IPsec VPN
IPsec VPN configurations have one <options> section and one or more <connection> sections:
```xml
<forticlient_configuration>
  <vpn>
    <ipsecvpn>
      <options>
        <show_auth_cert_only>1</show_auth_cert_only>
        <disconnect_on_log_off>1</disconnect_on_log_off>
        <enabled>1</enabled>
        <beep_if_error>0</beep_if_error>
        <beep_continuously>0</beep_continuously>
        <beep_seconds>0</beep_seconds>
        <usewincert>1</usewincert>
        <use_win_current_user_cert>1</use_win_current_user_cert>
        <use_win_local_computer_cert>1</use_win_local_computer_cert>
        <block_ipv6>1</block_ipv6>
        <uselocalcert>0</uselocalcert>
        <usesmcardcert>1</usesmcardcert>
        <enable_udp_checksum>0</enable_udp_checksum>
        <mtu_size>1300</mtu_size>
        <disable_default_route>0</disable_default_route>
        <check_for_cert_private_key>1</check_for_cert_private_key>
        <enhanced_key_usage_mandatory>1</enhanced_key_usage_mandatory>
        <no_dns_registration>0</no_dns_registration>
        <prefer_ipsecvpn_dns>1</prefer_ipsecvpn_dns>
      </options>
      <connections>
        <connection>
          <name>ipsecdemo</name>
          <single_user_mode>0</single_user_mode>
          <type>manual</type>
          <disclaimer_msg></disclaimer_msg>
          <redundant_sort_method>0</redundant_sort_method>
          <failover_sslvpn_connection>SSLVPN_Name</failover_sslvpn_connection>
          <machine>0</machine>
          <keep_running>0</keep_running>
          <ui>
            <show_passcode>0</show_passcode>
            <show_remember_password>1</show_remember_password>
            <show_alwaysup>1</show_alwaysup>
            <show_autoconnect>1</show_autoconnect>
            <save_username>0</save_username>
            <save_password>0</save_password>
          </ui>
          <ike_settings>
            <version>1</version>
            <prompt_certificate>0</prompt_certificate>
            <implied_SPDO>0</implied_SPDO>
            <implied_SPDO_timeout>0</implied_SPDO_timeout>
            <server>ipsecdemo.fortinet.com</server>
            <authentication_method>Preshared Key</authentication_method>
            <auth_data>
              <preshared_key>Encdab907ed117eafaadd92f82b3e768b5414e4402dbd4df4585d4202c65940f1b2e9</preshared_key>
            </auth_data>
            <mode>aggressive</mode>
            <dhgroup>5;</dhgroup>
            <key_life>28800</key_life>
            <localid></localid>
            <nat_traversal>1</nat_traversal>
            <sase_mode>1</sase_mode>
            <mode_config>1</mode_config>
            <enable_local_lan>0</enable_local_lan>
            <block_outside_dns>0</block_outside_dns>
            <nat_alive_freq>5</nat_alive_freq>
            <dpd>1</dpd>
            <dpd_retry_count>3</dpd_retry_count>
            <dpd_retry_interval>5</dpd_retry_interval>
            <fgt>1</fgt>
            <enable_ike_fragmentation>0</enable_ike_fragmentation>
            <run_fcauth_system>0</run_fcauth_system>
            <sso_enabled>1</sso_enabled>
            <ike_saml_port>10428</ike_saml_port>
            <failover_sslvpn_connection>SSLVPN HQ</failover_sslvpn_connection>
            <xauth_timeout>120</xauth_timeout>
            <xauth>
              <enabled>1</enabled>
              <prompt_username>1</prompt_username>
              <username>Encrypted/NonEncrypted_UsernameString</username>
              <password />
              <attempts_allowed>1</attempts_allowed>
              <use_otp>0</use_otp>
            </xauth>
            <proposals>
              <proposal>3DES|MD5</proposal>
              <proposal>3DES|SHA1</proposal>
              <proposal>AES128|MD5</proposal>
              <proposal>AES128|SHA1</proposal>
              <proposal>AES256|SHA256</proposal>
            </proposals>
          </ike_settings>
          <ipsec_settings>
            <remote_networks>
              <network>
                <addr>0.0.0.0</addr>
                <mask>0.0.0.0</mask>
              </network>
            </remote_networks>
            <ipv4_split_exclude_networks>
              <subnetwork>10.10.10.0/255.255.255.0</subnetwork>
              <subnetwork>13.106.56.0/25</subnetwork>
              <subnetwork>teams.microsoft.com</subnetwork>
            </ipv4_split_exclude_networks>
            <dhgroup>5</dhgroup>
            <key_life_type>seconds</key_life_type>
            <key_life_seconds>1800</key_life_seconds>
            <key_life_Kbytes>5120</key_life_Kbytes>
            <replay_detection>1</replay_detection>
            <pfs>1</pfs>
            <use_vip>1</use_vip>
            <virtualip>
              <dnsserver_secondary></dnsserver_secondary>
              <type>modeconfig</type>
              <ip>0.0.0.0</ip>
              <mask>0.0.0.0</mask>
              <dnsserver>0.0.0.0</dnsserver>
              <winserver>0.0.0.0</winserver>
            </virtualip>
            <proposals>
              <proposal>3DES|MD5</proposal>
              <proposal>3DES|SHA1</proposal>
              <proposal>AES128|MD5</proposal>
              <proposal>AES128|SHA1</proposal>
              <proposal>AES256|SHA256</proposal>
            </proposals>
          </ipsec_settings>
          <on_connect>
            <script>
              <os>windows</os>
              <script>
                <![CDATA[]]>
              </script>
            </script>
          </on_connect>
          <on_disconnect>
            <script>
              <os>windows</os>
              <script>
                <![CDATA[]]>
              </script>
            </script>
          </on_disconnect>
          <traffic_control>
            <enabled>1</enabled>
            <mode>2</mode>
            <apps>
              <app>%LOCALAPPDATA%\Microsoft\Teams\Current\Teams.exe</app>
              <app>%appdata%\Zoom\bin\Zoom.exe</app>
              <app>C:\Program Files (x86)\Microsoft\Skype for Desktop\skype.exe</app>
              <app>%LOCALAPPDATA%\GoToMeeting\18068\g2mcomm.exe</app>
              <app>%LOCALAPPDATA%\GoToMeeting\18068\g2mlauncher.exe</app>
              <app>%LOCALAPPDATA%\GoToMeeting\18068\g2mstart.exe</app>
            </apps>
            <fqdns>
              <fqdn>webex.com</fqdn>
              <fqdn>gotomeeting.com</fqdn>
              <fqdn>youtube.com</fqdn>
            </fqdns>
          </traffic_control>
          <tags>
            <allowed>NoVuln</allowed>
            <prohibited>CriticalVuln</prohibited>
          </tags>
          <azure_auto_login>
            <enabled>1</enabled>
            <azure_app>
              <client_id>...</client_id>
              <tenant_name>...</tenant_name>
            </azure_app>
          </azure_auto_login>
          <vpn_before_logon>
            <username_format>username</username_format>
          </vpn_before_logon>
        </connection>
      </connections>
    </ipsecvpn>
  </vpn>
</forticlient_configuration>
```
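As an added example (not from the FortiClient documentation or any Fortinet tool), the following Python script parses a profile laid out like the sample above and reports the settings a reviewer would normally question before pushing it from EMS: IKEv1 with aggressive mode and a pre-shared key, legacy proposal algorithms, Diffie-Hellman groups below group 14, and a cached password. The embedded profile is constructed, and the algorithm list and group threshold are this example's own policy, not Fortinet defaults.

```python
import xml.etree.ElementTree as ET

# Constructed sample trimmed to the elements this audit reads; not a real profile.
SAMPLE_PROFILE = """<forticlient_configuration><vpn><ipsecvpn><connections><connection>
  <name>ipsecdemo</name><ui><save_password>1</save_password></ui>
  <ike_settings><version>1</version><mode>aggressive</mode>
    <authentication_method>Preshared Key</authentication_method><dhgroup>5;</dhgroup>
    <proposals><proposal>3DES|MD5</proposal><proposal>AES256|SHA256</proposal></proposals>
  </ike_settings>
  <ipsec_settings><dhgroup>5</dhgroup>
    <proposals><proposal>AES128|SHA1</proposal></proposals></ipsec_settings>
</connection></connections></ipsecvpn></vpn></forticlient_configuration>"""

# Audit policy (this example's own, not a Fortinet default): flag legacy algorithms
# and any Diffie-Hellman group weaker than group 14 (2048-bit MODP).
LEGACY_ALGS = {"3DES", "MD5", "SHA1"}
MIN_DH_GROUP = 14

def audit_connection(conn: ET.Element) -> list[str]:
    """Return human-readable findings for one <connection> element."""
    name = conn.findtext("name", default="?")
    findings = []
    if conn.findtext("ike_settings/version") == "1":
        findings.append(f"{name}: IKEv1 in use; prefer IKEv2")
    if (conn.findtext("ike_settings/mode") == "aggressive"
            and conn.findtext("ike_settings/authentication_method") == "Preshared Key"):
        findings.append(f"{name}: IKEv1 aggressive mode with a pre-shared key")
    for phase in ("ike_settings", "ipsec_settings"):
        # The sample writes the IKE group as "5;" and the IPsec group as "5": split on ";".
        for g in (conn.findtext(f"{phase}/dhgroup") or "").split(";"):
            if g.strip().isdigit() and int(g) < MIN_DH_GROUP:
                findings.append(f"{name}: {phase} DH group {g.strip()} below group {MIN_DH_GROUP}")
        for prop in conn.findall(f"{phase}/proposals/proposal"):
            weak = LEGACY_ALGS & set((prop.text or "").split("|"))
            if weak:
                findings.append(f"{name}: {phase} proposal {prop.text} uses {'/'.join(sorted(weak))}")
    if conn.findtext("ui/save_password") == "1":
        findings.append(f"{name}: save_password is enabled")
    return findings

def audit_profile(xml_text: str) -> list[str]:
    """Parse a FortiClient profile and audit every IPsec <connection> in it."""
    root = ET.fromstring(xml_text)
    return [f for conn in root.iterfind(".//ipsecvpn/connections/connection")
            for f in audit_connection(conn)]

if __name__ == "__main__":
    print("\n".join(audit_profile(SAMPLE_PROFILE)))
```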
The following table provides the XML tags for IPsec VPN, as well as the descriptions and default values where applicable:
XML tag | Description | Default value
---|---|---
<show_auth_cert_only> | Suppress dialogs from displaying in FortiClient when using SmartCard certificates. Boolean value: | 0
<disconnect_on_log_off> | Drop the established VPN connection when the user logs off. Boolean value: | 1
<enabled> | Enable IPsec VPN. Boolean value: | 1
<beep_if_error> | Beep if VPN connection attempt fails. Boolean value: | 0
<beep_continuously> | Enable the continuous beep. Boolean value: | 1
<beep_seconds> | Enter a value for the number of seconds after which to beep if an error occurs. | 60
<usewincert> | Use Windows certificates for connections. Boolean value: |
<use_win_current_user_cert> | Use Windows current user certificates for connections. Boolean value: | 1
<use_win_local_computer_cert> | Use Windows local computer certificates for connections. Boolean value: | 1
<block_ipv6> | Drop IPv6 traffic when an IPsec VPN connection is established. Boolean value: | 0
<uselocalcert> | Use local certificates for connections. Boolean value: |
<usesmcardcert> | Use certificates on smart cards. Boolean value: |
<enable_udp_checksums> | Enable UDP checksums. This setting stops FortiClient from calculating and inserting checksums into the UDP packets that it creates. Boolean value: | 0
<mtu_size> | Maximum Transmission Unit (MTU) size for packets on the VPN tunnel. Set from a minimum of |
<disable_default_route> | Disable the default route to the gateway when the tunnel is up and restore it after the tunnel is down. Boolean value: | 0
<check_for_cert_private_key> | Enable checks for the Windows certificate private key. When set to Boolean value: | 0
<enhanced_key_usage_mandatory> | Enable certificates with enhanced key usage. Used with Boolean value: |
<no_dns_registration> | When this setting is When this setting is When this setting is | 0
<prefer_ipsecvpn_dns> | When this setting is When this setting is Boolean value: | 1
The <connections> XML tag may contain one or more <connection> elements. Each <connection> has the following:
- <name> and <type>: connection name and type
- Internet Key Exchange (IKE) settings: information used to establish an IPsec VPN connection
- IPsec settings:
- on_connect: a script to run right after a successful connection
- on_disconnect: a script to run just after a disconnection
The following table provides IPsec VPN connection XML tags, the description, and the default value (where applicable):
XML tag | Description | Default value
---|---|---
<name> | VPN connection name. |
<single_user_mode> | Enable single user mode. If enabled, FortiClient cannot establish new or existing VPN connections, or disconnects them, if multiple users are logged in. Boolean value: | 0
<type> | IPsec VPN connection type. Enter one of the following: |
<disclaimer_msg> | Enable and enter a disclaimer message that appears when the user attempts a VPN connection. The user must accept the message to allow the connection. |
<redundant_sort_method> | How FortiClient determines the order in which to try connecting to the IPsec VPN servers when multiple are defined. FortiClient calculates the order before each IPsec VPN connection attempt: | 0
<failover_sslvpn_connection> | If the IPsec VPN connection fails, FortiClient attempts to connect to the specified SSL VPN tunnel. |
<machine> | When this setting is 1, FortiClient can connect to the tunnel without user interaction. See Boolean value: |
<keep_running> | Ensures that the VPN tunnel remains connected if it is already connected. This is useful when a temporary network disconnection causes the tunnel to drop the connection. An EMS-pushed tunnel with Boolean value: | 0
The elements of the | |
<show_passcode> | Display Passcode instead of Password on the Remote Access tab in the console. Boolean value: |
<show_remember_password> | Display the Save Password checkbox in the console. Boolean value: |
<show_alwaysup> | Display the Always Up checkbox in the console. Boolean value: |
<show_autoconnect> | Display the Auto Connect checkbox in the console. Boolean value: |
<save_username> | Save and display the last username used for the VPN connection. Boolean value: |
<save_password> | When enabled, Save Password is enabled for the VPN tunnel in the FortiClient GUI. An EMS-pushed tunnel with Boolean value: | 0
<enabled> | To enable the feature, enter Boolean value: |
<mode> | Enter |
<app> | Specify which application traffic to exclude from the VPN tunnel and redirect to the endpoint physical interface. You can specify an application using its process name, full path, or the directory where it is installed. You can enter file and directory paths using environment variables, such as %LOCALAPPDATA%, %programfiles%, and %appdata%. Do not use spaces at the head or tail, or add double quotes to full paths with spaces. To find a running application's full path, on the Details tab in Task Manager, add the Image path name column. Once the VPN tunnel is up, FortiClient binds the specified applications to the physical interface. In the example, for the GoToMeeting path, 18068 refers to the currently installed version of the GoToMeeting application. |
<fqdn> | Specify which FQDN traffic to exclude from the VPN tunnel and redirect to the endpoint physical interface. The IP address the FQDN resolves to is dynamically added to the route table when in use and removed after disconnection. In the example, youtube.com covers both youtube.com and *.youtube.com. After defining an FQDN such as youtube.com, if you use any popular browser such as Chrome, Edge, or Firefox to access youtube.com, this traffic does not go through the VPN tunnel. |
<allowed> | Enter the desired Zero Trust tags. If EMS has tagged this endpoint with any of the entered tags, FortiClient allows the endpoint to connect to the VPN tunnel. |
<prohibited> | Enter the desired Zero Trust tags. If EMS has tagged this endpoint with any of the entered tags, FortiClient denies the endpoint from connecting to the VPN tunnel. |
<enabled> | Enable FortiClient to autoconnect to this IPsec VPN tunnel on a Microsoft Entra ID (formerly known as Azure Active Directory or AD) domain-joined endpoint using the Entra ID credentials. See Autoconnect to IPsec VPN using Entra ID logon session information. Boolean value: |
<azure_app><client_id> | Enter the Entra ID enterprise application client ID. You can find this information on the Entra ID portal. |
<azure_app><tenant_name> | Enter the Azure tenant ID. You can find this information on the Entra ID portal. |
<vpn_before_logon><username_format> | Configure the username format required for the VPN before logon connection to authenticate successfully. This configuration takes effect if the user selects their username from the left panel when logging into Windows instead of typing in their name. Configure one of the following: | username

The VPN connection name is mandatory. If a connection of this type and this name exists, FortiClient overwrites its values with the new ones.