IPsec VPN

IPsec VPN configurations have one <options> section and one or more <connection> sections.

<forticlient_configuration>
  <vpn>
    <ipsecvpn>
      <options>
        <show_auth_cert_only>1</show_auth_cert_only>
        <disconnect_on_log_off>1</disconnect_on_log_off>
        <enabled>1</enabled>
        <beep_if_error>0</beep_if_error>
        <beep_continuously>0</beep_continuously>
        <beep_seconds>0</beep_seconds>
        <usewincert>1</usewincert>
        <use_win_current_user_cert>1</use_win_current_user_cert>
        <use_win_local_computer_cert>1</use_win_local_computer_cert>
        <block_ipv6>1</block_ipv6>
        <uselocalcert>0</uselocalcert>
        <usesmcardcert>1</usesmcardcert>
        <enable_udp_checksum>0</enable_udp_checksum>
        <mtu_size>1300</mtu_size>
        <disable_default_route>0</disable_default_route>
        <check_for_cert_private_key>1</check_for_cert_private_key>
        <enhanced_key_usage_mandatory>1</enhanced_key_usage_mandatory>
        <no_dns_registration>0</no_dns_registration>
      </options>
      <connections>
        <connection>
          <name>ipsecdemo</name>
          <single_user_mode>0</single_user_mode>
          <type>manual</type>
          <disclaimer_msg></disclaimer_msg>
          <redundant_sort_method>0</redundant_sort_method>
          <failover_sslvpn_connection>SSLVPN_Name</failover_sslvpn_connection>
          <machine>0</machine>
          <ui>
            <show_passcode>0</show_passcode>
            <show_remember_password>1</show_remember_password>
            <show_alwaysup>1</show_alwaysup>
            <show_autoconnect>1</show_autoconnect>
            <save_username>0</save_username>
          </ui>
          <ike_settings>
            <version>1</version>
            <prompt_certificate>0</prompt_certificate>
            <implied_SPDO>0</implied_SPDO>
            <implied_SPDO_timeout>0</implied_SPDO_timeout>
            <server>ipsecdemo.fortinet.com</server>
            <authentication_method>Preshared Key</authentication_method>
            <auth_data>
              <preshared_key>Encdab907ed117eafaadd92f82b3e768b5414e4402dbd4df4585d4202c65940f1b2e9</preshared_key>
            </auth_data>
            <mode>aggressive</mode>
            <dhgroup>5;</dhgroup>
            <key_life>28800</key_life>
            <localid></localid>
            <nat_traversal>1</nat_traversal>
            <mode_config>1</mode_config>
            <enable_local_lan>0</enable_local_lan>
            <block_outside_dns>0</block_outside_dns>
            <nat_alive_freq>5</nat_alive_freq>
            <dpd>1</dpd>
            <dpd_retry_count>3</dpd_retry_count>
            <dpd_retry_interval>5</dpd_retry_interval>
            <fgt>1</fgt>
            <enable_ike_fragmentation>0</enable_ike_fragmentation>
            <run_fcauth_system>0</run_fcauth_system>
            <failover_sslvpn_connection>SSLVPN HQ</failover_sslvpn_connection>
            <xauth_timeout>120</xauth_timeout>
            <xauth>
              <enabled>1</enabled>
              <prompt_username>1</prompt_username>
              <username>Encrypted/NonEncrypted_UsernameString</username>
              <password />
              <attempts_allowed>1</attempts_allowed>
              <use_otp>0</use_otp>
            </xauth>
            <proposals>
              <proposal>3DES|MD5</proposal>
              <proposal>3DES|SHA1</proposal>
              <proposal>AES128|MD5</proposal>
              <proposal>AES128|SHA1</proposal>
              <proposal>AES256|SHA256</proposal>
            </proposals>
          </ike_settings>
          <ipsec_settings>
            <remote_networks>
              <network>
                <addr>0.0.0.0</addr>
                <mask>0.0.0.0</mask>
              </network>
            </remote_networks>
            <ipv4_split_exclude_networks>
              <subnetwork>10.10.10.0/255.255.255.0</subnetwork>
              <subnetwork>13.106.56.0/25</subnetwork>
              <subnetwork>teams.microsoft.com</subnetwork>
            </ipv4_split_exclude_networks>
            <dhgroup>5</dhgroup>
            <key_life_type>seconds</key_life_type>
            <key_life_seconds>1800</key_life_seconds>
            <key_life_Kbytes>5120</key_life_Kbytes>
            <replay_detection>1</replay_detection>
            <pfs>1</pfs>
            <use_vip>1</use_vip>
            <virtualip>
              <dnsserver_secondary></dnsserver_secondary>
              <!-- server IP address -->
              <type>modeconfig</type>
              <ip>0.0.0.0</ip>
              <mask>0.0.0.0</mask>
              <dnsserver>0.0.0.0</dnsserver>
              <winserver>0.0.0.0</winserver>
            </virtualip>
            <proposals>
              <proposal>3DES|MD5</proposal>
              <proposal>3DES|SHA1</proposal>
              <proposal>AES128|MD5</proposal>
              <proposal>AES128|SHA1</proposal>
              <proposal>AES256|SHA256</proposal>
            </proposals>
          </ipsec_settings>
          <on_connect>
            <script>
              <os>windows</os>
              <script>
                <![CDATA[]]>
              </script>
            </script>
          </on_connect>
          <on_disconnect>
            <script>
              <os>windows</os>
              <script>
                <![CDATA[]]>
              </script>
            </script>
          </on_disconnect>
          <traffic_control>
            <enabled>1</enabled>
            <mode>2</mode>
            <apps>
              <app>%LOCALAPPDATA%\Microsoft\Teams\Current\Teams.exe</app>
              <app>%appdata%\Zoom\bin\Zoom.exe</app>
              <app>C:\Program Files (x86)\Microsoft\Skype for Desktop\skype.exe</app>
              <app>%LOCALAPPDATA%\GoToMeeting\18068\g2mcomm.exe</app>
              <app>%LOCALAPPDATA%\GoToMeeting\18068\g2mlauncher.exe</app>
              <app>%LOCALAPPDATA%\GoToMeeting\18068\g2mstart.exe</app>
            </apps>
            <fqdns>
              <fqdn>webex.com</fqdn>
              <fqdn>gotomeeting.com</fqdn>
              <fqdn>youtube.com</fqdn>
            </fqdns>
          </traffic_control>
        </connection>
      </connections>
    </ipsecvpn>
  </vpn>
</forticlient_configuration>
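A profile like the one above carries every tunnel parameter a client will use, so it is also the natural place to check for weak settings before it is pushed to endpoints. The following script is an added example and is not FortiClient's own code or anything Fortinet ships: it parses the profile with Python's standard xml.etree and reports IKEv1 aggressive mode, DH groups below 14, 3DES/MD5/SHA1 proposals, disabled PFS or replay detection, local LAN access, and options that leave IPv6 or the certificate checks off. The thresholds are this example's own baseline, the embedded profile is a constructed cut-down copy of the sample with its two tag errors corrected, and the assumption that an encrypted preshared key starts with the Enc prefix is taken from the sample rather than from Fortinet documentation.

```python
"""Audit a FortiClient IPsec VPN XML profile for weak IKE/IPsec settings."""
import xml.etree.ElementTree as ET

# Constructed sample: the profile from this page, cut down to the elements the
# audit reads, with its two tag errors fixed (</auth_key> -> </auth_data>,
# missing '>' on </enhanced_key_usage_mandatory>).
SAMPLE_PROFILE = """<forticlient_configuration><vpn><ipsecvpn>
  <options>
    <block_ipv6>1</block_ipv6>
    <check_for_cert_private_key>1</check_for_cert_private_key>
    <enhanced_key_usage_mandatory>1</enhanced_key_usage_mandatory>
  </options>
  <connections><connection>
    <name>ipsecdemo</name>
    <ike_settings>
      <version>1</version>
      <authentication_method>Preshared Key</authentication_method>
      <auth_data><preshared_key>Encdab907ed117eafaadd92f82b3e768b5414e4402dbd4df4585d4202c65940f1b2e9</preshared_key></auth_data>
      <mode>aggressive</mode>
      <dhgroup>5;</dhgroup>
      <enable_local_lan>0</enable_local_lan>
      <proposals>
        <proposal>3DES|MD5</proposal>
        <proposal>AES128|SHA1</proposal>
        <proposal>AES256|SHA256</proposal>
      </proposals>
    </ike_settings>
    <ipsec_settings>
      <dhgroup>5</dhgroup>
      <replay_detection>1</replay_detection>
      <pfs>1</pfs>
      <proposals>
        <proposal>3DES|MD5</proposal>
        <proposal>AES256|SHA256</proposal>
      </proposals>
    </ipsec_settings>
  </connection></connections>
</ipsecvpn></vpn></forticlient_configuration>
"""

# Assumed baseline for this audit, not a Fortinet recommendation.
WEAK_CIPHERS = {"DES", "3DES"}
WEAK_HASHES = {"MD5", "SHA1"}
MIN_DH_GROUP = 14


def _text(node, path):
    """Stripped text of a child element, or '' if it is absent or empty."""
    return (node.findtext(path) or "").strip()


def _check_crypto(name, phase, node):
    """Flag small DH groups and weak proposals in ike_settings or ipsec_settings."""
    out = []
    # <dhgroup> may list several groups separated by ';' (the sample has '5;').
    for group in (g for g in _text(node, "dhgroup").split(";") if g.strip()):
        if int(group) < MIN_DH_GROUP:
            out.append((name, f"{phase} DH group {group} is below {MIN_DH_GROUP}"))
    for prop in node.iterfind("proposals/proposal"):
        cipher, _, digest = (prop.text or "").strip().partition("|")
        if cipher in WEAK_CIPHERS or digest in WEAK_HASHES:
            out.append((name, f"{phase} proposal {cipher}|{digest} uses a weak algorithm"))
    return out


def audit_profile(xml_text):
    """Return a list of (scope, finding) tuples; an empty list means no findings."""
    root = ET.fromstring(xml_text)
    findings = []
    opts = root.find("vpn/ipsecvpn/options")
    if opts is not None:
        if _text(opts, "block_ipv6") != "1":
            findings.append(("options", "block_ipv6 is not 1: IPv6 traffic can bypass the tunnel"))
        if not (_text(opts, "check_for_cert_private_key") == "1"
                and _text(opts, "enhanced_key_usage_mandatory") == "1"):
            findings.append(("options", "certificate private-key and EKU checks are not both enabled"))
    for conn in root.iterfind("vpn/ipsecvpn/connections/connection"):
        name = _text(conn, "name") or "<unnamed>"
        ike, ipsec = conn.find("ike_settings"), conn.find("ipsec_settings")
        if ike is not None:
            if _text(ike, "version") == "1" and _text(ike, "mode") == "aggressive":
                findings.append((name, "IKEv1 aggressive mode; prefer main mode or IKEv2"))
            psk = _text(ike, "auth_data/preshared_key")
            # Assumption: an encrypted PSK carries the 'Enc' prefix seen in the sample;
            # anything else is treated as a secret stored in cleartext.
            if psk and not psk.startswith("Enc"):
                findings.append((name, "preshared_key appears to be stored in cleartext"))
            if _text(ike, "enable_local_lan") == "1":
                findings.append((name, "enable_local_lan=1: local LAN stays reachable while the tunnel is up"))
            findings += _check_crypto(name, "IKE", ike)
        if ipsec is not None:
            if _text(ipsec, "pfs") != "1":
                findings.append((name, "pfs=0: no perfect forward secrecy for IPsec SAs"))
            if _text(ipsec, "replay_detection") != "1":
                findings.append((name, "replay_detection=0"))
            findings += _check_crypto(name, "IPsec", ipsec)
    return findings
```

Run against the embedded sample, audit_profile returns six findings for the ipsecdemo connection: aggressive mode, DH group 5 in both phases, and the 3DES|MD5 and AES128|SHA1 proposals. Feeding it the full exported profile instead of the cut-down sample works the same way, since the element paths mirror the page's layout.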

The following entries list the XML tags for IPsec VPN, with a description and, where applicable, the default value.

<ipsecvpn> <options> elements

<show_auth_cert_only>
    Suppress dialog boxes from displaying in FortiClient when using smart card certificates.
    Boolean value: [0 | 1]
    Default value: 0

<disconnect_on_log_off>
    Drop the established VPN connection when the user logs off.
    Boolean value: [0 | 1]
    Default value: 1

<enabled>
    Enable IPsec VPN.
    Boolean value: [0 | 1]
    Default value: 1

<beep_if_error>
    Beep if a VPN connection attempt fails.
    Boolean value: [0 | 1]
    Default value: 0

<beep_continuously>
    Enable the continuous beep.
    Boolean value: [0 | 1]
    Default value: 1

<beep_seconds>
    Enter the number of seconds after which to beep if an error occurs.
    Default value: 60

<usewincert>
    Use Windows certificates for connections.
    Boolean value: [0 | 1]

<use_win_current_user_cert>
    Use Windows current user certificates for connections.
    Boolean value: [0 | 1]
    Default value: 1

<use_win_local_computer_cert>
    Use Windows local computer certificates for connections.
    Boolean value: [0 | 1]
    Default value: 1

<block_ipv6>
    Drop IPv6 traffic when an IPsec VPN connection is established.
    Boolean value: [0 | 1]
    Default value: 0

<uselocalcert>
    Use local certificates for connections.
    Boolean value: [0 | 1]

<usesmcardcert>
    Use certificates on smart cards.
    Boolean value: [0 | 1]

<enable_udp_checksum>
    Enable UDP checksums. This setting stops FortiClient from calculating and inserting checksums into the UDP packets that it creates.
    Boolean value: [0 | 1]
    Default value: 0

<mtu_size>
    Maximum Transmission Unit (MTU) size for packets on the VPN tunnel. Set from a minimum of 576 to a maximum of 1500 bytes. The default value is 1300.
    Default value: 1300

<disable_default_route>
    Disable the default route to the gateway while the tunnel is up and restore it after the tunnel is down.
    Boolean value: [0 | 1]
    Default value: 0

<check_for_cert_private_key>
    Enable checks for the Windows certificate private key. When set to 1, FortiClient checks for the Windows certificate private key.
    Boolean value: [0 | 1]
    Default value: 0

<enhanced_key_usage_mandatory>
    Enable certificates with enhanced key usage. Used with <check_for_cert_private_key>. When <check_for_cert_private_key> is set to 1 and <enhanced_key_usage_mandatory> is set to 1, only the certificates with enhanced key usage are listed.
    Boolean value: [0 | 1]

<no_dns_registration>
    When this setting is 0, FortiClient registers the IPsec VPN adapter's address in the Active Directory (AD) DNS server.
    When this setting is 1, FortiClient does not register the IPsec VPN adapter's address in the AD DNS server.
    When this setting is 2, FortiClient registers only its own tunnel interface IP address in the AD DNS server.
    Default value: 0

The <connections> XML tag may contain one or more <connection> elements. Each <connection> has the following:

  • name and type: the name and type of the connection
  • Internet Key Exchange (IKE) settings: information used to establish an IPsec VPN connection
  • IPsec settings:
    • on_connect: a script to run right after a successful connection
    • on_disconnect: a script to run just after a disconnection

The following entries list the VPN connection XML tags, with a description and, where applicable, the default value.

<name>
    VPN connection name.

<single_user_mode>
    Enable single user mode. If enabled, new and existing VPN connections cannot be established or are disconnected if more than one user is logged in.
    Boolean value: [0 | 1]
    Default value: 0

<type>
    IPsec VPN connection type. Enter one of the following: [manual | auto]

<disclaimer_msg>
    Enable and enter a disclaimer message that appears when the user attempts a VPN connection. The user must accept the message to allow the connection.

<redundant_sort_method>
    How FortiClient determines the order in which to try connecting to the IPsec VPN servers when more than one is defined. FortiClient calculates the order before each IPsec VPN connection attempt.
      • When the value is 0, FortiClient tries the order explicitly defined in the <server> tag.
      • When the value is 1, FortiClient determines the order by the ping response speed.
      • When the value is 2, FortiClient determines the order by the TCP round trip time.
    Default value: 0

<failover_sslvpn_connection>
    If the IPsec VPN connection fails, FortiClient attempts to connect to the specified SSL VPN tunnel.

<machine>
    When this setting is 1, FortiClient can connect to the tunnel without user interaction. See <on_os_start_connect> in VPN options.
    Boolean value: [0 | 1]

<ui> elements

The elements of the <ui></ui> XML tags are set by the FortiGate following an IPsec VPN connection.

<show_passcode>
    Display Passcode instead of Password on the Remote Access tab in the console.
    Boolean value: [0 | 1]

<show_remember_password>
    Display the Save Password checkbox in the console.
    Boolean value: [0 | 1]

<show_alwaysup>
    Display the Always Up checkbox in the console.
    Boolean value: [0 | 1]

<show_autoconnect>
    Display the Auto Connect checkbox in the console.
    Boolean value: [0 | 1]

<save_username>
    Save and display the last username used for the VPN connection.
    Boolean value: [0 | 1]

<traffic_control> elements

<enabled>
    To enable the feature, enter 1. To disable the feature, enter 0.
    Boolean value: [0 | 1]

<mode>
    Enter 2 so that network traffic for all defined applications and FQDNs does not go through the VPN tunnel. You must configure this value as 2 for the feature to function.

<app>
    Specify which application traffic to exclude from the VPN tunnel and redirect to the endpoint physical interface. You can specify an application using its process name, its full path, or the directory where it is installed. File and directory paths may use environment variables such as %LOCALAPPDATA%, %programfiles%, and %appdata%. Do not add leading or trailing spaces, and do not wrap full paths that contain spaces in double quotes.
    To find a running application's full path, on the Details tab in Task Manager, add the Image path name column.
    Once the VPN tunnel is up, FortiClient binds the specified applications to the physical interface.
    In the example, for the GoToMeeting path, 18068 refers to the currently installed version of the GoToMeeting application.

<fqdn>
    Specify which FQDN traffic to exclude from the VPN tunnel and redirect to the endpoint physical interface. The FQDN's resolved IP address is dynamically added to the route table when in use and removed after disconnection.
    In the example, youtube.com matches both youtube.com and *.youtube.com.
    After defining an FQDN such as youtube.com, as in the example, if you use any popular browser such as Chrome, Edge, or Firefox to access youtube.com, this traffic does not go through the VPN tunnel.

The VPN connection name is mandatory. If a connection of this type and this name exists, FortiClient overwrites its values with the new ones.
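The <app> and <fqdn> rules above have a few easy-to-miss requirements: no leading or trailing whitespace, no double quotes around paths, and <mode> must be 2 for the exclusion to apply at all. The following script is an added example, not FortiClient's own code: it parses a <traffic_control> block with Python's xml.etree, applies the page's rules to each <app> value, expands %VAR% references against a constructed stand-in environment (FAKE_ENV and the expansion helper are this example's assumptions; how FortiClient itself expands variables is not documented on this page), and implements the FQDN matching the page describes for youtube.com, where a rule covers the name and all of its subdomains. The sample block is the one from the page with two deliberately malformed <app> entries added to exercise the checks.

```python
"""Validate a FortiClient <traffic_control> block: app path rules and FQDN matching."""
import xml.etree.ElementTree as ET

# Constructed sample: the <traffic_control> element from this page plus two
# deliberately malformed <app> entries (quoted path, surrounding whitespace).
SAMPLE_TRAFFIC_CONTROL = r"""<traffic_control>
  <enabled>1</enabled>
  <mode>2</mode>
  <apps>
    <app>%LOCALAPPDATA%\Microsoft\Teams\Current\Teams.exe</app>
    <app>%appdata%\Zoom\bin\Zoom.exe</app>
    <app>C:\Program Files (x86)\Microsoft\Skype for Desktop\skype.exe</app>
    <app>"C:\Program Files\Example\app.exe"</app>
    <app> %programfiles%\Example\other.exe </app>
  </apps>
  <fqdns>
    <fqdn>webex.com</fqdn>
    <fqdn>youtube.com</fqdn>
  </fqdns>
</traffic_control>
"""

# Constructed stand-in for the endpoint's environment (assumption). Windows
# variable names are case-insensitive, so lookups are normalised to upper case.
FAKE_ENV = {
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "PROGRAMFILES": r"C:\Program Files",
}


def expand_windows_vars(path, env=FAKE_ENV):
    """Expand %VAR% references; unknown variables are left as written."""
    out, i = [], 0
    while i < len(path):
        if path[i] == "%":
            end = path.find("%", i + 1)
            if end > i:
                name = path[i + 1:end].upper()
                if name in env:
                    out.append(env[name])
                    i = end + 1
                    continue
        out.append(path[i])
        i += 1
    return "".join(out)


def app_entry_problems(raw):
    """Return the page's rule violations for one <app> value (empty list if clean)."""
    problems = []
    if raw != raw.strip():
        problems.append("leading or trailing whitespace")
    if '"' in raw:
        problems.append("double quotes around the path")
    return problems


def fqdn_matches(rule, host):
    """An <fqdn> rule covers the name itself and every subdomain of it."""
    rule, host = rule.lower().strip("."), host.lower().strip(".")
    return host == rule or host.endswith("." + rule)


def check_traffic_control(xml_text):
    """Parse one <traffic_control> element and return a report dict."""
    tc = ET.fromstring(xml_text)
    enabled = (tc.findtext("enabled") or "").strip() == "1"
    mode = (tc.findtext("mode") or "").strip()
    report = {
        "active": enabled and mode == "2",  # page: mode must be 2 for the feature to work
        "apps": [],        # accepted entries, with environment variables expanded
        "bad_apps": {},    # rejected entries -> list of problems
        "fqdns": [(f.text or "").strip() for f in tc.iterfind("fqdns/fqdn")],
    }
    for app in tc.iterfind("apps/app"):
        raw = app.text or ""
        problems = app_entry_problems(raw)
        if problems:
            report["bad_apps"][raw] = problems
        else:
            report["apps"].append(expand_windows_vars(raw))
    return report
```

On the sample, check_traffic_control reports the block as active, accepts the three well-formed paths (with %LOCALAPPDATA% and %appdata% expanded), and rejects the quoted and whitespace-padded entries with the reason for each; fqdn_matches can then be used to confirm which hostnames a given <fqdn> rule will actually divert around the tunnel.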
