iOS VPN Configuration

FortiGate-to-iPhone IPSec VPN configuration guide (Japanese and English version)
http://kb.fortinet.com/kb/documentLink.do?popup=true&externalID=FD31619&languageId=

Description
The attachments to this article provide a FortiGate to iPhone IPSec VPN setup guide including the GUI configurations steps (Japanese and English versions).

The article also gives a FortiGate CLI configuration example for a FortiGate to iPhone IPSec setting.

This configuration is not compatible with v4.0 MR3; for that firmware version refer to the related article "Technical Note: iPhone and iPad Dialup User IPSec VPN sample configuration for FortiOS v4.0 MR3".

Scope
FortiOS v4.0 MR1 and FortiOS v4.0 MR2.

Solution
The following FortiGate CLI configuration provides an example for a FortiGate to iPhone IPSec setting. Refer to iPhone product documentation for the iPhone configuration.

Create Users, User Groups and Address Objects:
config user local
edit "testuser1"
set status enable
set type password
set passwd <password>
next
end

config user group
edit "iPhoneVPN"
set group-type firewall
set ldap-memberof ''
set member "testuser1"
set profile ''
set authtimeout 0
set ftgd-wf-ovrd deny
next
end

config firewall address

edit "LAN"
set associated-interface "switch"
set comment ''
set type ipmask
set subnet 10.1.1.0 255.255.255.0
next

edit "iPhoneVPNUsers"
set associated-interface "Any"
set comment ''
set type ipmask
set subnet 172.16.101.0 255.255.255.0
next
end

Configure IPSec Phase 1:
config vpn ipsec phase1-interface
edit "iPhone"
set type dynamic
set interface "wan1"
set ip-version 4
set local-gw 0.0.0.0
set localid ''
set dpd enable
set nattraversal enable
set dhgrp 2
set proposal 3des-sha1 3des-md5
set keylife 28800
set authmethod psk
set peertype any
set xauthtype auto
set mode main
set mode-cfg enable
set authusrgrp "iPhoneVPN"
set default-gw 0.0.0.0
set default-gw-priority 0
set dpd-retrycount 3
set dpd-retryinterval 5
set assign-ip enable
set mode-cfg-ip-version 4
set assign-ip-from range
set add-route enable
set ipv4-start-ip 172.16.101.1
set ipv4-end-ip 172.16.101.254
set ipv4-netmask 255.255.255.0
set ipv4-dns-server1 0.0.0.0
set ipv4-dns-server2 0.0.0.0
set ipv4-dns-server3 0.0.0.0
set ipv4-wins-server1 0.0.0.0
set ipv4-wins-server2 0.0.0.0
set ipv4-split-include "LAN"
set unity-support enable
set domain ''
set banner ''
set psksecret <psk>
set keepalive 10
set distance 1
set priority 0
next
end

Configure IPSec Phase 2:
config vpn ipsec phase2-interface
edit "iPhone-P2"
set dst-addr-type subnet
set dst-port 0
set keepalive disable
set keylife-type seconds
set pfs enable
set phase1name "iPhone"
set proposal aes256-sha1 aes256-sha256
set protocol 0
set replay enable
set route-overlap use-new
set single-source disable
set src-addr-type subnet
set src-port 0
set dhgrp 2
set dst-subnet 0.0.0.0 0.0.0.0
set keylifeseconds 1800
set src-subnet 0.0.0.0 0.0.0.0
next
end

Configure Firewall Policies:

VPN => LAN
config firewall policy
edit 1
set srcintf "iPhone"
set dstintf "switch"
set srcaddr "iPhoneVPNUsers"
set dstaddr "LAN"
set action accept
set status enable
set logtraffic enable
set per-ip-shaper ''
set session-ttl 0
set wccp disable
set disclaimer disable
set natip 0.0.0.0 0.0.0.0
set match-vip disable
set diffserv-forward disable
set diffserv-reverse disable
set tcp-mss-sender 0
set tcp-mss-receiver 0
set comments ''
set endpoint-check disable
set label ''
set identity-based disable
set schedule "always"
set service "ANY"
set profile-status disable
set traffic-shaper ''
set nat disable
next
end

LAN => VPN
config firewall policy
edit 2
set srcintf "switch"
set dstintf "iPhone"
set srcaddr "LAN"
set dstaddr "iPhoneVPNUsers"
set action accept
set status enable
set logtraffic enable
set per-ip-shaper ''
set session-ttl 0
set wccp disable
set disclaimer disable
set natip 0.0.0.0 0.0.0.0
set match-vip disable
set diffserv-forward disable
set diffserv-reverse disable
set tcp-mss-sender 0
set tcp-mss-receiver 0
set comments ''
set endpoint-check disable
set label ''
set identity-based disable
set schedule "always"
set service "ANY"
set profile-status disable
set traffic-shaper ''
set nat disable
next
end
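The four blocks above only work as a tunnel when their cross-references line up: the phase 2 entry must name the phase 1, the split-include must be a defined address object, and the mode-config pool handed to iPhones (ipv4-start-ip to ipv4-end-ip) must fall inside the address object the firewall policies match on, otherwise the policies never match and traffic is silently dropped. The following Python script is an added example, not Fortinet tooling or part of this article: it parses FortiOS "config/edit/set/next/end" text into dictionaries and runs those checks, and additionally flags the 3DES and MD5 proposals and DH group 2 used in this example, which are below current strength recommendations (AES and SHA-2 with DH group 14 or higher are the usual minimum today). The embedded SAMPLE_CONFIG is a constructed subset of the article's configuration (the first policy only); point lint_vpn at a full configuration backup to run the same checks on a live unit.

```python
# Added example (not Fortinet tooling): lint the iPhone IPsec configuration above for broken
# cross-references and deprecated crypto before pushing it to a FortiGate.
import shlex
from ipaddress import IPv4Address, IPv4Network

# Constructed sample: the lines of the article's configuration that the checks below depend on.
SAMPLE_CONFIG = """\
config firewall address
edit "LAN"
set subnet 10.1.1.0 255.255.255.0
next
edit "iPhoneVPNUsers"
set subnet 172.16.101.0 255.255.255.0
next
end
config vpn ipsec phase1-interface
edit "iPhone"
set dhgrp 2
set proposal 3des-sha1 3des-md5
set ipv4-start-ip 172.16.101.1
set ipv4-end-ip 172.16.101.254
set ipv4-split-include "LAN"
next
end
config vpn ipsec phase2-interface
edit "iPhone-P2"
set phase1name "iPhone"
set proposal aes256-sha1 aes256-sha256
set dhgrp 2
next
end
config firewall policy
edit 1
set srcintf "iPhone"
set dstintf "switch"
set srcaddr "iPhoneVPNUsers"
set dstaddr "LAN"
next
end
"""

def parse_fortios(text):
    """Parse FortiOS 'config/edit/set/next/end' text into {table: {entry: {key: [values]}}}."""
    tables, ctx = {}, []  # ctx is a stack of [table name, current edit entry]
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0] == "config":
            ctx.append([" ".join(tok[1:]), None])
            tables.setdefault(ctx[-1][0], {})
        elif tok[0] == "edit":
            ctx[-1][1] = tok[1]
            tables[ctx[-1][0]].setdefault(tok[1], {})
        elif tok[0] == "set":
            tables[ctx[-1][0]][ctx[-1][1]][tok[1]] = tok[2:]
        elif tok[0] == "end":
            ctx.pop()
    return tables

def weak_crypto(label, entry):
    """Flag DES/3DES or MD5 in proposals, and DH groups 1/2/5 (below 2048-bit MODP)."""
    out = []
    for prop in entry.get("proposal", []):
        weak = [p for p in prop.split("-") if p in ("des", "3des", "md5")]
        if weak:
            out.append(f"{label}: proposal {prop} uses deprecated {'/'.join(weak)}")
    out += [f"{label}: DH group {g} is below 2048-bit MODP"
            for g in entry.get("dhgrp", []) if g in ("1", "2", "5")]
    return out

def lint_vpn(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_fortios(text)
    addrs = cfg.get("firewall address", {})
    p1s, p2s = cfg.get("vpn ipsec phase1-interface", {}), cfg.get("vpn ipsec phase2-interface", {})
    policies = list(cfg.get("firewall policy", {}).values())
    findings = []
    for name, p1 in p1s.items():
        findings += [f"phase1 {name}: split-include {a!r} is not a defined address"
                     for a in p1.get("ipv4-split-include", []) if a not in addrs]
        findings += weak_crypto(f"phase1 {name}", p1)
        # Address objects the policies match against on the tunnel side of this phase1
        nets = []
        for pol in policies:
            side = "srcaddr" if pol.get("srcintf") == [name] else "dstaddr" if pol.get("dstintf") == [name] else None
            for a in (pol.get(side, []) if side else []):
                s = addrs.get(a, {}).get("subnet")
                if s:
                    nets.append(IPv4Network(f"{s[0]}/{s[1]}", strict=False))
        # The mode-config pool must fall inside those objects, or the policies never match the clients
        pool = [IPv4Address(p1[k][0]) for k in ("ipv4-start-ip", "ipv4-end-ip") if k in p1]
        if not all(any(ip in n for n in nets) for ip in pool):
            findings.append(f"phase1 {name}: mode-config pool {pool[0]}-{pool[-1]} is outside the policy address objects")
    for name, p2 in p2s.items():
        if p2.get("phase1name", [""])[0] not in p1s:
            findings.append(f"phase2 {name}: phase1name does not match a phase1")
        findings += weak_crypto(f"phase2 {name}", p2)
    return findings

if __name__ == "__main__":
    print(*lint_vpn(SAMPLE_CONFIG), sep="\n")
```

Run against the article's values the script reports four findings, all about crypto strength (the two 3DES proposals, and DH group 2 in both phases); the references themselves are consistent. Replacing the proposals with aes256-sha256 and dhgrp with 14 clears the list, and moving ipv4-end-ip outside 172.16.101.0/24 triggers the pool check, which is the failure mode that shows up in practice as a tunnel that comes up but passes no traffic.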