Technical Note: iPhone and iPad Dialup User IPsec VPN sample configuration
Products
FortiGate v4.0 MR3
FortiGate v5.0
FortiGate v5.2
FortiGate v5.4
Description
This article provides a sample IPsec VPN configuration for use with iPhone and iPad.

The configuration is for FortiOS v4.0 MR3, v5.0, v5.2 and v5.4.  It differs from the configuration that is required for previous firmware versions.

The related article provides a configuration guide for earlier firmware versions.
Scope
This example is intended for a dial-up VPN network that requires connections from iPhone or iPad clients.
Solution
Note that the VPN is route-based (also called interface-based). The configuration requires a peer ID ("apple" in this example) and a user group. It is best to configure this VPN from the CLI, because some of the required settings are not available in the web interface.

Set up a user, a user group, and firewall addresses (the group member must match the local user name exactly):
config user local
   edit "testuser"
      set status enable
      set type password
      set passwd <password>
end
 
config user group
   edit "AppleVPNUsers"
      set member "testuser"
end
 
config firewall address
   edit "internal1subnet"
      set subnet <LAN subnet and netmask here> (for example 192.168.29.0 255.255.255.0)
   next
 
   edit "appleVPNsubnet"
      set subnet 10.3.3.0 255.255.255.0
end
Phase 1 Settings:
config vpn ipsec phase1-interface
    edit "AppleVPN"
        set type dynamic
        set interface "wan1"
        set dhgrp 2
        set peertype one
        set xauthtype auto
        set mode aggressive
        set mode-cfg enable
        set proposal aes256-md5 aes256-sha1
        set peerid "apple"
        set authusrgrp "AppleVPNUsers"
        set ipv4-start-ip 10.3.3.1
        set ipv4-end-ip 10.3.3.254
        set ipv4-netmask 255.255.255.0
        set psksecret <tunnel password here>
end

Optional DNS settings, entered inside the same phase1-interface entry ("AppleVPN") so that mode-cfg pushes them to the clients together with the address:
        set domain <domain suffix here>
        set ipv4-dns-server1 <DNS server IP here>
        set ipv4-dns-server2 <DNS server IP here>
        set ipv4-dns-server3 <DNS server IP here>
Phase 2 Settings:
config vpn ipsec phase2-interface
    edit "AppleVPNp2"
        set keepalive enable
        set pfs disable
        set phase1name "AppleVPN"
        set proposal aes256-md5 aes256-sha1
end
Configure Firewall Policies:

VPN => LAN
config firewall policy
    edit <unique firewall policy ID here>
        set srcintf "AppleVPN"
        set dstintf "internal1"
        set srcaddr "appleVPNsubnet"
        set dstaddr "internal1subnet"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end

LAN => VPN
config firewall policy
    edit <unique firewall policy ID here>
        set srcintf "internal1"
        set dstintf "AppleVPN"
        set srcaddr "internal1subnet"
        set dstaddr "appleVPNsubnet"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end

If VPN clients should be able to reach the Internet while connected, create another firewall policy from the VPN tunnel out through the WAN interface, with NAT enabled:

config firewall policy
    edit <unique firewall policy ID here>
        set srcintf "AppleVPN"
        set dstintf "wan1"
        set srcaddr "appleVPNsubnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
end
Static route so that traffic for the tunnel clients' address pool is sent back out the tunnel:
config router static
    edit <unique route ID>
        set device "AppleVPN"
        set dst 10.3.3.0 255.255.255.0
    next
end
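The steps above only work when every object refers to the others by the right name: the group member must be a configured local user, `authusrgrp` must name that group, `phase1name` must name the phase 1, the policies must use defined addresses and the tunnel interface, and the static route must cover the mode-cfg pool. The following checker is an added example (not Fortinet's code) that parses the FortiOS CLI text and verifies those references. It assumes the example unit's interfaces are `wan1` and `internal1`, and the embedded sample is a constructed copy of this article's configuration with placeholder secrets and a policy ID of 1; it deliberately keeps the group member spelled "test" so the mismatch against "testuser" is caught.

```python
# Cross-reference checker for the FortiOS CLI snippets in this article (added example,
# not Fortinet's code): parses config/edit/set/next/end text and checks the references.
import ipaddress
import shlex

PHYSICAL_INTERFACES = {"wan1", "internal1"}  # assumption: interfaces on the example unit
# Constructed sample: the article's configuration with placeholder secrets.
SAMPLE_CONFIG = """
config user local
    edit "testuser"
        set passwd ExamplePassw0rd
end
config user group
    edit "AppleVPNUsers"
        set member "test"
end
config firewall address
    edit "appleVPNsubnet"
        set subnet 10.3.3.0 255.255.255.0
end
config vpn ipsec phase1-interface
    edit "AppleVPN"
        set type dynamic
        set mode-cfg enable
        set peerid "apple"
        set authusrgrp "AppleVPNUsers"
        set ipv4-start-ip 10.3.3.1
        set ipv4-end-ip 10.3.3.254
        set ipv4-netmask 255.255.255.0
        set psksecret ExampleTunnelKey
end
config vpn ipsec phase2-interface
    edit "AppleVPNp2"
        set phase1name "AppleVPN"
end
config firewall policy
    edit 1
        set srcintf "AppleVPN"
        set dstintf "internal1"
        set srcaddr "appleVPNsubnet"
        set dstaddr "all"
end
config router static
    edit 1
        set device "AppleVPN"
        set dst 10.3.3.0 255.255.255.0
end
"""


def parse_fortios(text):
    """Return {table: {entry: {key: [values]}}} for FortiOS CLI text."""
    tables, frames = {}, []                      # frames: [table, current entry]
    for raw in text.splitlines():
        tok = shlex.split(raw, comments=True)
        if not tok:
            continue
        cmd, args = tok[0], tok[1:]
        if cmd == "config":
            frames.append([" ".join(args), None])
            tables.setdefault(frames[-1][0], {})
        elif cmd == "edit":
            frames[-1][1] = args[0]
        elif cmd == "set":                       # values stay tokenised (multi-value keys)
            tables[frames[-1][0]].setdefault(frames[-1][1], {})[args[0]] = args[1:]
        elif cmd == "next":
            frames[-1][1] = None
        elif cmd == "end":                       # 'end' inside an edit implies 'next'
            frames.pop()
    return tables


def check_dialup_vpn(text, interfaces=PHYSICAL_INTERFACES):
    """Return findings (an empty list means every reference resolves)."""
    cfg = parse_fortios(text)
    t = lambda name: cfg.get(name, {})
    users, groups, addrs = t("user local"), t("user group"), t("firewall address")
    p1 = t("vpn ipsec phase1-interface")
    out = [f"user group {g}: member '{m}' is not a configured local user"
           for g, e in groups.items() for m in e.get("member", []) if m not in users]
    pools = {}
    for n, e in p1.items():                       # dial-up phase 1 must hand out a pool
        if e.get("mode-cfg") != ["enable"] or "ipv4-start-ip" not in e or "ipv4-netmask" not in e:
            out.append(f"phase1 {n}: mode-cfg enable plus ipv4-start-ip/ipv4-netmask are required")
        else:
            pools[n] = ipaddress.ip_network(f"{e['ipv4-start-ip'][0]}/{e['ipv4-netmask'][0]}", strict=False)
        if e.get("authusrgrp", [""])[0] not in groups:
            out.append(f"phase1 {n}: authusrgrp does not name an existing user group")
    out += [f"phase2 {n}: phase1name does not name an existing phase1"
            for n, e in t("vpn ipsec phase2-interface").items() if e.get("phase1name", [""])[0] not in p1]
    for pid, e in t("firewall policy").items():   # policies must reference real objects
        out += [f"policy {pid}: {k} '{v}' is not a known interface or tunnel"
                for k in ("srcintf", "dstintf") for v in e.get(k, []) if v not in interfaces | set(p1)]
        out += [f"policy {pid}: {k} '{v}' is not a configured address"
                for k in ("srcaddr", "dstaddr") for v in e.get(k, []) if v != "all" and v not in addrs]
    for n, net in pools.items():                  # pool must be routed back into the tunnel
        if not any(r.get("device") == [n] and "dst" in r and
                   ipaddress.ip_network("/".join(r["dst"]), strict=False) == net
                   for r in t("router static").values()):
            out.append(f"phase1 {n}: no static route for pool {net} via device '{n}'")
    return out
```

Run it against a `show` dump of the relevant tables before testing from the device: the first finding it reports on the sample is the "test" versus "testuser" mismatch, which the FortiGate accepts silently but which leaves XAuth with no valid members; correcting the member name yields an empty list.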
Configuration required on the iPad/iPhone Cisco VPN client:
description: FortiGate VPN
server: IP of the FortiGate WAN interface that is configured for VPN (interface: wan1 in this case)
account: testuser (a user account on the FortiGate)
password: <configured previously>
Use certificate: off
group name: apple
secret: pre-shared key for the tunnel, from the phase 1 step

Related Articles
Technical Note : FortiGate-to-iPhone IPSec VPN configuration guide (Japanese and English version)
Last Modified Date: 12-01-2016 Document ID: FD33376