using a full tunnel. This setting does not apply to split tunnels. Boolean value. | 0
`<block_outside_dns>` | Block DNS queries that would go outside the VPN tunnel. Boolean value. | 0
`<nat_alive_freq>` | NAT-T keepalive frequency. |
`<dpd>` | Enable dead peer detection (DPD). Boolean value. | 1
`<dpd_retry_count>` | Number of unacknowledged DPD messages to send before declaring the peer dead. | 3
`<dpd_retry_interval>` | Duration of DPD idle periods, in seconds. | 5
`<enable_ike_fragmentation>` | Support fragmented IKE packets. Boolean value. | 0
`<run_fcauth_system>` | Boolean value. | 0
`<xauth_timeout>` | IKE extended authentication (XAuth) timeout, in seconds. Enter a value between 120 and 300; if not configured, the timeout is two minutes (120 seconds). | 120

XAuth settings

XML tag | Description | Default value
---|---|---
`<enabled>` | Enable IKE XAuth. Boolean value. |
`<prompt_username>` | Request a username. Boolean value. |
`<username>` | Encrypted or non-encrypted username on the IPsec server. |
 | Encrypted or non-encrypted password. |
`<attempts_allowed>` | Maximum number of failed login attempts allowed. |
`<use_otp>` | Use a One Time Password (OTP). When disabled, FortiClient does not respond to DPD during XAuth. When enabled, FortiClient responds to DPD during XAuth, which may be necessary when two-factor authentication and DPD are both in use. Boolean value. |

Proposal settings

XML tag | Description | Default value
---|---|---
`<proposal>` | Encryption and authentication types to use, separated by a pipe, for example `<proposal>3DES\|MD5</proposal>`. Multiple `<proposal>` elements are accepted. First value: encryption type, one of DES, 3DES, AES128, AES192, AES256. Second value: authentication type, one of MD5, SHA1, SHA256, SHA384, SHA512. |

DES, 3DES, MD5 and SHA1 are legacy algorithms; list them only when the gateway cannot negotiate AES with SHA256 or stronger.
Sample XML using certificate authentication
```xml
<ipsecvpn>
  ...
  <connections>
    <connection>
      ...
      <ike_settings>
        <auth_data>
          <certificate>
            <common_name>
              <match_type>
                <![CDATA[wildcard]]>
              </match_type>
              <pattern>
                <![CDATA[*]]>
              </pattern>
            </common_name>
            <issuer>
              <match_type>
                <![CDATA[simple]]>
              </match_type>
              <pattern>
                <![CDATA[Certificate Authority]]>
              </pattern>
            </issuer>
          </certificate>
        </auth_data>
      </ike_settings>
      ...
    </connection>
  </connections>
  ...
</ipsecvpn>
```
This is a balanced but incomplete XML configuration fragment. All closing tags are included, but some elements needed to complete the IPsec VPN configuration are omitted. See IPsec VPN for a more complete XML configuration example using a preshared key for authentication. Note that with `<![CDATA[*]]>` as the common-name pattern any subject matches, so the issuer pattern alone decides which certificate FortiClient selects from the certificate stores.
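As an added example (editor's code, not Fortinet's and not taken from the reference), the following Python script lints the `<ike_settings>` fragment of a profile against the value ranges in the tables above and the certificate sample: IKE version, semicolon-separated DH groups, the 120 to 300 second XAuth timeout window, the ENCRYPTION|AUTHENTICATION shape and algorithm lists of `<proposal>`, and a `*` common-name wildcard that leaves certificate selection to the issuer pattern alone. The embedded sample profile is constructed; placing `<proposal>` directly under `<ike_settings>` and classifying DES, 3DES, MD5 and SHA1 as weak are the editor's assumptions, not statements from the reference.

```python
"""Lint the <ike_settings> block of a FortiClient IPsec VPN XML profile.

Added example (editor's code, not Fortinet's). It checks a profile fragment
against the value ranges documented in the IKE settings tables: <version> 1
or 2, semicolon-separated <dhgroup> entries, <xauth_timeout> between 120 and
300 seconds, and <proposal> entries of the form ENCRYPTION|AUTHENTICATION
drawn from the documented algorithm lists. Flagging DES, 3DES, MD5 and SHA1
as weak is the editor's classification, not something the reference states.
"""
from typing import List
import xml.etree.ElementTree as ET

ENC_TYPES = {"DES", "3DES", "AES128", "AES192", "AES256"}
AUTH_TYPES = {"MD5", "SHA1", "SHA256", "SHA384", "SHA512"}
WEAK = {"DES", "3DES", "MD5", "SHA1"}  # editor's classification, see above

# Constructed sample fragment, not taken from the reference. Placing the
# <proposal> elements directly under <ike_settings> is an assumption; the
# linter searches by element name, so the exact nesting does not matter.
SAMPLE = """<ipsecvpn>
  <connections>
    <connection>
      <ike_settings>
        <version>1</version>
        <dhgroup>5;14</dhgroup>
        <key_life>28800</key_life>
        <xauth_timeout>60</xauth_timeout>
        <auth_data>
          <certificate>
            <common_name>
              <match_type><![CDATA[wildcard]]></match_type>
              <pattern><![CDATA[*]]></pattern>
            </common_name>
            <issuer>
              <match_type><![CDATA[simple]]></match_type>
              <pattern><![CDATA[Certificate Authority]]></pattern>
            </issuer>
          </certificate>
        </auth_data>
        <proposal>3DES|MD5</proposal>
        <proposal>AES256|SHA256</proposal>
      </ike_settings>
    </connection>
  </connections>
</ipsecvpn>"""


def _text(elem: ET.Element, path: str) -> str:
    """Stripped text of a child element; the parser has already unwrapped CDATA."""
    return (elem.findtext(path) or "").strip()


def lint_ike_settings(xml_text: str) -> List[str]:
    """Return one finding per problem; an empty list means nothing was flagged."""
    findings: List[str] = []
    root = ET.fromstring(xml_text)
    for ike in root.iter("ike_settings"):
        version = _text(ike, "version")
        if version not in {"1", "2"}:
            findings.append(f"version: expected 1 or 2, got {version!r}")

        dhgroup = _text(ike, "dhgroup")
        groups = [g.strip() for g in dhgroup.split(";") if g.strip()]
        if dhgroup and not all(g.isdigit() for g in groups):
            findings.append(f"dhgroup: non-numeric entry in {dhgroup!r}")

        timeout = _text(ike, "xauth_timeout")
        if timeout and not (timeout.isdigit() and 120 <= int(timeout) <= 300):
            findings.append(f"xauth_timeout: {timeout!r} is outside 120-300 seconds")

        # A '*' common-name wildcard leaves only the issuer pattern to decide
        # which client certificate is picked from the certificate stores.
        for cert in ike.iter("certificate"):
            if (_text(cert, "common_name/match_type") == "wildcard"
                    and _text(cert, "common_name/pattern") == "*"):
                findings.append("common_name: wildcard '*' matches any subject; "
                                "certificate selection depends on <issuer> alone")

        for prop in ike.iter("proposal"):
            text = (prop.text or "").strip()
            parts = text.split("|")
            if len(parts) != 2:
                findings.append(f"proposal: {text!r} is not ENCRYPTION|AUTHENTICATION")
                continue
            enc, auth = parts
            if enc not in ENC_TYPES:
                findings.append(f"proposal: unknown encryption type {enc!r}")
            if auth not in AUTH_TYPES:
                findings.append(f"proposal: unknown authentication type {auth!r}")
            weak = [p for p in parts if p in WEAK]
            if weak:
                findings.append(f"proposal: {text!r} uses weak algorithm(s) {weak}")
    return findings


if __name__ == "__main__":
    for finding in lint_ike_settings(SAMPLE):
        print(finding)
```

Run against the embedded sample it reports the out-of-range XAuth timeout, the `*` common-name wildcard and the `3DES|MD5` proposal, and nothing for `AES256|SHA256`; point it at an exported profile to catch the same problems before the XML is pushed to endpoints.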