FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
This article describes how to configure IPsec dialup using iOS and the certificate authentication method. It does not describe how to create and import certificates on FortiGate or iOS.
Valid certificates that will be used for phase 1 IPsec authentication need to be imported first.
All certificates (including the CA) have to be created with a 2048-bit key length and signed with SHA1 (MD5 does not work).
iOS requires that the subjectAltName of the VPN server's (FortiGate) certificate matches either the hostname (which it checks through DNS) or the IP address of the server to which you are connecting. That means that the IP address of the FortiGate interface used for connecting (e.g. 184.108.40.206) has to be part of the FortiGate local certificate's subject name.
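As an added example (not from the article or Fortinet), the shell script below uses the openssl CLI to check a server certificate against the three requirements just described: key length, signature algorithm, and the connecting IP present in the subjectAltName. The certificate it generates is constructed test data, and 184.108.40.206 is the example address used above.

```shell
# Added example, not FortiGate code: checks a VPN server certificate against
# the iOS dialup requirements (2048-bit key, no MD5, server IP in SAN).
set -eu

# check_vpn_cert CERT_PEM SERVER_IP -> 0 if usable, 1 otherwise (prints problems)
check_vpn_cert() {
    cert="$1"; ip="$2"; rc=0
    text=$(openssl x509 -in "$cert" -noout -text)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    san=$(printf '%s\n' "$text" | awk '/Subject Alternative Name/ { getline; print }')
    # Key length: the article requires 2048-bit keys.
    if [ "${bits:-0}" -lt 2048 ]; then echo "FAIL: key is ${bits:-unknown} bits, need 2048"; rc=1; fi
    # Signature: MD5-signed certificates are rejected by iOS.
    case "$sigalg" in
        *md5*|*MD5*) echo "FAIL: signature algorithm is $sigalg (MD5)"; rc=1 ;;
    esac
    # subjectAltName must carry exactly the IP the client connects to.
    case "$san," in
        *"IP Address:$ip,"*) ;;
        *) echo "FAIL: subjectAltName '$san' does not contain IP:$ip"; rc=1 ;;
    esac
    return $rc
}

# make_test_cert OUT_PEM SERVER_IP KEY_BITS
# Builds a constructed self-signed test certificate with the given SAN IP.
make_test_cert() {
    dir=$(mktemp -d)
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = fortigate-test
[v3]
subjectAltName = IP:$2
EOF
    openssl req -x509 -newkey "rsa:$3" -nodes -sha256 -days 1 \
        -keyout "$dir/key.pem" -out "$1" -config "$dir/req.cnf" -extensions v3 >/dev/null 2>&1
    rm -rf "$dir"
}

# Demo: a 2048-bit certificate whose SAN holds the connecting IP passes the check.
tmp=$(mktemp -d); make_test_cert "$tmp/server.pem" 184.108.40.206 2048
check_vpn_cert "$tmp/server.pem" 184.108.40.206 && echo "certificate is usable for iOS dialup"
rm -rf "$tmp"
```

Run it against the PEM exported from FortiGate (System > Certificates) with the interface IP clients will dial, before assigning it in phase 1.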
The configuration steps, using the CLI, are given as an example below.
Configure local user:
config user local
    edit "test_user"
        set type password
        set passwd test!test
    next
end
Configure User Group:
config user group
    edit "xauth_gr"
        set member "test_user"
    next
end
Configure user peer:
config user peer
    edit "user_ios_test"
        set ca "CA_Cert_1"
    next
end
Configure phase1 IPsec:
config vpn ipsec phase1-interface
    edit "iPhone"
        set type dynamic
        set interface "wan1"
        set keylife 28800
        set authmethod signature
        set peertype peer
        set mode-cfg enable
        set proposal aes256-md5 aes256-sha1
        set dhgrp 2
        set wizard-type dialup-ios
        set xauthtype pap
        set authusrgrp "xauth_gr"
        set certificate "C_10.108.17.99"
        set peer "user_ios_test"
        set ipv4-start-ip 10.10.10.10
        set ipv4-end-ip 10.10.10.20
        set ipv4-netmask 255.255.255.0
        set dns-mode auto
        set distance 1
    next
end
Configure phase2 IPsec:
config vpn ipsec phase2-interface
    edit "iPhone"
        set phase1name "iPhone"
        set proposal aes256-md5 aes256-sha1
        set pfs disable
        set keepalive enable
        set keylifeseconds 1800
    next
end
Configure address objects:
config firewall address
    edit "LAN_10.40.0.0/22"
        set subnet 10.40.0.0 255.255.252.0
    next
    edit "IPsec_dialup_users_range"
        set type iprange
        set start-ip 10.10.10.10
        set end-ip 10.10.10.20
    next
end
Configure the needed firewall policies:
config firewall policy
    edit 1
        set uuid 5b7cb9ae-d2d4-51e4-a9f6-cd98c7d7238b
        set srcintf "iPhone"
        set dstintf "internal1"
        set srcaddr "IPsec_dialup_users_range"
        set dstaddr "LAN_10.40.0.0/22"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end