xdjio
New Contributor

IPSec for iPhone

Hi folks, I hope you can help me out. I have a Fortigate Fortinet 80C that I am using as my edge device for my home network. The fortinet gets a DHCP lease from my ISP on wan1 and I have an Apple Time Capsule hanging out on lan1. The Time Capsule hands out DHCP leases to computers and other devices. Internally, the Fortinet is the gateway to the internet. What I want to do is allow my iPhone to form an IPSec VPN tunnel to the fortigate, while I am out of my home. So let's say I am in a Starbucks somewhere, for example. BUT - I don't want to use this tunnel to get to my machines inside my private networks. Rather, I want to "bounce" traffic off the fortigate. So, the packets are encrypted between my phone and the fortigate, and then they emerge onto the internet from the fortigate. Makes sense? I don't feel like using some SSL juju to do this, I really just want to use my phone's built-in VPN facility to do it. Any help at all is super welcome. I'm running FortiOS 5.0.1. Here's my config:

-----
#config-version=FGT80C-5.00-FW-build147-121221:opmode=0:vdom=0:user=admin
#conf_file_ver=14591312840299032740
#buildno=0147
#global_vdom=1
config system global
    set admin-concurrent enable
    set admin-https-pki-required disable
    set admin-lockout-duration 60
    set admin-lockout-threshold 3
    set admin-maintainer enable
    set admin-port 80
    set admin-scp disable
    set admin-server-cert "Fortinet_Factory"
    set admin-sport 443
    set admin-ssh-grace-time 120
    set admin-ssh-port 22
    set admin-ssh-v1 disable
    set admin-telnet-port 23
    set admintimeout 5
    set allow-traffic-redirect enable
    set anti-replay strict
    set auth-cert "self-sign"
    set auth-http-port 1000
    set auth-https-port 1003
    set auth-keepalive disable
    set auth-policy-exact-match enable
    set av-failopen pass
    set av-failopen-session disable
    set batch-cmdb enable
    set cert-chain-max 8
    set cfg-save automatic
    set check-protocol-header loose
    set check-reset-range disable
    set clt-cert-req disable
    set csr-ca-attribute enable
    set daily-restart disable
    set detection-summary enable
    set dst enable
    set endpoint-control-fds-access enable
    set endpoint-control-portal-port 8009
    set explicit-proxy-auth-timeout 300
    set fds-statistics enable
    set fgd-alert-subscription advisory latest-threat
    set forticlient-reg-port 8010
    set gui-ap-profile enable
    set gui-central-nat-table enable
    set gui-certificates enable
    set gui-client-reputation enable
    set gui-dlp enable
    set gui-dns-database enable
    set gui-dynamic-profile-display enable
    set gui-dynamic-routing enable
    set gui-explicit-proxy disable
    set gui-icap enable
    set gui-implicit-id-based-policy enable
    set gui-implicit-policy enable
    set gui-ipsec-manual-key enable
    set gui-ipv6 enable
    set gui-lines-per-page 50
    set gui-load-balance disable
    set gui-local-in-policy enable
    set gui-multicast-policy enable
    set gui-multiple-utm-profiles enable
    set gui-object-tags enable
    set gui-policy-interface-pairs-view enable
    set gui-replacement-message-groups enable
    set gui-sslvpn-personal-bookmarks enable
    set gui-utm-monitors enable
    set gui-voip-profile enable
    set gui-wireless-opensecurity enable
    set hostname "Ono-Sendai-7"
    set http-obfuscate modified
    set internal-switch-mode switch
    set ip-src-port-range 1024-25000
    set ipsec-hmac-offload enable
    set ipv6-accept-dad 1
    set language english
    set ldapconntimeout 500
    set management-vdom "root"
    set optimize-ssl disable
    set phase1-rekey enable
    set policy-auth-concurrent 1
    set post-login-banner disable
    set pre-login-banner disable
    set radius-port 1812
    set refresh 0
    set registration-notification enable
    set remoteauthtimeout 5
    set reset-sessionless-tcp disable
    set revision-backup-on-logout enable
    set send-pmtu-icmp enable
    set service-expire-notification enable
    set sslvpn-cipher-hardware-acceleration enable
    set sslvpn-kxp-hardware-acceleration enable
    set strict-dirty-session-check disable
    set strong-crypto disable
    set tcp-halfclose-timer 120
    set tcp-halfopen-timer 120
    set tcp-option enable
    set tcp-timewait-timer 120
    set timezone 04
    set tos-based-priority medium
    set two-factor-email-expiry 60
    set two-factor-ftm-expiry 60
    set two-factor-sms-expiry 60
    set udp-idle-timer 180
    set use-usb-wan disable
    set user-server-cert "self-sign"
    set utm-incident-traffic-log enable
    set vdom-admin disable
    set vip-arp-range restricted
    set wifi-ca-certificate "PositiveSSL_CA"
    set wifi-certificate "Fortinet_Wifi"
    set wimax-4g-usb disable
    set wireless-controller enable
    set wireless-controller-port 5246
    set fds-statistics-period 60
end
config system accprofile
    edit "prof_admin"
        set admingrp read-write
        set authgrp read-write
        set endpoint-control-grp read-write
        set fwgrp read-write
        set loggrp read-write
        set mntgrp read-write
        set netgrp read-write
        set routegrp read-write
        set sysgrp read-write
        set updategrp read-write
        set utmgrp read-write
        set vpngrp read-write
        set wifi read-write
    next
end
config wireless-controller vap
    edit "mesh.root"
        set vdom "root"
        set mesh-backhaul enable
        set ssid "fortinet.mesh.root"
        set encrypt TKIP
        set passphrase ENC gMEYUo0TDN8TLUGrPphE5O5UllczQVDoacIA7RE5Ud4G0/LLLPnKAywCStrl1BThGgenNvlw/ygdvPa+qGsixyF43gZQ8fmH1mFcWxVPhxpnvbKT
    next
end
config system interface
    edit "wan1"
        set vdom "root"
        set mode dhcp
        set allowaccess auto-ipsec
        set type physical
        set defaultgw enable
    next
    edit "wan2"
        set vdom "root"
        set allowaccess ping fgfm
        set type physical
    next
    edit "modem"
        set vdom "root"
        set mode pppoe
        set allowaccess fgfm
        set type physical
        set defaultgw enable
    next
    edit "ssl.root"
        set vdom "root"
        set type tunnel
        set alias "sslvpn tunnel interface"
    next
    edit "mesh.root"
        set vdom "root"
        set allowaccess fgfm
        set type vap-switch
    next
    edit "internal"
        set vdom "root"
        set ip 10.0.1.254 255.0.0.0
        set allowaccess ping https ssh http fgfm
        set type physical
    next
    edit "dmz"
        set vdom "root"
        set allowaccess ping fgfm
        set type physical
    next
    edit "iPhone"
        set vdom "root"
        set type tunnel
        set interface "wan1"
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        config dashboard-tabs
            edit 1
                set name "Status"
            next
            edit 2
                set columns 1
                set name "Top Sources"
            next
            edit 3
                set columns 1
                set name "Top Destinations"
            next
            edit 4
                set columns 1
                set name "Top Applications"
            next
        end
        config dashboard
            edit 1
                set tab-id 1
                set column 1
            next
            edit 2
                set widget-type licinfo
                set tab-id 1
                set column 1
            next
            edit 3
                set widget-type sysres
                set tab-id 1
                set column 2
                set time-period 0
                set chart-color 0
            next
            edit 4
                set widget-type jsconsole
                set tab-id 1
                set column 2
            next
            edit 5
                set widget-type alert
                set tab-id 1
                set column 2
                set top-n 10
            next
            edit 21
                set widget-type sessions
                set tab-id 2
                set column 1
                set top-n 25
                set sort-by msg-counts
            next
            edit 31
                set widget-type sessions
                set tab-id 3
                set column 1
                set refresh-interval 10
                set top-n 25
                set report-by destination
            next
            edit 41
                set widget-type sessions
                set tab-id 4
                set column 1
                set top-n 25
                set sort-by msg-counts
                set report-by application
            next
        end
    next
end
config system ha
    set group-id 0
    set group-name "FGT-HA"
    set password ENC icKMPVCR6MGyD4o9YTl3HpF/6Ca9Vl64W1pyh/2B096MHKpHnYnffR9GlJVkMjI3aC/v6XS9HhRngJYJgIRVcV9J+JMFDtGKcC/IgpkcfQgjoidz
    set hbdev "dmz" 50 "wan1" 50
    set route-ttl 10
    set route-wait 0
    set route-hold 10
    set sync-config enable
    set encryption disable
    set authentication disable
    set hb-interval 2
    set hb-lost-threshold 6
    set helo-holddown 20
    set arps 5
    set arps-interval 8
    set session-pickup disable
    set update-all-session-timer disable
    set session-sync-daemon-number 1
    set link-failed-signal disable
    set uninterruptable-upgrade enable
    set ha-eth-type "8890"
    set hc-eth-type "8891"
    set l2ep-eth-type "8893"
    set ha-uptime-diff-margin 300
    set standalone-config-sync disable
    set override disable
    set priority 128
    set pingserver-failover-threshold 0
    set pingserver-flip-timeout 60
end
config system dns
    set primary 216.19.176.6
    set secondary 216.19.176.7
    set domain ''
    set ip6-primary ::
    set ip6-secondary ::
    set dns-cache-limit 5000
    set dns-cache-ttl 1800
    set cache-notfound-responses disable
    set source-ip 0.0.0.0
end
config system replacemsg-image
    edit "logo_fnet"
        set image-base64 ''
        set image-type gif
    next
    edit "logo_fguard_wf"
        set image-base64 ''
        set image-type gif
    next
    edit "logo_fw_auth"
        set image-base64 ''
        set image-type png
    next
    edit "logo_v2_fnet"
        set image-base64 ''
        set image-type png
    next
    edit "logo_v2_fguard_wf"
        set image-base64 ''
        set image-type png
    next
end
config system replacemsg mail "email-block"
    set message-modified false
end
config system replacemsg mail "email-dlp-subject"
    set message-modified false
end
config system replacemsg mail "email-dlp-ban"
    set message-modified false
end
config system replacemsg mail "email-filesize"
    set message-modified false
end
config system replacemsg mail "partial"
    set message-modified false
end
config system replacemsg mail "smtp-block"
    set message-modified false
end
config system replacemsg mail "smtp-filesize"
    set message-modified false
end
config system replacemsg http "bannedword"
    set buffer "<HTML><BODY>The page you requested has been blocked because it contains a banned word. URL = %%PROTOCOL%%%%URL%%</BODY></HTML>"
end
config system replacemsg http "url-block"
    set buffer "<HTML><BODY>The URL you requested has been blocked. URL = %%URL%%</BODY></HTML>"
end
config system replacemsg http "urlfilter-err"
    set buffer "<html><head><title>Web Page Blocked</title></head><body bgcolor=\"FFFFFF\"><h1>Web Page Blocked</h1><br>%%URLFILTER_ERROR%%</body></html>"
end
config system replacemsg http "infcache-block"
    set buffer "<HTML><BODY><H2>High security alert!!!</h2><p>The URL you requested was previously found to be infected.</p><p>URL = %%PROTOCOL%%%%URL%%</p></BODY></HTML>"
end
config system replacemsg http "http-block"
    set buffer "<HTML> <BODY> <h2>High security alert!!!</h2> <p>You are not permitted to download the file \"%%FILE%%\".</p> <p>URL = %%PROTOCOL%%%%URL%%</p> </BODY> </HTML>"
end
config system replacemsg http "http-filesize"
    set buffer "<HTML><BODY> <h2>Attention!!!</h2><p>The file \"%%FILE%%\" has been blocked. The file is larger than the configured file size limit.</p> <p>URL = %%PROTOCOL%%%%URL%%</p> </BODY></HTML>"
end
config system replacemsg http "http-dlp-ban"
    set buffer "<HTML><BODY> <h2>Attention!!!</h2><p>Your user authentication or IP address has been banned due to a detected data leak. You need an admin to re-enable your computer</p><p>URL = %%PROTOCOL%%%%URL%%</p> </BODY></HTML>"
end
config system replacemsg http "http-archive-block"
    set message-modified false
end
config system replacemsg http "http-contenttypeblock"
    set buffer "<HTML><BODY> <h2>Attention!!!</h2><p>Content-type not permitted.</BODY></HTML>"
end
config system replacemsg http "https-invalid-cert-block"
    set message-modified false
end
config system replacemsg http "http-client-block"
    set buffer "<HTML> <BODY> <h2>High security alert!!!</h2> <p>You are not permitted to upload the file \"%%FILE%%\".</p> <p>URL = %%PROTOCOL%%%%URL%%</p> </BODY> </HTML>"
end
config system replacemsg http "http-client-filesize"
    set buffer "<HTML><BODY> <h2>Attention!!!</h2><p>Your request has been blocked. The request is larger than the configured file size limit.</p> <p>URL = %%PROTOCOL%%%%URL%%</p> </BODY></HTML>"
end
config system replacemsg http "http-client-bannedword"
    set buffer "<HTML><BODY>The page you uploaded has been blocked because it contains a banned word. URL = %%PROTOCOL%%%%URL%%</BODY></HTML>"
end
config system replacemsg http "http-post-block"
    set buffer "<HTML><BODY>HTTP POST action is not allowed for policy reasons.</BODY></HTML>"
end
config system replacemsg http "http-client-archive-block"
    set message-modified false
end
config system replacemsg http "switching-protocols-block"
    set message-modified false
end
config system replacemsg webproxy "deny"
    set message-modified false
end
config system replacemsg webproxy "user-limit"
    set message-modified false
end
config system replacemsg webproxy "auth-challenge"
    set message-modified false
end
config system replacemsg webproxy "auth-login-fail"
    set message-modified false
end
config system replacemsg webproxy "auth-authorization-fail"
    set message-modified false
end
config system replacemsg webproxy "http-err"
    set message-modified false
end
config system replacemsg ftp "ftp-dl-blocked"
    set message-modified false
end
config system replacemsg ftp "ftp-dl-filesize"
    set message-modified false
end
config system replacemsg ftp "ftp-dl-dlp-ban"
    set message-modified false
end
config system replacemsg ftp "ftp-explicit-banner"
    set message-modified false
end
config system replacemsg ftp "ftp-dl-archive-block"
    set message-modified false
end
config system replacemsg nntp "nntp-dl-blocked"
    set message-modified false
end
config system replacemsg nntp "nntp-dl-filesize"
    set message-modified false
end
config system replacemsg nntp "nntp-dlp-subject"
    set message-modified false
end
config system replacemsg nntp "nntp-dlp-ban"
    set message-modified false
end
config system replacemsg fortiguard-wf "ftgd-block"
    set message-modified false
end
config system replacemsg fortiguard-wf "http-err"
    set message-modified false
end
config system replacemsg fortiguard-wf "ftgd-ovrd"
    set message-modified false
end
config system replacemsg fortiguard-wf "ftgd-quota"
    set message-modified false
end
config system replacemsg fortiguard-wf "ftgd-warning"
    set message-modified false
end
config system replacemsg spam "ipblocklist"
    set message-modified false
end
config system replacemsg spam "smtp-spam-dnsbl"
    set message-modified false
end
config system replacemsg spam "smtp-spam-feip"
    set message-modified false
end
config system replacemsg spam "smtp-spam-helo"
    set message-modified false
end
config system replacemsg spam "smtp-spam-emailblack"
    set message-modified false
end
config system replacemsg spam "smtp-spam-mimeheader"
    set message-modified false
end
config system replacemsg spam "reversedns"
    set message-modified false
end
config system replacemsg spam "smtp-spam-bannedword"
    set message-modified false
end
config system replacemsg spam "smtp-spam-ase"
    set message-modified false
end
config system replacemsg spam "submit"
    set message-modified false
end
config system replacemsg im "im-file-xfer-block"
    set message-modified false
end
config system replacemsg im "im-file-xfer-name"
    set message-modified false
end
config system replacemsg im "im-file-xfer-infected"
    set message-modified false
end
config system replacemsg im "im-file-xfer-size"
    set message-modified false
end
config system replacemsg im "im-dlp"
    set message-modified false
end
config system replacemsg im "im-dlp-ban"
    set message-modified false
end
config system replacemsg im "im-voice-chat-block"
    set message-modified false
end
config system replacemsg im "im-video-chat-block"
    set message-modified false
end
config system replacemsg im "im-photo-share-block"
    set message-modified false
end
config system replacemsg im "im-long-chat-block"
    set message-modified false
end
config system replacemsg alertmail "alertmail-virus"
    set message-modified false
end
config system replacemsg alertmail "alertmail-block"
    set message-modified false
end
config system replacemsg alertmail "alertmail-nids-event"
    set message-modified false
end
config system replacemsg alertmail "alertmail-crit-event"
    set message-modified false
end
config system replacemsg alertmail "alertmail-disk-full"
    set message-modified false
end
config system replacemsg admin "pre_admin-disclaimer-text"
    set message-modified false
end
config system replacemsg admin "post_admin-disclaimer-text"
    set message-modified false
end
config system replacemsg auth "auth-disclaimer-page-1"
    set message-modified false
end
config system replacemsg auth "auth-disclaimer-page-2"
    set message-modified false
end
config system replacemsg auth "auth-disclaimer-page-3"
    set message-modified false
end
config system replacemsg auth "auth-reject-page"
    set message-modified false
end
config system replacemsg auth "auth-login-page"
    set message-modified false
end
config system replacemsg auth "auth-login-failed-page"
    set message-modified false
end
config system replacemsg auth "auth-token-login-page"
    set message-modified false
end
config system replacemsg auth "auth-token-login-failed-page"
    set message-modified false
end
config system replacemsg auth "auth-success-msg"
    set message-modified false
end
config system replacemsg auth "auth-challenge-page"
    set message-modified false
end
config system replacemsg auth "auth-keepalive-page"
    set message-modified false
end
config system replacemsg auth "auth-portal-page"
    set message-modified false
end
config system replacemsg auth "auth-password-page"
    set message-modified false
end
config system replacemsg auth "auth-fortitoken-page"
    set message-modified false
end
config system replacemsg auth "auth-next-fortitoken-page"
    set message-modified false
end
config system replacemsg auth "auth-email-token-page"
    set message-modified false
end
config system replacemsg auth "auth-sms-token-page"
    set message-modified false
end
config system replacemsg auth "auth-email-harvesting-page"
    set message-modified false
end
config system replacemsg auth "auth-email-failed-page"
    set message-modified false
end
config system replacemsg auth "auth-cert-passwd-page"
    set message-modified false
end
config system replacemsg auth "auth-guest-print-page"
    set message-modified false
end
config system replacemsg auth "auth-guest-email-page"
    set message-modified false
end
config system replacemsg captive-portal-dflt "cpa-disclaimer-page-1"
    set message-modified false
end
config system replacemsg captive-portal-dflt "cpa-disclaimer-page-2"
    set message-modified false
end
config system replacemsg captive-portal-dflt "cpa-disclaimer-page-3"
    set message-modified false
end
config system replacemsg captive-portal-dflt "cpa-reject-page"
    set message-modified false
end
config system replacemsg captive-portal-dflt "cpa-login-page"
    set message-modified false
end
config system replacemsg captive-portal-dflt "cpa-login-failed-page"
    set message-modified false
end
config system replacemsg sslvpn "sslvpn-login"
    set buffer "<html><head><title>login</title><meta http-equiv=\"Pragma\" content=\"no-cache\"><meta http-equiv=\"cache-control\" content=\"no-cache\"><meta http-equiv=\"cache-control\" content=\"must-revalidate\"><link href=\"/sslvpn/css/login.css\" rel=\"stylesheet\" type=\"text/css\"><script type=\"text/javascript\">if (top && top.location != window.location) top.location = top.location;if (window.opener && window.opener.top) { window.opener.top.location = window.opener.top.location; self.close(); }</script></head><body class=\"main\"><center><table width=\"100%\" height=\"100%\" align=\"center\" class=\"container\" valign=\"middle\" cellpadding=\"0\" cellspacing=\"0\"><tr valign=middle><td><form action=\"%%SSL_ACT%%\" method=\"%%SSL_METHOD%%\" name=\"f\"><table class=\"list\" cellpadding=10 cellspacing=0 align=center width=400 height=180><tr class=\"dark\"><td colspan=2><b>Please Login</b></td></tr>%%SSL_LOGIN%%<tr><td></td><td id=login><input type=button name=login_button id=login_button value=\"Login\" onClick=\"try_login()\" border=0></td> </tr></table>%%SSL_HIDDEN%%</td></tr></table></form></center></body><script>document.forms[0].username.focus();</script></html>"
end
config system replacemsg sslvpn "sslvpn-limit"
    set message-modified false
end
config system replacemsg ec "endpt-download-portal"
    set message-modified false
end
config system replacemsg device-detection-portal "device-detection-failure"
    set message-modified false
end
config system replacemsg nac-quar "nac-quar-virus"
    set message-modified false
end
config system replacemsg nac-quar "nac-quar-dos"
    set message-modified false
end
config system replacemsg nac-quar "nac-quar-ips"
    set message-modified false
end
config system replacemsg nac-quar "nac-quar-dlp"
    set message-modified false
end
config system replacemsg traffic-quota "per-ip-shaper-block"
    set message-modified false
end
config system replacemsg utm "virus-html"
    set message-modified false
end
config system replacemsg utm "virus-text"
    set message-modified false
end
config system replacemsg utm "dlp-html"
    set message-modified false
end
config system replacemsg utm "dlp-text"
    set message-modified false
end
config vpn certificate ca
end
config vpn certificate local
end
config user device-category
    edit "ipad"
    next
    edit "iphone"
    next
    edit "gaming-console"
    next
    edit "blackberry-phone"
    next
    edit "blackberry-playbook"
    next
    edit "linux-pc"
    next
    edit "mac"
    next
    edit "windows-pc"
    next
    edit "android-phone"
    next
    edit "android-tablet"
    next
    edit "media-streaming"
    next
    edit "windows-phone"
    next
    edit "windows-tablet"
    next
    edit "fortinet-device"
    next
    edit "ip-phone"
    next
    edit "router-nat-device"
    next
    edit "other-network-device"
    next
    edit "collected-emails"
    next
    edit "all"
    next
end
config antivirus service "http"
    set scan-bzip2 disable
    set uncompnestlimit 12
    set uncompsizelimit 10
end
config antivirus service "https"
    set scan-bzip2 disable
    set uncompnestlimit 12
    set uncompsizelimit 10
end
config antivirus service "ftp"
    set scan-bzip2 disable
    set uncompnestlimit 12
    set uncompsizelimit 10
end
config antivirus service "ftps"
    set scan-bzip2 disable
    set uncompnestlimit 12
    set uncompsizelimit 10
end
config antivirus service "pop3"
    set scan-bzip2 disable
    set uncompnestlimit 12
    set uncompsizelimit 10
end
config antivirus service "pop3s"
    set scan-bzip2 disable
    set uncompnestlimit 12
    set uncompsizelimit 10
end
config antivirus service "imap"
    set scan-bzip2 disable
    set uncompnestlimit 12
    set uncompsizelimit 10
end
config antivirus service "imaps"
    set scan-bzip2 disable
    set uncompnestlimit 12
    set uncompsizelimit 10
end
config antivirus service "smtp"
    set scan-bzip2 disable
    set uncompnestlimit 12
    set uncompsizelimit 10
end
config antivirus service "smtps"
    set scan-bzip2 disable
    set uncompnestlimit 12
    set uncompsizelimit 10
end
config antivirus service "nntp"
    set scan-bzip2 disable
    set uncompnestlimit 12
    set uncompsizelimit 10
end
config antivirus service "im"
    set scan-bzip2 disable
    set uncompnestlimit 12
    set uncompsizelimit 10
end
config system session-sync
end
config system fortiguard
    set port 53
    set service-account-id ''
    set load-balance-servers 1
    set analysis-service enable
    set antispam-force-off disable
    set antispam-cache enable
    set antispam-cache-ttl 1800
    set antispam-cache-mpercent 2
    set antispam-timeout 7
    set avquery-force-off disable
    set avquery-cache enable
    set avquery-cache-ttl 1800
    set avquery-cache-mpercent 2
    set avquery-timeout 7
    set webfilter-force-off disable
    set webfilter-cache enable
    set webfilter-cache-ttl 3600
    set webfilter-timeout 15
    set antispam-score-threshold 80
    set webfilter-sdns-server-port 53
    set ddns-server-ip 0.0.0.0
    set ddns-server-port 443
end
config ips global
    set algorithm engine-pick
    set anomaly-mode continuous
    set database regular
    set engine-count 0
    set fail-open enable
    set hardware-accel-mode engine-pick
    set ignore-session-bytes 204800
    set session-limit-mode heuristic
    set socket-size 4
    set traffic-submit disable
end
config ips dbinfo
    set version 1
end
config gui console
    unset preferences
end
config system session-helper
    edit 1
        set name pptp
        set port 1723
        set protocol 6
    next
    edit 2
        set name h323
        set port 1720
        set protocol 6
    next
    edit 3
        set name ras
        set port 1719
        set protocol 17
    next
    edit 4
        set name tns
        set port 1521
        set protocol 6
    next
    edit 5
        set name tftp
        set port 69
        set protocol 17
    next
    edit 6
        set name rtsp
        set port 554
        set protocol 6
    next
    edit 7
        set name rtsp
        set port 7070
        set protocol 6
    next
    edit 8
        set name rtsp
        set port 8554
        set protocol 6
    next
    edit 9
        set name ftp
        set port 21
        set protocol 6
    next
    edit 10
        set name mms
        set port 1863
        set protocol 6
    next
    edit 11
        set name pmap
        set port 111
        set protocol 6
    next
    edit 12
        set name pmap
        set port 111
        set protocol 17
    next
    edit 13
        set name sip
        set port 5060
        set protocol 17
    next
    edit 14
        set name dns-udp
        set port 53
        set protocol 17
    next
    edit 15
        set name rsh
        set port 514
        set protocol 6
    next
    edit 16
        set name rsh
        set port 512
        set protocol 6
    next
    edit 17
        set name dcerpc
        set port 135
        set protocol 6
    next
    edit 18
        set name dcerpc
        set port 135
        set protocol 17
    next
    edit 19
        set name mgcp
        set port 2427
        set protocol 17
    next
    edit 20
        set name mgcp
        set port 2727
        set protocol 17
    next
end
config system auto-install
    set auto-install-config enable
    set auto-install-image enable
    set default-config-file "fgt_system.conf"
    set default-image-file "image.out"
end
config system ntp
    config ntpserver
        edit 1
            set server "pool.ntp.org"
        next
    end
    set ntpsync enable
    set source-ip 0.0.0.0
    set syncinterval 60
    set type custom
end
config firewall address
    edit "all"
    next
    edit "SSLVPN_TUNNEL_ADDR1"
        set type iprange
        set end-ip 10.0.0.10
        set start-ip 10.0.0.1
    next
    edit "iPhoneVPNUsers"
        set subnet 172.16.1.0 255.255.255.0
    next
end
config firewall multicast-address
    edit "all"
        set end-ip 239.255.255.255
        set start-ip 224.0.0.0
    next
    edit "all_hosts"
        set end-ip 224.0.0.1
        set start-ip 224.0.0.1
    next
    edit "all_routers"
        set end-ip 224.0.0.2
        set start-ip 224.0.0.2
    next
    edit "Bonjour"
        set end-ip 224.0.0.251
        set start-ip 224.0.0.251
    next
    edit "EIGRP"
        set end-ip 224.0.0.10
        set start-ip 224.0.0.10
    next
    edit "OSPF"
        set end-ip 224.0.0.6
        set start-ip 224.0.0.5
    next
end
config firewall address6
    edit "all"
    next
    edit "SSLVPN_TUNNEL_IPv6_ADDR1"
        set ip6 fdff:ffff::1/120
    next
end
config firewall service category
    edit "General"
        set comment "general services"
    next
    edit "Web Access"
        set comment "web access"
    next
    edit "File Access"
        set comment "file access"
    next
    edit "Email"
        set comment "email services"
    next
    edit "Network Services"
        set comment "network services"
    next
    edit "Authentication"
        set comment "authentication service"
    next
    edit "Remote Access"
        set comment "remote access"
    next
    edit "Tunneling"
        set comment "tunneling service"
    next
    edit "VoIP, Messaging & Other Applications"
        set comment "VoIP, messaging, and other applications"
    next
    edit "Web Proxy"
        set comment "Explicit web proxy"
    next
end
config firewall service custom
    edit "ALL"
        set category "General"
        set protocol IP
    next
    edit "ALL_TCP"
        set category "General"
        set tcp-portrange 1-65535
    next
    edit "ALL_UDP"
        set category "General"
        set udp-portrange 1-65535
    next
    edit "ALL_ICMP"
        set category "General"
        set protocol ICMP
    next
    edit "ALL_ICMP6"
        set category "General"
        set protocol ICMP6
    next
    edit "GRE"
        set category "Tunneling"
        set protocol IP
        set protocol-number 47
    next
    edit "AH"
        set category "Tunneling"
        set protocol IP
        set protocol-number 51
    next
    edit "ESP"
        set category "Tunneling"
        set protocol IP
        set protocol-number 50
    next
    edit "AOL"
        set visibility disable
        set tcp-portrange 5190-5194
    next
    edit "BGP"
        set category "Network Services"
        set tcp-portrange 179
    next
    edit "DHCP"
        set category "Network Services"
        set udp-portrange 67-68
    next
    edit "DNS"
        set category "Network Services"
        set tcp-portrange 53
        set udp-portrange 53
    next
    edit "FINGER"
        set visibility disable
        set tcp-portrange 79
    next
    edit "FTP"
        set category "File Access"
        set tcp-portrange 21
    next
    edit "FTP_GET"
        set category "File Access"
        set tcp-portrange 21
    next
    edit "FTP_PUT"
        set category "File Access"
        set tcp-portrange 21
    next
    edit "GOPHER"
        set visibility disable
        set tcp-portrange 70
    next
    edit "H323"
        set category "VoIP, Messaging & Other Applications"
        set tcp-portrange 1720 1503
        set udp-portrange 1719
    next
    edit "HTTP"
        set category "Web Access"
        set tcp-portrange 80
    next
    edit "HTTPS"
        set category "Web Access"
        set tcp-portrange 443
    next
    edit "IKE"
        set category "Tunneling"
        set udp-portrange 500 4500
    next
    edit "IMAP"
        set category "Email"
        set tcp-portrange 143
    next
    edit "IMAPS"
        set category "Email"
        set tcp-portrange 993
    next
    edit "Internet-Locator-Service"
        set visibility disable
        set tcp-portrange 389
    next
    edit "IRC"
        set category "VoIP, Messaging & Other Applications"
        set tcp-portrange 6660-6669
    next
    edit "L2TP"
        set category "Tunneling"
        set tcp-portrange 1701
        set udp-portrange 1701
    next
    edit "LDAP"
        set category "Authentication"
        set tcp-portrange 389
    next
    edit "NetMeeting"
        set visibility disable
        set tcp-portrange 1720
    next
    edit "NFS"
        set category "File Access"
        set tcp-portrange 111 2049
        set udp-portrange 111 2049
    next
    edit "NNTP"
        set visibility disable
        set tcp-portrange 119
    next
    edit "NTP"
        set category "Network Services"
        set tcp-portrange 123
        set udp-portrange 123
    next
    edit "OSPF"
        set category "Network Services"
        set protocol IP
        set protocol-number 89
    next
    edit "PC-Anywhere"
        set category "Remote Access"
        set tcp-portrange 5631
        set udp-portrange 5632
    next
    edit "PING"
        set category "Network Services"
        set protocol ICMP
        set icmptype 8
        unset icmpcode
    next
    edit "TIMESTAMP"
        set protocol ICMP
        set visibility disable
        set icmptype 13
        unset icmpcode
    next
    edit "INFO_REQUEST"
        set protocol ICMP
        set visibility disable
        set icmptype 15
        unset icmpcode
    next
    edit "INFO_ADDRESS"
        set protocol ICMP
        set visibility disable
        set icmptype 17
        unset icmpcode
    next
    edit "ONC-RPC"
        set category "Remote Access"
        set tcp-portrange 111
        set udp-portrange 111
    next
    edit "DCE-RPC"
        set category "Remote Access"
        set tcp-portrange 135
        set udp-portrange 135
    next
    edit "POP3"
        set category "Email"
        set tcp-portrange 110
    next
    edit "POP3S"
        set category "Email"
        set tcp-portrange 995
    next
    edit "PPTP"
        set category "Tunneling"
        set tcp-portrange 1723
    next
    edit "QUAKE"
        set visibility disable
        set udp-portrange 26000 27000 27910 27960
    next
    edit "RAUDIO"
        set visibility disable
        set udp-portrange 7070
    next
    edit "REXEC"
        set visibility disable
        set tcp-portrange 512
    next
    edit "RIP"
        set category "Network Services"
        set udp-portrange 520
    next
    edit "RLOGIN"
        set visibility disable
        set tcp-portrange 513:512-1023
    next
    edit "RSH"
        set visibility disable
        set tcp-portrange 514:512-1023
    next
    edit "SCCP"
        set category "VoIP, Messaging & Other Applications"
        set tcp-portrange 2000
    next
    edit "SIP"
        set category "VoIP, Messaging & Other Applications"
        set udp-portrange 5060
    next
    edit "SIP-MSNmessenger"
        set category "VoIP, Messaging & Other Applications"
        set tcp-portrange 1863
    next
    edit "SAMBA"
        set category "File Access"
        set tcp-portrange 139
    next
    edit "SMTP"
        set category "Email"
        set tcp-portrange 25
    next
    edit "SMTPS"
        set category "Email"
        set tcp-portrange 465
    next
    edit "SNMP"
        set category "Network Services"
        set tcp-portrange 161-162
        set udp-portrange 161-162
    next
    edit "SSH"
        set category "Remote Access"
        set tcp-portrange 22
    next
    edit "SYSLOG"
        set category "Network Services"
        set udp-portrange 514
    next
    edit "TALK"
        set visibility disable
        set udp-portrange 517-518
    next
    edit "TELNET"
        set category "Remote Access"
        set tcp-portrange 23
    next
    edit "TFTP"
        set category "File Access"
        set udp-portrange 69
    next
    edit "MGCP"
        set visibility disable
        set udp-portrange 2427 2727
    next
    edit "UUCP"
        set visibility disable
        set tcp-portrange 540
    next
    edit "VDOLIVE"
        set visibility disable
        set tcp-portrange 7000-7010
    next
    edit "WAIS"
        set visibility disable
        set tcp-portrange 210
    next
    edit "WINFRAME"
        set visibility disable
        set tcp-portrange 1494 2598
    next
    edit "X-WINDOWS"
        set category "Remote Access"
        set tcp-portrange 6000-6063
    next
    edit "PING6"
        set protocol ICMP6
        set visibility disable
        set icmptype 128
        unset icmpcode
    next
    edit "MS-SQL"
        set category "VoIP, Messaging & Other Applications"
        set tcp-portrange 1433 1434
    next
    edit "MYSQL"
        set category "VoIP, Messaging & Other Applications"
        set tcp-portrange 3306
    next
    edit "RDP"
        set category "Remote Access"
        set tcp-portrange 3389
    next
    edit "VNC"
        set category "Remote Access"
        set tcp-portrange 5900
    next
    edit "DHCP6"
        set category "Network Services"
        set udp-portrange 546 547
    next
    edit "SQUID"
        set category "Tunneling"
        set tcp-portrange 3128
    next
    edit "SOCKS"
        set category "Tunneling"
        set tcp-portrange 1080
        set udp-portrange 1080
    next
    edit "WINS"
        set category "Remote Access"
        set tcp-portrange 1512
        set udp-portrange 1512
    next
    edit "RADIUS"
        set category "Authentication"
        set udp-portrange 1812 1813
    next
    edit "RADIUS-OLD"
        set visibility disable
        set udp-portrange 1645 1646
    next
    edit "CVSPSERVER"
        set visibility disable
        set tcp-portrange 2401
        set udp-portrange 2401
    next
    edit "AFS3"
        set category "File Access"
        set tcp-portrange 7000-7009
        set udp-portrange 7000-7009
    next
    edit "TRACEROUTE"
        set category "Network Services"
        set udp-portrange 33434-33535
    next
    edit "RTSP"
        set category "VoIP, Messaging & Other Applications"
        set tcp-portrange 554 7070 8554
        set udp-portrange 554
    next
    edit "MMS"
        set visibility disable
        set tcp-portrange 1755
        set udp-portrange 1024-5000
    next
    edit "KERBEROS"
        set category "Authentication"
        set tcp-portrange 88
        set udp-portrange 88
    next
    edit "LDAP_UDP"
        set category "Authentication"
        set udp-portrange 389
    next
    edit "SMB"
        set category "File Access"
        set tcp-portrange 445
    next
    edit "webproxy"
        set explicit-proxy enable
        set category "Web Proxy"
        set protocol ALL
        set tcp-portrange 0-65535:0-65535
    next
    edit "ALL_CUSTOM"
        set category "General"
        set protocol IP
    next
    edit "ALL_TCP_CUSTOM"
        set category "General"
        set tcp-portrange 1-65535
    next
    edit "ALL_UDP_CUSTOM"
        set category "General"
        set udp-portrange 1-65535
    next
    edit "ALL_ICMP_CUSTOM"
        set category "General"
        set protocol ICMP
    next
    edit "ALL_ICMP6_CUSTOM"
        set category "General"
        set protocol ICMP6
    next
    edit "Transmission Torrent port"
        set comment "for bittorrent reverse map"
        set visibility disable
        set tcp-portrange 58765:0-65535
    next
end
config firewall service group
    edit "Email Access"
        set member "DNS" "IMAP" "IMAPS" "POP3" "POP3S" "SMTP" "SMTPS"
    next
    edit "Web Access"
        set member "DNS" "HTTP" "HTTPS"
    next
    edit "Windows AD"
        set member "DCE-RPC" "DNS" "KERBEROS" "LDAP" "LDAP_UDP" "SAMBA" "SMB"
    next
    edit "Exchange Server"
        set member "DCE-RPC" "DNS" "HTTPS"
    next
end
config webfilter ftgd-local-cat
    edit "custom1"
        set id 140
    next
    edit "custom2"
        set id 141
    next
end
config ips sensor
    edit "default"
        set comment "prevent critical attacks"
        config entries
            edit 1
                set severity medium high critical
            next
        end
    next
    edit "all_default"
        set comment "all predefined signatures with default setting"
        config entries
            edit 1
            next
        end
    next
    edit "all_default_pass"
        set comment "all predefined signatures with PASS action"
        config entries
            edit 1
                set action pass
            next
            edit 2
                set action pass
            next
        end
    next
    edit "protect_http_server"
        set comment "protect against HTTP server-side vulnerabilities"
        config entries
            edit 1
                set location server
                set protocol HTTP
            next
            edit 5
                set location server
                set protocol HTTP
            next
        end
    next
    edit "protect_email_server"
        set comment "protect against EMail server-side vulnerabilities"
        config entries
            edit 1
                set location server
                set protocol SMTP POP3 IMAP
            next
            edit 4
                set location server
            next
        end
    next
    edit "protect_client"
        set comment "protect against client-side vulnerabilities"
        config entries
            edit 1
                set location client
            next
            edit 3
                set location client
            next
        end
    next
end
config firewall shaper traffic-shaper
    edit "high-priority"
        set maximum-bandwidth 1048576
        set per-policy enable
    next
    edit "medium-priority"
        set maximum-bandwidth 1048576
        set per-policy enable
        set priority medium
    next
    edit "low-priority"
        set maximum-bandwidth 1048576
        set per-policy enable
        set priority low
    next
    edit "guarantee-100kbps"
        set guaranteed-bandwidth 100
        set maximum-bandwidth 1048576
        set per-policy enable
    next
    edit "shared-1M-pipe"
        set maximum-bandwidth 1024
    next
end
config application list
    edit "default"
        set comment "monitor all applications"
        config entries
            edit 1
                set action pass
            next
        end
    next
    edit "block-p2p"
        config entries
            edit 1
                set category 2
            next
        end
    next
    edit "monitor-p2p-and-media"
        config entries
            edit 1
                set action pass
                set category 2
            next
            edit 2
                set action pass
                set category 5
            next
        end
    next
    edit "monitor-all"
        config entries
            edit 1
                set action pass
            next
        end
    next
end
config dlp filepattern
    edit 1
        config entries
            edit "*.bat"
            next
            edit "*.com"
            next
            edit "*.dll"
            next
            edit "*.doc"
            next
            edit "*.exe"
            next
            edit "*.gz"
            next
            edit "*.hta"
            next
            edit "*.ppt"
            next
            edit "*.rar"
            next
            edit "*.scr"
            next
            edit "*.tar"
            next
            edit "*.tgz"
            next
            edit "*.vb?"
            next
            edit "*.wps"
            next
            edit "*.xl?"
next edit " *.zip" next edit " *.pif" next edit " *.cpl" next end set name " builtin-patterns" next edit 2 config entries edit " bat" set filter-type type set file-type bat next edit " exe" set filter-type type set file-type exe next edit " elf" set filter-type type set file-type elf next edit " hta" set filter-type type set file-type hta next end set name " all_executables" next end config dlp sensor edit " default" set comment " summary archive email and web traffic" set extended-utm-log enable set dlp-log disable set summary-proto smtp pop3 imap http next edit " Content_Summary" set extended-utm-log enable set dlp-log disable next edit " Content_Archive" set extended-utm-log enable set dlp-log disable next edit " Large-File" set extended-utm-log enable set dlp-log disable next edit " Credit-Card" set extended-utm-log enable set dlp-log disable next edit " SSN-Sensor" set extended-utm-log enable set dlp-log disable next end config webfilter content end config webfilter urlfilter end config spamfilter bword end config spamfilter bwl end config spamfilter mheader end config spamfilter dnsbl end config spamfilter iptrust end config client-reputation profile end config icap profile edit " default" next end config vpn ssl web host-check-software edit " FortiClient-AV" set guid " C86EC76D-5A4C-40E7-BD94-59358E544D81" next edit " FortiClient-FW" set guid " 528CB157-D384-4593-AAAA-E42DFF111CED" set type fw next edit " FortiClient-AV-Vista-Win7" set guid " 385618A6-2256-708E-3FB9-7E98B93F91F9" next edit " FortiClient-FW-Vista-Win7" set guid " 006D9983-6839-71D6-14E6-D7AD47ECD682" set type fw next edit " AVG-Internet-Security-AV" set guid " 17DDD097-36FF-435F-9E1B-52D74245D6BF" next edit " AVG-Internet-Security-AV-Vista-Win7" set guid " 0C939084-9E57-CBDB-EA61-0B0C7F62AF82" next edit " CA-Anti-Virus" set guid " 17CFD1EA-56CF-40B5-A06B-BD3A27397C93" next edit " CA-Internet-Security-AV" set guid " 6B98D35F-BB76-41C0-876B-A50645ED099A" next edit " 
CA-Internet-Security-AV-Vista-Win7" set guid " 3EED0195-0A4B-4EF3-CC4F-4F401BDC245F" next edit " F-Secure-Internet-Security-AV" set guid " E7512ED5-4245-4B4D-AF3A-382D3F313F15" next edit " F-Secure-Internet-Security-AV-Vista-Win7" set guid " 15414183-282E-D62C-CA37-EF24860A2F17" next edit " Kaspersky-AV" set guid " 2C4D4BC6-0793-4956-A9F9-E252435469C0" next edit " Kaspersky-AV-Vista-Win7" set guid " AE1D740B-8F0F-D137-211D-873D44B3F4AE" next edit " McAfee-Internet-Security-Suite-AV" set guid " 84B5EE75-6421-4CDE-A33A-DD43BA9FAD83" next edit " McAfee-Internet-Security-Suite-AV-Vista-Win7" set guid " 86355677-4064-3EA7-ABB3-1B136EB04637" next edit " McAfee-Virus-Scan-Enterprise" set guid " 918A2B0B-2C60-4016-A4AB-E868DEABF7F0" next edit " Norton-360-2.0-AV" set guid " A5F1BC7C-EA33-4247-961C-0217208396C4" next edit " Norton-360-3.0-AV" set guid " E10A9785-9598-4754-B552-92431C1C35F8" next edit " Norton-Internet-Security-AV" set guid " E10A9785-9598-4754-B552-92431C1C35F8" next edit " Norton-Internet-Security-AV-Vista-Win7" set guid " 88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855" next edit " Symantec-Endpoint-Protection-AV" set guid " FB06448E-52B8-493A-90F3-E43226D3305C" next edit " Symantec-Endpoint-Protection-AV-Vista-Win7" set guid " 88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855" next edit " Panda-Antivirus+Firewall-2008-AV" set guid " EEE2D94A-D4C1-421A-AB2C-2CE8FE51747A" next edit " Panda-Internet-Security-AV" set guid " 4570FB70-5C9E-47E9-B16C-A3A6A06C4BF0" next edit " Sophos-Anti-Virus" set guid " 3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD" next edit " Sophos-Enpoint-Secuirty-and-Control-AV-Vista-Win7" set guid " 479CCF92-4960-B3E0-7373-BF453B467D2C" next edit " Trend-Micro-AV" set guid " 7D2296BC-32CC-4519-917E-52E652474AF5" next edit " Trend-Micro-AV-Vista-Win7" set guid " 48929DFC-7A52-A34F-8351-C4DBEDBD9C50" next edit " ZoneAlarm-AV" set guid " 5D467B10-818C-4CAB-9FF7-6893B5B8F3CF" next edit " ZoneAlarm-AV-Vista-Win7" set guid " D61596DF-D219-341C-49B3-AD30538CBC5B" next edit " 
AVG-Internet-Security-FW" set guid " 8DECF618-9569-4340-B34A-D78D28969B66" set type fw next edit " AVG-Internet-Security-FW-Vista-Win7" set guid " 34A811A1-D438-CA83-C13E-A23981B1E8F9" set type fw next edit " CA-Internet-Security-FW" set guid " 38102F93-1B6E-4922-90E1-A35D8DC6DAA3" set type fw next edit " CA-Internet-Security-FW-Vista-Win7" set guid " 06D680B0-4024-4FAB-E710-E675E50F6324" set type fw next edit " CA-Personal-Firewall" set guid " 14CB4B80-8E52-45EA-905E-67C1267B4160" set type fw next edit " F-Secure-Internet-Security-FW" set guid " D4747503-0346-49EB-9262-997542F79BF4" set type fw next edit " F-Secure-Internet-Security-FW-Vista-Win7" set guid " 2D7AC0A6-6241-D774-E168-461178D9686C" set type fw next edit " Kaspersky-FW" set guid " 2C4D4BC6-0793-4956-A9F9-E252435469C0" set type fw next edit " Kaspersky-FW-Vista-Win7" set guid " 9626F52E-C560-D06F-0A42-2E08BA60B3D5" set type fw next edit " McAfee-Internet-Security-Suite-FW" set guid " 94894B63-8C7F-4050-BDA4-813CA00DA3E8" set type fw next edit " McAfee-Internet-Security-Suite-FW-Vista-Win7" set guid " BE0ED752-0A0B-3FFF-80EC-B2269063014C" set type fw next edit " Norton-360-2.0-FW" set guid " 371C0A40-5A0C-4AD2-A6E5-69C02037FBF3" set type fw next edit " Norton-360-3.0-FW" set guid " 7C21A4C9-F61F-4AC4-B722-A6E19C16F220" set type fw next edit " Norton-Internet-Security-FW" set guid " 7C21A4C9-F61F-4AC4-B722-A6E19C16F220" set type fw next edit " Norton-Internet-Security-FW-Vista-Win7" set guid " B0F2DB13-C654-2E74-30D4-99C9310F0F2E" set type fw next edit " Symantec-Endpoint-Protection-FW" set guid " BE898FE3-CD0B-4014-85A9-03DB9923DDB6" set type fw next edit " Symantec-Endpoint-Protection-FW-Vista-Win7" set guid " B0F2DB13-C654-2E74-30D4-99C9310F0F2E" set type fw next edit " Panda-Antivirus+Firewall-2008-FW" set guid " 7B090DC0-8905-4BAF-8040-FD98A41C8FB8" set type fw next edit " Panda-Internet-Security-2006~2007-FW" set guid " 4570FB70-5C9E-47E9-B16C-A3A6A06C4BF0" set type fw next edit " 
Panda-Internet-Security-2008~2009-FW" set guid " 7B090DC0-8905-4BAF-8040-FD98A41C8FB8" set type fw next edit " Sophos-Enpoint-Secuirty-and-Control-FW" set guid " 0786E95E-326A-4524-9691-41EF88FB52EA" set type fw next edit " Sophos-Enpoint-Secuirty-and-Control-FW-Vista-Win7" set guid " 7FA74EB7-030F-B2B8-582C-1670C5953A57" set type fw next edit " Trend-Micro-FW" set guid " 3E790E9E-6A5D-4303-A7F9-185EC20F3EB6" set type fw next edit " Trend-Micro-FW-Vista-Win7" set guid " 70A91CD9-303D-A217-A80E-6DEE136EDB2B" set type fw next edit " ZoneAlarm-FW" set guid " 829BDA32-94B3-44F4-8446-F8FCFF809F8B" set type fw next edit " ZoneAlarm-FW-Vista-Win7" set guid " EE2E17FA-9876-3544-62EC-0405AD5FFB20" set type fw next end config vpn ssl web portal edit " full-access" set allow-access web ftp smb telnet ssh vnc rdp set page-layout double-column config widget edit 4 set name " Session Information" set type info next edit 2 set name " Bookmarks" set allow-apps web ftp smb telnet ssh vnc rdp next edit 3 set name " Connection Tool" set type tool set column two set allow-apps web ftp smb telnet ssh vnc rdp next edit 1 set name " Tunnel Mode" set type tunnel set column two set ip-pools " SSLVPN_TUNNEL_ADDR1" set ipv6-pools " SSLVPN_TUNNEL_IPv6_ADDR1" next end next edit " web-access" set allow-access web ftp smb telnet ssh vnc rdp config widget edit 4 set name " Session Information" set type info next edit 1 set name " Bookmarks" set allow-apps web ftp smb telnet ssh vnc rdp next end next edit " tunnel-access" config widget edit 4 set name " Session Information" set type info next edit 1 set name " Tunnel Mode" set type tunnel set ip-pools " SSLVPN_TUNNEL_ADDR1" set ipv6-pools " SSLVPN_TUNNEL_IPv6_ADDR1" next end next end config user fortitoken edit " FTKMOB313C6F9754" set license " FTMTRIAL00009036" next edit " FTKMOB31AF7272B8" set license " FTMTRIAL00009036" next end config user local edit " guest" set type password set passwd ENC 
JcQOdE83DJ79kXIS/RqnfQT4NQa6w8SbdIob+YoHvpO2MsC46rp5nGhSgy0SHRTSVvvo7nlpMjaa2WmJ7h4VwPzwmtm7z2z9KelVk3afIZdGUaOY next edit " jgardner" set passwd-time 2013-04-09 20:59:43 set type password set passwd ENC qJEvYImqZ8N3M0Bak7XvkcmESWBJLTrzLZ7p0g0qBZTntmrx8xlimWyTxBOKWm/WR8ijZ19tSkc4ttqXcl5qwZDR6UfVMtojFTWRIADbp6cB5xka next end config user group edit " FSSO_Guest_Users" set group-type fsso-service next edit " Guest-group" set member " guest" next edit " iPhoneVPN" set member " jgardner" next end config voip profile edit " default" set comment " default VoIP profile" next edit " strict" config sip set malformed-request-line discard set malformed-header-via discard set malformed-header-from discard set malformed-header-to discard set malformed-header-call-id discard set malformed-header-cseq discard set malformed-header-rack discard set malformed-header-rseq discard set malformed-header-contact discard set malformed-header-record-route discard set malformed-header-route discard set malformed-header-expires discard set malformed-header-content-type discard set malformed-header-content-length discard set malformed-header-max-forwards discard set malformed-header-allow discard set malformed-header-p-asserted-identity discard set malformed-header-sdp-v discard set malformed-header-sdp-o discard set malformed-header-sdp-s discard set malformed-header-sdp-i discard set malformed-header-sdp-c discard set malformed-header-sdp-b discard set malformed-header-sdp-z discard set malformed-header-sdp-k discard set malformed-header-sdp-a discard set malformed-header-sdp-t discard set malformed-header-sdp-r discard set malformed-header-sdp-m discard end next end config webfilter profile edit " default" set comment " default web filtering" set post-action comfort config ftgd-wf unset options config filters edit 1 set action warning set category 2 next edit 2 set action warning set category 7 next edit 3 set action warning set category 8 next edit 4 set action warning set category 9 next 
edit 5 set action warning set category 11 next edit 6 set action warning set category 12 next edit 7 set action warning set category 13 next edit 8 set action warning set category 14 next edit 9 set action warning set category 15 next edit 10 set action warning set category 16 next edit 11 set action warning next edit 12 set action warning set category 57 next edit 13 set action warning set category 63 next edit 14 set action warning set category 64 next edit 15 set action warning set category 65 next edit 16 set action warning set category 66 next edit 17 set action warning set category 67 next edit 18 set action block set category 26 next edit 57 set action warning next edit 63 set action warning next edit 64 set action warning next edit 65 set action warning next edit 66 set action warning next edit 67 set action warning next edit 26 set action block next end end set extended-utm-log enable set log-all-url disable set web-content-log disable set web-filter-activex disable set web-filter-command-block-log disable set web-filter-cookie-log disable set web-filter-applet-log disable set web-filter-jscript-log disable set web-filter-js-log disable set web-filter-vbs-log disable set web-filter-unknown-log disable set web-filter-referer-log disable set web-filter-cookie-removal-log disable set web-url-log disable set web-invalid-domain-log disable set web-ftgd-err-log disable set web-ftgd-quota-usage disable next end config webfilter override end config webfilter override-user end config webfilter ftgd-warning end config webfilter ftgd-local-rating end config webfilter search-engine edit " google" set hostname " .*\\.google\\..*" set url " ^\\/((custom|search|images|videosearch|webhp)\\?)" set query " q=" set safesearch url set safesearch-str " &safe=active" next edit " yahoo" set hostname " .*\\.yahoo\\..*" set url " ^\\/search(\\/video|\\/images){0,1}(\\?|;)" set query " p=" set safesearch url set safesearch-str " &vm=r" next edit " bing" set hostname " 
www\\.bing\\.com" set url " ^(\\/images|\\/videos)?\\/search\\?" set query " q=" set safesearch url set safesearch-str " &adlt=strict" next edit " yandex" set hostname " yandex\\..*" set url " ^\\/yandsearch?\\?" set query " text=" set safesearch url set safesearch-str " &fyandex=1" next edit " youtube" set hostname " .*\\.youtube\\..*" set safesearch header next edit " baidu" set hostname " .*\\.baidu\\.com" set url " ^\\/s?\\?" set query " wd=" set charset gb2312 next edit " baidu2" set hostname " .*\\.baidu\\.com" set url " ^\\/(ns|q|m|i|v)\\?" set query " word=" set charset gb2312 next edit " baidu3" set hostname " tieba\\.baidu\\.com" set url " ^\\/f\\?" set query " kw=" set charset gb2312 next end config vpn ipsec phase1-interface edit " iPhone" set type dynamic set interface " wan1" set dhgrp 2 set xauthtype auto set mode-cfg enable set proposal 3des-sha1 aes128-sha1 set authusrgrp " iPhoneVPN" set ipv4-start-ip 172.16.1.1 set ipv4-end-ip 172.16.1.254 set ipv4-netmask 255.255.255.0 set ipv4-split-include " all" set psksecret ENC U0n7VVpYD5njhn2u5FqCysCnglVkZvozUuq3cdRrrFhSrT9ka0lJfNUoW3Cl1U/Cu+8RiCtZBaTAiQaxImXfFhxLhb3PI5KiNnNndEaM5ZCDLiJB next end config vpn ipsec phase2-interface edit " iPhone_P2" set phase1name " iPhone" set proposal 3des-sha1 aes128-sha1 set dhgrp 2 next end config system dns-server edit " internal" next end config antivirus profile edit " default" set comment " scan and delete virus" set inspection-mode flow-based config http set options scan end config ftp set options scan end config imap set options scan end config pop3 set options scan end config smtp set options scan end config nntp set options scan end config im set options scan end set extended-utm-log enable set av-virus-log disable set av-block-log disable next end config spamfilter profile edit " default" set comment " malware and phishing URL filtering" set extended-utm-log enable set spam-log disable next end config firewall schedule recurring edit " always" set day sunday 
monday tuesday wednesday thursday friday saturday next end config firewall vip edit " Transmission" set comment " Bittorrent Peer Port" set extip 69.172.151.162 set extintf " wan1" set portforward enable set mappedip 10.0.1.6 set extport 49152-65535 set mappedport 49152-65535 next end config firewall vipgrp edit " Transmission Group" set interface " wan1" set member " Transmission" next end config firewall profile-protocol-options edit " default" set comment " all default services" config http set ports 80 set options no-content-summary unset post-lang end config ftp set ports 21 set options no-content-summary splice end config imap set ports 143 set options fragmail no-content-summary end config mapi set ports 135 set options fragmail no-content-summary end config pop3 set ports 110 set options fragmail no-content-summary end config smtp set ports 25 set options fragmail no-content-summary splice end config nntp set ports 119 set options no-content-summary splice end config dns set ports 53 end next end config firewall deep-inspection-options edit " default" set comment " all default services" config https set ports 443 set status disable end config ftps set ports 990 end config imaps set ports 993 set status disable end config pop3s set ports 995 set status disable end config smtps set ports 465 set status disable end next end config firewall identity-based-route end config firewall policy edit 3 set srcintf " iPhone" set dstintf " wan1" set srcaddr " iPhoneVPNUsers" set dstaddr " all" set action accept set schedule " always" set service " ALL" next edit 1 set srcintf " internal" set dstintf " wan1" set srcaddr " all" set dstaddr " all" set action accept set schedule " always" set service " ALL" set nat enable next edit 4 set srcintf " wan1" set dstintf " internal" set srcaddr " all" set dstaddr " Transmission Group" set action accept set schedule " always" set service " ALL" next end config firewall local-in-policy end config firewall policy6 end config firewall 
local-in-policy6 end config firewall ttl-policy end config firewall policy64 end config firewall interface-policy end config firewall interface-policy6 end config firewall sniff-interface-policy end config firewall sniff-interface-policy6 end config firewall DoS-policy end config firewall sniffer end config endpoint-control profile edit " default" config forticlient-winmac-settings set forticlient-av enable set forticlient-wf enable set forticlient-wf-profile " default" end config forticlient-android-settings set forticlient-wf enable set forticlient-wf-profile " default" end config forticlient-ios-settings set forticlient-wf enable set forticlient-wf-profile " default" end next end config endpoint-control settings set endpoint-profile " default" end config wireless-controller wids-profile edit " default" set comment " default wids profile" set wireless-bridge enable set deauth-broadcast enable set null-ssid-probe-resp enable set long-duration-attack enable set invalid-mac-oui enable set weak-wep-iv enable set auth-frame-flood enable set assoc-frame-flood enable set spoofed-deauth enable set asleap-attack enable set eapol-start-flood enable set eapol-logoff-flood enable set eapol-succ-flood enable set eapol-fail-flood enable set eapol-pre-succ-flood enable set eapol-pre-fail-flood enable next end config wireless-controller wtp-profile edit " FAP112B-default" config platform set type 112B end set ap-country US config radio-1 set band 802.11n end config radio-2 set mode disabled end next edit " FAP220B-default" set ap-country US config radio-1 set band 802.11n-5G end config radio-2 set band 802.11n end next edit " FAP210B-default" config platform set type 210B end set ap-country US config radio-1 set band 802.11n end config radio-2 set mode disabled end next edit " FAP222B-default" config platform set type 222B end set ap-country US config radio-1 set band 802.11n end config radio-2 set band 802.11n-5G end next edit " FAP320B-default" config platform set type 320B 
end set ap-country US config radio-1 set band 802.11n-5G end config radio-2 set band 802.11n end next edit " FAP11C-default" config platform set type 11C end set ap-country US config radio-1 set band 802.11n end config radio-2 set mode disabled end next edit " 11n-only" config platform set type 60C end set ap-country US config radio-1 set band 802.11n end config radio-2 set mode disabled end next end config log setting set local-in-deny disable end config router rip config redistribute " connected" end config redistribute " static" end config redistribute " ospf" end config redistribute " bgp" end config redistribute " isis" end end config router ripng config redistribute " connected" end config redistribute " static" end config redistribute " ospf" end config redistribute " bgp" end config redistribute " isis" end end config router ospf config redistribute " connected" end config redistribute " static" end config redistribute " rip" end config redistribute " bgp" end config redistribute " isis" end end config router ospf6 config redistribute " connected" end config redistribute " static" end config redistribute " rip" end config redistribute " bgp" end config redistribute " isis" end end config router bgp config redistribute " connected" end config redistribute " rip" end config redistribute " ospf" end config redistribute " static" end config redistribute " isis" end config redistribute6 " connected" end config redistribute6 " rip" end config redistribute6 " ospf" end config redistribute6 " static" end config redistribute6 " isis" end end config router isis config redistribute " connected" end config redistribute " rip" end config redistribute " ospf" end config redistribute " bgp" end config redistribute " static" end end config router multicast end
8 REPLIES
ede_pfau
Esteemed Contributor III

1. You have to enable NAT on the outgoing policy from tunnel to WAN.
2. On the iPhone, is the default route set to the tunnel? In other words, the "remote subnet behind the tunnel" should be 0.0.0.0/0.
3. You might need the phaseX parameter "split-tunneling". Please look it up in the CLI guide.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
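As an added worked example (not part of Ede's reply or the original poster's config), here is what policy 3 and the "iPhone" phase1 from the posted config look like with the three points above applied, in FortiOS 5.0 CLI. The object names are the ones in the posted config. The firewall address "iPhoneVPNUsers" is referenced by policy 3 but its definition falls outside the part of the config shown, so the definition below is an assumption: it has to cover the mode-cfg pool 172.16.1.0/24 or the policy never matches. The pre-shared key is a placeholder.

```fortios
# Added example, not the original poster's config.
# Assumption: "iPhoneVPNUsers" covers the mode-cfg pool 172.16.1.0/24.

# Point 1: the tunnel-to-WAN policy needs NAT, exactly like policy 1 for the
# internal LAN already has. Without it, replies from the internet are
# addressed to 172.16.1.x, which the ISP does not route back to wan1.
config firewall policy
    edit 3
        set srcintf "iPhone"
        set dstintf "wan1"
        set srcaddr "iPhoneVPNUsers"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# Points 2 and 3: with mode-cfg the FortiGate hands the phone its tunnel
# address and the networks to route through the tunnel. "all" is 0.0.0.0/0
# in the default address table, so the phone sends everything through the
# tunnel (full tunnel), which is what the poster wants. The LAN stays
# unreachable because there is no policy from "iPhone" to "internal".
config vpn ipsec phase1-interface
    edit "iPhone"
        set type dynamic
        set interface "wan1"
        set dhgrp 2
        set xauthtype auto
        set mode-cfg enable
        set proposal aes256-sha1 aes128-sha1 3des-sha1
        set authusrgrp "iPhoneVPN"
        set ipv4-start-ip 172.16.1.1
        set ipv4-end-ip 172.16.1.254
        set ipv4-netmask 255.255.255.0
        set ipv4-split-include "all"
        set psksecret <pre-shared key placeholder>
    next
end

# Assumed definition of the address object used as srcaddr in policy 3.
config firewall address
    edit "iPhoneVPNUsers"
        set subnet 172.16.1.0 255.255.255.0
    next
end
```

Two checks worth doing on this: first, the srcaddr of policy 3 must cover the mode-cfg pool, otherwise traffic arrives on the "iPhone" interface and is dropped by the implicit deny with no hint in the VPN logs. Second, 3des-sha1 and DH group 2 are the weakest options in the posted proposal list; the example only reorders the list so a stronger proposal is offered first and keeps the weaker one for as long as the phone needs it.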
xdjio
New Contributor

Hmm! 1) I'm not sure how to do that - enable NAT on the outgoing policy, but will noodle around. 2) On the iPhone I have this configured as an L2TP tunnel, and setting the default route for the tunnel does not seem to be something that can be done on the phone. Should it be done in the Fortinet's tunnel definition instead? 3) I'll have a look. Thanks! Sorry if I am slow at this, it's been a long time since I have done any of this stuff myself.
xdjio
New Contributor

Actually, I cannot even seem to form a connection from the phone to the FortiGate with this config. The phone just throws up a useless error (essentially "server did not respond"), but I know the phone can ping it and port 500 is open to the world...
ede_pfau
Esteemed Contributor III

L2TP will bring you nowhere. Use the (built-in) Cisco Unity IPsec VPN client on the iPhone. Have you had a look into the Cookbook, or searched this forum for the many threads that treated this subject in the past?

Ede

"Kernel panic: Aiee, killing interrupt handler!"
xdjio
New Contributor

The cookbook was helpful to a point, but not enough to get me where I'm going. I'll comb through some threads here too of course, but so far it seems much harder than expected. What other info can I give that would be most helpful? I just tried making a connection from the iPhone using its Cisco IPsec VPN (the built-in one) and it said "Negotiation with the VPN server failed". Looking at the Fortinet's event logs, I see some phase_1 errors, so will check my preshared keys first.
xdjio
New Contributor

Hmmm..... and the preshared keys are correct. They match on the phone and the Fortinet.
xdjio
New Contributor

Here's the error from the Fortinet's log:

Cookies: 682ae9ca829938c7/83e83459374eac79
Virtual Domain: root
Result: ERROR
locip: 69.172.151.162
xauthuser: N/A
Group: N/A
xauthgroup: N/A
remport: 47091
locport: 4500
Initiator: remote
Role: responder
Message: progress IPsec phase 1
roll: 0
Status: failure
Timestamp: Sun Jun 30 13:01:52 2013
User: N/A
outintf: wan1
Stage: 3
Level: error
remip: 24.114.37.122
logid: 37128
Sub Type: vpn
Mode: main
Action: negotiate
Date/Time: 13:01:52 (Sun Jun 30 13:01:52 2013)
Direction: inbound
VPN Tunnel: iPhone
Tim_Cooper

From SSH or console: 'diagnose debug application ike -1' then 'diagnose debug enable'. Then try and connect. This debug will give clues and errors as to what isn't working.
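Added example (not part of Tim_Cooper's reply): the same IKE debug session, narrowed to the one peer so other traffic does not drown the output, with timestamps, and switched off again afterwards. The peer address 24.114.37.122 is the remip from the posted event log; the log-filter command is FortiOS 5.x syntax and is assumed to be present on this build.

```fortios
# Added example, not from the original reply. Run from SSH or console.
# 24.114.37.122 is the remote IP from the posted phase 1 log entry.
diagnose debug reset
diagnose vpn ike log-filter clear
diagnose vpn ike log-filter dst-addr4 24.114.37.122
diagnose debug console timestamp enable
diagnose debug application ike -1
diagnose debug enable

# ... now start the VPN on the iPhone and read the output ...

# Switch debugging off again when done; ike -1 otherwise keeps running
# and flooding the console.
diagnose debug disable
diagnose debug reset
diagnose vpn ike log-filter clear

# Then check what state phase 1 and phase 2 actually reached:
diagnose vpn ike gateway list
diagnose vpn tunnel list
```

The debug output shows each exchange as it happens, including the proposals the phone offers and where the responder gives up, so a proposal/DH-group mismatch or a pre-shared key mismatch is visible directly instead of as the generic "negotiate ... failure" event above. One thing the posted log already tells you: locport 4500 means NAT traversal had kicked in and UDP 4500 is reaching wan1 as well as UDP 500, so the failure is inside the main-mode exchange, not a blocked port.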