FortiGate
jjahanshahi
Staff
Article Id 196052

Description


This article describes how to configure the Apple iOS native VPN client for an IKEv2 IPsec VPN to a FortiGate.

 

Note that Apple's documentation for IKEv2 across their product lineup (iOS, iPadOS, macOS, tvOS, visionOS) can be found at the following link: https://developer.apple.com/documentation/devicemanagement/vpn/ikev2/ikesecurityassociationparameter...

 

Additionally, note that it is not possible to directly configure the IKEv2 encryption/integrity/PRF ciphers for VPNs on iPhones/iPads (unless this is done via an MDM profile), so this guide is built around the expected default settings. Experimentally, iOS/iPadOS devices have been observed to send the following cipher proposals when connecting to the FortiGate via IKEv2 (tested with iPadOS 15.5), though other cipher combinations may be sent depending on the client OS version (see this discussion on Apple's forums: https://forums.developer.apple.com/forums/thread/659209):

 

  • AES-CBC-256/SHA-256/MODP2048 (DH14).
  • AES-CBC-256/SHA-256/ECP256 (DH19).
  • AES-CBC-256/SHA-256/MODP1536 (DH5).
  • AES-CBC-128/SHA-1/MODP1024 (DH2).
  • 3DES/SHA-1/MODP1024 (DH2).

 

This article will use the top-most proposal (AES-256 for encryption, SHA-256 for integrity and PRF, and DH14 for key exchange), since it is a well-supported and secure option across multiple generations of Apple clients, and since it is not necessary to match every proposal: as long as one proposal matches, the IPsec tunnel can connect. Offering only that proposal on the FortiGate also ensures that the weaker DH2/DH5 and SHA-1 combinations in the list above can never be selected.
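The negotiation rule just described (one matching proposal is enough, and every extra group the FortiGate offers is one the client may end up using) can be checked before touching the firewall. The following Python script is an added example, not code from the original article or from Fortinet: it expands a FortiGate `set proposal` / `set dhgrp` pair into concrete proposals, runs them against the iOS proposal list above, and reports which weak combinations remain selectable. The responder-selection model (the first initiator proposal the responder also supports) and the token mapping are simplifying assumptions of the example.

```python
# Added example (not from the original article): models IKEv2 SA selection
# between the iOS proposal list quoted in the article and a FortiGate
# phase1 'set proposal' / 'set dhgrp' setting.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Proposal:
    encr: str   # e.g. "AES-CBC-256"
    integ: str  # e.g. "SHA-256" (used for both integrity and PRF, as in the article)
    dh: int     # Diffie-Hellman group number


# iOS/iPadOS proposals as listed in the article (observed with iPadOS 15.5).
IOS_PROPOSALS: List[Proposal] = [
    Proposal("AES-CBC-256", "SHA-256", 14),
    Proposal("AES-CBC-256", "SHA-256", 19),
    Proposal("AES-CBC-256", "SHA-256", 5),
    Proposal("AES-CBC-128", "SHA-1", 2),
    Proposal("3DES", "SHA-1", 2),
]

# Assumed mapping from FortiGate proposal tokens to the names used above.
FGT_ENCR = {"aes256": "AES-CBC-256", "aes128": "AES-CBC-128", "3des": "3DES"}
FGT_INTEG = {"sha256": "SHA-256", "sha384": "SHA-384", "sha1": "SHA-1"}

# MODP768/1024/1536: below current size guidance for DH groups.
WEAK_DH = {1, 2, 5}


def fortigate_proposals(proposal: str, dhgrp: str) -> List[Proposal]:
    """Expand 'set proposal <tokens>' and 'set dhgrp <groups>' into concrete proposals.

    Each encr-integ token is offered with every listed DH group.
    """
    out: List[Proposal] = []
    for token in proposal.split():
        encr, integ = token.split("-", 1)
        for grp in dhgrp.split():
            out.append(Proposal(FGT_ENCR[encr], FGT_INTEG[integ], int(grp)))
    return out


def negotiate(initiator: List[Proposal], responder: List[Proposal]) -> Optional[Proposal]:
    """Simplified responder choice: the first initiator proposal the responder supports.

    Returns None when no proposal matches, i.e. the tunnel cannot come up.
    """
    supported = set(responder)
    for p in initiator:
        if p in supported:
            return p
    return None


def weak_matches(initiator: List[Proposal], responder: List[Proposal]) -> List[Proposal]:
    """Proposals both sides accept that rely on a weak DH group."""
    supported = set(responder)
    return [p for p in initiator if p in supported and p.dh in WEAK_DH]


if __name__ == "__main__":
    for dhgrp in ("14 5 2", "14"):
        fgt = fortigate_proposals("aes256-sha256", dhgrp)
        print(f"dhgrp {dhgrp!r}: selected={negotiate(IOS_PROPOSALS, fgt)} "
              f"weak_selectable={weak_matches(IOS_PROPOSALS, fgt)}")
    # A proposal iOS never sends yields no match at all.
    print("aes256-sha384 / 14:", negotiate(IOS_PROPOSALS, fortigate_proposals("aes256-sha384", "14")))
```

Running it shows that `dhgrp 14 5 2` and `dhgrp 14` both select the AES-256/SHA-256/DH14 proposal, but only the former leaves the MODP1536 combination selectable, and that a FortiGate proposal iOS never offers (for example `aes256-sha384`) produces no match, which is the failure mode to suspect when the client reports an IKE error immediately.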

 

Scope

 

FortiGate v5.4 and later (v6.x, v7.x); Apple native IKEv2/IPsec clients (including iOS/iPadOS, macOS, etc.)


Solution


Here are the recommended settings on the FortiGate side:

 

config vpn ipsec phase1-interface
  edit "APPLE"
    set type dynamic
    set interface "wan1"
    set ike-version 2
    set peertype any
    set mode-cfg enable
    set proposal aes256-sha256           ---{ Matches the preferred iOS proposal (AES-CBC-256 / SHA-256)
    set localid "myfortinet"             ---{ Must be entered as the "Remote ID" in the IKEv2 VPN settings on the iPhone or Mac
    set negotiate-timeout 300
    set comments "VPN: APPLE (Created by VPN wizard)"
    set dhgrp 14                         ---{ DH14 matches the preferred iOS proposal; add groups 5 and 2 only if a legacy client cannot connect (MODP1536/MODP1024 are weak)
    set eap enable                       ---{ Must be enabled
    set eap-identity send-request        ---{ Must be enabled
    set authusrgrp "APPLEGRP"            ---{ FortiGate user group allowed to authenticate via EAP; the iPhone or Mac logs in with a member's username and password
    set nattraversal enable              ---{ Leave enabled (the default): mobile clients are almost always behind NAT and need UDP/4500
    set ipv4-start-ip 100.100.100.1
    set ipv4-end-ip 100.100.100.254
    set ipv4-netmask 255.255.255.0
    set dns-mode auto
    set psksecret <shared-secret>        ---{ Pre-shared key entered on the Apple client; the original output shows it as an encrypted ENC blob, which cannot be reused on another unit
    set dpd-retrycount 5
    set dpd-retryinterval 5
  next
end

config vpn ipsec phase2-interface
  edit "APPLE"
    set phase1name "APPLE"
    set proposal aes256-sha256
    set keepalive enable
    set comments "VPN: APPLE (Created by VPN wizard)"
  next
end

config user local
  edit "fortinet"
    set type password
    set passwd <password>                ---{ User password; the original output shows it as an encrypted ENC blob
  next
end

config user group
  edit "APPLEGRP"
    set member "fortinet"
  next
end
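Since the article notes that the IKEv2 ciphers on iPhones and iPads can only be pinned through an MDM/configuration profile, the following Python script is an added example (not from the original article, nor Fortinet's or Apple's code) that generates such a .mobileconfig profile for the Apple native client, mirroring the FortiGate configuration above: Remote ID equal to `localid`, shared secret for `psksecret`, EAP username/password for a member of `APPLEGRP`, and AES-256/SHA2-256/DH14 for both the IKE SA and the child SA. The payload keys follow Apple's `com.apple.vpn.managed` VPN payload; the server address, payload identifiers, SA lifetimes and credentials are placeholder assumptions.

```python
# Added example (not from the original article): generates an Apple
# configuration profile for the native IKEv2 client that matches the
# FortiGate phase1/phase2 settings shown above.
import plistlib
import uuid
from typing import Any, Dict


def ikev2_profile(server: str, remote_id: str, username: str, password: str,
                  shared_secret: str, name: str = "APPLE") -> Dict[str, Any]:
    """Return the profile as a plist-compatible dict (top-level 'Configuration' payload)."""
    # IKE SA and child SA parameters: AES-256 / SHA2-256 / DH14, the proposal
    # the article builds on. Lifetimes are assumed values (minutes).
    sa_params = {
        "EncryptionAlgorithm": "AES-256",
        "IntegrityAlgorithm": "SHA2-256",
        "DiffieHellmanGroup": 14,
        "LifeTimeInMinutes": 1440,
    }
    vpn_payload = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"example.vpn.{name.lower()}",   # assumed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{name} IKEv2",
        "UserDefinedName": name,
        "VPNType": "IKEv2",
        "IKEv2": {
            "RemoteAddress": server,
            "RemoteIdentifier": remote_id,            # must equal FortiGate 'set localid'
            "LocalIdentifier": username,
            "AuthenticationMethod": "SharedSecret",   # FortiGate 'set psksecret'
            "SharedSecret": shared_secret,
            "ExtendedAuthEnabled": 1,                 # FortiGate 'set eap enable'
            "AuthName": username,                     # member of 'set authusrgrp'
            "AuthPassword": password,
            "IKESecurityAssociationParameters": dict(sa_params),
            "ChildSecurityAssociationParameters": dict(sa_params),
            "DeadPeerDetectionRate": "Medium",
            "DisableMOBIKE": 0,
        },
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.vpn.profile",       # assumed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{name} IKEv2 VPN",
        "PayloadContent": [vpn_payload],
    }


def to_mobileconfig(profile: Dict[str, Any]) -> bytes:
    """Serialise the profile as the XML plist that iOS/macOS expect in a .mobileconfig file."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def ike_parameters(profile: Dict[str, Any]) -> Dict[str, Any]:
    """Convenience accessor used to verify what a generated profile will negotiate."""
    return profile["PayloadContent"][0]["IKEv2"]["IKESecurityAssociationParameters"]


if __name__ == "__main__":
    # Placeholder values; replace with the FortiGate's public address and real credentials.
    profile = ikev2_profile(
        server="vpn.example.com",
        remote_id="myfortinet",
        username="fortinet",
        password="<password>",
        shared_secret="<shared-secret>",
    )
    with open("APPLE-IKEv2.mobileconfig", "wb") as fh:
        fh.write(to_mobileconfig(profile))
    print("wrote APPLE-IKEv2.mobileconfig with", ike_parameters(profile))
```

The profile embeds the pre-shared key and the user's password in clear text, so it should be delivered through MDM or installed and then deleted, not mailed around. Because the pre-shared key is common to every client, the EAP username/password is what actually identifies a user on the FortiGate; each person needs their own local user in APPLEGRP.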

 

Apple iOS native VPN configuration (screenshots, not reproduced here):

  • IKEv2 mode.
  • IKEv2 selected.
  • Configuration interface on iPhone.

On the client, the "Remote ID" field must match the FortiGate's localid ("myfortinet" above), and the username and password must belong to a member of the APPLEGRP user group.