Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Not applicable

SSL-VPN for iPad

Hi everyone, you know my boss's boss wants to connect his iPad via SSL-VPN. He already installed the FortiClient mobile app for this, but as I have read in some forums and documentation it says that the FortiClient mobile app only works for HTTP, and that is not really handy, as my boss's boss wants to connect with the iPad and register a softphone to call as if he were in the office. So the question: has anyone tried this? Did it work? Any other possible solutions? Thanks in advance, eldekal
Fullmoon
Contributor III

Take a look on this http://kb.fortinet.com/kb/viewContent.do?externalId=FD31619&sliceId=1

Fortigate Newbie
Carl_Wallmark
Valued Contributor

SSL VPN tunnel mode is not supported for iPhone/iPad; you have to use the IPsec client that is built into the iPhone/iPad, and it demands some extra config to work. Search for iPhone at kb.fortinet.com.

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

Not applicable

Thank you both guys for your answers, I'm gonna check out that link and see if it works. Regards
Kess
New Contributor

Here's what I did in order to make it work and allow an iPhone user to gain access to the entire internal network. In this example, my internal network is 192.168.100.0/24.

1. Create a new user on your Fortinet device (ex: kess).
2. Create a new firewall group on your Fortinet device and call it IPSec-VPN.
3. Assign the users that will be able to connect with iPhone/iPad to that new FW group.
4. Create a new FW Address called NET-Internal with IP 192.168.100.0/24.
5. Create a new FW Address called NET-IPSec-VPN with IP 10.0.0.0/24.
6. Create a new IPSec VPN Phase 1 with auto-key as follows:
   Name: iPhone
   Remote Gateway: Dialup User
   Local interface: WAN1
   Mode: Main (ID protection)
   Auth Method: Preshared Key
   Preshared-Key: YourSecretAndStrongKey
   Peer Options: Accept Any Peer ID
   Advanced:
   Enable Interface Mode: Yes
   IKE Version: 1
   Local gateway IP: Main interface IP
   P1 proposal: 1 - Enc: AES256 / Auth: MD5; 2 - Enc: AES256 / Auth: SHA1
   DH Group: 2
   Keylife: 28800
   XAUTH: Enable as Server
   Server Type: Auto
   User Group: IPSec-VPN
   NAT Traversal: Yes
   Keepalive Frequency: 10
   Dead Peer Detection: Yes
   Click OK.
7. Create a new IPSec VPN Phase 2 as follows:
   Name: iPhone-P2
   Phase 1: iPhone
   Click on Advanced:
   P2 Proposal: 1 - Enc: AES256 / Auth: MD5; 2 - Enc: AES256 / Auth: SHA1
   Enable replay detection: Yes
   Enable perfect forward secrecy (PFS): Yes
   DH Group: 2
   Keylife: Seconds / 1800
   Auto Keep Alive: Yes
   Click OK.
8. Open up your CLI and type:
   config vpn ipsec phase1-interface
       edit iPhone
           set mode-cfg enable
           set ipv4-start-ip 10.0.0.1
           set ipv4-end-ip 10.0.0.254
           set ipv4-netmask 255.255.255.0
           set ipv4-split-include "NET-Internal"
           set ipv4-dns-server1 192.168.100.1
           set ipv4-dns-server2 192.168.100.2
           set ipv4-wins-server1 192.168.100.1
           set ipv4-wins-server2 192.168.100.2
           set domain "your-internal-domain.lan"
       next
   end
   exit
9. Set up a firewall policy to allow iPhone traffic through the VPN tunnel:
   Source Interface/Zone: iPhone
   Source Address: NET-IPSec-VPN
   Destination Interface/Zone: internal
   Destination Address: NET-Internal
   Schedule: always
   Service: ANY
   Action: Accept
   No NAT
   Click OK.

Now you have to configure the iPhone/iPad device: Settings -> VPN -> New... -> IPSec
   Description: My Office VPN
   Server: Your public IP address or FQDN name
   Account: kess
   Password: the-strong-kess-password
   Use Certificate: No
   Group Name: <empty>
   Secret: YourSecretAndStrongKey

After that you can connect FROM EXTERNAL with your new IPSec VPN. If you need to assign only a few internal resources, you can then modify your firewall policy in order to permit only some services on some internal machines. Keep in mind that iPhone/iPad devices should be able to connect to your DNS and WINS servers on the appropriate ports, so the policy rule should allow that.

VERY IMPORTANT !!! If your internal domain name FQDN ends with ".local" your device won't be able to resolve DNS names. This is not a Fortinet related issue, but this is how Apple OS works (Mac OS X included). For that reason I always choose to use a domain ending in ".lan". If your internal FQDN names are something like somename.mydomain.local you must use IP addresses in order to connect to internal resources. Cya, Kess.
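The same setup as one complete FortiOS CLI configuration, added here as an example (it is not part of Kess's post). It assumes the user, group and the two firewall addresses from steps 1-5 already exist, and FortiOS 4.x/5.0 keyword spellings ("set dpd enable" and service "ANY"; later releases use "dpd on-idle" and service "ALL").

```text
# Added example (assumes FortiOS 4.x/5.0 keywords); user, group and addresses from steps 1-5 exist
config vpn ipsec phase1-interface
    edit "iPhone"
        set type dynamic
        set interface "wan1"
        set mode main
        set proposal aes256-md5 aes256-sha1
        set dhgrp 2
        set keylife 28800
        set xauthtype auto
        set authusrgrp "IPSec-VPN"
        set nattraversal enable
        set keepalive 10
        set dpd enable
        set mode-cfg enable
        set ipv4-start-ip 10.0.0.1
        set ipv4-end-ip 10.0.0.254
        set ipv4-netmask 255.255.255.0
        set ipv4-split-include "NET-Internal"
        set ipv4-dns-server1 192.168.100.1
        set ipv4-dns-server2 192.168.100.2
        set ipv4-wins-server1 192.168.100.1
        set ipv4-wins-server2 192.168.100.2
        set domain "your-internal-domain.lan"
        set psksecret YourSecretAndStrongKey
    next
end
config vpn ipsec phase2-interface
    edit "iPhone-P2"
        set phase1name "iPhone"
        set proposal aes256-md5 aes256-sha1
        set replay enable
        set pfs enable
        set dhgrp 2
        set keylifeseconds 1800
        set keepalive enable
    next
end
# Policy from step 9; once the tunnel works, narrow "service" to DNS/WINS plus the softphone ports
config firewall policy
    edit 0
        set srcintf "iPhone"
        set dstintf "internal"
        set srcaddr "NET-IPSec-VPN"
        set dstaddr "NET-Internal"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
```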
Not applicable

Hi Kess, thanks for your answer. I haven't had any time to check on this, but as soon as I have some free time I'm gonna check that out. Thanks for your answers everyone. Regards, eldekal