Search This Blog

Wednesday, September 12, 2012

Fortigate IPSec VPN client for iPhone with two different groups


In the following post I will describe how to configure Fortigate IPSec VPN for iPhone clients with 2 different authentication groups.

For this post I used Fortigate FGT60B with FortiOS v4.0, build0521, 120313 (MR3 Patch 6).
1.       Create user account:


CLI config:

config user local
   edit "test1"
      set status enable
      set type password
      set passwd <password>
end

 
2.       Create group:

 
 

 CLI config:

config user group
   edit "TEST-GRP-1"
      set member "test1"
end

 
3.       Create firewall address objects for VPN clients network:



In my example the VPN clients will be part of network 10.10.11.0/24

CLI config:

config firewall address
   edit TEST1-NETWORK
      set subnet <ip here subnet here> (ie: 10.10.11.0 255.255.255.0)
   next
 

 
4.       Create firewall address object for internal network (if you don’t already have one):



Here I use network 192.168.10.0/24 as my internal network

CLI config:

config firewall address
   edit LAN
      set subnet <ip here subnet here> (ie: 192.168.10.0 255.255.255.0)
   next
 

 
5.       Now we will configure IPSec phase-1 and phase-2, both will have to be configured from the CLI because some options are missing in the web GUI.

 
config vpn ipsec phase1-interface
    edit "TEST1-PH1"
        set type dynamic
        set interface "wan1"
        set dhgrp 2
        set peertype one
        set xauthtype auto
        set mode aggressive
        set mode-cfg enable
        set proposal aes256-md5 aes256-sha1
        set peerid "test1"
        set authusrgrp "TEST-GRP-1"
        set ipv4-start-ip 10.10.11.1
        set ipv4-end-ip 10.10.11.254
        set ipv4-netmask 255.255.255.0
        set psksecret <tunnel password here>
end 

 6.       Phase-2 configuration:

config vpn ipsec phase2-interface
    edit " TEST1-PH2"
        set keepalive enable
        set pfs disable
        set phase1name " TEST1-PH1"
        set proposal aes256-md5 aes256-sha1
end 

 7.       Configure firewall policy rule which allow access from VPN client network to internal network

 

 CLI config:

config firewall policy
    edit <unique firewall policy ID here>
        set srcintf "TEST1-PH1"
        set dstintf "internal"
        set srcaddr "TEST1-NETWORK"
        set dstaddr "LAN"
        set action accept
        set schedule "always"
        set service "ANY"
    next 

 

8.       Configure firewall policy rule which allow access from internal network to VPN client network



CLI config:

config firewall policy
    edit <unique firewall policy ID here>
        set srcintf "internal"
        set dstintf "TEST1-PH1"
        set srcaddr "LAN"
        set dstaddr "TEST1-NETWORK"
        set action accept
        set schedule "always"
        set service "ANY"
    next 

9.       Configure static route with VPN clients network as destination and IPSec phase-1 as next-hop

 
 CLI config:

config router static
        edit <unique route ID>
        set device "TEST1-PH1"
        set dst 10.10.11.0 255.255.255.0
end

 
10.   Configure iPhone VPN client, go to Settings -> General -> Network -> VPN and click on Add VPN Configuration…

11.   Choose IPSec and fill the required information below:

Description
Short quick description of the VPN
Server
WAN IP address of the FGT unit
Account
User name
Password
Password of the user
Group name
Peer id value which was configured on step 5
Secret
PSK value which was configured on step 5

 



12.   Now slide the VPN button and connect to your network using IPSec

 



 13.   Repeat steps 1 to 12 to configure another account with different group, note that the peer ID value is responsible for differentiate each group.

42 comments:

  1. Thanks a lot for great post.Nice VPN client for Iphone.
    Cool configuration.It works fine.
    http://10webhostingservice.com/

    ReplyDelete
  2. This comment has been removed by the author.

    ReplyDelete
  3. This comment has been removed by the author.

    ReplyDelete
  4. Yeah this is a perfect article. I learn a lot from here....nice work.
    Ipad VPN

    ReplyDelete
  5. The post is written in very a good manner and it contains many useful information for me. China VPN

    ReplyDelete
  6. Nice article but fore more information checkout this article
    Best China VPNs .

    ReplyDelete
  7. Thanks for taking the time to discuss that, I feel strongly about this and so really like getting to know more on this kind of field. Do you mind updating your blog post with additional insight? It should be really useful for all of us. Cheap VPN

    ReplyDelete
  8. A portable fish finder has other benefits too. They are light-weight and simple to use. Plus they let you use a fish finder in eventualities where you will not be able to employ a fixed one. https://allertaprivacy.it

    ReplyDelete
  9. You have done a great job on this article. It’s very readable and highly intelligent. You have even managed to make it understandable and easy to read. You have some real writing talent. Thank you.  privacidadenlared

    ReplyDelete
  10. I recently noticed your website back i are generally looking through which on a daily basis. You’ve got a loads of information at this site so i actually like your look to the web a tad too. Maintain the best show results! https://privatnostonline.com

    ReplyDelete
  11. Thanks so much with this fantastic new web site. very fired up to show it to anyone. It makes me so satisfied your vast understanding and wisdom have a new channel for trying into the world. internetprivatsphare.ch

    ReplyDelete
  12. Thanks for sharing this information. I really like your blog post very much. You have really shared a informative and interesting blog post with people.. visit website

    ReplyDelete
  13. This is very smart, really an intelligent idea. This is my first time in your blog and I really love it. Thanks for this awesome post. beste vpn

    ReplyDelete
  14. This comment has been removed by the author.

    ReplyDelete
  15. Thanks for taking the time to discuss that, I feel strongly about this and so really like getting to know more on this kind of field. Do you mind updating your blog post with additional insight? It should be really useful for all of us. https://allertaprivacy.it

    ReplyDelete
  16. Thank you again for all the knowledge you distribute,Good post. I was very interested in the article, it's quite inspiring I should admit. I like visiting you site since I always come across interesting articles like this one.Great Job, I greatly appreciate that.Do Keep sharing! Regards, Klik hier

    ReplyDelete
  17. Field Knights Bridge, a US based IT organization conducts video based meeting of its imminent representatives and just short recorded workers are met face to face. Indeed, even Cisco was to dispatch the equivalent. https://gizlilikveguvenlik.com

    ReplyDelete
  18. When utilizing the VPN you will encounter a decline in speed. This is brought about by the encryption and the traffic directing. So on the off chance that you are in France and you are utilizing a VPN server, your traffic will get encoded, sent from France to the VPN server in USA and from the VPN USA server diverted to it's unique planned goal. https://vpn.surf/what-is-my-ip-address/

    ReplyDelete
  19. Should you feel find it difficult to, you undoubtedly is not able to; If you don't intend, to have failing. Things are subject to intellect, reduction of hundreds exercises are hopeless prior to starting. bezoek website

    ReplyDelete
  20. Your blog provided us with valuable information to work with. Each & every tips of your post are awesome. Thanks a lot for sharing. Keep blogging meer informatie

    ReplyDelete
  21. Great post! I am actually getting ready to across this information, is very helpful my friend. Also great blog here with all of the valuable information you have. Keep up the good work you are doing here. internetet securite website

    ReplyDelete
  22. I would like to thank you for the efforts you have made in writing this article. I am hoping the same best work from you in the future as well. In fact your creative writing abilities has inspired me to start my own BlogEngine blog now. Really the blogging is spreading its wings rapidly. Your write up is a fine example of it. privacyonline

    ReplyDelete
  23. The Massachusetts Privacy Regulations Survey assembles far reaching data that recognizes what should be done to agree to the Massachusetts Privacy Regulations. Mejores VPN

    ReplyDelete
  24. It is imperative that we read blog post very carefully. I am already done it and find that this post is really amazing. nord vpn free trial

    ReplyDelete
  25. This is exactly what I was looking for. Thanks for sharing this great article! That is very interesting Smile I love reading and I am always searching for informative information like this! best samsung phone

    ReplyDelete
  26. Thanks for your post. I’ve been thinking about writing a very comparable post over the last couple of weeks, I’ll probably keep it short and sweet and link to this instead if thats cool. Thanks. 188bet

    ReplyDelete
  27. This is a great inspiring article.I am pretty much pleased with your good work.You put really very helpful information. Keep it up. Keep blogging. Looking to reading your next post. ipad mockup

    ReplyDelete
  28. Very useful post. This is my first time i visit here. I found so many interesting stuff in your blog especially its discussion. Really its great article. Keep it up. cheap vpn

    ReplyDelete
  29. A very excellent blog post. I am thankful for your blog post. I have found a lot of approaches after visiting your post. 1337x

    ReplyDelete
  30. Great things you’ve always shared with us. Just keep writing this kind of posts.The time which was wasted in traveling for tuition now it can be used for studies.Thanks WordPress Plugins

    ReplyDelete
  31. Cool article it's really. Friend on mine has long been awaiting just for this content. apple watch mockup

    ReplyDelete
  32. Hello I am so delighted I located your site, I really located you by mistake, while I was looking on yahoo for something else, Anyways I am here now and could just like to say cheers for a tremendous post and a all round entertaining website. Please do keep up the great work. apple watch vector

    ReplyDelete
  33. I am glad to be one of many visitors on this outstanding web site (:, thanks for posting . mobile app development companies

    ReplyDelete
  34. I am so grateful for this post and thanks such a lot for sharing it with us. top front end developers

    ReplyDelete
  35. I {don’t|do not} even know how I ended up here, but I thought this post was {good|great}. I {don’t|do not} know who you are but {definitely|certainly} {you are|you’re} going to a famous blogger if you {are not|aren’t} already Cheers!… Heya i’m for the first time here. I found this board and I find It really useful & it helped me out much. I hope to give something back and aid others like you helped me…. best logo designers

    ReplyDelete
  36. To your organization online business owner, releasing an important company is the bread so butter inside of their opportunity, and choosing a wonderful child care company often means the particular between a victorious operation this is. how to start a daycare branding agency sf

    ReplyDelete
  37. The weblog appears very appealing. It attracted a number of humans toward its patter of writing similarly to useful records added through this blog may be very useful for maximum of its readers. Cheapest vpn services UK

    ReplyDelete
  38. Informative Site… Hello guys here are some links that contains information that you may find useful yourselves. It’s Worth Checking out…. iphone psd

    ReplyDelete
  39. Do you mind if I quote a couple of your posts as long as I provide credit and sources back to your website? My blog is in the very same niche as yours and my visitors would genuinely benefit from a lot of the information you provide here. Please let me know if this okay with you. Thank you! iphone device template

    ReplyDelete
  40. You truly did more than visitors' desires. Thank you for imparting these important, healthy, educational not to mention fun tips about this niche tipandroid.com

    ReplyDelete
  41. I was surfing the Internet for information and came across your blog. I am impressed by the information you have on this blog. It shows how well you understand this subject. หวยออนไลน์

    ReplyDelete