Trying out the FortiClient for Mac software (5.2.3 seems to be the latest that is auto-downloaded by the installer). Already successfully using the Windows version.
The Mac version seems very basic, with no advanced VPN or Phase configuration. The link for the Mac documentation only takes me to the main documentation page, with no sign of the Mac FortiClient docs.
I have a backup of the Windows client config (.sconf) file, and when I try to restore that into the Mac version, it says it was restored successfully, but there is nothing there (no profile is listed in the client).
I should say I'm setting up using IPSEC VPN config only (no AV, firewall, etc.). The basic setup (remote IP, preshared key and login) do not work (sits forever trying to connect or get a -101 error).
Ideas for this Mac version? We're currently paying for VPN Tracker, and if I could get this working, it would save us money and help us use the same software for Windows PC's and Macs!
Thanks.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Most of the time, FortiClient on both Windows and Mac OS X are similar. The same configuration applies. The same Admin and Reference Guide also applies.
A few, not so commonly used IPsec VPN options are available in FortiClient for Windows, but not for Mac OS X. This may explain why your .sconf file could not be imported. If you send it to: forticlient-feedback [at] fortinet [dot] com, it may be possible to determine what in the configuration file is incompatible with FortiClient on Mac OS X. You may either provide the password, or export the configuration file as .conf (without password).
The IPsec VPN configuration on both the client and the FortiGate need to match correctly. As you indicate that the basic VPN setup does not work, most likely some extra configuration is required on the client side to match what is on the FortiGate. It seems your Windows configuration already has this.
That is the sticking point, though, is there doesn't seem to be any IPSEC options on the Mac client to configure! On Windows I have "Advanced VPN" and there I can make changes to Phase 1 and 2, etc., but I cannot find those on the Mac client. Apart from remote name and Passphrase and username, that's it.
I will email my config file to the address you listed, tomorrow. I don't think I have anything tricky on the Fortigate for the IPSEC config, but I guess you'll let me know. :)
Thank you.
If exporting the configurations without password, the file created is a plain text XML file. The structure of this file is described in the document: FortiClient XML Reference. The IPsec VPN Phase 1 and Phase 2 configurations exposed on the FortiClient GUI for Windows are all included in the <vpn> element.
FortiClient for Mac OS X also accepts this XML configuration (never mind the simpler GUI). The structure is the same. You should be able to export from Windows and import on Mac OS X. However, as you have observed, it does not work properly for your case. I think some of the <vpn> elements are not accepted by FortiClient on Mac OS X. The task in this case is to determine which one(s).
I believe there's a few builds under MACOSX 5.2.3 370, 351 and 249 iirc ( don't hold me on that last build# ). Which one are your using?
BTW, A 5.2.4 build is out, I haven't ran that one as of yet. I believe it came out approx 4 weeks ago.
As far as exporting and the vpn cfg, you should be able to export and re-import from any version. In the worst case, you can export the cfg to a backup file ( make a copy ) and then modify the xml related data and re-import.
btw I'm using .370 and just import a windows forticlient cfg & with no problems.
PCNSE
NSE
StrongSwan
I have 5.2.3 370. I don't know how to get 5.2.4 as the installer "stub" seems to download whatever it wants. One would think it's the most current, but apparently in this case, it is downloading for me an older version.
It's good to know that I should be able to take a Windows config file and restore it into a Mac version. At least I know it's *supposed* to work.
I can look at the XML file, but really don't know what I am looking for...what part might be causing the Mac OS client to completely ignore the import. Like I mentioned at first, the import/restore actually says it's successful, but then there is nothing in the client as far as a config goes. The profile dropdown is empty.
You need to look at the FC XML syntax guide, but it ( the config ) is broken down into section.
http://docs.fortinet.com/uploaded/files/2076/forticlient-xml-52.pdf
http://docs.fortinet.com/forticlient/admin-guides
e.g (vpn sections )
<vpn>
<ipsecvpn>
<sslvpn>
IMHO any bad parts of the config would be ignored and failed when loading ( very rare unless just plain out bad ) but typically the lines in any xml section that's are wrong , will be ignored imho
e.g
<sslvpn> <options> <enabled>199</enabled> <testsss>3</testsss>3>
<emnocisonbadguy!>ABC</emnocisonebadguy> </options>
The bold section are completely bogus, but will not harm the FC upon a restoral. FTNT did a good job with configuration validation and strips all bad xml tags from the client. So it's very hard to "jack up the FC from a bad configuraion" or at least I have never been successful and I've made numerous typo errors in the past and still in the present and manage to always have a working cfg ;)
FWW, you could also download and diff out the section to find obvious errors, but I never seen problems outside of just bad xml tags which is almost always caused my the operator ;). I Actually wish FTNT would made a diff comparative on all configurations to include not just Forticlient but Fortigate, FortiXXXXXXXX . I've made that request like 1000 times now but FTNT has never deployed this ( most juniper , huawei and some cisco stuff already has this function ;( )
If your configuration is failing, you can contact me and I will import your configuration and then backup and run a md5sum check on the pre/post in my 5.2.4.xxx build or 5.2.3xxx. Just send me a forum PM and I will pass you my email address. I run MACOSX 100% and most of my clients are MACOSX users also. So I have numerous means for testing and actually have a macbook air on 10.9.x and 10.10.x in a lab & just for testing the FC.
If you have a support contract, you open a case with FTNT if you fill it's a forticlient issues. I could see some issues in a re-import from a very earlier FC config but I believe even this is very rare and a far stretch since it seems like FTNT has made the FC backwards compatible to older builds and families
5.0 vr 5.2 vr 5.2.4 vrs 4.3 etc......
PCNSE
NSE
StrongSwan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1712 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.