fireon
New Contributor III

How to save password on IPSEC dial up connection on Forticlient

Hello all,

FortiOS 7.2.4

EMS Server 7.0.7

FortiClient Enterprise on Android 7.0.7.0068

I have configured an IPSEC dial-up connection in EMS server. This works perfectly, but not "Auto Connect", "Save Password" and "Always Up".

After the IPSEC config was rolled out over EMS it works once; after disconnect all 3 options are gone and I must re-enter my password on every connection. The strange thing... I see that user and "password" are saved in the FortiClient.

The next strange thing... the options:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-activate-Save-Password-Auto-Connect...

are not available anymore to configure... so where are they???

Only on EMS they are available, and yes, I checked all boxes :)

ems-vpn-config.png

Always on /dev/zvol
Stephen_G
Moderator

Hello,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Stephen - Fortinet Community Team
birendrakumar

Hello,

 

Can you please confirm whether the options below are also enabled on the FGT side:

set auto-connect enable
set keep-alive enable
set save-password enable

Please refer to the documentation below:
https://community.fortinet.com/t5/FortiClient/Technical-Tip-FortiClient-EMS-Auto-connect-a-VPN-Tunne...

If the above option is not available on the FGT side, I would suggest opening a ticket with the FGT team with the valid FGT serial number.

Regards

Kumar_B
fireon
New Contributor III

 

 

fw01 (zuhause-IPSEC) # set save-password enable

Yes, I already knew the article. When I want to set this in the IPSEC, the Fortigate does not recognize it.

 

command parse error before 'save-password'
Command fail. Return code -61



Now I have created a new VPN with the wizard, and activated the options in the wizard. Then there is the option. Strange.

 

Are there any dependencies between the options? Here are my VPN configs. Here are both of my configs. The first is the created testvpn; the options are set there.

 

set type dynamic
set interface "wan1"
set mode aggressive
set peertype any
set net-device disable
set mode-cfg enable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set comments "VPN: testvpn1 (Created by VPN wizard)"
set xauthtype auto
set authusrgrp "vpn"
set ipv4-start-ip 10.1.1.1
set ipv4-end-ip 10.1.1.5
set dns-mode auto
set save-password enable
set client-auto-negotiate enable
set client-keep-alive enable

 

The second one is my real config; there it is not possible to set "save-password" or "keep-alive".

 

set type dynamic
set interface "wan1"
set peertype any
set net-device enable
set mode-cfg enable
set ipv4-dns-server1 192.168.1.1
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set dpd on-idle
set comments "zuhause-IPSEC"
set xauthtype auto
set assign-ip-from name
set ipv4-split-include "secure-surf-routing"
set ipv4-name "IPSEC_TUNNEL_ADDR1"
set unity-support disable
set dpd-retrycount 10
set dpd-retryinterval 60
Always on /dev/zvol
fireon
New Contributor III

And again one step further.

 

To blame was the option: unity-support disable

No idea what this does. But if I throw this option out, the other options can be set successfully.

Now I see on my Android and Windows 11 (yes, I also tested it with Windows) the options for save password, keep alive and autoconnect. But now the next strange thing: after I connected to the VPN successfully, I get a special auth from the FortiGate in the web browser... WTF

auth_forti_win.png

The same on Android... anyone have an idea?

Always on /dev/zvol
fireon
New Contributor III

Could now FINALLY solve it. The last problem was still this option:

set authusrgrp "vpn"

This gave me this strange login screen. I had to say "User Group Inherited from policy." After that it works normally.

And of course, in summary, a large part of the solution:

Unset the unity option, and afterwards you can set the password save options:

unset unity-support
set client-auto-negotiate enable
set save-password enable
set client-keep-alive enable

:)

Always on /dev/zvol
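
Added example, not part of the thread and not Fortinet code: a Python audit over a FortiGate config backup that lists, for each dial-up phase1-interface tunnel, which client-side options (saved password, auto-negotiate, keep-alive) are enabled and whether `unity-support disable` is present, the setting reported above as preventing those options from being set. The sample config is constructed and abbreviated from the two configs posted in the thread; the function names are hypothetical.

```python
import shlex

CLIENT_OPTS = ("save-password", "client-auto-negotiate", "client-keep-alive")
# Constructed sample, abbreviated from the two configs posted in the thread.
SAMPLE = """
config vpn ipsec phase1-interface
    edit "testvpn1"
        set type dynamic
        set save-password enable
        set client-auto-negotiate enable
        set client-keep-alive enable
    next
    edit "zuhause-IPSEC"
        set type dynamic
        set unity-support disable
    next
end
"""

def parse_phase1(text):
    """Return {tunnel_name: {setting: value}} for phase1-interface entries."""
    tunnels, current, in_section = {}, None, False
    for raw in text.splitlines():
        if not (tok := shlex.split(raw)):
            continue
        if tok == ["config", "vpn", "ipsec", "phase1-interface"]:
            in_section = True
        elif in_section and tok[0] == "edit" and len(tok) > 1:
            current = tunnels.setdefault(tok[1], {})
        elif tok[0] == "set" and current is not None and len(tok) > 2:
            current[tok[1]] = " ".join(tok[2:])
        elif tok[0] == "next":
            current = None
        elif tok[0] == "end" and current is None:
            in_section = False  # leave the section so other edits are ignored
    return tunnels

def audit(text):
    """Per dial-up tunnel: enabled client options and the unity-support flag."""
    report = {}
    for name, cfg in parse_phase1(text).items():
        if cfg.get("type") == "dynamic":
            report[name] = {
                "enabled": [o for o in CLIENT_OPTS if cfg.get(o) == "enable"],
                "unity_disabled": cfg.get("unity-support") == "disable",
            }
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Tunnels reported with `save-password` enabled are the ones where FortiClient may keep the XAuth password on the device, which is worth knowing when reviewing endpoint exposure.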