IKEv2 Remote Access VPN using FortiClient VPN (FortiGate CLI configuration)
Interface configuration:
config system interface
edit "port1"
set vdom "root"
set ip 192.168.0.108 255.255.255.0
set allowaccess ping https ssh http
set type physical
set netflow-sampler both
set alias "WAN1"
set lldp-reception enable
set role wan
set snmp-index 1
set secondary-IP enable
set mtu-override enable
set mtu 1000
next
edit "port4"
set vdom "root"
set ip 20.20.20.108 255.255.255.0
set allowaccess ping
set type physical
set alias "LAN"
set snmp-index 8
next
VPN configuration:
Phase 1 (IKE):
config vpn ipsec phase1-interface
edit "IKEv2"
set type dynamic
set interface "port1"
set ike-version 2
set peertype one
set net-device disable
set mode-cfg enable
set ipv4-dns-server1 192.168.0.254
set proposal aes256-sha256
set dhgrp 2
set transport udp
set peerid "user1"
set ipv4-start-ip 10.10.10.3
set ipv4-end-ip 10.10.10.4
set ipv4-netmask 255.255.255.0
set ipv4-split-include "20.20.20.0/24"
set psksecret ENC yMXzKH52xd7a7eBbWJNyg9nUY7Y+F9VaBHbFreG+pcInvxYre+1Iox7cT+UsNxv2huBP1kjV2xdcNw/6eq8dcEYbcsXP2Ka7A2PzUxoEnpmDI2NoNuB+Gg6G69weFYuMYzVb00G2PbYSlbOMvqrXPTdS+SzABg6qInhEWBS9kFSH4rrG/I8gpaxlEsgYpRx63ggkGFlmMjY3dkVA
next
end
Phase 2 (IPsec):
config vpn ipsec phase2-interface
edit "P2"
set phase1name "IKEv2"
set proposal aes256-sha256
set dhgrp 14
next
end
Firewall policy:
config firewall policy
edit 1
set name "IKEv2_allow_in"
set uuid 16b42f20-7aa7-51ef-b25b-409c77664dee
set srcintf "IKEv2"
set dstintf "port4"
set action accept
set srcaddr "all"
set dstaddr "20.20.20.0/24"
set schedule "always"
set service "ALL"
next
end