Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
svl
New Contributor

MacOS Big Sur Fortclient VPN IPSec issues

Just installed macOS Big Sur and cannot get a connection with Fortinet firewall VPN anymore, while it did work with macOS Catalina.

 

I tried Forticlient version 6.4 which seems to connect just fine (I get an IP in expected range), but ssh/ping does not work. And also I cannot access a intranet http/https page.

 

Also tried multiple versions of 6.0.x but they all fail to connect and show "Connection was terminated unexpectedly. Error -104". After that, the keyboard (Macbook 16 inch) even fails to register any pressed buttons. For example I open app "notes" and cannot type anything (with every keystroke a sound is played but nothing is written). The only way to get out of this situation is to click "connect to VPN" in forticlient again and before it gets to the error click "disconnect". Then all works as usual (except the VPN obviously).

 

Anyone else having these issues?

 

Update Nov 25th 2020: 

Ok, so after quite a bit of testing by the people who maintain our firewall, we managed to make IPSec VPN work with native Mac OS Big Sur VPN client. I am always amazed by the lack of Fortinet response in this type of issues, as the solution seems pretty simple in the end. Eventually the configuration at fortigate firewall stayed exactly as it was, the only configuration I needed to add locally (with respect to using the FortiClient software) is to add a group name under "Authentication Settings". So to make it work we:

[ul]
  • Setup IPSec VPN in Mac OS Netwerk preferences (see also https://support.apple.com/guide/mac-help/set-up-a-vpn-connection-on-mac-mchlp2963/mac) using fields server address, account name (my personal account name), password (my personal account password) and under "Authentication settings" the shared secret (the shared password) and Group Name (had to get this from the firewall maintainer and never had to fill this in for FortiClient before).[/ul]

    Hopefully this helps others to get Fortigate IPSec VPN work with both Mac OS Big Sur and MacOS Catalina (both tested with our config).

  • 6 Solutions
    LJSilva
    New Contributor

    If you're only using Forticlient to connect to your VPN, in macOS Big Sur you no longer need it. The built-in Cisco IPsec VPN of Big Sur will now connect and correctly establish a tunnel to your Fortinet VPN and it's very stable and reliable. I never managed to to this in Catalina, but it seems Apple may have corrected or changed the Cisco IPSec code in Big Sur and it's now working like a charm. I tried it yesterday and it worked flawlessly.

    View solution in original post

    Totoshka
    New Contributor II

    Kiran wrote:

    Same issue for me as well. Able to connect to IPSec VPN, but not able to open/connect to any internal URLs/Resources. And it's working fine for users with previous version of MacOS.

    The problem is similar. It all started after the update macOs Big Sur. 

     

     

     

    View solution in original post

    Kiran
    New Contributor II

    Yeah, But unfortunately when I reached out to support, they said that currently there is no supported version for MacOS 11 yet and will be available in future versions. So thought that better to suggest some alternative to people who are suffered like me, until the fix is release.

    View solution in original post

    kcerb
    New Contributor III

    Kiran wrote:

     

    Did you configure your IPSec VPN with Phase 1 - Local ID? When I tried native CISCO IPSec VPN, it did not work for VPN which is configured without Phase 1 - Local ID. Modify your VPN configuration with Phase 1 - Local ID and give it as 'Group Name'(which will be the option below the Shared Secret) while configuring the native VPN.

    You can add Local ID in native Mac OS VPN client (type: Cisco). Just click Authentication settings and type your LocalID in the Group Name field.

    FGT60B, FGT100A, FGT100D

    View solution in original post

    mharwow
    New Contributor

    kcerb wrote:

    Kiran wrote:

     

    Did you configure your IPSec VPN with Phase 1 - Local ID? When I tried native CISCO IPSec VPN, it did not work for VPN which is configured without Phase 1 - Local ID. Modify your VPN configuration with Phase 1 - Local ID and give it as 'Group Name'(which will be the option below the Shared Secret) while configuring the native VPN.

    You can add Local ID in native Mac OS VPN client (type: Cisco). Just click Authentication settings and type your LocalID in the Group Name field.

    [attachImg]https://forum.fortinet.com/download.axd?file=0;191690&where=message&f=Setup-VPN-on-Mac-Linux-and-Windows.png[/attachImg]

    This solved the problem for me. I made an account just to say thanks. Once I filled out the Group Name I was connected. Hopefully my company supports the newer version of Fortinet in the future, but I'm happy to use the built-in VPN for now. 

    View solution in original post

    Bobbyla

    Just to confirm the VPN only installer is now updated on the website - Mac now connects using IPSEC on BigSur

     

    WOOHOO

     

    Thanks for updating it. (Labelled as 6.4 but when installing pulls the latest release 6.4.2.1.1305)

     

    Rob

     

    [image][/image]

    View solution in original post

    58 REPLIES 58
    vinch100

    Hi, for us SSL-VPN (forticlient 6.4.3) connects easily on a FortiGate 81F running 6.4.6, however the performance on Mac OSX Big Sure decreases over time and sometimes even stop working without actually disconnecting the user.

     

    We decided to give a try to the Native Cisco Client and spent a long time understanding that we cannot use a named object in a split-tunneling rule (whereas it is automatically entered by the wizard) : either disable split-tunneling or use a subnet.

    Otherwise the diag debug app ike -1 will show that the client acrtually completes the connection, but without further notice it will disconnect after 2-3 seconds (on the client side it never says "connected").

     

    The connection is a million times faster now, and we will see if the performance is better in the next few days.

     

    Regarding the MFA aspect, I found here https://blog.boll.ch/fortigate-ipsec-vpn-with-native-macos-client/ that we should concatenate the token directly after the password however I don't see how it could work without a FortiAuthenticator (but I don't need it for my current use case).

     

    Regards

     

    Vincent

    Kiran
    New Contributor II

    jconegundes wrote:

    Hi Guys!

     

    The same thing happing here. Using Mac OS Big Sur (version 11.0.1 20B29), in MacBook Air (Retina, 13-inch, 2018) SSL VPN IPSEC don't work anymore. I'm using FortiClient version 6.4.1.1267. Trying native Apple Ipsec implementation (Cisco IPSEC) and, unfortunately, don't work too. SSL VPN still works. Does anyone know when we will have a new FortiClient version? 100% compatible with Mac OS Big Sur? Does anyone have any tips that worked to make IPSEC work? 

    Did you configure your IPSec VPN with Phase 1 - Local ID? When I tried native CISCO IPSec VPN, it did not work for VPN which is configured without Phase 1 - Local ID. Modify your VPN configuration with Phase 1 - Local ID and give it as 'Group Name'(which will be the option below the Shared Secret) while configuring the native VPN.

    kcerb
    New Contributor III

    Kiran wrote:

     

    Did you configure your IPSec VPN with Phase 1 - Local ID? When I tried native CISCO IPSec VPN, it did not work for VPN which is configured without Phase 1 - Local ID. Modify your VPN configuration with Phase 1 - Local ID and give it as 'Group Name'(which will be the option below the Shared Secret) while configuring the native VPN.

    You can add Local ID in native Mac OS VPN client (type: Cisco). Just click Authentication settings and type your LocalID in the Group Name field.

    FGT60B, FGT100A, FGT100D

    Alexander_Mueller

    HI,

     

    we have the same problem, the FortiClient connect, but no Traffic through the VPN.

    We are using only the FortiClient, because we are not supporting the connection without FortiClient.

    Totoshka

    Alexander Mueller wrote:

    HI,

     

    we have the same problem, the FortiClient connect, but no Traffic through the VPN.

    We are using only the FortiClient, because we are not supporting the connection without FortiClient.

    I suppose most of them have no other alternative, including the use of standard settings. 
    Therefore, we raised this topic.
    matthewc

    Hi,

     

    Same case, After the bigsur os update I was unable to receive traffic in forticlient even I was able to login. In case a fix has been made please share. I was not able work because of this. Its frustrating

    boneyard
    Valued Contributor

    please everyone with this issue open a support ticket with Fortinet or let your FortiGate admin do this. also contact your Fortinet sales contact about this.

     

    this is a nice place to see other solutions, but a load of support tickets, internal contact will cause more attention and help.

    kcerb
    New Contributor III

    boneyard wrote:

    a load of support tickets, internal contact will cause more attention and help.

    great words!

    FGT60B, FGT100A, FGT100D

    mharwow
    New Contributor

    kcerb wrote:

    Kiran wrote:

     

    Did you configure your IPSec VPN with Phase 1 - Local ID? When I tried native CISCO IPSec VPN, it did not work for VPN which is configured without Phase 1 - Local ID. Modify your VPN configuration with Phase 1 - Local ID and give it as 'Group Name'(which will be the option below the Shared Secret) while configuring the native VPN.

    You can add Local ID in native Mac OS VPN client (type: Cisco). Just click Authentication settings and type your LocalID in the Group Name field.

    [attachImg]https://forum.fortinet.com/download.axd?file=0;191690&where=message&f=Setup-VPN-on-Mac-Linux-and-Windows.png[/attachImg]

    This solved the problem for me. I made an account just to say thanks. Once I filled out the Group Name I was connected. Hopefully my company supports the newer version of Fortinet in the future, but I'm happy to use the built-in VPN for now. 

    romanrss
    New Contributor

    Hi All,

     

    I went through the same issue and here is how to setup the whole thing to make it works with MacOS 11 natively:

     

    1- You need to create a new VPN Tunnel iOS native

    >> You will not be able to connect if you only have the Client VPN on the fortinet end

    >> If you don't have access to the fortinet router, ask your administrator

    2- Go through the setup, and uncheck the Split Tunnel option

    3- Setup a new Cisco IPsec VPN with your info into your network settings on your Mac

     

    Voila.

     

    Wish that helps