My understanding is that Fortinet doesn’t want us deploying the free client remotely and, since the start of EMS, they have made fcconfig unable to be used via the command line to import and export the config.
Has anyone got this to work recently? I’ve tried importing the registry keys to bring over the config. The client does show the VPN profile with everything configured correctly. However, when I try to connect, the logs show “no response from the peer, phase1 retransmit reaches maximum count”. Comparing packet captures on a working and a non-working device (a device with the reg keys imported), the FortiGate responds to the client with a source port of 4500 but a destination port of 500 IF the client had its FortiClient configured using an import of reg keys. However, if the client was manually configured or the configuration was restored via the GUI of the app, the FortiGate would respond with a source port of 4500 AND a destination port of 4500.
For reasons unknown, the FortiGate responds to the dial-up client on a different port than it was expecting. I believe the reason the FortiClient logs show that there was no response from the peer is because it’s expecting that traffic over port 4500, not 500. For clarity, in both situations, both devices are initiating the dial-up VPN on 4500. I have an ongoing ticket with FortiGate where they were unsure as to why the FortiGate was behaving this way, but they are reviewing the logs more to investigate. Keep in mind that all settings and VPN tunnel configs match on both FortiClients. Also, if I just do a restore under System in Settings, everything works as expected and the FortiGate responds correctly.
Before we purchased EMS I would deploy the client, then deploy a registry key containing the configuration. My guess is they are trying to stop you from doing this to force you to purchase their EMS product.
This may not fit your needs, but if you’re already going this far, is there a reason not to use the built-in Windows VPN client (assuming this is the client OS, of course)?
That config would be easy to roll out using standard tools.
I’m doing the FortiClient VPN free version. Haven’t perfected the import via Intune, but have the install/upgrade of versions working. But the fcconfig export and import worked for me. Set it up manually on a PC, fcconfig export, then a command to import.
I just did this yesterday as part of our transition to IPsec VPN tunnels. I skipped the export and just wrote the PowerShell script based on the registry entries I had on my laptop. Then published it through Intune with the customized VPN profiles. Worked like a charm for both SSL and IPsec tunnels.
This may not be of much help, but I’ve found that both dial-in IPsec and SSL VPN are easy to deploy by just pushing the registry keys as-is. This includes the latest flavour of the free VPN client available as of the beginning of February.
Found that the 40% hang on SSL VPN only happens when it’s a self-signed cert where the cert chain is not implicitly trusted. Had to manually import, through the same deployment process, the intermediate and root certificates used, if there are any self-signed or internally signed certificates.
As for EAP on IPsec, unfortunately I do not have experience with it failing, so I can’t help there. Exported the registry key as just a .reg, and imported it using reg.exe import.
Verify the version of FortiClient VPN, and ensure you’re deploying the same one that is in use.
As well, look at any custom local-in policies or global deny policies which may be blocking the traffic to those endpoints. Found the Geo database isn’t as accurate or as quick to update as some online GeoDBs, which has caused some issues in the past.
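Putting the two deployment approaches above together (writing the tunnel’s registry values from PowerShell as in the Intune post, then shipping the internal cert chain and checking the client version as in the reply that follows it), here is an added example of a deployment script. It is not code from anyone in this thread or from Fortinet. The registry key path, value names and the FortiClient.exe location are assumptions based on what a hand-configured client typically writes: export HKLM\SOFTWARE\Fortinet\FortiClient from a working PC first and adjust the hashtable to match what that client actually stores. The server name, version number and certificate file names are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from this thread. Writes a FortiClient SSL VPN tunnel definition
# to the registry, installs the internal root/intermediate certs so the tunnel does not hang
# at 40%, and refuses to run against a client build older than the one the keys came from.
# ASSUMPTIONS: registry path/value names and the FortiClient.exe location; verify on a
# manually configured machine before deploying.
$ErrorActionPreference = 'Stop'

$TunnelsKey      = 'HKLM:\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels'          # assumption
$ClientExe       = "$env:ProgramFiles\Fortinet\FortiClient\FortiClient.exe"      # default install path (assumption)
$RequiredVersion = [version]'7.2.0'                                              # placeholder: the build you packaged
$CertDir         = Join-Path $PSScriptRoot 'certs'                               # root.cer / intermediate.cer shipped with the .intunewin

# Placeholder tunnel; value names mirror what a hand-configured client stores (assumption).
$Tunnel = @{
    Name              = 'Corp-SSLVPN'
    Server            = 'vpn.example.com:443'
    Description       = 'Corporate SSL VPN'
    promptusername    = 1      # DWORD
    promptcertificate = 0      # DWORD
    ServerCert        = '1'    # REG_SZ
}

function Test-ClientVersion {
    param([string]$Path, [version]$Minimum)
    if (-not (Test-Path $Path)) { throw "FortiClient not installed at $Path" }
    $raw = (Get-Item $Path).VersionInfo.ProductVersion
    # Keep only the leading dotted-numeric part in case the product string carries a suffix.
    if ($raw -notmatch '^(\d+(\.\d+){1,3})') { throw "Unparseable FortiClient version '$raw'" }
    $installed = [version]$Matches[1]
    if ($installed -lt $Minimum) {
        throw "FortiClient $installed is older than $Minimum; the registry layout was captured on a newer build"
    }
    return $installed
}

function Install-TrustChain {
    param([string]$Dir)
    # Internal PKI: root CA goes to the machine Root store, issuing CA(s) to the CA (intermediate) store.
    $map = @{ 'root.cer' = 'Cert:\LocalMachine\Root'; 'intermediate.cer' = 'Cert:\LocalMachine\CA' }
    foreach ($file in $map.Keys) {
        $path = Join-Path $Dir $file
        if (-not (Test-Path $path)) { Write-Warning "$file not found in $Dir, skipping"; continue }
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $path
        # Idempotent: skip if a cert with the same thumbprint is already in that store.
        if (Get-ChildItem $map[$file] | Where-Object Thumbprint -eq $cert.Thumbprint) { continue }
        Import-Certificate -FilePath $path -CertStoreLocation $map[$file] | Out-Null
    }
}

function Set-FortiClientSslTunnel {
    param([hashtable]$Def, [string]$Root)
    $key = Join-Path $Root $Def.Name
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($name in ($Def.Keys | Where-Object { $_ -ne 'Name' })) {
        $value = $Def[$name]
        $type  = if ($value -is [int]) { 'DWord' } else { 'String' }
        New-ItemProperty -Path $key -Name $name -Value $value -PropertyType $type -Force | Out-Null
    }
    # Return what was written so the caller can log it or use it as an Intune detection check.
    return Get-ItemProperty -Path $key
}

$ver     = Test-ClientVersion -Path $ClientExe -Minimum $RequiredVersion
Install-TrustChain -Dir $CertDir
$written = Set-FortiClientSslTunnel -Def $Tunnel -Root $TunnelsKey
Write-Output "FortiClient $ver : tunnel '$($Tunnel.Name)' -> $($written.Server)"
```

Package this with IntuneWinAppUtil.exe alongside the certs folder and run it elevated. One caveat that bites registry-based deployments: Intune runs PowerShell scripts and Win32 app install commands in a 32-bit host by default, so writes under HKLM:\SOFTWARE (and a plain reg.exe import of the exported .reg) get redirected to WOW6432Node, where the 64-bit FortiClient never looks. Tick “Run script in 64-bit PowerShell host” for scripts, or launch the install command through %windir%\sysnative\WindowsPowerShell\v1.0\powershell.exe. For IPsec tunnels the same pattern applies under the IPSec\Tunnels key, but those entries carry far more values, which is why exporting from a working client rather than hand-writing them is the safer starting point.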
That’s what it seems like to me. I’ve just configured a new SSL VPN, configured it in FortiClient, tested good, imported the reg keys into another PC, and it’s stuck at 40%. I believe that this is a feature and not a bug.
Yes, that was my first course of action. We currently use a WatchGuard and use a P2S IKEv2 VPN. We use the Windows native client and push the config via Intune.
However, when setting this up on the FortiGate, there’s some issue with EAP authentication that we couldn’t get sorted out. We use a RADIUS group and when it was time to send the EAP auth to the RADIUS server, it wouldn’t, and the VPN would fail. However, when this same VPN was used with FortiClient, it would work. I was never able to get it sorted out with support.
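For the built-in Windows client path discussed above, here is an added example (not from the thread) that defines the IKEv2 connection from PowerShell with the VpnClient module so Intune can push it the same way. Assumptions: the gateway’s RADIUS group does EAP-MSCHAPv2, the gateway certificate chains to a CA the machine already trusts, and the server name, split-tunnel prefix and cipher set are placeholders that must match what the gateway actually proposes.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from this thread. Creates a machine-wide IKEv2 connection for the
# Windows native client with EAP-MSCHAPv2 user auth, pins the IPsec proposal, and adds a
# split-tunnel route. Names, addresses and prefixes are placeholders (assumptions).
$ErrorActionPreference = 'Stop'

$ConnectionName = 'Corp-IKEv2'
$ServerAddress  = 'vpn.example.com'     # placeholder; must match the SAN in the gateway certificate
$InternalPrefix = '10.0.0.0/8'          # placeholder split-tunnel route

function New-CorpIkev2Connection {
    param([string]$Name, [string]$Server, [string]$RoutePrefix)

    # EAP-MSCHAPv2 blob the native client stores for the connection (assumes RADIUS does MSCHAPv2).
    $eapXml = (New-EapConfiguration -Mschapv2).EapConfigXmlStream

    # Recreate rather than patch, so a re-run converges on exactly this definition.
    if (Get-VpnConnection -Name $Name -AllUserConnection -ErrorAction SilentlyContinue) {
        Remove-VpnConnection -Name $Name -AllUserConnection -Force
    }

    Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType Ikev2 `
        -AuthenticationMethod Eap -EapConfigXmlStream $eapXml `
        -EncryptionLevel Required -RememberCredential -SplitTunneling -AllUserConnection -Force

    # Windows' default IKEv2 proposal still offers DH group 2 and SHA-1; pin a modern set the
    # gateway must also offer, otherwise phase 1 fails before EAP is ever attempted.
    Set-VpnConnectionIPsecConfiguration -ConnectionName $Name -AllUserConnection `
        -AuthenticationTransformConstants GCMAES256 -CipherTransformConstants GCMAES256 `
        -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 `
        -DHGroup Group14 -PfsGroup PFS2048 -Force

    # With split tunneling on, only this prefix goes through the tunnel.
    Add-VpnConnectionRoute -ConnectionName $Name -DestinationPrefix $RoutePrefix -AllUserConnection

    return Get-VpnConnection -Name $Name -AllUserConnection
}

$conn = New-CorpIkev2Connection -Name $ConnectionName -Server $ServerAddress -RoutePrefix $InternalPrefix
Write-Output ("{0}: {1} {2} auth={3}" -f $conn.Name, $conn.ServerAddress, $conn.TunnelType, $conn.AuthenticationMethod)
```

The returned connection object doubles as an Intune detection check (the script can exit non-zero when Get-VpnConnection does not find the name). Because the connection is created with -AllUserConnection, it lands in the machine phonebook and is visible to every user on the device, which is what you want for a device-targeted deployment.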
Hi, I know this is an old post, but I’m doing this now for IPsec tunnels; would you be able to share your PS script for this? We’re looking to deploy via Intune too.
I’m revisiting the IKEv2 topic to use with the Windows native client. Given that EAP needs to be configured via the CLI, I remember an issue we ran into was that when enabling EAP, the CLI still won’t allow the config to save without a PSK. The guide below shows the command “set psksecret ENC”, which results in “incomplete command in the en. Command fail. Return code -160”.
What do you configure here, or what may I be doing wrong? I saw somewhere that this command is not available after version 6.x or something like that.
I see. Without knowing your timeline etc., I would probably retry that and see if it can be solved. I don’t use radius in my setup, but I did see a couple of tech docs on https://docs.fortinet.com/ about your scenario.
I’ve used the free FortiClient VPN client for some specific cases, and I don’t recommend it. It feels like FortiGate doesn’t want us to use it, and who knows if it changes or gets shut down. At least you know that won’t happen on Windows.
Even with elevation, can you still run the export to C:? I’ll check what I ran and where I ran it from and report back. This was about 2-3 months ago when I did it, so I gotta check my notes.
I did it with the IntuneWinAppUtil.exe and the FortiClient.msi. I’ll send you a sanitized version of the install script. You’ll need to add your own values for the majority of the settings.
The “set psksecret ENC” command is incomplete. It expects an encrypted passkey used for the dial-up VPN.
Try “set psksecret ” and then, once you exit the code block by entering “end”, it will encrypt the passkey, and when you do “show config vpn ipsec phase1-interface” you’ll see the encrypted passkey.
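To make the psksecret point above concrete, here is an added FortiOS CLI fragment; it is not from this thread or from a Fortinet document. The PSK is typed in plaintext, and FortiOS rewrites that line as “set psksecret ENC <blob>” once you type “end”, which is why pasting the ENC form from a guide fails: ENC is output, not input. The tunnel name, interface, user group, proposal set and secret are placeholders, and the phase2-interface, mode-cfg address pool and the firewall policy are left out.

```text
config vpn ipsec phase1-interface
    edit "dialup-ikev2"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set mode-cfg enable
        set proposal aes256gcm-prfsha256 aes256-sha256
        set dhgrp 14
        set eap enable
        set eap-identity send-request
        set authusrgrp "vpn-radius-users"
        set psksecret S3cret-Placeholder-Change-Me
    next
end
```

Confirm with “show vpn ipsec phase1-interface dialup-ikev2”, where the secret now appears as “set psksecret ENC …”. One caveat when the same phase1 is meant for the Windows native client rather than FortiClient: in IKEv2 with EAP, the responder authenticates itself with a signature over a certificate, not a PSK (RFC 7296, section 2.16), and the Windows client enforces that. PSK-plus-EAP is a FortiClient-specific combination, so a phase1 that works for FortiClient but fails for Windows before any RADIUS traffic appears is worth re-checking for gateway certificate authentication before chasing the RADIUS side.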