Support for IKEv2 for FortiClient (macOS) 7.2.3
FortiClient (macOS) supports using IKEv2 for IPsec VPN to establish a secure communication channel between two devices. IKEv2 is more efficient, flexible, and capable of handling modern networking challenges, such as NAT traversal and dynamic addressing. It simplifies the negotiation process and enhances overall security features, making it a preferred choice for many IPsec VPN implementations.
In the following example, a company with a globally distributed workforce wants to ensure that remote employees can securely access the corporate network from various locations, including home offices and public Wi-Fi networks. The company aims to provide a seamless and secure remote access solution for its employees while maintaining the confidentiality and integrity of sensitive corporate data. A remote employee can connect to an edge FortiGate using FortiClient over IPsec VPN using IKEv2 to access corporate servers.
To configure this feature:
- In FortiOS, create an IPsec VPN tunnel that uses IKEv2 (`set ike-version 2`):

```
config vpn ipsec phase1-interface
    edit "p2"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set comments "VPN: p2 (Created by VPN wizard)"
        set eap enable
        set eap-identity send-request
        set authusrgrp "IPsec VPN"
        set ems-sn-check enable
        set ipv4-start-ip 192.168.30.1
        set ipv4-end-ip 192.168.30.150
        set dns-mode auto
        set ipv4-split-include "p2_split"
        set save-password enable
        set client-auto-negotiate enable
        set client-keep-alive enable
        set psksecret ENC FmomkNlFxMiJkVPBCjm87lrJq/cSSBxI0l4eeERzuSo/iW75r1b7CaFKFyp0GKYs8XsDjx5yM8qe/ZZzMK/TCH5xn2ZMZFq6iBsS2NwzkLYHsV/mE9JUSO10gwTyjXMAxOqZU6MmUXVn20HiYHqn3OgbIPtrLhWQtkk1cGLy7sB117DRJzZXAqV9Gv3k9b6xdXfrfw==
    next
end
```
- In EMS, go to Endpoint Profiles > Remote Access.
- Create a new profile or edit an existing one.
- Click Add Tunnel.
- Under Type, select IPsec VPN.
- In the Remote Gateway field, enter the edge FortiGate IP address.
- From the Authentication Method dropdown list, select Pre Shared Key.
- In the Pre-Shared Key field, enter the key that you configured on the FortiGate IPsec VPN tunnel.
- In VPN Settings, under IKE, select Version 2. Click Save.
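The FortiGate side of this procedure is only correct if the phase1-interface entry actually carries `set ike-version 2` and a proposal list without legacy algorithms, which is easy to lose when a tunnel is later edited by hand. The following Python script is an added example, not FortiClient, FortiOS or EMS code: it parses a `config vpn ipsec phase1-interface` block in the CLI format shown above and reports entries that are not IKEv2, that offer DES/3DES/MD5/SHA1 in the proposal, or that do not enable EAP. The two configuration blocks inside it are constructed samples (the page's `p2` entry with the `psksecret` value replaced by a placeholder, plus a deliberately weak IKEv1 entry for contrast); the set of "legacy" algorithm names is this example's own choice, not a FortiOS list.

```python
import shlex

# Constructed sample: the page's phase1-interface entry (IKEv2, modern proposals),
# with the real psksecret value replaced by a placeholder.
GOOD_CONFIG = """
config vpn ipsec phase1-interface
    edit "p2"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set comments "VPN: p2 (Created by VPN wizard)"
        set eap enable
        set eap-identity send-request
        set authusrgrp "IPsec VPN"
        set psksecret ENC PSK_PLACEHOLDER
    next
end
"""

# Constructed counter-example: IKEv1, legacy algorithms, no EAP.
WEAK_CONFIG = """
config vpn ipsec phase1-interface
    edit "legacy"
        set type dynamic
        set interface "port1"
        set ike-version 1
        set proposal aes128-sha1 3des-md5
        set psksecret ENC PSK_PLACEHOLDER
    next
end
"""

# Algorithm tokens this example treats as legacy (example's own choice).
LEGACY_ALGS = {"des", "3des", "md5", "sha1", "null"}


def parse_phase1(text):
    """Parse 'edit <name> ... next' entries into {name: {setting: [values]}}."""
    tunnels, current = {}, None
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())  # shlex keeps quoted values together
        if not tokens:
            continue
        if tokens[0] == "edit" and len(tokens) == 2:
            current = tokens[1]
            tunnels[current] = {}
        elif tokens[0] == "next":
            current = None
        elif tokens[0] == "set" and current is not None:
            tunnels[current][tokens[1]] = tokens[2:]
    return tunnels


def weak_algorithms(proposal):
    """Return legacy tokens in one proposal such as 'aes128-sha1' or 'aes128gcm-prfsha256'."""
    found = []
    for part in proposal.split("-"):
        alg = part[3:] if part.startswith("prf") else part  # prfsha256 -> sha256
        if alg in LEGACY_ALGS:
            found.append(part)
    return found


def check_tunnel(settings):
    """Return a list of findings for one phase1-interface entry (empty list = OK)."""
    findings = []
    if settings.get("ike-version") != ["2"]:
        findings.append("ike-version is not 2")
    proposals = settings.get("proposal", [])
    if not proposals:
        findings.append("no proposal configured")
    for p in proposals:
        weak = weak_algorithms(p)
        if weak:
            findings.append(f"proposal {p} uses legacy algorithm(s): {', '.join(weak)}")
    if settings.get("eap") != ["enable"]:
        findings.append("eap not enabled: peers authenticate with the shared PSK only")
    return findings


def audit(text):
    """Run check_tunnel over every entry in a phase1-interface block."""
    return {name: check_tunnel(s) for name, s in parse_phase1(text).items()}


if __name__ == "__main__":
    for cfg in (GOOD_CONFIG, WEAK_CONFIG):
        for name, findings in audit(cfg).items():
            print(name, "OK" if not findings else findings)
```

Feed it the output of `show vpn ipsec phase1-interface` from the FortiGate to check every dynamic tunnel at once; the `p2` entry from the page passes, while the constructed `legacy` entry is reported for IKEv1, both proposals and the missing EAP setting.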