
IKE settings


Note

FortiClient 7.4.5 does not support IPsec VPN IKEv1. Configure IPsec VPN IKEv2 if using FortiClient 7.4.5.

FortiClient automatically performs IKE based on preshared keys or X.509 digital certificates.

The following table provides the XML tags for IKE settings, as well as the descriptions and default values where applicable:

XML tag / Description / Default value

<version>

Determines the IKE version. FortiClient supports IKEv1 and IKEv2. Enter 1 or 2.

Default value: 1

<prompt_certificate>

Prompt for certificate on connection.

Boolean value: [0 | 1]

Default value: 1

<implied_SPDO>

Specify which ports allow traffic. When this setting is 0, FortiClient only allows traffic from ports 500 and 4500. When this setting is 1, FortiClient allows other traffic during the connection phase, including Internet traffic.

Boolean value: [0 | 1]

<implied_SPDO_timeout>

When <implied_SPDO> is set to 1, <implied_SPDO_timeout> is the timeout in seconds.

FortiClient blocks all outbound non-IKE packets when <implied_SPDO> is set to 1. This is a security feature in the IPsec protocol. If the network traffic goes through a captive portal, the intended IPsec VPN server may be unreachable, until the user provides some credentials on a web page. Thus, setting <implied_SPDO> to 1 may have the side effect of blocking access to the captive portal, which in turn blocks access to the IPsec VPN server.

To avoid this deadlock, set <implied_SPDO_timeout> to a value greater than 0. FortiClient allows all outbound traffic (including non-IKE traffic) for the duration configured. Some users find that a value of 30 or 60 seconds suffices. If <implied_SPDO_timeout> is set to 0, the <implied_SPDO> element behaves as if set to 0.

When <implied_SPDO> is set to 0, <implied_SPDO_timeout> is ignored.

<server>

IP address or FQDN.

<authentication_method>

Authentication method. Enter one of the following:

  • Preshared Key
  • X509 Certificate
  • Smartcard X509 Certificate
  • System Store X509 Certificate

<cert_subjectcheck>

When enabled, and the CN type of the server certificate is FQDN (see the FortiOS documentation), FortiClient checks that the remote gateway hostname matches the CN in the subject field of the server certificate of the IPsec phase1 interface, which is configured on the FortiGate with the following command:

config vpn ipsec phase1-interface
	edit "<interface>"
		set authmethod signature
		set certificate "<certificate>"
	next
end

If there is no match, the VPN connection does not succeed.

Boolean value: [0 | 1]

Default value: 0

<auth_data> elements

<preshared_key>

Encrypted value of the preshared key.

<auth_data><certificate> elements

FortiClient searches all certificate stores until it finds a match for the certificate name and issuer supplied.

The XML sample provided in IPsec VPN only shows the XML configuration when using a preshared key. See Sample XML using certificate authentication for an example of the XML configuration for a System Store X509 certificate.

<auth_data><certificate><common_name> elements

Elements for common name of the certificate for VPN logon.

<match_type>

Enter the type of matching to use:

  • simple: exact match
  • wildcard: wildcard match
  • regex: regular expression match

<pattern>

Enter the pattern to use for the type of matching.

<auth_data><certificate><issuer> elements

<match_type>

Enter the type of matching to use:

  • simple: exact match
  • wildcard: wildcard match

<pattern>

Enter the pattern to use for the type of matching.

<auth_data><certificate><oids><oid> elements

Elements for matching on certificate object identifiers (OIDs). This filter considers all certificate OIDs at the first level of the X.509 ASN.1 structure. Nested (second-level) OIDs are not supported, other than the EKU (extendedKeyUsage) OIDs.

<match_type>

Enter the type of matching to use. Choose from:

  • simple: exact match
  • wildcard: wildcard match
  • regex: regular expression match

<pattern>

Enter the pattern to use for the type of matching.
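The following is an added example, not FortiClient code: it loads the <common_name>, <issuer> and <oids> rules from a constructed <ipsecvpn> fragment (the page's sample with the CN wildcard narrowed and an <oids> rule for the clientAuth EKU added) and applies the three match types to a constructed certificate store. The store layout, the "first full match wins" search and the assumption that every <oid> rule must match at least one OID on the certificate are this example's own.

```python
import fnmatch
import re
import xml.etree.ElementTree as ET

# Constructed filter (not from the page): the certificate-authentication
# sample with a narrower CN wildcard and an <oids> rule for the clientAuth
# EKU OID 1.3.6.1.5.5.7.3.2, so all three element groups are exercised.
FILTER_XML = r"""<ipsecvpn>
  <connections>
    <connection>
      <ike_settings>
        <auth_data>
          <certificate>
            <common_name>
              <match_type><![CDATA[wildcard]]></match_type>
              <pattern><![CDATA[*.example.com]]></pattern>
            </common_name>
            <issuer>
              <match_type><![CDATA[simple]]></match_type>
              <pattern><![CDATA[Certificate Authority]]></pattern>
            </issuer>
            <oids>
              <oid>
                <match_type><![CDATA[regex]]></match_type>
                <pattern><![CDATA[^1\.3\.6\.1\.5\.5\.7\.3\.2$]]></pattern>
              </oid>
            </oids>
          </certificate>
        </auth_data>
      </ike_settings>
    </connection>
  </connections>
</ipsecvpn>"""

# Constructed stand-in for the certificate stores FortiClient searches:
# subject CN, issuer CN and the first-level / EKU OIDs of each certificate.
STORE = [
    {"cn": "laptop.example.com", "issuer": "Other CA", "oids": ["1.3.6.1.5.5.7.3.2"]},
    {"cn": "laptop.example.com", "issuer": "Certificate Authority", "oids": ["1.3.6.1.5.5.7.3.1"]},
    {"cn": "laptop.example.com", "issuer": "Certificate Authority", "oids": ["1.3.6.1.5.5.7.3.2"]},
    {"cn": "laptop.example.org", "issuer": "Certificate Authority", "oids": ["1.3.6.1.5.5.7.3.2"]},
]

# Match types each element group accepts per the table (<issuer> has no regex).
ALLOWED = {"common_name": {"simple", "wildcard", "regex"},
           "issuer": {"simple", "wildcard"},
           "oid": {"simple", "wildcard", "regex"}}


def matches(match_type, pattern, value):
    """Apply one <match_type>/<pattern> pair to a single attribute value."""
    if match_type == "simple":
        return value == pattern
    if match_type == "wildcard":
        return fnmatch.fnmatchcase(value, pattern)
    if match_type == "regex":
        return re.search(pattern, value) is not None
    raise ValueError(f"unknown match_type {match_type!r}")


def _rule(elem, group):
    """Read (match_type, pattern) from an element and reject unsupported types."""
    mt = elem.findtext("match_type", "").strip()
    if mt not in ALLOWED[group]:
        raise ValueError(f"<{group}> does not accept match_type {mt!r}")
    return mt, elem.findtext("pattern", "").strip()


def load_filter(xml_text):
    """Pull the <certificate> rules out of an <ipsecvpn> document."""
    cert = ET.fromstring(xml_text).find(
        "connections/connection/ike_settings/auth_data/certificate")
    return {
        "common_name": _rule(cert.find("common_name"), "common_name"),
        "issuer": _rule(cert.find("issuer"), "issuer"),
        "oids": [_rule(o, "oid") for o in cert.findall("oids/oid")],
    }


def select_certificate(filt, store):
    """Return the first certificate satisfying every rule (assumption: each
    <oid> rule must match at least one OID present on the certificate)."""
    for cert in store:
        if not matches(*filt["common_name"], cert["cn"]):
            continue
        if not matches(*filt["issuer"], cert["issuer"]):
            continue
        if all(any(matches(mt, pat, oid) for oid in cert["oids"])
               for mt, pat in filt["oids"]):
            return cert
    return None
```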

<mode>

Connection mode. Enter one of the following: [aggressive | main]

<dhgroup>

A list of possible Diffie-Hellman (DH) protocol groups, separated by semicolons.

<key_life>

Phase 2 key expiry duration, in seconds.

Default value: 28800

<localid>

Enter the peer ID configured in the FortiGate phase 1 configuration. If Accept any peer ID has been configured, leave this field blank.

<peerid>

Enter the FortiGate certificate subject name or FQDN. The peer ID must match the certificate local ID on the FortiGate for a successful IPsec VPN connection.

<nat_traversal>

Enable NAT traversal.

Boolean value: [0 | 1]

<sase_mode>

When enabled, the IPsec VPN forces the new connection (including the first message) to use port 4500, so all traffic for this tunnel is seen on port 4500. The IKE_SA_INIT message also carries the EMS serial number as a payload. You must enable this feature to provide IPsec VPN-based SASE.

For this feature to function correctly, you must configure the following on the FortiGate:

config system settings
	set ike-port 4500
end

This feature only supports IKEv2 and requires NAT traversal to be enabled.

Boolean value: [0 | 1]

Default value: 0

<mode_config>

Enable mode configuration.

Boolean value: [0 | 1]

<enable_local_lan>

Enable local LAN when using a full tunnel. This setting does not apply to split tunnels.

Boolean value: [0 | 1]

Default value: 0

<block_outside_dns>

When you enable this setting, Windows uses only the VPN-pushed DNS server when using a full tunnel.

When you disable this setting, FortiClient retains the outside DNS server configuration when the tunnel is up.

Boolean value: [0 | 1]

Default value: 0

<nat_alive_freq>

NAT alive frequency.

<dpd>

Enable dead peer detection (DPD).

Boolean value: [0 | 1]

Default value: 1

<dpd_retry_count>

Number of unacknowledged DPD messages to send before declaring the peer dead.

Maximum value is 10. If the specified value is greater than the maximum (10), FortiClient uses the maximum value (10) instead.

Default value: 3

<dpd_retry_interval>

Duration of DPD idle periods, in seconds.

Maximum value is 3600. If the specified value is greater than the maximum (3600), FortiClient uses the maximum value (3600) instead.

Default value: 20

<enable_ike_fragmentation>

Enable support for fragmented IKE packets to avoid packet loss and ensure reliable IPsec VPN tunnel establishment.

Boolean value: [0 | 1]

Default value: 1

<run_fcauth_system>

When you enable this setting, non-administrators can use local machine certificates to connect IPsec VPN.

When you disable this setting, non-administrators cannot use machine certificates to connect IPsec VPN.

Boolean value: [0 | 1]

Default value: 0

<sso_enabled>

Enable SAML single sign on (SSO) login for the VPN tunnel. For this feature to function, the administrator must configure the necessary options on the service and identity providers. See IPsec VPN SAML-based authentication.

Boolean value: [0 | 1]

<use_external_browser>

Display the SAML authentication prompt in an external browser instead of in the FortiClient GUI.

If you configure <version> as 2 and <sso_enabled> as 1, FortiClient automatically enables this field. Only IKEv2 tunnels support using an external browser for IPsec VPN.

Boolean value: [0 | 1]

Default value: 1

<ike_saml_port>

Enter the port number that FortiClient uses to communicate with the FortiGate, which acts as the SAML service provider.

<failover_sslvpn_connection>

If the IPsec VPN connection fails, FortiClient attempts to connect to the specified SSL VPN tunnel. In the example, the SSL VPN tunnel name is "SSL VPN HQ".

<xauth_timeout>

Configure the IKE extended authentication (XAuth) timeout in seconds. Enter a value between 120 and 300 seconds.

Default value: 120

<session_resume>

Enable session resumption. If FortiClient loses the network connection or the client device goes to sleep, the FortiGate starts a client-resume sleep period. When the network connectivity is restored or the device wakes, FortiClient attempts to resume the session.

If FortiClient resumes the session within the set interval, the FortiGate detects that the client has resumed and maintains the existing session. The FortiOS administrator configures the interval using set client-resume-interval.

If FortiClient does not resume the session within the set interval, the session expires on the FortiGate and the tunnel is deleted. FortiClient must initiate a new full IKEv2 negotiation for reconnection.

Boolean value: [0 | 1]

Default value: 0

<networkid>

Configure a network ID value between 0 and 255 to differentiate between multiple IKEv2 certificate-based phase 1 tunnels. See the FortiOS documentation for more details.

The network ID is a Fortinet proprietary attribute used to select the correct phase 1 between IPsec peers, so that multiple IKEv2 tunnels can be established between the same local and remote gateway pairs.

In a dialup VPN, network-id is in the first initiator message of an IKEv2 phase 1 negotiation. The responder (hub) uses the network-id to match a phase 1 configuration with a matching network-id. The hub can then differentiate multiple dialup phase 1s that are bound to the same underlay interface and IP address. Without a network-id, the hub cannot have multiple phase 1 dialup tunnels on the same interface.

In static phase 1 configurations, network-id is used with the pair of gateway IP addresses to negotiate the correct tunnel with a matching network-id. This allows IPsec VPN peers to use the same pair of underlay IP addresses to establish multiple IPsec VPN tunnels. Without it, only a single tunnel can be established over the same pair of underlay IP addresses.

The <networkid> option is not supported on FortiClient iOS or Android.

<eap_method>

Configure one of the following for the EAP method:

  • 1: requires EAP-MSCHAPv2 authentication
  • 2: requires EAP-TTLS/PAP authentication

    For LDAP-based user authentication using IKEv2, the EAP-TTLS authentication method allows credentials to be securely transmitted to FortiGate over a TLS tunnel and ensures secure user authentication.

    FortiClient (iOS) and (Android) do not support EAP-TTLS/PAP authentication.

Default value: 1

<remove_password_for_unexpected_eap_failure>

Configure whether to remove the old saved password when FortiClient does not receive the expected “expiring due to EAP failure” message.

Boolean value: [0 | 1]

Default value: 0

<fido_auth>

Enable to allow Yubikey (FIDO2) authentication for SAML SSO VPN connections in the FortiClient embedded (internal) browser for macOS.

Boolean value: [0 | 1]


<saml_cert_selection>

Enable to allow certificate selection for identity provider client certificate challenge. If you disable this setting, the FortiClient internal browser allows the system to select the default option for the client certificate challenge.

This setting only applies to FortiClient (macOS).

Boolean value: [0 | 1]

Default value: 0

<transport_mode>

Configure the desired transport mode for this connection. Possible values are:

  • 0: UDP transport mode. This is the default and used for most VPN connections. Configure a custom port number if desired. If you select this option, you only need to configure <udp_port> and do not need to configure <tcp_port>. The value for <udp_port> should match the port number configured on FortiOS via the following command:

    config system settings
    	set ike-port 500
    end

    After IKE packets are negotiated over UDP on the configured port, if no NAT is detected and ESP packets are allowed to pass through the internet, ESP packets do not need to be encapsulated inside UDP headers. In this scenario, the recommended setting on FortiOS is set nattraversal disable, as disabling NAT-T avoids the additional overhead of encapsulating and decapsulating ESP packets. This typically provides optimal VPN performance on the endpoint and FortiGate when NAT-T is unneeded.

    If NAT is detected and you prefer NAT-T with ESP encapsulation over UDP, consider using auto mode, <transport_mode>2</transport_mode> as the following describes. In auto mode, once the IKE negotiation completes, ESP packets are transferred over UDP on the default port (UDP/4500).

  • 1: TCP transport mode. This is recommended for use in restrictive networks. Configure a custom port number if desired. If you select this mode, you only need to configure <tcp_port> and do not need to configure <udp_port>. The value for <tcp_port> should match the port number configured on FortiOS via the following command:

    config system settings
    	set ike-tcp-port 443
    end

    Use this mode when NAT is detected or if both UDP and ESP are blocked. In this scenario, IKE and ESP packets are encapsulated inside TCP, typically on port 443, to ensure the traffic can pass through strict network environments.

  • 2: Auto mode. FortiOS dynamically selects the transport mode. If you configure auto mode, you must configure both the <udp_port> and <tcp_port> fields. The values must match those set on FortiOS using the following commands:

    config system settings
    	set ike-port 500
    	set ike-tcp-port 443
    end

    You must also configure the following phase 1 settings on FortiOS 7.4.2 and later versions:

    config vpn ipsec phase1
    	edit
    		set nattraversal forced
    		set transport udp-fallback-tcp
    	next
    end

    On FortiOS 7.6, you can configure the following phase 1 settings:

    config vpn ipsec phase1
    	edit
    		set nattraversal forced
    		set transport auto
    	next
    end

    If using FortiOS 7.4.1 or an earlier version, FortiClient connects to the IPsec VPN using UDP mode, because the udp-fallback-tcp and auto transport options are unavailable there.

    This mode dynamically uses UDP or TCP based on network conditions and NAT detection, automatically falling back to TCP/443 if UDP or ESP traffic is blocked.

Default value: 0

<udp_port>

If <transport_mode> is configured as 0 or 2, configure a custom port for UDP. If <udp_port> is not configured, the default port is used.

<tcp_port>

If <transport_mode> is configured as 1 or 2, configure a custom port for TCP. If this element is not configured, the default port is used.
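As an added example (not FortiClient or Fortinet code), the following linter checks one <ike_settings> block against the constraints stated in this table: <sase_mode> needs IKEv2 and NAT traversal, <use_external_browser> needs IKEv2, <transport_mode> decides which port elements are required or ignored, the DPD caps, the <xauth_timeout> and <networkid> ranges, and the <implied_SPDO_timeout>0 behaviour. The finding codes, the two XML fragments and the assumed default of 0 for <implied_SPDO> are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed <ike_settings> fragments (not from the page). The first violates
# several constraints stated in the table; the second is consistent.
BAD_IKE_SETTINGS = """<ike_settings>
  <version>1</version>
  <sase_mode>1</sase_mode>
  <nat_traversal>0</nat_traversal>
  <sso_enabled>1</sso_enabled>
  <use_external_browser>1</use_external_browser>
  <transport_mode>2</transport_mode>
  <udp_port>500</udp_port>
  <dpd_retry_count>15</dpd_retry_count>
  <dpd_retry_interval>7200</dpd_retry_interval>
  <xauth_timeout>60</xauth_timeout>
  <networkid>300</networkid>
  <implied_SPDO>1</implied_SPDO>
  <implied_SPDO_timeout>0</implied_SPDO_timeout>
</ike_settings>"""

GOOD_IKE_SETTINGS = """<ike_settings>
  <version>2</version>
  <sase_mode>1</sase_mode>
  <nat_traversal>1</nat_traversal>
  <transport_mode>2</transport_mode>
  <udp_port>4500</udp_port>
  <tcp_port>443</tcp_port>
  <dpd_retry_count>3</dpd_retry_count>
  <dpd_retry_interval>20</dpd_retry_interval>
  <xauth_timeout>120</xauth_timeout>
  <networkid>5</networkid>
</ike_settings>"""


def _int(root, tag, default):
    """Read an integer child element, falling back to the table's default."""
    text = root.findtext(tag)
    return default if text is None else int(text.strip())


def lint_ike_settings(xml_text):
    """Return a list of (code, message) findings for one <ike_settings> block."""
    root = ET.fromstring(xml_text)
    findings = []

    version = _int(root, "version", 1)
    if version not in (1, 2):
        findings.append(("bad_version", "<version> must be 1 or 2"))

    # <sase_mode> is IKEv2-only and requires NAT traversal.
    if _int(root, "sase_mode", 0) == 1:
        if version != 2:
            findings.append(("sase_requires_ikev2", "<sase_mode> only supports IKEv2; set <version>2"))
        if _int(root, "nat_traversal", 0) != 1:
            findings.append(("sase_requires_natt", "<sase_mode> requires <nat_traversal>1"))

    # An external browser for SAML is only supported on IKEv2 tunnels.
    if _int(root, "use_external_browser", 0) == 1 and version != 2:
        findings.append(("ext_browser_requires_ikev2", "<use_external_browser> needs an IKEv2 tunnel"))

    # <transport_mode> decides which port elements matter.
    mode = _int(root, "transport_mode", 0)
    has_udp = root.find("udp_port") is not None
    has_tcp = root.find("tcp_port") is not None
    if mode == 2 and not (has_udp and has_tcp):
        findings.append(("auto_needs_both_ports", "auto mode requires both <udp_port> and <tcp_port>"))
    if mode == 0 and has_tcp:
        findings.append(("tcp_port_ignored", "<tcp_port> is not used in UDP mode"))
    if mode == 1 and has_udp:
        findings.append(("udp_port_ignored", "<udp_port> is not used in TCP mode"))

    # Values FortiClient clamps silently, and ranges the table requires.
    if _int(root, "dpd_retry_count", 3) > 10:
        findings.append(("dpd_count_clamped", "<dpd_retry_count> above 10 is clamped to 10"))
    if _int(root, "dpd_retry_interval", 20) > 3600:
        findings.append(("dpd_interval_clamped", "<dpd_retry_interval> above 3600 is clamped to 3600"))
    if not 120 <= _int(root, "xauth_timeout", 120) <= 300:
        findings.append(("xauth_timeout_range", "<xauth_timeout> must be between 120 and 300 seconds"))
    netid = root.findtext("networkid")
    if netid is not None and not 0 <= int(netid) <= 255:
        findings.append(("networkid_range", "<networkid> must be between 0 and 255"))

    # <implied_SPDO>1 with a zero timeout behaves as if it were 0
    # (assumption: <implied_SPDO> defaults to 0 when absent).
    if _int(root, "implied_SPDO", 0) == 1 and _int(root, "implied_SPDO_timeout", 0) == 0:
        findings.append(("spdo_timeout_zero", "<implied_SPDO_timeout>0 makes <implied_SPDO> behave as 0"))
    return findings
```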

<keep_fqdn_resolution_consistency>

Keep IPsec VPN connection gateway IP address consistent by keeping resolved FQDN in hosts file before FortiClient establishes IPsec VPN connection.

Boolean value: [0 | 1]

Default value: 0

<xauth> elements

<enabled>

Enable IKE XAuth.

Boolean value: [0 | 1]

<prompt_username>

Request a username.

Boolean value: [0 | 1]

<username>

Encrypted or non-encrypted username on the IPsec server.

<password>

Encrypted or non-encrypted password.

<attempts_allowed>

Maximum number of failed login attempts allowed.

<proposals> elements

<proposal>

Encryption and authentication types to use, separated by a pipe.

Example:

<proposal>3DES|MD5</proposal>

Multiple elements accepted.

First value (encryption type): DES, 3DES, AES128, AES192, AES256

Second value (authentication type): MD5, SHA1, SHA256, SHA384, SHA512

<azure_auto_login> elements

<enabled>

Enable FortiClient to autoconnect to this IPsec VPN tunnel on a Microsoft Entra ID domain-joined endpoint using the Entra ID credentials. See Autoconnect to IPsec VPN using Entra ID logon session information.

Boolean value: [0 | 1]

<azure_app><client_id>

Enter the Entra ID enterprise application client ID. You can find this information on the Entra ID portal.

<azure_app><tenant_name>

Enter the Azure tenant ID. You can find this information on the Entra ID portal.

Sample XML using certificate authentication

<ipsecvpn>
	...
	<connections>
		<connection>
			...
			<ike_settings>
				<auth_data>
					<certificate>
						<common_name>
							<match_type><![CDATA[wildcard]]></match_type>
							<pattern><![CDATA[*]]></pattern>
						</common_name>
						<issuer>
							<match_type><![CDATA[simple]]></match_type>
							<pattern><![CDATA[Certificate Authority]]></pattern>
						</issuer>
					</certificate>
				</auth_data>
			</ike_settings>
			...
		</connection>
	</connections>
	...
</ipsecvpn>

This is a well-formed but incomplete XML configuration fragment. It includes all closing tags but omits some elements that a complete configuration needs.

See IPsec VPN for a more complete XML configuration example using a preshared key for authentication.
