usmanjawa
New Contributor

Remote access SSL VPN with Cisco AnyConnect on FortiGate

Hi, I am a beginner who just started my journey with FortiGate. I am using a Cisco ASA which is configured with remote access SSL VPN, and users connect to the VPN through the Cisco AnyConnect client.


I am implementing FortiGate in a lab environment. I want to find out whether it is possible to use the Cisco AnyConnect client with FortiGate for SSL VPN.


If you happen to know any documentation or video tutorial related to the configuration, please share.

10 REPLIES
mrfelipe

Could you show me an anyconnect.xml? I can't find the option to set a preshared key.


test.xml:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">true</UseStartBeforeLogon>
    <AutomaticCertSelection UserControllable="false">true</AutomaticCertSelection>
    <ShowPreConnectMessage>false</ShowPreConnectMessage>
    <CertificateStore>All</CertificateStore>
    <CertificateStoreMac>All</CertificateStoreMac>
    <CertificateStoreLinux>All</CertificateStoreLinux>
    <CertificateStoreOverride>false</CertificateStoreOverride>
    <ProxySettings>Native</ProxySettings>
    <AllowLocalProxyConnections>true</AllowLocalProxyConnections>
    <AuthenticationTimeout>30</AuthenticationTimeout>
    <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
    <MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
    <LocalLanAccess UserControllable="true">false</LocalLanAccess>
    <DisableCaptivePortalDetection UserControllable="true">false</DisableCaptivePortalDetection>
    <ClearSmartcardPin UserControllable="false">true</ClearSmartcardPin>
    <IPProtocolSupport>IPv4,IPv6</IPProtocolSupport>
    <AutoReconnect UserControllable="false">true
      <AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>
    </AutoReconnect>
    <SuspendOnConnectedStandby>false</SuspendOnConnectedStandby>
    <AutoUpdate UserControllable="false">true</AutoUpdate>
    <RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <LinuxLogonEnforcement>SingleLocalLogon</LinuxLogonEnforcement>
    <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
    <LinuxVPNEstablishment>LocalUsersOnly</LinuxVPNEstablishment>
    <AutomaticVPNPolicy>false</AutomaticVPNPolicy>
    <PPPExclusion UserControllable="false">Disable
      <PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
    </PPPExclusion>
    <EnableScripting UserControllable="false">false</EnableScripting>
    <EnableAutomaticServerSelection UserControllable="false">false
      <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
      <AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
    </EnableAutomaticServerSelection>
    <RetainVpnOnLogoff>false
    </RetainVpnOnLogoff>
    <CaptivePortalRemediationBrowserFailover>false</CaptivePortalRemediationBrowserFailover>
    <AllowManualHostInput>true</AllowManualHostInput>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>test1</HostName>
      <HostAddress>vpn.company.com</HostAddress>
      <UserGroup>SSL-VPN-FAC</UserGroup>
      <PrimaryProtocol>IPsec
        <StandardAuthenticationOnly>false</StandardAuthenticationOnly>
      </PrimaryProtocol>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>


FG config:


config vpn ipsec phase1-interface
    edit "test1"
        set type dynamic
        set interface "port17"
        set mode aggressive
        set peertype one
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256 aes256-md5 aes256-sha1
        set dhgrp 19
        set wizard-type dialup-cisco
        set xauthtype auto
        set authusrgrp "SSL-VPN-FAC"
        set peerid "valami"
        set ipv4-start-ip 10.36.132.101
        set ipv4-end-ip 10.36.132.121
        set ipv4-netmask 255.255.255.0
        set dns-mode auto
        set ipv4-split-include "test1_split"
        set psksecret ENC *
    next
end

config vpn ipsec phase2-interface
    edit "test1"
        set phase1name "test1"
        set proposal aes256-sha256 aes256-md5 aes256-sha1
        set pfs disable
        set keepalive enable
    next
end
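The profile and gateway config above are two halves of one tunnel, and the mismatch being asked about (a psksecret on the FortiGate side, no pre-shared key element anywhere in the profile) is the kind of thing a small cross-check script catches before the first connection attempt. The script below is an added example, not code from this thread, Fortinet or Cisco. It parses the AnyConnect profile XML and the FortiOS CLI block, compares the fields they share (HostName vs edit name, UserGroup vs authusrgrp, PrimaryProtocol), and flags settings a reviewer would question: a PSK expected by the gateway that the profile cannot supply, IKEv1 aggressive mode, legacy md5/sha1 proposals, and PFS disabled in phase2. The embedded samples are trimmed copies of the two artifacts posted above, with the secret left redacted; the check names and the "presharedkey" element search are assumptions of this example, not an AnyConnect schema lookup.

```python
"""Cross-check an AnyConnect client profile against a FortiGate IPsec dialup config.

Added example (not from the forum thread, Fortinet or Cisco). Parses the profile
XML and the FortiOS CLI block, then reports fields that disagree or settings a
reviewer would flag. Sample inputs are trimmed copies of the artifacts above.
"""
import shlex
import xml.etree.ElementTree as ET

# Constructed sample: the HostEntry from the profile posted above (trimmed).
PROFILE_XML = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <LocalLanAccess UserControllable="true">false</LocalLanAccess>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>test1</HostName>
      <HostAddress>vpn.company.com</HostAddress>
      <UserGroup>SSL-VPN-FAC</UserGroup>
      <PrimaryProtocol>IPsec
        <StandardAuthenticationOnly>false</StandardAuthenticationOnly>
      </PrimaryProtocol>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

# Constructed sample: the phase1/phase2 blocks posted above (trimmed, secret redacted).
FG_CONFIG = """config vpn ipsec phase1-interface
    edit "test1"
        set type dynamic
        set mode aggressive
        set mode-cfg enable
        set proposal aes256-sha256 aes256-md5 aes256-sha1
        set dhgrp 19
        set wizard-type dialup-cisco
        set xauthtype auto
        set authusrgrp "SSL-VPN-FAC"
        set psksecret ENC *
    next
end
config vpn ipsec phase2-interface
    edit "test1"
        set phase1name "test1"
        set pfs disable
    next
end
"""


def local(tag):
    """Strip the XML namespace so elements can be matched by local name."""
    return tag.rsplit("}", 1)[-1]


def parse_profile(xml_text):
    """Return one dict per HostEntry, keyed by child element local name."""
    root = ET.fromstring(xml_text)
    entries = []
    for host in root.iter():
        if local(host.tag) != "HostEntry":
            continue
        # Mixed-content elements such as PrimaryProtocol keep their text before the child.
        entries.append({local(c.tag): (c.text or "").strip() for c in host})
    return entries


def has_element(xml_text, needle):
    """True if any element's local name contains needle (case-insensitive)."""
    root = ET.fromstring(xml_text)
    return any(needle.lower() in local(e.tag).lower() for e in root.iter())


def parse_fortios(text):
    """Parse `config ... edit ... set ... next ... end` into {table: {name: {key: [values]}}}."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        parts = shlex.split(raw)  # handles the quoted names FortiOS prints
        if not parts:
            continue
        if parts[0] == "config":
            table = " ".join(parts[1:])
            tables.setdefault(table, {})
        elif parts[0] == "edit":
            entry = tables[table].setdefault(parts[1], {})
        elif parts[0] == "set":
            entry[parts[1]] = parts[2:]
        elif parts[0] == "next":
            entry = None
        elif parts[0] == "end":
            table = None
    return tables


def review(xml_text, fg_text):
    """Return human-readable findings for the profile/gateway pair (empty list = consistent)."""
    findings = []
    cfg = parse_fortios(fg_text)
    for entry in parse_profile(xml_text):
        name = entry["HostName"]
        p1 = cfg.get("vpn ipsec phase1-interface", {}).get(name)
        if p1 is None:
            findings.append(f"{name}: no phase1-interface with that name")
            continue
        grp = p1.get("authusrgrp", [None])[0]
        if entry.get("UserGroup") != grp:
            findings.append(f"{name}: UserGroup {entry.get('UserGroup')!r} != authusrgrp {grp!r}")
        if entry.get("PrimaryProtocol") != "IPsec":
            findings.append(f"{name}: profile PrimaryProtocol is not IPsec")
        if "psksecret" in p1 and not has_element(xml_text, "presharedkey"):
            findings.append(f"{name}: gateway sets psksecret but the profile has no pre-shared key element")
        if p1.get("mode") == ["aggressive"]:
            findings.append(f"{name}: IKEv1 aggressive mode with PSK (identity hash sent unprotected)")
        weak = [p for p in p1.get("proposal", []) if p.endswith(("-md5", "-sha1"))]
        if weak:
            findings.append(f"{name}: legacy phase1 proposals {weak}")
        p2 = cfg.get("vpn ipsec phase2-interface", {}).get(name, {})
        if p2.get("pfs") == ["disable"]:
            findings.append(f"{name}: PFS disabled in phase2")
    return findings


if __name__ == "__main__":
    for line in review(PROFILE_XML, FG_CONFIG):
        print(line)
```

Run it as-is and it prints four findings for the posted pair; feed it a profile and a `show vpn ipsec phase1-interface` / `phase2-interface` dump from your own lab to compare them the same way.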
