FortiOS 5.4 Online Help Link FortiOS 5.2 Online Help Link FortiOS 5.0 Online Help Link FortiOS 4.3 Online Help Link

Home > Online Help

> Chapter 14 - IPsec VPN > Supporting IKE Mode config clients > Configuring IKE Mode Config

Configuring IKE Mode Config

IKE Mode Config is configured with the CLI command config vpn ipsec phase1-interface. The mode-cfg variable enables IKE Mode Config. The type field determines whether you are creating an IKE Mode Config server or a client. Setting type to dynamic creates a server configuration, otherwise the configuration is a client.

Configuring an IKE Mode Config client

If the FortiGate unit will connect as a dialup client to a remote gateway that supports IKE Mode Config, the relevant vpn ipsec phase1-interface variables are as follows:

Variable Description
ike-version 1 IKE v1 is the default for FortiGate IPsec VPNs.

IKE Mode Config is also compatible with IKE v2
(RFC 4306). Use syntax ike-version 2.
mode-cfg enable Enable IKE Mode Config.
type {ddns | static} If you set type to dynamic, an IKE Mode Config server is created.
assign-ip {enable | disable} Enable to request an IP address from the server.
interface <interface_name> This is a regular IPsec VPN field. Specify the physical, aggregate, or VLAN interface to which the IPsec tunnel will be bound.
proposal <encryption_combination> This is a regular IPsec VPN field that determines the encryption and authentication settings that the client will accept. For more information, see Phase 1 parameters.
mode-cfg-ip-version {4|6} Select if the Method client receives an IPv4 or IPv6 IP address. The default is 4. the ip‑version setting matches this variable’s value.
ip-version <4 | 6> This is a regular IPsec VPN field. By default, IPsec VPNs use IPv4 addressing. You can set ip‑version to 6 to create a VPN with IPv6 addressing.

For a complete list of available variables, see the CLI Reference.

Configuring an IKE Mode Config server

If the FortiGate unit will accept connection requests from dialup clients that support IKE Mode Config, the following vpn ipsec phase1-interface settings are required before any other configuration is attempted:

Variable Description
ike-version 1 IKE v1 is the default for FortiGate IPsec VPNs.

IKE Mode Config is also compatible with IKE v2
(RFC 4306). Use syntax ike-version 2.
mode-cfg enable Enable IKE Mode Config.
type dynamic Any other setting creates an IKE Mode Config client.
interface <interface_name> This is a regular IPsec VPN field. Specify the physical, aggregate, or VLAN interface to which the IPsec tunnel will be bound.
proposal <encryption_combination> This is a regular IPsec VPN field that determines the encryption and authentication settings that the server will accept. For more information, see Phase 1 parameters.
ip-version <4 | 6> This is a regular IPsec VPN field. By default, IPsec VPNs use IPv4 addressing. You can set ip‑version to 6 to create a VPN with IPv6 addressing.

For a complete list of available variables, see the CLI Reference.

After you have enabled the basic configuration, you can configure:

  • IP address assignment for clients
  • DNS and WINS server assignment

IP address assignment

Usually you will want to assign IP addresses to clients. The simplest method is to assign addresses from a specific range, similar to a DHCP server.

If your clients are authenticated by a RADIUS server, you can obtain the user’s IP address assignment from the Framed-IP-Address attribute. The user must be authenticated using XAuth.

IKE Mode Config can also use a remote DHCP server to assign the client IP addresses. Up to eight addresses can be selected for either IPv4 or IPv6. After the DHCP proxy has been configured, the assign-ip-from command is used to assign IP addresses via DHCP.

To assign IP addresses from an address range - CLI

If your VPN uses IPv4 addresses,

config vpn ipsec phase1-interface

edit vpn1

set mode-cfg-ipversion 4

set assign-ip enable

set assign-ip-type ip

set assign-ip-from range

set ipv4-start-ip <range_start>

set ipv4-end-ip <range_end>

set ipv4-netmask <netmask>

end

 

If your VPN uses IPv6 addresses,

config vpn ipsec phase1-interface

edit vpn1

set mode-cfg-ipversion 6

set assign-ip enable

set assign-ip-type ip

set assign-ip-from range

set ipv6-start-ip <range_start>

set ipv6-end-ip <range_end>

end

To assign IP addresses from a RADIUS server - CLI

The users must be authenticated by a RADIUS server and assigned to the FortiGate user group <grpname>. Since the IP address will not be static, type is set to dynamic, and mode-cfg is enabled. This is IKE Configuration Method so that compatible clients can configure themselves with settings that the FortiGate unit provides.

config vpn ipsec phase1-interface

edit vpn1

set type dynamic

set mode-cfg enable

set assign-ip enable

set assign-ip-from usrgrp

set xauthtype auto

set authusrgrp <grpname>

end

To assign IP address from DHCP - CLI

The DHCP proxy must first be enabled for IKE Mode Config to use DHCP to assign the VPN client IP address(es).

config system settings

set dhcp-proxy enable

set dhcp-server-ip [ipv4 address]

set dhcp6-server-ip [ipv6-address]

 

(Up to 8 server addresses can be configured)

end

 

config vpn ipsec phase1-interface

edit vpn1

set mode-cfg enable

set assign-ip-from dhcp

next

end

Certificate groups

IKE certificate groups consisting of up to four RSA certificates can be used in IKE Phase 1. Since CA and local certificates are global, the IKE daemon loads them once for all VDOMs and indexes them into trees based on subject and public key hash (for CA certificates), or certificate name (for local certicates). Certifcates are linked together based on the issuer, and certificate chains are built by traversing these links. This reduces the need to keep multiple copies of certificates that could exist in multiple chains.

IKE certificate groups can be configured through the CLI.

Configuring the IKE local ID (CLI):

config vpn certificate local

edit <name>

set ike-localid <string>

set ike-localid-type {asnldn | fqdn}

end