How to connect an iPhone to Fortigate firewall for tunneling
This article provides a sample IPSec VPN configuration for use with an iPhone or iPad. I’ve tested the following on a FortiGate 60C with FortiOS v4.0 MR3 Patch 9 and v5.0 build 3608 (GA Patch 7), but I think it will work with earlier firmware versions too.
At the time of writing this is the only way to connect an iPhone or iPad with a tunnel-mode VPN, because the FortiClient iOS app only supports SSL VPN web bookmarks, not a tunnel. The setup below uses the IPSec client built into iOS (the VPN type labelled Cisco) with a pre-shared key, a group name and XAuth user authentication in IKE aggressive mode, which is the combination that client expects.
Let’s go!
- Create User
config user local
    edit "user1"
        set status enable
        set type password
        set passwd user1password
    next
end
user1password is only a placeholder for this article. The XAuth password is the per-user credential, so give each user a strong, unique one.
- Create Group
config user group
    edit "AppleVPNUsers"
        set member "user1"
    next
end
- Create an entry for the internal network
config firewall address
    edit "INTERNAL_LAN"
        set subnet 192.168.29.0 255.255.255.0
    next
end
192.168.29.0/24 is the example LAN used throughout this article; substitute your own internal subnet.
- Create an entry for the subnet for the remote devices
config firewall address
    edit "appleVPNsubnet"
        set subnet 10.3.3.0 255.255.255.0
    next
end
This is the address pool the FortiGate will hand out to connecting devices (see the mode-config settings in phase 1). It must not overlap the internal LAN or any other routed subnet.
- Create VPN Phase 1 and 2
config vpn ipsec phase1-interface
    edit "AppleVPN"
        set type dynamic
        set interface "wan1"
        set dhgrp 2
        set peertype one
        set xauthtype auto
        set mode aggressive
        set mode-cfg enable
        set proposal aes256-md5 aes256-sha1
        set peerid "apple"
        set authusrgrp "AppleVPNUsers"
        set ipv4-start-ip 10.3.3.1
        set ipv4-end-ip 10.3.3.254
        set ipv4-netmask 255.255.255.0
        set psksecret <your-presharedkey-here>
        set ipv4-dns-server1 <your-internal-dnsserverip-here>
        set ipv4-dns-server2 8.8.4.4
    next
end
config vpn ipsec phase2-interface
    edit "AppleVPNp2"
        set keepalive enable
        set pfs disable
        set phase1name "AppleVPN"
        set proposal aes256-md5 aes256-sha1
    next
end
A few things worth knowing about these settings. "set type dynamic" makes this a dialup tunnel: the FortiGate accepts connections from any source address, which is what roaming devices need. "set peertype one" with "set peerid apple" is the group name the iOS client sends as its IKE identity; "set xauthtype auto" with "set authusrgrp" then authenticates the individual user against the AppleVPNUsers group. "set mode-cfg enable" together with the ipv4-* lines hands each device an address from 10.3.3.1 to 10.3.3.254 plus the two DNS servers (8.8.4.4 is Google's public resolver; replace it if you do not want VPN clients using it).
Aggressive mode with a pre-shared key is what the iOS client requires, but it has a well-known weakness: the group name travels in the clear and the responder's authentication hash is sent before the exchange is encrypted, so anyone who learns the group name can initiate a connection, collect that hash and run an offline dictionary attack on the PSK. Use a long, random pre-shared key, rotate it when people who knew it leave, and treat XAuth as the second factor it is rather than as a substitute for a strong PSK.
The aes256-md5 proposal and DH group 2 (1024-bit MODP) are included for compatibility with older devices. The FortiGate accepts any proposal on its list, so a weak entry stays usable as long as it is listed; if your devices negotiate a SHA-based integrity algorithm and a larger group, remove MD5 and group 2. PFS is disabled in phase 2, which means the phase 2 keys are derived only from the phase 1 exchange and there is no forward secrecy per child SA; enable it if your client negotiates it.
- Create Firewall Policies
config firewall policy
    edit 0
        set srcintf "AppleVPN"
        set dstintf "internal1"
        set srcaddr "appleVPNsubnet"
        set dstaddr "INTERNAL_LAN"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 0
        set srcintf "internal1"
        set dstintf "AppleVPN"
        set srcaddr "INTERNAL_LAN"
        set dstaddr "appleVPNsubnet"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 0
        set srcintf "AppleVPN"
        set dstintf "wan1"
        set srcaddr "appleVPNsubnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
end
"edit 0" creates a new policy with the next free ID. The first policy lets VPN devices reach the LAN, the second lets LAN hosts initiate connections to VPN devices, and the third sends the devices' internet traffic out wan1 with NAT. The third one is needed because, without split tunneling configured, the iOS client sends all of its traffic through the tunnel.
These policies allow any service to any address on the far side, which is convenient for testing but not where you want to end up. In production restrict the service list to what the devices actually need, drop the LAN-to-VPN policy unless something on the LAN really has to initiate connections to the phones, and apply the same security profiles you would apply to any other untrusted source.
- Create static route
config router static
    edit 5
        set device "AppleVPN"
        set dst 10.3.3.0 255.255.255.0
    next
end
5 is just an unused sequence number. This route tells the FortiGate that the client pool is reachable through the tunnel interface, so return traffic to 10.3.3.0/24 goes into the VPN instead of out the default route.
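Before pushing this configuration to devices it is worth checking it mechanically for the weak spots discussed above. The following Python script is an added example, not code from the original article or from Fortinet. It parses FortiOS CLI text into tables, flags aggressive mode with a pre-shared key, weak DH groups, MD5 or DES proposals, disabled PFS and accept policies with service ANY, and runs those checks over a constructed copy of the article's phase 1, phase 2 and egress policy, and over a constructed hardened variant (certificate authentication in main mode, SHA-256, DH group 14, PFS on). The option values in the hardened variant are assumptions for illustration and were not tested against any iOS release.

```python
import shlex

# Constructed sample input: the phase 1, phase 2 and egress policy from this
# article, with the secret replaced by a placeholder so the line parses.
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "AppleVPN"
        set dhgrp 2
        set mode aggressive
        set proposal aes256-md5 aes256-sha1
        set psksecret ENC placeholder
    next
end
config vpn ipsec phase2-interface
    edit "AppleVPNp2"
        set pfs disable
        set proposal aes256-md5 aes256-sha1
    next
end
config firewall policy
    edit 3
        set srcintf "AppleVPN"
        set dstintf "wan1"
        set dstaddr "all"
        set action accept
        set service "ANY"
    next
end
"""

# Constructed "fixed" phase 1/phase 2 for comparison (option values assumed,
# not verified against any iOS client): main mode, certificate auth, SHA-256,
# DH group 14, PFS on.
HARDENED_CONFIG = """
config vpn ipsec phase1-interface
    edit "AppleVPN"
        set mode main
        set authmethod signature
        set dhgrp 14
        set proposal aes256-sha256
    next
end
config vpn ipsec phase2-interface
    edit "AppleVPNp2"
        set pfs enable
        set dhgrp 14
        set proposal aes256-sha256
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS CLI text into {table: {entry: {key: [values]}}}.
    Sub-tables nested in an edit are keyed by their own path; top-level
    'set' lines outside any edit are ignored."""
    tables, path, entry = {}, [], []
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        cmd, args = tok[0], tok[1:]
        if cmd == "config":
            path.append(" ".join(args))
            entry.append(None)
            tables.setdefault(" / ".join(path), {})
        elif cmd == "edit":
            entry[-1] = args[0]
            tables[" / ".join(path)].setdefault(args[0], {})
        elif cmd == "set" and entry[-1] is not None:
            tables[" / ".join(path)][entry[-1]][args[0]] = args[1:]
        elif cmd == "next":
            entry[-1] = None
        elif cmd == "end":
            path.pop()
            entry.pop()
    return tables


WEAK_DH = {"1", "2", "5"}  # MODP groups of 1536 bits or less


def weak_proposals(props):
    """Proposals using MD5 integrity or DES/3DES encryption."""
    return [p for p in props if p.endswith("-md5") or p.startswith(("des-", "3des-"))]


def audit(text):
    """Return (entry, code) findings for the weaknesses discussed in the article."""
    t = parse_fortios(text)
    out = []
    for name, p1 in t.get("vpn ipsec phase1-interface", {}).items():
        if p1.get("mode") == ["aggressive"] and "psksecret" in p1:
            out.append((name, "AGGRESSIVE_PSK"))  # PSK hash exposed to offline cracking
        if set(p1.get("dhgrp", [])) & WEAK_DH:
            out.append((name, "WEAK_DH"))
        if weak_proposals(p1.get("proposal", [])):
            out.append((name, "WEAK_PROPOSAL"))
    for name, p2 in t.get("vpn ipsec phase2-interface", {}).items():
        if p2.get("pfs") == ["disable"]:
            out.append((name, "PFS_DISABLED"))  # no forward secrecy for the child SA
        if weak_proposals(p2.get("proposal", [])):
            out.append((name, "WEAK_PROPOSAL"))
    for pid, pol in t.get("firewall policy", {}).items():
        if pol.get("action") == ["accept"] and "ANY" in pol.get("service", []):
            out.append((pid, "SERVICE_ANY"))  # least privilege: name the services
    return out


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
    print(audit(HARDENED_CONFIG))
```

Run it against the output of "show vpn ipsec phase1-interface", "show vpn ipsec phase2-interface" and "show firewall policy" pasted into a file. The article's configuration produces six findings; the hardened variant produces none. The parser is deliberately small: it understands config/edit/set/next/end and quoted values, which is all these tables use.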
That is everything on the Fortinet side. Now configure the Apple device with the built-in IPSec client (Settings > General > VPN > Add VPN Configuration, type IPSec, the one labelled Cisco):
Description: FortiGate VPN
Server: the IP address of the FortiGate interface that terminates the VPN (wan1 in this example)
Account: user1
Password: user1password
Use certificate: off
Group name: apple (the peerid from the phase 1 step)
Secret: the pre-shared key from the phase 1 step
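Typing those values into Settings works for one phone; for more than a handful of devices you would deliver the same entry as a configuration profile. The following Python script is an added example, not something from the original article or from Apple: it builds a .mobileconfig for the built-in IPSec client from the same values (server, group name, pre-shared key, user name) and parses it back to show which values must match the FortiGate. The payload key names follow Apple's com.apple.vpn.managed profile payload as understood by the author of this example; verify them against Apple Configurator or your MDM before relying on them. The address 203.0.113.10 and the identifier com.example.vpn.fortigate are placeholders.

```python
import plistlib
import uuid


def build_ipsec_profile(server, group, psk, username, name="FortiGate VPN",
                        identifier="com.example.vpn.fortigate"):
    """Return the bytes of a .mobileconfig that installs the VPN entry from the
    article. Key names follow Apple's com.apple.vpn.managed payload as the
    author of this example understands it (assumed; check before relying on it)."""
    vpn = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".ipsec",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "UserDefinedName": name,                  # "Description" in Settings
        "VPNType": "IPSec",                       # the built-in Cisco IPsec client
        "IPSec": {
            "AuthenticationMethod": "SharedSecret",  # "Use certificate: off"
            "RemoteAddress": server,                 # FortiGate wan1 address
            "LocalIdentifier": group,                # = set peerid "apple"
            "SharedSecret": psk.encode("utf-8"),     # = set psksecret
            "XAuthEnabled": 1,                       # = set xauthtype auto
            "XAuthName": username,                   # user from "config user local"
            # XAuthPassword is left out on purpose: the device prompts for it,
            # so the profile file never carries the reusable user credential.
        },
        "IPv4": {"OverridePrimary": 1},  # all traffic through the tunnel
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "PayloadContent": [vpn],
    }
    return plistlib.dumps(profile)


def profile_summary(blob):
    """Parse a profile back and return the values that must match the FortiGate."""
    vpn = plistlib.loads(blob)["PayloadContent"][0]
    sec = vpn["IPSec"]
    return {
        "type": vpn["VPNType"],
        "server": sec["RemoteAddress"],
        "group": sec["LocalIdentifier"],
        "user": sec["XAuthName"],
        "secret_embedded": "SharedSecret" in sec,
        "password_embedded": "XAuthPassword" in sec,
    }


if __name__ == "__main__":
    # 203.0.113.10 is a documentation address standing in for the wan1 IP.
    blob = build_ipsec_profile("203.0.113.10", "apple", "change-this-psk", "user1")
    with open("fortigate-ipsec.mobileconfig", "wb") as fh:
        fh.write(blob)
    print(profile_summary(blob))
```

The profile necessarily contains the pre-shared key (base64-encoded, not encrypted), so it is as sensitive as the key itself: sign it, deliver it over a trusted channel such as your MDM, and do not leave copies in mail or chat. The XAuth password is deliberately not embedded, so each user still types their own at connect time.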
And that’s all. Happy tunneling!