Configuring IKE Mode Config
IKE Mode Config is configured with the CLI command config vpn ipsec phase1-interface. The mode-cfg variable enables IKE Mode Config. The type field determines whether you are creating an IKE Mode Config server or a client. Setting type to dynamic creates a server configuration; otherwise the configuration is a client.
Configuring an IKE Mode Config client
If the FortiGate unit will connect as a dialup client to a remote gateway that supports IKE Mode Config, the relevant vpn ipsec phase1-interface variables are as follows:
Variable | Description |
---|---|
ike-version 1 | IKE v1 is the default for FortiGate IPsec VPNs. IKE Mode Config is also compatible with IKE v2 (RFC 4306). Use syntax ike-version 2. |
mode-cfg enable | Enable IKE Mode Config. |
type {ddns \| static} | Use ddns or static for a client. If you set type to dynamic, an IKE Mode Config server is created instead. |
assign-ip {enable \| disable} | Enable to request an IP address from the server. |
interface <interface_name> | This is a regular IPsec VPN field. Specify the physical, aggregate, or VLAN interface to which the IPsec tunnel will be bound. |
proposal <encryption_combination> | This is a regular IPsec VPN field that determines the encryption and authentication settings that the client will accept. For more information, see Phase 1 parameters. |
mode-cfg-ip-version {4 \| 6} | Select whether the IKE Mode Config client receives an IPv4 or IPv6 address. The default is 4. Ensure the ip-version setting matches this variable's value. |
ip-version <4 \| 6> | This is a regular IPsec VPN field. By default, IPsec VPNs use IPv4 addressing. You can set ip-version to 6 to create a VPN with IPv6 addressing. |
For a complete list of available variables, see the CLI Reference.
Configuring an IKE Mode Config server
If the FortiGate unit will accept connection requests from dialup clients that support IKE Mode Config, the following vpn ipsec phase1-interface settings are required before any other configuration is attempted:
Variable | Description |
---|---|
ike-version 1 | IKE v1 is the default for FortiGate IPsec VPNs. IKE Mode Config is also compatible with IKE v2 (RFC 4306). Use syntax ike-version 2. |
mode-cfg enable | Enable IKE Mode Config. |
type dynamic | Any other setting creates an IKE Mode Config client. |
interface <interface_name> | This is a regular IPsec VPN field. Specify the physical, aggregate, or VLAN interface to which the IPsec tunnel will be bound. |
proposal <encryption_combination> | This is a regular IPsec VPN field that determines the encryption and authentication settings that the server will accept. For more information, see Phase 1 parameters. |
ip-version <4 \| 6> | This is a regular IPsec VPN field. By default, IPsec VPNs use IPv4 addressing. You can set ip-version to 6 to create a VPN with IPv6 addressing. |
For a complete list of available variables, see the CLI Reference.
After you have enabled the basic configuration, you can configure:
- IP address assignment for clients
- DNS and WINS server assignment
IP address assignment
Usually you will want to assign IP addresses to clients. The simplest method is to assign addresses from a specific range, similar to a DHCP server.
If your clients are authenticated by a RADIUS server, you can obtain the user’s IP address assignment from the Framed-IP-Address attribute. The user must be authenticated using XAuth.
IKE Mode Config can also use a remote DHCP server to assign the client IP addresses. Up to eight addresses can be selected for either IPv4 or IPv6. After the DHCP proxy has been configured, the assign-ip-from command is used to assign IP addresses via DHCP.
To assign IP addresses from an address range - CLI
If your VPN uses IPv4 addresses:

```
config vpn ipsec phase1-interface
    edit vpn1
        set mode-cfg-ip-version 4
        set assign-ip enable
        set assign-ip-type ip
        set assign-ip-from range
        set ipv4-start-ip <range_start>
        set ipv4-end-ip <range_end>
        set ipv4-netmask <netmask>
    next
end
```

If your VPN uses IPv6 addresses:

```
config vpn ipsec phase1-interface
    edit vpn1
        set mode-cfg-ip-version 6
        set assign-ip enable
        set assign-ip-type ip
        set assign-ip-from range
        set ipv6-start-ip <range_start>
        set ipv6-end-ip <range_end>
    next
end
```
To assign IP addresses from a RADIUS server - CLI
The users must be authenticated by a RADIUS server and assigned to the FortiGate user group <grpname>. Since the IP address will not be static, type is set to dynamic and mode-cfg is enabled. This enables IKE Configuration Method, so that compatible clients can configure themselves with settings that the FortiGate unit provides.

```
config vpn ipsec phase1-interface
    edit vpn1
        set type dynamic
        set mode-cfg enable
        set assign-ip enable
        set assign-ip-from usrgrp
        set xauthtype auto
        set authusrgrp <grpname>
    next
end
```
To assign IP address from DHCP - CLI
The DHCP proxy must first be enabled for IKE Mode Config to use DHCP to assign the VPN client IP address(es).
```
config system settings
    set dhcp-proxy enable
    # Up to 8 server addresses can be configured for each of the following.
    set dhcp-server-ip <ipv4_address>
    set dhcp6-server-ip <ipv6_address>
end
```

```
config vpn ipsec phase1-interface
    edit vpn1
        set mode-cfg enable
        set assign-ip-from dhcp
    next
end
```
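The three address-assignment procedures above (range, RADIUS user group, DHCP) each depend on a few settings being present together, and the client table notes that mode-cfg-ip-version must agree with ip-version. The following added example, which is not Fortinet code and not part of this page, parses the flat config/edit/set/next/end syntax shown here and checks those constraints before a configuration is pushed; the entry names and addresses in its sample are constructed, and it assumes the setting names used on this page (it does not handle nested config blocks inside an edit).

```python
# Added example (not Fortinet code): a small linter for the FortiOS
# `config vpn ipsec phase1-interface` settings discussed above. It parses the
# flat config/edit/set/next/end syntax shown on this page and checks the
# constraints the page states: mode-cfg must be enabled, `type dynamic`
# makes a server, the two IP-version settings must agree, a range needs
# ordered endpoints (and a netmask for IPv4), usrgrp needs XAuth and a user
# group, and dhcp needs the DHCP proxy in `config system settings`.
import ipaddress


def parse_fortios(text):
    """Parse flat FortiOS CLI into {table: {entry: {key: [values]}}}.
    Tables without edit entries (e.g. system settings) use entry name ''."""
    tree, table, entry = {}, None, ""
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] == "config":
            table = " ".join(tok[1:])
            tree.setdefault(table, {"": {}})
        elif tok[0] == "edit":
            entry = tok[1].strip('"')
            tree[table].setdefault(entry, {})
        elif tok[0] == "set":
            tree[table][entry][tok[1]] = [v.strip('"') for v in tok[2:]]
        elif tok[0] in ("next", "end"):
            entry = ""
            if tok[0] == "end":
                table = None
    return tree


def first(settings, key, default=None):
    return settings.get(key, [default])[0]


def lint_phase1(name, p1, system):
    """Return findings (strings) for one phase1-interface entry."""
    f = []
    if first(p1, "mode-cfg", "disable") != "enable":
        f.append(f"{name}: mode-cfg is not enabled, so IKE Mode Config is off")
    ver = first(p1, "mode-cfg-ip-version", "4")
    if first(p1, "ip-version", "4") != ver:
        f.append(f"{name}: ip-version and mode-cfg-ip-version differ")
    src = first(p1, "assign-ip-from")
    # Only a server (type dynamic) hands out addresses; clients just request them.
    if first(p1, "type") != "dynamic" or src is None:
        return f
    if src == "range":
        start, end = first(p1, f"ipv{ver}-start-ip"), first(p1, f"ipv{ver}-end-ip")
        if not (start and end):
            f.append(f"{name}: range needs ipv{ver}-start-ip and ipv{ver}-end-ip")
        else:
            a, b = ipaddress.ip_address(start), ipaddress.ip_address(end)
            if a.version != int(ver) or b.version != int(ver):
                f.append(f"{name}: range endpoints are not IPv{ver} addresses")
            elif a > b:
                f.append(f"{name}: ipv{ver}-start-ip is above ipv{ver}-end-ip")
        if ver == "4" and not first(p1, "ipv4-netmask"):
            f.append(f"{name}: IPv4 range needs ipv4-netmask")
    elif src == "usrgrp":
        if first(p1, "xauthtype", "disable") == "disable":
            f.append(f"{name}: Framed-IP-Address assignment requires XAuth")
        if not first(p1, "authusrgrp"):
            f.append(f"{name}: usrgrp assignment needs authusrgrp")
    elif src == "dhcp":
        sys_ = system.get("", {})
        key = "dhcp-server-ip" if ver == "4" else "dhcp6-server-ip"
        if first(sys_, "dhcp-proxy", "disable") != "enable":
            f.append(f"{name}: assign-ip-from dhcp needs dhcp-proxy enable")
        if not sys_.get(key):
            f.append(f"{name}: no {key} configured in system settings")
        elif len(sys_[key]) > 8:
            f.append(f"{name}: more than 8 addresses in {key}")
    return f


def lint_config(text):
    """Lint every phase1-interface entry in a config dump."""
    tree = parse_fortios(text)
    system = tree.get("system settings", {})
    out = []
    for name, p1 in tree.get("vpn ipsec phase1-interface", {}).items():
        if name:
            out.extend(lint_phase1(name, p1, system))
    return out


# Constructed sample: a correct IPv4 range server and an IPv6 entry with
# two mistakes (ip-version left at its default 4, range endpoints reversed).
SAMPLE = """
config vpn ipsec phase1-interface
    edit vpn-range
        set type dynamic
        set mode-cfg enable
        set mode-cfg-ip-version 4
        set assign-ip enable
        set assign-ip-from range
        set ipv4-start-ip 10.10.10.100
        set ipv4-end-ip 10.10.10.199
        set ipv4-netmask 255.255.255.0
    next
    edit vpn-broken
        set type dynamic
        set mode-cfg enable
        set mode-cfg-ip-version 6
        set assign-ip-from range
        set ipv6-start-ip 2001:db8::200
        set ipv6-end-ip 2001:db8::100
    next
end
"""
```

Running `lint_config(SAMPLE)` reports nothing for vpn-range and two findings for vpn-broken; feeding it the output of a `show vpn ipsec phase1-interface` together with `show system settings` lets the same checks run against a live configuration export.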
Certificate groups
IKE certificate groups consisting of up to four RSA certificates can be used in IKE Phase 1. Since CA and local certificates are global, the IKE daemon loads them once for all VDOMs and indexes them into trees based on subject and public key hash (for CA certificates), or certificate name (for local certificates). Certificates are linked together based on the issuer, and certificate chains are built by traversing these links. This reduces the need to keep multiple copies of certificates that could exist in multiple chains.
IKE certificate groups can be configured through the CLI.
Configuring the IKE local ID (CLI):
```
config vpn certificate local
    edit <name>
        set ike-localid <string>
        set ike-localid-type {asn1dn | fqdn}
    next
end
```