Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
rmetzger
Staff
Staff

Created on ‎12-23-2009 12:56 AM

Article Id 198776

Technical Note : FortiGate-to-iPhone IPSec VPN configuration guide (Japanese and English version)

Description
The attachments to this article provide a FortiGate to iPhone IPSec VPN setup guide including the GUI configurations steps (Japanese and English versions).

The article also gives a FortiGate CLI configuration example for a FortiGate to iPhone IPSec setting.

This configuration is not compatable with v4.0 MR3, for this firmware version refer to the related article "Technical Note : iPhone and iPad Dialup User IPSec VPN sample configuration for FortiOS v4.0 MR3".

Scope
FortiOS firmware version 4.0 MR1
FortiOS firmware version 4.0 MR2
 
Article does NOT apply to: FortiOS firmware version 4.0 MR3

Solution
The following FortiGate CLI configuration provides an example for a FortiGate to iPhone IPSec setting. Refer to iPhone product documentation for the iPhone configuration.

Create Users, User Groups and Address Objects:

config user local
   edit "testuser1"
      set status enable
      set type password
      set passwd <password>
   next
end

config user group
   edit "iPhoneVPN"
      set group-type firewall
      set ldap-memberof ''
         set member " testuser1" 
      set profile ''
      set authtimeout 0
      set ftgd-wf-ovrd deny
   next
end

config firewall address

   edit "LAN"
      set associated-interface "switch"
      set comment ''
      set type ipmask
      set subnet 10.1.1.0 255.255.255.0
   next

   edit "iPhoneVPNUsers"
      set associated-interface "Any"
      set comment ''
      set type ipmask
      set subnet 172.16.101.0 255.255.255.0
   next
end

Configure IPSec Phase 1:
config vpn ipsec phase1-interface
   edit "iPhone"
      set type dynamic
      set interface "wan1"
      set ip-version 4
      set local-gw 0.0.0.0
      set localid ''
      set dpd enable
      set nattraversal enable
      set dhgrp 2
      set proposal 3des-sha1 3des-md5
      set keylife 28800
      set authmethod psk
      set peertype any
      set xauthtype auto
      set mode main
      set mode-cfg enable
      set authusrgrp "iPhoneVPN"
      set default-gw 0.0.0.0
      set default-gw-priority 0
      set dpd-retrycount 3
      set dpd-retryinterval 5
      set assign-ip enable
      set mode-cfg-ip-version 4
      set assign-ip-from range
      set add-route enable
      set ipv4-start-ip 172.16.101.1
      set ipv4-end-ip 172.16.101.254
      set ipv4-netmask 255.255.255.0
      set ipv4-dns-server1 0.0.0.0
      set ipv4-dns-server2 0.0.0.0
      set ipv4-dns-server3 0.0.0.0
      set ipv4-wins-server1 0.0.0.0
      set ipv4-wins-server2 0.0.0.0
      set ipv4-split-include "LAN"
      set unity-support enable
      set domain ''
      set banner ''
      set psksecret <psk>
      set keepalive 10
      set distance 1
      set priority 0
   next
end
Configure IPSec Phase 2:
config vpn ipsec phase2-interface
   edit "iPhone-P2"
      set dst-addr-type subnet
      set dst-port 0
      set keepalive disable
      set keylife-type seconds
      set pfs enable
      set phase1name "iPhone"
      set proposal aes256-sha1 aes256-sha256
      set protocol 0
      set replay enable
      set route-overlap use-new
      set single-source disable
      set src-addr-type subnet
      set src-port 0
      set dhgrp 2
      set dst-subnet 0.0.0.0 0.0.0.0
      set keylifeseconds 1800
      set src-subnet 0.0.0.0 0.0.0.0
   next
end
Configure Firewall Policies:

VPN => LAN
config firewall policy
   edit 1
      set srcintf "iPhone"
      set dstintf "switch"
         set srcaddr "iPhoneVPNUsers" 
         set dstaddr "LAN" 
      set action accept
      set status enable
      set logtraffic enable
      set per-ip-shaper ''
      set session-ttl 0
      set wccp disable
      set disclaimer disable
      set natip 0.0.0.0 0.0.0.0
      set match-vip disable
      set diffserv-forward disable
      set diffserv-reverse disable
      set tcp-mss-sender 0
      set tcp-mss-receiver 0
      set comments ''
      set endpoint-check disable
      set label ''
      set identity-based disable
      set schedule "always"
         set service "ANY" 
      set profile-status disable
      set traffic-shaper ''
      set nat disable
   next
end
LAN => VPN
config firewall policy
   edit 2
      set srcintf "switch"
      set dstintf "iPhone"
         set srcaddr "LAN" 
         set dstaddr "iPhoneVPNUsers" 
      set action accept
      set status enable
      set logtraffic enable
      set per-ip-shaper ''
      set session-ttl 0
      set wccp disable
      set disclaimer disable
      set natip 0.0.0.0 0.0.0.0
      set match-vip disable
      set diffserv-forward disable
      set diffserv-reverse disable
      set tcp-mss-sender 0
      set tcp-mss-receiver 0
      set comments ''
      set endpoint-check disable
      set label ''
      set identity-based disable
      set schedule "always"
         set service "ANY" 
      set profile-status disable
      set traffic-shaper ''
      set nat disable
   next
end




Related Articles

Technical Note : iPhone VPN support on the FortiGate (IPSec , PPtP , SSL)

Technical Note: iPhone and iPad Dialup User IPsec VPN sample configuration

Preview file
665 KB
Preview file
325 KB
74423
0 Kudos
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.