FortiGate
Slavko_Zamuda_FTNT
Article Id 197592
Description
This article describes how to configure IPsec dialup for iOS clients using the certificate authentication method. It does not describe how to create certificates or how to import them into FortiGate or iOS.

Solution
Prerequisites:

Valid certificates to be used for phase 1 IPsec authentication need to be imported.

All certificates (including the CA certificate) have to be created with a 2048-bit key and SHA1 as the signature algorithm (MD5 does not work).

iOS requires that the subjectAltName of the VPN server's (FortiGate) certificate matches either the hostname (which it resolves through DNS) or the IP address of the server being connected to. This means that the IP address of the FortiGate interface used for the connection (e.g. 1.1.1.1) has to be part of the FortiGate local certificate's Subject Name.
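
The three prerequisites above can be checked against the PEM file with openssl before the certificate is imported. This shell script is an added example, not part of the original article; it assumes openssl is on PATH and takes the certificate path and the FortiGate interface IP as caller-supplied (hypothetical) arguments.

```shell
#!/bin/sh
# Added example, not from the original article: pre-import sanity check of a
# PEM certificate against the prerequisites above (RSA 2048-bit key, SHA1
# signature, connecting interface IP present in subjectAltName).
# Assumes openssl is installed; file path and IP are supplied by the caller.

# Print the RSA key length in bits.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Print the signature algorithm (first "Signature Algorithm" line).
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Signature Algorithm: \(.*\)$/\1/p' | head -n 1
}

# Succeed only if subjectAltName carries the given IP address.
cert_san_has_ip() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | grep -q "IP Address:$2"
}

# Run all three checks, report every failure, return non-zero if any failed.
check_fgt_cert() {
    cert="$1" ip="$2" rc=0
    [ "$(cert_key_bits "$cert")" = "2048" ] \
        || { echo "FAIL: key is not 2048 bit"; rc=1; }
    [ "$(cert_sig_alg "$cert")" = "sha1WithRSAEncryption" ] \
        || { echo "FAIL: signature algorithm is not SHA1"; rc=1; }
    cert_san_has_ip "$cert" "$ip" \
        || { echo "FAIL: subjectAltName lacks IP Address:$ip"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $cert meets the iOS dialup prerequisites for $ip"
    return "$rc"
}
```

Usage: `check_fgt_cert fortigate_local.pem 1.1.1.1` prints one line per failed check and exits non-zero if anything is wrong.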

The configuration steps, using the CLI, are given as an example below.

Configure User:

config user local
    edit "test_user"
        set type password
        set passwd test!test
    next
end


Configure User Group:

config user group
    edit "xauth_gr"
        set member "test_user"
    next
end


Configure user peer:

config user peer
    edit "user_ios_test"
        set ca "CA_Cert_1"
    next
end


Configure phase1 IPsec:

config vpn ipsec phase1-interface
    edit "iPhone"
        set type dynamic
        set interface "wan1"
        set keylife 28800
        set authmethod signature
        set peertype peer
        set mode-cfg enable
        set proposal aes256-md5 aes256-sha1
        set dhgrp 2
        set wizard-type dialup-ios
        set xauthtype pap
        set authusrgrp "xauth_gr"
        set certificate "C_10.108.17.99"
        set peer "user_ios_test"
        set ipv4-start-ip 10.10.10.10
        set ipv4-end-ip 10.10.10.20
        set ipv4-netmask 255.255.255.0
        set dns-mode auto
        set distance 1
    next
end


Configure phase2 IPsec:

config vpn ipsec phase2-interface
    edit "iPhone"
        set phase1name "iPhone"
        set proposal aes256-md5 aes256-sha1
        set pfs disable
        set keepalive enable
        set keylifeseconds 1800
    next
end


Configure address objects:

config firewall address
    edit "LAN_10.40.0.0/22"
        set subnet 10.40.0.0 255.255.252.0
    next
    edit "IPsec_dialup_users_range"
        set type iprange
        set start-ip 10.10.10.10
        set end-ip 10.10.10.20
    next
end


Configure the required firewall policy:

config firewall policy
    edit 1
        set uuid 5b7cb9ae-d2d4-51e4-a9f6-cd98c7d7238b
        set srcintf "iPhone"
        set dstintf "internal1"
        set srcaddr "IPsec_dialup_users_range"
        set dstaddr "LAN_10.40.0.0/22"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end


Verification of Configuration

The following debug commands may be helpful:

#diag debug application ike -1
#diag debug application fnbamd -1
#diag debug enable
