IKE parameters

IKE SA parameters

Encryption algorithms

  • The built-in client supports the following encryption algorithms: 3DES, AES-CBC, AES-CTR, AES-GCM with 8-, 12-, and 16-octet ICV, and ChaCha20-Poly1305 with 16-octet ICV. For algorithms that take a key length, the available key lengths are 128, 192, and 256 bits.
  • EMS supports 3DES, AES, and AES-GCM with 128- and 256-bit keys. It also supports AES with a 192-bit key.
  • DES and ChaCha20-Poly1305 are not supported in EMS.
  • When AES-GCM is selected, FortiClient uses the 16-octet ICV variant (AES-GCM-16).

Integrity algorithms

  • Supported integrity algorithms are AES-CMAC-96, AES-XCBC-96, SHA1-96, SHA256-128, SHA384-192, and SHA512-256.
  • You can also configure no integrity algorithm. This is the correct choice for AES-GCM, an AEAD cipher that provides its own integrity protection.
  • EMS exposes only one selection, which is used as the integrity algorithm when the encryption algorithm is not AES-GCM and as the PRF when it is. The workaround is to use the same hash for both integrity and PRF: if EMS selects SHA256 as the integrity algorithm, FortiClient also uses a SHA256 PRF, and vice versa.

Pseudorandom functions

  • The supported pseudorandom functions are AES128-CMAC, AES128-XCBC, SHA1, SHA256, SHA384, SHA512.
  • EMS does not allow the AES-based PRFs to be selected, so only the SHA-based pseudorandom functions are available through EMS.

Diffie-Hellman (DH) Groups

Supported DH groups are 2, 5, 14, 15, 16, and 31. You can also select no DH group. Groups 2 and 5 are the 1024-bit and 1536-bit MODP groups and are retained for compatibility with legacy gateways; prefer group 14 or higher, or group 31 (Curve25519), for new deployments.
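The following Python is an added illustration, not FortiClient or EMS code, of how the encryption, integrity, PRF, and DH selections described above combine into the IKE SA proposal the client negotiates. It assumes that the EMS "AES" choice maps to AES-CBC on the client, that the EMS hash labels SHA1/SHA256/SHA384/SHA512 name the single integrity/PRF selection, and that the function names and the 3DES/SHA1/legacy-group warnings are the example's own, not an EMS feature:

```python
# Added example, not FortiClient/EMS code. Derives the IKE SA proposal that
# FortiClient (Android) would negotiate from an EMS profile selection, applying
# the rules documented above: AES-GCM carries its own integrity (no separate
# integrity algorithm, 16-octet ICV), and the single EMS hash selection serves
# as both the integrity algorithm and the PRF.
from dataclasses import dataclass
from typing import List, Optional

# Algorithms the built-in client supports (from the page).
CLIENT_ENCRYPTION = {"3DES", "AES-CBC", "AES-CTR", "AES-GCM-8", "AES-GCM-12",
                     "AES-GCM-16", "CHACHA20-POLY1305"}
CLIENT_INTEGRITY = {"AES-CMAC-96", "AES-XCBC-96", "SHA1-96", "SHA256-128",
                    "SHA384-192", "SHA512-256"}
CLIENT_PRF = {"AES128-CMAC", "AES128-XCBC", "SHA1", "SHA256", "SHA384", "SHA512"}
CLIENT_DH_GROUPS = {2, 5, 14, 15, 16, 31}

# What EMS lets an administrator pick (from the page). Assumption: the EMS "AES"
# choice is AES-CBC on the client; 3DES takes no key size.
EMS_ENCRYPTION = {"3DES": (), "AES": (128, 192, 256), "AES-GCM": (128, 256)}
EMS_HASHES = ("SHA1", "SHA256", "SHA384", "SHA512")
# Truncated-MAC integrity transform corresponding to each EMS hash selection.
INTEGRITY_FOR_HASH = {"SHA1": "SHA1-96", "SHA256": "SHA256-128",
                      "SHA384": "SHA384-192", "SHA512": "SHA512-256"}


@dataclass(frozen=True)
class IkeSaProposal:
    encryption: str
    key_bits: Optional[int]     # None for 3DES
    integrity: Optional[str]    # None for AES-GCM (AEAD)
    prf: str
    dh_group: Optional[int]     # None when EMS selects no DH group


def build_ike_sa_proposal(ems_encryption: str, ems_key_bits: Optional[int],
                          ems_hash: str, ems_dh_group: Optional[int]) -> IkeSaProposal:
    """Map an EMS selection to the client's proposal, rejecting anything EMS
    cannot express or the client does not support."""
    if ems_encryption not in EMS_ENCRYPTION:
        raise ValueError(f"{ems_encryption} is not selectable in EMS")
    sizes = EMS_ENCRYPTION[ems_encryption]
    if sizes and ems_key_bits not in sizes:
        raise ValueError(f"{ems_encryption} key size {ems_key_bits} is not offered by EMS")
    if not sizes and ems_key_bits is not None:
        raise ValueError(f"{ems_encryption} takes no key size")
    if ems_hash not in EMS_HASHES:
        raise ValueError(f"{ems_hash} is not selectable in EMS (AES PRFs are not offered)")
    if ems_dh_group is not None and ems_dh_group not in CLIENT_DH_GROUPS:
        raise ValueError(f"DH group {ems_dh_group} is not supported by the client")

    if ems_encryption == "AES-GCM":
        # AEAD: the client uses the 16-octet ICV variant and no integrity
        # transform; the EMS hash selection becomes the PRF only.
        encryption, integrity = "AES-GCM-16", None
    elif ems_encryption == "AES":
        encryption, integrity = "AES-CBC", INTEGRITY_FOR_HASH[ems_hash]
    else:
        encryption, integrity = "3DES", INTEGRITY_FOR_HASH[ems_hash]

    proposal = IkeSaProposal(encryption, ems_key_bits, integrity, ems_hash, ems_dh_group)
    # Sanity-check the result against the client's supported lists.
    assert proposal.encryption in CLIENT_ENCRYPTION
    assert proposal.integrity is None or proposal.integrity in CLIENT_INTEGRITY
    assert proposal.prf in CLIENT_PRF
    return proposal


def is_valid_ems_selection(ems_encryption, ems_key_bits, ems_hash, ems_dh_group) -> bool:
    """True when the selection can be expressed in EMS and negotiated by the client."""
    try:
        build_ike_sa_proposal(ems_encryption, ems_key_bits, ems_hash, ems_dh_group)
        return True
    except ValueError:
        return False


def legacy_warnings(proposal: IkeSaProposal) -> List[str]:
    """Flag choices that remain selectable but that a reviewer would question."""
    warnings = []
    if proposal.encryption == "3DES":
        warnings.append("3DES: 64-bit block cipher, prefer AES-GCM")
    if proposal.prf == "SHA1" or proposal.integrity == "SHA1-96":
        warnings.append("SHA1: prefer SHA256 or stronger")
    if proposal.dh_group in (2, 5):
        warnings.append(f"DH group {proposal.dh_group}: 1024/1536-bit MODP, prefer 14+ or 31")
    return warnings


if __name__ == "__main__":
    p = build_ike_sa_proposal("AES-GCM", 256, "SHA256", 14)
    print(p, legacy_warnings(p))
    q = build_ike_sa_proposal("3DES", None, "SHA1", 2)
    print(q, legacy_warnings(q))
```

The validation mirrors the EMS restrictions in the text: AES-GCM only at 128 or 256 bits, no ChaCha20-Poly1305, no AES-based PRF, and only the client's DH groups; an AES-GCM selection yields a proposal with no integrity transform, while AES or 3DES yields the truncated HMAC matching the selected hash.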

Local Identification

Supported Local ID types are:

  • IPv4 addresses (ID type 1)
  • IPv6 addresses (ID type 5)
  • FQDNs (ID type 2)
  • RFC 822 email addresses (ID type 3)
  • Key IDs (ID type 11)

The DER ASN1 DN type (ID type 9) is not supported by the built-in client, although it is defined in the Android SDK. It may become supported by the client in the future, but there are no guarantees.

Remote Identification

Remote identification supports the same ID types as the local ID. There is an option to disable remote ID checking.

Remote ID checking is currently disabled. With it disabled, the client does not compare the gateway's IKE identity (IDr payload) against an expected value, so the gateway is identified only by the authentication step itself (certificate or pre-shared key validation).

MOBIKE

The MOBIKE option is currently not enabled in FortiClient (Android).

Rekeying

Support is available for configuring soft (seconds before a rekey request is sent) and hard (seconds before the SA expires) lifetimes.

EMS defines only one parameter, Key Life, given in seconds. FortiClient (Android) uses this value as the hard lifetime and derives the soft lifetime by halving it. The hard lifetime must be between 300 and 86400 seconds. If the Key Life value falls outside this range, FortiClient (Android) ignores it and uses the built-in client defaults of 14400 seconds for the hard lifetime and 7200 seconds for the soft lifetime.

Child SA Parameters

Child SAs support the same encryption and integrity algorithms as IKE SAs. The IKE SA DH groups are also supported, but the DH group set in the Child SA configuration is used only when the Child SA is rekeyed (CREATE_CHILD_SA), not for the initial Child SA established during IKE_AUTH, which is keyed from the IKE SA's own DH exchange. Child SA keys are therefore independent of the IKE SA keys only from the first rekey onward.

Lifetimes

The Child SA offers the same soft and hard lifetime configuration as the IKE SA. As with the IKE SA parameters, the Child SA uses the EMS Key Life value as the hard lifetime and derives the soft lifetime by halving it.

The Child SA hard lifetime must be between 300 and 14400 seconds. EMS also allows the Child SA Key Life to be defined in kilobytes, which the Android client does not support.

If the Key Life value falls outside the supported range, or is not defined in seconds (that is, it is set to Kbytes or Both), FortiClient uses the default hard lifetime of 7200 seconds and the default soft lifetime of 3600 seconds.
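The following Python is an added example, not FortiClient or EMS code, that applies the IKE SA and Child SA lifetime rules described in the Rekeying and Lifetimes sections: the EMS Key Life value becomes the hard lifetime, the soft lifetime is half of it, and an out-of-range value (or, for the Child SA, a Kbytes/Both unit) makes the client fall back to its built-in defaults. The unit labels, the integer halving of odd values, and the function names are the example's own assumptions:

```python
# Added example, not FortiClient/EMS code. Computes the soft and hard lifetimes
# that FortiClient (Android) applies from the EMS Key Life setting, following the
# rules documented above for the IKE SA and the Child SA.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Accepted hard-lifetime ranges and fallback defaults (seconds), from the page.
IKE_SA_RANGE = (300, 86400)
IKE_SA_DEFAULT_HARD = 14400
CHILD_SA_RANGE = (300, 14400)
CHILD_SA_DEFAULT_HARD = 7200

# Hypothetical labels for the EMS Key Life unit selector.
UNIT_SECONDS, UNIT_KBYTES, UNIT_BOTH = "seconds", "kbytes", "both"


@dataclass(frozen=True)
class Lifetimes:
    hard_seconds: int   # the SA expires
    soft_seconds: int   # a rekey request is sent
    from_ems: bool      # False when the client ignored the EMS value


def _halve(hard: int, from_ems: bool) -> Lifetimes:
    # Assumption: "halving" uses integer division for odd values.
    return Lifetimes(hard, hard // 2, from_ems)


def ike_sa_lifetimes(key_life_seconds: Optional[int]) -> Lifetimes:
    """IKE SA: Key Life in seconds, accepted only within 300..86400."""
    lo, hi = IKE_SA_RANGE
    if key_life_seconds is None or not lo <= key_life_seconds <= hi:
        return _halve(IKE_SA_DEFAULT_HARD, from_ems=False)
    return _halve(key_life_seconds, from_ems=True)


def child_sa_lifetimes(key_life: Optional[int], unit: str = UNIT_SECONDS) -> Lifetimes:
    """Child SA: Key Life accepted only in seconds and within 300..14400."""
    lo, hi = CHILD_SA_RANGE
    # Kbytes or Both: the Android client has no volume-based lifetime, so the
    # whole setting is ignored, not just the kilobyte part.
    if unit != UNIT_SECONDS or key_life is None or not lo <= key_life <= hi:
        return _halve(CHILD_SA_DEFAULT_HARD, from_ems=False)
    return _halve(key_life, from_ems=True)


def review_profile(ike_key_life: Optional[int], child_key_life: Optional[int],
                   child_unit: str = UNIT_SECONDS) -> Tuple[Lifetimes, Lifetimes, List[str]]:
    """Return the effective lifetimes plus notes an administrator would want
    when the client silently falls back to its defaults."""
    ike = ike_sa_lifetimes(ike_key_life)
    child = child_sa_lifetimes(child_key_life, child_unit)
    notes = []
    if not ike.from_ems:
        notes.append(f"IKE SA Key Life {ike_key_life} ignored; "
                     f"using {ike.hard_seconds}/{ike.soft_seconds} s")
    if not child.from_ems:
        notes.append(f"Child SA Key Life {child_key_life} ({child_unit}) ignored; "
                     f"using {child.hard_seconds}/{child.soft_seconds} s")
    return ike, child, notes


if __name__ == "__main__":
    # A Child SA Key Life of 28800 s is valid for the IKE SA range but exceeds
    # the Child SA maximum, so only the Child SA falls back to defaults.
    for item in review_profile(28800, 28800):
        print(item)
```

The asymmetric ranges matter in practice: a Key Life that is valid for the IKE SA (for example 28800 seconds) is silently rejected for the Child SA, and the client then rekeys the Child SA every 3600 seconds with a 7200-second hard limit rather than on the schedule the administrator entered.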