7.2.0

Enabling DTLS

FortiClient (Android) 7.2.1 and later versions support SSL VPN with DTLS. By default, FortiClient (Android) disables DTLS in advanced settings. You can enable DTLS in advanced settings or by registering FortiClient (Android) to EMS that has DTLS enabled for mobile devices.

To enable DTLS:
  1. In FortiOS, ensure that DTLS is enabled to allow SSL VPN connections to use DTLS:

    config vpn ssl settings
    set dtls-tunnel enable
    get | grep dtls
    end

    The following shows example output:

    dtls-tunnel         : enable 
    dtls-hello-timeout  : 10
    dtls-heartbeat-idle-timeout: 3
    dtls-heartbeat-interval: 3
    dtls-heartbeat-fail-count: 3
    dtls-max-proto-ver  : dtls1-2 
    dtls-min-proto-ver  : dtls1-0
  2. In FortiClient (Android), go to FortiClient settings > Prefer DTLS Tunnel. Ensure that the option is enabled.
    Note

    When FortiClient (Android) is registered to EMS, EMS controls this setting.

  3. Connect to the FortiGate that has dtls-tunnel enabled via SSL VPN.
  4. In the FortiOS CLI, verify that the connection uses DTLS by running the following commands:
    diagnose debug application sslvpn -1
    diagnose debug enable

    The console should show that DTLS is established:

    [2201:root:4]DTLS established: DTLSv1 ECDHE-RSA-AES256-GCM-SHA384 from

    [2201:root:4]sslvpn_dtls_handle_client_data:971 got type clthello-tun

    [2201:root:4]sslvpn_dtls_handle_client_data:1117 got cookie: K0JnTBo++SI9Kq/x4D70AMhk
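Added example (not Fortinet's code): a Python helper that parses the `get | grep dtls` output and the sslvpn debug lines from the steps above, flags a dtls-tunnel that is not enabled or a dtls-min-proto-ver below the floor you require (the sample output above sits at dtls1-0), and lists each established DTLS session with its negotiated version and cipher. The sample inputs are constructed from the page's example output, and the field names it reads are the ones shown there.

```python
import re

# Constructed sample of `get | grep dtls` output, copied from the page's example (not a live capture).
SAMPLE_SETTINGS = """\
dtls-tunnel         : enable
dtls-hello-timeout  : 10
dtls-heartbeat-idle-timeout: 3
dtls-heartbeat-interval: 3
dtls-heartbeat-fail-count: 3
dtls-max-proto-ver  : dtls1-2
dtls-min-proto-ver  : dtls1-0
"""

# Constructed sample of `diagnose debug application sslvpn -1` output from the page.
SAMPLE_DEBUG = """\
[2201:root:4]DTLS established: DTLSv1 ECDHE-RSA-AES256-GCM-SHA384 from
[2201:root:4]sslvpn_dtls_handle_client_data:971 got type clthello-tun
[2201:root:4]sslvpn_dtls_handle_client_data:1117 got cookie: K0JnTBo++SI9Kq/x4D70AMhk
"""

# Ordering of the proto-ver values shown in the FortiOS output (higher is newer).
DTLS_VERSIONS = {"dtls1-0": 1, "dtls1-2": 2}

def parse_settings(text):
    """Turn 'dtls-xxx : value' lines into a dict; ignores anything that is not a dtls-* key."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\s*(dtls-[\w-]+)\s*:\s*(\S+)", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def check_dtls_settings(settings, min_version="dtls1-2"):
    """Return findings as strings; an empty list means DTLS is on and the floor meets min_version."""
    findings = []
    if settings.get("dtls-tunnel") != "enable":
        findings.append("dtls-tunnel is not enabled")
    floor = settings.get("dtls-min-proto-ver")
    if floor not in DTLS_VERSIONS or DTLS_VERSIONS[floor] < DTLS_VERSIONS[min_version]:
        findings.append(f"dtls-min-proto-ver is {floor}, below {min_version}")
    return findings

# Matches the '[pid:vdom:n]DTLS established: <version> <cipher> ...' debug line.
DTLS_ESTABLISHED = re.compile(
    r"\[(?P<pid>\d+):(?P<vdom>\w+):\d+\]DTLS established: (?P<ver>\S+) (?P<cipher>\S+)")

def parse_dtls_sessions(debug_text):
    """Return (vdom, negotiated version, cipher) for every 'DTLS established' line."""
    sessions = []
    for line in debug_text.splitlines():
        m = DTLS_ESTABLISHED.search(line)
        if m:
            sessions.append((m.group("vdom"), m.group("ver"), m.group("cipher")))
    return sessions
```

Feed it the real `get | grep dtls` and debug output in place of the constructed samples; a non-empty findings list or an empty session list means step 1 or step 4 did not take effect.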
