
VPN and Fortigate firewall

Has anyone managed to configure iPhone 3G / 2.0 to work with a FortiGate 200A firewall?

MacBook Pro 15" 2.16GHz Intel Core 2 Duo, Mac OS X (10.5)

Posted on Jul 29, 2008 7:29 AM


Aug 27, 2009 6:14 PM in response to Craig Roberts1

OK guys, so I was messing with this today and I got it to work 🙂 I just recently set up IPSec and SSL-VPN on my FortiGate. So I got it to work by enabling PPtP authentication..... it has to be done on the CLI; in my case PPtP does not show up on the web GUI

config vpn pptp
    set sip <starting_ip>
    set eip <ending_ip>
    set status enable
    set usrgrp <user groupname>
end

After this I installed WinAdmin and was able to RDP into my computer using my 3GS iPhone 🙂

Jan 11, 2010 1:06 PM in response to j30a4

Here, from the Fortinet KB:

Technical Note: iPhone VPN support on the FortiGate (IPSec, PPtP, SSL)
Products: FortiGate
Description:
This article gives a status of which VPN types are supported between a FortiGate and an iPhone.
IPSec: connection from an iPhone using the Cisco IPSec VPN client (Unity client) is supported since FortiOS v4.0 MR1p1.
PPtP: connection from an iPhone to a FortiGate is supported with PPtP (*).
SSL VPN Tunnel mode: not currently supported for the Safari web browser.
SSL VPN Web Mode: Apple Safari 1.3 (or later) is supported.
(*) See also the related article at the end of this page, "The FortiGate unit cannot push DNS/WINS server information to PPTP Clients".

Solution
The following FortiGate CLI configuration provides an example of an iPhone-to-FortiGate IPSec setting. For iPhone configuration please refer to the iPhone product documentation.

Create Users, User Groups & Address Objects

config user local
    edit "testuser1"
        set status enable
        set type password
        set passwd <password>
    next
end

config user group
    edit "iPhoneVPN"
        set group-type firewall
        set ldap-memberof ''
        set member "testuser1"
        set profile ''
        set authtimeout 0
        set ftgd-wf-ovrd deny
    next
end

config firewall address
    edit "LAN"
        set associated-interface "switch"
        set comment ''
        set type ipmask
        set subnet 10.1.1.0 255.255.255.0
    next
    edit "iPhoneVPNUsers"
        set associated-interface "Any"
        set comment ''
        set type ipmask
        set subnet 172.16.101.0 255.255.255.0
    next
end


Configure IPSEC Phase 1

config vpn ipsec phase1-interface
    edit "iPhone"
        set type dynamic
        set interface "wan1"
        set ip-version 4
        set local-gw 0.0.0.0
        set localid ''
        set dpd enable
        set nattraversal enable
        set dhgrp 2
        set proposal 3des-sha1 3des-md5
        set keylife 28800
        set authmethod psk
        set peertype any
        set xauthtype auto
        set mode main
        set mode-cfg enable
        set authusrgrp "iPhoneVPN"
        set default-gw 0.0.0.0
        set default-gw-priority 0
        set dpd-retrycount 3
        set dpd-retryinterval 5
        set assign-ip enable
        set mode-cfg-ip-version 4
        set assign-ip-from range
        set add-route enable
        set ipv4-start-ip 172.16.101.1
        set ipv4-end-ip 172.16.101.254
        set ipv4-netmask 255.255.255.0
        set ipv4-dns-server1 0.0.0.0
        set ipv4-dns-server2 0.0.0.0
        set ipv4-dns-server3 0.0.0.0
        set ipv4-wins-server1 0.0.0.0
        set ipv4-wins-server2 0.0.0.0
        set ipv4-split-include "LAN"
        set unity-support enable
        set domain ''
        set banner ''
        set psksecret <psk>
        set keepalive 10
        set distance 1
        set priority 0
    next
end


Configure IPSEC Phase 2

config vpn ipsec phase2-interface
    edit "iPhone-P2"
        set dst-addr-type subnet
        set dst-port 0
        set keepalive disable
        set keylife-type seconds
        set pfs enable
        set phase1name "iPhone"
        set proposal aes256-sha1 aes256-sha256
        set protocol 0
        set replay enable
        set route-overlap use-new
        set single-source disable
        set src-addr-type subnet
        set src-port 0
        set dhgrp 2
        set dst-subnet 0.0.0.0 0.0.0.0
        set keylifeseconds 1800
        set src-subnet 0.0.0.0 0.0.0.0
    next
end


Configure Firewall Policies

VPN -> LAN

config firewall policy
    edit 1
        set srcintf "iPhone"
        set dstintf "switch"
        set srcaddr "iPhoneVPNUsers"
        set dstaddr "LAN"
        set action accept
        set status enable
        set logtraffic enable
        set per-ip-shaper ''
        set session-ttl 0
        set wccp disable
        set disclaimer disable
        set natip 0.0.0.0 0.0.0.0
        set match-vip disable
        set diffserv-forward disable
        set diffserv-reverse disable
        set tcp-mss-sender 0
        set tcp-mss-receiver 0
        set comments ''
        set endpoint-check disable
        set label ''
        set identity-based disable
        set schedule "always"
        set service "ANY"
        set profile-status disable
        set traffic-shaper ''
        set nat disable
    next
end


LAN -> VPN

config firewall policy
    edit 2
        set srcintf "switch"
        set dstintf "iPhone"
        set srcaddr "LAN"
        set dstaddr "iPhoneVPNUsers"
        set action accept
        set status enable
        set logtraffic enable
        set per-ip-shaper ''
        set session-ttl 0
        set wccp disable
        set disclaimer disable
        set natip 0.0.0.0 0.0.0.0
        set match-vip disable
        set diffserv-forward disable
        set diffserv-reverse disable
        set tcp-mss-sender 0
        set tcp-mss-receiver 0
        set comments ''
        set endpoint-check disable
        set label ''
        set identity-based disable
        set schedule "always"
        set service "ANY"
        set profile-status disable
        set traffic-shaper ''
        set nat disable
    next
end

Not tested (yet...) 🙂 I don't have FortiOS 4.0 (yet).




Source:
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD30893&sliceId=1&docTypeID=DTKCARTICLE_11&dialogID=2159120&stateId=0%200%202157876
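As an added illustration (not from the thread or Fortinet's KB), here is a small Python linter that parses FortiOS CLI fragments like the one above and flags the settings a reviewer would question before deploying it: 3DES/MD5 proposals, PSK authentication with `peertype any` (where XAuth becomes the only per-user check), and policies with service ANY. The embedded SAMPLE is a constructed, trimmed copy of the phase1 and policy blocks; the `parse` and `findings` function names are my own.

```python
# Constructed sample: trimmed from the thread's phase1 and policy blocks.
SAMPLE = """
config vpn ipsec phase1-interface
    edit "iPhone"
        set authmethod psk
        set peertype any
        set proposal 3des-sha1 3des-md5
    next
end
config firewall policy
    edit 1
        set service "ANY"
        set logtraffic enable
    next
end
"""
WEAK_ALGS = {"des", "3des", "md5", "null"}

def parse(text):
    """Return {(table, name): {attr: [values]}} for every edit block."""
    objects, table, name = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            table = line[7:]
        elif line.startswith("edit "):
            name = line[5:].strip('"')
            objects[(table, name)] = {}
        elif line.startswith("set ") and name is not None:
            key, *vals = line[4:].split()
            objects[(table, name)][key] = [v.strip('"') for v in vals]
        elif line == "next":
            name = None
    return objects

def findings(text):
    """Review findings a defender would raise on the fragment."""
    out = []
    for (table, name), attrs in parse(text).items():
        if table.startswith("vpn ipsec phase"):
            weak = [p for p in attrs.get("proposal", []) if WEAK_ALGS & set(p.split("-"))]
            if weak:
                out.append(f"{table} {name}: weak proposal {' '.join(weak)}")
            if attrs.get("authmethod") == ["psk"] and attrs.get("peertype") == ["any"]:
                out.append(f"{table} {name}: PSK from any peer; XAuth is the only per-user check")
        if table == "firewall policy" and attrs.get("service") == ["ANY"]:
            out.append(f"{table} {name}: service ANY; restrict to the needed services")
    return out
```

Run `findings(SAMPLE)` to see the three findings for the sample; feed it a `show` dump to lint a real unit.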

Jan 20, 2010 10:44 AM in response to Craig Roberts1

I have spent a lot of time trying to get a solution for a customer of ours to connect using their iPhone without using PPTP. I found a Forti SSL VPN app available on the US store; however, I am unable to access it. I logged a case with Fortinet, who did come back to me with the same KB article; however, I have requested further information regarding when the Forti SSL VPN app will be available on the UK App Store.

If anybody has access to the US store could they please download it and give it a try.

Thanks
