
EMS Administration Guide

IPsec VPN support for traffic going through FortiADC

IPsec VPN can support traffic that first goes through FortiADC. Only IKEv2 tunnels support this feature.

The example uses the following product versions:

Product          Version
FortiClient      7.2.4
FortiClient EMS
FortiGate        7.4.3
FortiADC         6.1.3

In this example use case, an organization has implemented a comprehensive security strategy that includes the use of IPsec (Internet Protocol Security) for securing communications between its network resources. By combining the secure communication that IPsec provides with the traffic optimization capabilities of FortiADC, the company can achieve a robust, secure, and high-performance network infrastructure for interconnecting branch offices with the central data center. Also, this setup enables efficient data exchange while maintaining the confidentiality and integrity of the transmitted information.

The following describes the flow shown in the diagram:

  1. FortiClient sends a request to IKE port 4500 with the SNI information it received from EMS.
  2. FortiADC sends the SNI to the API server and receives the real server (RS) IP address.
  3. FortiADC forwards the packet to the RS IP address and port and relays the response.
  4. The VPN is set up, and IKE UDP 4500 packets are then sent automatically.

The following assumes that you already have an SNI API server configured, with a Go service running on port 3001.

To configure FortiADC:
  1. Configure a load balance profile for IKE traffic:
    config load-balance profile
      edit "IKERESOURCE"
        set type udp
        set inner-protocol ike
      next
    end
  2. Configure the SNI API server. In this example, 10.152.35.156 is the SNI API server IP address, and 3001 is the port used:
    config load-balance sniproxy-domain
      set url http://10.152.35.156:3001/api/v1/system/sni-resolvers?region=region1
      set url-udp http://10.152.35.156:3001/api/v1/system/sni-resolvers?region=region1
    end
  3. Configure the RS pool and add members (the FortiOS firewall IP address) to the pool:
    config load-balance pool
      edit "FGT-POOL"
        set health-check-list LB_HLTHCK_ICMP LB_HLTHCK_HTTPS LB_HLTHCK_TCP_ECHO LB_HLTHCK_HTTP 
        set real-server-ssl-profile NONE
        config  pool_member
          edit 1
            set pool_member_service_port 0
            set pool_member_cookie rs1
            set real-server FGT2
          next
        end
      next
    end
  4. Configure a virtual server. FortiClient will initiate an IPsec connection to 192.168.1.7, the remote gateway and FortiADC interface IP address, on port 4500:
    config load-balance virtual-server
      edit "INTERNALIPSEC"
        set interface port1
        set ip 192.168.1.7
        set port 4500 
        set load-balance-profile IKERESOURCE
        set load-balance-method LB_METHOD_SNIPROXY
        set load-balance-pool FGT-POOL
        set traffic-log enable
        set traffic-group default
        set fortiview enable
      next
    end
To create an IPsec VPN IKEv2 tunnel in FortiOS:
config vpn ipsec phase1-interface
    edit "ADC Tunnel"
        set type dynamic
        set interface "port2"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set comments "VPN: ADC Tunnel (Created by VPN wizard)"
        set eap enable
        set eap-identity send-request
        set authusrgrp "IPSEC"
        set ipv4-start-ip 20.21.21.1
        set ipv4-end-ip 20.21.21.250
        set dns-mode auto
        set save-password enable
        set client-auto-negotiate enable
        set client-keep-alive enable
        set psksecret ENC FzFV1gODmlxtAzxGdBQgxyAs7EvbfThS6hbrqFrBWgAQ3LAaxZ8i7V2XsjFSOJ0D5xp/cWODWxPyUBxL/j5ItiT/DG9Hl6l28uA7gMeAzagGs+avmaauE4vu3/TX+wTQ2cAD19zpiBu7I33l0EMM8hnmKTgwG3stznB/A4oKfEG72nQvrxk4TyXMRmjKdoQIvOz2SA==
    next
end
To configure EMS:
  1. In EMS, go to Endpoint Profiles > Remote Access.
  2. Create a new profile or edit an existing one.
  3. Under VPN Tunnels, click Add Tunnel.
  4. Select Manual.
  5. Configure Basic Settings:
    1. In the Name field, configure the desired tunnel name.
    2. For Type, select IPsec VPN.
    3. In the Remote Gateway field, enter the remote gateway, which is the same as the FortiADC IP address. In this example, it is 192.168.1.7.
    4. From the Authentication Method dropdown list, select Pre Shared Key.
    5. In the Pre-Shared Key field, enter the same key that you configured in FortiOS.

  6. Configure other fields as desired, and save.
  7. Click XML, then Edit.
  8. Under <ike_settings>, set <sase_mode> to 1. This sets the IPsec port to 4500. The following shows the XML configuration:
    <forticlient_configuration>
        <vpn>
            <enabled>1</enabled>
            <sslvpn>
                <connections/>
                <options>
                    <disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
                    <use_gui_saml_auth>0</use_gui_saml_auth>
                    <no_dns_registration>0</no_dns_registration>
                    <preferred_dtls_tunnel>0</preferred_dtls_tunnel>
                    <negative_split_tunnel_metric/>
                    <warn_invalid_server_certificate>1</warn_invalid_server_certificate>
                    <dnscache_service_control>0</dnscache_service_control>
                    <prefer_sslvpn_dns>1</prefer_sslvpn_dns>
                    <enabled>1</enabled>
                </options>
            </sslvpn>
            <ipsecvpn>
                <connections>
                    <connection>
                        <name>IPSECV2-ADC - internal</name>
                        <uid>650F4D40-6942-4E25-B927-7EE6C5D99878</uid>
                        <machine>0</machine>
                        <keep_running>0</keep_running>
                        <disclaimer_msg/>
                        <sso_enabled>0</sso_enabled>
                        <single_user_mode>0</single_user_mode>
                        <type>manual</type>
                        <ui>
                            <show_remember_password>1</show_remember_password>
                            <show_alwaysup>1</show_alwaysup>
                            <show_autoconnect>1</show_autoconnect>
                            <show_passcode>0</show_passcode>
                            <save_username>0</save_username>
                        </ui>
                        <redundant_sort_method>0</redundant_sort_method>
                        <tags>
                            <allowed/>
                            <prohibited/>
                        </tags>
                        <host_check_fail_warning/>
                        <ike_settings>
                            <server>192.168.1.7</server>
                            <authentication_method>Preshared Key</authentication_method>
                            <fgt>1</fgt>
                            <prompt_certificate>1</prompt_certificate>
                            <xauth>
                                <use_otp>0</use_otp>
                                <enabled>1</enabled>
                                <prompt_username>1</prompt_username>
                            </xauth>
                            <version>2</version>
                            <mode>aggressive</mode>
                            <key_life>86400</key_life>
                            <localid/>
                            <implied_SPDO>0</implied_SPDO>
                            <implied_SPDO_timeout>0</implied_SPDO_timeout>
                            <nat_traversal>1</nat_traversal>
                            <sase_mode>1</sase_mode>
                            <nat_alive_freq>5</nat_alive_freq>
                            <enable_local_lan>1</enable_local_lan>
                            <enable_ike_fragmentation>0</enable_ike_fragmentation>
                            <mode_config>1</mode_config>
                            <dpd>1</dpd>
                            <run_fcauth_system>0</run_fcauth_system>
                            <sso_enabled>0</sso_enabled>
                            <ike_saml_port>443</ike_saml_port>
                            <dpd_retry_count>3</dpd_retry_count>
                            <dpd_retry_interval>5</dpd_retry_interval>
                            <xauth_timeout>120</xauth_timeout>
                            <auth_data>
                                <preshared_key>Enc 7de9d08db7716deba8e66e5526eac5d952c1afb46e2edd5d51646228a1a2</preshared_key>
                            </auth_data>
                            <dhgroup>5</dhgroup>
                            <proposals>
                                <proposal>AES128|SHA1</proposal>
                                <proposal>AES256|SHA256</proposal>
                            </proposals>
                        </ike_settings>
                        <ipsec_settings>
                            <remote_networks>
                                <network>
                                    <addr>0.0.0.0</addr>
                                    <mask>0.0.0.0</mask>
                                </network>
                                <network>
                                    <addr>::/0</addr>
                                    <mask>::/0</mask>
                                </network>
                            </remote_networks>
                            <dhgroup>5</dhgroup>
                            <key_life_type>seconds</key_life_type>
                            <key_life_seconds>43200</key_life_seconds>
                            <key_life_Kbytes>5200</key_life_Kbytes>
                            <replay_detection>1</replay_detection>
                            <pfs>1</pfs>
                            <use_vip>1</use_vip>
                            <virtualip>
                                <type>modeconfig</type>
                                <ip>0.0.0.0</ip>
                                <mask>0.0.0.0</mask>
                                <dnsserver>0.0.0.0</dnsserver>
                                <winserver>0.0.0.0</winserver>
                            </virtualip>
                            <proposals>
                                <proposal>AES128|SHA1</proposal>
                                <proposal>AES256|SHA256</proposal>
                            </proposals>
                        </ipsec_settings>
                        <android_cert_path/>
                        <warn_invalid_server_certificate>1</warn_invalid_server_certificate>
                        <on_connect>
                            <script>
                                <os>windows</os>
                                <script/>
                            </script>
                            <script>
                                <os>MacOSX</os>
                                <script/>
                            </script>
                            <script>
                                <os>linux</os>
                                <script/>
                            </script>
                        </on_connect>
                        <on_disconnect>
                            <script>
                                <os>windows</os>
                                <script/>
                            </script>
                            <script>
                                <os>MacOSX</os>
                                <script/>
                            </script>
                            <script>
                                <os>linux</os>
                                <script/>
                            </script>
                        </on_disconnect>
                        <traffic_control>
                            <enabled>0</enabled>
                            <mode>1</mode>
                        </traffic_control>
                    </connection>
                </connections>
                <options>
                    <usewincert>1</usewincert>
                    <disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
                    <uselocalcert>0</uselocalcert>
                    <beep_if_error>0</beep_if_error>
                    <check_for_cert_private_key>0</check_for_cert_private_key>
                    <no_dns_registration>0</no_dns_registration>
                    <enhanced_key_usage_mandatory>0</enhanced_key_usage_mandatory>
                    <disable_default_route>0</disable_default_route>
                    <use_win_current_user_cert>1</use_win_current_user_cert>
                    <enable_udp_checksum>0</enable_udp_checksum>
                    <show_auth_cert_only>0</show_auth_cert_only>
                    <usesmcardcert>1</usesmcardcert>
                    <block_ipv6>1</block_ipv6>
                    <use_win_local_computer_cert>1</use_win_local_computer_cert>
                    <enabled>1</enabled>
                </options>
            </ipsecvpn>
            <lockdown>
                <grace_period>120</grace_period>
                <max_attempts>3</max_attempts>
                <exceptions>
                    <apps/>
                    <ips/>
                </exceptions>
                <enabled>0</enabled>
            </lockdown>
            <options>
                <suppress_vpn_notification>0</suppress_vpn_notification>
                <secure_remote_access>0</secure_remote_access>
                <keep_running_max_tries>0</keep_running_max_tries>
                <use_windows_credentials>0</use_windows_credentials>
                <allow_personal_vpns>1</allow_personal_vpns>
                <show_vpn_before_logon>0</show_vpn_before_logon>
                <use_legacy_vpn_before_logon>0</use_legacy_vpn_before_logon>
                <on_os_start_connect/>
                <disable_connect_disconnect>0</disable_connect_disconnect>
                <show_negotiation_wnd>0</show_negotiation_wnd>
                <on_os_start_connect_has_priority>0</on_os_start_connect_has_priority>
                <autoconnect_on_install>0</autoconnect_on_install>
                <autoconnect_only_when_offnet>0</autoconnect_only_when_offnet>
                <minimize_window_on_connect>1</minimize_window_on_connect>
            </options>
        </vpn>
        <endpoint_control>
            <ui>
                <display_vpn>1</display_vpn>
            </ui>
        </endpoint_control>
    </forticlient_configuration>
  9. Save. After FortiClient receives the profile changes from EMS, it can connect to an IPsec VPN tunnel pushed from FortiADC.
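As an added example (not part of the Fortinet guide or of any Fortinet tool), the following Python script checks an exported EMS XML profile for the settings this deployment depends on: an IKEv2 tunnel, <sase_mode> set to 1, pre-shared key authentication, and a remote gateway equal to the FortiADC virtual server address. The embedded profile is a trimmed copy of the XML above; the expected FortiADC address is supplied by the caller.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the EMS profile shown in this guide.
SAMPLE_PROFILE = """<forticlient_configuration>
  <vpn>
    <ipsecvpn>
      <connections>
        <connection>
          <name>IPSECV2-ADC - internal</name>
          <ike_settings>
            <server>192.168.1.7</server>
            <authentication_method>Preshared Key</authentication_method>
            <version>2</version>
            <nat_traversal>1</nat_traversal>
            <sase_mode>1</sase_mode>
          </ike_settings>
        </connection>
      </connections>
    </ipsecvpn>
  </vpn>
</forticlient_configuration>
"""


def _text(elem, tag, default=""):
    """Return the stripped text of a child element, or default if it is absent or empty."""
    child = elem.find(tag)
    return child.text.strip() if child is not None and child.text else default


def check_adc_tunnels(profile_xml, fortiadc_vip):
    """Map each IPsec connection name to a list of problems (an empty list means ready).

    fortiadc_vip is the FortiADC virtual server address FortiClient must dial
    (192.168.1.7 in the guide); the FortiGate behind FortiADC is never the target.
    """
    root = ET.fromstring(profile_xml)
    results = {}
    for conn in root.iterfind("./vpn/ipsecvpn/connections/connection"):
        name = _text(conn, "name", "<unnamed>")
        ike = conn.find("ike_settings")
        if ike is None:
            results[name] = ["missing <ike_settings>"]
            continue
        problems = []
        # The FortiADC path is only supported for IKEv2 tunnels.
        if _text(ike, "version") != "2":
            problems.append("version must be 2: only IKEv2 tunnels work through FortiADC")
        # sase_mode=1 is what makes FortiClient send IKE on UDP 4500.
        if _text(ike, "sase_mode") != "1":
            problems.append("sase_mode must be 1 so IKE uses port 4500")
        # The example authenticates with a pre-shared key (the same key set in FortiOS).
        if _text(ike, "authentication_method") != "Preshared Key":
            problems.append("authentication_method should be 'Preshared Key' for this setup")
        server = _text(ike, "server")
        if server != fortiadc_vip:
            problems.append(f"server is {server!r}, expected FortiADC VIP {fortiadc_vip!r}")
        results[name] = problems
    return results


if __name__ == "__main__":
    for tunnel, probs in check_adc_tunnels(SAMPLE_PROFILE, "192.168.1.7").items():
        print(tunnel, "OK" if not probs else probs)
```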
To verify this configuration:
  1. In FortiOS, go to Dashboard > Network.
  2. Expand the IPsec widget.
  3. Verify that the IPsec VPN tunnel is up.
  4. If desired, you can enable IKE debugging in FortiOS and view the output:
    FGVMULTM12345 # diagnose debug enable
    
    FGVMULTM212345 # diagnose debug application ike -1
    Debug messages will be on for 30 minutes.
    
    FGVMULTM12345 # ike V=root:0: comes 192.168.1.11:4500->192.168.1.1:4500,ifindex=5,vrf=0,len=508....
    ike V=root:0: IKEv2 exchange=SA_INIT id=fd23616068ea787b/0000000000000000 len=504
    Ike V=root:0:fd23616068ea787b/0000000000000000:897: responder received SA_INIT msg
    ike V=root:0:fd23616068ea787b/0000000000000000:897: VID forticlient connect license 4C53427B6D465D1B337BB755A37A7FEF
    ike V=root:0:fd23616068ea787b/0000000000000000:897: VID Fortinet Endpoint Control B4F01CA951E9DA8D0BAFBBD34AD3044E
    ike V=root:0:fd23616068ea787b/0000000000000000:897: VID unknown (16): C1DC4350476B98A429B91781914CA43E
    ike V=root:0:fd23616068ea787b/0000000000000000:897: received notify type 61699
    ike V=root:0:fd23616068ea787b/0000000000000000:897: ignoring unauthenticated notify payload (61699)
    ike V=root:0:fd23616068ea787b/0000000000000000:897: received notify type 61699
    ike V=root:0:fd23616068ea787b/0000000000000000:897: ignoring unauthenticated notify payload (61699)
    ike V=root:0:fd23616068ea787b/0000000000000000:897: received notify type NAT_DETECTION_SOURCE_IP
    ike V=root:0:fd23616068ea787b/0000000000000000:897: received notify type NAT_DETECTION_DESTINATION_IP
    ike V=root:0:fd23616068ea787b/0000000000000000:897: incoming proposal:
    ike V=root:0:fd23616068ea787b/0000000000000000:897: proposal id = 1:
    ike V=root:0:fd23616068ea787b/0000000000000000:897:   protocol = IKEv2:
    ike V=root:0:fd23616068ea787b/0000000000000000:897:      encapsulation = IKEv2/none
    ike V=root:0:fd23616068ea787b/0000000000000000:897:         type=ENCR, val=AES_CBC (key_len = 128)
    ike V=root:0:fd23616068ea787b/0000000000000000:897:         type=INTEGR, val=AUTH_HMAC_SHA_96
    ike V=root:0:fd23616068ea787b/0000000000000000:897:         type=PRF, val=PRF_HMAC_SHA
    ike V=root:0:fd23616068ea787b/0000000000000000:897:         type=DH_GROUP, val=MODP1536.
    ike V=root:0:fd23616068ea787b/0000000000000000:897: proposal id = 2:
    ike V=root:0:fd23616068ea787b/0000000000000000:897:   protocol = IKEv2:
    ike V=root:0:fd23616068ea787b/0000000000000000:897:      encapsulation = IKEv2/none
    ike V=root:0:fd23616068ea787b/0000000000000000:897:         type=ENCR, val=AES_CBC (key_len = 128)
    ike V=root:0:fd23616068ea787b/0000000000000000:897:         type=INTEGR, val=AUTH_HMAC_SHA2_256_128
    ike V=root:0:fd23616068ea787b/0000000000000000:897:         type=PRF, val=PRF_HMAC_SHA2_256
    ike V=root:0:fd23616068ea787b/0000000000000000:897:         type=DH_GROUP, val=MODP1536.
    ike V=root:0:fd23616068ea787b/0000000000000000:897: matched proposal id 2
    ike V=root:0:fd23616068ea787b/0000000000000000:897: proposal id = 2:
    ike V=root:0:fd23616068ea787b/0000000000000000:897:   protocol = IKEv2:
    ike V=root:0:fd23616068ea787b/0000000000000000:897:      encapsulation = IKEv2/none
    ike V=root:0:fd23616068ea787b/0000000000000000:897:         type=ENCR, val=AES_CBC (key_len = 128)
    ike V=root:0:fd23616068ea787b/0000000000000000:897:         type=INTEGR, val=AUTH_HMAC_SHA2_256_128
    ike V=root:0:fd23616068ea787b/0000000000000000:897:         type=PRF, val=PRF_HMAC_SHA2_256
    ike V=root:0:fd23616068ea787b/0000000000000000:897:         type=DH_GROUP, val=MODP1536.
    ike V=root:0:fd23616068ea787b/0000000000000000:897: lifetime=86400
    ike V=root:0:fd23616068ea787b/0000000000000000:897: SA proposal chosen, matched gateway ADC Tunnel
    ike V=root:0:ADC Tunnel: created connection: 0xf9e2ff0 5 192.168.1.1->192.168.1.11:4500.
    ike V=root:0:ADC Tunnel:897: processing notify type NAT_DETECTION_SOURCE_IP
    ike V=root:0:ADC Tunnel:897: processing NAT-D payload
    ike V=root:0:ADC Tunnel:897: NAT detected: PEER
    ike V=root:0:ADC Tunnel:897: process NAT-D
    ike V=root:0:ADC Tunnel:897: processing notify type NAT_DETECTION_DESTINATION_IP
    ike V=root:0:ADC Tunnel:897: processing NAT-D payload
    ike V=root:0:ADC Tunnel:897: NAT detected: ME PEER
    ike V=root:0:ADC Tunnel:897: process NAT-D
    ike V=root:0:ADC Tunnel:897: enable FortiClient endpoint compliance check, use 169.254.7.1
    ike V=root:0:ADC Tunnel:897: responder preparing SA_INIT msg
    ike V=root:0:ADC Tunnel:897: generate DH public value request queued
    ike V=root:0:ADC Tunnel:897: responder preparing SA_INIT msg
    ike V=root:0:ADC Tunnel:897: compute DH shared secret request queued
    ike V=root:0:ADC Tunnel:897: responder preparing SA_INIT msg
    ike V=root:0:ADC Tunnel:897: create NAT-D hash local 192.168.1.1/4500 remote 192.168.1.11/4500
    ike 0:ADC Tunnel:897: out FD23616068EA787B8A56F0004EEC7C3D212022200000000000000160220000300000002C020100040300000C0100000C800E00800300000802000005030000080300000C0000000804000005280000C80005000000AE7B893BC5E3A52AA663A0334F31B4E900C9F5635E5CE2817A0FD7734EA390EEDF0898E22540B9AE00E8C4E1DECB51DA24B0A7C326FF6286ADF943020E4027FF73A6E4752FEA8B133EBAB7553723BDC61E43FBC99C2D95FA88BC5BF8E322B7598FAB4F5C55A13B2226D71DF952B088256A57D88E16C671881DDD028AC24D9E4ACA40DC26017C87C0553EDDE75D031FCFC0DBB74B4F26E9EE0AC662A66FAD4E48A3D2232E0BDB7552E3855535D340BF34B28873D28C8FABB2FCAC5194A5373E29000014DE6499159A9592FF9CF6A338697810782900001C0000400412CB23AF2CCA5494532E14CE0775D4D1CFA05EA40000001C0000400514E0C02BB1C1041736812AF33F10C047BDEB6A36
    ike V=root:0:ADC Tunnel:897: sent IKE msg (SA_INIT_RESPONSE): 192.168.1.1:4500->192.168.1.11:4500, len=352, vrf=0, id=fd23616068ea787b/8a56f0004eec7c3d, oif=5
    ike 0:ADC Tunnel:897: IKE SA fd23616068ea787b/8a56f0004eec7c3d SK_ei 16:5204278EAA78717A3D501DB8ED8FD673
    ike 0:ADC Tunnel:897: IKE SA fd23616068ea787b/8a56f0004eec7c3d SK_er 16:7B38711FE8D81E238370F4D9D75B4954
    ike 0:ADC Tunnel:897: IKE SA fd23616068ea787b/8a56f0004eec7c3d SK_ai 32:68CF5D7F413B68413D0E6411181CD5F0EE4AA630D72274B56E6790A7EE7568F8
    ike 0:ADC Tunnel:897: IKE SA fd23616068ea787b/8a56f0004eec7c3d SK_ar 32:6033D1AFE65E3A3B65B1D6B58B0B7CC7083D077684039D03897CF68F23C96DAE
    ike V=root:0: comes 192.168.1.11:4500->192.168.1.1:4500,ifindex=5,vrf=0,len=612....
    ike V=root:0: IKEv2 exchange=AUTH id=fd23616068ea787b/8a56f0004eec7c3d:00000001 len=608
    ike V=root:0:ADC Tunnel:897: responder received AUTH msg
    ike V=root:0:ADC Tunnel:897: processing notify type INITIAL_CONTACT
    ike V=root:0:ADC Tunnel:897: processing notify type FORTICLIENT_CONNECT
    ike V=root:0:ADC Tunnel:897: received FCT data len = 294, data = 'VER=1
    FCTVER=7.2.4.0972
    UID=95F07503CB724BE083208F97EEB9CF82
    IP=192.168.1.11
    MAC=00-15-5d-23-a8-4a;00-15-5d-23-a8-5a;
    HOST=DESKTOP-I14IVVC
    USER=ipsec
    OSVER=Microsoft Windows 10 Enterprise Edition, 64-bit (build 19045)
    REG_STATUS=0
    EMSSN=FCTEMS12345
    EMSID=00000000000000000000000000000000
    '
    ike V=root:0:ADC Tunnel:897: received FCT-UID : 123456
    ike V=root:0:ADC Tunnel:897: peer identifier IPV4_ADDR 192.168.1.11
    ike V=root:0:ADC Tunnel:897: re-validate gw ID
    ike V=root:0:ADC Tunnel:897: gw validation OK
    ike V=root:0:ADC Tunnel:897: responder preparing EAP identity request
    ike 0:ADC Tunnel:897: enc 2700000C01000000C0A8010130000028020000002CC85F24CD85A4D9BBD5130FD954CDE9631E41538971618AC5CA89FFDA271E450000000901B8000501020102
    ike 0:ADC Tunnel:897: out FD23616068EA787B8A56F0004EEC7C3D2E2023200000000100000080240000642D7B15B7617F0AAB77FB620A310E31571D63B20BDE4BF92244B54828CCEA823498115B71F5CF9E3A6CE97DDB9C2256805BA9204032A89FF3D43D7772BFF51C427158D5E20A7CCE25EEF29F6B9AFEFCB4ED31E7DFDB6171994083D5F59A0DDF25
    ike V=root:0:ADC Tunnel:897: sent IKE msg (AUTH_RESPONSE): 192.168.1.1:4500->192.168.1.11:4500, len=128, vrf=0, id=fd23616068ea787b/8a56f0004eec7c3d:00000001, oif=5
    ike V=root:0: comes 192.168.1.11:4500->192.168.1.1:4500,ifindex=5,vrf=0,len=84....
    ike V=root:0: IKEv2 exchange=AUTH id=fd23616068ea787b/8a56f0004eec7c3d:00000002 len=80
  5. After the VPN connection succeeds, ping internal servers located behind the FortiGate from the endpoint to verify that it can access them. Ping should succeed:

    ping 192.168.2.4

    Pinging 192.168.2.4 with 32 bytes of data:
    Reply from 192.168.2.4: bytes=32 time=1ms TTL=127
    Reply from 192.168.2.4: bytes=32 time<1ms TTL=127
    Reply from 192.168.2.4: bytes=32 time=1ms TTL=127
    Reply from 192.168.2.4: bytes=32 time<1ms TTL=127

    Ping statistics for 192.168.2.4:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 1ms, Average = 0ms
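As an added example (not from the Fortinet guide), this Python script condenses a FortiOS diagnose debug application ike -1 trace like the one above into the facts the verification step needs: exchanges seen, SPIs, the proposal and gateway that matched, NAT detection, and the FortiClient (FCT) data the endpoint sent. The embedded trace is a trimmed copy of the output shown above; the regular expressions are written against that output format only.

```python
import re

# Constructed sample: a trimmed copy of the ike debug trace in this guide (hex dumps dropped).
SAMPLE_TRACE = """\
ike V=root:0: IKEv2 exchange=SA_INIT id=fd23616068ea787b/0000000000000000 len=504
ike V=root:0:fd23616068ea787b/0000000000000000:897: proposal id = 1:
ike V=root:0:fd23616068ea787b/0000000000000000:897:         type=ENCR, val=AES_CBC (key_len = 128)
ike V=root:0:fd23616068ea787b/0000000000000000:897:         type=INTEGR, val=AUTH_HMAC_SHA_96
ike V=root:0:fd23616068ea787b/0000000000000000:897:         type=DH_GROUP, val=MODP1536.
ike V=root:0:fd23616068ea787b/0000000000000000:897: proposal id = 2:
ike V=root:0:fd23616068ea787b/0000000000000000:897:         type=ENCR, val=AES_CBC (key_len = 128)
ike V=root:0:fd23616068ea787b/0000000000000000:897:         type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike V=root:0:fd23616068ea787b/0000000000000000:897:         type=PRF, val=PRF_HMAC_SHA2_256
ike V=root:0:fd23616068ea787b/0000000000000000:897:         type=DH_GROUP, val=MODP1536.
ike V=root:0:fd23616068ea787b/0000000000000000:897: matched proposal id 2
ike V=root:0:fd23616068ea787b/0000000000000000:897: SA proposal chosen, matched gateway ADC Tunnel
ike V=root:0:ADC Tunnel:897: NAT detected: PEER
ike V=root:0:ADC Tunnel:897: NAT detected: ME PEER
ike V=root:0: IKEv2 exchange=AUTH id=fd23616068ea787b/8a56f0004eec7c3d:00000001 len=608
ike V=root:0:ADC Tunnel:897: received FCT data len = 294, data = 'VER=1
FCTVER=7.2.4.0972
HOST=DESKTOP-I14IVVC
USER=ipsec
EMSSN=FCTEMS12345
'
ike V=root:0:ADC Tunnel:897: peer identifier IPV4_ADDR 192.168.1.11
ike V=root:0:ADC Tunnel:897: gw validation OK
ike V=root:0: IKEv2 exchange=AUTH id=fd23616068ea787b/8a56f0004eec7c3d:00000002 len=80
"""

RE_EXCHANGE = re.compile(r"IKEv2 exchange=(\w+) id=([0-9a-f]+)/([0-9a-f]+)")
RE_PROPOSAL = re.compile(r"proposal id = (\d+):")
RE_ATTR = re.compile(r"type=(\w+), val=(.+?)\.?$")
RE_MATCHED = re.compile(r"matched proposal id (\d+)")
RE_GATEWAY = re.compile(r"matched gateway (.+)$")
RE_NAT = re.compile(r"NAT detected: (.+)$")
RE_PEER = re.compile(r"peer identifier IPV4_ADDR (\S+)")
RE_FCT_START = re.compile(r"received FCT data len = \d+, data = '(.*)$")


def _fct_kv(store, line):
    """Store one KEY=VALUE line of FCT data; return True once the closing quote is seen."""
    body = line.rstrip().rstrip("'").strip()
    if "=" in body:
        key, _, value = body.partition("=")
        store[key.strip()] = value.strip()
    return line.rstrip().endswith("'")


def summarize_ike_trace(text):
    """Reduce an ike debug trace to the facts that matter for the verification step."""
    s = {"exchanges": [], "spi_i": None, "spi_r": None, "proposals": {},
         "matched_proposal": None, "gateway": None, "nat": None, "peer": None,
         "gw_validated": False, "fct": {}}
    cur = None       # proposal id whose transforms are currently being listed
    in_fct = False   # inside the multi-line FortiClient (FCT) data payload
    for line in text.splitlines():
        if in_fct:
            in_fct = not _fct_kv(s["fct"], line)
            continue
        m = RE_FCT_START.search(line)
        if m:
            in_fct = not _fct_kv(s["fct"], m.group(1))
            continue
        m = RE_EXCHANGE.search(line)
        if m:
            s["exchanges"].append(m.group(1))
            s["spi_i"] = m.group(2)
            if m.group(3) != "0" * 16:   # responder SPI is all zeros in the first SA_INIT
                s["spi_r"] = m.group(3)
            continue
        m = RE_PROPOSAL.search(line)
        if m:
            cur = m.group(1)
            s["proposals"].setdefault(cur, {})
            continue
        m = RE_ATTR.search(line)
        if m and cur is not None:
            s["proposals"][cur][m.group(1)] = m.group(2)
            continue
        for key, rx in (("matched_proposal", RE_MATCHED), ("gateway", RE_GATEWAY),
                        ("nat", RE_NAT), ("peer", RE_PEER)):
            m = rx.search(line)
            if m:
                s[key] = m.group(1)   # later lines win, e.g. "NAT detected: ME PEER"
        if "gw validation OK" in line:
            s["gw_validated"] = True
    return s


def chosen_proposal(summary):
    """Transforms of the proposal FortiOS selected, or {} if none matched."""
    return summary["proposals"].get(summary["matched_proposal"], {})


def negotiation_ok(summary):
    """True when SA_INIT and AUTH were seen, a proposal and gateway matched and the gw ID validated."""
    ex = summary["exchanges"]
    return ("SA_INIT" in ex and "AUTH" in ex and summary["matched_proposal"] is not None
            and summary["gateway"] is not None and summary["gw_validated"])
```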

                                <winserver>0.0.0.0</winserver>
                            </virtualip>
                            <proposals>
                                <proposal>AES128|SHA1</proposal>
                                <proposal>AES256|SHA256</proposal>
                            </proposals>
                        </ipsec_settings>
                        <android_cert_path/>
                        <warn_invalid_server_certificate>1</warn_invalid_server_certificate>
                        <on_connect>
                            <script>
                                <os>windows</os>
                                <script/>
                            </script>
                            <script>
                                <os>MacOSX</os>
                                <script/>
                            </script>
                            <script>
                                <os>linux</os>
                                <script/>
                            </script>
                        </on_connect>
                        <on_disconnect>
                            <script>
                                <os>windows</os>
                                <script/>
                            </script>
                            <script>
                                <os>MacOSX</os>
                                <script/>
                            </script>
                            <script>
                                <os>linux</os>
                                <script/>
                            </script>
                        </on_disconnect>
                        <traffic_control>
                            <enabled>0</enabled>
                            <mode>1</mode>
                        </traffic_control>
                    </connection>
                </connections>
                <options>
                    <usewincert>1</usewincert>
                    <disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
                    <uselocalcert>0</uselocalcert>
                    <beep_if_error>0</beep_if_error>
                    <check_for_cert_private_key>0</check_for_cert_private_key>
                    <no_dns_registration>0</no_dns_registration>
                    <enhanced_key_usage_mandatory>0</enhanced_key_usage_mandatory>
                    <disable_default_route>0</disable_default_route>
                    <use_win_current_user_cert>1</use_win_current_user_cert>
                    <enable_udp_checksum>0</enable_udp_checksum>
                    <show_auth_cert_only>0</show_auth_cert_only>
                    <usesmcardcert>1</usesmcardcert>
                    <block_ipv6>1</block_ipv6>
                    <use_win_local_computer_cert>1</use_win_local_computer_cert>
                    <enabled>1</enabled>
                </options>
            </ipsecvpn>
            <lockdown>
                <grace_period>120</grace_period>
                <max_attempts>3</max_attempts>
                <exceptions>
                    <apps/>
                    <ips/>
                </exceptions>
                <enabled>0</enabled>
            </lockdown>
            <options>
                <suppress_vpn_notification>0</suppress_vpn_notification>
                <secure_remote_access>0</secure_remote_access>
                <keep_running_max_tries>0</keep_running_max_tries>
                <use_windows_credentials>0</use_windows_credentials>
                <allow_personal_vpns>1</allow_personal_vpns>
                <show_vpn_before_logon>0</show_vpn_before_logon>
                <use_legacy_vpn_before_logon>0</use_legacy_vpn_before_logon>
                <on_os_start_connect/>
                <disable_connect_disconnect>0</disable_connect_disconnect>
                <show_negotiation_wnd>0</show_negotiation_wnd>
                <on_os_start_connect_has_priority>0</on_os_start_connect_has_priority>
                <autoconnect_on_install>0</autoconnect_on_install>
                <autoconnect_only_when_offnet>0</autoconnect_only_when_offnet>
                <minimize_window_on_connect>1</minimize_window_on_connect>
            </options>
        </vpn>
        <endpoint_control>
            <ui>
                <display_vpn>1</display_vpn>
            </ui>
        </endpoint_control>
    </forticlient_configuration>
  9. Save. After FortiClient receives the profile changes from EMS, it can connect to an IPsec VPN tunnel pushed from FortiADC.
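The settings this use case depends on can be checked before the profile is pushed. The following is an added example, not part of the guide or of FortiClient: it walks a profile using the tag names shown above (the embedded XML is a constructed, abbreviated sample) and reports any deviation; reading `disallow_invalid_server_certificate` as reject-versus-warn is an assumption based on the tag name.

```python
"""Audit a FortiClient IPsec VPN profile (the XML EMS pushes) for the settings
the FortiADC use case depends on.  Added example, not Fortinet code; the sample
is a constructed, abbreviated profile using the same tag names as above."""
import xml.etree.ElementTree as ET

SAMPLE_PROFILE = """<forticlient_configuration><vpn><ipsecvpn>
  <connections><connection><name>ADC Tunnel</name>
    <ike_settings>
      <server>192.168.1.7</server><version>2</version>
      <nat_traversal>1</nat_traversal><dpd>1</dpd>
      <auth_data><preshared_key>Enc 7de9d08db7716deba8e66e5526eac5d9</preshared_key></auth_data>
    </ike_settings>
  </connection></connections>
  <options><disallow_invalid_server_certificate>0</disallow_invalid_server_certificate></options>
</ipsecvpn></vpn></forticlient_configuration>"""


def text(elem, path, default=""):
    """Stripped text of a child element found by path, or default if absent."""
    child = elem.find(path)
    return (child.text or "").strip() if child is not None else default


def audit_profile(xml_text):
    """Return (scope, finding) pairs; an empty list means all checks passed."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("connection"):
        name = text(conn, "name", "<unnamed>")
        ike = conn.find("ike_settings")
        if ike is None:
            findings.append((name, "no ike_settings block"))
            continue
        # FortiADC handles the IKE UDP 4500 flow for IKEv2 tunnels only.
        if text(ike, "version") != "2":
            findings.append((name, "IKE version is not 2 (IKEv2 required)"))
        # The tunnel is UDP-encapsulated on port 4500, so NAT-T must stay on.
        if text(ike, "nat_traversal") != "1":
            findings.append((name, "nat_traversal disabled"))
        if text(ike, "dpd") != "1":
            findings.append((name, "dead peer detection disabled"))
        # The profile above stores the PSK as "Enc <hex>"; anything else is clear text.
        psk = text(ike, "auth_data/preshared_key")
        if psk and not psk.startswith("Enc "):
            findings.append((name, "preshared_key is stored unencrypted"))
    # Assumption, reading the flag by its name: 0 means an invalid server
    # certificate is warned about rather than refused.
    opts = root.find("vpn/ipsecvpn/options")
    if opts is not None and text(opts, "disallow_invalid_server_certificate") != "1":
        findings.append(("options", "invalid server certificates are not rejected"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit_profile(SAMPLE_PROFILE):
        print(f"{scope}: {finding}")
```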
To verify this configuration:
  1. In FortiOS, go to Dashboard > Network.
  2. Expand the IPsec widget.
  3. Verify that the IPsec VPN tunnel is up.
  4. If desired, you can enable IKE debugging in FortiOS and view the output:
    FGVMULTM12345 # diagnose debug enable
    
    FGVMULTM212345 # diagnose debug application ike -1
    Debug messages will be on for 30 minutes.
    
    FGVMULTM12345 # ike V=root:0: comes 192.168.1.11:4500->192.168.1.1:4500,ifindex=5,vrf=0,len=508....
    ike V=root:0: IKEv2 exchange=SA_INIT id=fd23616068ea787b/0000000000000000 len=504
    Ike V=root:0:fd23616068ea787b/0000000000000000:897: responder received SA_INIT msg
    ike V=root:0:fd23616068ea787b/0000000000000000:897: VID forticlient connect license 4C53427B6D465D1B337BB755A37A7FEF
    ike V=root:0:fd23616068ea787b/0000000000000000:897: VID Fortinet Endpoint Control B4F01CA951E9DA8D0BAFBBD34AD3044E
    ike V=root:0:fd23616068ea787b/0000000000000000:897: VID unknown (16): C1DC4350476B98A429B91781914CA43E
    ike V=root:0:fd23616068ea787b/0000000000000000:897: received notify type 61699
    ike V=root:0:fd23616068ea787b/0000000000000000:897: ignoring unauthenticated notify payload (61699)
    ike V=root:0:fd23616068ea787b/0000000000000000:897: received notify type 61699
    ike V=root:0:fd23616068ea787b/0000000000000000:897: ignoring unauthenticated notify payload (61699)
    ike V=root:0:fd23616068ea787b/0000000000000000:897: received notify type NAT_DETECTION_SOURCE_IP
    ike V=root:0:fd23616068ea787b/0000000000000000:897: received notify type NAT_DETECTION_DESTINATION_IP
    ike V=root:0:fd23616068ea787b/0000000000000000:897: incoming proposal:
    ike V=root:0:fd23616068ea787b/0000000000000000:897: proposal id = 1:
    ike V=root:0:fd23616068ea787b/0000000000000000:897:   protocol = IKEv2:
    ike V=root:0:fd23616068ea787b/0000000000000000:897:      encapsulation = IKEv2/none
    ike V=root:0:fd23616068ea787b/0000000000000000:897:         type=ENCR, val=AES_CBC (key_len = 128)
    ike V=root:0:fd23616068ea787b/0000000000000000:897:         type=INTEGR, val=AUTH_HMAC_SHA_96
    ike V=root:0:fd23616068ea787b/0000000000000000:897:         type=PRF, val=PRF_HMAC_SHA
    ike V=root:0:fd23616068ea787b/0000000000000000:897:         type=DH_GROUP, val=MODP1536.
    ike V=root:0:fd23616068ea787b/0000000000000000:897: proposal id = 2:
    ike V=root:0:fd23616068ea787b/0000000000000000:897:   protocol = IKEv2:
    ike V=root:0:fd23616068ea787b/0000000000000000:897:      encapsulation = IKEv2/none
    ike V=root:0:fd23616068ea787b/0000000000000000:897:         type=ENCR, val=AES_CBC (key_len = 128)
    ike V=root:0:fd23616068ea787b/0000000000000000:897:         type=INTEGR, val=AUTH_HMAC_SHA2_256_128
    ike V=root:0:fd23616068ea787b/0000000000000000:897:         type=PRF, val=PRF_HMAC_SHA2_256
    ike V=root:0:fd23616068ea787b/0000000000000000:897:         type=DH_GROUP, val=MODP1536.
    ike V=root:0:fd23616068ea787b/0000000000000000:897: matched proposal id 2
    ike V=root:0:fd23616068ea787b/0000000000000000:897: proposal id = 2:
    ike V=root:0:fd23616068ea787b/0000000000000000:897:   protocol = IKEv2:
    ike V=root:0:fd23616068ea787b/0000000000000000:897:      encapsulation = IKEv2/none
    ike V=root:0:fd23616068ea787b/0000000000000000:897:         type=ENCR, val=AES_CBC (key_len = 128)
    ike V=root:0:fd23616068ea787b/0000000000000000:897:         type=INTEGR, val=AUTH_HMAC_SHA2_256_128
    ike V=root:0:fd23616068ea787b/0000000000000000:897:         type=PRF, val=PRF_HMAC_SHA2_256
    ike V=root:0:fd23616068ea787b/0000000000000000:897:         type=DH_GROUP, val=MODP1536.
    ike V=root:0:fd23616068ea787b/0000000000000000:897: lifetime=86400
    ike V=root:0:fd23616068ea787b/0000000000000000:897: SA proposal chosen, matched gateway ADC Tunnel
    ike V=root:0:ADC Tunnel: created connection: 0xf9e2ff0 5 192.168.1.1->192.168.1.11:4500.
    ike V=root:0:ADC Tunnel:897: processing notify type NAT_DETECTION_SOURCE_IP
    ike V=root:0:ADC Tunnel:897: processing NAT-D payload
    ike V=root:0:ADC Tunnel:897: NAT detected: PEER
    ike V=root:0:ADC Tunnel:897: process NAT-D
    ike V=root:0:ADC Tunnel:897: processing notify type NAT_DETECTION_DESTINATION_IP
    ike V=root:0:ADC Tunnel:897: processing NAT-D payload
    ike V=root:0:ADC Tunnel:897: NAT detected: ME PEER
    ike V=root:0:ADC Tunnel:897: process NAT-D
    ike V=root:0:ADC Tunnel:897: enable FortiClient endpoint compliance check, use 169.254.7.1
    ike V=root:0:ADC Tunnel:897: responder preparing SA_INIT msg
    ike V=root:0:ADC Tunnel:897: generate DH public value request queued
    ike V=root:0:ADC Tunnel:897: responder preparing SA_INIT msg
    ike V=root:0:ADC Tunnel:897: compute DH shared secret request queued
    ike V=root:0:ADC Tunnel:897: responder preparing SA_INIT msg
    ike V=root:0:ADC Tunnel:897: create NAT-D hash local 192.168.1.1/4500 remote 192.168.1.11/4500
    ike V=root:0:ADC Tunnel:897: sent IKE msg (SA_INIT_RESPONSE): 192.168.1.1:4500->192.168.1.11:4500, len=352, vrf=0, id=fd23616068ea787b/8a56f0004eec7c3d, oif=5
    ike 0:ADC Tunnel:897: IKE SA fd23616068ea787b/8a56f0004eec7c3d SK_ei 16:5204278EAA78717A3D501DB8ED8FD673
    ike 0:ADC Tunnel:897: IKE SA fd23616068ea787b/8a56f0004eec7c3d SK_er 16:7B38711FE8D81E238370F4D9D75B4954
    ike 0:ADC Tunnel:897: IKE SA fd23616068ea787b/8a56f0004eec7c3d SK_ai 32:68CF5D7F413B68413D0E6411181CD5F0EE4AA630D72274B56E6790A7EE7568F8
    ike 0:ADC Tunnel:897: IKE SA fd23616068ea787b/8a56f0004eec7c3d SK_ar 32:6033D1AFE65E3A3B65B1D6B58B0B7CC7083D077684039D03897CF68F23C96DAE
    ike V=root:0: comes 192.168.1.11:4500->192.168.1.1:4500,ifindex=5,vrf=0,len=612....
    ike V=root:0: IKEv2 exchange=AUTH id=fd23616068ea787b/8a56f0004eec7c3d:00000001 len=608
    ike V=root:0:ADC Tunnel:897: responder received AUTH msg
    ike V=root:0:ADC Tunnel:897: processing notify type INITIAL_CONTACT
    ike V=root:0:ADC Tunnel:897: processing notify type FORTICLIENT_CONNECT
    ike V=root:0:ADC Tunnel:897: received FCT data len = 294, data = 'VER=1
    FCTVER=7.2.4.0972
    UID=95F07503CB724BE083208F97EEB9CF82
    IP=192.168.1.11
    MAC=00-15-5d-23-a8-4a;00-15-5d-23-a8-5a;
    HOST=DESKTOP-I14IVVC
    USER=ipsec
    OSVER=Microsoft Windows 10 Enterprise Edition, 64-bit (build 19045)
    REG_STATUS=0
    EMSSN=FCTEMS12345
    EMSID=00000000000000000000000000000000
    '
    ike V=root:0:ADC Tunnel:897: received FCT-UID : 123456
    ike V=root:0:ADC Tunnel:897: peer identifier IPV4_ADDR 192.168.1.11
    ike V=root:0:ADC Tunnel:897: re-validate gw ID
    ike V=root:0:ADC Tunnel:897: gw validation OK
    ike V=root:0:ADC Tunnel:897: responder preparing EAP identity request
    ike V=root:0:ADC Tunnel:897: sent IKE msg (AUTH_RESPONSE): 192.168.1.1:4500->192.168.1.11:4500, len=128, vrf=0, id=fd23616068ea787b/8a56f0004eec7c3d:00000001, oif=5
    ike V=root:0: comes 192.168.1.11:4500->192.168.1.1:4500,ifindex=5,vrf=0,len=84....
    ike V=root:0: IKEv2 exchange=AUTH id=fd23616068ea787b/8a56f0004eec7c3d:00000002 len=80
  5. After the VPN connection succeeds, ping internal servers located behind the FortiGate from the endpoint to verify that it can access them. Ping should succeed:

    ping 192.168.2.4
    
    Pinging 192.168.2.4 with 32 bytes of data:
    Reply from 192.168.2.4: bytes=32 time=1ms TTL=127
    Reply from 192.168.2.4: bytes=32 time<1ms TTL=127
    Reply from 192.168.2.4: bytes=32 time=1ms TTL=127
    Reply from 192.168.2.4: bytes=32 time<1ms TTL=127
    
    Ping statistics for 192.168.2.4:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 1ms, Average = 0ms
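The IKE debug output in step 4 can also be checked programmatically. The following is an added example, not Fortinet tooling: it parses lines in the format of that output (the embedded sample lines are constructed to follow it) and reports whether the negotiation reached the AUTH exchange, which proposal FortiOS chose, the NAT-D result, and which FortiClient FCT fields the endpoint sent.

```python
"""Summarize a FortiOS 'diagnose debug application ike -1' capture of an IKEv2
negotiation.  Added example, not Fortinet tooling; the sample log is constructed."""
import re

SAMPLE_LOG = """ike V=root:0: IKEv2 exchange=SA_INIT id=fd23616068ea787b/0000000000000000 len=504
ike V=root:0:fd23616068ea787b/0000000000000000:897: proposal id = 2:
ike V=root:0:fd23616068ea787b/0000000000000000:897:         type=ENCR, val=AES_CBC (key_len = 128)
ike V=root:0:fd23616068ea787b/0000000000000000:897:         type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike V=root:0:fd23616068ea787b/0000000000000000:897: matched proposal id 2
ike V=root:0:fd23616068ea787b/0000000000000000:897: SA proposal chosen, matched gateway ADC Tunnel
ike V=root:0:ADC Tunnel:897: NAT detected: ME PEER
ike V=root:0: IKEv2 exchange=AUTH id=fd23616068ea787b/8a56f0004eec7c3d:00000001 len=608
ike V=root:0:ADC Tunnel:897: received FCT data len = 294, data = 'VER=1
FCTVER=7.2.4.0972
EMSSN=FCTEMS12345
'
"""


def parse_ike_debug(log_text):
    """Return exchanges seen, transforms per proposal, matched id, gateway, NAT-D result, FCT block."""
    s = {"exchanges": [], "proposals": {}, "matched_id": None, "gateway": None, "nat": None, "fct": {}}
    current, fct_lines = None, None
    for line in log_text.splitlines():
        if fct_lines is not None:  # inside the multi-line FCT block; a lone quote closes it
            if line.strip() == "'":
                s["fct"] = dict(kv.split("=", 1) for kv in fct_lines if "=" in kv)
                fct_lines = None
            else:
                fct_lines.append(line.strip())
        elif m := re.search(r"exchange=(\w+)", line):
            s["exchanges"].append(m.group(1))
        elif m := re.search(r"proposal id = (\d+):", line):
            current = int(m.group(1))
            s["proposals"].setdefault(current, {})
        elif (m := re.search(r"type=(\w+), val=(.+?)\.?$", line)) and current is not None:
            s["proposals"][current][m.group(1)] = m.group(2)
        elif m := re.search(r"matched proposal id (\d+)", line):
            s["matched_id"] = int(m.group(1))
        elif m := re.search(r"matched gateway (.+)$", line):
            s["gateway"] = m.group(1).strip()
        elif m := re.search(r"NAT detected: (.+)$", line):
            s["nat"] = m.group(1).strip()
        elif m := re.search(r"data = '(.*)$", line):
            fct_lines = [m.group(1)]
    return s


def check_negotiation(s):
    """Verification findings; empty means the tunnel negotiated as expected."""
    findings = []
    if "AUTH" not in s["exchanges"]:
        findings.append("AUTH exchange never reached; SA_INIT did not complete")
    chosen = s["proposals"].get(s["matched_id"], {})
    if not chosen:
        findings.append("no proposal matched")
    elif chosen.get("INTEGR") == "AUTH_HMAC_SHA_96":
        findings.append("negotiated SHA1 integrity; prefer the SHA256 proposal")
    if "EMSSN" not in s["fct"]:
        findings.append("client sent no EMS serial; endpoint may not be EMS-managed")
    return findings
```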