Here, from the Fortinet KB:
Technical Note: iPhone VPN support on the FortiGate (IPSec, PPTP, SSL)
Products
FortiGate
Description
This article gives a status of which VPN types are supported between a FortiGate and an iPhone.
IPSec: connection from an iPhone using the Cisco IPSec VPN client (Unity client) is supported since FortiOS v4.0 MR1p1.
PPTP: connection from an iPhone to a FortiGate is supported with PPTP (*).
SSL VPN Tunnel mode: not currently supported for the Safari web browser.
SSL VPN Web Mode: Apple Safari 1.3 (or later) is supported.
(*) See also the related article at the end of this page, "The FortiGate unit cannot push DNS/WINS server information to PPTP Clients".
Solution
The following FortiGate CLI configuration provides an example of an iPhone-to-FortiGate IPSec setting. For iPhone configuration please refer to the iPhone product documentation.
Create Users, User Groups & Address Objects
config user local
edit "testuser1"
set status enable
set type password
set passwd <password>
next
end
config user group
edit "iPhoneVPN"
set group-type firewall
set ldap-memberof ''
set member "testuser1"
set profile ''
set authtimeout 0
set ftgd-wf-ovrd deny
next
end
config firewall address
edit "LAN"
set associated-interface "switch"
set comment ''
set type ipmask
set subnet 10.1.1.0 255.255.255.0
next
edit "iPhoneVPNUsers"
set associated-interface "Any"
set comment ''
set type ipmask
set subnet 172.16.101.0 255.255.255.0
next
end
Configure IPSEC Phase 1
config vpn ipsec phase1-interface
edit "iPhone"
set type dynamic
set interface "wan1"
set ip-version 4
set local-gw 0.0.0.0
set localid ''
set dpd enable
set nattraversal enable
set dhgrp 2
# Proposals and DH group 2 are as published in the KB for the iPhone Unity client;
# 3DES, MD5 and 1024-bit DH are deprecated today, so prefer AES/SHA-2 and group 14 or higher where the client allows.
set proposal 3des-sha1 3des-md5
set keylife 28800
set authmethod psk
set peertype any
set xauthtype auto
set mode main
set mode-cfg enable
set authusrgrp "iPhoneVPN"
set default-gw 0.0.0.0
set default-gw-priority 0
set dpd-retrycount 3
set dpd-retryinterval 5
set assign-ip enable
set mode-cfg-ip-version 4
set assign-ip-from range
set add-route enable
set ipv4-start-ip 172.16.101.1
set ipv4-end-ip 172.16.101.254
set ipv4-netmask 255.255.255.0
set ipv4-dns-server1 0.0.0.0
set ipv4-dns-server2 0.0.0.0
set ipv4-dns-server3 0.0.0.0
set ipv4-wins-server1 0.0.0.0
set ipv4-wins-server2 0.0.0.0
set ipv4-split-include "LAN"
set unity-support enable
set domain ''
set banner ''
set psksecret <psk>
set keepalive 10
set distance 1
set priority 0
next
end
Configure IPSEC Phase 2
config vpn ipsec phase2-interface
edit "iPhone-P2"
set dst-addr-type subnet
set dst-port 0
set keepalive disable
set keylife-type seconds
set pfs enable
set phase1name "iPhone"
set proposal aes256-sha1 aes256-sha256
set protocol 0
set replay enable
set route-overlap use-new
set single-source disable
set src-addr-type subnet
set src-port 0
set dhgrp 2
set dst-subnet 0.0.0.0 0.0.0.0
set keylifeseconds 1800
set src-subnet 0.0.0.0 0.0.0.0
next
end
Configure Firewall Policies
VPN -> LAN
config firewall policy
edit 1
set srcintf "iPhone"
set dstintf "switch"
set srcaddr "iPhoneVPNUsers"
set dstaddr "LAN"
set action accept
set status enable
set logtraffic enable
set per-ip-shaper ''
set session-ttl 0
set wccp disable
set disclaimer disable
set natip 0.0.0.0 0.0.0.0
set match-vip disable
set diffserv-forward disable
set diffserv-reverse disable
set tcp-mss-sender 0
set tcp-mss-receiver 0
set comments ''
set endpoint-check disable
set label ''
set identity-based disable
set schedule "always"
set service "ANY"
set profile-status disable
set traffic-shaper ''
set nat disable
next
end
LAN -> VPN
config firewall policy
edit 2
set srcintf "switch"
set dstintf "iPhone"
set srcaddr "LAN"
set dstaddr "iPhoneVPNUsers"
set action accept
set status enable
set logtraffic enable
set per-ip-shaper ''
set session-ttl 0
set wccp disable
set disclaimer disable
set natip 0.0.0.0 0.0.0.0
set match-vip disable
set diffserv-forward disable
set diffserv-reverse disable
set tcp-mss-sender 0
set tcp-mss-receiver 0
set comments ''
set endpoint-check disable
set label ''
set identity-based disable
set schedule "always"
set service "ANY"
set profile-status disable
set traffic-shaper ''
set nat disable
next
end
Not tested (yet...) 🙂 I don't have FortiOS 4.0 (yet).
Source:
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD30893&sliceId=1&docTypeID=DTKCARTICLE_11&dialogID=2159120&stateId=0%200%202157876
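Added example, not part of the KB article or of the post above: a small Python linter that parses FortiOS CLI blocks of the shape shown (config/edit/set/next/end) and cross-checks the pieces the recipe ties together, namely that every group member is a defined local user, that the phase1 `authusrgrp` and `ipv4-split-include` objects exist, that policy address objects exist, and that the address object used on the dial-up side of a policy actually covers the `ipv4-start-ip`..`ipv4-end-ip` pool the phase1 hands out. It also flags proposals built on deprecated algorithms (DES/3DES/MD5) and DH groups below 2048 bits. The embedded config is a constructed, trimmed copy of the KB's settings that deliberately keeps the leading-space typo in `set member " testuser1"` as published, so the run shows that mistake being caught; section names and keys are the ones used in the KB text, and the parser does not handle nested sub-tables.

```python
import ipaddress
import shlex

# Constructed sample: a trimmed copy of the KB's iPhone config, keeping the
# leading-space typo in the group member exactly as the published text has it.
SAMPLE_CONFIG = """
config user local
    edit "testuser1"
        set passwd secret
    next
end
config user group
    edit "iPhoneVPN"
        set member " testuser1"
    next
end
config firewall address
    edit "LAN"
        set subnet 10.1.1.0 255.255.255.0
    next
    edit "iPhoneVPNUsers"
        set subnet 172.16.101.0 255.255.255.0
    next
end
config vpn ipsec phase1-interface
    edit "iPhone"
        set dhgrp 2
        set proposal 3des-sha1 3des-md5
        set authusrgrp "iPhoneVPN"
        set ipv4-start-ip 172.16.101.1
        set ipv4-end-ip 172.16.101.254
        set ipv4-split-include "LAN"
    next
end
config firewall policy
    edit 1
        set srcintf "iPhone"
        set dstintf "switch"
        set srcaddr "iPhoneVPNUsers"
        set dstaddr "LAN"
    next
end
"""
WEAK_ALGS = {"des", "3des", "md5", "null"}  # deprecated ciphers/hashes
WEAK_DH = {"1", "2", "5"}                    # MODP groups below 2048 bits

def parse_fortios(text):
    """Parse flat config/edit/set/next/end blocks (nested sub-tables not handled) into
    {section: {entry: {key: [values]}}}; shlex keeps quoted strings, stray spaces included."""
    cfg, section, entry = {}, None, None
    for raw in text.splitlines():
        tok = shlex.split(raw, comments=True)
        if not tok:
            continue
        if tok[0] == "config":
            section = cfg.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit":
            entry = section.setdefault(tok[1], {})
        elif tok[0] == "set":
            entry[tok[1]] = tok[2:]
    return cfg

def pool_covered(p1, addr):
    """True if the phase1 ipv4-start-ip..ipv4-end-ip pool lies inside addr's subnet."""
    net = ipaddress.ip_network("/".join(addr["subnet"]), strict=False)
    return all(ipaddress.ip_address(p1[k][0]) in net for k in ("ipv4-start-ip", "ipv4-end-ip"))

def crypto_findings(where, entry):
    """Flag proposals built on deprecated algorithms and small DH groups."""
    bad = [p for p in entry.get("proposal", []) if WEAK_ALGS & set(p.split("-"))]
    out = [("warn", f"{where}: weak proposal {p}") for p in bad]
    out += [("warn", f"{where}: DH group {g} is below 2048-bit") for g in entry.get("dhgrp", []) if g in WEAK_DH]
    return out

def lint(cfg):
    """Return (severity, message) findings for dangling references and weak crypto."""
    users, groups = cfg.get("user local", {}), cfg.get("user group", {})
    addrs, pols = cfg.get("firewall address", {}), cfg.get("firewall policy", {})
    p1s = cfg.get("vpn ipsec phase1-interface", {})
    f = []
    for g, grp in groups.items():
        f += [("error", f"group {g}: member {m!r} is not a local user")
              for m in grp.get("member", []) if m not in users]
    for n, p1 in p1s.items():
        f += [("error", f"phase1 {n}: authusrgrp {a!r} undefined")
              for a in p1.get("authusrgrp", []) if a not in groups]
        f += [("error", f"phase1 {n}: split-include {a!r} undefined")
              for a in p1.get("ipv4-split-include", []) if a not in addrs]
        f += crypto_findings(f"phase1 {n}", p1)
    for pid, pol in pols.items():
        for ifkey, adkey in (("srcintf", "srcaddr"), ("dstintf", "dstaddr")):
            tunnel = pol.get(ifkey, [None])[0]  # a phase1 name means this side is the dial-up interface
            for a in pol.get(adkey, []):
                if a not in addrs and a != "all":  # "all" is a built-in object
                    f.append(("error", f"policy {pid}: {adkey} {a!r} undefined"))
                elif a in addrs and tunnel in p1s and not pool_covered(p1s[tunnel], addrs[a]):
                    f.append(("error", f"policy {pid}: {a!r} does not cover the {tunnel} pool"))
    return f

if __name__ == "__main__":
    for sev, msg in lint(parse_fortios(SAMPLE_CONFIG)):
        print(f"{sev:5} {msg}")
```

Run against the sample it reports one error (the `" testuser1"` member, which a FortiGate would treat as a different, non-existent user name) and three warnings (both 3DES proposals and DH group 2); removing the stray space clears the error. Feed it a `show full-configuration` dump of the relevant sections to check a real box the same way.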