Adam_Shortt_FTNT
Article Id 272630

 

Description

This article provides a sample IPsec VPN configuration for use with the built-in/native VPN client on iPhone and iPad.

The configuration was originally written for FortiOS v4.0 MR3, v5.0, v5.2 and v5.4 (since it differed from the configuration required for previous firmware versions), but it is still relevant for FortiOS 6.x and 7.x. The related article section further below provides a configuration guide for earlier firmware versions (FortiOS firmware version 4.0 MR2 and earlier), as well as a guide for IKEv2-based IPsec connections from iPhone/iPadOS clients to the FortiGate.

 

Note that in later FortiOS versions, an IPsec Wizard utility was added that allows admins to deploy a VPN based on a pre-made template (i.e. using settings matching vendor documentation). See the following FortiGate Admin Guide section for more information: https://docs.fortinet.com/document/fortigate/latest/administration-guide/311726/ios-device-as-dialup...

Scope

FortiGate IPsec; iPhone/iPad clients using the built-in/native IPsec client.

This example is intended for a dial-up VPN network that requires connections from iPhone or iPad clients.

Solution
It should be noted that the VPN is configured as route-based, otherwise known as interface-based. The configuration requires a peer ID ('apple' in this case) as well as a user group. It is best to configure this VPN using the CLI as some of the required settings are not available in the web interface.
 
Additionally, the following configuration is built around Apple's native (aka Cisco) IPsec settings. Refer to the following documentation from Apple for the supported VPN settings (i.e. IKEv1 Aggressive mode, Phase 1 and Phase 2 settings, etc.): https://support.apple.com/en-ca/guide/deployment/depdf31db478/web

Set up a user, user group, and firewall addresses (note that the group member must match the local user name created in the first step):
 
config user local
    edit "testuser"
        set status enable
        set type password
        set passwd <password>
    next
end
 
config user group
    edit "AppleVPNUsers"
        set member "testuser"
    next
end
 
config firewall address
    edit "internal1subnet"
        set subnet <LAN subnet and mask here> (e.g. 192.168.29.0 255.255.255.0)
    next
    edit "appleVPNsubnet"
        set subnet 10.3.3.0 255.255.255.0
    next
end
 
Phase 1 Settings:
 
config vpn ipsec phase1-interface
    edit "AppleVPN"
        set type dynamic
        set interface "wan1"
        set dhgrp 2
        set peertype one
        set xauthtype auto
        set mode aggressive
        set mode-cfg enable
        set proposal aes256-md5 aes256-sha1
        set peerid "apple"
        set authusrgrp "AppleVPNUsers"
        set ipv4-start-ip 10.3.3.1
        set ipv4-end-ip 10.3.3.254
        set ipv4-netmask 255.255.255.0
        set psksecret <tunnel password here>
    next
end
 
Optional DNS Phase 1 settings (entered within the same "AppleVPN" phase1-interface entry shown above):

set domain <domain suffix here>
set ipv4-dns-server1 <DNS server IP here>
set ipv4-dns-server2 <DNS server IP here>
set ipv4-dns-server3 <DNS server IP here>
 
Setting a domain here lets the VPN client append a DNS suffix whenever it resolves a bare hostname rather than a fully-qualified domain name (i.e. with set domain 'domain.local', a DNS lookup for 'hostname' automatically becomes hostname.domain.local).
 
Phase 2 Settings:
 
config vpn ipsec phase2-interface
    edit "AppleVPNp2"
        set keepalive enable
        set pfs disable
        set phase1name "AppleVPN"
        set proposal aes256-md5 aes256-sha1
    next
end
 
Configure Firewall Policies:

VPN -> LAN:
 
config firewall policy
    edit <unique firewall policy ID here>
        set srcintf "AppleVPN"
        set dstintf "internal1"
        set srcaddr "appleVPNsubnet"
        set dstaddr "internal1subnet"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
 
LAN -> VPN:
 
config firewall policy
    edit <unique firewall policy ID here>
        set srcintf "internal1"
        set dstintf "AppleVPN"
        set srcaddr "internal1subnet"
        set dstaddr "appleVPNsubnet"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end

If VPN clients will be accessing the Internet while connected (i.e. if this is a full-tunnel VPN), then create another firewall policy from the VPN tunnel out via the WAN interface (note that Source NAT is enabled in this policy):
 
config firewall policy
    edit <unique firewall policy ID here>
        set srcintf "AppleVPN"
        set dstintf "wan1"
        set srcaddr "appleVPNsubnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
end
 
Static route so that traffic destined for tunnel clients is routed back out of the tunnel:
 
config router static
    edit <unique route ID>
        set device "AppleVPN"
        set dst 10.3.3.0 255.255.255.0
    next
end
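The objects above reference each other by name (local user -> user group -> phase1-interface authusrgrp -> phase2-interface phase1name), and a slip in any one of them leaves the tunnel unable to authenticate or never brought up. The following Python script is an added example, not part of this article or any Fortinet tool: it parses the flat FortiOS CLI shown on this page and cross-checks those references; the sample input is a constructed excerpt that deliberately points the user group at a non-existent user.

```python
import shlex

def parse_fortios(text):
    """Parse flat FortiOS CLI (config/edit/set/next/end) into {table: {entry: {key: [values]}}}."""
    tables, table, entry = {}, None, None
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "config":
            table = tables.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit":
            entry = table.setdefault(tok[1], {})
        elif tok[0] == "set":
            entry[tok[1]] = tok[2:]
        elif tok[0] == "end":
            table = entry = None
    return tables

# (table holding the reference, attribute, table that must define the referenced name)
REFS = [
    ("user group", "member", "user local"),
    ("vpn ipsec phase1-interface", "authusrgrp", "user group"),
    ("vpn ipsec phase2-interface", "phase1name", "vpn ipsec phase1-interface"),
]

def check_vpn_refs(cfg):
    """Return one problem string per reference that names an object the config never defines."""
    problems = []
    for table, attr, target in REFS:
        for name, attrs in cfg.get(table, {}).items():
            for value in attrs.get(attr, []):
                if value not in cfg.get(target, {}):
                    problems.append(f"{table} '{name}': {attr} '{value}' not defined in '{target}'")
    return problems

# Constructed excerpt of this article's CLI; the group member "test" does not match "testuser".
SAMPLE = """config user local
    edit "testuser"
        set type password
end
config user group
    edit "AppleVPNUsers"
        set member "test"
end
config vpn ipsec phase1-interface
    edit "AppleVPN"
        set authusrgrp "AppleVPNUsers"
end
config vpn ipsec phase2-interface
    edit "AppleVPNp2"
        set phase1name "AppleVPN"
end"""
```

Run check_vpn_refs(parse_fortios(SAMPLE)) to list the dangling references; the same function works on a full "show" dump as long as the blocks are flat like the ones on this page.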
 
Configuration required on the iPad/iPhone built-in (Cisco IPsec) VPN client:
 
Description: FortiGate VPN
Server: IP of the FortiGate WAN interface that is configured for VPN (interface wan1 in this case)
Account: testuser (a user account on the FortiGate)
Password: <configured previously>
Use Certificate: off
Group Name: apple (the peer ID from the Phase 1 step)
Secret: the pre-shared key for the tunnel, from the Phase 1 step
 
Related articles: