iPhone 3G 3GS IPSec VPN Connection to Fortinet Fortigate Firewall

Stealthlude
I've been trying for hours and not making any progress.

We have a Fortinet 60B Firewall appliance at work and I am currently using PPTP VPN to get a network connection to manage my servers.

The iPhone looks like it uses a Cisco IPSec client, and also offers L2TP, but I'm not sure that will work as I don't see anything for L2TP in my Fortinet setup. Is L2TP the same as IPSec?

Question is: can it, and will it, even work?
The Cisco IPSec client is on the phone; are there some custom settings I can use on the Fortinet or iPhone?

I even contacted Fortinet Technical support and they were not able to get me a solid answer.

Worst case???:
Or am I just screwed and forced to buy a Cisco ASA 5505? If I do get a Cisco 5505, can I use it with my Fortinet? I only need the Cisco used in transparent mode or something to authenticate the iPhones only. All other security is taken care of by the Fortinet. What's the best way to configure this?
L2TP and IPSEC are totally different. L2TP has only minimal encryption. Try to avoid it.
IPSEC ought to work. I'm not too sure about the settings but I will look it up.
Just out of curiosity, is this the way you have been trying for hours?

http://support.apple.com/kb/HT1424

The iPhone should support PPTP VPN out of the box.

If you want to use IPSEC then it sounds like you will have to use the Cisco client, and to do so you will have to buy a Cisco device of some kind.

As to your question about the ASA just to do VPN connections, that will work just fine, but having a secondary internet address will make it an easier install.

Regards,

3nerds
I found the problem... iPhone or Cisco client support was not available until FortiOS 4.0 MR1 Patch 1.

My FortiOS was running on the latest patch of 3.0.

Source:
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD30893&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=2159120&stateId=0%200%202157876


Create Users, User Groups & Address Objects

config user local
    edit "testuser1"
        set status enable
        set type password
        set passwd <password>
    next
end

config user group
    edit "iPhoneVPN"
        set group-type firewall
        set ldap-memberof ''
        # no leading space inside the quotes: " testuser1" would not match the user above
        set member "testuser1"
        set profile ''
        set authtimeout 0
        set ftgd-wf-ovrd deny
    next
end

config firewall address
    # internal network reachable through the tunnel
    edit "LAN"
        set associated-interface "switch"
        set comment ''
        set type ipmask
        set subnet 10.1.1.0 255.255.255.0
    next
    # pool handed out to dial-up clients by mode-cfg (must match the phase 1 range)
    edit "iPhoneVPNUsers"
        set associated-interface "Any"
        set comment ''
        set type ipmask
        set subnet 172.16.101.0 255.255.255.0
    next
end


Configure IPSEC Phase 1

config vpn ipsec phase1-interface
    edit "iPhone"
        # dial-up tunnel: any peer may connect, users are identified by XAuth
        set type dynamic
        set interface "wan1"
        set ip-version 4
        set local-gw 0.0.0.0
        set localid ''
        set dpd enable
        set nattraversal enable
        # 3DES/MD5 and DH group 2 are weak by current standards; offer AES,
        # SHA-2 and DH group 14 or higher wherever the client supports them
        set dhgrp 2
        set proposal 3des-sha1 3des-md5
        set keylife 28800
        set authmethod psk
        set peertype any
        set xauthtype auto
        set mode main
        set mode-cfg enable
        set authusrgrp "iPhoneVPN"
        set default-gw 0.0.0.0
        set default-gw-priority 0
        set dpd-retrycount 3
        set dpd-retryinterval 5
        # addresses pushed to the client; keep in sync with the "iPhoneVPNUsers" object
        set assign-ip enable
        set mode-cfg-ip-version 4
        set assign-ip-from range
        set add-route enable
        set ipv4-start-ip 172.16.101.1
        set ipv4-end-ip 172.16.101.254
        set ipv4-netmask 255.255.255.0
        set ipv4-dns-server1 0.0.0.0
        set ipv4-dns-server2 0.0.0.0
        set ipv4-dns-server3 0.0.0.0
        set ipv4-wins-server1 0.0.0.0
        set ipv4-wins-server2 0.0.0.0
        # split tunnel: only "LAN" is routed through the VPN
        set ipv4-split-include "LAN"
        set unity-support enable
        set domain ''
        set banner ''
        # the PSK is shared by every iPhone; per-user authentication comes from XAuth
        set psksecret <psk>
        set keepalive 10
        set distance 1
        set priority 0
    next
end


Configure IPSEC Phase 2

config vpn ipsec phase2-interface
    edit "iPhone-P2"
        # 0.0.0.0/0 selectors are normal for a dial-up tunnel; the split-include
        # on phase 1 decides what the client actually routes through it
        set dst-addr-type subnet
        set dst-port 0
        set keepalive disable
        set keylife-type seconds
        set pfs enable
        set phase1name "iPhone"
        set proposal aes256-sha1 aes256-sha256
        set protocol 0
        set replay enable
        set route-overlap use-new
        set single-source disable
        set src-addr-type subnet
        set src-port 0
        set dhgrp 2
        set dst-subnet 0.0.0.0 0.0.0.0
        set keylifeseconds 1800
        set src-subnet 0.0.0.0 0.0.0.0
    next
end


Configure Firewall Policies

    VPN -> LAN

config firewall policy
    edit 1
        set srcintf "iPhone"
        set dstintf "switch"
        set srcaddr "iPhoneVPNUsers"
        set dstaddr "LAN"
        set action accept
        set status enable
        set logtraffic enable
        set per-ip-shaper ''
        set session-ttl 0
        set wccp disable
        set disclaimer disable
        set natip 0.0.0.0 0.0.0.0
        set match-vip disable
        set diffserv-forward disable
        set diffserv-reverse disable
        set tcp-mss-sender 0
        set tcp-mss-receiver 0
        set comments ''
        set endpoint-check disable
        set label ''
        set identity-based disable
        set schedule "always"
        # "ANY" opens the whole LAN to VPN users; narrow it to the admin services you need
        set service "ANY"
        set profile-status disable
        set traffic-shaper ''
        set nat disable
    next
end


    LAN -> VPN

config firewall policy
    edit 2
        set srcintf "switch"
        set dstintf "iPhone"
        set srcaddr "LAN"
        set dstaddr "iPhoneVPNUsers"
        set action accept
        set status enable
        set logtraffic enable
        set per-ip-shaper ''
        set session-ttl 0
        set wccp disable
        set disclaimer disable
        set natip 0.0.0.0 0.0.0.0
        set match-vip disable
        set diffserv-forward disable
        set diffserv-reverse disable
        set tcp-mss-sender 0
        set tcp-mss-receiver 0
        set comments ''
        set endpoint-check disable
        set label ''
        set identity-based disable
        set schedule "always"
        set service "ANY"
        set profile-status disable
        set traffic-shaper ''
        set nat disable
    next
end
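A check a reviewer would run over a configuration like the one posted above, as an added example that is not part of the original thread and not a Fortinet tool: a small Python script that parses the FortiOS config / edit / set / next / end syntax and flags the weak choices in the phase 1 and phase 2 blocks (3DES and MD5 proposals, DH group 2, a PSK accepted from any peer without XAuth, PFS switched off). The WEAK and HARDENED samples inside it are constructed; WEAK mirrors the thread's tunnel, and the hardened values (AES-256/SHA-256, DH group 14) are assumptions about what a client can negotiate, which the 2009 iPhone client the thread is about may not offer.

```python
"""Audit a FortiOS CLI fragment for weak dial-up IPsec settings.

Added example, not from the original thread or from Fortinet.  WEAK mirrors
the thread's phase1/phase2 blocks; HARDENED is the same tunnel with modern
proposals.  Both samples are constructed.
"""
import shlex

WEAK = """
config vpn ipsec phase1-interface
    edit "iPhone"
        set dhgrp 2
        set proposal 3des-sha1 3des-md5
        set authmethod psk
        set peertype any
        set xauthtype auto
        set mode main
    next
end
config vpn ipsec phase2-interface
    edit "iPhone-P2"
        set phase1name "iPhone"
        set pfs enable
        set dhgrp 2
        set proposal aes256-sha1 aes256-sha256
    next
end
"""

# Same tunnel with AES-256/SHA-256 and DH group 14 (assumed acceptable to
# the client; older built-in clients may only offer group 2).
HARDENED = WEAK.replace("set dhgrp 2", "set dhgrp 14").replace(
    "set proposal 3des-sha1 3des-md5", "set proposal aes256-sha256")

WEAK_CIPHERS = {"des", "3des", "null"}
WEAK_HASHES = {"md5", "null"}
MIN_DH_GROUP = 14


def parse_fortios(text):
    """Return {table: {entry: {key: [values]}}} for one nesting level,
    which is all the VPN and policy tables in the thread use."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # '#' lines are comments
            continue
        if line.startswith("config "):
            table = line[7:].strip()
            tables.setdefault(table, {})
        elif line.startswith("edit "):
            entry = shlex.split(line[5:])[0]       # strips the quotes
            tables[table].setdefault(entry, {})
        elif line.startswith("set "):
            key, *vals = shlex.split(line[4:])
            tables[table].setdefault(entry, {})[key] = vals
        elif line == "next":
            entry = None
        elif line == "end":
            table = None
    return tables


def weak_proposals(proposals):
    """Proposal names that use a weak cipher or hash, e.g. '3des-md5'."""
    return [p for p in proposals
            if p.partition("-")[0] in WEAK_CIPHERS
            or p.partition("-")[2] in WEAK_HASHES]


def low_dh(groups):
    """DH group numbers below MIN_DH_GROUP (1, 2 and 5 are too small)."""
    return [g for g in groups if g.isdigit() and int(g) < MIN_DH_GROUP]


def audit(text):
    """Return human-readable findings for a FortiOS IPsec config fragment."""
    t = parse_fortios(text)
    out = []
    for name, s in t.get("vpn ipsec phase1-interface", {}).items():
        for p in weak_proposals(s.get("proposal", [])):
            out.append(f"phase1 {name}: weak proposal {p}")
        for g in low_dh(s.get("dhgrp", [])):
            out.append(f"phase1 {name}: DH group {g} below {MIN_DH_GROUP}")
        if s.get("mode") == ["aggressive"]:
            out.append(f"phase1 {name}: aggressive mode exposes the PSK hash to offline attack")
        if (s.get("authmethod") == ["psk"] and s.get("peertype") == ["any"]
                and s.get("xauthtype", ["disable"]) == ["disable"]):
            out.append(f"phase1 {name}: one shared PSK for any peer, no XAuth")
    for name, s in t.get("vpn ipsec phase2-interface", {}).items():
        for p in weak_proposals(s.get("proposal", [])):
            out.append(f"phase2 {name}: weak proposal {p}")
        if s.get("pfs") == ["disable"]:
            out.append(f"phase2 {name}: PFS disabled")
        for g in low_dh(s.get("dhgrp", [])):
            out.append(f"phase2 {name}: PFS DH group {g} below {MIN_DH_GROUP}")
    return out


if __name__ == "__main__":
    for label, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(label, audit(cfg) or "no findings")
```

Run as-is it reports four findings for WEAK (both 3DES proposals and DH group 2 in each phase) and none for HARDENED. The shared-PSK check stays quiet for the thread's tunnel because `xauthtype auto` with `authusrgrp` is what ties a connection to a user; it fires when a dial-up phase 1 relies on the PSK alone. To audit a real box, paste the `config vpn ipsec phase1-interface` and `phase2-interface` sections from a backup into `audit()`.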


Excellent, saves me from having to get a Cisco box!
