IPsec settings

The following table provides the XML tags for IPsec settings, as well as the descriptions and default values where applicable.

<remote_networks> elements

| XML tag | Description | Default value |
|---|---|---|
|  | Specifies a network address <addr> with subnet mask <mask>. |  |
| <addr> | Network IP address. |  |
| <mask> | Subnet mask to apply to network address <addr>. |  |
| <ipv4_split_exclude_networks> | Configure negative split tunnel or network exclusion for IPsec VPN using the <subnetwork> subelement. This feature supports FQDN, resolved from the client and expanded into a list of networks. If negative split tunnel configuration is also received from FortiOS, FortiClient uses the settings from FortiOS and ignores the <ipv4_split_exclude_networks> settings. See Configure VPN remote gateway. |  |
|  | A list of possible DH protocol groups, separated by semicolons. |  |
|  | Phase 2 key re-key duration type. Select one of: seconds, kbytes, both. |  |
|  | Phase 2 key maximum life in seconds. | 1800 |
|  | Phase 2 key maximum life in KB. | 5120 |
|  | Detect an attempt to replay a previous VPN session. |  |
|  | Enable perfect forward secrecy (PFS). Boolean value: [0 \| 1] |  |
|  | Use a virtual IP address. Boolean value: [0 \| 1] |  |

<virtualip> elements

| XML tag | Description | Default value |
|---|---|---|
|  | Enter the virtual IP address type: [modeconfig \| dhcpoveripsec] |  |
|  | Enter the IP address. |  |
|  | Enter the network mask. |  |
|  | Enter the DNS server IP address. |  |
|  | Enter the secondary DNS server IP address. |  |
|  | Enter the Windows server IP address. |  |

<proposals> elements

| XML tag | Description | Default value |
|---|---|---|
|  | Encryption and authentication types to use, separated by a pipe. Multiple elements accepted. First setting: encryption type: DES, 3DES, AES128, AES192, AES256. Second setting: authentication type: MD5, SHA1, SHA256, SHA384, SHA512. |  |
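
As an added example (not FortiClient's own code), a small Python checker for the element values described above: it parses proposal strings in the ENC|AUTH form, parses the semicolon-separated DH group list, resolves the effective Phase 2 key-life limits from the duration type and the table's defaults, and flags deprecated primitives. The sample values are constructed, the set of primitives treated as weak is an assumed policy baseline, and no child tag names are assumed because the table does not give them.

```python
# Added example, not FortiClient code: checks the element *values* the table
# describes (proposals, DH group list, Phase 2 key life). Tag names are not
# assumed; only the value formats and defaults given on the page are used.
ENC_TYPES = {"DES", "3DES", "AES128", "AES192", "AES256"}
AUTH_TYPES = {"MD5", "SHA1", "SHA256", "SHA384", "SHA512"}
# Assumed policy baseline (not from the table): deprecated primitives to flag.
WEAK = {"DES", "3DES", "MD5", "SHA1"}
KEY_LIFE_TYPES = {"seconds", "kbytes", "both"}
DEFAULT_SECONDS, DEFAULT_KBYTES = 1800, 5120  # defaults from the table


def parse_proposal(text):
    """'AES256|SHA256' -> ('AES256', 'SHA256'); rejects unknown values."""
    parts = [p.strip() for p in text.split("|")]
    if len(parts) != 2:
        raise ValueError(f"proposal must be ENC|AUTH, got {text!r}")
    enc, auth = parts
    if enc not in ENC_TYPES:
        raise ValueError(f"unknown encryption type {enc!r}")
    if auth not in AUTH_TYPES:
        raise ValueError(f"unknown authentication type {auth!r}")
    return enc, auth


def weak_proposals(proposals):
    """Proposals (several elements are accepted) that use a weak primitive."""
    return [p for p in proposals if WEAK & set(parse_proposal(p))]


def parse_dh_groups(text):
    """'14;5' -> [14, 5]: the semicolon-separated DH group list."""
    return [int(g) for g in text.split(";") if g.strip()]


def phase2_key_life(key_life_type, seconds=None, kbytes=None):
    """Phase 2 re-key limits for the duration type, table defaults filling gaps."""
    if key_life_type not in KEY_LIFE_TYPES:
        raise ValueError(f"unknown key life type {key_life_type!r}")
    limits = {}
    if key_life_type in ("seconds", "both"):
        limits["seconds"] = DEFAULT_SECONDS if seconds is None else seconds
    if key_life_type in ("kbytes", "both"):
        limits["kbytes"] = DEFAULT_KBYTES if kbytes is None else kbytes
    return limits


if __name__ == "__main__":
    sample = ["AES256|SHA256", "AES128|SHA1", "3DES|MD5"]  # constructed values
    print(weak_proposals(sample))   # ['AES128|SHA1', '3DES|MD5']
    print(phase2_key_life("both"))  # {'seconds': 1800, 'kbytes': 5120}
```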

The on_connect and on_disconnect structure and scripting format are similar to those described in SSL VPN.