Can I use a different VPN Client instead of FortiClient?

Hi,

I had a chat with ChatGPT and it seems using IPSEC, custom VPN Tunnel, it is possible to use the native VPN client in MacOS or Windows.

ChatGPT even said, it is possible to configure both IPSEC, VPN Tunnel and SSL VPN.

Can someone please confirm this?

Absolutely you can.

From a quick google and a glance, this KB article should get you in the ballpark: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-establish-VPN-connection-between-Windows-10/ta-p/200001

Also, the standard warning; please be very careful with how you use ChatGPT with technical subjects. It will at some point straight up lie to you and either tell you about things that don’t exist, or worse, give you incomplete advice and open you up to troubleshooting headaches or security vulnerabilities.

IPSec can be done on Mac for sure; with the Windows native client I am not 100% sure.

You can get IPSEC working 100% even with native win/mac/ios/android vpn capabilities. (yes, there might be some caveats due to some mysterious outdated OS versions but overall it is doable).

As with sslvpn, I’ve seen guys who were able to connect (and even use SAML 2FA) with Linux using OpenVPN, but I haven’t done it myself.

I have an IKEv2 dial-up implementation which is working great for OS interoperability using the native clients on each operating system (Mac, Windows and Linux). As far as I’m aware, the SSL VPN implementation requires FortiClient.

Question is, why would you, what are the upsides or downsides?

Yeah. IPsec for sure. I did it before in the past.

I successfully use strongSwan on Linux against a Fortinet IPsec tunnel.

I just got IPSEC VPN working with the macOS native VPN client and Windows. But when I connect with VPN, I don’t have internet access. Is this a normal scenario with a VPN?

I’m doing site2site IPSEC w/ Unifi Router

Linux can do IPsec as well.

I think you mean OpenConnect on Linux, not OpenVPN. Also on Androids, BSDs, macOS, Solaris, and Windows, using ARM, i386, MIPS, PowerPC, and x86_64.

Might I introduce you to the long list of SSL-VPN CVEs of the past few years?

Yes, we also do IPSEC to other sites - mostly Forti to Forti. However, I’m looking for an end-user solution.

I can confirm it’s working on Windows. Windows native client.

How is using the native Windows client going to solve the server side CVE?

I mean IPSec. I don’t think SSLVPN could work.

The Windows native client doesn’t use the SSL-VPN component on the FortiGate.

I just got it to work on Mac as well, with an Apple Profile. It also requires a SAN in the server certificate. Hope it helps.

It uses IPSEC, but what’s the advantage of using the Windows client on the machine?

A lot of people have had issues with FortiClient, or just have a distrust of the FortiClient software in general, so when they set up IPSEC remote access on the FortiGate instead of SSL-VPN then they go the extra mile and use an alternative VPN client as well. This is typically just the built-in Windows client, though could be any.

I wouldn’t be surprised if the IPSEC functionality of FortiClient is fine, it’s just the poor reputation of FortiClient.