Hello,
I configured IPsec connections on my FortiGate 80C.
It's working fine with FortiClient via IPsec.
It's not working via my iPhone (the basic app: just go to Settings > General > VPN > Type = IPsec).
What Can I do About it ?
I believe iOS 9.x requires DH group 14 to work.
Hi
Based on IKEv1, and given that the embedded Cisco VPN client on iOS is used, the following configuration for phase 1 and phase 2 should work (DH group 2, as aggressive mode is used by the embedded Cisco VPN client on iOS).
Keep in mind that if you have more than one aggressive-mode phase 1, you have to configure local-id in phase 1; otherwise the phase 1 to be used cannot be correctly identified:
###########################
# IPSec Phase 1 IOS Settings (Interface Based)
###########################
config vpn ipsec phase1-interface
    edit ipsec-ios
        set comments "IPSec Phase1 IOS mydomain1-sg0e0"
        set type dynamic
        set interface wan1
        set ip-version 4
        set local-gw 0.0.0.0
        set nattraversal enable
        set dhgrp 2
        set keylife 28800
        set authmethod psk
        set mode aggressive
        set peertype any
        set xauthtype auto
        set mode-cfg enable
        set proposal aes256-md5 aes256-sha1
        set localid ipsec-ios
        set localid-type auto
        set negotiate-timeout 30
        set fragmentation enable
        set dpd enable
        set forticlient-enforcement disable
        set npu-offload enable
        set xauthexpire on-disconnect
        set authusrgrp gr-ipsec-ios-vpn-mydomain1.local
        set default-gw 0.0.0.0
        set default-gw-priority 0
        set assign-ip enable
        set mode-cfg-ip-version 4
        set assign-ip-from range
        set add-route enable
        set ipv4-start-ip 198.18.4.1
        set ipv4-end-ip 198.18.4.126
        set ipv4-netmask 255.255.255.128
        set dns-mode manual
        set ipv4-dns-server1 198.18.0.91
        set ipv4-dns-server2 0.0.0.0
        set ipv4-dns-server3 0.0.0.0
        set ipv4-wins-server1 0.0.0.0
        set ipv4-wins-server2 0.0.0.0
        #set ipv4-exclude-range
        set ipv4-split-include net-mydomain1-lan-198.18.0.0-24
        #set split-include-service
        set unity-support enable
        #set domain
        #set banner
        set include-local-lan disable
        set save-password disable
        set client-auto-negotiate disable
        set client-keep-alive disable
        set psksecret "only4mydomain1!"
        set keepalive 10
        set distance 1
        set priority 0
        set dpd-retrycount 3
        set dpd-retryinterval 5
    next
end

###########################
# IPSec Phase 2 IOS Settings (Interface Based)
###########################
config vpn ipsec phase2-interface
    edit ipsec-ios
        set comments "IPSec Phase2 IOS mydomain1-sg0e0"
        set dst-addr-type subnet
        set dst-port 0
        set encapsulation tunnel-mode
        set keepalive enable
        set keylife-type seconds
        set pfs disable
        set phase1name ipsec-ios
        set proposal aes256-md5 aes256-sha1
        set protocol 0
        set replay enable
        set route-overlap use-new
        set single-source disable
        set src-addr-type subnet
        set src-port 0
        set dst-subnet 0.0.0.0 0.0.0.0
        set keylifeseconds 1800
        set src-subnet 0.0.0.0 0.0.0.0
    next
end
Give it a try...hope this helps!
have fun
Andrea
As per this post, iOS 9.3 indeed requires DH 14.
Hi
To bring some light into this discussion (DH 14 yes or no, DH 2 possible or not, etc.):
VPN Key Exchange Enhancements in iOS 9.3, OS X 10.11.4 and Server 5.1
iOS 9.3, OS X 10.11.4 and Server 5.1 add support for new Diffie-Hellman key exchange groups to enhance the security of VPN connections.
These releases add support for Diffie-Hellman (DH) Group 14 and 5 to L2TP over IPSec, and Diffie-Hellman Group 14 to Cisco IPSec. The new supported key exchange proposals are:
    DH Group    Encryption algorithm    Hash algorithm
    14          AES256                  SHA256
    14          AES256                  SHA1
    14          AES256                  MD5
    14          AES256                  SHA512
    5           AES256                  SHA256
    5           AES256                  SHA1
    5           AES256                  MD5

Previous versions of iOS, OS X and Server supported DH Group 2 (only) for L2TP over IPSec. Previous versions of iOS also supported DH group 5 and 2 for Cisco IPSec, with DH group 2 for aggressive mode.
DH Group 2 is still supported but it has the lowest priority when finding a proposal match. Both L2TP over IPSec and Cisco IPsec now support DH Groups 14, 5, 2, in that order of preference. For aggressive mode, the VPN client will try first with DH Group 14; if it fails, it will try again with DH Group 2. Apple recommends using Group 14 or Group 5 since they provide stronger security than Group 2, which may be vulnerable to compromise.
https://support.apple.com/en-gb/HT206154
From this point of view I would recommend setting the following in phase 1 to be sure:
set dhgrp 14 5 2
By the way, the wizard of FortiOS 5.4 sets the DH group for iOS devices to DH 2 only; from this point of view it will still work because of the fallback possibility to DH 2!
hope this helps...
have fun
Andrea
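To make the proposal-matching argument above concrete (Apple's DH 14 / 5 table, the aggressive-mode fallback from group 14 to group 2, and the effect of `set dhgrp 14 5 2` versus the wizard's `set dhgrp 2`), here is an added checker that reads the `dhgrp` and `proposal` lines from a FortiOS phase1-interface block and simulates which proposal the built-in iOS 9.3 client would settle on. This is example code written for this thread, not Fortinet's or Apple's; the config string is a constructed, shortened copy of the phase 1 block posted earlier, and the handling of the group-2 fallback is an assumption noted in the code.

```python
import re

# Apple's iOS 9.3 proposal table for Cisco IPsec as quoted in the thread:
# (DH group, encryption, hash). Group 2 is still accepted but ranks last.
IOS_93_PROPOSALS = {
    (14, "aes256", "sha256"), (14, "aes256", "sha1"), (14, "aes256", "md5"),
    (14, "aes256", "sha512"), (5, "aes256", "sha256"), (5, "aes256", "sha1"),
    (5, "aes256", "md5"),
}
# Aggressive mode (what the built-in iOS client uses): try 14, then fall back to 2.
IOS_AGGRESSIVE_DH_ORDER = (14, 2)
STOP_WORDS = {"next", "end", "edit", "config"}


def parse_phase1(config_text):
    """Return (dhgrp list, [(enc, hash), ...]) from a FortiOS phase1 block."""
    dhgrp, proposals = [], []
    for chunk in re.split(r"\bset ", config_text)[1:]:
        tokens = chunk.split()
        if not tokens:
            continue
        key, values = tokens[0], []
        for tok in tokens[1:]:
            if tok in STOP_WORDS:
                break
            values.append(tok)
        if key == "dhgrp":
            dhgrp = [int(v) for v in values]
        elif key == "proposal":
            proposals = [tuple(v.split("-", 1)) for v in values]  # "aes256-md5"
    return dhgrp, proposals


def negotiate_with_ios(dhgrp, proposals):
    """Simulate the iOS 9.3 aggressive-mode client against a FortiGate phase 1.

    Returns the (dh, enc, hash) the exchange would settle on, or None.
    """
    for dh in IOS_AGGRESSIVE_DH_ORDER:
        if dh not in dhgrp:
            continue  # FortiGate has no matching group for this KE payload
        if dh == 2 and proposals:
            # Assumption: the legacy group-2 path takes the FortiGate's first
            # proposal, as it did before iOS 9.3 (the thread says DH 2 still works).
            return (2,) + tuple(proposals[0])
        for enc, hsh in proposals:
            if (dh, enc, hsh) in IOS_93_PROPOSALS:
                return (dh, enc, hsh)
    return None


def check(config_text):
    return negotiate_with_ios(*parse_phase1(config_text))


# Constructed, shortened copy of the phase 1 block posted earlier in the thread.
ANDREA_PHASE1 = """config vpn ipsec phase1-interface
    edit ipsec-ios
        set type dynamic
        set interface wan1
        set dhgrp 2
        set mode aggressive
        set proposal aes256-md5 aes256-sha1
        set localid ipsec-ios
        set psksecret "PLACEHOLDER-PSK"
    next
end"""

if __name__ == "__main__":
    print(check(ANDREA_PHASE1))  # wizard default: settles on DH 2
    print(check(ANDREA_PHASE1.replace("set dhgrp 2", "set dhgrp 14 5 2")))  # DH 14
```

Swapping the proposal to something outside Apple's table (for example `3des-sha1`) with `set dhgrp 14` alone returns `None`, which is the "client fails, no fallback" case the thread is about.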