Hi,
I'm using FortiClient 5.4.0.493 on OS X 10.9.5.
I've successfully established a VPN connection previously on Windows 7 using FortiClient 4.3.5.473.
Please see the connection configuration I've exported on Windows (I've redacted the hashes):
<connection>
  <name>My Connection</name>
  <type>manual</type>
  <ike_settings>
    <server>vpn.our-server.com</server>
    <authentication_method>Preshared Key</authentication_method>
    <auth_key>Enc presharedKeyHash</auth_key>
    <mode>aggressive</mode>
    <dhgroup>5;</dhgroup>
    <key_life>28800</key_life>
    <localid></localid>
    <nat_traversal>1</nat_traversal>
    <enable_local_lan>0</enable_local_lan>
    <nat_alive_freq>5</nat_alive_freq>
    <dpd>1</dpd>
    <dpd_retry_count>3</dpd_retry_count>
    <dpd_retry_interval>5</dpd_retry_interval>
    <xauth>
      <enabled>1</enabled>
      <username>Enc usernameHash</username>
      <password></password>
      <attempts_allowed>3</attempts_allowed>
    </xauth>
    <proposals>
      <proposal>AES128|SHA1</proposal>
    </proposals>
  </ike_settings>
  <ipsec_settings>
    <remote_networks>
      <network>
        <addr>10.7.0.0</addr>
        <mask>255.255.255.0</mask>
      </network>
    </remote_networks>
    <dhgroup>5</dhgroup>
    <key_life_type>seconds</key_life_type>
    <key_life_seconds>1800</key_life_seconds>
    <key_life_Kbytes>5120</key_life_Kbytes>
    <replay_detection>1</replay_detection>
    <pfs>1</pfs>
    <autokey_key_alive>1</autokey_key_alive>
    <use_vip>1</use_vip>
    <virtualip>
      <type>dhcpoveripsec</type>
      <ip>0.0.0.0</ip>
      <mask>0.0.0.0</mask>
      <dnsserver>0.0.0.0</dnsserver>
      <winserver>0.0.0.0</winserver>
    </virtualip>
    <proposals>
      <proposal>AES128|SHA1</proposal>
    </proposals>
  </ipsec_settings>
</connection>
I've figured out that the virtualip part of the configuration is problematic:
<virtualip>
  <type>dhcpoveripsec</type>
  <ip>0.0.0.0</ip>
  <mask>0.0.0.0</mask>
  <dnsserver>0.0.0.0</dnsserver>
  <winserver>0.0.0.0</winserver>
</virtualip>
Trying to import the above configuration on Mac with this part fails; the connection just doesn't show up in the FortiClient GUI.
Others have had this problem too.
If I remove the virtualip part of the configuration and import it on Mac, the imported connection shows up in the GUI but when I try to establish a VPN connection I get (after quite a while) the error -104.
How can I establish a VPN connection on Mac using the above connection configuration?
Thanks a lot in advance.
Have you tried the latest FC for MACOSX? If you PM me, I will import that cfg into FC v5.2.4.377 and give you feedback.
Ken
PCNSE
NSE
StrongSwan
There are issues with FortiClient Mac 5.4.0 and OSX El Capitan. You need to use 5.2.6 Mac FortiClient or wait for the fix in FortiClient 5.4.1 - (to be released)
Rackmount your Fortinet --> http://www.rackmount.it/fortirack
Thank you Ken and Eric for your responses.
@Eric: Can you please give me a link to 5.2.6 Mac FortiClient? I searched in vain on the Fortinet website and via Google.
@Ken: Thanks for offering your help. Yes, I'm using the latest FortiClient 5.4.0.493. After talking to my customer who owns the network I want to connect to, I can't give you access to it. Would you be so kind as to tell me how you would have debugged the failing connection?
Thanks again for your help.
Log in to support.fortinet.com, click on Download Firmware Images, select FortiClient and then Mac.
Rackmount your Fortinet --> http://www.rackmount.it/fortirack
Sure would be nice if they would simply expose these settings in the Mac client GUI under Advanced like they do in Windows. I'm using FC 5.4.0.493 (full install) on MacOS 10.11.2 with no problems connecting to an IPsec FG running 5.4. I'm going to update MacOS to 10.11.3 to see if that breaks it as I'm testing.
Okay I updated to 10.11.3 and I'm using FC 5.4.0.493. Still seems to be working after the upgrade. No crashing, no problems. My FG is 5.4 (500D) which I'm testing (we have another in production). I have "high" crypto settings enabled on the FG. My IPsec settings are as follows:
Here are my VPN settings, with the key [REMOVED] of course. Be careful if you try to import: there are some settings here that should be firewall-unique. Better yet, compare to your settings and change individual settings as needed.
config system interface
    edit "FC_IPSec"
        set vdom "root"
        set type tunnel
        set snmp-index 23
        set interface "port9"
    next
end
config firewall address
    edit "FC_IPSec_range"
        set uuid 8c8704ec-e664-51e5-6dcf-10e67dd8aa66
        # Note: I think these are created per firewall so might want to comment these out.
        set type iprange
        set comment "VPN: FC_IPSec (Created by VPN wizard)"
        set start-ip 10.254.1.10
        set end-ip 10.254.1.253
    next
end
config vpn ipsec phase1-interface
    edit "FC_IPSec"
        set type dynamic
        set interface "port9"
        set mode aggressive
        set mode-cfg enable
        set proposal aes256-sha256 aes128-sha1
        set comments "VPN: FC_IPSec (Created by VPN wizard)"
        set xauthtype auto
        set authusrgrp "L2TP_Group"
        set ipv4-start-ip 10.254.1.10
        set ipv4-end-ip 10.254.1.253
        set ipv4-netmask 255.255.255.0
        set dns-mode auto
        set save-password enable
        set psksecret ENC [REMOVED]
    next
end
config vpn ipsec phase2-interface
    edit "FC_IPSec"
        set phase1name "FC_IPSec"
        set comments "VPN: FC_IPSec (Created by VPN wizard)"
    next
end
config firewall policy
    edit 52
        set name "IPsec_Inbound"
        set uuid 97530bdc-e669-51e5-e7db-04257772071b
        set srcintf "FC_IPSec"
        set dstintf "port11"
        set srcaddr "FC_IPSec_range"
        set dstaddr "TR-IN-LAN_Servers"
        # Note: This is just an address range of some LAN hosts
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set comments "VPN: FC_IPSec (Created by VPN wizard)"
        set av-profile "default"
        set dlp-sensor "DLP-Browsing File Block"
        set ips-sensor "protect_client"
        set profile-protocol-options "default"
        set ssl-ssh-profile "deep-inspection"
        set nat enable
    next
    edit 54
        set name "IPsec_Browsing"
        set uuid cf388274-e70a-51e5-d8b7-4d06b8aaf4b2
        set srcintf "FC_IPSec"
        set dstintf "port9"
        set srcaddr "FC_IPSec_range"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "Outbound_Allowed"
        # Note: This is a restricted group of services that we use for outbound traffic
        set utm-status enable
        set av-profile "default"
        set webfilter-profile "default"
        set dnsfilter-profile "default"
        set dlp-sensor "DLP-Browsing File Block"
        set ips-sensor "protect_client"
        set application-list "default"
        set profile-protocol-options "default"
        set ssl-ssh-profile "deep-inspection"
        set nat enable
    next
end
Now here is my FortiClient config from MacOS (I removed all keys and passwords; look for [REMOVED] and replace it with your own data or zero it out). I originally configured the settings on the Windows FC and then imported them into the Mac client. Even looking at this now, I don't like how I have the DH key groups and proposals set up: too many weak KE and ciphers, but it is working. I think the solution is to configure your FG IPsec settings to be as strict as you need when it comes to ciphers (the client should try to match any you specify; notice how I removed some of the weaker ones), but your Diffie-Hellman group needs to match in this config and on your FG to work:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<forticlient_configuration>
  <forticlient_version>5.4.0.0493</forticlient_version>
  <version>5.4</version>
  <date>2016-3-10</date>
  <os_version>MacOSX</os_version>
  <partial_configuration>0</partial_configuration>
  <system>
    <log_settings>
      <level>4</level>
      <max_log_size>10000000</max_log_size>
      <log_events>ipsecvpn,sslvpn,webfilter,update,av,firewall</log_events>
      <remote_logging>
        <log_protocol>faz</log_protocol>
        <log_upload_enabled>0</log_upload_enabled>
        <log_upload_server></log_upload_server>
        <netlog_server></netlog_server>
        <log_upload_freq_hours>0</log_upload_freq_hours>
        <log_upload_freq_minutes>1</log_upload_freq_minutes>
        <log_upload_ssl_enabled>0</log_upload_ssl_enabled>
        <netlog_categories>7</netlog_categories>
        <log_retention_days>90</log_retention_days>
      </remote_logging>
    </log_settings>
    <proxy>
      <address></address>
      <port></port>
      <password></password>
      <update></update>
    </proxy>
    <update>
      <use_custom_server>0</use_custom_server>
      <server></server>
      <port></port>
      <failoverport></failoverport>
      <fail_over_to_fdn>1</fail_over_to_fdn>
      <update_action>notify_only</update_action>
      <scheduled_update>
        <enabled>1</enabled>
        <type>interval</type>
        <update_interval_in_hours>1</update_interval_in_hours>
      </scheduled_update>
    </update>
    <ui>
      <password>Enc [REMOVED]</password>
      <default_tab>AV</default_tab>
      <culture_code></culture_code>
      <ads>0</ads>
      <replacement_messages>
        <quarantine>
          <title><![CDATA[]]></title>
          <statement><![CDATA[]]></statement>
          <remediation><![CDATA[]]></remediation>
        </quarantine>
      </replacement_messages>
    </ui>
    <certificates></certificates>
  </system>
  <vpn>
    <options>
      <autoconnect_tunnel></autoconnect_tunnel>
      <autoconnect_only_when_offnet>0</autoconnect_only_when_offnet>
      <keep_running_max_tries>0</keep_running_max_tries>
      <allow_personal_vpns>1</allow_personal_vpns>
      <disable_connect_disconnect>0</disable_connect_disconnect>
    </options>
    <ipsecvpn>
      <options>
        <enabled>1</enabled>
        <block_ipv6>1</block_ipv6>
      </options>
      <connections>
        <connection>
          <name>1Gbps IPSec</name>
          <type>manual</type>
          <ike_settings>
            <prompt_certificate>0</prompt_certificate>
            <description></description>
            <server>[REMOVED]</server>
            <authentication_method>Preshared Key</authentication_method>
            <auth_key>Enc [REMOVED]</auth_key>
            <mode>aggressive</mode>
            <dhgroup>5</dhgroup>
            <key_life>86400</key_life>
            <localid></localid>
            <nat_traversal>1</nat_traversal>
            <mode_config>1</mode_config>
            <enable_local_lan>0</enable_local_lan>
            <dpd>1</dpd>
            <xauth>
              <enabled>1</enabled>
              <prompt_username>0</prompt_username>
              <username>Enc [REMOVED]</username>
              <password>Enc [REMOVED]</password>
            </xauth>
            <proposals>
              <proposal>aes128|sha1</proposal>
              <proposal>aes256|sha256</proposal>
              <proposal>3des|sha256</proposal>
              <proposal>aes128|sha1</proposal>
              <proposal>aes256|sha1</proposal>
              <proposal>3des|sha1</proposal>
            </proposals>
            <fgt>0</fgt>
          </ike_settings>
          <ipsec_settings>
            <remote_networks></remote_networks>
            <dhgroup>5</dhgroup>
            <!-- Note: Better if this is at least 14, I need to change -->
            <key_life_type>seconds</key_life_type>
            <key_life_seconds>43200</key_life_seconds>
            <pfs>1</pfs>
            <use_vip>1</use_vip>
            <virtualip>
              <type>modeconfig</type>
              <ip></ip>
              <mask></mask>
              <dnsserver></dnsserver>
            </virtualip>
            <proposals></proposals>
          </ipsec_settings>
          <on_connect>
            <script>
              <os>mac</os>
              <script></script>
            </script>
          </on_connect>
          <on_disconnect>
            <script>
              <os>mac</os>
              <script></script>
            </script>
          </on_disconnect>
          <keep_running>0</keep_running>
          <ui>
            <show_passcode>0</show_passcode>
            <show_remember_password>1</show_remember_password>
            <show_alwaysup>0</show_alwaysup>
            <show_autoconnect>0</show_autoconnect>
          </ui>
        </connection>
      </connections>
    </ipsecvpn>
    <sslvpn>
      <options>
        <enabled>1</enabled>
      </options>
      <connections>
      </connections>
    </sslvpn>
  </vpn>
  <endpoint_control>
    <enable_enforcement></enable_enforcement>
    <enabled>1</enabled>
    <system_data>Enc [REMOVED]</system_data>
    <checksum></checksum>
    <custom_ping_server>:0</custom_ping_server>
    <log_last_upload_date></log_last_upload_date>
    <conf_recv_time>0</conf_recv_time>
    <fgt_logoff_on_fct_shutdown>0</fgt_logoff_on_fct_shutdown>
    <fortigates></fortigates>
    <ui>
      <display_antivirus>1</display_antivirus>
      <display_webfilter>1</display_webfilter>
      <display_firewall>0</display_firewall>
      <display_vpn>1</display_vpn>
      <display_vulnerability_scan>0</display_vulnerability_scan>
      <registration_dialog>
        <show_profile_details>1</show_profile_details>
      </registration_dialog>
    </ui>
    <silent_registration>0</silent_registration>
    <disable_unregister>0</disable_unregister>
    <alerts>
      <notify_server>1</notify_server>
      <alert_threshold>1</alert_threshold>
    </alerts>
    <onnet_addresses></onnet_addresses>
    <onnet_mac_addresses></onnet_mac_addresses>
    <notification_server>
      <address>:0</address>
      <registration_password>Enc [REMOVED]</registration_password>
    </notification_server>
  </endpoint_control>
  <webfilter>
    [SECTION REMOVED]
  </webfilter>
  <firewall>
    [SECTION REMOVED]
  </firewall>
  <vulnerability_scan>
    <enabled>0</enabled>
    <scan_on_fgt_registration>0</scan_on_fgt_registration>
    <scheduled_scans>
      <schedule>
        <repeat></repeat>
        <type></type>
        <day></day>
        <time></time>
      </schedule>
    </scheduled_scans>
  </vulnerability_scan>
  <antivirus>
    <enabled>1</enabled>
    <scan_on_insertion>1</scan_on_insertion>
    <scheduled_scans>
      <full>
        <enabled>1</enabled>
        <repeat>1</repeat>
        <days>2</days>
        <day_of_month></day_of_month>
        <time>18:30</time>
        <removable_media>1</removable_media>
      </full>
    </scheduled_scans>
    <on_demand_scanning>
      <on_virus_found>0</on_virus_found>
      <compressed_files>
        <scan>1</scan>
        <maxsize>0</maxsize>
      </compressed_files>
      <riskware>
        <enabled>0</enabled>
      </riskware>
      <adware>
        <enabled>0</enabled>
      </adware>
      <heuristic_scanning>0</heuristic_scanning>
      <exclusions></exclusions>
    </on_demand_scanning>
    <real_time_protection>
      <enabled>1</enabled>
      <when>0</when>
      <on_virus_found>0</on_virus_found>
      <popup_alerts>1</popup_alerts>
      <compressed_files>
        <scan>1</scan>
        <maxsize>2</maxsize>
      </compressed_files>
      <riskware>
        <enabled>0</enabled>
      </riskware>
      <adware>
        <enabled>0</enabled>
      </adware>
      <heuristic_scanning>
        <enabled>0</enabled>
        <action>0</action>
      </heuristic_scanning>
      <exclusions></exclusions>
    </real_time_protection>
    <quarantine>
      <cullage>100</cullage>
    </quarantine>
  </antivirus>
  <fssoma>
    <enabled>0</enabled>
    <serveraddress>:8001</serveraddress>
    <presharedkey>Enc [REMOVED]</presharedkey>
  </fssoma>
</forticlient_configuration>
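As an added example that is not part of this thread (my own code, not Fortinet's), here is a Python script that cross-checks a FortiClient connection export against the FortiGate phase1-interface it is supposed to talk to. It covers the two points the thread keeps coming back to: the virtualip block from the first post (dhcpoveripsec on the Windows export versus modeconfig in the working Mac export above) and the warning in the post above that the client's proposals and Diffie-Hellman group must match the FG side. The sample XML and CLI are constructed to resemble the configs in this thread; vpn.example.com and the explicit "set dhgrp 14 5" line are assumptions, not values taken from the thread, and the mode-cfg/virtualip pairing it flags is a heuristic drawn from the working export, not a documented rule.

```python
# Added example, not code from the thread or from Fortinet. Sample inputs are constructed.
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the first poster's Windows export
# (server name is an assumption, not the thread's data).
CLIENT_XML = """<connection>
  <name>My Connection</name>
  <type>manual</type>
  <ike_settings>
    <server>vpn.example.com</server>
    <authentication_method>Preshared Key</authentication_method>
    <mode>aggressive</mode>
    <dhgroup>5;</dhgroup>
    <proposals><proposal>AES128|SHA1</proposal></proposals>
  </ike_settings>
  <ipsec_settings>
    <dhgroup>5</dhgroup>
    <pfs>1</pfs>
    <use_vip>1</use_vip>
    <virtualip><type>dhcpoveripsec</type><ip>0.0.0.0</ip></virtualip>
    <proposals><proposal>AES128|SHA1</proposal></proposals>
  </ipsec_settings>
</connection>"""

# Constructed sample modelled on the later post's phase1-interface.
# The explicit 'set dhgrp 14 5' line is an assumption added for the demo.
FGT_CLI = """config vpn ipsec phase1-interface
    edit "FC_IPSec"
        set type dynamic
        set mode aggressive
        set mode-cfg enable
        set proposal aes256-sha256 aes128-sha1
        set dhgrp 14 5
        set xauthtype auto
    next
end"""


def _text(node, tag):
    el = node.find(tag) if node is not None else None
    return (el.text or "").strip() if el is not None else ""


def _groups(node):
    # FortiClient stores multi-select DH groups as a ';'-separated list ("5;")
    return {g for g in re.split(r"[;,\s]+", _text(node, "dhgroup")) if g}


def _proposals(node):
    # "AES128|SHA1" in the client export becomes "aes128-sha1", the FortiOS spelling
    return {p.text.strip().lower().replace("|", "-")
            for p in node.findall("proposals/proposal") if p.text}


def parse_client(xml_text):
    """Extract the IKE/IPsec settings that have to agree with the gateway."""
    root = ET.fromstring(xml_text)
    ike = root.find("ike_settings")
    ipsec = root.find("ipsec_settings")
    return {
        "mode": _text(ike, "mode"),
        "ike_dhgroups": _groups(ike),
        "ike_proposals": _proposals(ike),
        "mode_config": _text(ike, "mode_config") == "1",
        "virtualip_type": _text(ipsec.find("virtualip"), "type"),
        "ipsec_dhgroups": _groups(ipsec),
    }


def parse_phase1(cli_text):
    """Collect the 'set' lines of a single phase1-interface edit block."""
    settings = {}
    for m in re.finditer(r"^\s*set\s+(\S+)\s+(.*)$", cli_text, re.M):
        settings[m.group(1)] = m.group(2).strip().strip('"')
    return {
        "mode": settings.get("mode", "main"),       # FortiOS default when unset
        "mode_cfg": settings.get("mode-cfg") == "enable",
        "proposals": set(settings.get("proposal", "").split()),
        "dhgroups": set(settings.get("dhgrp", "").split()),  # empty set: not set
    }


def check(client, fgt):
    """Return human-readable mismatches; an empty list means nothing obvious."""
    findings = []
    if client["mode"] != fgt["mode"]:
        findings.append("IKE mode mismatch: client %s, FortiGate %s" % (client["mode"], fgt["mode"]))
    if not client["ike_proposals"] & fgt["proposals"]:
        findings.append("no common phase1 proposal: client %s, FortiGate %s"
                        % (sorted(client["ike_proposals"]), sorted(fgt["proposals"])))
    if not fgt["dhgroups"]:
        findings.append("FortiGate dhgrp not set explicitly; compare the client DH group "
                        "against the FortiOS default for your version")
    elif not client["ike_dhgroups"] & fgt["dhgroups"]:
        findings.append("no common phase1 DH group: client %s, FortiGate %s"
                        % (sorted(client["ike_dhgroups"]), sorted(fgt["dhgroups"])))
    # Heuristic, not a documented rule: the working Mac export in the thread pairs
    # 'set mode-cfg enable' with <mode_config>1</mode_config> and a modeconfig virtualip.
    if fgt["mode_cfg"] and client["virtualip_type"] != "modeconfig":
        findings.append("FortiGate has mode-cfg enabled but client virtualip type is %r"
                        % client["virtualip_type"])
    if fgt["mode_cfg"] and not client["mode_config"]:
        findings.append("FortiGate has mode-cfg enabled but client <mode_config> is not 1")
    return findings


if __name__ == "__main__":
    for line in check(parse_client(CLIENT_XML), parse_phase1(FGT_CLI)) or ["no mismatches found"]:
        print("-", line)
```

Run it against your own export and the output of "show vpn ipsec phase1-interface" from the FG; with the constructed samples it reports the two mode-cfg findings and nothing about proposals or DH groups, which is exactly the position the first poster was in after stripping the virtualip block. When the FG does not set dhgrp explicitly the script does not guess the default, since that depends on the FortiOS version.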
I use a different VPN on my MacBook and it works perfectly for me.
Copyright 2024 Fortinet, Inc. All Rights Reserved.