Fortinet Forum
yaronbeny7
New Contributor

Can't Connect via iOS with IPsec Connection to FortiGate Firewall

Hello,

I configured IPsec connections on my FortiGate 80C.

It's working fine with "FortiClient" via IPsec.

It's not working via my iPhone (the basic app: just go to Settings > General > VPN > Type = IPsec).

What can I do about it?

aesmith1955
New Contributor

I believe iOS 9.x requires DH group 14 to work.

AndreaSoliva
Contributor III

Hi

Based on IKEv1, and given that the embedded Cisco VPN client on iOS is used, the following configuration for phase 1 and phase 2 should work (DH Group 2, as Aggressive Mode is used for the embedded Cisco VPN client on iOS).

Keep in mind that if you have more than one aggressive-mode phase 1, you have to configure a local-id in phase 1; otherwise the phase 1 to be used cannot be correctly identified:

###########################
# IPSec Phase 1 IOS Settings (Interface Based)
###########################
config vpn ipsec phase1-interface
    edit ipsec-ios
        set comments "IPSec Phase1 IOS mydomain1-sg0e0"
        set type dynamic
        set interface wan1
        set ip-version 4
        set local-gw 0.0.0.0
        set nattraversal enable
        set dhgrp 2
        set keylife 28800
        set authmethod psk
        set mode aggressive
        set peertype any
        set xauthtype auto
        set mode-cfg enable
        set proposal aes256-md5 aes256-sha1
        set localid ipsec-ios
        set localid-type auto
        set negotiate-timeout 30
        set fragmentation enable
        set dpd enable
        set forticlient-enforcement disable
        set npu-offload enable
        set xauthexpire on-disconnect
        set authusrgrp gr-ipsec-ios-vpn-mydomain1.local
        set default-gw 0.0.0.0
        set default-gw-priority 0
        set assign-ip enable
        set mode-cfg-ip-version 4
        set assign-ip-from range
        set add-route enable
        set ipv4-start-ip 198.18.4.1
        set ipv4-end-ip 198.18.4.126
        set ipv4-netmask 255.255.255.128
        set dns-mode manual
        set ipv4-dns-server1 198.18.0.91
        set ipv4-dns-server2 0.0.0.0
        set ipv4-dns-server3 0.0.0.0
        set ipv4-wins-server1 0.0.0.0
        set ipv4-wins-server2 0.0.0.0
        #set ipv4-exclude-range
        set ipv4-split-include net-mydomain1-lan-198.18.0.0-24
        #set split-include-service
        set unity-support enable
        #set domain
        #set banner
        set include-local-lan disable
        set save-password disable
        set client-auto-negotiate disable
        set client-keep-alive disable
        set psksecret "only4mydomain1!"
        set keepalive 10
        set distance 1
        set priority 0
        set dpd-retrycount 3
        set dpd-retryinterval 5
    next
end

###########################
# IPSec Phase 2 IOS Settings (Interface Based)
###########################
config vpn ipsec phase2-interface
    edit ipsec-ios
        set comments "IPSec Phase2 IOS mydomain1-sg0e0"
        set dst-addr-type subnet
        set dst-port 0
        set encapsulation tunnel-mode
        set keepalive enable
        set keylife-type seconds
        set pfs disable
        set phase1name ipsec-ios
        set proposal aes256-md5 aes256-sha1
        set protocol 0
        set replay enable
        set route-overlap use-new
        set single-source disable
        set src-addr-type subnet
        set src-port 0
        set dst-subnet 0.0.0.0 0.0.0.0
        set keylifeseconds 1800
        set src-subnet 0.0.0.0 0.0.0.0
    next
end

Give it a try...hope this helps!

have fun

Andrea

scerazy
New Contributor III

As per this post, iOS 9.3 does indeed require DH 14.

AndreaSoliva

Hi

To shed some light on this discussion (DH 14 yes or no, DH 2 possible or not, etc.):

VPN Key Exchange Enhancements in iOS 9.3, OS X 10.11.4 and Server 5.1

iOS 9.3, OS X 10.11.4 and Server 5.1 add support for new Diffie-Hellman key exchange groups to enhance the security of VPN connections.

These releases add support for Diffie-Hellman (DH) Group 14 and 5 to L2TP over IPSec, and Diffie-Hellman Group 14 to Cisco IPSec. The new supported key exchange proposals are:

DH Group   Encryption algorithm   Hash algorithm
14         AES256                 SHA256
14         AES256                 SHA1
14         AES256                 MD5
14         AES256                 SHA512
5          AES256                 SHA256
5          AES256                 SHA1
5          AES256                 MD5

Previous versions of iOS, OS X and Server supported DH Group 2 (only) for L2TP over IPSec. Previous versions of iOS also supported DH group 5 and 2 for Cisco IPSec, with DH group 2 for aggressive mode.

DH Group 2 is still supported but it has the lowest priority when finding a proposal match. Both L2TP over IPSec and Cisco IPsec now support DH Groups 14, 5, 2, in that order of preference. For aggressive mode, the VPN client will try first with DH Group 14; if it fails, it will try again with DH Group 2. Apple recommends using Group 14 or Group 5 since they provide stronger security than Group 2, which may be vulnerable to compromise.

https://support.apple.com/en-gb/HT206154

From this point of view, I would recommend setting the following in phase 1 to be sure:

set dhgrp 14 5 2

By the way, the wizard of FortiOS 5.4 sets the DH group for iOS devices to DH 2 only; from this point of view it will still work because of the fallback possibility to DH 2!

hope this helps...

have fun

Andrea
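As an added example (not from the thread, Fortinet or Apple), the Python below simulates the iOS 9.3 aggressive-mode negotiation described in Andrea's second post against the `set dhgrp` / `set proposal` lines of a FortiOS phase1 block like the one in her first post: it shows why `set dhgrp 2` only connects on the DH 2 retry, why `set dhgrp 14 5 2` matches on the first attempt, and why a phase1 without any AES256 transform never matches. The config fragments are constructed, and the assumption that the DH 2 retry offers the same AES256 transforms as the DH 14 attempt is mine.

```python
import re

# iOS 9.3 IKEv1 (Cisco IPsec) proposals in Apple's preference order, as
# (DH group, encryption, hash); copied from the table quoted in the thread.
IOS_93_PROPOSALS = [(14, "aes256", "sha256"), (14, "aes256", "sha1"),
                    (14, "aes256", "md5"), (14, "aes256", "sha512"),
                    (5, "aes256", "sha256"), (5, "aes256", "sha1"), (5, "aes256", "md5")]
# Aggressive mode: Apple says the client tries DH 14 first, then retries with DH 2.
AGGRESSIVE_ATTEMPTS = [14, 2]


def parse_phase1(config_text):
    """Return (dh_groups, transforms) from the 'set dhgrp' and 'set proposal'
    lines of a FortiOS phase1-interface block; all other lines are ignored."""
    dh_groups, transforms = set(), set()
    for line in config_text.splitlines():
        m = re.match(r"set (dhgrp|proposal) (.+)$", line.strip())
        if not m:
            continue
        if m.group(1) == "dhgrp":
            dh_groups.update(int(v) for v in m.group(2).split())
        else:  # FortiOS spells a transform as enc-hash, e.g. aes256-sha1
            transforms.update(tuple(v.split("-", 1)) for v in m.group(2).split())
    return dh_groups, transforms


def ios_aggressive_match(dh_groups, transforms):
    """Simulate both iOS aggressive-mode attempts against the gateway's phase1.
    Returns (attempt, dh_group, (enc, hash)) of the first match, else None."""
    for attempt, group in enumerate(AGGRESSIVE_ATTEMPTS, start=1):
        if group not in dh_groups:
            continue  # gateway rejects this DH group; the phone retries
        # Assumption: the DH 2 retry offers the same AES256 transforms as DH 14.
        for g, enc, hsh in IOS_93_PROPOSALS:
            if g == 14 and (enc, hsh) in transforms:
                return attempt, group, (enc, hsh)
    return None


# Constructed phase1 fragments: the thread's DH 2-only phase1, the recommended
# 'set dhgrp 14 5 2', and one that offers no AES256 transform at all.
ORIGINAL = """config vpn ipsec phase1-interface
    edit ipsec-ios
        set mode aggressive
        set dhgrp 2
        set proposal aes256-md5 aes256-sha1
    next
end"""
RECOMMENDED = ORIGINAL.replace("set dhgrp 2", "set dhgrp 14 5 2")
NO_AES256 = ORIGINAL.replace("aes256-md5 aes256-sha1", "aes128-sha256")
```

With the DH 2-only phase1 the phone connects only on its second attempt, which is the fallback Andrea refers to; the third fragment fails on both attempts because Apple's table lists AES256 exclusively.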