How to connect an iPhone to Fortigate firewall for tunneling

Posted by erwin on Wednesday, January 27, 2016


This article provides a sample IPSec VPN configuration for use with iPhone and iPad. I’ve tested the following on a FortiGate 60C with FortiOS v4.0 MR3 Patch 9 and v5.0 build 3608 (GA Patch 7), but I think it will work even with previous firmware versions.

With these firmware versions this is the only way to get a tunnel-mode VPN from an iPhone or iPad, because the FortiClient app only supports web bookmarks. The iOS side uses the built-in Cisco IPsec client (IKEv1 aggressive mode with a group pre-shared key plus XAuth user credentials), which is why the phase 1 settings below look the way they do.

Let’s go!

1) Create User

```
config user local
    edit "user1"
        set status enable
        set type password
        set passwd user1password
    end
```

2) Create Group

```
config user group
    edit "AppleVPNUsers"
        set member "user1"
    end
```

3) Create an entry for the internal network (192.168.29.0/24 in this example; substitute your own LAN)

```
config firewall address
    edit "INTERNAL_LAN"
        set subnet 192.168.29.0 255.255.255.0
    next
end
```

4) Create an entry for the subnet for the remote devices

```
config firewall address
    edit "appleVPNsubnet"
        set subnet 10.3.3.0 255.255.255.0
    next
end
```

5) Create VPN Phase 1 and 2

```
config vpn ipsec phase1-interface
    edit "AppleVPN"
        set type dynamic
        set interface "wan1"
        set dhgrp 2
        set peertype one
        set xauthtype auto
        set mode aggressive
        set mode-cfg enable
        set proposal aes256-md5 aes256-sha1
        set peerid "apple"
        set authusrgrp "AppleVPNUsers"
        set ipv4-start-ip 10.3.3.1
        set ipv4-end-ip 10.3.3.254
        set ipv4-netmask 255.255.255.0
        set psksecret 
        set ipv4-dns-server1 
        set ipv4-dns-server2 8.8.4.4
    end
config vpn ipsec phase2-interface
    edit "AppleVPNp2"
        set keepalive enable
        set pfs disable
        set phase1name "AppleVPN"
        set proposal aes256-md5 aes256-sha1
    end
```

`psksecret` is the pre-shared key that the iOS client enters as the group secret; `peerid` is what the client enters as the group name. `ipv4-dns-server1` is left blank above; fill in the DNS server you want pushed to clients. Two things to keep in mind before exposing this on `wan1`: in IKEv1 aggressive mode with a pre-shared key, a hash derived from the PSK travels unencrypted, so anyone who captures the exchange (or who knows the group name and starts one) can brute-force the secret offline. Use a long, random `psksecret`, and remember that XAuth user passwords are the second factor that protects the tunnel. The proposal lists `aes256-md5` next to `aes256-sha1`; the MD5 entry can be dropped if your clients negotiate SHA1, and `pfs disable` means a compromised IKE key exposes the phase 2 keys derived from it.

6) Create Firewall Policies

Phase 1 above creates a virtual interface named `AppleVPN`, which is what the policies reference. The third policy (VPN subnet to `wan1` with NAT) is what gives connected clients Internet access through the tunnel; leave it out if you only want them to reach the LAN.

```
config firewall policy
    edit 0
        set srcintf "AppleVPN"
        set dstintf "internal1"
        set srcaddr "appleVPNsubnet"
        set dstaddr "INTERNAL_LAN"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 0
        set srcintf "internal1"
        set dstintf "AppleVPN"
        set srcaddr "INTERNAL_LAN"
        set dstaddr "appleVPNsubnet"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 0
        set srcintf "AppleVPN"
        set dstintf "wan1"
        set srcaddr "appleVPNsubnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    end
```

7) Create static route

```
config router static
    edit 5
        set device "AppleVPN"
        set dst 10.3.3.0 255.255.255.0
    end
```
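Before putting a configuration like the one above on an Internet-facing interface, it is worth checking it mechanically. The following Python script is an added example, not part of the original post and not a Fortinet tool: it parses FortiOS CLI text (the `config` / `edit` / `set` / `next` / `end` shape used throughout this page) and flags the IKE/IPsec settings a practitioner should reconsider. `SAMPLE_CONFIG` is constructed from the phase 1 and phase 2 blocks above with a stand-in pre-shared key; the finding rules and the `MIN_PSK_LEN` threshold are this script's own assumptions.

```python
"""Lint FortiOS IPsec phase1/phase2 settings for the weaknesses a dial-up
iOS setup tends to carry. Added example; the checks are our own, not Fortinet's."""
import shlex

# Constructed from the post's blocks; the PSK is a deliberately weak stand-in.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "AppleVPN"
        set type dynamic
        set interface "wan1"
        set dhgrp 2
        set peertype one
        set xauthtype auto
        set mode aggressive
        set mode-cfg enable
        set proposal aes256-md5 aes256-sha1
        set peerid "apple"
        set authusrgrp "AppleVPNUsers"
        set psksecret apple123
    end
config vpn ipsec phase2-interface
    edit "AppleVPNp2"
        set keepalive enable
        set pfs disable
        set phase1name "AppleVPN"
        set proposal aes256-md5 aes256-sha1
    end
"""

WEAK_HASHES = {"md5"}
WEAK_CIPHERS = {"des", "3des"}
SMALL_DH_GROUPS = {"1", "2", "5"}   # MODP 768 / 1024 / 1536 bits
MIN_PSK_LEN = 20                    # assumption: our own floor for a group secret


def parse_fortios(text):
    """Return {section: {entry: {key: [values]}}} from FortiOS CLI text.

    'config X' opens a section, 'edit N' an entry, 'set k v...' assigns,
    'next' closes the entry, 'end' closes the section. FortiOS also accepts
    'end' directly inside an edit (the post's blocks do that), so 'end' pops
    frames until the enclosing 'config' is closed.
    """
    tree, stack = {}, []            # stack frames: (kind, dict)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, *args = shlex.split(line)   # shlex strips the quotes around names
        if cmd == "config":
            parent = stack[-1][1] if stack else tree
            stack.append(("config", parent.setdefault(" ".join(args), {})))
        elif cmd == "edit":
            stack.append(("edit", stack[-1][1].setdefault(args[0], {})))
        elif cmd == "set":
            stack[-1][1][args[0]] = args[1:]    # 'set psksecret' alone -> []
        elif cmd == "next":
            stack.pop()
        elif cmd == "end":
            while stack.pop()[0] != "config":
                pass
    return tree


def weak_proposals(proposal):
    """One message per 'cipher-hash' entry that uses a weak algorithm."""
    msgs = []
    for alg in proposal:
        cipher, _, digest = alg.partition("-")
        if cipher in WEAK_CIPHERS:
            msgs.append(f"proposal {alg} uses weak cipher {cipher}")
        if digest in WEAK_HASHES:
            msgs.append(f"proposal {alg} uses weak hash {digest}")
    return msgs


def lint_ipsec(tree):
    """Return (location, message) findings for every phase1/phase2 entry."""
    findings = []
    for name, p1 in tree.get("vpn ipsec phase1-interface", {}).items():
        where = f"phase1 {name}"
        psk_auth = p1.get("authmethod", ["psk"]) == ["psk"]   # FortiOS default is psk
        if psk_auth and p1.get("mode") == ["aggressive"]:
            findings.append((where, "aggressive mode with PSK: a hash derived from "
                             "the secret is sent unencrypted, so a captured exchange "
                             "can be brute-forced offline"))
        psk = p1.get("psksecret", [])
        if psk_auth and not psk:
            findings.append((where, "psksecret is empty"))
        elif psk_auth and psk[0] != "ENC" and len(psk[-1]) < MIN_PSK_LEN:
            findings.append((where, f"psksecret shorter than {MIN_PSK_LEN} chars"))
        findings += [(where, m) for m in weak_proposals(p1.get("proposal", []))]
        for g in p1.get("dhgrp", []):
            if g in SMALL_DH_GROUPS:
                findings.append((where, f"dhgrp {g} is a MODP group below 2048 bits"))
    for name, p2 in tree.get("vpn ipsec phase2-interface", {}).items():
        where = f"phase2 {name}"
        if p2.get("pfs") == ["disable"]:
            findings.append((where, "pfs disable: a recovered IKE key exposes every "
                             "child SA keyed from it"))
        findings += [(where, m) for m in weak_proposals(p2.get("proposal", []))]
    return findings


if __name__ == "__main__":
    for where, msg in lint_ipsec(parse_fortios(SAMPLE_CONFIG)):
        print(f"{where}: {msg}")
```

Run it against a `show vpn ipsec phase1-interface` / `phase2-interface` dump instead of `SAMPLE_CONFIG` to check a live box; a PSK stored as `ENC ...` in a backup is skipped by the length check since its plaintext is not visible. Aggressive mode itself is a requirement of the iOS Cisco IPsec client, so that finding is a reminder to pick a strong group secret rather than something this setup can switch off.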

That’s all on the Fortinet side. Now configure your Apple device using the built-in Cisco IPsec VPN client (VPN type IPSec in the iOS VPN settings).

Configuration required on the iPad/iPhone Cisco VPN Client:

Description: FortiGate VPN
Server: IP of the FortiGate WAN interface that is configured for VPN (interface wan1 in this case)
Account: user1
Password: user1password
Use Certificate: off
Group Name: apple (the `peerid` from phase 1)
Secret: the pre-shared key for the tunnel (the `psksecret` from phase 1)

And that’s all. Happy tunneling!

