<version>

Determine the IKE version. FortiClient supports IKE v1 and IKE v2. Enter 1 or 2.

<prompt_certificate>

Prompt for certificate on connection.

Boolean value: [0 | 1]

<implied_SPDO>

Specify which ports allow traffic. When this setting is 0, FortiClient only allows traffic from ports 500 and 4500. When this setting is 1, FortiClient allows other traffic during the connection phase, including Internet traffic.

Boolean value: [0 | 1]

<implied_SPDO_timeout>

When <implied_SPDO> is set to 1, <implied_SPDO_timeout> is the timeout in seconds.

FortiClient blocks all outbound non-IKE packets when <implied_SPDO> is set to 1. This is a security feature in the IPsec protocol. If the network traffic goes through a captive portal, the intended IPsec VPN server may be unreachable, until the user provides some credentials on a web page. Thus, setting <implied_SPDO> to 1 may have the side effect of blocking access to the captive portal, which in turn blocks access to the IPsec VPN server.

To avoid this deadlock, set <implied_SPDO_timeout> to a value greater than 0. FortiClient allows all outbound traffic (including non-IKE traffic) for the duration configured. Some users find that a value of 30 or 60 seconds suffices. If <implied_SPDO_timeout> is set to 0, the <implied_SPDO> element behaves as if set to 0.

When <implied_SPDO> is set to 0, <implied_SPDO_timeout> is ignored.

<server>

IP address or FQDN.

<authentication_method>

Authentication method. Enter one of the following:

• Preshared Key
• X509 Certificate
• Smartcard X509 Certificate
• System Store X509 Certificate

<cert_subjectcheck>

Enable FortiClient to check the certificate configured on the FortiGate under the following command:

config vpn ipsec phase1-interface
    edit "<interface>"
        set authmethod signature
        set certificate "<certificate>"
    next
end

FortiClient checks that this certificate common name matches the VPN gateway hostname FQDN. If there is no match, the VPN connection does not succeed.

Boolean value: [0 | 1]

<preshared_key>

Encrypted value of the preshared key.

<match_type>

Enter the type of matching to use:

• simple: exact match
• wildcard: wildcard
• regex: regular expressions

<pattern>

Enter the pattern to use for the type of matching.

<match_type>

Enter the type of matching to use:

• simple: exact match
• wildcard: wildcard

<pattern>

Enter the pattern to use for the type of matching.

<match_type>

Enter the type of matching to use. Choose from:

• simple: exact match
• wildcard: wildcard
• regex: regular expressions

<pattern>

Enter the pattern to use for the type of matching.

<mode>

Connection mode. Enter one of the following: [aggressive | main]

<dhgroup>

A list of possible Diffie-Hellman (DH) protocol groups, separated by semicolons.

<key_life>

Phase 2 key expiry duration, in seconds.

<localid>

Enter the peer ID configured in the FortiGate phase 1 configuration. If Accept any peer ID has been configured, leave this field blank.

<peerid>

Enter the FortiGate certificate subject name or FQDN. The peer ID must match the certificate local ID on the FortiGate for a successful IPsec VPN connection.

<nat_traversal>

Enable NAT traversal.

Boolean value: [0 | 1]

<sase_mode>

When enabled, the IPsec VPN forces the new connection port (including the first message) to use port 4500. All traffic that goes through this IPsec VPN tunnel is seen on port 4500. IKE_SA_INIT also has the EMS serial number as its payload. You must enable this feature to provide IPsec VPN-based SASE.

For this feature to function correctly, you must configure the following on the FortiGate:

config system settings

set ike-port 4500

end

This feature only supports IKEv2 and requires NAT traversal to be enabled.

Boolean value: [0 | 1]

<mode_config>

Enable mode configuration.

Boolean value: [0 | 1]

<enable_local_lan>

Enable local LAN when using a full tunnel. This setting does not apply to split tunnels.

Boolean value: [0 | 1]

<block_outside_dns>

When this setting is 1, Windows uses only the VPN-pushed DNS server when using a full tunnel.

When this setting is 0, outside DNS server configuration is retained when the tunnel is up.

Boolean value: [0 | 1]

<nat_alive_freq>

NAT alive frequency.

<dpd>

Enable dead peer detection (DPD).

Boolean value: [0 | 1]

<dpd_retry_count>

Number of times to send unacknowledged DPD messages before declaring peer as dead.

Maximum value is 10. If the specified value is greater than the maximum (10), FortiClient uses the default value (3) instead.

<dpd_retry_interval>

Duration of DPD idle periods, in seconds.

Maximum value is 120. If the specified value is greater than the maximum (120), FortiClient uses the default value (5) instead.

<enable_ike_fragmentation>

Support fragmented IKE packets.

Boolean value: [0 | 1]

<run_fcauth_system>

When you enable this setting, non-administrators can use local machine certificates to connect IPsec VPN.

When you disable this setting, non-administrators cannot use machine certificates to connect IPsec VPN.

Boolean value: [0 | 1]

<sso_enabled>

Enable SAML single sign on login for the VPN tunnel. For this feature to function, you must configure the necessary options on the service and identity providers. See IPsec VPN SAML-based authentication.

Boolean value: [0 | 1]

<use_external_browser>

Display the SAML authentication prompt in an external browser instead of in the FortiClient GUI.

If you configure <version> as 2 and <sso_enabled> as 1, this field is automatically enabled. Only IKEv2 tunnels support using an external browser for IPsec VPN.

Boolean value: [0 | 1]

<ike_saml_port>

Enter the port number that FortiClient uses to communicate with the FortiGate, which acts as the SAML service provider.

<failover_sslvpn_connection>

If the IPsec VPN connection fails, FortiClient attempts to connect to the specified SSL VPN tunnel. In the example, the SSL VPN tunnel name is "SSL VPN HQ".

<xauth_timeout>

Configure the IKE extended authentication (XAuth) timeout in seconds. Default value is two minutes (120 seconds) if not configured. Enter a value between 120 and 300 seconds.

<networkid>

Configure a network ID value between 0 to 255 to differentiate between multiple IKEv2 certificate-based phase 1 tunnels.

The network ID is a Fortinet proprietary attribute used to select the correct phase 1 between IPsec peers, so that multiple IKEv2 tunnels can be established between the same local or remote gateway pairs.

In a dialup VPN, the network ID is in the first initiator message of an IKEv2 phase 1 negotiation. The responder (hub) uses the network ID to match a phase 1 configuration with a matching network ID. The hub can then differentiate multiple dialup phase 1s that are bound to the same underlay interface and IP address. Without a network ID, the hub cannot have multiple phase 1 dialup tunnels on the same interface.

Static phase 1 configurations use network ID with the pair of gateway IPs to negotiate the correct tunnel with a matching network-id. This allows IPsec peers to use the same pair of underlay IPs to establish multiple IPsec tunnels. Without it, only a single tunnel can be established over the same pair of underlay IPs.

The <networkid> option is not supported on FortiClient iOS or Android.

<eap_method>

This option applies for FortiClient (macOS).

Configure one of the following for the EAP method:

• 1: requires EAP-MSCHAPv2 authentication.
• 2: requires EAP-TTLS/PAP authentication.
• 0: allows EAP-MSCHAPv2 or EAP-TTLS/PAP authentication.

<remove_password_for_unexpected_eap_failure>

Configure whether to remove the old saved password when FortiClient does not receive the expected “expiring due to EAP failure” message.

Boolean value: [0 | 1]

<fido_auth>

Enable to allow Yubikey (FIDO2) authentication for the FortiClient embedded browser for macOS.

Boolean value: [0 | 1]

<enabled>

Enable IKE XAuth.

Boolean value: [0 | 1]

<prompt_username>

Request a username.

Boolean value: [0 | 1]

<username>

Encrypted or non-encrypted username on the IPsec server.

<password>

Encrypted or non-encrypted password.

<attempts_allowed>

Maximum number of failed login attempts allowed.

<use_otp>

Use One Time Password (OTP).

When disabled, FortiClient does not respond to DPD during XAuth.

When enabled, FortiClient responds to DPD during XAuth, which may be necessary when two-factor authentication and DPD are both involved.

Boolean value: [0 | 1]