• IKEv2 IPsec VPN — IKEv2 IPsec VPN is the preferred configuration method on FortiGate devices.
• L2TP/IPsec VPN
• Username and password [PEAP-MSCHAPv2] — This guide explains the 'username and password' option.
• Certificate [EAP-TLS]
- Imported root CA certificate on FortiGate
- Imported certificate on FortiGate and signed by CA
- Imported root CA certificate on Windows Phone
# Creates the local account that the VPN client logs in with (EAP, username and password).
# NOTE(review): "pass1" is a sample value. In the username-and-password option the
# password is the user's only credential, so set a long, unique password per user
# before deploying.
config user local
edit local\\user1
set type password
set passwd pass1
next
end
# Defines the user group GRP-ipsec with local\\user1 as its member; the phase 1
# settings reference this group through authusrgrp.
# Membership decides who can authenticate to the VPN, so add only accounts that need it.
config user group
edit GRP-ipsec
set member local\\user1
next
end
# Defines the dial-up IKEv2 phase 1 "ipsec-clients" on interface port1.
# - authmethod signature + certificate "FG-certificate": the FortiGate identifies
#   itself with a certificate, which is why the client needs the root CA imported.
# - eap enable + eap-identity send-request + authusrgrp: the user is authenticated
#   through EAP against the group GRP-ipsec.
# - mode-cfg: clients are given an address from 172.16.10.10-172.16.10.100
#   (mask 255.255.255.0) and the two DNS servers listed.
# NOTE(review): dhgrp 2 is the 1024-bit MODP group and the *-sha1 proposals use
#   SHA-1; both are legacy options. Keep them only if a client cannot negotiate
#   group 14 or 15 with SHA-256 - confirm against the clients in use.
# NOTE(review): 8.8.8.8 and 8.8.4.4 are public resolvers, so client DNS queries
#   leave the organisation and internal-only names presumably will not resolve.
#   Point clients at an internal resolver if one exists.
config vpn ipsec phase1-interface
edit "ipsec-clients"
set type dynamic
set interface "port1"
set ike-version 2
set authmethod signature
set mode-cfg enable
set ipv4-dns-server1 8.8.8.8
set ipv4-dns-server2 8.8.4.4
set proposal aes256-sha1 aes256-sha256 aes128-sha1 aes128-sha256
set dhgrp 15 14 2
set eap enable
set eap-identity send-request
set authusrgrp "GRP-ipsec"
set certificate "FG-certificate"
set ipv4-start-ip 172.16.10.10
set ipv4-end-ip 172.16.10.100
set ipv4-netmask 255.255.255.0
next
end
# Defines the phase 2 (IPsec SA) settings "ipsec-clients-p2", bound to phase 1
# "ipsec-clients". keylifeseconds 1800 sets the SA lifetime to 30 minutes.
# NOTE(review): this proposal list also offers SHA-1 and DH group 2 (1024-bit MODP).
#   Drop them where every client supports SHA-256 with group 14 or 15 - confirm
#   against the clients in use.
config vpn ipsec phase2-interface
edit "ipsec-clients-p2"
set phase1name "ipsec-clients"
set proposal aes256-sha1 aes256-sha256 aes128-sha1 aes128-sha256
set dhgrp 15 14 2
set keylifeseconds 1800
next
end
# Defines the two address objects used by the firewall policy:
# - LAN: 10.10.0.0 255.255.252.0 on port2 (the internal network).
# - LAN-IPsec-Clients: 172.16.10.0 255.255.255.0 on the "ipsec-clients" tunnel interface.
# NOTE(review): LAN-IPsec-Clients covers the whole /24, while mode-cfg in phase 1
#   assigns only .10-.100; narrow the object if the policy should match assigned
#   addresses only.
config firewall address
edit LAN
set associated-interface "port2"
set subnet 10.10.0.0 255.255.252.0
next
edit LAN-IPsec-Clients
set associated-interface "ipsec-clients"
set subnet 172.16.10.0 255.255.255.0
next
end
# Allows traffic from the VPN clients (LAN-IPsec-Clients on "ipsec-clients") to the
# internal network (LAN on port2). "edit 0" lets FortiOS assign the next free policy ID.
# NOTE(review): service "ALL" lets every VPN user reach every port on the whole LAN
#   object; limit dstaddr and service to what remote users actually need.
# NOTE(review): no logtraffic or security-profile setting is given, so the defaults
#   apply; consider "set logtraffic all" to keep an audit trail of VPN access.
config firewall policy
edit 0
set srcintf "ipsec-clients"
set dstintf "port2"
set srcaddr "LAN-IPsec-Clients"
set dstaddr "LAN"
set action accept
set schedule "always"
set service "ALL"
next
end