IPsec VPN

IPsec VPN configurations have one <options> section and one or more <connection> sections.

```xml
<forticlient_configuration>
  <vpn>
    <ipsecvpn>
      <options>
        <show_auth_cert_only>1</show_auth_cert_only>
        <disconnect_on_log_off>1</disconnect_on_log_off>
        <enabled>1</enabled>
        <beep_if_error>0</beep_if_error>
        <beep_continuously>0</beep_continuously>
        <beep_seconds>0</beep_seconds>
        <usewincert>1</usewincert>
        <use_win_current_user_cert>1</use_win_current_user_cert>
        <use_win_local_computer_cert>1</use_win_local_computer_cert>
        <block_ipv6>1</block_ipv6>
        <uselocalcert>0</uselocalcert>
        <usesmcardcert>1</usesmcardcert>
        <enable_udp_checksum>0</enable_udp_checksum>
        <mtu_size>1300</mtu_size>
        <disable_default_route>0</disable_default_route>
        <check_for_cert_private_key>1</check_for_cert_private_key>
        <enhanced_key_usage_mandatory>1</enhanced_key_usage_mandatory>
      </options>
      <connections>
        <connection>
          <name>ipsecdemo</name>
          <single_user_mode>0</single_user_mode>
          <type>manual</type>
          <ui>
            <show_passcode>0</show_passcode>
            <show_remember_password>1</show_remember_password>
            <show_alwaysup>1</show_alwaysup>
            <show_autoconnect>1</show_autoconnect>
            <save_username>0</save_username>
          </ui>
          <ike_settings>
            <version>1</version>
            <prompt_certificate>0</prompt_certificate>
            <implied_SPDO>0</implied_SPDO>
            <implied_SPDO_timeout>0</implied_SPDO_timeout>
            <server>ipsecdemo.fortinet.com</server>
            <authentication_method>Preshared Key</authentication_method>
            <auth_data>
              <preshared_key>Encdab907ed117eafaadd92f82b3e768b5414e4402dbd4df4585d4202c65940f1b2e9</preshared_key>
            </auth_data>
            <mode>aggressive</mode>
            <dhgroup>5;</dhgroup>
            <key_life>28800</key_life>
            <localid></localid>
            <peerid></peerid>
            <nat_traversal>1</nat_traversal>
            <mode_config>1</mode_config>
            <enable_local_lan>0</enable_local_lan>
            <nat_alive_freq>5</nat_alive_freq>
            <dpd>1</dpd>
            <dpd_retry_count>3</dpd_retry_count>
            <dpd_retry_interval>5</dpd_retry_interval>
            <fgt>1</fgt>
            <enable_ike_fragmentation>0</enable_ike_fragmentation>
            <run_fcauth_system>0</run_fcauth_system>
            <xauth_timeout>120</xauth_timeout>
            <xauth>
              <enabled>1</enabled>
              <prompt_username>1</prompt_username>
              <username>Encrypted/NonEncrypted_UsernameString</username>
              <password />
              <attempts_allowed>1</attempts_allowed>
              <use_otp>0</use_otp>
            </xauth>
            <proposals>
              <proposal>3DES|MD5</proposal>
              <proposal>3DES|SHA1</proposal>
              <proposal>AES128|MD5</proposal>
              <proposal>AES128|SHA1</proposal>
              <proposal>AES256|SHA256</proposal>
            </proposals>
          </ike_settings>
          <ipsec_settings>
            <remote_networks>
              <network>
                <addr>0.0.0.0</addr>
                <mask>0.0.0.0</mask>
              </network>
            </remote_networks>
            <dhgroup>5</dhgroup>
            <key_life_type>seconds</key_life_type>
            <key_life_seconds>1800</key_life_seconds>
            <key_life_Kbytes>5120</key_life_Kbytes>
            <replay_detection>1</replay_detection>
            <pfs>1</pfs>
            <use_vip>1</use_vip>
            <virtualip>
              <dnsserver_secondary></dnsserver_secondary>
              <!-- server IP address -->
              <type>modeconfig</type>
              <ip>0.0.0.0</ip>
              <mask>0.0.0.0</mask>
              <dnsserver>0.0.0.0</dnsserver>
              <winserver>0.0.0.0</winserver>
            </virtualip>
            <proposals>
              <proposal>3DES|MD5</proposal>
              <proposal>3DES|SHA1</proposal>
              <proposal>AES128|MD5</proposal>
              <proposal>AES128|SHA1</proposal>
              <proposal>AES256|SHA256</proposal>
            </proposals>
          </ipsec_settings>
          <on_connect>
            <script>
              <os>windows</os>
              <script>
                <script>
                  <![CDATA[]]>
                </script>
              </script>
            </script>
          </on_connect>
          <on_disconnect>
            <script>
              <os>windows</os>
              <script>
                <script>
                  <![CDATA[]]>
                </script>
              </script>
            </script>
          </on_disconnect>
        </connection>
      </connections>
    </ipsecvpn>
  </vpn>
</forticlient_configuration>
```

The following table provides the XML tags for IPsec VPN, as well as the descriptions and default values where applicable.

| XML tag | Description | Default value |
| --- | --- | --- |
| <ipsecvpn> <options> elements | | |
| <show_auth_cert_only> | Suppress dialog boxes from displaying in FortiClient when using smart card certificates. Boolean value: 0 or 1 | 0 |
| <disconnect_on_log_off> | Drop the established VPN connection when the user logs off. Boolean value: 0 or 1 | 1 |
| <enabled> | Enable or disable IPsec VPN. Boolean value: 0 or 1 | 1 |
| <beep_if_error> | Beep if a VPN connection attempt fails. Boolean value: 0 or 1 | 0 |
| <beep_continuously> | Enable or disable the continuous beep. Boolean value: 0 or 1 | 1 |
| <beep_seconds> | Number of seconds after which to beep if an error occurs. | 60 |
| <usewincert> | Use Microsoft Windows certificates for connections. Boolean value: 0 or 1 | |
| <use_win_current_user_cert> | Use Microsoft Windows current user certificates for connections. Boolean value: 0 or 1 | 1 |
| <use_win_local_computer_cert> | Use Microsoft Windows local computer certificates for connections. Boolean value: 0 or 1 | 1 |
| <block_ipv6> | Drop IPv6 traffic when an IPsec VPN connection is established. Boolean value: 0 or 1 | 0 |
| <uselocalcert> | Use local certificates for connections. Boolean value: 0 or 1 | |
| <usesmcardcert> | Use certificates on smart cards. Boolean value: 0 or 1 | |
| <enable_udp_checksums> | Enable or disable UDP checksums. This setting stops FortiClient from calculating and inserting checksums into the UDP packets that it creates. Boolean value: 0 or 1 | 0 |
| <mtu_size> | Maximum Transmission Unit (MTU) size for packets on the VPN tunnel. Set from a minimum of 576 to a maximum of 1500 bytes. The default value is 1300. | 1300 |
| <disable_default_route> | Disable the default route to the gateway while the tunnel is up and restore it after the tunnel is down. Boolean value: 0 or 1 | 0 |
| <check_for_cert_private_key> | Enable or disable checks for the Windows certificate private key. When set to 1, FortiClient checks for the Windows certificate private key. Boolean value: 0 or 1 | 0 |
| <enhanced_key_usage_mandatory> | Enable or disable certificates with enhanced key usage. Used with <check_for_cert_private_key>. When both <check_for_cert_private_key> and <enhanced_key_usage_mandatory> are set to 1, only certificates with enhanced key usage are listed. Boolean value: 0 or 1 | |

The <connections> XML tag may contain one or more <connection> elements. Each <connection> has the following:

  • name and type: the name and type of connection
  • IKE settings: information used to establish an IPsec VPN connection
  • IPsec settings
  • on_connect: a script to run right after a successful connection
  • on_disconnect: a script to run just after a disconnection

The following table provides VPN connection XML tags, the description, and the default value (where applicable).

| XML tag | Description | Default value |
| --- | --- | --- |
| <name> | VPN connection name. | |
| <single_user_mode> | Enable or disable single user mode. If enabled, new VPN connections cannot be established and existing ones are disconnected when more than one user is logged in. Boolean value: 0 or 1 | 0 |
| <type> | IPsec VPN connection type. One of: manual, auto | |
| <ui> elements | The elements of the <ui> XML tag are set by the FortiGate following an IPsec VPN connection. | |
| <show_passcode> | Display Passcode instead of Password on the Remote Access tab in the console. Boolean value: 0 or 1 | |
| <show_remember_password> | Display the Save Password checkbox in the console. Boolean value: 0 or 1 | |
| <show_alwaysup> | Display the Always Up checkbox in the console. Boolean value: 0 or 1 | |
| <show_autoconnect> | Display the Auto Connect checkbox in the console. Boolean value: 0 or 1 | |
| <save_username> | Save and display the last username used for the VPN connection. Boolean value: 0 or 1 | |

The VPN connection name is mandatory. If a connection of this type and this name exists, its values are overwritten with the new ones.
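A configuration reference like this one is most useful when it can be checked mechanically before a profile is pushed to endpoints. The script below is an added example, not FortiClient code and not from Fortinet: it parses a profile with the standard library, reports a profile whose tags do not nest (the kind of defect a hand-edited file picks up, such as <auth_data> closed by a different tag), checks the documented mtu_size range, enforces the mandatory connection name, and flags settings a defender would want to review: IKEv1 aggressive mode with a pre-shared key, DH groups below 2048 bits, and proposals built on 3DES, MD5 or SHA1. The tag names come from this reference; the weak-algorithm policy, the two sample profiles, the server name vpn.example.invalid and the use of "main" as the non-aggressive IKEv1 mode value are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

# Policy of this script, not a FortiClient setting: MODP groups 1, 2 and 5 are
# below 2048 bits; 3DES, MD5 and SHA1 are deprecated for new tunnels.
WEAK_ENC, WEAK_HASH, WEAK_DH = {"DES", "3DES"}, {"MD5", "SHA1"}, {"1", "2", "5"}

# Constructed sample shaped after the reference; weak settings left in on purpose.
WEAK_PROFILE = """<forticlient_configuration><vpn><ipsecvpn>
<options><block_ipv6>0</block_ipv6><mtu_size>1300</mtu_size>
<check_for_cert_private_key>0</check_for_cert_private_key></options>
<connections><connection><name>ipsecdemo</name><type>manual</type>
<ike_settings><version>1</version><server>vpn.example.invalid</server>
<authentication_method>Preshared Key</authentication_method>
<mode>aggressive</mode><dhgroup>5;</dhgroup><dpd>1</dpd>
<proposals><proposal>3DES|MD5</proposal><proposal>AES256|SHA256</proposal></proposals>
</ike_settings>
<ipsec_settings><dhgroup>5</dhgroup><replay_detection>1</replay_detection><pfs>1</pfs>
<proposals><proposal>AES128|SHA1</proposal><proposal>AES256|SHA256</proposal></proposals>
</ipsec_settings></connection></connections></ipsecvpn></vpn></forticlient_configuration>"""

# The same profile with every finding resolved (also constructed; "main" mode assumed).
HARDENED_PROFILE = """<forticlient_configuration><vpn><ipsecvpn>
<options><block_ipv6>1</block_ipv6><mtu_size>1300</mtu_size>
<check_for_cert_private_key>1</check_for_cert_private_key></options>
<connections><connection><name>ipsecdemo</name><type>manual</type>
<ike_settings><version>1</version><server>vpn.example.invalid</server>
<authentication_method>Preshared Key</authentication_method>
<mode>main</mode><dhgroup>14;</dhgroup><dpd>1</dpd>
<proposals><proposal>AES256|SHA256</proposal></proposals>
</ike_settings>
<ipsec_settings><dhgroup>14</dhgroup><replay_detection>1</replay_detection><pfs>1</pfs>
<proposals><proposal>AES256|SHA256</proposal></proposals>
</ipsec_settings></connection></connections></ipsecvpn></vpn></forticlient_configuration>"""


def _text(elem, tag):
    """Stripped text of a child tag, or "" when the parent or child is absent."""
    child = elem.find(tag) if elem is not None else None
    return (child.text or "").strip() if child is not None else ""


def _check_crypto(name, label, section, findings):
    """Flag deprecated proposals and small DH groups in <ike_settings> or <ipsec_settings>."""
    for prop in section.iterfind("proposals/proposal"):
        enc, _, mac = (prop.text or "").partition("|")       # proposals read ENC|HASH
        if enc in WEAK_ENC or mac in WEAK_HASH:
            findings.append((name, f"{label} proposal {prop.text} uses a deprecated algorithm"))
    for group in _text(section, "dhgroup").split(";"):       # IKE dhgroup is written "5;"
        if group.strip() in WEAK_DH:
            findings.append((name, f"{label} dhgroup {group.strip()} is below 2048 bits"))


def lint_profile(xml_text):
    """Return [(connection_name, finding), ...]; an empty list means nothing to report."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as err:            # e.g. <auth_data> closed by </auth_key>
        return [("-", f"XML is not well-formed: {err}")]
    ipsec = root.find("vpn/ipsecvpn")
    if ipsec is None:
        return [("-", "no <vpn>/<ipsecvpn> section")]

    opts = ipsec.find("options")
    mtu = _text(opts, "mtu_size") or "1300"                  # documented default
    if not mtu.isdigit() or not 576 <= int(mtu) <= 1500:
        findings.append(("-", f"mtu_size {mtu} is outside the documented 576-1500 range"))
    if _text(opts, "block_ipv6") != "1":
        findings.append(("-", "block_ipv6 is not 1: IPv6 traffic is not dropped while the tunnel is up"))
    if _text(opts, "check_for_cert_private_key") != "1":
        findings.append(("-", "check_for_cert_private_key is not 1"))

    for conn in ipsec.iterfind("connections/connection"):
        name = _text(conn, "name") or "<unnamed>"
        if name == "<unnamed>":
            findings.append((name, "connection name is mandatory"))
        ike, esp = conn.find("ike_settings"), conn.find("ipsec_settings")
        if ike is not None:
            if _text(ike, "mode") == "aggressive" and _text(ike, "authentication_method") == "Preshared Key":
                findings.append((name, "IKEv1 aggressive mode with a pre-shared key: prefer main mode or certificates"))
            if _text(ike, "dpd") != "1":
                findings.append((name, "dpd is not 1: dead peers are not detected"))
            _check_crypto(name, "IKE", ike, findings)
        if esp is not None:
            for tag in ("replay_detection", "pfs"):
                if _text(esp, tag) != "1":
                    findings.append((name, f"{tag} is not 1"))
            _check_crypto(name, "IPsec", esp, findings)
    return findings


if __name__ == "__main__":
    for profile in (WEAK_PROFILE, HARDENED_PROFILE):
        for conn, msg in lint_profile(profile) or [("-", "no findings")]:
            print(f"{conn}: {msg}")
        print()
```

Run against a real exported profile, the same function reports each connection by its <name>, so a fleet of profiles can be checked in one pass; a malformed file is reported as a single finding rather than an exception, which keeps a batch run going.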
