Fortinet Document Library

Cookbook

iOS device as dialup client

This is a sample configuration of dialup IPsec VPN with an iPhone or iPad as the dialup client.

You can configure dialup IPsec VPN with an iOS device as the dialup client using the GUI or CLI.

To configure IPsec VPN with an iOS device as the dialup client on the GUI:
  1. Go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
    1. Enter a VPN name.
    2. For Template Type, select Remote Access.
    3. For Remote Device Type, select Native > iOS Native.
    4. For NAT Configuration, set No NAT Between Sites.
    5. Click Next.
  2. Configure the following settings for Authentication:
    1. For Incoming Interface, select wan1.
    2. For Authentication Method, select Pre-shared Key.
    3. In the Pre-shared Key field, enter your-psk as the key.
    4. From the User Group dropdown list, select vpngroup.
    5. Deselect Require 'Group Name' on VPN client.
    6. Click Next.
  3. Configure the following settings for Policy & Routing:
    1. From the Local Interface dropdown menu, select lan.
    2. Configure the Local Address as local_network.
    3. Configure the Client Address Range as 10.10.2.1-10.10.2.200.
    4. Keep the default values for the Subnet Mask, DNS Server, and Enable IPv4 Split tunnel.
    5. Click Create.
To configure IPsec VPN with an iOS device as the dialup client using the CLI:
  1. In the CLI, configure the user and group.
    config user local
        edit "vpnuser1" 
            set type password
            set passwd your-password
        next 
    end
    config user group
        edit "vpngroup" 
            set member "vpnuser1"
        next 
    end
  2. Configure the internal interface. The LAN interface connects to the corporate internal network. Traffic from this interface routes out the IPsec VPN tunnel. Creating an address group for the protected network behind this FortiGate causes traffic to this network group to go through the IPsec tunnel.
    config system interface 
        edit "lan"
            set vdom "root"
            set ip 10.10.111.1 255.255.255.0
        next
    end
    
    config firewall address
        edit "local_subnet_1" 
            set ip 10.10.111.0 255.255.255.0 
        next 
    end 
    
    config firewall address
        edit "local_subnet_2" 
            set ip 10.10.112.0 255.255.255.0 
        next 
    end 
    
    config firewall addrgrp
        edit "local_network" 
            set member "local_subnet_1" "local_subnet_2" 
        next 
    end 
  3. Configure the WAN interface. The WAN interface is the interface connected to the ISP. It can work in static mode (as shown in this example), DHCP, or PPPoE mode. The IPsec tunnel is established over the WAN interface.
    config system interface 
        edit "wan1"
            set vdom "root"
            set ip 172.20.120.123 255.255.255.0
        next
    end
  4. Configure the client address pool. You must create a firewall address of type IP range; the phase1-interface assigns each client an IP address from this pool.
    config firewall address
        edit "client_range"
            set type iprange
            set comment "VPN client range"
            set start-ip 10.10.2.1
            set end-ip 10.10.2.200
        next
    end
  5. Configure the IPsec phase1-interface. In this example, PSK is used as the authentication method. Signature authentication is also an option.
    config vpn ipsec phase1-interface
        edit "for_ios_p1"
            set type dynamic
            set interface "wan1"
            set peertype any
            set net-device enable
            set mode-cfg enable
            set proposal aes256-sha256 aes256-md5 aes256-sha1
            set dpd on-idle
            set dhgrp 14 5 2
            set xauthtype auto
            set authusrgrp "vpngroup"
            set assign-ip-from name
            set ipv4-name "client_range"
            set dns-mode auto
            set ipv4-split-include "local_network"
            set psksecret your-psk
            set dpd-retryinterval 60
        next
    end
  6. Configure the IPsec phase2-interface.
    config vpn ipsec phase2-interface 
        edit "for_ios_p2" 
            set phase1name "for_ios_p1" 
            set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305 
            set pfs disable
            set keepalive enable
        next 
    end 
  7. Configure the firewall policy to allow client traffic to flow over the IPsec VPN tunnel. The source address is the client address pool (client_range) created in step 4, and the destination is the protected network group (local_network) created in step 2.
    config firewall policy
        edit 1
            set name "ios_vpn"
            set srcintf "for_ios_p1"
            set dstintf "lan"
            set srcaddr "client_range"
            set dstaddr "local_network"
            set action accept
            set schedule "always"
            set service "ALL"
        next
    end
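The CLI steps above define address objects, a phase1-interface that hands out client addresses from one of them and splits traffic to another, and a policy that references both by name; a typo in any of those names leaves the policy or pool dangling without an error at commit time. The following script is an added example, not Fortinet code or a FortiGate feature: it parses a FortiOS CLI snippet of the one-level config / edit / set / next / end shape used on this page into tables, checks that every address the phase1 (ipv4-name, ipv4-split-include) and the policy (srcaddr, dstaddr) references is defined, and flags legacy entries in the phase1 proposal and DH group lists (MD5 integrity, DH groups 1, 2 and 5). The embedded snippet is constructed for the example and deliberately contains a policy whose srcaddr names an address object that is never defined.

```python
"""Lint a FortiOS CLI snippet for a dialup IPsec VPN: referential checks plus
legacy-algorithm checks. Added example, not Fortinet code."""
import re
from collections import defaultdict

# Constructed sample (not taken verbatim from a device). The policy on purpose
# names "ios_range", which no 'config firewall address' block defines.
SAMPLE_CONFIG = """
config firewall address
    edit "local_subnet_1"
        set ip 10.10.111.0 255.255.255.0
    next
end
config firewall address
    edit "client_range"
        set type iprange
        set start-ip 10.10.2.1
        set end-ip 10.10.2.200
    next
end
config firewall addrgrp
    edit "local_network"
        set member "local_subnet_1"
    next
end
config vpn ipsec phase1-interface
    edit "for_ios_p1"
        set proposal aes256-sha256 aes256-md5 aes256-sha1
        set dhgrp 14 5 2
        set assign-ip-from name
        set ipv4-name "client_range"
        set ipv4-split-include "local_network"
    next
end
config firewall policy
    edit 1
        set srcintf "for_ios_p1"
        set dstintf "lan"
        set srcaddr "ios_range"
        set dstaddr "local_network"
    next
end
"""

WEAK_HASHES = {"md5"}             # MD5 integrity is deprecated for IKE
WEAK_DH_GROUPS = {"1", "2", "5"}  # 768/1024/1536-bit MODP groups

def parse_fortios(text):
    """Return {table: {entry: {key: [values]}}} for a one-level CLI snippet."""
    tables = defaultdict(dict)
    table = entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            table = line[len("config "):]
        elif line.startswith("edit "):
            entry = line[len("edit "):].strip('"')
            tables[table][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, rest = line[len("set "):].partition(" ")
            # keep quoted names whole, split everything else on whitespace
            tables[table][entry][key] = [v.strip('"') for v in re.findall(r'"[^"]*"|\S+', rest)]
        elif line == "next":
            entry = None
        elif line == "end":
            table = None
    return dict(tables)

def lint(tables):
    """Return human-readable findings; an empty list means the snippet is clean."""
    findings = []
    addresses = tables.get("firewall address", {})
    defined = set(addresses) | set(tables.get("firewall addrgrp", {}))

    for name, p1 in tables.get("vpn ipsec phase1-interface", {}).items():
        for prop in p1.get("proposal", []):
            if prop.rsplit("-", 1)[-1] in WEAK_HASHES:
                findings.append(f"phase1 {name}: legacy proposal {prop}")
        for grp in p1.get("dhgrp", []):
            if grp in WEAK_DH_GROUPS:
                findings.append(f"phase1 {name}: legacy DH group {grp}")
        for pool in p1.get("ipv4-name", []):  # the pool must be an iprange address
            if addresses.get(pool, {}).get("type") != ["iprange"]:
                findings.append(f"phase1 {name}: ipv4-name {pool!r} is not a defined iprange address")
        for ref in p1.get("ipv4-split-include", []):
            if ref not in defined:
                findings.append(f"phase1 {name}: ipv4-split-include {ref!r} is undefined")

    for pid, pol in tables.get("firewall policy", {}).items():
        for key in ("srcaddr", "dstaddr"):
            for ref in pol.get(key, []):
                if ref not in defined:
                    findings.append(f"policy {pid}: {key} {ref!r} is not a defined address or group")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(parse_fortios(SAMPLE_CONFIG))) or "clean")
```

Run it on the output of `show` from a FortiGate after pasting the sample into SAMPLE_CONFIG; the checks are intentionally narrow (only the tables this page touches) so that a clean result is meaningful rather than a claim about the whole configuration.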
  8. Configure the iOS device.
    1. In the iOS device, go to Settings > General > VPN and select Add VPN Configuration.
    2. Set the Type to IPsec and enter a Description. Set the Server to the FortiGate's Internet-facing interface, and enter the username in Account. Enter the user password and the preshared IPsec VPN secret, then select Done.
    3. Ensure that the IPsec VPN configuration is highlighted (indicated by a checkmark), and select the Not Connected button. The IPsec VPN connects with the user's credentials and secret. The status changes to Connected, and a VPN icon appears at the top of the screen.
  9. Run diagnose commands to check the IPsec phase1/phase2 interface status. The diagnose debug application ike -1 command is the key command for troubleshooting why an IPsec tunnel fails to establish.
    1. Run the diagnose vpn ike gateway list command. The system should return the following:
      vd: root/0
      name: for_ios_p1_0
      version: 1
      interface: port1 15
      addr: 172.20.120.123:4500 -> 172.20.120.254:64916
      created: 17s ago
      xauth-user: u1
      assigned IPv4 address: 10.10.2.1/255.255.255.255
      nat: me peer
      IKE SA: created 1/1 established 1/1 time 150/150/150 ms
      IPsec SA: created 1/1 established 1/1 time 10/10/10 ms
      id/spi: 2 3c844e13c75591bf/80c2db92c8d3f602 direction: responder status: established 17-17s ago = 150ms proposal: aes256-sha256 key: 0032ea5ee160d775-51f3bf1f9909101b-b89c7b5a77a07784-2c92cf9c921801ac lifetime/rekey: 3600/3312 DPD sent/recv: 00000000/00000000
    2. Run the diagnose vpn tunnel list command. The system should return the following:
      list all ipsec tunnel in vd 0
      ======================================================
      name=for_ios_p1_0 ver=1 serial=172.20.120.123:4500->172.20.120.254:64916
      bound_if=15 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/984 options[03d8]=npu create_dev no-sysctl rgwy-chg rport-chg frag-rfc accept_traffic=1
      parent=for_ios_p1 index=0
      proxyid_num=1 child_num=0 refcnt=12 ilast=23 olast=23 ad=/0
      stat: rxp=0 txp=0 rxb=0 txb=0
      dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=0
      natt: mode=keepalive draft=32 interval=10 remote_port=64916
      proxyid=for_ios_p1 proto=0 sa=1 ref=2 serial=1 add-route
      src: 0:10.10.111.0-10.10.111.255:0 dst: 0:10.10.2.1-10.10.2.1:0 SA: ref=3 options=a7 type=00 soft=0 mtu=1422 expire=3564/0B replaywin=2048
      seqno=1 esn=0 replaywin_lastseq=00000000 itn=0
      life: type=01 bytes=0/0 timeout=3587/3600 dec: spi=36274d15 esp=aes key=32 5a599d796f8114c83d6589284f036fc33bdf4456541e2154b4ac2217b6aec869
      ah=sha1 key=20 f1efdeb77d6f856a8dd3a30cbc23cb0f8a3e0340
      enc: spi=00b0d9ab esp=aes key=32 e9232d7a1c4f390fd09f8409c2d85f80362d940c08c73f245908ab1ac3af322f
      ah=sha1 key=20 a3890d6c5320756291cad85026d3a78fd42a1b42
      dec:pkts/bytes=0/0, enc:pkts/bytes=0/0 npu_flag=00 npu_rgwy=172.20.120.254 npu_lgwy=172.20.120.123 npu_selid=1 dec_npuid=0 enc_npuid=0
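Step 9 reads the gateway list by eye. The following script is an added example, not a FortiOS feature or Fortinet code: it parses the diagnose vpn ike gateway list output shown above into one record per gateway and checks what an operator checks by hand, namely that both the IKE and IPsec SAs are established, that the peer was assigned an address inside the configured client pool (10.10.2.1-10.10.2.200), that the negotiated IKE proposal is one you expect, and that an XAuth user was recorded. The sample input is the output shown on this page; the failing variant is constructed by editing that sample. The field names parsed and the pool bounds are assumptions tied to this page's example.

```python
"""Parse 'diagnose vpn ike gateway list' output and check one dialup gateway
against the expected client pool and proposal. Added example, not FortiOS
code; the field names are taken from the sample output on this page."""
import ipaddress
import re

# Sample output as printed on this page for an established iOS dialup peer.
SAMPLE_GATEWAY_LIST = """\
vd: root/0
name: for_ios_p1_0
version: 1
interface: port1 15
addr: 172.20.120.123:4500 -> 172.20.120.254:64916
created: 17s ago
xauth-user: u1
assigned IPv4 address: 10.10.2.1/255.255.255.255
nat: me peer
IKE SA: created 1/1 established 1/1 time 150/150/150 ms
IPsec SA: created 1/1 established 1/1 time 10/10/10 ms
id/spi: 2 3c844e13c75591bf/80c2db92c8d3f602 direction: responder status: established 17-17s ago = 150ms proposal: aes256-sha256 key: 0032ea5ee160d775-51f3bf1f9909101b-b89c7b5a77a07784-2c92cf9c921801ac lifetime/rekey: 3600/3312 DPD sent/recv: 00000000/00000000
"""

SA_RE = re.compile(r"^(IKE SA|IPsec SA): created (\d+)/(\d+) established (\d+)/(\d+)")

def parse_gateway_list(text):
    """Return one dict per gateway; a 'vd:' line starts a new record."""
    gateways, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("vd:"):
            cur = {}
            gateways.append(cur)
        if cur is None:
            continue
        m = SA_RE.match(line)
        if m:
            cur[m.group(1)] = {"created": int(m.group(2)), "established": int(m.group(4))}
            continue
        if line.startswith("id/spi:"):
            # the SPI line carries several 'label: value' pairs; keep the ones we need
            status = re.search(r"status: (\w+)", line)
            proposal = re.search(r"proposal: (\S+)", line)
            cur["status"] = status.group(1) if status else None
            cur["proposal"] = proposal.group(1) if proposal else None
            continue
        key, sep, value = line.partition(":")  # plain 'label: value' lines
        if sep:
            cur[key.strip()] = value.strip()
    return gateways

def check_gateway(gw, pool_start, pool_end, allowed_proposals):
    """Return a list of problems; an empty list means the peer looks healthy."""
    problems = []
    if gw.get("status") != "established":
        problems.append(f"IKE status is {gw.get('status')!r}, not established")
    for sa in ("IKE SA", "IPsec SA"):
        counts = gw.get(sa)
        if not counts or counts["established"] < 1:
            problems.append(f"{sa}: no established SA")
    assigned = gw.get("assigned IPv4 address", "").split("/")[0]
    if not assigned:
        problems.append("no IPv4 address assigned (mode-cfg not negotiated)")
    else:
        ip = ipaddress.ip_address(assigned)
        lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
        if not lo <= ip <= hi:
            problems.append(f"assigned {assigned} is outside pool {pool_start}-{pool_end}")
    if gw.get("proposal") not in allowed_proposals:
        problems.append(f"unexpected IKE proposal {gw.get('proposal')!r}")
    if not gw.get("xauth-user"):
        problems.append("no XAuth user recorded")
    return problems

# Constructed failing variant: the SA counts and status are edited so the
# record looks like a peer stuck in negotiation.
SAMPLE_FAILING = (SAMPLE_GATEWAY_LIST
                  .replace("IKE SA: created 1/1 established 1/1", "IKE SA: created 1/1 established 0/1")
                  .replace("status: established", "status: connecting"))

if __name__ == "__main__":
    for gw in parse_gateway_list(SAMPLE_GATEWAY_LIST):
        print(gw["name"], check_gateway(gw, "10.10.2.1", "10.10.2.200", {"aes256-sha256"}) or "ok")
```

A record that parses but fails the pool check usually means the phase1 is assigning from a different address object than the policy expects, which is exactly the mismatch the policy in step 7 would otherwise hide until traffic is dropped.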
