Configuring an IPsec VPN for iOS devices This recipe uses the IPsec VPN Wizard to provide a group of remote iOS users with secure, encrypted access to the corporate network. The tunnel provides group members with access to the internal network, but forces them through the FortiGate unit when accessing the Internet. This recipe was tested using an iPad 2 running iOS version 7.1. 1. Creating a user group for iOS users 2. Adding a firewall address for the local network 3. Configuring IPsec VPN using the IPsec VPN Wizard 4. Creating a security policy for access to the Internet 5. Configuring VPN on the iOS device 6. Results WAN 1 172.20.120.123 FortiGate Local LAN 10.10.111.1-10.10.111.254 Internal Network Internet IPsec Remote User (iPad) 1. Creating a user group for iOS users Go to User & Device > User > User Definition. Create a new Local User with the User Creation Wizard. Proceed through each step of the wizard, carefully entering the appropriate information. Go to User & Device > User > User Groups. Create a user group for iOS users and add the user you created. 2. Adding a firewall address for the local network Go to Policy & Objects > Objects > Addresses. Add a firewall address for the Local LAN, including the subnet and local interface. 3. Configuring the IPsec VPN using the IPsec VPN Wizard Go to VPN > IPSec > Wizard. Name the VPN connection and select Dial Up - iOS (Native) and click Next. Set the Incoming Interface to the internet-facing interface. Select Pre-shared Key for the Authentication Method. Enter a pre-shared key and select the iOS user group, then click Next. The pre-shared key is a credential for the VPN and should differ from the user’s password. Set Local Interface to an internal interface (in the example, port 1) and set Local Address to the local LAN address. Enter an IP range for VPN users in the Client Address Range field. The IP range you enter here prompts FortiOS to create a new firewall object for the VPN tunnel using the name of your tunnel followed by the _range suffix (in this case, iOSvpn_Native_range). In addition, FortiOS automatically creates a security policy to allow remote users to access the internal network. 4. Creating a security policy for access to the Internet Go to Policy & Objects > Policy > IPv4. Create a security policy allowing remote iOS users to access the Internet securely through the FortiGate unit. Set Incoming Interface to the tunnel interface and set Source Address to all. Set Outgoing Interface to wan1 and Destination Address to all. Set Service to all and ensure that you enable NAT. 5. Configuring VPN on the iOS device On the iPad, go to Settings > General > VPN and select Add VPN Configuration. Enter the VPN address, user account, and password in their relevant fields. Enter the pre-shared key in the Secret field. 6. Results On the FortiGate unit, go to VPN > Monitor > IPsec Monitor and view the status of the tunnel. Users on the internal network will be accessible using the iOS device. Go to Log & Report > Traffic Log > Forward Traffic to view the traffic. Select an entry to view more information. Remote iOS users can also access the Internet securely via the FortiGate unit. Go to Log & Report > Traffic Log > Forward Traffic to view the traffic. Select an entry to view more information. You can also view the status of the tunnel on the iOS device itself. On the device, go to Settings > VPN > Status and view the status of the connection. Lastly, using a Ping tool, you can send a ping packet from the iOS device directly to an IP address on the LAN behind the FortiGate unit to verify the connection through the VPN tunnel.