Situation
Use FortiClient to connect to a FortiGate dial-up IPsec VPN (IKEv1) and authenticate with a local FortiGate username and password (XAUTH).
Solution
[1]
# Create the user
Log in to the FortiGate WebUI > User & Authentication > User Definition
[2]
Create New > Local User > enter the username and password
[3]
# Create the user group
FortiGate WebUI > User & Authentication > User Groups
[4]
Create New > enter a group name > Members: add the user created in step [1]
[5]
# Create the IPsec tunnel
VPN > IPsec Tunnels > Create New > Custom
[6-1]
# Enter the IPsec parameters - Network
1. Remote Gateway: Dialup User
2. Mode Config: Enable
3. Use system DNS in mode config: Enable
4. Assign IP From: Address/Address Group
5. Client Address Range: "Your Address Name" (a firewall address object holding the pool of IPs handed to clients; create it first under Policy & Objects > Addresses)
---
[6-2]
# Enter the IPsec parameters - Authentication
6. PSK: "Your PSK" (use a long, random value; XAUTH does not protect the PSK itself)
7. IKE version: 1
8. Mode: Aggressive or Main (ID protection). Main mode encrypts the identity exchange; aggressive mode sends the peer ID and a PSK-keyed hash in clear before encryption starts, so a captured handshake can be attacked offline against the PSK. Prefer main mode where the deployment allows it; aggressive mode is the usual choice when this tunnel must be selected by peer ID.
9. Peer ID: "Your FortiClient Local ID", or accept any peer ID
---
[6-3]
# Enter the IPsec parameters - Phase 1 Proposal
Encryption: AES256
Authentication: SHA256
DH group: 20
Local ID: "FortiGate Local ID"
---
[6-4]
# Enter the IPsec parameters - XAUTH
Type: Auto Server
User Group: Choose > "Your User Group" (the group created in step [2])
---
[6-5]
# Enter the IPsec parameters - Phase 2 Selectors > choose which local and remote subnets are sent through the tunnel
Local Address: 0.0.0.0/0 (subnets behind the FortiGate that clients may reach; 0.0.0.0/0 means everything)
Remote Address: 0.0.0.0/0 (client side; with mode config the assigned client address is used)
Encryption: AES256
Authentication: SHA256
DH group: 20 (enables Perfect Forward Secrecy for Phase 2)
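The same configuration entered through the FortiGate CLI, as an added example that is not part of the original page. Every name, address and secret is a placeholder assumption (WAN interface wan1, LAN interface internal, tunnel dialup_ikev1, client pool 10.212.134.200-210, user vpnuser1, group vpn_users, peer ID forticlient-id, local ID fortigate-id). It also adds the firewall policy from the tunnel interface to the LAN, which the GUI steps above do not create and without which the tunnel establishes but carries no traffic.

```fortios
# Added example, not from the original page. All names, addresses and secrets are placeholders.
# Local XAUTH user and group (GUI steps [1]-[2])
config user local
    edit "vpnuser1"
        set type password
        set passwd "REPLACE_WITH_USER_PASSWORD"
    next
end
config user group
    edit "vpn_users"
        set member "vpnuser1"
    next
end
# Address object used as the mode-config client pool (GUI step [6-1], "Client Address Range")
config firewall address
    edit "vpn_client_range"
        set type iprange
        set start-ip 10.212.134.200
        set end-ip 10.212.134.210
    next
end
# Phase 1 (GUI steps [6-1] to [6-4])
config vpn ipsec phase1-interface
    edit "dialup_ikev1"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        # Aggressive mode is what lets the tunnel be selected by peer ID, but it sends the ID and a
        # PSK-keyed hash before encryption starts, so the PSK must be long and random.
        set mode aggressive
        set peertype one
        set peerid "forticlient-id"
        set localid "fortigate-id"
        set proposal aes256-sha256
        set dhgrp 20
        set mode-cfg enable
        set assign-ip-from name
        set ipv4-name "vpn_client_range"
        set dns-mode auto
        set xauthtype auto
        set authusrgrp "vpn_users"
        set psksecret "REPLACE_WITH_LONG_RANDOM_PSK"
    next
end
# Phase 2 (GUI step [6-5]); dhgrp here enables PFS
config vpn ipsec phase2-interface
    edit "dialup_ikev1_p2"
        set phase1name "dialup_ikev1"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 20
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
# Firewall policy from the tunnel interface to the LAN (not in the GUI steps; without it the tunnel
# establishes but no traffic passes). Narrow dstaddr and service to what clients actually need.
config firewall policy
    edit 0
        set name "vpn_clients_to_lan"
        set srcintf "dialup_ikev1"
        set dstintf "internal"
        set srcaddr "vpn_client_range"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The phase1-interface order matters: mode-cfg must be enabled before assign-ip-from and ipv4-name are accepted, and peerid is only accepted after peertype one. The policy above uses "all" and "ALL" to match the 0.0.0.0/0 selectors in step [6-5]; in production restrict both to the services the remote users need.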
Check
Connect from FortiClient (IPsec VPN, IKEv1, matching PSK, Local ID and proposals) and log in with the user account created in step [1].
Troubleshooting
[1]
# Confirm the negotiated parameters (add the tunnel name to limit the output to one gateway)
get vpn ike gateway
[2]
# Check whether Phase 1 is up
diagnose vpn ike gateway list name "Your_Tunnel_Name"
> status: Established (Phase 1 succeeded)
> status: Connecting (Phase 1 failed; check PSK, mode, peer ID and proposals)
[3]
# Clear any previous debug settings
diagnose debug reset
# Add timestamps to the debug output
diagnose debug console timestamp enable
# Enable IKE application debug at the most verbose level (-1 = all messages)
diagnose debug application ike -1
# Turn on debug output, then start the connection from FortiClient and watch the Phase 1, XAUTH and Phase 2 messages
diagnose debug enable
# When finished: turn off debug output, then clear the debug settings
diagnose debug disable
diagnose debug reset
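A fuller troubleshooting session, added here as an example that is not from the original page. It filters the IKE debug to one client's public IP (assumed to be 203.0.113.10) so that the output stays readable on a gateway with many tunnels, and checks both phases after the attempt. The filter syntax shown is the FortiOS 7.0+ form; the 6.x form is given in the comment, and the tunnel name dialup_ikev1 is an assumption.

```fortios
# Added example, not from the original page. Client IP and tunnel name are placeholders.
# Restrict IKE debug to one remote client (FortiOS 7.0+ syntax; on 6.x use:
#   diagnose vpn ike log-filter dst-addr4 203.0.113.10)
diagnose vpn ike log filter rem-addr4 203.0.113.10
diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application ike -1
diagnose debug enable
# ... start the connection from FortiClient now; Phase 1, XAUTH and Phase 2 messages for that client scroll by ...
# After the attempt, confirm Phase 1 (status: established) and Phase 2 (an SA for the dialup instance, shown as dialup_ikev1_0)
diagnose vpn ike gateway list name dialup_ikev1
diagnose vpn tunnel list
# Stop the debug and remove the filter so later sessions start clean
diagnose debug disable
diagnose debug reset
diagnose vpn ike log filter clear
```

Read the output in order: a failure before XAUTH points at the PSK, mode, peer ID or Phase 1 proposal; an XAUTH failure points at the user or group; a Phase 1 that establishes with no Phase 2 SA points at the Phase 2 proposal or selectors; and an established tunnel with no traffic points at the missing or wrong firewall policy rather than at IKE.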