IKE settings

FortiClient automatically performs IKE based on preshared keys or X.509 digital certificates.

The following table provides the XML tags for IKE settings, as well as the descriptions and default values where applicable.

<version>

Determine the IKE version. FortiClient 7.0.0 supports IKE v1 and IKE v2. Enter 1 or 2.

Default value: 1

<prompt_certificate>

Prompt for certificate on connection.

Boolean value: [0 | 1]

<implied_SPDO>

Controls whether FortiClient applies an implied security policy while the tunnel is being established. Note that this description and the one under <implied_SPDO_timeout> disagree about which value permits non-IKE traffic: this entry states that when the setting is 0 only IKE traffic (UDP ports 500 and 4500) passes and when it is 1 other traffic, including Internet traffic, is allowed during the connection phase, whereas the timeout entry states that outbound non-IKE packets are blocked when the setting is 1. Verify the behaviour on a test host (for example, check whether outbound non-IKE traffic is dropped while the connection is being negotiated) before relying on either reading.

Boolean value: [0 | 1]

<implied_SPDO_timeout>

When <implied_SPDO> is set to 1, <implied_SPDO_timeout> is the timeout in seconds.

FortiClient blocks all outbound non-IKE packets when <implied_SPDO> is set to 1. This is a security feature in the IPsec protocol. If the network traffic goes through a captive portal, the intended IPsec VPN server may be unreachable until the user provides credentials on a web page. Setting <implied_SPDO> to 1 may therefore block access to the captive portal, which in turn blocks access to the IPsec VPN server.

To avoid this deadlock, set <implied_SPDO_timeout> to a value greater than 0. FortiClient then allows all outbound traffic (including non-IKE traffic) for the configured duration. A value of 30 or 60 seconds is usually sufficient; keep it as short as the captive portal allows, because traffic sent during that window leaves the host without tunnel protection. If <implied_SPDO_timeout> is set to 0, the <implied_SPDO> element behaves as if set to 0.

When <implied_SPDO> is set to 0, <implied_SPDO_timeout> is ignored.

<server>

IP address or FQDN.

<authentication_method>

Authentication method. Enter one of the following:

  • Preshared Key
  • X509 Certificate
  • Smartcard X509 Certificate
  • System Store X509 Certificate

<auth_data> elements

<preshared_key>

Encrypted value of the preshared key.

<auth_data><certificate> elements

FortiClient searches all certificate stores until it finds a match for the certificate name and issuer supplied.

The XML sample provided in IPsec VPN only shows XML configuration when using a preshared key. See Sample XML using certificate authentication for an example of XML configuration for a System Store X509 certificate.

<auth_data><certificate><common_name> elements

Elements for common name of the certificate for VPN logon.

<match_type>

Enter the type of matching to use:

  • simple: exact match
  • wildcard: wildcard
  • regex: regular expressions

<pattern>

Enter the pattern to use for the type of matching.

<auth_data><certificate><issuer> elements

<match_type>

Enter the type of matching to use:

  • simple: exact match
  • wildcard: wildcard

<pattern>

Enter the pattern to use for the type of matching.
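As an added example (not FortiClient's own code), the following Python models how the <match_type>/<pattern> pairs for the common name and issuer select a certificate from a store that is searched in order, as described under <auth_data><certificate> above. The store contents are constructed sample data; the use of fnmatch for wildcard matching and re.fullmatch for regex matching is an assumption about how FortiClient interprets those match types, and the issuer block only accepts simple and wildcard, as documented.

```python
"""Model FortiClient certificate selection by common name and issuer patterns.

Added example; not FortiClient code. Glob and regex semantics are assumptions.
"""
import fnmatch
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class StoreCert:
    """A certificate as seen in a store: subject CN and issuer name (constructed sample)."""
    common_name: str
    issuer: str


def _match(match_type: str, pattern: str, value: str, allow_regex: bool) -> bool:
    """Apply one <match_type>/<pattern> pair to a name.

    simple   : exact, case-sensitive comparison
    wildcard : shell-style glob (* and ?) via fnmatch  (assumed semantics)
    regex    : full-match regular expression, only where allow_regex is True
    """
    if match_type == "simple":
        return value == pattern
    if match_type == "wildcard":
        return fnmatch.fnmatchcase(value, pattern)
    if match_type == "regex" and allow_regex:
        return re.fullmatch(pattern, value) is not None
    raise ValueError(f"unsupported match_type {match_type!r} for this element")


def select_certificate(certs: List[StoreCert], cn_match: str, cn_pattern: str,
                       issuer_match: str, issuer_pattern: str) -> Optional[StoreCert]:
    """Return the first certificate whose CN and issuer both match, or None.

    Mirrors the documented behaviour: stores are searched in order and the first
    match wins. Regex is permitted for the common name only; the issuer element
    documents just simple and wildcard, so regex there raises ValueError.
    """
    for cert in certs:
        if _match(cn_match, cn_pattern, cert.common_name, allow_regex=True) and \
           _match(issuer_match, issuer_pattern, cert.issuer, allow_regex=False):
            return cert
    return None


# Constructed sample store: a public-CA cert, a shared cert from the enterprise
# issuing CA, and the user's own machine cert from that same issuing CA.
SAMPLE_STORE = [
    StoreCert("alice.laptop.example.net", "Example Public CA"),
    StoreCert("helpdesk-shared", "Example Corp Issuing CA 1"),
    StoreCert("alice.laptop.example.net", "Example Corp Issuing CA 1"),
]


if __name__ == "__main__":
    # CN '*' with a pinned issuer: first cert from that issuer wins, which is
    # the shared helpdesk cert rather than the user's own.
    print(select_certificate(SAMPLE_STORE, "wildcard", "*", "simple", "Example Corp Issuing CA 1"))
    # Narrowing the CN with a regex selects the intended machine certificate.
    print(select_certificate(SAMPLE_STORE, "regex", r".*\.laptop\.example\.net",
                             "simple", "Example Corp Issuing CA 1"))
```

The point to take from running it: a common-name pattern of * combined with an issuer match selects whichever matching certificate the store search encounters first, so on a host holding several certificates from the same CA it may not be the one intended for VPN logon. Pin the issuer with a simple match on the CA's exact name and narrow the common name where the naming scheme allows.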

<mode>

IKEv1 connection mode. Enter one of the following: [aggressive | main]

Aggressive mode completes phase 1 in fewer messages but sends the peer identity and the authentication hash before the exchange is encrypted; with a preshared key that hash can be captured and attacked offline. Use main mode unless the FortiGate phase 1 is explicitly configured for aggressive mode (for example, for dial-up peers identified by peer ID). This setting applies to IKEv1 only.

<dhgroup>

A list of possible Diffie-Hellman (DH) groups, separated by semicolons. At least one listed group must also be enabled in the FortiGate phase 1 configuration, or the negotiation fails.

<key_life>

Phase 2 key expiry duration, in seconds.

Default value: 28800

<localid>

Enter the peer ID configured in the FortiGate phase 1 configuration. If Accept any peer ID has been configured, leave this field blank.

<peerid>

Enter the FortiGate certificate subject name or FQDN. The peer ID must match the certificate local ID on the FortiGate for a successful IPsec VPN connection.

<nat_traversal>

Enable NAT traversal.

Boolean value: [0 | 1]

<mode_config>

Enable mode configuration.

Boolean value: [0 | 1]

<enable_local_lan>

Enable local LAN access when using a full tunnel. This setting does not apply to split tunnels. Leaving it at 0 keeps the full tunnel exclusive: the host cannot reach other devices on its local subnet while connected.

Boolean value: [0 | 1]

Default value: 0

<block_outside_dns>

When this setting is 1, Windows uses only the VPN-pushed DNS server when using a full tunnel, which prevents DNS queries from leaking to the local network's resolver.

When this setting is 0, outside DNS server configuration is retained when the tunnel is up.

Boolean value: [0 | 1]

Default value: 0

<nat_alive_freq>

Interval, in seconds, between NAT traversal (NAT-T) keepalive packets, sent to keep the NAT mapping for UDP port 4500 open while the tunnel is idle.

<dpd>

Enable dead peer detection (DPD).

Boolean value: [0 | 1]

Default value: 1

<dpd_retry_count>

Number of unacknowledged DPD messages to send before declaring the peer dead.

Default value: 3

<dpd_retry_interval>

Length of the DPD idle period between DPD messages, in seconds.

Default value: 5

<enable_ike_fragmentation>

Support fragmented IKE packets. Enable this when IKE messages carrying certificates exceed the path MTU and intermediate devices drop IP fragments.

Default value: 0

<run_fcauth_system>

When this setting is 1, non-administrator users can use local machine certificates to connect to IPsec VPN. When this setting is 0, non-administrator users cannot use machine certificates to connect to IPsec VPN. Enable it only where a non-administrator user is meant to authenticate as the machine, since it lets such users exercise the machine certificate's private key through the VPN client.

Boolean value: [0 | 1]

Default value: 0

<failover_sslvpn_connection>

If the IPsec VPN connection fails, FortiClient attempts to connect to the SSL VPN tunnel named here. The value is the SSL VPN connection name as configured in FortiClient, for example "SSL VPN HQ".

<xauth_timeout>

Configure the IKE extended authentication (XAuth) timeout in seconds. If not configured, the default is two minutes (120 seconds). Enter a value between 120 and 300 seconds.

Default value: 120

<xauth> elements

<enabled>

Enable IKE XAuth.

Boolean value: [0 | 1]

<prompt_username>

Request a username.

Boolean value: [0 | 1]

<username>

Username on the IPsec server, in encrypted or non-encrypted form.

<password>

Password, in encrypted or non-encrypted form. Store it in encrypted form, or omit it and let the user enter it, because a non-encrypted value is readable by anyone who can read the profile.

<attempts_allowed>

Maximum number of failed login attempts allowed.

<use_otp>

Use One Time Password (OTP).

When disabled, FortiClient does not respond to DPD during XAuth.

When enabled, FortiClient responds to DPD during XAuth, which may be necessary when two-factor authentication and DPD are both involved; otherwise the peer may declare the client dead while the user is still entering the token code.

Boolean value: [0 | 1]

Default value: 0

<proposals> elements

<proposal>

Encryption and authentication types to use, separated by a pipe.

Example:

<proposal>3DES|MD5</proposal>

Multiple <proposal> elements are accepted. At least one must match a proposal in the FortiGate phase 1 configuration or the negotiation fails.

First setting: Encryption type: DES, 3DES, AES128, AES192, AES256

Second setting: Authentication type: MD5, SHA1, SHA256, SHA384, SHA512

DES, 3DES, MD5 and SHA1 are listed for compatibility with older peers only. New deployments should use an AES proposal with SHA256 or stronger (for example, <proposal>AES256|SHA256</proposal>) and remove the weak entries from both ends, since a peer that still offers them can be negotiated down to them.
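As an added example (not FortiClient's own code), the following Python lints the <ike_settings> block of a profile for the weak choices discussed under <mode> and <proposals>: IKEv1 aggressive mode (worse with a preshared key), DES/3DES/MD5/SHA1 proposals, disabled DPD, and an XAuth password embedded in the profile. The weak/strong classification is this script's own policy, not FortiClient's, and both profile fragments are constructed for the example.

```python
"""Lint a FortiClient <ike_settings> fragment for weak configuration.

Added example; not FortiClient code. Algorithm classification is this script's policy.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional

KNOWN_ENCRYPTION = {"DES", "3DES", "AES128", "AES192", "AES256"}
KNOWN_AUTH = {"MD5", "SHA1", "SHA256", "SHA384", "SHA512"}
WEAK_ENCRYPTION = {"DES", "3DES"}
WEAK_AUTH = {"MD5", "SHA1"}


def lint_ike_settings(xml_text: str) -> List[str]:
    """Parse the fragment and return human-readable findings (empty list if clean)."""
    root = ET.fromstring(xml_text)
    ike = root if root.tag == "ike_settings" else root.find(".//ike_settings")
    if ike is None:
        return ["no <ike_settings> element found"]

    def text(path: str) -> Optional[str]:
        el = ike.find(path)
        return (el.text or "").strip() if el is not None else None

    findings: List[str] = []
    version = text("version") or "1"          # documented default is IKEv1
    mode = text("mode")
    auth_method = text("authentication_method")

    # Aggressive mode only exists in IKEv1; it exposes identity and auth hash.
    if version == "1" and mode == "aggressive":
        msg = "IKEv1 aggressive mode sends the identity and authentication hash unencrypted"
        if auth_method == "Preshared Key":
            msg += "; with a preshared key the hash can be attacked offline"
        findings.append(msg)

    # Each <proposal> is ENCRYPTION|AUTH; flag malformed, unknown and weak entries.
    proposals = [(p.text or "").strip() for p in ike.findall("proposals/proposal")]
    if not proposals:
        findings.append("no <proposal> elements configured; cipher selection is not pinned")
    for prop in proposals:
        parts = prop.split("|")
        if len(parts) != 2:
            findings.append(f"malformed proposal {prop!r}: expected ENCRYPTION|AUTH")
            continue
        enc, auth = parts
        if enc not in KNOWN_ENCRYPTION or auth not in KNOWN_AUTH:
            findings.append(f"proposal {prop}: unknown algorithm name")
            continue
        if enc in WEAK_ENCRYPTION:
            findings.append(f"proposal {prop}: weak encryption {enc}")
        if auth in WEAK_AUTH:
            findings.append(f"proposal {prop}: weak authentication {auth}")

    if text("dpd") == "0":
        findings.append("dead peer detection disabled (<dpd>0</dpd>)")

    if text("xauth/password"):
        findings.append("XAuth password embedded in the profile; prefer interactive entry")

    return findings


# Constructed weak profile: IKEv1 aggressive mode with a PSK, a legacy
# proposal, DPD off and a stored XAuth password.
WEAK_PROFILE = """<ike_settings>
  <version>1</version>
  <mode><![CDATA[aggressive]]></mode>
  <authentication_method><![CDATA[Preshared Key]]></authentication_method>
  <dpd>0</dpd>
  <proposals>
    <proposal>3DES|MD5</proposal>
    <proposal>AES256|SHA256</proposal>
  </proposals>
  <xauth><enabled>1</enabled><password>hunter2</password></xauth>
</ike_settings>"""

# Constructed hardened profile, wrapped as it would sit inside <ipsecvpn>.
HARDENED_PROFILE = """<ipsecvpn><connections><connection>
  <ike_settings>
    <version>2</version>
    <authentication_method><![CDATA[Preshared Key]]></authentication_method>
    <dpd>1</dpd>
    <proposals><proposal>AES256|SHA256</proposal></proposals>
    <xauth><enabled>1</enabled><prompt_username>1</prompt_username></xauth>
  </ike_settings>
</connection></connections></ipsecvpn>"""


if __name__ == "__main__":
    for name, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, lint_ike_settings(profile) or ["no findings"])
```

Run it over an exported profile before deployment; the hardened fragment produces no findings, while the weak one reports each issue separately so the entries can be fixed on both the client and the FortiGate phase 1 at the same time.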

Sample XML using certificate authentication

<ipsecvpn>
  ...
  <connections>
    <connection>
      ...
      <ike_settings>
        <auth_data>
          <certificate>
            <common_name>
              <match_type><![CDATA[wildcard]]></match_type>
              <pattern><![CDATA[*]]></pattern>
            </common_name>
            <issuer>
              <match_type><![CDATA[simple]]></match_type>
              <pattern><![CDATA[Certificate Authority]]></pattern>
            </issuer>
          </certificate>
        </auth_data>
      </ike_settings>
      ...
    </connection>
  </connections>
  ...
</ipsecvpn>

This is a balanced but incomplete XML configuration fragment. All closing tags are included, but some important elements needed to complete the IPsec VPN configuration are omitted. See IPsec VPN for a more complete XML configuration example using a preshared key for authentication.

Because the common name pattern is * and the store search stops at the first match, this sample selects whichever certificate issued by "Certificate Authority" is found first. In production, set the issuer pattern to the exact name of your enterprise issuing CA and narrow the common name pattern where the certificate naming scheme allows.
