Help
FortiClient
FortiClient proactively defends against advanced attacks. Its tight integration with the Security Fabric enables policy-based automation to contain threats and control outbreaks. FortiClient is compatible with Fabric-Ready partners to further strengthen enterprises’ security posture.
bmeta
Staff
Staff

Created on ‎06-03-2020 02:34 AM Edited on ‎11-04-2024 09:42 PM By Community Manager

Article Id 196140

Technical Tip: How to configure IPsec VPN Tunnel using IKE v2

Description

 

This article describes how to configure IPsec VPN Tunnel using IKE v2.

 

Scope

 

FortiClient.

Solution

 

The FortiGate IPSEC tunnels can be configured using IKE v2.

 
Summary of the FortiGate GUI configuration:
 
 
Which results in a CLI output as the following example:
 
show vpn ipsec phase1-interface
config vpn ipsec phase1-interface
    edit "FCT_IKE_v2"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set local-gw 192.168.252.132
        set peertype any
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256 3des-sha1
        set dpd on-idle
        set dhgrp 5
        set eap enable
        set eap-identity send-request
        set authusrgrp "training"
        set assign-ip-from name
        set ipv4-netmask 255.255.255.0
        set dns-mode auto
        set ipv4-split-include "FCT_IKE_v2_split"
        set ipv4-name "FCT_IKE_v2_range"
        set save-password enable
        set client-auto-negotiate enable
        set client-keep-alive enable
        set psksecret ENC
        set dpd-retryinterval 60
    next
end
 
FortiClient configuration.
 
 
 
Debugging on the FortiGate.
 
diagnose debug console timestamp  enable
diagnose debug application ike -1
Debug messages will be on for 30 minutes.
diagnose debug enable
...
2020-06-01 10:54:56.781236 ike 0: comes 192.168.252.140:500->192.168.252.132:500,ifindex=3....
2020-06-01 10:54:56.784383 ike 0: IKEv2 exchange=SA_INIT id=8a5fcff621752576/0000000000000000 len=436
...
2020-06-01 10:54:56.966247 ike 0:8a5fcff621752576/0000000000000000:3: SA proposal chosen, matched gateway FCT_IKE_v2
2020-06-01 10:54:56.970778 ike 0:FCT_IKE_v2: created connection: 0xc1ac370 3 192.168.252.132->192.168.252.140:500.
...
2020-06-01 10:54:57.098345 ike 0:FCT_IKE_v2:3: responder received AUTH msg
2020-06-01 10:54:57.100344 ike 0:FCT_IKE_v2:3: processing notify type INITIAL_CONTACT
2020-06-01 10:54:57.103118 ike 0:FCT_IKE_v2:3: peer identifier IPV4_ADDR 192.168.252.140
2020-06-01 10:54:57.109820 ike 0:FCT_IKE_v2:3: re-validate gw ID
2020-06-01 10:54:57.113740 ike 0:FCT_IKE_v2:3: gw validation OK
...
2020-06-01 10:54:57.115832 ike 0:FCT_IKE_v2:3: responder preparing EAP identity request
2020-06-01 10:54:57.118622 ike 0:FCT_IKE_v2:3: enc
2020-06-01 10:54:57.128907 ike 0:FCT_IKE_v2:3: out
2020-06-01 10:54:57.138184 ike 0:FCT_IKE_v2:3: sent IKE msg (AUTH_RESPONSE): 192.168.252.132:500->192.168.252.140:500, len=128,
...
2020-06-01 10:54:57.168080 ike 0:FCT_IKE_v2:3: responder received EAP msg
2020-06-01 10:54:57.170300 ike 0:FCT_IKE_v2:3: send EAP message to FNBAM
2020-06-01 10:54:57.172977 ike 0:FCT_IKE_v2:3: initiating EAP authentication
2020-06-01 10:54:57.175182 ike 0:FCT_IKE_v2: EAP user "engineer"
2020-06-01 10:54:57.176733 ike 0:FCT_IKE_v2: auth group training
2020-06-01 10:54:57.179241 ike 0:FCT_IKE_v2: EAP 1224753671 pending
2020-06-01 10:54:57.180344 ike 0:FCT_IKE_v2:3 EAP 1224753671 result 2
2020-06-01 10:54:57.181322 ike 0:FCT_IKE_v2: EAP challenged for user "engineer"
2020-06-01 10:54:57.182419 ike 0:FCT_IKE_v2:3: responder preparing EAP pass through message
...
2020-06-01 10:54:57.595037 ike 0:FCT_IKE_v2:3:FCT_IKE_v2:39: lifetime=43200
2020-06-01 10:54:57.598559 ike 0:FCT_IKE_v2:3: responder preparing AUTH msg
2020-06-01 10:54:57.601466 ike 0:FCT_IKE_v2: adding new dynamic tunnel for 192.168.252.140:500
2020-06-01 10:54:57.605352 ike 0:FCT_IKE_v2_0: added new dynamic tunnel for 192.168.252.140:500
2020-06-01 10:54:57.612130 ike 0:FCT_IKE_v2_0:3: established IKE SA
...
2020-06-01 10:54:57.774281 ike 0:FCT_IKE_v2: carrier up
 
The last message, carrier up, indicates that the tunnel is up and running.
 
Related articles:

Technical Tip: IKEv2 Dialup IPsec tunnel with Radius and FortiToken MFA.

Troubleshooting Tip: Troubleshooting IPsec Site-to-Site Tunnel Connectivity

Technical Tip: How to configure VPN Site to Site between FortiGates (Using VPN Setup Wizard)

Troubleshooting Tip: IPsec VPNs tunnels

Technical Tip: Setting multiple DNS server for IPSec dial-up VPN

Technical Tip: NAT-traversal comparison between site-to-site and dial-up” dynamic” tunnels

Technical Tip: FortiGate Hub with multiple IPSec Dial-up phase1 using IKEv2 and PSK authentication

Technical Tip : How to configure multiple VPN tunnels from the same ISP to the same remote peer ISP.

Technical Tip: IPSec dial-up full tunnel with FortiClient

Technical Tip: Differences between Aggressive and Main mode in IPSec VPN configurations

Technical Note: Dynamic routing (BGP) over IPsec tunnel

Technical Tip: OSPF with IPSec VPN for network redundancy

Technical Tip: Dynamic dial-up VPN with OSPF

Technical Tip: Fortinet Auto Discovery VPN (ADVPN)

Technical Tip: 'set net-device' new route-based IPsec logic

Technical Tip: Simple OCVPN deployment

Technical Tip: SD-WAN integration with OCVPN

Technical Tip: Configure IPsec VPN with SD-WAN

Technical Tip: SD-WAN with DDNS type IPsec

Technical Tip: SD-WAN primary and backup ipsec tunnel Scenario

Troubleshooting Tip: IPsec VPN Phase 1 Process - Aggressive Mode

Technical Note : Configuring more than one Main-Mode Pre-Shared Key (PSK) *dialup* IPSec phase1 on a...

Technical Tip: Hard timeout for Dialup IPSEC VPN Tunnel

46284
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.