rmetzger
Staff
Article Id 198776
Description
The attachments to this article provide a FortiGate to iPhone IPSec VPN setup guide, including the GUI configuration steps (Japanese and English versions).

The article also gives a FortiGate CLI configuration example for a FortiGate to iPhone IPSec setting.

This configuration is not compatible with v4.0 MR3; for that firmware version, refer to the related article "Technical Note : iPhone and iPad Dialup User IPSec VPN sample configuration for FortiOS v4.0 MR3".

Scope
FortiOS firmware version 4.0 MR1
FortiOS firmware version 4.0 MR2

Article does NOT apply to: FortiOS firmware version 4.0 MR3

Solution
The following FortiGate CLI configuration is an example of a FortiGate to iPhone IPSec setup. Refer to the iPhone product documentation for the iPhone side of the configuration.

Create Users, User Groups and Address Objects:

config user local
   edit "testuser1"
      set status enable
      set type password
      set passwd <password>
   next
end

config user group
   edit "iPhoneVPN"
      set group-type firewall
      set ldap-memberof ''
      set member "testuser1"
      set profile ''
      set authtimeout 0
      set ftgd-wf-ovrd deny
   next
end

config firewall address
   edit "LAN"
      set associated-interface "switch"
      set comment ''
      set type ipmask
      set subnet 10.1.1.0 255.255.255.0
   next
   edit "iPhoneVPNUsers"
      set associated-interface "Any"
      set comment ''
      set type ipmask
      set subnet 172.16.101.0 255.255.255.0
   next
end

Configure IPSec Phase 1:
config vpn ipsec phase1-interface
   edit "iPhone"
      set type dynamic
      set interface "wan1"
      set ip-version 4
      set local-gw 0.0.0.0
      set localid ''
      set dpd enable
      set nattraversal enable
      set dhgrp 2
      set proposal 3des-sha1 3des-md5
      set keylife 28800
      set authmethod psk
      set peertype any
      set xauthtype auto
      set mode main
      set mode-cfg enable
      set authusrgrp "iPhoneVPN"
      set default-gw 0.0.0.0
      set default-gw-priority 0
      set dpd-retrycount 3
      set dpd-retryinterval 5
      set assign-ip enable
      set mode-cfg-ip-version 4
      set assign-ip-from range
      set add-route enable
      set ipv4-start-ip 172.16.101.1
      set ipv4-end-ip 172.16.101.254
      set ipv4-netmask 255.255.255.0
      set ipv4-dns-server1 0.0.0.0
      set ipv4-dns-server2 0.0.0.0
      set ipv4-dns-server3 0.0.0.0
      set ipv4-wins-server1 0.0.0.0
      set ipv4-wins-server2 0.0.0.0
      set ipv4-split-include "LAN"
      set unity-support enable
      set domain ''
      set banner ''
      set psksecret <psk>
      set keepalive 10
      set distance 1
      set priority 0
   next
end
Configure IPSec Phase 2:
config vpn ipsec phase2-interface
   edit "iPhone-P2"
      set dst-addr-type subnet
      set dst-port 0
      set keepalive disable
      set keylife-type seconds
      set pfs enable
      set phase1name "iPhone"
      set proposal aes256-sha1 aes256-sha256
      set protocol 0
      set replay enable
      set route-overlap use-new
      set single-source disable
      set src-addr-type subnet
      set src-port 0
      set dhgrp 2
      set dst-subnet 0.0.0.0 0.0.0.0
      set keylifeseconds 1800
      set src-subnet 0.0.0.0 0.0.0.0
   next
end
Configure Firewall Policies:

VPN => LAN
config firewall policy
   edit 1
      set srcintf "iPhone"
      set dstintf "switch"
      set srcaddr "iPhoneVPNUsers"
      set dstaddr "LAN"
      set action accept
      set status enable
      set logtraffic enable
      set per-ip-shaper ''
      set session-ttl 0
      set wccp disable
      set disclaimer disable
      set natip 0.0.0.0 0.0.0.0
      set match-vip disable
      set diffserv-forward disable
      set diffserv-reverse disable
      set tcp-mss-sender 0
      set tcp-mss-receiver 0
      set comments ''
      set endpoint-check disable
      set label ''
      set identity-based disable
      set schedule "always"
      set service "ANY"
      set profile-status disable
      set traffic-shaper ''
      set nat disable
   next
end
LAN => VPN
config firewall policy
   edit 2
      set srcintf "switch"
      set dstintf "iPhone"
      set srcaddr "LAN"
      set dstaddr "iPhoneVPNUsers"
      set action accept
      set status enable
      set logtraffic enable
      set per-ip-shaper ''
      set session-ttl 0
      set wccp disable
      set disclaimer disable
      set natip 0.0.0.0 0.0.0.0
      set match-vip disable
      set diffserv-forward disable
      set diffserv-reverse disable
      set tcp-mss-sender 0
      set tcp-mss-receiver 0
      set comments ''
      set endpoint-check disable
      set label ''
      set identity-based disable
      set schedule "always"
      set service "ANY"
      set profile-status disable
      set traffic-shaper ''
      set nat disable
   next
end
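The configuration above has several cross-references that must line up for the tunnel to pass traffic: the group member must name an existing local user exactly (a stray space inside the quotes makes it a different name), the phase 1 `authusrgrp` must exist, the address object used in the policies must cover the mode-cfg pool `ipv4-start-ip` to `ipv4-end-ip`, and the phase 1 proposal should not rely on 3DES or MD5, which the proposals here still list. The following script is an added example and is not Fortinet's code or tooling: it is a hypothetical parser for the `config` / `edit` / `set` / `next` / `end` CLI format plus a few consistency checks, run over a constructed sample that is trimmed from this article's configuration and deliberately keeps a leading space in the group member name so the check has something to report.

```python
# Added example, not Fortinet's code: a consistency check over a FortiOS-style CLI
# config like the one in this article. The parser and checks are hypothetical.
import ipaddress
import shlex

# Constructed sample trimmed from the article; " testuser1" keeps its leading space on purpose.
SAMPLE_CONFIG = """
config user local
    edit "testuser1"
    next
end
config user group
    edit "iPhoneVPN"
        set member " testuser1"
    next
end
config firewall address
    edit "LAN"
        set subnet 10.1.1.0 255.255.255.0
    next
    edit "iPhoneVPNUsers"
        set subnet 172.16.101.0 255.255.255.0
    next
end
config vpn ipsec phase1-interface
    edit "iPhone"
        set proposal 3des-sha1 3des-md5
        set authusrgrp "iPhoneVPN"
        set assign-ip-from range
        set ipv4-start-ip 172.16.101.1
        set ipv4-end-ip 172.16.101.254
    next
end
config firewall policy
    edit 1
        set srcintf "iPhone"
        set dstintf "switch"
        set srcaddr "iPhoneVPNUsers"
        set dstaddr "LAN"
    next
end
"""

DEPRECATED = {"des", "3des", "md5"}  # IKE/ESP algorithms no current guidance allows


def parse_fortios(text):
    """Parse config/edit/set/next/end into {table: {entry: {key: [values]}}}."""
    tables, stack = {}, []  # stack holds [table_name, current_entry]
    for raw in text.splitlines():
        tok = shlex.split(raw)  # honours quotes, so " testuser1" keeps its space
        if not tok:
            continue
        if tok[0] == "config":
            stack.append([" ".join(tok[1:]), None])
            tables.setdefault(stack[-1][0], {})
        elif tok[0] == "edit":
            stack[-1][1] = tok[1]
            tables[stack[-1][0]].setdefault(tok[1], {})
        elif tok[0] == "set":
            table, entry = stack[-1]
            tables[table].setdefault(entry, {})[tok[1]] = tok[2:]
        elif tok[0] == "next":
            stack[-1][1] = None
        elif tok[0] == "end":
            stack.pop()
    return tables


def lint(tables):
    """Flag dangling references, whitespace typos in names, weak proposals and policy/pool mismatches."""
    users, groups, addrs = (tables.get(k, {}) for k in ("user local", "user group", "firewall address"))
    policies, findings = tables.get("firewall policy", {}), []
    for gname, g in groups.items():
        for m in g.get("member", []):
            if m not in users:  # exact match; a name with stray whitespace is a different object
                hint = " (stray whitespace?)" if m.strip() in users else ""
                findings.append(f"group {gname}: member {m!r} is not a local user{hint}")
    for p1name, p1 in tables.get("vpn ipsec phase1-interface", {}).items():
        for grp in p1.get("authusrgrp", []):
            if grp not in groups:
                findings.append(f"phase1 {p1name}: authusrgrp {grp!r} does not exist")
        for prop in p1.get("proposal", []):
            if DEPRECATED & set(prop.split("-")):
                findings.append(f"phase1 {p1name}: proposal {prop} uses a deprecated algorithm")
        pool = None
        if p1.get("assign-ip-from") == ["range"]:
            pool = tuple(ipaddress.ip_address(p1[k][0]) for k in ("ipv4-start-ip", "ipv4-end-ip"))
        # Policies on the tunnel interface must name address objects that exist and cover the pool.
        for pid, pol in policies.items():
            for ikey, akey in (("srcintf", "srcaddr"), ("dstintf", "dstaddr")):
                for aname in pol.get(akey, []) if p1name in pol.get(ikey, []) else []:
                    if aname not in addrs:
                        findings.append(f"policy {pid}: {akey} {aname!r} does not exist")
                    elif pool and "subnet" in addrs[aname]:
                        net = ipaddress.ip_network("/".join(addrs[aname]["subnet"]), strict=False)
                        if not (pool[0] in net and pool[1] in net):
                            findings.append(f"policy {pid}: {aname} ({net}) does not cover pool {pool[0]}-{pool[1]}")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_fortios(SAMPLE_CONFIG)):
        print(finding)
```

On the sample it reports the mistyped group member and the two 3DES/MD5 proposals, and nothing for the policy, because 172.16.101.1 to 172.16.101.254 falls inside the `iPhoneVPNUsers` object. The same checks can be run over a full `show` dump saved to a file; nested `config` blocks inside an entry are parsed but their keys land in a table named after the nested path, which is sufficient for the references checked here.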
Related Articles

Technical Note : iPhone VPN support on the FortiGate (IPSec , PPtP , SSL)

Technical Note: iPhone and iPad Dialup User IPsec VPN sample configuration