config vpn ipsec phase2
  edit "<Phase2-Name>"
    set use-natip <enable|disable>

Notes:

  • When NAT is applied to the tunnel, enable (the default) uses the FortiGate's public IP as the source selector (encryption domain); disable uses the selectors configured in the phase 2 settings (src-start-ip/src-end-ip or src-subnet)

Documentation

[ # ]

!! As of writing this, some (or all) versions of Android do not support AES-256, so AES-128 is used here
crypto ikev1 policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

!! Configure Nat-T for Android phones
crypto isakmp nat-traversal

!! Configure the phase 2 transform set for Android
crypto ipsec ikev1 transform-set aes-128-sha-transport esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set aes-128-sha-transport mode transport

!! Assign the transform-set to the first dynamic-map if possible
!! note: aes-256-sha is an existing transform-set I already use with my iPhone
crypto dynamic-map dynMap 10 set ikev1 transform-set aes-256-sha aes-128-sha-transport

!! Configure l2tp group-policy
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec

!! Configure tunnel-group to use the required PSK and pool
tunnel-group DefaultRAGroup general-attributes
 address-pool <ip-pool>
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key <pre-shared-key>

!! Configure the group-policy that the username is locked to so it also accepts l2tp
group-policy <group-policy-related-to-lock> attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec <etc>

!! Configure the username with mschap encryption and lock it to the required group-policy
username <username> password <password> mschap
username <username> attributes
 vpn-group-policy <group-policy-related-to-group>

[ # ]

migrate l2l

Notes:

  • This will add ikev2 options with ikev1 fallback

Documentation

[ # ]

fw tab -t http_vpnd_cookies -f   !! View currently connected clients
fw tab -t http_vpnd_cookies -x   !! Clear all currently connected clients

[ # ]

fw tab -s -t userc_users    !! Number of currently connected VPN users
fw tab -f -t userc_users    !! List of currently connected VPN users
fw tab -t vpn_enc_domain_valid -f -u    !! View encryption domains (may be very large)

!! The following are for viewing and clearing tunnels if 'vpn tu' cannot be used
vpn shell /show/tunnels/IKE/all
vpn shell /show/tunnels/ipsec/all
vpn shell /show/tunnels/ike/peer/<peer-ip>
vpn shell /show/tunnels/ipsec/peer/<peer-ip>

vpn shell /tunnels/delete/all
vpn shell /tunnels/delete/IKE/all
vpn shell /tunnels/delete/IKE/peer/<peer-ip>
vpn shell /tunnels/delete/IPsec/all
vpn shell /tunnels/delete/IPsec/peer/<peer-ip>

[ # ]

tail -f /var/log/messages | grep vpn  !! View VPN logs
echo /config/userdb/list | igcli -n   !! View VPN Users
service sslvpn-plus status            !! View SSL VPN status
tail -f /var/log/messages | grep sslvpnstatslogd  !! View SSL VPN user logs

!! View VPN Tunnels
echo /config/sad/salist | igcli -n

echo "/config/sad/saflush *" | igcli -n           !! Teardown ALL ipsec SAs
echo /config/sad/saflush <vpn name> | igcli -n  !! Teardown a specific ipsec SA
echo /config/ike/saflush | igcli -n             !! Teardown ALL ike SAs

[ # ]

show configuration security ike
show configuration security ipsec
show security ike security-associations
show security ipsec security-associations
show security ipsec statistics index <IndexFromSA>
clear security ike security-associations
clear security ipsec security-associations

[ # ]

cf ipsec status

[ # ]

request security ike debug-enable local <local-ip> remote <remote-ip> level <level>
show log /var/log/kmd
request security ike debug-disable

Notes:

  • This enables logging to the KMD log without the need to commit

  • This is an alternative to the usual ike/ipsec traceoptions for selectively troubleshooting VPN issues
  • Enabling ike/ipsec traceoptions on the system can be very CPU intensive and can contribute to performance issues; troubleshooting with traceoptions can also be difficult because multiple VPNs may appear in the output

Documentation

[ # ]

get vpn
get ike cookies
get sa active
get event include vpn

SRC    DEST    PROXY ID (SRC/DEST)
Group  Group   0.0.0.0/0.0.0.0 > 0.0.0.0/0.0.0.0
Group  Subnet  0.0.0.0/0.0.0.0 > Subnet
Subnet Subnet  Subnet > Subnet

Notes:

  • Use subnets instead of groups to solve proxy ID / encryption domain mismatches: configure one rule per subnet pair
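
As an added illustration of the proxy-ID table and the note above (not code from the original page or from any vendor), this Python model shows why an address group, which collapses to 0.0.0.0/0, fails IKEv1 phase 2 matching against a peer configured with specific subnets, and how one rule per subnet pair fixes it. The subnets and the list-based representation of a group are constructed assumptions.

```python
from ipaddress import ip_network
from itertools import product

# Constructed model of the ScreenOS proxy-ID table above (not vendor code).
ANY = ip_network("0.0.0.0/0")

def _selector(obj):
    """An address *group* (modelled here as a list of subnets) collapses to
    0.0.0.0/0; a single subnet (a string) is used as-is."""
    return ANY if isinstance(obj, (list, tuple)) else ip_network(obj)

def proxy_id(src, dst):
    """Phase 2 proxy ID (local selector, remote selector) a policy-based rule proposes."""
    return (_selector(src), _selector(dst))

def peer_accepts(local_pid, peer_pid):
    """IKEv1 quick mode: the proposal must equal the peer's mirrored proxy ID
    (our src == peer's dst and our dst == peer's src). 0.0.0.0/0 != a real subnet."""
    return local_pid[0] == peer_pid[1] and local_pid[1] == peer_pid[0]

def per_subnet_rules(local_group, remote_group):
    """Expand two groups into one rule (proxy ID) per subnet pair, as the note recommends."""
    return [proxy_id(s, d) for s, d in product(local_group, remote_group)]

def match_report(local_rules, peer_rules):
    """For each local proxy ID, True if some peer rule mirrors it exactly."""
    return [any(peer_accepts(lp, pp) for pp in peer_rules) for lp in local_rules]

if __name__ == "__main__":
    # Constructed sample: two local subnets in a group, one remote subnet.
    local_group = ["10.1.0.0/24", "10.1.1.0/24"]
    remote_group = ["192.168.5.0/24"]
    # The peer is configured per subnet pair; its proxy IDs mirror ours.
    peer_rules = [proxy_id(d, s) for s, d in product(local_group, remote_group)]

    group_rule = proxy_id(local_group, remote_group)  # 0.0.0.0/0 > 0.0.0.0/0
    print("group rule", group_rule, "matches:", match_report([group_rule], peer_rules))
    subnet_rules = per_subnet_rules(local_group, remote_group)
    print("per-subnet rules match:", match_report(subnet_rules, peer_rules))
```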

[ # ]