IPsec VPN
IPsec VPN configurations have one <options>
section and one or more <connection>
sections.
<forticlient_configuration>
<vpn>
<ipsecvpn>
<options>
<show_auth_cert_only>1</show_auth_cert_only>
<disconnect_on_log_off>1</disconnect_on_log_off>
<enabled>1</enabled>
<beep_if_error>0</beep_if_error>
<beep_continuously>0</beep_continuously>
<beep_seconds>0</beep_seconds>
<usewincert>1</usewincert>
<use_win_current_user_cert>1</use_win_current_user_cert>
<use_win_local_computer_cert>1</use_win_local_computer_cert>
<block_ipv6>1</block_ipv6>
<uselocalcert>0</uselocalcert>
<usesmcardcert>1</usesmcardcert>
<enable_udp_checksum>0</enable_udp_checksum>
<mtu_size>1300</mtu_size>
<disable_default_route>0</disable_default_route>
<check_for_cert_private_key>1</check_for_cert_private_key>
<enhanced_key_usage_mandatory>1</enhanced_key_usage_mandatory
<no_dns_registration>0</no_dns_registration>
</options>
<connections>
<connection>
<name>ipsecdemo</name>
<single_user_mode>0</single_user_mode>
<type>manual</type>
<disclaimer_msg></disclaimer_msg>
<redundant_sort_method>0</redundant_sort_method>
<failover_sslvpn_connection>SSLVPN_Name</failover_sslvpn_connection>
<machine>0</machine>
<keep_running>0</keep_running>
<ui>
<show_passcode>0</show_passcode>
<show_remember_password>1</show_remember_password>
<show_alwaysup>1</show_alwaysup>
<show_autoconnect>1</show_autoconnect>
<save_username>0</save_username>
</ui>
<ike_settings>
<version>1</version>
<prompt_certificate>0</prompt_certificate>
<implied_SPDO>0</implied_SPDO>
<implied_SPDO_timeout>0</implied_SPDO_timeout>
<server>ipsecdemo.fortinet.com</server>
<authentication_method>Preshared Key</authentication_method>
<auth_data>
<preshared_key>Encdab907ed117eafaadd92f82b3e768b5414e4402dbd4df4585d4202c65940f1b2e9</preshared_key>
</auth_key>
<mode>aggressive</mode>
<dhgroup>5;</dhgroup>
<key_life>28800</key_life>
<localid></localid>
<nat_traversal>1</nat_traversal>
<mode_config>1</mode_config>
<enable_local_lan>0</enable_local_lan>
<block_outside_dns>0</block_outside_dns>
<nat_alive_freq>5</nat_alive_freq>
<dpd>1</dpd>
<dpd_retry_count>3</dpd_retry_count>
<dpd_retry_interval>5</dpd_retry_interval>
<fgt>1</fgt>
<enable_ike_fragmentation>0</enable_ike_fragmentation>
<run_fcauth_system>0</run_fcauth_system>
<failover_sslvpn_connection>SSLVPN HQ</failover_sslvpn_connection>
<xauth_timeout>120</xauth_timeout>
<xauth>
<enabled>1</enabled>
<prompt_username>1</prompt_username>
<username>Encrypted/NonEncrypted_UsernameString</username>
<password />
<attempts_allowed>1</attempts_allowed>
<use_otp>0</use_otp>
</xauth>
<proposals>
<proposal>3DES|MD5</proposal>
<proposal>3DES|SHA1</proposal>
<proposal>AES128|MD5</proposal>
<proposal>AES128|SHA1</proposal>
<proposal>AES256|SHA256</proposal>
</proposals>
</ike_settings>
<ipsec_settings>
<remote_networks>
<network>
<addr>0.0.0.0</addr>
<mask>0.0.0.0</mask>
</network>
</remote_networks>
<ipv4_split_exclude_networks>
<subnetwork>10.10.10.0/255.255.255.0</subnetwork>
<subnetwork>13.106.56.0/25</subnetwork>
<subnetwork>teams.microsoft.com</subnetwork>
</ipv4_split_exclude_networks>
<dhgroup>5</dhgroup>
<key_life_type>seconds</key_life_type>
<key_life_seconds>1800</key_life_seconds>
<key_life_Kbytes>5120</key_life_Kbytes>
<replay_detection>1</replay_detection>
<pfs>1</pfs>
<use_vip>1</use_vip>
<virtualip>
<dnsserver_secondary></dnsserver_secondary>
<type>modeconfig</type>
<ip>0.0.0.0</ip>
<mask>0.0.0.0</mask>
<dnsserver>0.0.0.0</dnsserver>
<winserver>0.0.0.0</winserver>
</virtualip>
<proposals>
<proposal>3DES|MD5</proposal>
<proposal>3DES|SHA1</proposal>
<proposal>AES128|MD5</proposal>
<proposal>AES128|SHA1</proposal>
<proposal>AES256|SHA256</proposal>
</proposals>
</ipsec_settings>
<on_connect>
<script>
<os>windows</os>
<script>
<![CDATA[]]>
</script>
</script>
</on_connect>
<on_disconnect>
<script>
<os>windows</os>
<script>
<script>
<![CDATA[]]>
</script>
</script>
</script>
</on_disconnect>
<traffic_control>
<enabled>1</enabled>
<mode>2</mode>
<apps>
<app>%LOCALAPPDATA%\Microsoft\Teams\Current\Teams.exe</app>
<app>%appdata%\Zoom\bin\Zoom.exe</app>
<app>C:\Program Files (x86)\Microsoft\Skype for Desktop\skype.exe</app>
<app>%LOCALAPPDATA%\GoToMeeting\18068\g2mcomm.exe</app>
<app>%LOCALAPPDATA%\GoToMeeting\18068\g2mlauncher.exe</app>
<app>%LOCALAPPDATA%\GoToMeeting\18068\g2mstart.exe</app>
</apps>
<fqdns>
<fqdn>webex.com</fqdn>
<fqdn>gotomeeting.com</fqdn>
<fqdn>youtube.com</fqdn>
</fqdns>
</traffic_control>
<tags>
<allowed>NoVuln</allowed>
<prohibited>CriticalVuln</prohibited>
</tags>
</connection>
</connections>
</ipsecvpn>
</vpn>
</forticlient_configuration>
The following table provides the XML tags for IPsec VPN, as well as the descriptions and default values where applicable.
XML tag |
Description |
Default value |
---|---|---|
|
||
<show_auth_cert_only> |
Supress dialog boxes from displaying in FortiClient when using SmartCard certificates. Boolean value: |
0 |
<disconnect_on_log_off> |
Drop the established VPN connection when the user logs off. Boolean value: |
1 |
<enabled> |
Enable IPsec VPN. Boolean value: |
1 |
<beep_if_error> |
Beep if VPN connection attempt fails. Boolean value: |
0 |
<beep_continuously> |
Enable the continuous beep. Boolean value: |
1 |
<beep_seconds> |
Enter a value for the number of seconds after which to beep if an error occurs. |
60 |
<usewincert> |
Use Windows certificates for connections. Boolean value: |
|
<use_win_current_user_cert> |
Use Windows current user certificates for connections. Boolean value: |
1 |
<use_win_local_computer_cert> |
Use Windows local computer certificates for connections. Boolean value: |
1 |
<block_ipv6> |
Drop IPv6 traffic when an IPsec VPN connection is established. Boolean value: |
0 |
<uselocalcert> |
Use local certificates for connections. Boolean value: |
|
<usesmcardcert> |
Use certificates on smart cards. Boolean value: |
|
<enable_udp_checksums> |
Enable UDP checksums. This setting stops FortiClient from calculating and inserting checksums into the UDP packets that it creates. Boolean value: |
0 |
<mtu_size> |
Maximum Transmit Unit (MTU) size for packets on the VPN tunnel. Set from a minimum of |
|
<disable_default_route> |
Disable the default route to the gateway when the tunnel is up and restore after the tunnel is down. Boolean value: |
0 |
<check_for_cert_private_key> |
Enable checks for the Windows certificate private key. When set to Boolean value: |
0 |
<enhanced_key_usage_mandatory> |
Enable certificates with enhanced key usage. Used with Boolean value: |
|
<no_dns_registration> |
When this setting is When this setting is When this setting is |
0 |
The <connections>
XML tag may contain one or more <connection>
element. Each <connection>
has the following:
- name and type: the name and type of connection
- Internet Key Exchange (IKE) settings: information used to establish an IPsec VPN connection
- IPsec settings:
- on_connect: a script to run right after a successful connection
- on_disconnect: a script to run just after a disconnection
The following table provides VPN connection XML tags, the description, and the default value (where applicable).
XML tag |
Description |
Default Value |
---|---|---|
<name> |
VPN connection name. |
|
<single_user_mode> |
Enable single user mode. If enabled, new and existing VPN connections cannot be established or are disconnected if more than one user is logged in. Boolean value: |
0 |
<type> |
IPsec VPN connection type. Enter one of the following: |
|
<disclaimer_msg> |
Enable and enter a disclaimer message that appears when the user attempts VPN connection. The user must accept the message to allow connection. |
|
<redundant_sort_method> |
How FortiClient determines the order in which to try connection to the IPsec VPN servers when more than one is defined. FortiClient calculates the order before each IPsec VPN connection attempt.
|
0 |
<failover_sslvpn_connection> |
If the IPsec VPN connection fails, FortiClient attempts to connect to the specified SSL VPN tunnel. |
|
<machine> |
When this setting is 1, FortiClient can connect to the tunnel without user interaction. See Boolean value: |
|
<keep_running> |
Ensures that the VPN tunnel remains connected if it is already connected. This is useful when there is a temporary network disconnection that causes the tunnel to drop the connection. |
0 |
The elements of the |
||
<show_passcode> |
Display Passcode instead of Password on the Remote Access tab in the console. Boolean value: |
|
<show_remember_password> |
Display the Save Password checkbox in the console. Boolean value: |
|
<show_alwaysup> |
Display the Always Up checkbox in the console. Boolean value: |
|
<show_autoconnect> |
Display the Auto Connect checkbox in the console. Boolean value: |
|
<save_username> |
Save and display the last username used for VPN connection. Boolean value: |
|
|
|
|
<enabled> |
To enable the feature, enter Boolean value: |
|
<mode> |
Enter |
|
<app> |
Specify which application traffic to exclude from the VPN tunnel and redirect to the endpoint physical interface. You can specify an application using its process name, full path, or the directory where it is installed. You can enter file and directory paths using environment variables, such as %LOCALAPPDATA%,%programfiles%, and %appdata%. Do not use spaces in the tail or head, or add double quotes to full paths with spaces. To find a running application's full path, on the Details tab in Task Manager, add the Image path name column. Once the VPN tunnel is up, FortiClient binds the specified applications to the physical interface. In the example, for the GoToMeeting path, 18068 refers to the current installed version of the GoToMeeting application. |
|
<fqdn> |
Specify which FQDN traffic to exclude from the VPN tunnel and redirect to the endpoint physical interface. The FQDN resolved IP address is dynamically added to the route table when in use, and is removed after disconnection. In the example, youtube.com equals youtube.com and *.youtube.com. After defining an FQDN, such as youtube.com in the example, if you use any popular browser such as Chrome, Edge, or Firefox to access youtube.com, this traffic does not go through the VPN tunnel. |
|
|
|
|
<allowed> |
Enter the desired Zero Trust tags. If EMS has tagged this endpoint with any of the entered tags, FortiClient allows the endpoint to connect to the VPN tunnel. |
|
<prohibited> |
Enter the desired Zero Trust tags. If EMS has tagged this endpoint with any of the entered tags, FortiClient denies the endpoint from connecting to the VPN tunnel. |
|
The VPN connection name is mandatory. If a connection of this type and this name exists, FortiClient overwrites its values with the new ones. |