IKEv2 VPN
General Use IKEv2 VPN for FortiClient
Phase 1
# Phase 1: IKEv2 dial-up (remote-access) gateway for FortiClient.
# The enclosing "config vpn ipsec phase1-interface" / "end" lines are not
# shown on this page. Settings are kept in their original order: several
# of them (ipv4-*, eap-identity, authusrgrp) are only accepted after the
# setting that enables them (mode-cfg, eap), so do not reorder.
edit "VPN-RA-FC"
# dynamic: peers connect from any source address (dial-up gateway)
set type dynamic
set interface "wan1"
set ike-version 2
# no peer-ID restriction; the user is authenticated by EAP further down
set peertype any
set net-device disable
# mode-cfg pushes addressing, DNS and split-tunnel settings to the client
set mode-cfg enable
set ipv4-dns-server1 10.0.0.254
# DNS suffixes the client resolves through the tunnel (value redacted on this page)
set internal-domain-list "<removed>"
# AEAD (GCM) proposals are listed first; aes256-sha256 remains as a non-AEAD fallback
set proposal aes256gcm-prfsha384 aes256gcm-prfsha256 aes256-sha256
# public DNS name the gateway presents as its IKE identity (value redacted on this page)
set localid "<removed>"
# dead-peer detection only while the tunnel is idle; probe interval is set at the end of the block
set dpd on-idle
# NOTE(review): group 14 (2048-bit MODP) is the weakest group offered here;
# consider dropping it if no client still needs it
set dhgrp 21 19 14
# EAP user authentication against the local/remote group named in authusrgrp
set eap enable
set eap-identity send-request
set authusrgrp "VPN Users"
# client addresses are taken from the named range; only GRP-VPN-ACCESS is
# routed into the tunnel (split tunnelling)
set assign-ip-from name
set ipv4-split-include "GRP-VPN-ACCESS"
set ipv4-name "RNG-RA-VPN-Clients"
# pre-shared key (redacted on this page); NOTE(review): with eap enabled this
# is assumed to authenticate the gateway side only — confirm for the FortiOS release in use
set psksecret <removed>
set dpd-retryinterval 60
next
`internal-domain-list` is a list of DNS domains that should be resolvable by the connected device (internal domains only). `localid` is the public DNS domain of the firewall (required). `psksecret` is the pre-shared key.
Phase 2
# Phase 2 selector bound to the phase 1 above. The enclosing
# "config vpn ipsec phase2-interface" / "end" lines are not shown on this page.
# No src/dst subnet is set, so the defaults apply — verify they match the
# split-include group before relying on them.
edit "VPN-RA-FC-P2-DEFAULT"
set phase1name "VPN-RA-FC"
# AEAD (GCM) proposal first; aes256-sha256 kept as fallback, mirroring phase 1
set proposal aes256gcm aes256-sha256
# PFS groups, same set as phase 1 (group 14 is the weakest offered)
set dhgrp 21 19 14
set keepalive enable
# re-key the child SA hourly
set keylifeseconds 3600
next
Policies
# Firewall policies for the remote-access tunnels. Both policies reference the
# interfaces "VPN-RA-APPLE" and "VPN-RA-WINDOWS", which are not defined on this
# page. Neither policy sets security profiles or logging on the lines shown.
config firewall policy
# Policy 18: VPN clients -> internal segments (LAN, WLAN/IoT tunnels, DMZ).
# NOTE(review): service "ALL" opens every port to every listed segment;
# consider restricting to the services actually required, and attaching
# IPS/AV profiles and "set logtraffic all" so sessions are visible to SecOps.
edit 18
set name "Allow-VPN-RA-to-LAN"
# uuid is generated by the firewall; it will differ on another unit
set uuid b88f102a-dff6-51f0-6157-49a1d9450327
set srcintf "VPN-RA-APPLE" "VPN-RA-WINDOWS" "VPN-RA-FC"
set dstintf "VLAN-LAN-100" "SSID-WLAN-TUN" "SSID-IOT-TUN" "VLAN-DMZ-200"
set action accept
# source limited to the client address range handed out by phase 1
set srcaddr "RNG-RA-VPN-Clients"
# destination limited to the split-tunnel group, matching ipv4-split-include in phase 1
set dstaddr "GRP-VPN-ACCESS"
set schedule "always"
set service "ALL"
next
# Policy 20: VPN clients -> Internet via wan1 with source NAT.
# NOTE(review): only reached if "GRP-VPN-ACCESS" routes Internet destinations
# through the tunnel — confirm whether this is intended (full-tunnel egress)
# or dead. If intended, the same service/profile caveats as policy 18 apply.
edit 20
set name "Allow-VPN-RA-to-WAN"
# uuid is generated by the firewall; it will differ on another unit
set uuid ee369aec-dff9-51f0-c276-83956b56cd9c
set srcintf "VPN-RA-APPLE" "VPN-RA-FC" "VPN-RA-WINDOWS"
set dstintf "wan1"
set action accept
set srcaddr "RNG-RA-VPN-Clients"
# any destination on the WAN side
set dstaddr "all"
set schedule "always"
set service "ALL"
# source NAT behind the wan1 interface address
set nat enable
next
end