IPsec VPN
IPsec VPN configurations have one <options> section and one or more <connection> sections:
<forticlient_configuration>
<vpn>
<ipsecvpn>
<options>
<show_auth_cert_only>1</show_auth_cert_only>
<disconnect_on_log_off>1</disconnect_on_log_off>
<enabled>1</enabled>
<beep_if_error>0</beep_if_error>
<beep_continuously>0</beep_continuously>
<beep_seconds>0</beep_seconds>
<usewincert>1</usewincert>
<use_win_current_user_cert>1</use_win_current_user_cert>
<use_win_local_computer_cert>1</use_win_local_computer_cert>
<block_ipv6>1</block_ipv6>
<uselocalcert>0</uselocalcert>
<usesmcardcert>1</usesmcardcert>
<enable_udp_checksum>0</enable_udp_checksum>
<mtu_size>1300</mtu_size>
<disable_default_route>0</disable_default_route>
<check_for_cert_private_key>1</check_for_cert_private_key>
<enhanced_key_usage_mandatory>1</enhanced_key_usage_mandatory
<no_dns_registration>0</no_dns_registration>
<prefer_ipsecvpn_dns>1</prefer_ipsecvpn_dns>
<disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
</options>
<connections>
<connection>
<name>ipsecdemo</name>
<single_user_mode>0</single_user_mode>
<type>manual</type>
<disclaimer_msg></disclaimer_msg>
<redundant_sort_method>0</redundant_sort_method>
<failover_sslvpn_connection>SSLVPN_Name</failover_sslvpn_connection>
<machine>0</machine>
<keep_running>0</keep_running>
<keep_fqdn_resolution_consistency>1</keep_fqdn_resolution_consistency>
<transport_mode>0</transport_mode>
<udp_port>5000</udp_port>
<android_cert_path>certdir/</android_cert_path>
<ui>
<show_passcode>0</show_passcode>
<show_remember_password>1</show_remember_password>
<show_alwaysup>1</show_alwaysup>
<show_autoconnect>1</show_autoconnect>
<save_username>0</save_username>
<save_password>0</save_password>
</ui>
<ike_settings>
<version>1</version>
<prompt_certificate>0</prompt_certificate>
<implied_SPDO>0</implied_SPDO>
<implied_SPDO_timeout>0</implied_SPDO_timeout>
<server>ipsecdemo.fortinet.com</server>
<authentication_method>Preshared Key</authentication_method>
<auth_data>
<preshared_key>Encdab907ed117eafaadd92f82b3e768b5414e4402dbd4df4585d4202c65940f1b2e9</preshared_key>
</auth_key>
<mode>aggressive</mode>
<dhgroup>5;</dhgroup>
<key_life>28800</key_life>
<localid></localid>
<nat_traversal>1</nat_traversal>
<sase_mode>1</sase_mode>
<mode_config>1</mode_config>
<enable_local_lan>0</enable_local_lan>
<block_outside_dns>0</block_outside_dns>
<nat_alive_freq>5</nat_alive_freq>
<dpd>1</dpd>
<dpd_retry_count>3</dpd_retry_count>
<dpd_retry_interval>5</dpd_retry_interval>
<fgt>1</fgt>
<enable_ike_fragmentation>0</enable_ike_fragmentation>
<run_fcauth_system>0</run_fcauth_system>
<sso_enabled>1</sso_enabled>
<use_external_browser>0</use_external_browser>
<ike_saml_port>10428</ike_saml_port>
<failover_sslvpn_connection>SSLVPN HQ</failover_sslvpn_connection>
<xauth_timeout>120</xauth_timeout>
<session_resume>1</session_resume>
<networkid>0</networkid>
<eap_method>1</eap_method>
<fido_auth>1</fido_auth>
<xauth>
<enabled>1</enabled>
<prompt_username>1</prompt_username>
<username>Encrypted/NonEncrypted_UsernameString</username>
<password />
<attempts_allowed>1</attempts_allowed>
<use_otp>0</use_otp>
</xauth>
<proposals>
<proposal>3DES|MD5</proposal>
<proposal>3DES|SHA1</proposal>
<proposal>AES128|MD5</proposal>
<proposal>AES128|SHA1</proposal>
<proposal>AES256|SHA256</proposal>
</proposals>
</ike_settings>
<ipsec_settings>
<remote_networks>
<network>
<addr>0.0.0.0</addr>
<mask>0.0.0.0</mask>
</network>
</remote_networks>
<ipv4_split_exclude_networks>
<subnetwork>10.10.10.0/255.255.255.0</subnetwork>
<subnetwork>13.106.56.0/25</subnetwork>
<subnetwork>teams.microsoft.com</subnetwork>
</ipv4_split_exclude_networks>
<dhgroup>5</dhgroup>
<key_life_type>seconds</key_life_type>
<key_life_seconds>1800</key_life_seconds>
<key_life_Kbytes>5120</key_life_Kbytes>
<replay_detection>1</replay_detection>
<pfs>1</pfs>
<use_vip>1</use_vip>
<virtualip>
<dnsserver_secondary></dnsserver_secondary>
<type>modeconfig</type>
<ip>0.0.0.0</ip>
<mask>0.0.0.0</mask>
<dnsserver>0.0.0.0</dnsserver>
<winserver>0.0.0.0</winserver>
</virtualip>
<proposals>
<proposal>3DES|MD5</proposal>
<proposal>3DES|SHA1</proposal>
<proposal>AES128|MD5</proposal>
<proposal>AES128|SHA1</proposal>
<proposal>AES256|SHA256</proposal>
</proposals>
</ipsec_settings>
<on_connect>
<script>
<os>windows</os>
<script>
<![CDATA[]]>
</script>
</script>
</on_connect>
<on_disconnect>
<script>
<os>windows</os>
<script>
<script>
<![CDATA[]]>
</script>
</script>
</script>
</on_disconnect>
<traffic_control>
<enabled>1</enabled>
<mode>2</mode>
<apps>
<app>%LOCALAPPDATA%\Microsoft\Teams\Current\Teams.exe</app>
<app>%appdata%\Zoom\bin\Zoom.exe</app>
<app>C:\Program Files (x86)\Microsoft\Skype for Desktop\skype.exe</app>
<app>%LOCALAPPDATA%\GoToMeeting\18068\g2mcomm.exe</app>
<app>%LOCALAPPDATA%\GoToMeeting\18068\g2mlauncher.exe</app>
<app>%LOCALAPPDATA%\GoToMeeting\18068\g2mstart.exe</app>
</apps>
<fqdns>
<fqdn>webex.com</fqdn>
<fqdn>gotomeeting.com</fqdn>
<fqdn>youtube.com</fqdn>
</fqdns>
</traffic_control>
<tags>
<allowed>NoVuln</allowed>
<prohibited>CriticalVuln</prohibited>
</tags>
<azure_auto_login>
<enabled>1</enabled>
<azure_app>
<client_id>...</client_id>
<tenant_name>...</tenant_name>
</azure_app>
</azure_auto_login>
<vpn_before_logon>
<username_format>username</username_format>
<vpn_before_logon/>
</connection>
</connections>
</ipsecvpn>
</vpn>
</forticlient_configuration>
The following table provides the XML tags for IPsec VPN, as well as the descriptions and default values where applicable:
|
XML tag |
Description |
Default value |
|---|---|---|
|
|
||
|
<show_auth_cert_only> |
Suppress dialogs from displaying in FortiClient when using SmartCard certificates. Boolean value: |
0 |
|
<disconnect_on_log_off> |
Drop the established VPN connection when the user logs off. Boolean value: |
1 |
|
<enabled> |
Enable IPsec VPN. Boolean value: |
1 |
|
<beep_if_error> |
Beep if VPN connection attempt fails. Boolean value: |
0 |
|
<beep_continuously> |
Enable continuous beep. Boolean value: |
1 |
|
<beep_seconds> |
Enter a value for the number of seconds after which to beep if an error occurs. |
60 |
|
<usewincert> |
Use Windows certificates for connections. Boolean value: |
|
|
<use_win_current_user_cert> |
Use Windows current user certificates for connections. Boolean value: |
1 |
|
<use_win_local_computer_cert> |
Use Windows local computer certificates for connections. Boolean value: |
1 |
|
<block_ipv6> |
When you disable this setting, FortiClient allows IPv6 traffic. When you enable this setting, FortiClient blocks IPv6 traffic sent outside of VPN interface when it establishes the VPN connection. Boolean value: |
0 |
|
<uselocalcert> |
Use local certificates for connections. Boolean value: |
|
|
<usesmcardcert> |
Use certificates on smart cards. Boolean value: |
|
|
<enable_udp_checksums> |
Enable UDP checksums. This setting stops FortiClient from calculating and inserting checksums into the UDP packets that it creates. Boolean value: |
0 |
|
<mtu_size> |
Maximum Transmit Unit (MTU) size for packets on the VPN tunnel. Set from a minimum of |
|
|
<disable_default_route> |
Disable the default route to the gateway when the tunnel is up and restore after the tunnel is down. Boolean value: |
0 |
|
<check_for_cert_private_key> |
Enable checks for the Windows certificate private key. Boolean value: |
0 |
|
<enhanced_key_usage_mandatory> |
Enable certificates with enhanced key usage. Used with Boolean value: |
|
|
<no_dns_registration> |
When this setting is When this setting is When this setting is |
0 |
|
<prefer_ipsecvpn_dns> |
When you disable this setting, FortiClient only modifies DNS settings for adapters used for IPsec VPN connections. When you enable this setting, FortiClient modifies DNS settings for all active adapters. Boolean value: |
1 |
|
<disallow_invalid_server_certificate> |
When you disable this setting and an invalid server certificate is used, FortiClient displays a popup that allows the user to continue with the invalid certificate. When you enable this setting and an invalid server certificate is used, FortiClient does not display a popup and stops the connection. This setting checks the certificate used for SAML authentication that FortiOS, in the role of the SAML service provider, presents to FortiClient. On FortiOS, this certificate is configured under the following command: config user setting
set auth-cert "<certificate>"
end
Boolean value: |
|
The <connections> XML tag may contain one or more <connection> element. Each <connection> has the following:
- name and type: name and type of connection
- Internet Key Exchange (IKE) settings: information used to establish an IPsec VPN connection
- IPsec settings:
- on_connect: a script to run right after a successful connection
- on_disconnect: a script to run just after a disconnection
The following table provides VPN connection XML tags, the description, and the default value (where applicable):
|
XML tag |
Description |
Default Value |
|---|---|---|
|
<name> |
VPN connection name. |
|
|
<single_user_mode> |
Enable single user mode. If enabled, new and existing VPN connections cannot be established or are disconnected if more than one user is logged in. Boolean value: |
0 |
|
<type> |
IPsec VPN connection type. Enter one of the following: |
|
|
<disclaimer_msg> |
Enable and enter a disclaimer message that appears when the user attempts VPN connection. The user must accept the message to allow connection. |
|
|
<redundant_sort_method> |
How FortiClient determines the order in which to try connection to the IPsec VPN servers when more than one is defined. FortiClient calculates the order before each IPsec VPN connection attempt.
|
0 |
|
<failover_sslvpn_connection> |
If the IPsec VPN connection fails, FortiClient attempts to connect to the specified SSL VPN tunnel. |
|
|
<machine> |
When this setting is 1, FortiClient can connect to the tunnel without user interaction. See Boolean value: |
|
|
<keep_running> |
Ensures that the VPN tunnel remains connected if it is already connected. This is useful when there is a temporary network disconnection that causes the tunnel to drop the connection. An EMS-pushed tunnel with Boolean value: |
0 |
|
<keep_fqdn_resolution_consistency> |
Keep IPsec VPN connection gateway IP address consistent by keeping resolved FQDN in hosts file before FortiClient establishes IPsec VPN connection. Boolean value: |
0 |
|
|
Configure the desired transport mode for this connection. Possible values are:
|
|
|
<udp_port> |
If |
|
|
<tcp_port> |
If |
|
|
<android_cert_path> |
Configure a certificate location for FortiClient (Android) to automatically go to when doing the following:
See Certificate path configuration for automated certificate selection. |
|
|
The elements of the |
||
|
<show_passcode> |
Display Passcode instead of Password on the Remote Access tab in the console. Boolean value: |
|
|
<show_remember_password> |
Display the Save Password checkbox in the console. Boolean value: |
|
|
<show_alwaysup> |
Display the Always Up checkbox in the console. Boolean value: |
|
|
<show_autoconnect> |
Display the Auto Connect checkbox in the console. Boolean value: |
|
|
<save_username> |
Save and display the last username used for VPN connection. Boolean value: |
|
|
<save_password> |
When enabled, Save Password is enabled for the VPN tunnel in the FortiClient GUI. An EMS-pushed tunnel with Boolean value: |
0 |
|
|
|
|
|
<enabled> |
To enable the feature, enter Boolean value: |
|
|
<mode> |
Enter |
|
|
<app> |
Specify which application traffic to exclude from the VPN tunnel and redirect to the endpoint physical interface. You can specify an application using its process name, full path, or the directory where it is installed. You can enter file and directory paths using environment variables, such as %LOCALAPPDATA%,%programfiles%, and %appdata%. Do not use spaces in the tail or head, or add double quotes to full paths with spaces. To find a running application's full path, on the Details tab in Task Manager, add the Image path name column. Once the VPN tunnel is up, FortiClient binds the specified applications to the physical interface. In the example, for the GoToMeeting path, 18068 refers to the current installed version of the GoToMeeting application. |
|
|
<fqdn> |
Specify which FQDN traffic to exclude from the VPN tunnel and redirect to the endpoint physical interface. The FQDN resolved IP address is dynamically added to the route table when in use, and is removed after disconnection. In the example, youtube.com equals youtube.com and *.youtube.com. After defining an FQDN, such as youtube.com in the example, if you use any popular browser such as Chrome, Edge, or Firefox to access youtube.com, this traffic does not go through the VPN tunnel. |
|
|
|
|
|
|
<allowed> |
Enter the desired security posture tags. If EMS has tagged this endpoint with any of the entered tags, FortiClient allows the endpoint to connect to the VPN tunnel. |
|
|
<prohibited> |
Enter the desired security posture tags. If EMS has tagged this endpoint with any of the entered tags, FortiClient denies the endpoint from connecting to the VPN tunnel. |
|
|
|
||
|
<enabled> |
Enable FortiClient to autoconnect to this IPsec VPN tunnel on a Microsoft Entra ID domain-joined endpoint using the Entra ID credentials. See Autoconnect to IPsec VPN using Entra ID logon session information. Boolean value: |
|
|
<azure_app><client_id> |
Enter the Entra ID enterprise application client ID. You can find this information on the Entra ID portal. |
|
|
<azure_app><tenant_name> |
Enter the Azure tenant ID. You can find this information on the Entra ID portal. |
|
|
<vpn_before_logon><username_format> |
Configure the required username format for the VPN before logon connection to successfully authenticate. This configuration takes effect if the user selects their username from the left panel when logging into Windows instead of typing in their name. Configure one of the following:
|
username |
|
The VPN connection name is mandatory. If a connection of this type and this name exists, FortiClient overwrites its values with the new ones. |