FortiGate
anoushiravan
Staff
Article Id 227155
Description This article explains how to configure the client to site IPsec tunnel (C2S) to automatically close after a specified duration.
Scope FortiGate.
Solution

In the CLI, open the phase1-interface configuration of the client-to-site IPsec tunnel and configure the following:

- Enable idle-timeout.

- Specify the desired timeout duration, in minutes, with the idle-timeoutinterval parameter.

For example:


FGT # config vpn ipsec phase1-interface
    edit "fclinet"
        set type dynamic
        set interface "port5"
        set mode aggressive
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd disable
        set comments "VPN: fclinet (Created by VPN wizard)"
        set xauthtype auto
        set authusrgrp "client"
        set idle-timeout enable
        set idle-timeoutinterval 20
        set ipv4-start-ip 10.100.10.1
        set ipv4-end-ip 10.100.10.5
        set dns-mode auto
        set save-password enable
        set client-auto-negotiate enable
        set client-keep-alive enable
        set psksecret  o0thdM783Nd fZA3cXGzHloa3qeRT2pXCjGc/Hocz4S2i9yS+G6wD5frvgievfa6l9gqFzA==
    next
end


In this example, the VPN tunnel automatically goes down 20 minutes after the last connection was made.

Note: The default value of idle-timeoutinterval is 15 minutes. Values can range from 5 to 43200 minutes (30 days).
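To check that every dial-up tunnel on a unit has this setting, the following added example (not Fortinet's code, and not part of the original article) parses the text of `config vpn ipsec phase1-interface` as shown above and flags tunnels of type dynamic whose idle-timeout is disabled or whose interval lies outside the documented 5 to 43200 minute range; the second tunnel in the sample and its name "dialup-legacy" are constructed for illustration.

```python
import re

# Constructed sample in FortiOS CLI syntax: the article's "fclinet" tunnel plus a
# hypothetical second dial-up tunnel that never enables idle-timeout.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "fclinet"
        set type dynamic
        set idle-timeout enable
        set idle-timeoutinterval 20
    next
    edit "dialup-legacy"
        set type dynamic
    next
end
"""

# Minutes: FortiGate default interval and the documented allowed range.
DEFAULT_INTERVAL, MIN_INTERVAL, MAX_INTERVAL = 15, 5, 43200


def parse_phase1(config_text):
    """Return {tunnel_name: {setting: value}} for each phase1-interface entry."""
    tunnels, current = {}, None
    for line in config_text.splitlines():
        line = line.strip()
        m = re.match(r'edit "([^"]+)"', line)
        if m:
            current = m.group(1)
            tunnels[current] = {}
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            _, key, *values = line.split()
            tunnels[current][key] = " ".join(values).strip('"')
    return tunnels


def audit_idle_timeout(config_text):
    """Flag dial-up (type dynamic) tunnels with idle-timeout off or out of range."""
    findings = {}
    for name, settings in parse_phase1(config_text).items():
        if settings.get("type") != "dynamic":
            continue  # static site-to-site tunnels are not in scope here
        enabled = settings.get("idle-timeout") == "enable"
        interval = int(settings.get("idle-timeoutinterval", DEFAULT_INTERVAL))
        if not enabled:
            findings[name] = "idle-timeout disabled"
        elif not MIN_INTERVAL <= interval <= MAX_INTERVAL:
            findings[name] = f"idle-timeoutinterval {interval} outside {MIN_INTERVAL}-{MAX_INTERVAL}"
        else:
            findings[name] = f"ok ({interval} min)"
    return findings
```

Feed it the output of `show vpn ipsec phase1-interface` captured from the unit; it only reads the text and changes nothing on the device.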


The following debug output from the FortiGate shows the VPN route that is installed once the client has connected:


FGT # di vpn ike routes list

vd: root/0
vrf: 0
dst: 10.100.10.1/255.255.255.255
next-hop: 10.136.3.113
interface: fclinet/31
distance: 15
priority: 0
overlap: use-new
virtual: false
ha-only: false
count: 1


After 20 minutes, the tunnel (phase1) goes down:


FGT # di de disable
FGT # di de reset
FGT # di de cons time enable
FGT # di vpn ike log-filter name fclinet
FGT # di vpn ike log-filter dst-addr4 10.136.3.113
FGT # di de enable
FGT # di de app ike -1

FGT # 2022-10-19 12:08:13.089412 ike 0: in 86D71F91A7693FD74D589BA9844E7CB708100501BE26CC090000006C1EF3A2A2D3584E9719A6105E566029BAA0F23855B15D07054CC07FBEF2A67F9A5F29C80EA59E2AB8EBA4DA1497554AACE3294724194F482DABD5A0DC7B69E83532931CF58D7D55C47EB94B2F31AEA6E9
2022-10-19 12:08:15.510344 ike 0: comes 10.136.3.113:500->10.109.16.152:500,ifindex=9....
2022-10-19 12:08:15.510372 ike 0: IKEv1 exchange=Informational id=86d71f91a7693fd7/4d589ba9844e7cb7:8246e566 len=92
2022-10-19 12:08:15.510400 ike 0: in 86D71F91A7693FD74D589BA9844E7CB7081005018246E5660000005CB4086BDD93A6B5AE3135EBE6072710606E880B0E304C03DC32AD2A1FAC128D05FE7FF5ECF1A3C97201D5EDAFB228211FEFE993154170142CD73E526C9C3EBBED
2022-10-19 12:08:15.510412 ike 0: no established IKE SA for exchange-type Informational from 10.136.3.113:500->10.109.16.152 9 cookie 86d71f91a7693fd7/4d589ba9844e7cb7, drop <<<<<<<-----
2022-10-19 12:08:15.510746 ike 0: comes 10.136.3.113:500->10.109.16.152:500,ifindex=9....
2022-10-19 12:08:15.510759 ike 0: IKEv1 exchange=Informational id=86d71f91a7693fd7/4d589ba9844e7cb7:d514f7c6 len=92
2022-10-19 12:08:15.510766 ike 0: in 86D71F91A7693FD74D589BA9844E7CB708100501D514F7C60000005CCAFD387F06603E8C1F3ED5EC8D8DCE932E1CD988E06A129A59012A8D946D0FD1BF24E8253DAF760E8B7A56FF8AB73B2195174C6BE65AC86FDEED6CE4B2D86AD8
2022-10-19 12:08:15.510776 ike 0: no established IKE SA for exchange-type Informational from 10.136.3.113:500->10.109.16.152 9 cookie 86d71f91a7693fd7/4d589ba9844e7cb7, drop <<<<<<<-----
2022-10-19 12:08:15.510944 ike 0: comes 10.136.3.113:500->10.109.16.152:500,ifindex=9....


Because the FortiGate always acts as the responder in a C2S IPsec tunnel, it does not re-initiate the tunnel itself; the tunnel stays down until the client connects to the VPN again, and the client is able to do so at any time.


Related article:
https://docs.fortinet.com/document/fortigate/6.4.2/administration-guide/790613/phase-1-configuration