THEcRiteK
New Member
November 4, 2014
Solved

no Advanced Options in FortiClient 5.2.1.356 on Mac OSX


Hey Comm,

My problem is that on Windows I can configure FortiClient very well, but on Mac I can't configure the VPN connection correctly, because I don't have the advanced settings for IPsec, Phase 1 and Phase 2. So the client can't connect to our firewall.

Is there any trick to get these settings? I have tried many other FortiClient versions, but the advanced settings are not displayed in any version.

Thanks!

6 replies

vanc
New Member
November 15, 2014

You posted to the wrong forum. Should move to FortiClient.

THEcRiteK (Author)
New Member
November 18, 2014

Hi vanc,

I have tried. If you can tell me how I can move the thread, I will move it, thanks!

emnoc (Answer)
New Member
November 15, 2014

You're correct, but I have never seen anybody that needed to modify the IPsec settings. Either way, you need to do it old school, and I advise you to back up the cfg before making changes.

1: Back up the cfg

Preference > General > Backup (name the file)

2: Open the <*.conf> file in your favorite editor.

3: Search down to the ipsec or connection name

4: Make your modifications and save as a new file

5: Restore the new cfg

<name>socpuppetshq</name>
<type>manual</type>
<ike_settings>
    <prompt_certificate>0</prompt_certificate>
    <description>MainFGT100D</description>
    <server>192.0.1.1</server>
    <authentication_method>Preshared Key</authentication_method>
    <auth_key>Enc 420d2ee65abded897a69c50f49954d0df61920558d173d22a1b0b1b058b8034b</auth_key>
    <mode>aggressive</mode>
    <dhgroup>5</dhgroup>
    <key_life>86400</key_life>
    <localid></localid>
    <nat_traversal>1</nat_traversal>
    <mode_config>1</mode_config>
    <enable_local_lan>0</enable_local_lan>
    <dpd>1</dpd>
    <xauth>
        <enabled>1</enabled>
        <prompt_username>0</prompt_username>
        <username>Enc 420d2ee65abded897a69c50f49954d0df619498b1925dd2d993abf54be</username>
        <password>Enc 420d2ee65abded897a69c50f4995397969f1c1f949055d8e51</password>
    </xauth>
    <proposals>
        <proposal>aes128|sha1</proposal>
        <proposal>aes256|sha256</proposal>
        <proposal>3des|sha256</proposal>
        <proposal>aes128|sha1</proposal>
        <proposal>aes256|sha1</proposal>
        <proposal>3des|sha1</proposal>
    </proposals>
    <fgt>0</fgt>
</ike_settings>

I hope that helps. Just be careful and always make a backup copy before proceeding.

Good luck and let us know how your FortiClient version works. I'm having problems with a few 10.10 and dropping IPsec connections.

THEcRiteK (Author)
New Member
November 18, 2014

Hi emnoc,

Thanks for your reply. I've tried this before, but nothing works.

If I edit the config file and import the file, the client deletes the VPN connection or it doesn't work.

But I will try again and let you know if it works for me. Thanks again for your reply.

emnoc
New Member
November 18, 2014

"If I edit the config file and import the file, the client delete the vpn connection or it doesn't work."

What are you modifying, if I may ask?

I've changed things such as PSK and VPN gateway address, but never done anything within the IPsec portion of the configuration. You should be able to change anything and re-import it, but if you're removing configuration parameters, then that needs to be tested and validated. IIRC, if you make mistakes in the configuration syntax, it will not successfully import.

THEcRiteK (Author)
New Member
November 18, 2014

I edit the proposals, because with the standards the Windows client can't connect either.

So I want to edit these settings, because I think this is the reason why the Mac client can't connect.

For example:

<proposals>
    <proposal>3DES|MD5</proposal>
    <proposal>3DES|SHA1</proposal>
    <proposal>AES128|MD5</proposal>
    <proposal>AES128|SHA1</proposal>
</proposals>

emnoc
New Member
November 18, 2014

So what do you have configured in the FortiGate? What you should be doing is matching the proposals in the FortiGate, IMHO. I have never seen a need to modify the actual configuration file.

Ken
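
A pre-import check for an edited FortiClient backup, given here as an added example that is not part of the original thread or of Fortinet's tooling: it confirms the edited block is still well-formed XML (a syntax mistake makes the import fail, as noted above) and compares its proposals with the gateway's. The sample config is constructed from the layout posted in the thread, and the gateway proposal list is an assumption, since the FortiGate configuration is never shown.

```python
import xml.etree.ElementTree as ET

# Constructed sample: an edited <ike_settings> block in the layout posted in the thread.
EDITED_CONF = """
<ike_settings>
    <proposals>
        <proposal>aes128|sha1</proposal>
        <proposal>aes256|sha256</proposal>
        <proposal>3des|sha256</proposal>
        <proposal>aes128|sha1</proposal>
        <proposal>aes256|sha1</proposal>
        <proposal>3des|sha1</proposal>
    </proposals>
</ike_settings>
"""

# Assumption: what the gateway's phase 1 accepts; the thread never shows the FortiGate side.
GATEWAY_PROPOSALS = ["3des|md5", "3des|sha1", "aes128|md5", "aes128|sha1"]
WEAK_ALGORITHMS = {"des", "3des", "md5"}  # generally treated as deprecated for IKE


def load_proposals(xml_text):
    """Return de-duplicated, lower-cased proposals; ValueError if the text would not parse."""
    try:
        root = ET.fromstring(xml_text.strip())
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc
    proposals = []
    for node in root.iter("proposal"):
        value = (node.text or "").strip().lower()
        if value.count("|") != 1 or not all(value.split("|")):
            raise ValueError(f"malformed proposal: {value!r}")
        if value not in proposals:
            proposals.append(value)
    return proposals


def review(xml_text, gateway_proposals):
    """Compare the client's proposals with the gateway's and flag weak algorithms."""
    gateway = {p.lower() for p in gateway_proposals}
    client = load_proposals(xml_text)
    return {
        "common": [p for p in client if p in gateway],
        "client_only": [p for p in client if p not in gateway],
        "weak": [p for p in client if WEAK_ALGORITHMS & set(p.split("|"))],
    }


print(review(EDITED_CONF, GATEWAY_PROPOSALS))
```

An empty `common` list means the client and gateway share no proposal, so phase 1 cannot be agreed whatever else is changed in the file.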

THEcRiteK (Author)
New Member
November 18, 2014

There is one big problem with the FortiGate: the person who configured the FortiGate isn't in our company anymore.

One person in our department knows the current VPN config a little bit. And this person does not want to change the config, because I think we would have to change the settings on 100 notebooks if he changes it.

But now I have a new config file. I will test it and let you know if it works.

emnoc
New Member
November 20, 2014

Qs:

 

Do you have the VPN configuration handy?

Have you tried with a non-FortiClient client (iOS, Android, Mac OS X, Cisco VPN client, shrew net, etc.)?

You shouldn't flat out change things without proper diagnostics and review actions. The proposal in the FortiClient covers the default common proposals in the FortiGate, which should work regardless of whether it's Mac, Windows or iPhone.

THEcRiteK (Author)
New Member
November 20, 2014

I have tried it with IPSecuritas, and others ...

I have found an option which is in the Mac's configuration file ...

...
<use_vip>1</use_vip>
<virtualip>
    <type>modeconfig</type>
    <ip></ip>
    <mask></mask>
    <dnsserver></dnsserver>
</virtualip>

 

and on Windows ...

<use_vip>1</use_vip>
<virtualip>
    <type>dhcpoveripsec</type>
    <ip>0.0.0.0</ip>
    <mask>0.0.0.0</mask>
    <dnsserver>0.0.0.0</dnsserver>
    <winserver>0.0.0.0</winserver>
</virtualip>

 

But when I write dhcpoveripsec over the modeconfig, I can't import the file?! O.o

I think this could be the fault in the configuration, because we use DHCP over IPsec...

Is this possible? But why can't I write dhcpoveripsec over modeconfig?

THEcRiteK (Author)
New Member
June 23, 2015

No, I have configured it as SSL VPN, then it works fine on Mac OS.

Rgds

JMousqueton
New Member
June 23, 2015

I have the same problem on MacOS: I cannot set "dhcpoveripsec" as a virtualIP type on MacOS.

Did you manage to find a solution?

Best Regards,