iOS device as dialup client

This is a sample configuration of dialup IPsec VPN with an iPhone or iPad as the dialup client.

You can configure dialup IPsec VPN with an iOS device as the dialup client using the GUI or CLI.

To configure IPsec VPN with an iOS device as the dialup client on the GUI:
  1. Go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
    1. Enter a VPN name.
    2. For Template Type, select Remote Access.
    3. For Remote Device Type, select Native > iOS Native.
    4. For NAT Configuration, set No NAT Between Sites.
    5. Click Next.
  2. Configure the following settings for Authentication:
    1. For Incoming Interface, select wan1.
    2. For Authentication Method, select Pre-shared Key.
    3. In the Pre-shared Key field, enter your-psk as the key.
    4. From the User Group dropdown list, select vpngroup.
    5. Deselect Require 'Group Name' on VPN client.
    6. Click Next.
  3. Configure the following settings for Policy & Routing:
    1. From the Local Interface dropdown menu, select lan.
    2. Configure the Local Address as local_network.
    3. Configure the Client Address Range as 10.10.2.1-10.10.2.200.
    4. Keep the default values for the Subnet Mask, DNS Server, and Enable IPv4 Split tunnel.
    5. Click Create.
To configure IPsec VPN with an iOS device as the dialup client using the CLI:
  1. In the CLI, configure the user and group.
    config user local
        edit "vpnuser1"
            set type password
            set passwd your-password
        next
    end
    config user group
        edit "vpngroup"
            set member "vpnuser1"
        next
    end
  2. Configure the internal interface. The LAN interface connects to the corporate internal network, and traffic between the VPN clients and this network is routed through the IPsec VPN tunnel. The address group for the protected networks behind this FortiGate is later used as the split-tunnel include list, so only traffic destined for these networks goes through the IPsec tunnel.
    config system interface
        edit "lan"
            set vdom "root"
            set ip 10.10.111.1 255.255.255.0
        next
    end
    config firewall address
        edit "local_subnet_1"
            set ip 10.10.111.0 255.255.255.0
        next
    end
    config firewall address
        edit "local_subnet_2"
            set ip 10.10.112.0 255.255.255.0
        next
    end
    config firewall addrgrp
        edit "local_network"
            set member "local_subnet_1" "local_subnet_2"
        next
    end
  3. Configure the WAN interface. The WAN interface is the interface connected to the ISP. It can work in static mode (as shown in this example), DHCP, or PPPoE mode. The IPsec tunnel is established over the WAN interface.
    config system interface
        edit "wan1"
            set vdom "root"
            set ip 172.20.120.123 255.255.255.0
        next
    end
  4. Configure the client address pool. You must create a firewall address to assign an IP address to a client from the address pool.
    config firewall address
        edit "client_range"
            set type iprange
            set comment "VPN client range"
            set start-ip 10.10.2.1
            set end-ip 10.10.2.200
        next
    end
  5. Configure the IPsec phase1-interface. In this example, PSK is used as the authentication method. Signature authentication is also an option.
    config vpn ipsec phase1-interface
        edit "for_ios_p1"
            set type dynamic
            set interface "wan1"
            set peertype any
            set net-device enable
            set mode-cfg enable
            set proposal aes256-sha256 aes256-md5 aes256-sha1
            set dpd on-idle
            set dhgrp 14 5 2
            set xauthtype auto
            set authusrgrp "vpngroup"
            set assign-ip-from name
            set ipv4-name "client_range"
            set dns-mode auto
            set ipv4-split-include "local_network"
            set psksecret your-psk
            set dpd-retryinterval 60
        next
    end
  6. Configure the IPsec phase2-interface.
    config vpn ipsec phase2-interface
        edit "for_ios_p2"
            set phase1name "for_ios_p1"
            set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
            set pfs disable
            set keepalive enable
        next
    end
  7. Configure the firewall policy to allow client traffic flow over the IPsec VPN tunnel.
    config firewall policy
        edit 1
            set name "ios_vpn"
            set srcintf "for_ios_p1"
            set dstintf "lan"
            set srcaddr "client_range"
            set dstaddr "local_network"
            set action accept
            set schedule "always"
            set service "ALL"
        next
    end
  8. Configure the iOS device.
    1. In the iOS device, go to Settings > General > VPN and select Add VPN Configuration.
    2. Set the Type to IPsec and enter a Description. Set the Server to the FortiGate's Internet-facing interface address, and enter the username in Account. Enter the user password and the preshared IPsec VPN secret, then select Done.
    3. Ensure that the IPsec VPN configuration is highlighted (indicated by a checkmark), and select the Not Connected button. The IPsec VPN connects with the user's credentials and secret. The status changes to Connected, and a VPN icon appears at the top of the screen.
  9. Run diagnose commands to check the IPsec phase1/phase2 interface status. The diagnose debug application ike -1 command is the key to troubleshooting why an IPsec tunnel failed to establish.
    1. Run the diagnose vpn ike gateway list command. The system should return the following:
      vd: root/0
      name: for_ios_p1_0
      version: 1
      interface: port1 15
      addr: 172.20.120.123:4500 -> 172.20.120.254:64916
      created: 17s ago
      xauth-user: u1
      assigned IPv4 address: 10.10.2.1/255.255.255.255
      nat: me peer
      IKE SA: created 1/1 established 1/1 time 150/150/150 ms
      IPsec SA: created 1/1 established 1/1 time 10/10/10 ms

      id/spi: 2 3c844e13c75591bf/80c2db92c8d3f602
      direction: responder
      status: established 17-17s ago = 150ms
      proposal: aes256-sha256
      key: 0032ea5ee160d775-51f3bf1f9909101b-b89c7b5a77a07784-2c92cf9c921801ac
      lifetime/rekey: 3600/3312
      DPD sent/recv: 00000000/00000000
    2. Run the diagnose vpn tunnel list command. The system should return the following:
      list all ipsec tunnel in vd 0
      ------------------------------------------------------
      name=for_ios_p1_0 ver=1 serial=172.20.120.123:4500->172.20.120.254:64916
      bound_if=15 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/984 options[03d8]=npu create_dev no-sysctl rgwy-chg rport-chg frag-rfc accept_traffic=1
      parent=for_ios_p1 index=0
      proxyid_num=1 child_num=0 refcnt=12 ilast=23 olast=23 ad=/0
      stat: rxp=0 txp=0 rxb=0 txb=0
      dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=0
      natt: mode=keepalive draft=32 interval=10 remote_port=64916
      proxyid=for_ios_p1 proto=0 sa=1 ref=2 serial=1 add-route
        src: 0:10.10.111.0-10.10.111.255:0
        dst: 0:10.10.2.1-10.10.2.1:0
        SA: ref=3 options=a7 type=00 soft=0 mtu=1422 expire=3564/0B replaywin=2048
             seqno=1 esn=0 replaywin_lastseq=00000000 itn=0
        life: type=01 bytes=0/0 timeout=3587/3600
        dec: spi=36274d15 esp=aes key=32 5a599d796f8114c83d6589284f036fc33bdf4456541e2154b4ac2217b6aec869
             ah=sha1 key=20 f1efdeb77d6f856a8dd3a30cbc23cb0f8a3e0340
        enc: spi=00b0d9ab esp=aes key=32 e9232d7a1c4f390fd09f8409c2d85f80362d940c08c73f245908ab1ac3af322f
             ah=sha1 key=20 a3890d6c5320756291cad85026d3a78fd42a1b42
        dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
        npu_flag=00 npu_rgwy=172.20.120.254 npu_lgwy=172.20.120.123 npu_selid=1 dec_npuid=0 enc_npuid=0
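As an added example (not part of this Fortinet document), the following Python checker parses the output of the diagnose vpn ike gateway list command from step 9 and reports the health of each dialup gateway: whether the IKE SA is established, whether the negotiated proposal uses a weak integrity hash (relevant here because the phase1 proposal in step 5 still offers aes256-md5), whether an XAuth user is present on an IKEv1 peer, and whether the assigned address lies inside the client_range pool from step 4. The sample output is constructed from the listing above, and the pool bounds are assumed unchanged from the page.

```python
"""Parse 'diagnose vpn ike gateway list' output and report dialup tunnel health."""
import ipaddress
import re

# Constructed sample, modelled on the gateway list shown above on this page.
SAMPLE = """\
vd: root/0
name: for_ios_p1_0
version: 1
addr: 172.20.120.123:4500 -> 172.20.120.254:64916
xauth-user: u1
assigned IPv4 address: 10.10.2.1/255.255.255.255
IKE SA: created 1/1 established 1/1 time 150/150/150 ms
status: established 17-17s ago = 150ms
proposal: aes256-sha256
DPD sent/recv: 00000000/00000000
"""

# Client pool from the page's "client_range" address object (assumed unchanged).
POOL = (ipaddress.ip_address("10.10.2.1"), ipaddress.ip_address("10.10.2.200"))
WEAK_HASHES = ("md5", "sha1")  # integrity algorithms worth flagging if negotiated

def parse_gateways(text):
    """Split the output into one dict per gateway; each block starts with 'vd:'."""
    gateways = []
    for block in re.split(r"(?m)^(?=vd:)", text):
        fields = {}
        for line in block.splitlines():
            key, sep, val = line.partition(":")  # split on the first colon only
            if sep:
                fields[key.strip()] = val.strip()
        if fields:
            gateways.append(fields)
    return gateways

def check_gateway(gw):
    """Return a list of findings for one gateway; an empty list means healthy."""
    findings = []
    if not gw.get("status", "").startswith("established"):
        findings.append("IKE SA not established")
    hashalg = gw.get("proposal", "").rsplit("-", 1)[-1]  # e.g. aes256-sha256 -> sha256
    if hashalg in WEAK_HASHES:
        findings.append("negotiated weak integrity algorithm: " + hashalg)
    if gw.get("version") == "1" and "xauth-user" not in gw:
        findings.append("IKEv1 dialup peer without an XAuth user")
    assigned = gw.get("assigned IPv4 address", "").split("/")[0]
    if assigned and not POOL[0] <= ipaddress.ip_address(assigned) <= POOL[1]:
        findings.append("assigned address outside client pool: " + assigned)
    return findings
```

Feed the real command output to parse_gateways() and pass each returned dict to check_gateway(); a non-empty list is something to investigate with diagnose debug application ike -1.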