As a workaround to establish a VPN between an Android device and the FortiGate firewall, it is possible to configure a custom dial-up VPN with IKEv2.
This solution is feasible where end users do not want to connect to the VPN via the FortiClient application installed on their Android device.
To configure a VPN connection with the IKEv2-PSK method on the FortiGate firewall, follow the steps below:
Go to VPN -> IPsec Tunnels -> Create New -> IPsec Tunnel -> Select Template type as 'Custom', give a name to the VPN connection, and select Next.
Create a policy and route accordingly to allow traffic from the Android-VPN tunnel interface to the LAN interface.
CLI configuration:
Dial-up IKEv2 CLI config:
config vpn ipsec phase1-interface
    edit "Android-VPN"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set local-gw 1.1.1.1
        set peertype any
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 8.8.8.8
        set proposal aes128-sha256 aes192-sha384 aes256-sha512 aes128gcm-prfsha256 aes256gcm-prfsha512
        set dhgrp 16 15 14
        set ipv4-start-ip 192.168.140.1
        set ipv4-end-ip 192.168.140.254
        set ipv4-netmask 255.255.254.0
        set ipv4-split-include "Test_local_subnet_1"
        set psksecret ENC FuEutStPeywrTFqw/8qo1XBl2fpJ9B8Ww5E+AibYu5i7k5mNZgM2jZwiwXNbL+DPJ1O/4UvNHIrwkRabgmad5gSuxo/KQIGU5ABGuhdo74A==
        set dpd-retryinterval 60
    next
end
config vpn ipsec phase2-interface
    edit "Android-VPN"
        set phase1name "Android-VPN"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set pfs disable
    next
end
config firewall policy
    edit 13
        set name "Android -VPN"
        set uuid de0f1e18-2148-51ee-f79f-5a640f7b4b50
        set srcintf "Android-VPN"
        set dstintf "port3"
        set action accept
        set srcaddr "all"
        set dstaddr "Test_local_subnet_1"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
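The following is an added example, not part of the original article or a Fortinet tool: a small Python checker that parses the phase1/phase2 blocks in the style shown above and reports settings worth reviewing before the tunnel goes into production (SHA-1 integrity in the phase2 proposal, PFS disabled, peertype any without a peer ID, DH groups below 14). The config excerpt embedded in it is a constructed copy of the article's settings.

```python
# Constructed excerpt mirroring the article's phase1/phase2 settings (not a full FortiOS dump).
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "Android-VPN"
        set ike-version 2
        set peertype any
        set proposal aes128-sha256 aes192-sha384 aes256-sha512 aes128gcm-prfsha256 aes256gcm-prfsha512
        set dhgrp 16 15 14
    next
end
config vpn ipsec phase2-interface
    edit "Android-VPN"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set pfs disable
    next
end
"""


def parse_fortios(text):
    """Map (table, edit name) -> {setting: [values]} for each 'edit' block."""
    blocks, table, name = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            table = line[7:]
        elif line.startswith("edit "):
            name = line[5:].strip('"')
            blocks[(table, name)] = {}
        elif line.startswith("set ") and name is not None:
            key, *vals = line[4:].split()
            blocks[(table, name)][key] = [v.strip('"') for v in vals]
        elif line == "next":
            name = None
    return blocks


def review_tunnel(blocks, name):
    """Return hardening findings for the named phase1/phase2 pair."""
    p1 = blocks.get(("vpn ipsec phase1-interface", name), {})
    p2 = blocks.get(("vpn ipsec phase2-interface", name), {})
    findings = []
    if p1.get("peertype") == ["any"] and "peerid" not in p1:
        findings.append("phase1: peertype any without peerid, the PSK alone admits a client")
    if any(int(g) < 14 for g in p1.get("dhgrp", [])):
        findings.append("phase1: DH group below 14 offered")
    weak = [p for p in p2.get("proposal", []) if p.endswith(("-sha1", "-md5"))]
    if weak:
        findings.append("phase2: SHA-1/MD5 integrity offered: " + " ".join(weak))
    if p2.get("pfs", ["enable"]) == ["disable"]:  # FortiOS default for pfs is enable
        findings.append("phase2: pfs disable, child SAs have no forward secrecy")
    return findings
```

Run `review_tunnel(parse_fortios(SAMPLE_CONFIG), "Android-VPN")` against a `show vpn ipsec phase1-interface` / `phase2-interface` dump to get the same findings for a live tunnel.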
Android Configuration:
Note:
- If a peer ID is specified in the IKEv2 phase1 config on the FortiGate firewall, use the same ID in the 'IPsec Identifier' field.
- If no peer ID is configured on the FortiGate firewall, enter any dummy value or name; without a value in the 'IPsec Identifier' field, it is not possible to save the VPN config on an Android phone.