Description | This article outlines an expected behavior when the IKE version is modified from IKEv2 to IKEv1 in an IPSEC VPN configuration. |
Scope | FortiGate. |
Solution |
When switching the IKE version from IKEv2 to IKEv1, the unity-support setting will automatically get disabled:
The Cisco Unity Configuration Method (UCM) extensions are a set of proprietary extensions used in IPsec VPNs to simplify and automate VPN client configuration.
These extensions allow a VPN device such as a router or FortiGate to dynamically provide specific configuration settings to VPN clients (like the Cisco VPN Client) during the Internet Key Exchange (IKE) phase of establishing the VPN tunnel.
config vpn ipsec phase1-interface
edit "FCT"
set type dynamic
set interface "port25"
set ike-version 2
set peertype any
set net-device disable
set mode-cfg enable
set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
set comments "VPN: FCT (Created by VPN wizard)"
set eap enable
set eap-identity send-request
set wizard-type dialup-forticlient
set authusrgrp "local-group"
set ipv4-start-ip 2.1.1.1
set ipv4-end-ip 2.1.1.11
set dns-mode auto
set ipv4-split-include "FCT_split"
set save-password enable
set client-keep-alive enable
set psksecret ENC TI1KpJhMm7R4wcolBhZO35Gnlo/MebhJPZyrpncT2nrwEfLCkT8w/HAxzZnUg7b2zDTAHrCvr6xHbdfaq2E7sE04DdEyFxBqPT1AZ0TxCpPwjSgZcXVnCrmM4nUUHZRYKJI+ooNUqlC7dB1lmMjY3dkVA
next
end
FGT(FCT)# set ike-version 1
FGT(FCT)# show full | grep unity
set unity-support disable
[Enable/disable support for Cisco UNITY Configuration Method extensions].
Refer to the below KB article to know more about the option 'unity-support' on FortiGate.
This is working as designed and an expected behavior.
|
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.