FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 198528


Dialup IPSec between a Cisco VPN client (Unity client) and a FortiGate unit was not supported before FortiOS 4.0 MR1.

Beginning with FortiOS 4.0 MR1 FortiOS supports the Cisco Unity client by supporting IKE Configuration Method (draft-dukes-ike-mode-cfg-02).

The Unity client protocol is Cisco's term for IKE configuration method. The IKE configuration method was never ratified, however Cisco and various other vendors support some or all of the draft (


(1) Configuration method is only available for route based (interface mode) IPSec.
(2) If the dialer is using NAT then FortiOS 4.0 MR1 Patch 1 must be used.


FortiOS 4.0 MR1, route based (interface mode) IPSec VPN
FortiOS 4.0 MR1 Patch 1 for NAT dialers
Configuration Method - Cisco VPN client (the version used in this article is



On the FortiGate unit:

1. Configure a local user by going to User > Local and selecting Create New.


2. Create a user group to add the new user to. Go to User > Group and select Create New.


3. Create a Phase1 IPSec interface by going to VPN > IPSec and selecting Create New and complete the following settings:

Mode: Aggressive
Ipsec interface mode: Enable
Proposal: AES128, SHA1
DH Group: 2
XAUTH: Enable as Server, and select the user group created in step 2
Peer Options: can be any if this tunnel is the only dialup tunnel defined and all dialup vpn users connect to this tunnel. Otherwise use accept a specified peer ID or peer ID in dialup group. If accept peer ID in dialup group, the tunnel preshared key will be the password of the local users in the dialup group.



From CLI, edit the phase1 interface

config vpn ipsec phase1-interface
    edit "dialup1"
        set mode-cfg enable
        set ipv4-start-ip       >>>> the first ip in the range which FGT will assign to the ipsec client
        set ipv4-end-ip    >>>> the last ip in the range which FGT will assign to the ipsec client
        set ipv4-netmask     >>>> subnet mask
        set ipv4-dns-server1          >>>> optional DNS info passed to the client
        set ipv4-wins-server1         >>>>optional WINS info passed to the client
        set ipv4-split-include "10.5.x.x"        >>>>optional dst address/address group name if split tunneling is desired

After all, the dialup phase1 will look like below from CLI:

config vpn ipsec phase1-interface
    edit "dialup1"
        set type dynamic
        set interface "external"
        set dhgrp 2
        set proposal aes128-sha1
        set xauthtype pap
        set mode aggressive
        set mode-cfg enable
        set authusrgrp "ipsecgrp"
        set ipv4-start-ip
        set ipv4-end-ip
        set ipv4-netmask
        set ipv4-dns-server1
        set ipv4-wins-server1
        set ipv4-split-include "10.5.x.x"
        set psksecret ENC +rAiG3Qgp2j5a5CnyHeRj8HRwY+fTaAj52FncVwImO61sUJuFjKQp/Z98M7PAARONXRhPrhU2dcFoG0qT3Je+AZkXhpCjm3r0V5iuwpmOEfSGAqi

4. Configure the Phase2 settings

Proposal: AES128, SHA1
PFS: selected
DH Group: 2

Note: When the Configuration Method is enabled (set mode-cfg enable), DHCP-IPSEC does not apply.


From CLI the:

config vpn ipsec phase2-interface
    edit "dialupp2"
        set dhgrp 2
        set phase1name "dialup1"
        set proposal aes128-sha1

5.  Configure a firewall policy to allow traffic from ipsec interface to desired system interface and vise versa.


On Cisco VPN Client:

Name: this is the LocalID of the client, if the Peer ID option on Fortigate is not accept any peer id, the Name here need to match the accepted peer id setup on FortiGate unit.
Password: this is the pre-shared key of the tunnel.



On FortiGate unit enter the following diagnose commands
diagnose vpn ike filter dst-addr4 <client's public ip>
diag debug app ike -1
diag debug enable

Related Articles

Technical Note : Supporting Multiple Cisco VPN Communities with FortiGate