Technical Note : FortiGate-to-iPhone IPSec VPN configuration guide (Japanese and English version)
Products
FortiGate v4.0 MR1
FortiGate v4.0 MR2
Description
The attachments to this article provide a FortiGate to iPhone IPSec VPN setup guide including the GUI configuration steps (Japanese and English versions).
The article also gives a FortiGate CLI configuration example for a FortiGate to iPhone IPSec setting.
This configuration is not compatible with v4.0 MR3; for that firmware version refer to the related article "Technical Note : iPhone and iPad Dialup User IPSec VPN sample configuration for FortiOS v4.0 MR3".
Scope
FortiOS firmware version 4.0 MR1
FortiOS firmware version 4.0 MR2
Article does NOT apply to: FortiOS firmware version 4.0 MR3
Solution
The following FortiGate CLI configuration provides an example for a FortiGate to iPhone IPSec setting. Refer to iPhone product documentation for the iPhone configuration.
Create Users, User Groups and Address Objects:

config user local
    edit "testuser1"
        set status enable
        set type password
        set passwd <password>
    next
end

config user group
    edit "iPhoneVPN"
        set group-type firewall
        set ldap-memberof ''
        set member "testuser1"
        set profile ''
        set authtimeout 0
        set ftgd-wf-ovrd deny
    next
end

config firewall address
    edit "LAN"
        set associated-interface "switch"
        set comment ''
        set type ipmask
        set subnet 10.1.1.0 255.255.255.0
    next
    edit "iPhoneVPNUsers"
        set associated-interface "Any"
        set comment ''
        set type ipmask
        set subnet 172.16.101.0 255.255.255.0
    next
end
Configure IPSec Phase 1:

config vpn ipsec phase1-interface
    edit "iPhone"
        set type dynamic
        set interface "wan1"
        set ip-version 4
        set local-gw 0.0.0.0
        set localid ''
        set dpd enable
        set nattraversal enable
        set dhgrp 2
        set proposal 3des-sha1 3des-md5
        set keylife 28800
        set authmethod psk
        set peertype any
        set xauthtype auto
        set mode main
        set mode-cfg enable
        set authusrgrp "iPhoneVPN"
        set default-gw 0.0.0.0
        set default-gw-priority 0
        set dpd-retrycount 3
        set dpd-retryinterval 5
        set assign-ip enable
        set mode-cfg-ip-version 4
        set assign-ip-from range
        set add-route enable
        set ipv4-start-ip 172.16.101.1
        set ipv4-end-ip 172.16.101.254
        set ipv4-netmask 255.255.255.0
        set ipv4-dns-server1 0.0.0.0
        set ipv4-dns-server2 0.0.0.0
        set ipv4-dns-server3 0.0.0.0
        set ipv4-wins-server1 0.0.0.0
        set ipv4-wins-server2 0.0.0.0
        set ipv4-split-include "LAN"
        set unity-support enable
        set domain ''
        set banner ''
        set psksecret <psk>
        set keepalive 10
        set distance 1
        set priority 0
    next
end

Note: the Phase 1 proposal (3DES with SHA-1/MD5) and DH group 2 are legacy choices kept here for compatibility with the iPhone clients of this FortiOS release. Where the client supports it, prefer AES with a SHA-based hash and a stronger DH group. Because "peertype any" accepts any peer presenting the pre-shared key, choose a long random PSK and rely on XAuth (authusrgrp "iPhoneVPN") as the per-user control.
Configure IPSec Phase 2:

config vpn ipsec phase2-interface
    edit "iPhone-P2"
        set dst-addr-type subnet
        set dst-port 0
        set keepalive disable
        set keylife-type seconds
        set pfs enable
        set phase1name "iPhone"
        set proposal aes256-sha1 aes256-sha256
        set protocol 0
        set replay enable
        set route-overlap use-new
        set single-source disable
        set src-addr-type subnet
        set src-port 0
        set dhgrp 2
        set dst-subnet 0.0.0.0 0.0.0.0
        set keylifeseconds 1800
        set src-subnet 0.0.0.0 0.0.0.0
    next
end
Configure Firewall Policies:

VPN => LAN

config firewall policy
    edit 1
        set srcintf "iPhone"
        set dstintf "switch"
        set srcaddr "iPhoneVPNUsers"
        set dstaddr "LAN"
        set action accept
        set status enable
        set logtraffic enable
        set per-ip-shaper ''
        set session-ttl 0
        set wccp disable
        set disclaimer disable
        set natip 0.0.0.0 0.0.0.0
        set match-vip disable
        set diffserv-forward disable
        set diffserv-reverse disable
        set tcp-mss-sender 0
        set tcp-mss-receiver 0
        set comments ''
        set endpoint-check disable
        set label ''
        set identity-based disable
        set schedule "always"
        set service "ANY"
        set profile-status disable
        set traffic-shaper ''
        set nat disable
    next
end

LAN => VPN

config firewall policy
    edit 2
        set srcintf "switch"
        set dstintf "iPhone"
        set srcaddr "LAN"
        set dstaddr "iPhoneVPNUsers"
        set action accept
        set status enable
        set logtraffic enable
        set per-ip-shaper ''
        set session-ttl 0
        set wccp disable
        set disclaimer disable
        set natip 0.0.0.0 0.0.0.0
        set match-vip disable
        set diffserv-forward disable
        set diffserv-reverse disable
        set tcp-mss-sender 0
        set tcp-mss-receiver 0
        set comments ''
        set endpoint-check disable
        set label ''
        set identity-based disable
        set schedule "always"
        set service "ANY"
        set profile-status disable
        set traffic-shaper ''
        set nat disable
    next
end
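The Phase 1, Phase 2 and policy fragments above are the kind of text a reviewer ends up checking by hand before a change window. The following script is an added example, not Fortinet's code and not part of the original article: it parses the FortiOS "config / edit / set / next / end" structure (including dumps where several statements share one line, as on this page) and flags the settings a security review would question in this sample: 3DES or MD5 in a proposal, DH group 1/2/5, a pre-shared key accepted from any peer, PFS disabled, and a policy with service ANY. The embedded SAMPLE_CONFIG is a trimmed copy of the article's settings with the secret replaced by a placeholder; the weak-cipher and weak-DH lists are the author's review thresholds, not FortiOS defaults.

```python
import shlex
from dataclasses import dataclass, field

# FortiOS CLI structural keywords; everything else is a path element, key or value.
KEYWORDS = {"config", "edit", "set", "unset", "next", "end"}

# Review thresholds chosen for this example (assumption, not a FortiOS list).
WEAK_CIPHERS = ("des", "3des", "md5", "null")
WEAK_DH = {"1", "2", "5"}


@dataclass
class Entry:
    table: str                       # e.g. "vpn ipsec phase1-interface"
    name: str                        # the 'edit' key, e.g. "iPhone" or "1"
    settings: dict = field(default_factory=dict)   # key -> list of value tokens


def parse_fortios(text):
    """Tokenise a FortiOS CLI dump and return one Entry per 'edit' block.

    shlex keeps quoted values such as "iPhone-P2" or '' as single tokens, so a
    quoted value that happens to read 'end' cannot be mistaken for a keyword.
    Nested sub-tables are attributed to the innermost 'config' path.
    """
    tokens = shlex.split(text)
    entries, path, current = [], [], None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        i += 1
        if tok == "config":                       # config <table path...>
            j = i
            while j < len(tokens) and tokens[j] not in KEYWORDS:
                j += 1
            path.append(" ".join(tokens[i:j]))
            i = j
        elif tok == "edit":                       # edit <name>
            current = Entry(table=path[-1], name=tokens[i])
            i += 1
        elif tok in ("set", "unset"):             # set <key> <values...>
            key = tokens[i]
            j = i + 1
            while j < len(tokens) and tokens[j] not in KEYWORDS:
                j += 1
            if current is not None:
                current.settings[key] = tokens[i + 1:j]
            i = j
        elif tok == "next":                       # close the current edit block
            if current is not None:
                entries.append(current)
            current = None
        elif tok == "end":                        # leave the current table
            path.pop()
    return entries


def audit(entries):
    """Return (table, name, message) findings for the checks described above."""
    findings = []
    for e in entries:
        s = e.settings
        if e.table in ("vpn ipsec phase1-interface", "vpn ipsec phase2-interface"):
            for prop in s.get("proposal", []):
                if any(part in WEAK_CIPHERS for part in prop.split("-")):
                    findings.append((e.table, e.name, f"weak proposal {prop}"))
            for grp in s.get("dhgrp", []):
                if grp in WEAK_DH:
                    findings.append((e.table, e.name, f"weak DH group {grp}"))
        if e.table == "vpn ipsec phase1-interface":
            if s.get("authmethod") == ["psk"] and s.get("peertype") == ["any"]:
                findings.append((e.table, e.name, "PSK accepted from any peer"))
        if e.table == "vpn ipsec phase2-interface" and s.get("pfs") == ["disable"]:
            findings.append((e.table, e.name, "PFS disabled"))
        if e.table == "firewall policy" and "ANY" in s.get("service", []):
            findings.append((e.table, e.name, "service ANY permits all protocols"))
    return findings


# Constructed sample: a trimmed copy of the article's settings (secret replaced).
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "iPhone"
        set type dynamic
        set interface "wan1"
        set dhgrp 2
        set proposal 3des-sha1 3des-md5
        set authmethod psk
        set peertype any
        set xauthtype auto
        set mode-cfg enable
        set authusrgrp "iPhoneVPN"
        set psksecret REDACTED
    next
end
config vpn ipsec phase2-interface
    edit "iPhone-P2"
        set phase1name "iPhone"
        set proposal aes256-sha1 aes256-sha256
        set pfs enable
        set dhgrp 2
    next
end
config firewall policy
    edit 1
        set srcintf "iPhone"
        set dstintf "switch"
        set srcaddr "iPhoneVPNUsers"
        set dstaddr "LAN"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
"""

if __name__ == "__main__":
    for table, name, msg in audit(parse_fortios(SAMPLE_CONFIG)):
        print(f"{table} [{name}]: {msg}")
```

Run it against a `show full-configuration` dump saved from the FortiGate instead of SAMPLE_CONFIG to review a real unit; on the article's settings it reports the two 3DES proposals, DH group 2 in both phases, the any-peer PSK and the ANY-service policy, while the AES-256 Phase 2 proposals and enabled PFS pass.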