Hi,
I'm using FortiClient 5.4.0.493 on OS X 10.9.5.
I've successfully established a VPN connection previously on Windows 7 using FortiClient 4.3.5.473.
Please see the connection configuration I've exported on Windows (I've redacted the hashes):
<connection> <name>My Connection</name> <type>manual</type> <ike_settings> <server>vpn.our-server.com</server> <authentication_method>Preshared Key</authentication_method> <auth_key>Enc presharedKeyHash</auth_key> <mode>aggressive</mode> <dhgroup>5;</dhgroup> <key_life>28800</key_life> <localid></localid> <nat_traversal>1</nat_traversal> <enable_local_lan>0</enable_local_lan> <nat_alive_freq>5</nat_alive_freq> <dpd>1</dpd> <dpd_retry_count>3</dpd_retry_count> <dpd_retry_interval>5</dpd_retry_interval> <xauth> <enabled>1</enabled> <username>Enc usernameHash</username> <password></password> <attempts_allowed>3</attempts_allowed> </xauth> <proposals> <proposal>AES128|SHA1</proposal> </proposals> </ike_settings> <ipsec_settings> <remote_networks> <network> <addr>10.7.0.0</addr> <mask>255.255.255.0</mask> </network> </remote_networks> <dhgroup>5</dhgroup> <key_life_type>seconds</key_life_type> <key_life_seconds>1800</key_life_seconds> <key_life_Kbytes>5120</key_life_Kbytes> <replay_detection>1</replay_detection> <pfs>1</pfs> <autokey_key_alive>1</autokey_key_alive> <use_vip>1</use_vip> <virtualip> <type>dhcpoveripsec</type> <ip>0.0.0.0</ip> <mask>0.0.0.0</mask> <dnsserver>0.0.0.0</dnsserver> <winserver>0.0.0.0</winserver> </virtualip> <proposals> <proposal>AES128|SHA1</proposal> </proposals> </ipsec_settings> </connection>
I've figured out that the virtualip part of the configuration is problematic:
<virtualip> <type>dhcpoveripsec</type> <ip>0.0.0.0</ip> <mask>0.0.0.0</mask> <dnsserver>0.0.0.0</dnsserver> <winserver>0.0.0.0</winserver> </virtualip>
Trying to import the above configuration on Mac with this part fails; The connection just doesn't show up in the FortiClient GUI.
Others have had this problem too.
If I remove the virtualip part of the configuration and import it on Mac, the imported connection shows up in the GUI but when I try to establish a VPN connection I get (after quite a while) the error -104.
How can I establish a VPN connection on Mac using the above connection configuration?
Thanks a lot in advance.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Have you tried the latest FC for MACOSX? If you pm, I will import that cfg into FC v5.2.4.377 and give you feedback.
Ken
PCNSE
NSE
StrongSwan
There are issues with FortiClient Mac 5.4.0 and OSX El Capitan. You need to use 5.2.6 Mac FortiClient or wait for the fix in FortiClient 5.4.1 - (to be released)
Rackmount your Fortinet --> http://www.rackmount.it/fortirack
Thank you Ken and Eric for your responses.
@Eric: Can you please give me a link to 5.2.6 Mac FortiClient? I searched in vain on the Fortinet website and via Google.
@Ken: Thanks for offering your help. Yes, I'm using the latest FortiClient 5.4.0.493. After talking to my customer who owns the network I want to connect to, I can't give you access to it. Would you be so kind as to tell me how you would have debugged the failing connection?
Thanks again for your help.
login to support.fortinet.com and click on download firmware images select forticlient and than Mac
Rackmount your Fortinet --> http://www.rackmount.it/fortirack
Sure would be nice if they would simply expose these settings in the Mac Client GUI under Advanced like they do in Windows. I'm using FC 5.4.0.493 (full install) on MacOS 10.11.2 with no problems connecting to IPsec FG runing 5.4. I'm going to update MacOS to 10.11.3 to see if that breaks it as I'm testing.
Okay I updated to 10.11.3 and I'm using FC 5.4.0.493. Still seems to be working after the upgrade. No crashing, no problems. My FG is 5.4 (500D) which I'm testing (we have another in production). I have "high" crypto settings enabled on the FG. My IPsec settings are as follows:
Here are my VPN settings with key [REMOVED] of course. Be careful if you try and import there are some settings here that should be firewall unique. Better yet to compare to your settings and change individual settings as needed.
config system interface edit "FC_IPSec" set vdom "root" set type tunnel set snmp-index 23 set interface "port9" next end config firewall address edit "FC_IPSec_range" set uuid 8c8704ec-e664-51e5-6dcf-10e67dd8aa66 (Note: I think these are created per firewall so might want to comment these out.) set type iprange set comment "VPN: FC_IPSec (Created by VPN wizard)" set start-ip 10.254.1.10 set end-ip 10.254.1.253 next end config vpn ipsec phase1-interface edit "FC_IPSec" set type dynamic set interface "port9" set mode aggressive set mode-cfg enable set proposal aes256-sha256 aes128-sha1 set comments "VPN: FC_IPSec (Created by VPN wizard)" set xauthtype auto set authusrgrp "L2TP_Group" set ipv4-start-ip 10.254.1.10 set ipv4-end-ip 10.254.1.253 set ipv4-netmask 255.255.255.0 set dns-mode auto set save-password enable set psksecret ENC {REMOVED] next end config vpn ipsec phase2-interface edit "FC_IPSec" set phase1name "FC_IPSec" set comments "VPN: FC_IPSec (Created by VPN wizard)" next end config firewall policy edit 52 set name "IPsec_Inbound" set uuid 97530bdc-e669-51e5-e7db-04257772071b set srcintf "FC_IPSec" set dstintf "port11" set srcaddr "FC_IPSec_range" set dstaddr "TR-IN-LAN_Servers" (Note: This is just an address range of some LAN hosts) set action accept set schedule "always" set service "ALL" set utm-status enable set comments "VPN: FC_IPSec (Created by VPN wizard)" set av-profile "default" set dlp-sensor "DLP-Browsing File Block" set ips-sensor "protect_client" set profile-protocol-options "default" set ssl-ssh-profile "deep-inspection" set nat enable next edit 54 set name "IPsec_Browsing" set uuid cf388274-e70a-51e5-d8b7-4d06b8aaf4b2 set srcintf "FC_IPSec" set dstintf "port9" set srcaddr "FC_IPSec_range" set dstaddr "all" set action accept set schedule "always" set service "Outbound_Allowed" (Note: This is a restricted group of services that we use for outbound traffic) set utm-status enable set av-profile "default" set webfilter-profile "default" set dnsfilter-profile "default" set dlp-sensor "DLP-Browsing File Block" set ips-sensor "protect_client" set application-list "default" set profile-protocol-options "default" set ssl-ssh-profile "deep-inspection" set nat enable next end
Now here is my FortiClient from MacOS config (I removed all keys and pws. Look for [REMOVED] to replace with your own data or zero out. I originally configured settings on Windows FC and then imported into Mac Client. Even looking at this now, I don't like how I have the DH Key Groups and Proposals setup. Too many week KE and Ciphers, but it is working. I think the solution is configure your FG IPSec settings to be as strict as you need when it comes to ciphers (client should try to match any you specify, notice how I removed some of the weaker ones), but your Diffie-Hellman group needs to match in this config and on your FG to work:
<?xml version="1.0" encoding="UTF-8" standalone="no"?> <forticlient_configuration> <forticlient_version>5.4.0.0493</forticlient_version> <version>5.4</version> <date>2016-3-10</date> <os_version>MacOSX</os_version> <partial_configuration>0</partial_configuration> <system> <log_settings> <level>4</level> <max_log_size>10000000</max_log_size> <log_events>ipsecvpn,sslvpn,webfilter,update,av,firewall</log_events> <remote_logging> <log_protocol>faz</log_protocol> <log_upload_enabled>0</log_upload_enabled> <log_upload_server></log_upload_server> <netlog_server></netlog_server> <log_upload_freq_hours>0</log_upload_freq_hours> <log_upload_freq_minutes>1</log_upload_freq_minutes> <log_upload_ssl_enabled>0</log_upload_ssl_enabled> <netlog_categories>7</netlog_categories> <log_retention_days>90</log_retention_days> </remote_logging> </log_settings> <proxy> <address></address> <port></port> <password></password> <update></update> </proxy> <update> <use_custom_server>0</use_custom_server> <server></server> <port></port> <failoverport></failoverport> <fail_over_to_fdn>1</fail_over_to_fdn> <update_action>notify_only</update_action> <scheduled_update> <enabled>1</enabled> <type>interval</type> <update_interval_in_hours>1</update_interval_in_hours> </scheduled_update> </update> <ui> <password>Enc [REMOVED]</password> <default_tab>AV</default_tab> <culture_code></culture_code> <ads>0</ads> <replacement_messages> <quarantine> <title><![CDATA[]]></title> <statement><![CDATA[]]></statement> <remediation><![CDATA[]]></remediation> </quarantine> </replacement_messages> </ui> <certificates></certificates> </system> <vpn> <options> <autoconnect_tunnel></autoconnect_tunnel> <autoconnect_only_when_offnet>0</autoconnect_only_when_offnet> <keep_running_max_tries>0</keep_running_max_tries> <allow_personal_vpns>1</allow_personal_vpns> <disable_connect_disconnect>0</disable_connect_disconnect> </options> <ipsecvpn> <options> <enabled>1</enabled> <block_ipv6>1</block_ipv6> </options> <connections> <connection> <name>1Gbps IPSec</name> <type>manual</type> <ike_settings> <prompt_certificate>0</prompt_certificate> <description></description> <server>[REMOVED]</server> <authentication_method>Preshared Key</authentication_method> <auth_key>Enc [REMOVED]</auth_key> <mode>aggressive</mode> <dhgroup>5</dhgroup> <key_life>86400</key_life> <localid></localid> <nat_traversal>1</nat_traversal> <mode_config>1</mode_config> <enable_local_lan>0</enable_local_lan> <dpd>1</dpd> <xauth> <enabled>1</enabled> <prompt_username>0</prompt_username> <username>Enc [REMOVED]</username> <password>Enc [REMOVED]</password> </xauth> <proposals> <proposal>aes128|sha1</proposal> <proposal>aes256|sha256</proposal> <proposal>3des|sha256</proposal> <proposal>aes128|sha1</proposal> <proposal>aes256|sha1</proposal> <proposal>3des|sha1</proposal> </proposals> <fgt>0</fgt> </ike_settings> <ipsec_settings> <remote_networks></remote_networks> <dhgroup>5</dhgroup> (Note: Better if this is at least 14, I need to change) <key_life_type>seconds</key_life_type> <key_life_seconds>43200</key_life_seconds> <pfs>1</pfs> <use_vip>1</use_vip> <virtualip> <type>modeconfig</type> <ip></ip> <mask></mask> <dnsserver></dnsserver> </virtualip> <proposals></proposals> </ipsec_settings> <on_connect> <script> <os>mac</os> <script></script> </script> </on_connect> <on_disconnect> <script> <os>mac</os> <script></script> </script> </on_disconnect> <keep_running>0</keep_running> <ui> <show_passcode>0</show_passcode> <show_remember_password>1</show_remember_password> <show_alwaysup>0</show_alwaysup> <show_autoconnect>0</show_autoconnect> </ui> </connection> </connections> </ipsecvpn> <sslvpn> <options> <enabled>1</enabled> </options> <connections> </connections> </sslvpn> </vpn> <endpoint_control> <enable_enforcement></enable_enforcement> <enabled>1</enabled> <system_data>Enc [REMOVED]</system_data> <checksum></checksum> <custom_ping_server>:0</custom_ping_server> <log_last_upload_date></log_last_upload_date> <conf_recv_time>0</conf_recv_time> <fgt_logoff_on_fct_shutdown>0</fgt_logoff_on_fct_shutdown> <fortigates></fortigates> <ui> <display_antivirus>1</display_antivirus> <display_webfilter>1</display_webfilter> <display_firewall>0</display_firewall> <display_vpn>1</display_vpn> <display_vulnerability_scan>0</display_vulnerability_scan> <registration_dialog> <show_profile_details>1</show_profile_details> </registration_dialog> </ui> <silent_registration>0</silent_registration> <disable_unregister>0</disable_unregister> <alerts> <notify_server>1</notify_server> <alert_threshold>1</alert_threshold> </alerts> <onnet_addresses></onnet_addresses> <onnet_mac_addresses></onnet_mac_addresses> <notification_server> <address>:0</address> <registration_password>Enc [REMOVED]</registration_password> </notification_server> </endpoint_control> <webfilter> [SECTION REMOVED] </webfilter> <firewall> [SECTION REMOVED] </firewall> <vulnerability_scan> <enabled>0</enabled> <scan_on_fgt_registration>0</scan_on_fgt_registration> <scheduled_scans> <schedule> <repeat></repeat> <type></type> <day></day> <time></time> </schedule> </scheduled_scans> </vulnerability_scan> <antivirus> <enabled>1</enabled> <scan_on_insertion>1</scan_on_insertion> <scheduled_scans> <full> <enabled>1</enabled> <repeat>1</repeat> <days>2</days> <day_of_month></day_of_month> <time>18:30</time> <removable_media>1</removable_media> </full> </scheduled_scans> <on_demand_scanning> <on_virus_found>0</on_virus_found> <compressed_files> <scan>1</scan> <maxsize>0</maxsize> </compressed_files> <riskware> <enabled>0</enabled> </riskware> <adware> <enabled>0</enabled> </adware> <heuristic_scanning>0</heuristic_scanning> <exclusions></exclusions> </on_demand_scanning> <real_time_protection> <enabled>1</enabled> <when>0</when> <on_virus_found>0</on_virus_found> <popup_alerts>1</popup_alerts> <compressed_files> <scan>1</scan> <maxsize>2</maxsize> </compressed_files> <riskware> <enabled>0</enabled> </riskware> <adware> <enabled>0</enabled> </adware> <heuristic_scanning> <enabled>0</enabled> <action>0</action> </heuristic_scanning> <exclusions></exclusions> </real_time_protection> <quarantine> <cullage>100</cullage> </quarantine> </antivirus> <fssoma> <enabled>0</enabled> <serveraddress>:8001</serveraddress> <presharedkey>Enc [REMOVED]</presharedkey> </fssoma> </forticlient_configuration>
I use different VPN for my Mac book and it works perfectly for me.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.