Hi,
i created an ipsec remote access for iOS nativ with the wizard.
When i remove the check from "Split Tunnel" the ipsec tunnel doesn't work.
It only works with "Split Tunnel".
What i want is a full ipsec tunnel for iOS.
The diag debug shows the following:
FortiGate # 2024-07-24 16:27:56.440226 ike V=root:0: comes 80.187.85.0:500->91.55.218.67:500,ifindex=30,vrf=0,len=848....
2024-07-24 16:27:56.440387 ike V=root:0: IKEv1 exchange=Identity Protection id=94092f039c872a4a/0000000000000000 len=848 vrf=0
2024-07-24 16:27:56.440469 ike 0: in 94092F039C872A4A00000000000000000110020000000000000003500D0002200000000100000001000002140101000F03000024010100008
00B0001800C0E1080010007800E01008003FDE9800200048004000E0300002402010000800B0001800C0E1080010007800E01008003FDE9800200028004000E0300002403010000800B000
1800C0E1080010007800E01008003FDE9800200018004000E0300002404010000800B0001800C0E1080010007800E01008003FDE9800200068004000E0300002405010000800B0001800C0
E1080010007800E01008003FDE980020004800400050300002406010000800B0001800C0E1080010007800E01008003FDE980020002800400050300002407010000800B0001800C0E10800
10007800E01008003FDE980020001800400050300002408010000800B0001800C0E1080010007800E01008003FDE980020002800400020300002409010000800B0001800C0E10800100078
00E01008003FDE98002000180040002030000240A010000800B0001800C0E1080010007800E00808003FDE98002000280040002030000240B010000800B0001800C0E1080010007800E008
08003FDE98002000180040002030000200C010000800B0001800C0E10800100058003FDE98002000280040002030000200D010000800B0001800C0E10800100058003FDE98002000180040
002030000200E010000800B0001800C0E10800100018003FDE98002000280040002000000200F010000800B0001800C0E10800100018003FDE980020001800400020D0000144A131C81070
358455C5728F20E95452F0D0000144DF37928E9FC4FD1B3262170D515C6620D0000148F8D83826D246B6FC7A8A6A428C11DE80D000014439B59F8BA676C4C7737AE22EAB8F5820D0000144
D1E0E136DEAFA34C4F3EA9F02EC72850D00001480D0BB3DEF54565EE84645D4C85CE3EE0D0000149909B64EED937C6573DE52ACE952FA6B0D0000147D9419A65310CA6F2C179D9215529D5
60D000014CD60464335DF21F87CFDB2FC68B6A4480D00001490CB80913EBB696E086381B5EC427B1F0D00000C09002689DFD6B7120D00001412F5F28C457168A9702D9FE274CC01000D000
0184048B7D56EBCE88525E7DE7F00D6C2D38000000000000014AFCAD71368A1F1C96B8696FC77570100
2024-07-24 16:27:56.440637 ike V=root:0:94092f039c872a4a/0000000000000000:794: responder: main mode get 1st message...
2024-07-24 16:27:56.440728 ike V=root:0:94092f039c872a4a/0000000000000000:794: VID RFC 3947 4A131C81070358455C5728F20E95452F
2024-07-24 16:27:56.440802 ike V=root:0:94092f039c872a4a/0000000000000000:794: VID unknown (16): 4DF37928E9FC4FD1B3262170D515C662
2024-07-24 16:27:56.440875 ike V=root:0:94092f039c872a4a/0000000000000000:794: VID draft-ietf-ipsec-nat-t-ike-08 8F8D83826D246B6FC7A8A6A428C11DE8
2024-07-24 16:27:56.440948 ike V=root:0:94092f039c872a4a/0000000000000000:794: VID draft-ietf-ipsec-nat-t-ike-07 439B59F8BA676C4C7737AE22EAB8F582
2024-07-24 16:27:56.441018 ike V=root:0:94092f039c872a4a/0000000000000000:794: VID draft-ietf-ipsec-nat-t-ike-06 4D1E0E136DEAFA34C4F3EA9F02EC7285
2024-07-24 16:27:56.441086 ike V=root:0:94092f039c872a4a/0000000000000000:794: VID draft-ietf-ipsec-nat-t-ike-05 80D0BB3DEF54565EE84645D4C85CE3EE
2024-07-24 16:27:56.441157 ike V=root:0:94092f039c872a4a/0000000000000000:794: VID draft-ietf-ipsec-nat-t-ike-04 9909B64EED937C6573DE52ACE952FA6B
2024-07-24 16:27:56.441223 ike V=root:0:94092f039c872a4a/0000000000000000:794: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
2024-07-24 16:27:56.441292 ike V=root:0:94092f039c872a4a/0000000000000000:794: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448
2024-07-24 16:27:56.441361 ike V=root:0:94092f039c872a4a/0000000000000000:794: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
2024-07-24 16:27:56.441429 ike V=root:0:94092f039c872a4a/0000000000000000:794: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712
2024-07-24 16:27:56.441498 ike V=root:0:94092f039c872a4a/0000000000000000:794: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0100
2024-07-24 16:27:56.441570 ike V=root:0:94092f039c872a4a/0000000000000000:794: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D380000000
2024-07-24 16:27:56.441638 ike V=root:0:94092f039c872a4a/0000000000000000:794: VID DPD AFCAD71368A1F1C96B8696FC77570100
2024-07-24 16:27:56.441831 ike V=root:0:94092f039c872a4a/0000000000000000:794: negotiation result
2024-07-24 16:27:56.441911 ike V=root:0:94092f039c872a4a/0000000000000000:794: proposal id = 1:
2024-07-24 16:27:56.441969 ike V=root:0:94092f039c872a4a/0000000000000000:794: protocol id = ISAKMP:
2024-07-24 16:27:56.442024 ike V=root:0:94092f039c872a4a/0000000000000000:794: trans_id = KEY_IKE.
2024-07-24 16:27:56.442079 ike V=root:0:94092f039c872a4a/0000000000000000:794: encapsulation = IKE/none
2024-07-24 16:27:56.442135 ike V=root:0:94092f039c872a4a/0000000000000000:794: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
2024-07-24 16:27:56.442193 ike V=root:0:94092f039c872a4a/0000000000000000:794: type=OAKLEY_HASH_ALG, val=SHA2_256.
2024-07-24 16:27:56.442250 ike V=root:0:94092f039c872a4a/0000000000000000:794: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
2024-07-24 16:27:56.442305 ike V=root:0:94092f039c872a4a/0000000000000000:794: type=OAKLEY_GROUP, val=MODP2048.
2024-07-24 16:27:56.442362 ike V=root:0:94092f039c872a4a/0000000000000000:794: ISAKMP SA lifetime=86400
2024-07-24 16:27:56.442446 ike V=root:0:94092f039c872a4a/0000000000000000:794: SA proposal chosen, matched gateway IOS_Native
2024-07-24 16:27:56.442554 ike V=root:0:IOS_Native:IOS_Native: created connection: 0x6a762a8 30 91.55.218.67->80.187.85.0:500.
2024-07-24 16:27:56.442637 ike V=root:0:IOS_Native:794: DPD negotiated
2024-07-24 16:27:56.442697 ike V=root:0:IOS_Native:794: XAUTHv6 negotiated
2024-07-24 16:27:56.442752 ike V=root:0:IOS_Native:794: peer supports UNITY
2024-07-24 16:27:56.442810 ike V=root:0:IOS_Native:794: unsupported NAT-T version draft-ietf-ipsec-nat-t-ike-04
2024-07-24 16:27:56.442865 ike V=root:0:IOS_Native:794: unsupported NAT-T version draft-ietf-ipsec-nat-t-ike-05
2024-07-24 16:27:56.442919 ike V=root:0:IOS_Native:794: unsupported NAT-T version draft-ietf-ipsec-nat-t-ike-06
2024-07-24 16:27:56.442970 ike V=root:0:IOS_Native:794: unsupported NAT-T version draft-ietf-ipsec-nat-t-ike-07
2024-07-24 16:27:56.443021 ike V=root:0:IOS_Native:794: unsupported NAT-T version draft-ietf-ipsec-nat-t-ike-08
2024-07-24 16:27:56.443072 ike V=root:0:IOS_Native:794: selected NAT-T version: RFC 3947
2024-07-24 16:27:56.443205 ike V=root:0:IOS_Native:794: cookie 94092f039c872a4a/fe3b3c38705cc6f7
2024-07-24 16:27:56.443285 ike 0:IOS_Native:794: out 94092F039C872A4AFE3B3C38705CC6F70110020000000000000000DC0D00003800000001000000010000002C010100010
000002401010000800B0001800C0E1080010007800E01008003FDE9800200048004000E0D0000144A131C81070358455C5728F20E95452F0D000014AFCAD71368A1F1C96B8696FC7757010
00D00000C09002689DFD6B7120D00001412F5F28C457168A9702D9FE274CC02040D0000148299031757A36082C6A621DE000000000D0000144048B7D56EBCE88525E7DE7F00D6C2D300000
0184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
2024-07-24 16:27:56.443470 ike V=root:0:IOS_Native:794: sent IKE msg (ident_r1send): 91.55.218.67:500->80.187.85.0:500, len=220, vrf=0, id=94092f039c8
72a4a/fe3b3c38705cc6f7
2024-07-24 16:27:56.498609 ike V=root:0: comes 80.187.85.0:500->91.55.218.67:500,ifindex=30,vrf=0,len=380....
2024-07-24 16:27:56.498723 ike V=root:0: IKEv1 exchange=Identity Protection id=94092f039c872a4a/fe3b3c38705cc6f7 len=380 vrf=0
2024-07-24 16:27:56.498785 ike 0: in 94092F039C872A4AFE3B3C38705CC6F704100200000000000000017C0A00010477B72791322037819C21BF7BD24F8FEBDB040F17300A62D0F
8B0D17470A364093E555D1A72E69893B0A7EA51B056A5D4530C182461C751665E86E05B7EA56A19418B3DDB3F3587312AE2F553E4B7AD56DED56D92DE31C2A0433C052A1F8C25E6215532B
53EE278A294CB3A01EF35E4FB8142C2D351F2BC315F9F33B0D7B0CC700FD46D692191F8AE6EFD040D29DB9FF86FDF874566158C041A850155662E7FCA28AC1D03195E370A1891FA2BAFAEA
586694E515E49B69B965B139D8610938C86B5ACCE9F72D910919546AFA1AAD272DE3FCA7FE992FEA61A844863DC9B338E6CCCF51EF26CBEC88B6184C67A360DFB6072241A8A1F1D850FE69
FA549A6E8783914000014B8F4BF1C3A1CB5E544C782D3EA2D7CD31400002434463D0D3CB13F42614A0382C0B5533B29080B9D842A978F5591F09DEA93884D0000002470EF88EDA83B8176F
6E7E03F9170BB872EC2D3D75EB98A80F9D9BFB814E73C62
2024-07-24 16:27:56.498888 ike V=root:0:IOS_Native:794: responder:main mode get 2nd message...
2024-07-24 16:27:56.498948 ike V=root:0:IOS_Native:794: received NAT-D payload type 20
2024-07-24 16:27:56.499022 ike V=root:0:IOS_Native:794: received NAT-D payload type 20
2024-07-24 16:27:56.499085 ike V=root:0:IOS_Native:794: NAT detected: ME PEER
2024-07-24 16:27:56.499166 ike V=root:0:IOS_Native:794: generate DH public value request queued
2024-07-24 16:27:56.499322 ike V=root:0:IOS_Native:794: compute DH shared secret request queued
2024-07-24 16:27:56.502307 ike 0:IOS_Native:794: out 94092F039C872A4AFE3B3C38705CC6F704100200000000000000017C0A000104A10100F802A68EA4080C4B137176C3E69
FBF3EDA53F11DE1DA242D3BDF73BD6AA9B27CCB5354FE8F104DF9901469261509AD520E24A02294BB1B062B8EB1DE3EC30517C17D1EDEC45A787DBF573072D46B06EF57ED8024195FAC968
D3BA67A37EC290C0DF26811D9E2F41F56DF039C902004E6DE9B51899B8DA4388D4C00EA8374E4280CE68D885A43BFEA478F822D0B071316FAFE725F5C4C6CEBD7BF2FAE1E1AF3ED5018A77
6972476BA2D49A4D3058AED5C742A969544487FE6288170B08F442A8E26A03847635F4FC047CFD03FBC38F7AE2D176C918106EE16D9E9D53548F100BD55BC079D4355E7A069CF1C9B4C103
40EF35C444F5E43D19C9D49CBE515140000143DD87C2536BF83D5E273FF46248A608D14000024B277D94FEF6B899BD699E07DAD58B359B17DC1B25B225AF069B55BDE9107C8F6000000249
B83DEA5B0F2EE9E4BBFC81A511674C947F8AF550A898B4B5E7E13B462F2015D
2024-07-24 16:27:56.502549 ike V=root:0:IOS_Native:794: sent IKE msg (ident_r2send): 91.55.218.67:500->80.187.85.0:500, len=380, vrf=0, id=94092f039c8
72a4a/fe3b3c38705cc6f7
2024-07-24 16:27:56.502789 ike 0:IOS_Native:794: ISAKMP SA 94092f039c872a4a/fe3b3c38705cc6f7 key 32:471F59FE90720E6D20CE067FFCCF8DDCB18FD645AFDC9C7688
F9FE6214EF0967
2024-07-24 16:27:56.560080 ike V=root:0: comes 80.187.85.0:27261->91.55.218.67:4500,ifindex=30,vrf=0,len=112....
2024-07-24 16:27:56.560197 ike V=root:0: IKEv1 exchange=Identity Protection id=94092f039c872a4a/fe3b3c38705cc6f7 len=108 vrf=0
2024-07-24 16:27:56.560257 ike 0: in 94092F039C872A4AFE3B3C38705CC6F705100201000000000000006CD1B238AD8B7FE18D0BB030AD4ACA8B3BB8338F0FB6F2F78CD3384006F
66C97F4664B6DF67C5BEF311BD8EBD35DC46002FB08BE82FD5C5ED2EBD8F05E812078105FA13072D0BBAADC1AB19A8070FBD449
2024-07-24 16:27:56.560323 ike V=root:0:IOS_Native:794: responder: main mode get 3rd message...
2024-07-24 16:27:56.560449 ike 0:IOS_Native:794: dec 94092F039C872A4AFE3B3C38705CC6F705100201000000000000006C0800000C011101F4000000000B0000246EFBAA108
15755CE678C2B26450CCA2D68C291413FBF042A6F6F77D6295D39AA0000001C000000010110600294092F039C872A4AFE3B3C38705CC6F700000004
2024-07-24 16:27:56.560529 ike V=root:0:IOS_Native:794: received p1 notify type INITIAL-CONTACT
2024-07-24 16:27:56.560591 ike V=root:0:IOS_Native:794: peer identifier IPV4_ADDR 0.0.0.0
2024-07-24 16:27:56.560726 ike V=root:0:IOS_Native:794: PSK authentication succeeded
2024-07-24 16:27:56.560783 ike V=root:0:IOS_Native:794: authentication OK
2024-07-24 16:27:56.561132 ike 0:IOS_Native:794: enc 94092F039C872A4AFE3B3C38705CC6F705100201000000000000004C0800000C010000005B37DA43000000246110B9448
B40E5ADB1A90B6E813813BA660DB031D30C2A5128D861E6F771DF86
2024-07-24 16:27:56.561235 ike V=root:0:IOS_Native:794: remote port change 500 -> 27261
2024-07-24 16:27:56.561298 ike 0:IOS_Native:794: out 94092F039C872A4AFE3B3C38705CC6F705100201000000000000005C0CD4190FA771E350F82286EE759AB86B85A4AE5EC
3479CF0D3CB1B8797645EB722319657204858D694ED370FF01A6E6EB7364B9D29C259A8DDB62D0F244501ED
2024-07-24 16:27:56.561456 ike V=root:0:IOS_Native:794: sent IKE msg (ident_r3send): 91.55.218.67:4500->80.187.85.0:27261, len=92, vrf=0, id=94092f039
c872a4a/fe3b3c38705cc6f7
2024-07-24 16:27:56.561600 ike V=root:0:IOS_Native: mode-cfg allocate 10.0.0.1/0.0.0.0
2024-07-24 16:27:56.561660 ike V=root:0:IOS_Native: IPv6 pool is not configured
2024-07-24 16:27:56.561716 ike V=root:0:IOS_Native: adding new dynamic tunnel for 80.187.85.0:27261
2024-07-24 16:27:56.561930 ike V=root:0:IOS_Native_0: tunnel created tun_id 10.0.0.74/::10.0.0.100 remote_location 0.0.0.0
2024-07-24 16:27:56.562170 ike V=root:0:IOS_Native_0: added new dynamic tunnel for 80.187.85.0:27261
2024-07-24 16:27:56.562244 ike V=root:0:IOS_Native_0:794: established IKE SA 94092f039c872a4a/fe3b3c38705cc6f7
2024-07-24 16:27:56.562336 ike V=root:0:IOS_Native_0:794: check peer route: if_addr4_rcvd=0, if_addr6_rcvd=0, mode_cfg=0
2024-07-24 16:27:56.562485 ike V=root:0:IOS_Native_0:794: processing INITIAL-CONTACT
2024-07-24 16:27:56.562541 ike V=root:0:IOS_Native_0: flushing
2024-07-24 16:27:56.562639 ike V=root:0:IOS_Native_0: flushed
2024-07-24 16:27:56.562696 ike V=root:0:IOS_Native_0:794: processed INITIAL-CONTACT
2024-07-24 16:27:56.562748 ike V=root:0:IOS_Native_0:794: initiating XAUTH.
2024-07-24 16:27:56.562829 ike V=root:0:IOS_Native_0:794: sending XAUTH request
2024-07-24 16:27:56.563009 ike 0:IOS_Native_0:794: enc 94092F039C872A4AFE3B3C38705CC6F708100601DC459884000000540E00002423A55EF7BD4BC033C4AC8CE60BC8ADD
056D45C0135F8EAE17779689D91E9E7D5000000140100CFF2C088000040890000408A0000
2024-07-24 16:27:56.563111 ike 0:IOS_Native_0:794: out 94092F039C872A4AFE3B3C38705CC6F708100601DC4598840000005CD0B54BA02898AB1C75F4F5AE8B5F010C6D8AEA7
E4D1A50580527CC5469CAC98C4FDDD4BA6691BD3F9547152C548B7552721A34EED332B74641E051289C79987B
2024-07-24 16:27:56.563261 ike V=root:0:IOS_Native_0:794: sent IKE msg (cfg_send): 91.55.218.67:4500->80.187.85.0:27261, len=92, vrf=0, id=94092f039c8
72a4a/fe3b3c38705cc6f7:dc459884
2024-07-24 16:27:56.563405 ike V=root:0:IOS_Native_0:794: peer has not completed XAUTH exchange
2024-07-24 16:27:56.598279 ike V=root:0: comes 80.187.85.0:27261->91.55.218.67:4500,ifindex=30,vrf=0,len=112....
2024-07-24 16:27:56.598402 ike V=root:0: IKEv1 exchange=Mode config id=94092f039c872a4a/fe3b3c38705cc6f7:dc459884 len=108 vrf=0
2024-07-24 16:27:56.598462 ike 0: in 94092F039C872A4AFE3B3C38705CC6F708100601DC4598840000006C75D67031C6B1F74A09082DBADE90AE935FD76FEABE1862713A2E41A12
8356D25225415DAE61236648175DAB7C0FEE9E28C23529ACF7267D09EA8DE72951CA5CFB3BFC59F153DD91E1157ABF89C62BE19
2024-07-24 16:27:56.598593 ike 0:IOS_Native_0:794: dec 94092F039C872A4AFE3B3C38705CC6F708100601DC4598840000006C0E0000249521AD6C41B780BF4A617D03D8E082F
7AA1087695EB207E6AA32D03E83770ED50000001E0200CF004089000653746566616E408A0008496367545438382E000000000000000000000000000E
2024-07-24 16:27:56.598744 ike V=root:0:IOS_Native_0:794: received XAUTH_USER_NAME 'Stefan' length 6
2024-07-24 16:27:56.598807 ike V=root:0:IOS_Native_0:794: received XAUTH_USER_PASSWORD length 8
2024-07-24 16:27:56.598866 ike V=root:0:IOS_Native_0: XAUTH user "Stefan"
2024-07-24 16:27:56.598919 ike V=root:0:IOS_Native: auth group IOS_Native
2024-07-24 16:27:56.600308 ike V=root:0:IOS_Native_0: XAUTH 700105293918 pending
2024-07-24 16:27:56.600516 ike V=root:0:IOS_Native_0:794: XAUTH 700105293918 result FNBAM_SUCCESS
2024-07-24 16:27:56.600590 ike V=root:0:IOS_Native_0: XAUTH succeeded for user "Stefan" group "IOS_Native" 2FA=no
2024-07-24 16:27:56.600958 ike 0:IOS_Native_0:794: enc 94092F039C872A4AFE3B3C38705CC6F70810060161ADB4800000004C0E0000245150C329F720BC39E88C945D5233B2B
D10ECA3149492612681C8C663CF4F80A20000000C0300CF00C08F0001
2024-07-24 16:27:56.601094 ike 0:IOS_Native_0:794: out 94092F039C872A4AFE3B3C38705CC6F70810060161ADB4800000005C39D7E1AF12CC8DE0D3B99BB1F3CA4ECD3C31306
25E5576B767589F548544C22208C7C3C40DA5AE5AEB0638F66D25024BB68D4FD2C5E21ED343B5121B4E4F90EB
2024-07-24 16:27:56.601332 ike V=root:0:IOS_Native_0:794: sent IKE msg (cfg_send): 91.55.218.67:4500->80.187.85.0:27261, len=92, vrf=0, id=94092f039c8
72a4a/fe3b3c38705cc6f7:61adb480
2024-07-24 16:27:56.636101 ike V=root:0: comes 80.187.85.0:27261->91.55.218.67:4500,ifindex=30,vrf=0,len=96....
2024-07-24 16:27:56.636214 ike V=root:0: IKEv1 exchange=Mode config id=94092f039c872a4a/fe3b3c38705cc6f7:61adb480 len=92 vrf=0
2024-07-24 16:27:56.636283 ike 0: in 94092F039C872A4AFE3B3C38705CC6F70810060161ADB4800000005C87EE1BAD2A2BD53C9A9F2435C169AB9F76CF7C480B7656CEFCDE9E01E
CAB4680255A875FA50BB94B11229DF5270D80DE171DD0C4C3AE398B92BFB71FA0F49C7E
2024-07-24 16:27:56.636411 ike 0:IOS_Native_0:794: dec 94092F039C872A4AFE3B3C38705CC6F70810060161ADB4800000005C0E0000245FB88384E046DA8DD3766EE524EFF27
4188C0C27C2C85CC6C67B49CC735DFF3C0000000C0400CF00C08F000000000000000000000000000000000010
2024-07-24 16:27:56.637034 ike V=root:0: comes 80.187.85.0:27261->91.55.218.67:4500,ifindex=30,vrf=0,len=144....
2024-07-24 16:27:56.637143 ike V=root:0: IKEv1 exchange=Mode config id=94092f039c872a4a/fe3b3c38705cc6f7:9e7f7fcb len=140 vrf=0
2024-07-24 16:27:56.637203 ike 0: in 94092F039C872A4AFE3B3C38705CC6F7081006019E7F7FCB0000008C9B4764A04713B68B0E5AD8964A27F4E9F14FE5B99809AD57938461C08
7BEED0EBD88C26B069111675F34143FC01204A4F92A3F0DBE48721DABDF84B4874F11C99B9DBC149EA514A9B72406D83E106B4B6BC4C157CBD7CDF03EA4D6E24387E0072E125009C0D5084
17E1EDC3FE0481A2B
2024-07-24 16:27:56.637364 ike 0:IOS_Native_0:794: dec 94092F039C872A4AFE3B3C38705CC6F7081006019E7F7FCB0000008C0E0000244481EACBBF9B6DCAD1F5236D16915F1
C91154F1CBB2D9470398FA8FBA62ACAAA00000048010035E300010000000200000003000000040000000500000007000070000000700200007003000070040000700600007007000070010
0007008000070090000700B000000000004
2024-07-24 16:27:56.637494 ike V=root:0:IOS_Native_0:794: mode-cfg type 1 request 0:''
2024-07-24 16:27:56.637572 ike V=root:0:IOS_Native_0:794: mode-cfg using allocated IPv4 10.0.0.1
2024-07-24 16:27:56.637632 ike V=root:0:IOS_Native_0:794: mode-cfg type 2 request 0:''
2024-07-24 16:27:56.637690 ike V=root:0:IOS_Native_0:794: mode-cfg type 3 request 0:''
2024-07-24 16:27:56.637747 ike V=root:0:IOS_Native_0:794: mode-cfg type 4 request 0:''
2024-07-24 16:27:56.637803 ike V=root:0:IOS_Native_0:794: mode-cfg WINS ignored, no WINS servers configured
2024-07-24 16:27:56.637855 ike V=root:0:IOS_Native_0:794: mode-cfg type 5 request 0:''
2024-07-24 16:27:56.637908 ike V=root:0:IOS_Native_0:794: mode-cfg type 7 request 0:''
2024-07-24 16:27:56.637959 ike V=root:0:IOS_Native_0:794: mode-cfg type 28672 request 0:''
2024-07-24 16:27:56.638011 ike V=root:0:IOS_Native_0:794: mode-cfg UNITY type 28672 requested
2024-07-24 16:27:56.638064 ike V=root:0:IOS_Native_0:794: mode-cfg no banner configured, ignoring
2024-07-24 16:27:56.638115 ike V=root:0:IOS_Native_0:794: mode-cfg type 28674 request 0:''
2024-07-24 16:27:56.638192 ike V=root:0:IOS_Native_0:794: mode-cfg UNITY type 28674 requested
2024-07-24 16:27:56.638246 ike V=root:0:IOS_Native_0:794: mode-cfg no domain configured, ignoring
2024-07-24 16:27:56.638298 ike V=root:0:IOS_Native_0:794: mode-cfg type 28675 request 0:''
2024-07-24 16:27:56.638351 ike V=root:0:IOS_Native_0:794: mode-cfg UNITY type 28675 requested
2024-07-24 16:27:56.638401 ike V=root:0:IOS_Native_0:794: mode-cfg UNITY type 28675 not supported, ignoring
2024-07-24 16:27:56.638454 ike V=root:0:IOS_Native_0:794: mode-cfg type 28676 request 0:''
2024-07-24 16:27:56.638505 ike V=root:0:IOS_Native_0:794: mode-cfg UNITY type 28676 requested
2024-07-24 16:27:56.638557 ike V=root:0:IOS_Native_0:794: mode-cfg type 28678 request 0:''
2024-07-24 16:27:56.638609 ike V=root:0:IOS_Native_0:794: mode-cfg UNITY type 28678 requested
2024-07-24 16:27:56.638661 ike V=root:0:IOS_Native_0:794: mode-cfg type 28679 request 0:''
2024-07-24 16:27:56.638715 ike V=root:0:IOS_Native_0:794: mode-cfg UNITY type 28679 requested
2024-07-24 16:27:56.638769 ike V=root:0:IOS_Native_0:794: mode-cfg type 28673 request 0:''
2024-07-24 16:27:56.638822 ike V=root:0:IOS_Native_0:794: mode-cfg UNITY type 28673 requested
2024-07-24 16:27:56.638876 ike V=root:0:IOS_Native_0:794: mode-cfg type 28680 request 0:''
2024-07-24 16:27:56.638930 ike V=root:0:IOS_Native_0:794: mode-cfg UNITY type 28680 requested
2024-07-24 16:27:56.638981 ike V=root:0:IOS_Native_0:794: mode-cfg UNITY type 28680 not supported, ignoring
2024-07-24 16:27:56.639036 ike V=root:0:IOS_Native_0:794: mode-cfg type 28681 request 0:''
2024-07-24 16:27:56.639088 ike V=root:0:IOS_Native_0:794: mode-cfg UNITY type 28681 requested
2024-07-24 16:27:56.639140 ike V=root:0:IOS_Native_0:794: mode-cfg no backup-gateway configured, ignoring
2024-07-24 16:27:56.639195 ike V=root:0:IOS_Native_0:794: mode-cfg type 28683 request 0:''
2024-07-24 16:27:56.639248 ike V=root:0:IOS_Native_0:794: mode-cfg attribute type 28683 not supported, ignoring
2024-07-24 16:27:56.639308 ike V=root:0:IOS_Native_0:794: mode-cfg assigned (1) IPv4 address 10.0.0.1
2024-07-24 16:27:56.639370 ike V=root:0:IOS_Native_0:794: mode-cfg assigned (2) IPv4 netmask 255.255.255.255
2024-07-24 16:27:56.639429 ike V=root:0:IOS_Native_0:794: mode-cfg send (3) IPv4 DNS(1) 217.237.151.51
2024-07-24 16:27:56.639485 ike V=root:0:IOS_Native_0:794: mode-cfg send (3) IPv4 DNS(2) 217.237.149.205
2024-07-24 16:27:56.639541 ike V=root:0:IOS_Native_0:794: PFS is disabled
2024-07-24 16:27:56.639600 ike V=root:0:IOS_Native_0:794: mode-cfg send (28676) IPv4 subnet 0.0.0.0/0.0.0.0 port 0 proto 0
2024-07-24 16:27:56.639661 ike V=root:0:IOS_Native_0:794: mode-cfg send APPLICATION_VERSION 'FortiGate-60E v7.4.4,build2662,240514 (GA.F)'
2024-07-24 16:27:56.639721 ike V=root:0:IOS_Native_0:794: mode-cfg INTERNAL_ADDRESS_EXPIRY ignored, address does not expire
2024-07-24 16:27:56.639783 ike V=root:0:IOS_Native_0:794: client save-password is disabled
2024-07-24 16:27:56.640007 ike 0:IOS_Native_0:794: enc 94092F039C872A4AFE3B3C38705CC6F7081006019E7F7FCB000000AA0E00002445EE2AF2C84BA19F2AB3CE4D0EAED87
98979AF831D4A2C9C240BCF2ABFE99C2E0000006A020035E3000100040A00000100020004FFFFFFFF00030004D9ED973300030004D9ED95CD7004000E00000000000000000000000000000
007002C466F727469476174652D3630452076372E342E342C6275696C64323636322C323430353134202847412E4629
2024-07-24 16:27:56.640156 ike 0:IOS_Native_0:794: out 94092F039C872A4AFE3B3C38705CC6F7081006019E7F7FCB000000ACA0BA1BDA843B33711C396A31041C413FFE3C85D
3AED07AE7B3D50CB718BE5DBC19B371840002C979BEF759A3693A9EC24F5A3D99A4121AFA2990FA89034AD86BF244566F663AAF4C901F17434E75455573A32E1FC18E1D7C2CB1D7A9EB2ED
C1B5688FC07A2943B9A9199F10A4CB9D0F349FE7A68B6D0A613F6AEAF966AFEF9DAB20654DE8DDFEF76F1675A0FC279C7C2
2024-07-24 16:27:56.640340 ike V=root:0:IOS_Native_0:794: sent IKE msg (cfg_send): 91.55.218.67:4500->80.187.85.0:27261, len=172, vrf=0, id=94092f039c
872a4a/fe3b3c38705cc6f7:9e7f7fcb
2024-07-24 16:27:58.032011 ike :shrank heap by 331776 bytes
2024-07-24 16:28:06.592060 ike V=root:0:IOS_Native_0: NAT keep-alive 30 91.55.218.67->80.187.85.0:27261.
2024-07-24 16:28:06.592214 ike 0:IOS_Native_0:794: out FF
2024-07-24 16:28:06.592424 ike V=root:0:IOS_Native_0:794: sent IKE msg (keepalive): 91.55.218.67:4500->80.187.85.0:27261, len=1, vrf=0, id=ff000000000
00000/11000000b877ad56:10000000
2024-07-24 16:28:13.334901 ike V=root:0: comes 80.187.85.0:27261->91.55.218.67:4500,ifindex=30,vrf=0,len=112....
2024-07-24 16:28:13.335028 ike V=root:0: IKEv1 exchange=Informational id=94092f039c872a4a/fe3b3c38705cc6f7:354a336f len=108 vrf=0
2024-07-24 16:28:13.335103 ike 0: in 94092F039C872A4AFE3B3C38705CC6F708100501354A336F0000006CB4A686E9C86CED3FF698DF44C85C5C3AB9187564248F51F4512D6808D
863F3818E72A1D753F8832C4E3D945AB8689FCEE94A6E7F203B47A399614D38C3EE33D4F397EAF295DF6BED6ACC8244B3910FF7
2024-07-24 16:28:13.335281 ike 0:IOS_Native_0:794: dec 94092F039C872A4AFE3B3C38705CC6F708100501354A336F0000006C0C0000241ADAD835A863698E1119D8FD30EA0D0
7B347D46101C1AF18A081154AF5558BB20000001C000000010110000194092F039C872A4AFE3B3C38705CC6F700000000000000000000000000000010
2024-07-24 16:28:13.335441 ike V=root:0:IOS_Native_0:794: recv ISAKMP SA delete 94092f039c872a4a/fe3b3c38705cc6f7
2024-07-24 16:28:13.335514 ike V=root:0:IOS_Native_0: going to be deleted
2024-07-24 16:28:13.336222 ike V=root:0:IOS_Native_0: del peer static route 10.0.0.1/i32
2024-07-24 16:28:13.336329 ike V=root:0:IOS_Native_0: mode-cfg release 10.0.0.1/255.255.255.255
2024-07-24 16:28:13.336406 ike V=root:0:IOS_Native_0: delete dynamic
di de dis
FortiGate #
This is the config of the tunnel:
config vpn ipsec phase1-interface
edit "IOS_Native"
set type dynamic
set interface "VLAN_7_Telekom"
set peertype any
set net-device disable
set mode-cfg enable
set proposal aes256-sha256 aes256-md5 aes256-sha1
set comments "VPN: IOS_Native (Created by VPN wizard)"
set dhgrp 14 5 2
set wizard-type dialup-ios
set xauthtype auto
set authusrgrp "IOS_Native"
set ipv4-start-ip 10.0.0.1
set ipv4-end-ip 10.0.0.10
set dns-mode auto
set psksecret ENC IWztpQyXoUyfqw4VaUpPQ/dCQN8gBCMfdT2sMlGMMQVZLiqeY5mefKp8GvL59d5UU8dPsaIVL2VOIA+BeBfci8/urfzXLMjzBiVtr3LpMBCO9suaP/shmHUxC2E+BD589RB7QIWMfzeQ57eCAirLMjoME22ORj4pNhhyG/O/DUn8XS4s8RC/MG9w5x56i2sydI90uFlmMjY3dkVA
next
end
config vpn ipsec phase2-interface
edit "IOS_Native"
set phase1name "IOS_Native"
set proposal aes256-sha256 aes256-md5 aes256-sha1
set pfs disable
set keepalive enable
set comments "VPN: IOS_Native (Created by VPN wizard)"
next
end
For my test I used a Fortigate 60e (7.4.4) and a iPhone 12 Pro Max (17.5.1)
Maybe one of you can help me.
Best Regards
Stefan
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Please refer to the following document
Hello Stephan,
Can you try to follow this article for iOS IPSec DialUp tunnel:
https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/333840/ipsec-vpn-for-ios-9
https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/311726/ios-device-as-dialup-client
The configuration should be the same for all the versions.
Thanks for the links. All links are showing configurations for split tunnel and not for full tunnel with iOS.
Is there no way to configure a ipsec full tunnel with an iPhone?
There is an option to enable the split tunnel on Fortigate and you can turn that off:
It is called "Enable IPv4 Split tunnel"
https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/333840/ipsec-vpn-for-ios-9
Did you try that?
Sorry, did you read what i wrote in my first post?
“When i remove the check from "Split Tunnel" the ipsec tunnel doesn't work.
It only works with "Split Tunnel".
What i want is a full ipsec tunnel for iOS.“
@stefan-ohg
Are you trying to connect to a VPN when connected to wifi or mobile internet? try other option to see whether it makes a difference or not.
Debug suggests the tunnel went down because iPhone deleted the SA.
2024-07-24 16:28:13.335441 ike V=root:0:IOS_Native_0:794: recv ISAKMP SA delete 94092f039c872a4a/fe3b3c38705cc6f7
2024-07-24 16:28:13.335514 ike V=root:0:IOS_Native_0: going to be deleted
2024-07-24 16:28:13.336222 ike V=root:0:IOS_Native_0: del peer static route 10.0.0.1/i32
2024-07-24 16:28:13.336329 ike V=root:0:IOS_Native_0: mode-cfg release 10.0.0.1/255.255.255.255
2024-07-24 16:28:13.336406 ike V=root:0:IOS_Native_0: delete dynamic
Regards,
Rahul Kaushik
Created on 07-24-2024 09:27 AM Edited on 07-24-2024 09:45 AM
I tried it with mobile internet.
If my iPhone is connected to wifi behind my fortigate the vpn tunnel goes up.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1662 | |
1077 | |
752 | |
443 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.