Skip to main content

IKEv2 VPN

General Use IKEv2 VPN for FortiClient

FortiGate Configuration

Phase 1

edit "VPN-RA-FC"
    set type dynamic
    set interface "wan1"
    set ike-version 2
    set peertype any
    set net-device disable
    set mode-cfg enable
    set ipv4-dns-server1 10.0.0.254
    set internal-domain-list "<removed>"
    set proposal aes256gcm-prfsha384 aes256gcm-prfsha256 aes256-sha256
    set localid "<removed>"
    set dpd on-idle
    set dhgrp 21 19 14
    set eap enable
    set eap-identity send-request
    set authusrgrp "VPN Users"
    set assign-ip-from name
    set ipv4-split-include "GRP-VPN-ACCESS"
    set ipv4-name "RNG-RA-VPN-Clients"
    set psksecret <removed>
    set dpd-retryinterval 60
next
  • internal-domain-list is a List of DNS Domains that should be resolveable by the connected Device (internal Domains only)
  • localid is the public DNS Domain of the Firewall (required)
  • psksecret is the Pre-Shared-Key

Phase 2

edit "VPN-RA-FC-P2-DEFAULT"
    set phase1name "VPN-RA-FC"
    set proposal aes256gcm aes256-sha256
    set dhgrp 21 19 14
    set keepalive enable
    set keylifeseconds 3600
next


Policies

config firewall policy
    edit 18
        set name "Allow-VPN-RA-to-LAN"
        set uuid b88f102a-dff6-51f0-6157-49a1d9450327
        set srcintf "VPN-RA-APPLE" "VPN-RA-WINDOWS" "VPN-RA-FC"
        set dstintf "VLAN-LAN-100" "SSID-WLAN-TUN" "SSID-IOT-TUN" "VLAN-DMZ-200"
        set action accept
        set srcaddr "RNG-RA-VPN-Clients"
        set dstaddr "GRP-VPN-ACCESS"
        set schedule "always"
        set service "ALL"
    next
    edit 20
        set name "Allow-VPN-RA-to-WAN"
        set uuid ee369aec-dff9-51f0-c276-83956b56cd9c
        set srcintf "VPN-RA-APPLE" "VPN-RA-FC" "VPN-RA-WINDOWS"
        set dstintf "wan1"
        set action accept
        set srcaddr "RNG-RA-VPN-Clients"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

Client

Configuration

iOS FortiClient App

Secure ProtocolIKEv2 VPN
Name<Name>
Server AddressPublic DNS Domain (same as localid in Tunnel Config)
Authentication MethodPre-shared Key
Pre-shared Key SecretPSK
EAP-AUTHEnabled
Local IDempty
Remote-IDPublic DNS Domain (same as localid in Tunnel Config)
Phase 1 EncryptionAES256
Phase 1 AuthenticationSHA256
Phase 1 DH GRoup14
Phase 1 Key Lifetime86400
Phase 1 EncryptionAES256
Phase 1 AuthenticationSHA256
Phase 1 DH GRoup14
Phase 1 Key Lifetime43200
DPDenabled
PFSenabled
UsernameClient Username (User in FortiGate)
Back to top