Description: This article describes the FortiClient default IPsec settings and the required FortiOS changes if an IPsec dial-up gateway must support the FortiClient defaults.
Scope: FortiClient v7.4.3 and earlier.
Solution:
Windows FortiClient v7.4.3 default settings:
Phase 1:
Phase 2:
FortiClient v7.4.2 and earlier default settings:
Phase 1:
Phase 2:
MacOS FortiClient has the same default settings as earlier Windows FortiClient versions.
FortiOS configuration: If the FortiGate IPsec tunnel was created using the wizard, modify the phase1-interface and phase2-interface configuration to allow connections from a FortiClient with default settings as follows:

config vpn ipsec phase1-interface
    edit <phase1-name>
        set wizard-type custom
        set dhgrp 20 21 5
    next
end

config vpn ipsec phase2-interface
    edit <phase2-name>
        set dhgrp 20 21 5
    next
end
If an IPsec Remote Access gateway was created using the v7.6 version of the wizard, the following additional changes are also required:
config vpn ipsec phase1-interface
    edit <phase1-name>
        set ike-version 1
        set mode aggressive
        set ems-sn-check disable
    next
end

The settings above are provided as an example and are useful when the endpoints connecting to an existing VPN are unmanaged and may include a variety of FortiClient versions deployed at different times.
As a best practice for new deployments, use more secure Phase 1 and Phase 2 encryption settings instead, such as the following. These changes are only effective if made on both FortiClient and FortiOS:
- IKE version 2.
- AES256-SHA256.
- DH group 20.
- Disable EMS-SN-Verification in the FortiOS IPsec phase1-interface configuration, unless all FortiClients are managed by EMS.
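As an added example that is not part of this article or Fortinet's tooling, the following Python audits a `show vpn ipsec phase1-interface` / `phase2-interface` dump against both profiles above: the dhgrp, ike-version, mode and ems-sn-check values the compatibility snippets set, and the IKE version 2 / AES256-SHA256 / DH group 20 hardening profile. The sample configuration, the tunnel name `fc-dialup`, and the rule that keys absent from the text are treated as unset (FortiOS defaults are not modelled) are assumptions.

```python
FC_DEFAULT_DHGRP = {"20", "21", "5"}  # the dhgrp values the compatibility snippets above set

def parse_ipsec_config(text):
    """Parse phase1/phase2-interface `show` output into {table: {edit-name: {key: [values]}}}."""
    tables, table, entry = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("config vpn ipsec phase"):
            table = tables.setdefault(line.split()[-1], {})
        elif table is not None and line.startswith("edit "):
            entry = table.setdefault(line[5:].strip('" '), {})
        elif entry is not None and line.startswith("set "):
            key, *values = line[4:].split()
            entry[key] = [v.strip('"') for v in values]  # keys absent from the text stay unset (assumption)
        elif line == "end":
            table, entry = None, None
    return tables

def audit(text):
    """Per phase1 tunnel: what blocks FortiClient-default connections, and what is weaker than the hardened profile."""
    cfg, report = parse_ipsec_config(text), {}
    p2s = {e.get("phase1name", [""])[0]: e for e in cfg.get("phase2-interface", {}).values()}
    for name, p1 in cfg.get("phase1-interface", {}).items():
        compat, harden = [], []
        for label, entry in (("phase1", p1), ("phase2", p2s.get(name, {}))):
            if missing := FC_DEFAULT_DHGRP - set(entry.get("dhgrp", [])):
                compat.append(f"{label} dhgrp lacks {' '.join(sorted(missing))}")
        for key, want in (("ike-version", "1"), ("mode", "aggressive"), ("ems-sn-check", "disable")):
            if key in p1 and p1[key][0] != want:  # only flagged when explicitly set to something else
                compat.append(f"phase1 {key} is {p1[key][0]}, FortiClient defaults need {want}")
        for ok, want in ((p1.get("ike-version") == ["2"], "ike-version 2"), (p1.get("dhgrp") == ["20"], "dhgrp 20"),
                         ("aes256-sha256" in p1.get("proposal", []), "proposal aes256-sha256")):
            if not ok:
                harden.append(f"phase1 should use {want}")
        report[name] = {"forticlient_default_gaps": compat, "hardening_gaps": harden}
    return report

# Constructed sample (not from a real FortiGate): a wizard-style tunnel that matches neither profile.
SAMPLE = """config vpn ipsec phase1-interface
    edit "fc-dialup"
        set ike-version 1
        set mode main
        set dhgrp 14 5
        set ems-sn-check enable
    next
end
config vpn ipsec phase2-interface
    edit "fc-dialup"
        set phase1name "fc-dialup"
        set dhgrp 14 5
    next
end"""
```

Running `audit(SAMPLE)` lists the missing DH groups on both phases plus the mode and ems-sn-check mismatches under `forticlient_default_gaps`, and the IKEv2, DH group 20 and AES256-SHA256 items under `hardening_gaps`.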
IKE version 2 is also required when using single sign-on authentication with an IPsec dial-up gateway. See the KB article Technical Tip: Recommended basic configuration for SSL VPN to IPsec VPN migration with SAML authenti... for an example of migrating SSL VPN single sign-on to IPsec VPN single sign-on.
Related articles: FortiOS v7.4.8 Administration Guide, "FortiClient as dialup client"
Copyright 2025 Fortinet, Inc. All Rights Reserved.