# IKEv2 VPN

**General-purpose IKEv2 remote-access VPN for FortiClient (gateway authenticated by PSK, users authenticated by EAP)**

## FortiGate Configuration

### Phase 1

```
config vpn ipsec phase1-interface
    edit "VPN-RA-FC"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 10.0.0.254
        set internal-domain-list "<removed>"
        set proposal aes256gcm-prfsha384 aes256gcm-prfsha256 aes256-sha256
        set localid "<removed>"
        set dpd on-idle
        set dhgrp 21 19 14
        set eap enable
        set eap-identity send-request
        set authusrgrp "VPN Users"
        set assign-ip-from name
        set ipv4-split-include "GRP-VPN-ACCESS"
        set ipv4-name "RNG-RA-VPN-Clients"
        set psksecret <removed>
        set dpd-retryinterval 60
    next
end
```

- `internal-domain-list` is the list of DNS domains the connected device should resolve through the tunnel DNS server (`ipv4-dns-server1`); list internal domains only.
- `localid` is the public DNS name of the firewall (required). The client's Remote ID must be set to exactly this value, otherwise IKE authentication fails.
- `psksecret` is the pre-shared key. It is the same for every client of this tunnel, so it is not a per-user credential; the user is authenticated separately by EAP (`eap enable`) against the `authusrgrp` "VPN Users".
- `ipv4-split-include` limits the routes pushed to the client to "GRP-VPN-ACCESS"; only traffic to those addresses enters the tunnel.
- `proposal` lists the AES-GCM entries first and keeps `aes256-sha256` as a fallback for clients that can only offer AES-CBC with SHA-256 (such as the iOS profile below).

### Phase 2

```
config vpn ipsec phase2-interface
    edit "VPN-RA-FC-P2-DEFAULT"
        set phase1name "VPN-RA-FC"
        set proposal aes256gcm aes256-sha256
        set dhgrp 21 19 14
        set keepalive enable
        set keylifeseconds 3600
    next
end
```

A non-empty `dhgrp` list in phase 2 is what enforces PFS: every child SA rekey does a fresh Diffie-Hellman exchange, so the client profile must have PFS enabled and offer one of the listed groups.

### Policies

```
config firewall policy
    edit 18
        set name "Allow-VPN-RA-to-LAN"
        set uuid b88f102a-dff6-51f0-6157-49a1d9450327
        set srcintf "VPN-RA-APPLE" "VPN-RA-WINDOWS" "VPN-RA-FC"
        set dstintf "VLAN-LAN-100" "SSID-WLAN-TUN" "SSID-IOT-TUN" "VLAN-DMZ-200"
        set action accept
        set srcaddr "RNG-RA-VPN-Clients"
        set dstaddr "GRP-VPN-ACCESS"
        set schedule "always"
        set service "ALL"
    next
    edit 20
        set name "Allow-VPN-RA-to-WAN"
        set uuid ee369aec-dff9-51f0-c276-83956b56cd9c
        set srcintf "VPN-RA-APPLE" "VPN-RA-FC" "VPN-RA-WINDOWS"
        set dstintf "wan1"
        set action accept
        set srcaddr "RNG-RA-VPN-Clients"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

## Client Configuration

### iOS FortiClient App

<table border="1" id="bkmrk-secure-protocol-ikev" style="border-collapse: collapse; width: 100%;">
<colgroup><col style="width: 50.0542%;"></col><col style="width: 50.0542%;"></col></colgroup>
<tbody>
<tr><td>Secure Protocol</td><td>IKEv2 VPN</td></tr>
<tr><td>Name</td><td>&lt;Name&gt;</td></tr>
<tr><td>Server Address</td><td>Public DNS name of the firewall (same as <code>localid</code> in the tunnel config)</td></tr>
<tr><td>Authentication Method</td><td>Pre-shared Key</td></tr>
<tr><td>Pre-shared Key Secret</td><td>PSK (<code>psksecret</code>)</td></tr>
<tr><td>EAP-AUTH</td><td>Enabled</td></tr>
<tr><td>Local ID</td><td>empty</td></tr>
<tr><td>Remote ID</td><td>Public DNS name of the firewall (same as <code>localid</code> in the tunnel config)</td></tr>
<tr><td>Phase 1 Encryption</td><td>AES256</td></tr>
<tr><td>Phase 1 Authentication</td><td>SHA256</td></tr>
<tr><td>Phase 1 DH Group</td><td>14</td></tr>
<tr><td>Phase 1 Key Lifetime</td><td>86400</td></tr>
<tr><td>Phase 2 Encryption</td><td>AES256</td></tr>
<tr><td>Phase 2 Authentication</td><td>SHA256</td></tr>
<tr><td>Phase 2 DH Group</td><td>14</td></tr>
<tr><td>Phase 2 Key Lifetime</td><td>43200</td></tr>
<tr><td>DPD</td><td>enabled</td></tr>
<tr><td>PFS</td><td>enabled</td></tr>
<tr><td>Username</td><td>Client username (user in the FortiGate "VPN Users" group)</td></tr>
</tbody>
</table>

The client's AES256 / SHA256 / DH group 14 settings match the `aes256-sha256` entry and group 14 in both FortiGate proposal lists. The phase 2 lifetime on the client (43200 s) is longer than the gateway's `keylifeseconds 3600`, so the gateway will normally be the side that initiates the child SA rekey.
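To make the relationship between the FortiGate proposal lists (Phase 1 and Phase 2 above) and the client profile in this table concrete, here is an added example that models the proposal negotiation and lints the gateway lists for weak algorithms. It is not FortiOS or FortiClient code; the proposal strings are copied from this page, the client profile is constructed from the table, and the matching rule (the responder takes the first entry of its own list that the client also offers, and a plain cipher+hash profile cannot take an AES-GCM entry) is an assumption about FortiOS behaviour rather than something this page documents.

```python
"""Model IKEv2 proposal selection between the FortiGate lists on this page and
the FortiClient iOS profile, and lint the gateway lists for weak algorithms.

Added example, not FortiOS/FortiClient code. The selection rule is an
assumption: responder prefers its own list order; a non-AEAD client profile
cannot negotiate an AEAD (GCM) entry.
"""

# Phase 1 / phase 2 lists exactly as configured on the page.
P1_PROPOSAL = "aes256gcm-prfsha384 aes256gcm-prfsha256 aes256-sha256"
P1_DHGRPS = [21, 19, 14]
P2_PROPOSAL = "aes256gcm aes256-sha256"
P2_DHGRPS = [21, 19, 14]   # non-empty list is what "PFS enabled" on the client relies on

# Constructed from the iOS table: AES256 / SHA256 / DH group 14 for both phases.
IOS_CLIENT = {"cipher": "aes256", "hash": "sha256", "dhgrp": 14}

# Tokens that should not appear in a current deployment.
WEAK_CIPHERS = {"des", "3des", "null"}
WEAK_HASHES = {"md5", "sha1"}
WEAK_DHGRPS = {1, 2, 5}


def parse_proposals(proposal):
    """Split a FortiOS proposal string into {'cipher', 'hash', 'aead'} entries.

    Phase 1 entries are <cipher>-<hash> or, for AEAD ciphers, <cipher>-prf<hash>;
    phase 2 AEAD entries carry no hash token at all (e.g. 'aes256gcm').
    """
    entries = []
    for token in proposal.split():
        cipher, _, auth = token.partition("-")
        aead = cipher.endswith("gcm") or cipher.startswith("chacha20")
        entries.append({
            "cipher": cipher,
            "hash": auth[3:] if auth.startswith("prf") else (auth or None),
            "aead": aead,
        })
    return entries


def negotiate(client, proposal, dhgrps):
    """Return the gateway entry the client would settle on, or None.

    Assumed rule: the DH group must be in the gateway list, then the first
    non-AEAD gateway entry whose cipher and hash the client offers wins.
    """
    if client["dhgrp"] not in dhgrps:
        return None
    for entry in parse_proposals(proposal):
        if entry["aead"]:
            continue   # GCM entries need a client that offers GCM; this profile does not
        if entry["cipher"] == client["cipher"] and entry["hash"] == client["hash"]:
            return entry
    return None


def lint(proposal, dhgrps):
    """Return human-readable findings for weak ciphers, hashes or DH groups."""
    findings = []
    for entry in parse_proposals(proposal):
        if entry["cipher"] in WEAK_CIPHERS:
            findings.append(f"weak cipher {entry['cipher']}")
        if entry["hash"] in WEAK_HASHES:
            findings.append(f"weak hash {entry['hash']}")
    for g in dhgrps:
        if g in WEAK_DHGRPS:
            findings.append(f"weak DH group {g}")
    if not dhgrps:
        findings.append("no DH group: PFS disabled")
    return findings


def report(client=IOS_CLIENT):
    """Summarise negotiation and lint results for both phases."""
    return {
        "phase1": negotiate(client, P1_PROPOSAL, P1_DHGRPS),
        "phase2": negotiate(client, P2_PROPOSAL, P2_DHGRPS),
        "phase1_findings": lint(P1_PROPOSAL, P1_DHGRPS),
        "phase2_findings": lint(P2_PROPOSAL, P2_DHGRPS),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
    # Same profile with DH group 5: refused outright because 5 is not in the gateway list.
    print(negotiate({"cipher": "aes256", "hash": "sha256", "dhgrp": 5}, P1_PROPOSAL, P1_DHGRPS))
    # Removing the aes256-sha256 fallback leaves the iOS profile nothing to match.
    print(negotiate(IOS_CLIENT, "aes256gcm-prfsha384", P1_DHGRPS))
```

The two negative cases at the end are the ones that show up in practice as a client that "just fails to connect": a DH group the gateway does not list, or a gateway list trimmed to GCM-only while the client profile still offers AES-CBC with SHA-256.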