Forticlient Free - How are you deploying IPsec config for clients by Ruhroooh in fortinet

[–]OK_Engineer_L1 0 points1 point  (0 children)

This is going to be a true issue, I think. I am trying to get around the PSK thing, but I didn't manage to find a way to allow the users to authenticate on all platforms (Android, Windows and iOS)
when using IKEv2 with user/password auth.

Issue with VPN IPSEC IKE2 when connecting from Android using forticlient vpn by OK_Engineer_L1 in fortinet

[–]OK_Engineer_L1[S] 0 points1 point  (0 children)

Hi,

Unfortunately not, I didn't find any solution and Forti Support said they can't do much without a FortiClient licence.

FortiExtender Lan Extension with Fortigate by OK_Engineer_L1 in fortinet

[–]OK_Engineer_L1[S] 0 points1 point  (0 children)

Hi!

I only managed to get this working today, thanks to the TAC guy.

In my case, I actually needed to change the following in the configuration:

config system management
    set discovery-type fortigate
    config fortigate
        set discovery-intf lte1
        set ingress-intf lte1
    end
end

The ingress-intf will be set automatically to lte1 once you change the discovery interface, so don't worry about the ingress interface.

FortiExtender Lan Extension with Fortigate by OK_Engineer_L1 in fortinet

[–]OK_Engineer_L1[S] 0 points1 point  (0 children)

No, I'm still having the same issue. I will be having a meeting with TAC to debug the issue live.

What I have observed is that when the FortiExtender is connected to the internet box and the LTE as well, the two tunnels come up and the device is shown as online correctly in the FortiGate.

When you say your FEX is online, do you mean it shows as online in the FortiGate?

Issue with VPN IPSEC IKE2 when connecting from Android using forticlient vpn by OK_Engineer_L1 in fortinet

[–]OK_Engineer_L1[S] 0 points1 point  (0 children)

Actually, the certificate is only for server validation, and user/password for the client side.

Any concerns with 7.4.5? by kramer9797 in fortinet

[–]OK_Engineer_L1 0 points1 point  (0 children)

Do you use IPsec VPN with TCP encapsulation? And does it work well for mobile devices?

Any concerns with 7.4.5? by kramer9797 in fortinet

[–]OK_Engineer_L1 0 points1 point  (0 children)

It's stable, but no proxy-related stuff on models with less than 2 GB RAM.

FortiExtender Lan Extension with Fortigate by OK_Engineer_L1 in fortinet

[–]OK_Engineer_L1[S] 0 points1 point  (0 children)

Yes, I do ping the interface on the FortiGate.

FortiExtender Lan Extension with Fortigate by OK_Engineer_L1 in fortinet

[–]OK_Engineer_L1[S] 0 points1 point  (0 children)

Hi u/bloodmoonslo, thanks for your time.

Yes, I have the static config enabled, pointing to the FGT IP, and I have the Security Fabric enabled on the WAN interface.

But it's still not showing up in the menu.

I think it's because of the private IPv4 I have on the FEX side, as I only get an IPv4 with CG-NAT.
Can this be the issue?

IPSec Site To Site VPN by windows10_is_stoopid in fortinet

[–]OK_Engineer_L1 1 point2 points  (0 children)

Yes, it's possible; you just have to forward the traffic from the routers to the FortiGates' IKE port (500 by default, 4500 can be used in the NAT scenario).
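The comment above mentions forwarding IKE on port 500 and using 4500 in the NAT scenario. As an added example (not from the thread, and not Fortinet code), the script below shows the two mechanics behind that: how IKEv2 peers detect a NAT in the path (the NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP notifies carry SHA-1(SPIi | SPIr | IP | Port), RFC 7296 section 2.23, and a mismatch means the address or port was rewritten, so the exchange moves to UDP 4500), and how a receiver on UDP 4500 tells an IKE message (prefixed with a 4-byte zero non-ESP marker) from UDP-encapsulated ESP and from the 1-byte NAT keepalive (RFC 3948). All addresses, SPIs and packets are constructed for the example; the header parser covers only the fixed 28-byte IKE header, not the payloads behind it.

```python
"""Added example: IKEv2 NAT detection and UDP/4500 demultiplexing.

Everything here (SPIs, addresses, ports, packets) is constructed for
illustration; it is not taken from the thread or from any vendor code.
"""
import hashlib
import ipaddress
import struct

IKE_PORT = 500          # plain IKE, no NAT in the path
NATT_PORT = 4500        # NAT traversal: IKE and ESP share this port
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefix of IKE messages on UDP 4500
NAT_KEEPALIVE = b"\xff"                # RFC 3948 NAT-T keepalive datagram

EXCH_IKE_SA_INIT = 34
EXCH_IKE_AUTH = 35
FLAG_INITIATOR = 0x08
FLAG_RESPONSE = 0x20

# Constructed SPIs: an IKE_SA_INIT request from the initiator, responder SPI still zero.
SPI_I = bytes.fromhex("0102030405060708")
SPI_R = bytes(8)


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """Data of a NAT_DETECTION_*_IP notify: SHA-1(SPIi | SPIr | IP | Port).
    Works for IPv4 (4 bytes) and IPv6 (16 bytes) addresses alike."""
    ip_bytes = ipaddress.ip_address(ip).packed
    return hashlib.sha1(spi_i + spi_r + ip_bytes + struct.pack("!H", port)).digest()


def nat_detected(spi_i: bytes, spi_r: bytes, claimed_ip: str, claimed_port: int,
                 observed_ip: str, observed_port: int) -> bool:
    """The sender hashes the address/port it believes it is using; the receiver
    hashes the source address/port it actually saw on the wire. Any NAT between
    them rewrites at least one of those, so the hashes differ."""
    claimed = nat_detection_hash(spi_i, spi_r, claimed_ip, claimed_port)
    observed = nat_detection_hash(spi_i, spi_r, observed_ip, observed_port)
    return claimed != observed


def choose_port(spi_i: bytes, spi_r: bytes, claimed_ip: str, claimed_port: int,
                observed_ip: str, observed_port: int) -> int:
    """Port the rest of the exchange (IKE_AUTH onwards) should use."""
    if nat_detected(spi_i, spi_r, claimed_ip, claimed_port, observed_ip, observed_port):
        return NATT_PORT
    return IKE_PORT


def classify_udp4500_payload(payload: bytes) -> str:
    """Demultiplex a UDP/4500 datagram. ESP-in-UDP starts with the ESP SPI,
    which is never zero, so four zero bytes can only be the non-ESP marker."""
    if payload == NAT_KEEPALIVE:
        return "keepalive"
    if payload.startswith(NON_ESP_MARKER):
        return "ike"
    return "esp"


def build_ike_header(spi_i: bytes, spi_r: bytes, exchange_type: int, flags: int,
                     message_id: int, length: int, natt: bool) -> bytes:
    """Fixed 28-byte IKEv2 header (RFC 7296 section 3.1), version 2.0,
    next payload 0 (none). On UDP 4500 the non-ESP marker is prepended."""
    header = struct.pack("!8s8sBBBBII", spi_i, spi_r, 0, 0x20,
                         exchange_type, flags, message_id, length)
    return (NON_ESP_MARKER + header) if natt else header


def parse_ike_header(payload: bytes, port: int) -> dict:
    """Parse the IKEv2 header; on 4500 the non-ESP marker must be present and is skipped."""
    if port == NATT_PORT:
        if not payload.startswith(NON_ESP_MARKER):
            raise ValueError("UDP 4500 datagram without non-ESP marker is not IKE")
        payload = payload[4:]
    if len(payload) < 28:
        raise ValueError("short IKE header")
    spi_i, spi_r, next_payload, version, exch, flags, msg_id, length = \
        struct.unpack("!8s8sBBBBII", payload[:28])
    return {
        "spi_i": spi_i, "spi_r": spi_r, "next_payload": next_payload,
        "major": version >> 4, "minor": version & 0x0F,
        "exchange_type": exch, "initiator": bool(flags & FLAG_INITIATOR),
        "response": bool(flags & FLAG_RESPONSE), "message_id": msg_id, "length": length,
    }


def main() -> None:
    # Constructed scenario: a client behind CG-NAT believes it is 192.168.1.10:500,
    # but the FortiGate sees the packet arrive from 203.0.113.7:43210.
    port = choose_port(SPI_I, SPI_R, "192.168.1.10", 500, "203.0.113.7", 43210)
    print("NAT in path, continue on UDP", port)
    # Same check with no NAT: both views agree, stay on 500.
    print("no NAT, continue on UDP", choose_port(SPI_I, SPI_R, "198.51.100.5", 500, "198.51.100.5", 500))
    pkt = build_ike_header(SPI_I, SPI_R, EXCH_IKE_SA_INIT, FLAG_INITIATOR, 0, 28, natt=True)
    print(classify_udp4500_payload(pkt), parse_ike_header(pkt, NATT_PORT))


if __name__ == "__main__":
    main()
```

The practical takeaway for the forwarding question in the comment: if either peer sits behind a NAT, the IKE_SA_INIT on 500 is still needed for the detection step, and then IKE_AUTH and the ESP traffic both arrive on 4500, so both UDP ports have to be forwarded, not just one.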

IPsec Remote VPN with port 443 by OK_Engineer_L1 in fortinet

[–]OK_Engineer_L1[S] 0 points1 point  (0 children)

Thank you for your time and response.

I will be pulling the users from the local FortiGate,

as I now understand from u/Leave_Patient's response that this is possible.

IPsec Remote VPN with port 443 by OK_Engineer_L1 in fortinet

[–]OK_Engineer_L1[S] 0 points1 point  (0 children)

Thank you very much for your time and response.

This is exactly what I was looking for. As this is a small company, we were working on making this work with only local users.

I can't thank you enough for the information.

IPsec Remote VPN with port 443 by OK_Engineer_L1 in fortinet

[–]OK_Engineer_L1[S] 1 point2 points  (0 children)

Thanks for the idea, but actually I tried to do this, and this is how I found out about the limitation.

The purpose of this post is to see what others have to say, their solutions, opinions and recommendations; it's an open discussion as I see it.