Support for IKEv2 for FortiClient (macOS) 7.2.3

FortiClient (macOS) supports using IKEv2 for IPsec VPN to establish a secure communication channel between two devices. IKEv2 is more efficient, flexible, and capable of handling modern networking challenges, such as NAT traversal and dynamic addressing. It simplifies the negotiation process and enhances overall security features, making it a preferred choice for many IPsec VPN implementations.

In the following example, a company with a globally distributed workforce wants to ensure that remote employees can securely access the corporate network from various locations, including home offices and public Wi-Fi networks. The company aims to provide a seamless and secure remote access solution for its employees while maintaining the confidentiality and integrity of sensitive corporate data. A remote employee uses FortiClient to connect to an edge FortiGate over an IPsec VPN that uses IKEv2, and can then access corporate servers.

To configure this feature:
  1. In FortiOS, create an IPsec VPN tunnel that uses IKEv2:
    config vpn ipsec phase1-interface
        edit "p2"
            set type dynamic
            set interface "port1"
            set ike-version 2
            set peertype any
            set net-device disable
            set mode-cfg enable
            set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
            set comments "VPN: p2 (Created by VPN wizard)"
            set eap enable
            set eap-identity send-request
            set authusrgrp "IPsec VPN"
            set ems-sn-check enable
            set ipv4-start-ip 192.168.30.1
            set ipv4-end-ip 192.168.30.150
            set dns-mode auto
            set ipv4-split-include "p2_split"
            set save-password enable
            set client-auto-negotiate enable
            set client-keep-alive enable
            set psksecret ENC FmomkNlFxMiJkVPBCjm87lrJq/cSSBxI0l4eeERzuSo/iW75r1b7CaFKFyp0GKYs8XsDjx5yM8qe/ZZzMK/TCH5xn2ZMZFq6iBsS2NwzkLYHsV/mE9JUSO10gwTyjXMAxOqZU6MmUXVn20HiYHqn3OgbIPtrLhWQtkk1cGLy7sB117DRJzZXAqV9Gv3k9b6xdXfrfw==
        next
    end
  2. In EMS, go to Endpoint Profiles > Remote Access.
  3. Create a new profile or edit an existing one.
  4. Click Add Tunnel.
  5. Under Type, select IPsec VPN.
  6. In the Remote Gateway field, enter the edge FortiGate IP address.
  7. From the Authentication Method dropdown list, select Pre Shared Key.
  8. In the Pre-Shared Key field, enter the key that you configured on the FortiGate IPsec VPN tunnel.

  9. In VPN Settings, under IKE, select Version 2. Click Save.
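
Before rolling the tunnel out, the phase1 settings from step 1 can be reviewed offline from a configuration backup. The following Python sketch is an added example, not part of the Fortinet documentation: `parse_phase1` and `review` are hypothetical helper names, the sample is a constructed excerpt of the configuration above with `psksecret` left out, and the review policy it encodes is an assumption.

```python
import shlex

# Constructed sample: excerpt of the phase1 settings from step 1 (psksecret omitted).
SAMPLE = '''
config vpn ipsec phase1-interface
    edit "p2"
        set ike-version 2
        set peertype any
        set eap enable
        set authusrgrp "IPsec VPN"
        set ems-sn-check enable
        set save-password enable
    next
end
'''

def parse_phase1(text):
    """Return {tunnel_name: {option: [values]}} from config/edit/set/next blocks."""
    tunnels, current = {}, None
    for line in text.splitlines():
        tok = shlex.split(line)  # keeps quoted names such as "IPsec VPN" whole
        if not tok:
            continue
        if tok[0] == "edit" and len(tok) > 1:
            current = tunnels.setdefault(tok[1], {})
        elif tok[0] == "set" and current is not None and len(tok) > 2:
            current[tok[1]] = tok[2:]
        elif tok[0] == "next":
            current = None
    return tunnels

def review(opts):
    """Findings for one tunnel; the policy encoded here is an assumption."""
    out = []
    if opts.get("ike-version") != ["2"]:
        out.append("ike-version is not 2")
    if opts.get("eap") != ["enable"] or not opts.get("authusrgrp"):
        out.append("no per-user EAP authentication; the shared PSK is the only credential")
    if opts.get("ems-sn-check") != ["enable"]:
        out.append("ems-sn-check is not enabled")
    if opts.get("save-password") == ["enable"]:
        out.append("save-password enabled: clients may store the user password")
    if opts.get("peertype") == ["any"]:
        out.append("peertype any: peer ID is not restricted")
    return out

if __name__ == "__main__":
    for name, opts in parse_phase1(SAMPLE).items():
        print(name, review(opts) or "no findings")
```

For the sample, the two findings are the `save-password` and `peertype any` settings, which are the items to weigh against the organization's own remote access policy.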