IPsec VPN

IPsec VPN configurations have one <options> section and one or more <connection> sections:

<forticlient_configuration>
  <vpn>
    <ipsecvpn>
      <options>
        <show_auth_cert_only>1</show_auth_cert_only>
        <disconnect_on_log_off>1</disconnect_on_log_off>
        <enabled>1</enabled>
        <beep_if_error>0</beep_if_error>
        <beep_continuously>0</beep_continuously>
        <beep_seconds>0</beep_seconds>
        <usewincert>1</usewincert>
        <use_win_current_user_cert>1</use_win_current_user_cert>
        <use_win_local_computer_cert>1</use_win_local_computer_cert>
        <block_ipv6>1</block_ipv6>
        <uselocalcert>0</uselocalcert>
        <usesmcardcert>1</usesmcardcert>
        <enable_udp_checksum>0</enable_udp_checksum>
        <mtu_size>1300</mtu_size>
        <disable_default_route>0</disable_default_route>
        <check_for_cert_private_key>1</check_for_cert_private_key>
        <enhanced_key_usage_mandatory>1</enhanced_key_usage_mandatory>
        <no_dns_registration>0</no_dns_registration>
        <prefer_ipsecvpn_dns>1</prefer_ipsecvpn_dns>
      </options>
      <connections>
        <connection>
          <name>ipsecdemo</name>
          <single_user_mode>0</single_user_mode>
          <type>manual</type>
          <disclaimer_msg></disclaimer_msg>
          <redundant_sort_method>0</redundant_sort_method>
          <failover_sslvpn_connection>SSLVPN_Name</failover_sslvpn_connection>
          <machine>0</machine>
          <keep_running>0</keep_running>
          <ui>
            <show_passcode>0</show_passcode>
            <show_remember_password>1</show_remember_password>
            <show_alwaysup>1</show_alwaysup>
            <show_autoconnect>1</show_autoconnect>
            <save_username>0</save_username>
            <save_password>0</save_password>
          </ui>
          <ike_settings>
            <version>1</version>
            <prompt_certificate>0</prompt_certificate>
            <implied_SPDO>0</implied_SPDO>
            <implied_SPDO_timeout>0</implied_SPDO_timeout>
            <server>ipsecdemo.fortinet.com</server>
            <authentication_method>Preshared Key</authentication_method>
            <auth_data>
              <preshared_key>Encdab907ed117eafaadd92f82b3e768b5414e4402dbd4df4585d4202c65940f1b2e9</preshared_key>
            </auth_data>
            <mode>aggressive</mode>
            <dhgroup>5;</dhgroup>
            <key_life>28800</key_life>
            <localid></localid>
            <nat_traversal>1</nat_traversal>
            <sase_mode>1</sase_mode>
            <mode_config>1</mode_config>
            <enable_local_lan>0</enable_local_lan>
            <block_outside_dns>0</block_outside_dns>
            <nat_alive_freq>5</nat_alive_freq>
            <dpd>1</dpd>
            <dpd_retry_count>3</dpd_retry_count>
            <dpd_retry_interval>5</dpd_retry_interval>
            <fgt>1</fgt>
            <enable_ike_fragmentation>0</enable_ike_fragmentation>
            <run_fcauth_system>0</run_fcauth_system>
            <sso_enabled>1</sso_enabled>
            <ike_saml_port>10428</ike_saml_port>
            <failover_sslvpn_connection>SSLVPN HQ</failover_sslvpn_connection>
            <xauth_timeout>120</xauth_timeout>
            <xauth>
              <enabled>1</enabled>
              <prompt_username>1</prompt_username>
              <username>Encrypted/NonEncrypted_UsernameString</username>
              <password />
              <attempts_allowed>1</attempts_allowed>
              <use_otp>0</use_otp>
            </xauth>
            <proposals>
              <proposal>3DES|MD5</proposal>
              <proposal>3DES|SHA1</proposal>
              <proposal>AES128|MD5</proposal>
              <proposal>AES128|SHA1</proposal>
              <proposal>AES256|SHA256</proposal>
            </proposals>
          </ike_settings>
          <ipsec_settings>
            <remote_networks>
              <network>
                <addr>0.0.0.0</addr>
                <mask>0.0.0.0</mask>
              </network>
            </remote_networks>
            <ipv4_split_exclude_networks>
              <subnetwork>10.10.10.0/255.255.255.0</subnetwork>
              <subnetwork>13.106.56.0/25</subnetwork>
              <subnetwork>teams.microsoft.com</subnetwork>
            </ipv4_split_exclude_networks>
            <dhgroup>5</dhgroup>
            <key_life_type>seconds</key_life_type>
            <key_life_seconds>1800</key_life_seconds>
            <key_life_Kbytes>5120</key_life_Kbytes>
            <replay_detection>1</replay_detection>
            <pfs>1</pfs>
            <use_vip>1</use_vip>
            <virtualip>
              <dnsserver_secondary></dnsserver_secondary>
              <!-- server IP address -->
              <type>modeconfig</type>
              <ip>0.0.0.0</ip>
              <mask>0.0.0.0</mask>
              <dnsserver>0.0.0.0</dnsserver>
              <winserver>0.0.0.0</winserver>
            </virtualip>
            <proposals>
              <proposal>3DES|MD5</proposal>
              <proposal>3DES|SHA1</proposal>
              <proposal>AES128|MD5</proposal>
              <proposal>AES128|SHA1</proposal>
              <proposal>AES256|SHA256</proposal>
            </proposals>
          </ipsec_settings>
          <on_connect>
            <script>
              <os>windows</os>
              <script>
                <![CDATA[]]>
              </script>
            </script>
          </on_connect>
          <on_disconnect>
            <script>
              <os>windows</os>
              <script>
                <![CDATA[]]>
              </script>
            </script>
          </on_disconnect>
          <traffic_control>
            <enabled>1</enabled>
            <mode>2</mode>
            <apps>
              <app>%LOCALAPPDATA%\Microsoft\Teams\Current\Teams.exe</app>
              <app>%appdata%\Zoom\bin\Zoom.exe</app>
              <app>C:\Program Files (x86)\Microsoft\Skype for Desktop\skype.exe</app>
              <app>%LOCALAPPDATA%\GoToMeeting\18068\g2mcomm.exe</app>
              <app>%LOCALAPPDATA%\GoToMeeting\18068\g2mlauncher.exe</app>
              <app>%LOCALAPPDATA%\GoToMeeting\18068\g2mstart.exe</app>
            </apps>
            <fqdns>
              <fqdn>webex.com</fqdn>
              <fqdn>gotomeeting.com</fqdn>
              <fqdn>youtube.com</fqdn>
            </fqdns>
          </traffic_control>
          <tags>
            <allowed>NoVuln</allowed>
            <prohibited>CriticalVuln</prohibited>
          </tags>
          <azure_auto_login>
            <enabled>1</enabled>
            <azure_app>
              <client_id>...</client_id>
              <tenant_name>...</tenant_name>
            </azure_app>
          </azure_auto_login>
          <vpn_before_logon>
            <username_format>username</username_format>
          </vpn_before_logon>
        </connection>
      </connections>
    </ipsecvpn>
  </vpn>
</forticlient_configuration>
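The sample above carries several choices a reviewer would grade before pushing the profile to endpoints: IKE version and mode, DH groups, the proposal lists, whether the password may be saved, and how the traffic-control paths are written. The following script is an added example, not FortiClient or Fortinet code, and the page defines no such tool. It parses a trimmed, constructed copy of the sample with xml.etree and reports the settings a security reviewer would flag (IKEv1, aggressive mode with a pre-shared key, DH group 5, 3DES/MD5/SHA1 proposals, save_password, and <app> entries that break the no-quotes rule), and it classifies the three <subnetwork> forms shown in <ipv4_split_exclude_networks> (dotted mask, CIDR, FQDN). Which settings count as weak, and the wording of each finding, are this example's own choices.

```python
"""Audit a FortiClient IPsec VPN XML profile for weak or risky settings.
Added example, not FortiClient code; tag names follow the sample profile on this
page, while the choice of what counts as weak is this example's own."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the page's profile (the original's
# mismatched auth_data/auth_key and vpn_before_logon tags are left out).
SAMPLE_PROFILE = """<forticlient_configuration><vpn><ipsecvpn><connections><connection>
<name>ipsecdemo</name>
<ui><save_password>0</save_password></ui>
<ike_settings>
<version>1</version><server>ipsecdemo.fortinet.com</server>
<authentication_method>Preshared Key</authentication_method>
<mode>aggressive</mode><dhgroup>5;</dhgroup>
<proposals><proposal>3DES|MD5</proposal><proposal>AES128|SHA1</proposal>
<proposal>AES256|SHA256</proposal></proposals>
</ike_settings>
<ipsec_settings>
<ipv4_split_exclude_networks>
<subnetwork>10.10.10.0/255.255.255.0</subnetwork>
<subnetwork>13.106.56.0/25</subnetwork>
<subnetwork>teams.microsoft.com</subnetwork>
</ipv4_split_exclude_networks>
<dhgroup>5</dhgroup><pfs>1</pfs>
<proposals><proposal>3DES|MD5</proposal><proposal>AES256|SHA256</proposal></proposals>
</ipsec_settings>
<traffic_control><enabled>1</enabled><mode>2</mode><apps>
<app>%LOCALAPPDATA%\\Microsoft\\Teams\\Current\\Teams.exe</app>
<app>"C:\\Program Files (x86)\\Microsoft\\Skype for Desktop\\skype.exe"</app>
</apps></traffic_control>
</connection></connections></ipsecvpn></vpn></forticlient_configuration>"""

WEAK_CIPHERS = {"DES", "3DES"}
WEAK_HASHES = {"MD5", "SHA1"}
WEAK_DH_GROUPS = {"1", "2", "5"}  # 768-, 1024- and 1536-bit MODP

def _text(node, path, default=""):
    child = node.find(path)  # first child matching path, else default
    return child.text.strip() if child is not None and child.text else default

def _weak_proposals(node):
    """Proposals (ENC|HASH form) whose cipher or hash is on a weak list."""
    if node is None:
        return []
    return [p.text for p in node.findall("proposal")
            if set((p.text or "").split("|")) & (WEAK_CIPHERS | WEAK_HASHES)]

def classify_exclude(entry):
    """'cidr', 'mask' or 'fqdn' for a <subnetwork>; ValueError if malformed."""
    _, sep, suffix = entry.partition("/")
    if not sep:
        return "fqdn"
    ipaddress.ip_network(entry, strict=False)
    return "cidr" if suffix.isdigit() else "mask"

def audit_profile(xml_text):
    """Return (connection name, finding) tuples for every <connection>."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("connection"):
        name = _text(conn, "name", "<unnamed>")
        note = findings.append
        ike = conn.find("ike_settings")
        if ike is not None:
            if _text(ike, "version") == "1":
                note((name, "IKEv1 in use; prefer IKEv2"))
            if (_text(ike, "mode") == "aggressive"
                    and _text(ike, "authentication_method").lower().startswith("preshared")):
                note((name, "aggressive mode with PSK: ID hash sent in clear, crackable offline"))
            for grp in _text(ike, "dhgroup").split(";"):
                if grp in WEAK_DH_GROUPS:
                    note((name, f"weak IKE DH group {grp}"))
            for p in _weak_proposals(ike.find("proposals")):
                note((name, f"weak IKE proposal {p}"))
        ipsec = conn.find("ipsec_settings")
        if ipsec is not None:
            if _text(ipsec, "pfs") != "1":
                note((name, "PFS disabled"))
            elif _text(ipsec, "dhgroup") in WEAK_DH_GROUPS:
                note((name, f"weak PFS DH group {_text(ipsec, 'dhgroup')}"))
            for p in _weak_proposals(ipsec.find("proposals")):
                note((name, f"weak IPsec proposal {p}"))
            for sub in ipsec.findall("ipv4_split_exclude_networks/subnetwork"):
                try:
                    classify_exclude((sub.text or "").strip())
                except ValueError:
                    note((name, f"unparseable split-exclude entry {sub.text!r}"))
        if _text(conn, "ui/save_password") == "1":
            note((name, "save_password enabled: VPN password stored on the endpoint"))
        tc = conn.find("traffic_control")
        if tc is not None and _text(tc, "enabled") == "1":
            if _text(tc, "mode") != "2":
                note((name, "traffic_control enabled but mode is not 2; exclusions inactive"))
            for app in tc.findall("apps/app"):
                raw = app.text or ""
                if raw != raw.strip() or '"' in raw:
                    note((name, f"app path has surrounding spaces or quotes: {raw!r}"))
    return findings

if __name__ == "__main__":
    for conn_name, finding in audit_profile(SAMPLE_PROFILE):
        print(f"[{conn_name}] {finding}")
```

Run against the constructed sample, the audit returns eight findings for ipsecdemo; changing <version> to 2 or dropping the 3DES and SHA1 proposals removes the corresponding lines, which is a quick way to confirm a hardened profile before it is exported to EMS. The proposal order matters on the FortiGate side, so removing a weak proposal here does not by itself change what the gateway will accept.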

The following table provides the XML tags for IPsec VPN <options>, their descriptions and permitted values, and default values where applicable:

<ipsecvpn> <options> elements

<show_auth_cert_only>
Suppress dialogs from displaying in FortiClient when using SmartCard certificates.
Boolean value: [0 | 1]
Default value: 0

<disconnect_on_log_off>
Drop the established VPN connection when the user logs off.
Boolean value: [0 | 1]
Default value: 1

<enabled>
Enable IPsec VPN.
Boolean value: [0 | 1]
Default value: 1

<beep_if_error>
Beep if a VPN connection attempt fails.
Boolean value: [0 | 1]
Default value: 0

<beep_continuously>
Enable the continuous beep.
Boolean value: [0 | 1]
Default value: 1

<beep_seconds>
Number of seconds after which to beep if an error occurs.
Default value: 60

<usewincert>
Use Windows certificates for connections.
Boolean value: [0 | 1]

<use_win_current_user_cert>
Use Windows current user certificates for connections.
Boolean value: [0 | 1]
Default value: 1

<use_win_local_computer_cert>
Use Windows local computer certificates for connections.
Boolean value: [0 | 1]
Default value: 1

<block_ipv6>
Drop IPv6 traffic when an IPsec VPN connection is established. On a tunnel that carries only IPv4, leaving this at 0 lets IPv6 traffic bypass the tunnel over the physical interface.
Boolean value: [0 | 1]
Default value: 0

<uselocalcert>
Use local certificates for connections.
Boolean value: [0 | 1]

<usesmcardcert>
Use certificates on smart cards.
Boolean value: [0 | 1]

<enable_udp_checksum>
Enable UDP checksums. When set to 0, FortiClient does not calculate and insert checksums into the UDP packets that it creates.
Boolean value: [0 | 1]
Default value: 0

<mtu_size>
Maximum Transmission Unit (MTU) size, in bytes, for packets on the VPN tunnel. Set from a minimum of 576 to a maximum of 1500.
Default value: 1300

<disable_default_route>
Disable the default route to the gateway when the tunnel is up and restore it after the tunnel is down.
Boolean value: [0 | 1]
Default value: 0

<check_for_cert_private_key>
Enable checks for the Windows certificate private key. When set to 1, FortiClient checks that the Windows certificate has an accessible private key.
Boolean value: [0 | 1]
Default value: 0

<enhanced_key_usage_mandatory>
Used with <check_for_cert_private_key>. When both <check_for_cert_private_key> and <enhanced_key_usage_mandatory> are set to 1, only certificates with an enhanced key usage are listed.
Boolean value: [0 | 1]

<no_dns_registration>
0: FortiClient registers the IPsec VPN adapter's address in the Active Directory (AD) DNS server.
1: FortiClient does not register the IPsec VPN adapter's address in the AD DNS server.
2: FortiClient registers only its own tunnel interface IP address in the AD DNS server.
Default value: 0

<prefer_ipsecvpn_dns>
0: FortiClient only modifies DNS settings for adapters used for IPsec VPN connections.
1: FortiClient modifies DNS settings for all active adapters.
Boolean value: [0 | 1]
Default value: 1

The <connections> XML tag may contain one or more <connection> elements. Each <connection> has the following:

  • <name> and <type>: connection name and type
  • Internet Key Exchange (IKE) settings (<ike_settings>): information used to establish the IKE security association for the IPsec VPN connection (server, authentication method, mode, DH group, proposals)
  • IPsec settings (<ipsec_settings>): remote networks, split-exclude networks, key lifetimes and proposals for the IPsec security association
  • <on_connect>: a script to run right after a successful connection
  • <on_disconnect>: a script to run just after a disconnection

The following table provides IPsec VPN connection XML tags, their descriptions and permitted values, and default values where applicable:

<name>
VPN connection name. The name is mandatory. If a connection of this type and this name already exists, FortiClient overwrites its values with the new ones.

<single_user_mode>
Enable single user mode. When enabled and multiple users are logged in, FortiClient does not establish new VPN connections and disconnects existing ones.
Boolean value: [0 | 1]
Default value: 0

<type>
IPsec VPN connection type. Enter one of the following: [manual | auto]

<disclaimer_msg>
Enter a disclaimer message that appears when the user attempts a VPN connection. The user must accept the message before the connection is allowed. Leave the element empty to show no disclaimer.

<redundant_sort_method>
How FortiClient determines the order in which to try the IPsec VPN servers when multiple are defined. FortiClient calculates the order before each IPsec VPN connection attempt:

  • 0: FortiClient tries the servers in the order explicitly defined in the <server> tag.
  • 1: FortiClient orders the servers by ping response time.
  • 2: FortiClient orders the servers by TCP round trip time.

Default value: 0

<failover_sslvpn_connection>
If the IPsec VPN connection fails, FortiClient attempts to connect to the specified SSL VPN tunnel.

<machine>
When set to 1, FortiClient can connect to the tunnel without user interaction. See <on_os_start_connect> in VPN options.
Boolean value: [0 | 1]

<keep_running>
Keeps the VPN tunnel connected once it is established, re-establishing it after a temporary network disconnection that would otherwise drop the tunnel.
An EMS-pushed tunnel with <keep_running> enabled displays with Save Password and Always Up enabled and grayed out in the FortiClient GUI.
Boolean value: [0 | 1]
Default value: 0

<ui> elements

The elements of the <ui></ui> XML tags are set by the FortiGate following an IPsec VPN connection.

<show_passcode>
Display Passcode instead of Password on the Remote Access tab in the console.
Boolean value: [0 | 1]

<show_remember_password>
Display the Save Password checkbox in the console.
Boolean value: [0 | 1]

<show_alwaysup>
Display the Always Up checkbox in the console.
Boolean value: [0 | 1]

<show_autoconnect>
Display the Auto Connect checkbox in the console.
Boolean value: [0 | 1]

<save_username>
Save and display the last username used for the VPN connection.
Boolean value: [0 | 1]

<save_password>
When enabled, Save Password is enabled for the VPN tunnel in the FortiClient GUI, so the user's VPN password is stored on the endpoint.
An EMS-pushed tunnel with <save_password> enabled displays with Save Password enabled and grayed out in the FortiClient GUI.
Boolean value: [0 | 1]
Default value: 0

<traffic_control> elements

<enabled>
To enable the feature, enter 1. To disable the feature, enter 0.
Boolean value: [0 | 1]

<mode>
Enter 2 so that network traffic for all defined applications and FQDNs does not go through the VPN tunnel. You must configure this value as 2 for the feature to function.

<app>
Specify which application traffic to exclude from the VPN tunnel and redirect to the endpoint physical interface. You can specify an application using its process name, full path, or the directory where it is installed. You can enter file and directory paths using environment variables, such as %LOCALAPPDATA%, %programfiles%, and %appdata%. Do not add leading or trailing spaces, and do not wrap full paths that contain spaces in double quotes.
To find a running application's full path, on the Details tab in Task Manager, add the Image path name column.
Once the VPN tunnel is up, FortiClient binds the specified applications to the physical interface.
In the example, for the GoToMeeting path, 18068 refers to the currently installed version of the GoToMeeting application.

<fqdn>
Specify which FQDN traffic to exclude from the VPN tunnel and redirect to the endpoint physical interface. The FQDN's resolved IP address is dynamically added to the route table when in use, and is removed after disconnection.
In the example, youtube.com matches both youtube.com and *.youtube.com.
After defining an FQDN, such as youtube.com in the example, traffic from any popular browser such as Chrome, Edge, or Firefox to youtube.com does not go through the VPN tunnel.

<tags> elements

<allowed>
Enter the desired Zero Trust tags. If EMS has tagged this endpoint with any of the entered tags, FortiClient allows the endpoint to connect to the VPN tunnel.

<prohibited>
Enter the desired Zero Trust tags. If EMS has tagged this endpoint with any of the entered tags, FortiClient denies the endpoint from connecting to the VPN tunnel.

<azure_auto_login> elements

<enabled>
Enable FortiClient to autoconnect to this IPsec VPN tunnel on a Microsoft Entra ID (formerly Azure Active Directory) domain-joined endpoint using the Entra ID credentials. See Autoconnect to IPsec VPN using Entra ID logon session information.
Boolean value: [0 | 1]

<azure_app><client_id>
Enter the Entra ID enterprise application client ID. You can find this information in the Entra ID portal.

<azure_app><tenant_name>
Enter the Azure tenant ID. You can find this information in the Entra ID portal.

<vpn_before_logon><username_format>
Configure the required username format for the VPN before logon connection to authenticate successfully. This configuration takes effect if the user selects their username from the left panel when logging into Windows instead of typing in their name. Configure one of the following:

  • username
  • upn or user principal name. Configure this if the username must be in the format username@domain, such as rpark@fortinet.com.
  • dlln or down-level logon name. Configure this if the username must be in the format domain\username, such as fortinet.com\rpark.

Default value: username
