Matt_B
Staff & Editor
Article Id 394940
Description

This article describes the FortiClient default IPsec settings and the required FortiOS changes if an IPsec dial-up gateway must support the FortiClient defaults.
Scope

FortiClient v7.4.3 and earlier.

Solution

Windows FortiClient v7.4.3 default settings:

Phase 1:

[Screenshot: fct_win_7.4.3.1790_phase1.PNG, Windows FortiClient 7.4.3.1790 Phase 1 default settings]

Phase 2:

[Screenshot: fct_win_7.4.3.1790_phase2.PNG, Windows FortiClient 7.4.3.1790 Phase 2 default settings]

FortiClient v7.4.2 and earlier default settings:

Phase 1:

[Screenshot: fct_win_7.2.7.1116_phase1.PNG, Windows FortiClient 7.2.7.1116 Phase 1 default settings]

Phase 2:

[Screenshot: fct_win_7.2.7.1116_phase2.PNG, Windows FortiClient 7.2.7.1116 Phase 2 default settings]

MacOS FortiClient has the same default settings as earlier Windows FortiClient versions.


FortiOS configuration:

If the FortiGate IPsec tunnel was created using the wizard, modify the phase1-interface and phase2-interface configuration to allow connection from a FortiClient with default settings as follows:

config vpn ipsec phase1-interface
    edit <phase1-name>
        set wizard-type custom
        set dhgrp 20 21 5
    next
end

config vpn ipsec phase2-interface
    edit <phase2-name>
        set dhgrp 20 21 5
    next
end

If an IPsec Remote Access gateway was created using the v7.6 version of the wizard, the following additional changes are also required:

config vpn ipsec phase1-interface
    edit <phase1-name>
        set ike-version 1
        set mode aggressive
        set ems-sn-check disable
    next
end

The settings above are provided as an example and can be useful when the set of endpoints connecting to an existing VPN is unmanaged and may include a variety of FortiClient versions deployed at different times.

As a best practice for new deployments, it is recommended to use the more secure Phase 1 and Phase 2 encryption settings listed below instead. The VPN will only be functional if the changes are made on both FortiClient and FortiOS:

  • IKE version 2.
  • AES256-SHA256 or better.
  • DH group 20 or 21.
  • Disable EMS-SN-Verification in the FortiOS IPsec phase1-interface configuration, unless all FortiClients are managed by EMS.

IKE version 2 is also required if using single-sign-on authentication with an IPsec dial-up gateway. See this KB article Technical Tip: Recommended basic configuration for SSL VPN to IPsec VPN migration with SAML authenti... for an example of migrating SSL VPN single-sign-on to IPsec VPN single-sign-on.


Beginning in FortiClient Windows v7.4.4, IKE version 2 is required:

FortiClient Windows v7.4.4 and above do not support IKEv1. When these versions are in use, FortiOS must have a dial-up VPN configured using IKE version 2, which is not compatible with the default settings of older FortiClient versions.

Since IKEv1 and IKEv2 gateway proposals are not compared with each other, it is possible to configure an IKEv1 dial-up gateway to accommodate older FortiClient versions using the default configuration, as well as a parallel IKEv2 dial-up gateway for newer FortiClient versions, without causing a conflict or gateway mismatch.

Phase 1:

[Screenshot: v745_phase1.png, FortiClient v7.4.5 Phase 1 default settings]

Phase 2:

[Screenshot: v745_phase2.png, FortiClient v7.4.5 Phase 2 default settings]
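As an added check (example code written for this article, not Fortinet's), the script below parses a constructed `show vpn ipsec phase1-interface` dump containing the parallel IKEv1/IKEv2 dial-up pair described above and reports which gateway falls short of the best-practice list (IKE version 2, AES256-SHA256 or better, DH group 20 or 21, EMS-SN check disabled). The sample configuration and the reading of "or better" as AES-256 with a SHA-2 integrity or PRF algorithm are assumptions, not taken from the article.

```python
import re

# Constructed sample (not from a real FortiGate): a legacy IKEv1 dial-up
# gateway for old FortiClient defaults beside an IKEv2 one for v7.4.4+.
SAMPLE = """
config vpn ipsec phase1-interface
    edit "legacy-ikev1"
        set ike-version 1
        set proposal aes128-sha1 aes256-sha256
        set dhgrp 20 21 5
        set ems-sn-check enable
    next
    edit "new-ikev2"
        set ike-version 2
        set proposal aes256-sha256 aes256gcm-prfsha384
        set dhgrp 20 21
        set ems-sn-check disable
    next
end
"""

# Our reading of "AES256-SHA256 or better": AES-256 (CBC or GCM) with SHA-2.
STRONG = re.compile(r"^aes256(?:gcm)?-(?:prf)?sha(?:256|384|512)$")

def parse_phase1(text):
    """Map each `edit "<name>"` block of a phase1-interface dump to its settings."""
    gateways, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r'edit "(.+)"$', line):
            current = gateways.setdefault(m.group(1), {})
        elif current is not None and (m := re.match(r"set (\S+) (.+)$", line)):
            current[m.group(1)] = m.group(2).replace('"', "").split()
        elif line == "next":
            current = None
    return gateways

def audit(gw):
    """Best-practice items one gateway fails (empty list means compliant)."""
    findings = []
    if gw.get("ike-version") != ["2"]:
        findings.append("IKE version is not 2")
    if weak := [p for p in gw.get("proposal", []) if not STRONG.match(p)]:
        findings.append("proposals below AES256-SHA256: " + " ".join(weak))
    if bad := [g for g in gw.get("dhgrp", []) if g not in ("20", "21")]:
        findings.append("DH groups other than 20/21: " + " ".join(bad))
    if gw.get("ems-sn-check") == ["enable"]:
        findings.append("ems-sn-check enabled (only valid if all clients are EMS-managed)")
    return findings
```

Run `audit(gw)` over each entry of `parse_phase1(SAMPLE)`: the IKEv1 gateway is expected to fail all four items while the IKEv2 gateway returns no findings, which is the intended state for the parallel-gateway arrangement.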

Related articles:

FortiOS v7.4.8 Administration Guide | FortiClient as dialup client

Troubleshooting Tip: IPsec VPN tunnels

Technical Tip: IPsec dial-up full tunnel with FortiClient