IPsec VPN with native Mac OS X client


In this recipe, you will learn how to create an IPsec VPN on a FortiGate, and connect to it using the default Mac OS X client.

This configuration allows Mac users to securely access an internal network and browse the Internet through the VPN tunnel. This recipe assumes that a user group (mac-users) has already been created.

This recipe was tested using Mac OS X El Capitan version 10.11.5.


1. Configuring the IPsec VPN using the Wizard

Go to VPN > IPsec Wizard.

Name the VPN connection, set Template Type to Remote Access, select the Cisco Client remote device type, and select Next.

You must select Cisco Client because the native Mac OS X client is a Cisco IPsec client. If you need an IPsec VPN for Apple mobile devices (such as iPhones and iPads), select the iOS Native remote device type instead.

Set Incoming Interface to the Internet-facing interface.

Select the Pre-shared Key authentication method and enter a pre-shared key. Use a long, random key: the Cisco IPsec client negotiates IKEv1 in aggressive mode, in which a hash derived from the pre-shared key is exchanged before the tunnel is encrypted, so a short or guessable key can be attacked offline from a capture.

Apply the appropriate User Group and select Next.

Set Local Interface to the internal interface and set Local Address to all.

Enter a Client Address Range for VPN users and select Create.

Disable split tunneling if you want all traffic (Internet and internal) to go through the IPsec VPN tunnel. With split tunneling enabled, only traffic destined for the Local Address is sent through the tunnel and the client reaches the Internet directly.

The VPN Creation Wizard provides a summary of created objects.

2. Creating a security policy for remote access to the Internet

Go to Policy & Objects > IPv4 Policy and create a new policy that allows remote users to securely access the Internet.

Set Incoming Interface to the newly created tunnel interface and set Outgoing Interface to the Internet-facing interface.

Set Source to all (or, to limit the policy to VPN clients, to the client address range object the wizard created), Destination Address to all, Schedule to always, and Service to ALL.

Enable NAT and select OK.

3. Results

On the Mac, go to System Preferences > Network and select the Plus (+) button.

Set Interface to VPN, set VPN Type to Cisco IPsec, and select Create.

Set Server Address to the IP address of the FortiGate's Internet-facing interface, enter the user's Account Name and Password (a member of the user group selected in the wizard), and open Authentication Settings.

Select the Shared Secret authentication and enter the same pre-shared key that was entered in the IPsec VPN Wizard, then select OK.

Be sure to Apply your network configuration.

In the Network window on the Mac, select the VPN and select Connect.

You should now be able to browse the Internet and have access to the internal network.

On the FortiGate, go to Monitor > IPsec Monitor and confirm that the tunnel Status is Up.
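The objects that steps 1 and 2 create through the GUI, entered on the FortiGate CLI, followed by the commands used to check the tunnel in step 3. This is an added example, not the wizard's own output: the names mac-vpn, wan1, internal and mac-users, the 10.10.10.0/24 client range, the 192.168.1.0/24 internal subnet and the proposals are assumptions chosen for illustration, and the pre-shared key is a placeholder.

```text
# Address objects (assumed names and ranges) used to scope the policies
# and the split-tunnel include list.
config firewall address
    edit "mac-vpn-clients"
        set type iprange
        set start-ip 10.10.10.1
        set end-ip 10.10.10.50
    next
    edit "internal-subnet"
        set subnet 192.168.1.0 255.255.255.0
    next
end

# Phase 1: dialup (dynamic) IKEv1 gateway in aggressive mode with PSK + XAuth,
# which is what the native Mac OS X "Cisco IPsec" client negotiates.
config vpn ipsec phase1-interface
    edit "mac-vpn"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype any
        set mode-cfg enable
        set proposal aes256-sha256 aes128-sha1
        set dhgrp 2
        set xauthtype auto
        set authusrgrp "mac-users"
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.50
        set ipv4-netmask 255.255.255.0
        # Remove this line to disable split tunneling (all traffic in the tunnel).
        set ipv4-split-include "internal-subnet"
        set psksecret REPLACE-WITH-A-LONG-RANDOM-KEY
    next
end

# Phase 2 bound to the phase 1 above.
config vpn ipsec phase2-interface
    edit "mac-vpn"
        set phase1name "mac-vpn"
        set proposal aes256-sha256 aes128-sha1
    next
end

# Policies: tunnel -> internal (what the wizard creates) and
# tunnel -> Internet with NAT (step 2). Source is restricted to the
# client range rather than "all".
config firewall policy
    edit 0
        set name "mac-vpn-to-internal"
        set srcintf "mac-vpn"
        set dstintf "internal"
        set srcaddr "mac-vpn-clients"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "mac-vpn-to-internet"
        set srcintf "mac-vpn"
        set dstintf "wan1"
        set srcaddr "mac-vpn-clients"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# Checks once the Mac has connected (CLI equivalent of Monitor > IPsec Monitor):
#   get vpn ipsec tunnel summary      # tunnel name, peer IP, up/down state
#   diagnose vpn ike gateway list     # phase 1 SAs, including the XAuth user
#   diagnose vpn tunnel list          # phase 2 SAs and traffic counters
# If the tunnel does not come up, capture the IKE negotiation:
#   diagnose debug application ike -1
#   diagnose debug enable
```

If the phase 1 proposal or DH group is rejected by the Mac, the IKE debug output shows which side declined; adjust the proposal and dhgrp lines rather than weakening the pre-shared key.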

Adam Bristow

Technical Writer at Fortinet
Adam Bristow is a Technical Writer working for the FortiOS technical documentation team. He has an Honours Bachelor of Arts in English and Minor in Film Studies and a graduate certificate in Technical Writing from Algonquin College. Stay tuned for more FortiOS Cookbook videos!
  • Sheik Shahidh

    Hi Adam, I just want to know, is there any option to force the Phase1 & Phase2 proposal in MAC…

  • Alexander Tatevyan

    Hi Adam. Is there a way to configure SSL VPN tunnel with native OS X client? I searched for a lightweight SSL VPN client in Downloads section (I have support contract), but it is not available for 5.x FortiGate firmware releases. So, the only option is to use the full version of FortiClient so far, it seems.

    • Adam Bristow

      Hello Alexander,

      Thank you for your question.

      This would be something best answered by someone from our support team. When I attempt to change the VPN Type in the native Mac OS X client, the only options that appear are L2TP over IPSec, Cisco IPSec, and IKEv2. There may be a way, but I would recommend either contacting support or creating the SSL VPN using FortiClient.

      Best regards,


  • Jim C

    Adam, I’d like to ask for some clarification on this article. With reference to your diagram (picture) at the top, I would think it represents the non-split tunnel configuration where all traffic is sent through the tunnel. In this case a secondary policy would need to be created (as you describe) or else non-LAN traffic would not pass back to the internet.

    My understanding (could be wrong) is that when “split-tunnel” is selected, the diagram would show regular internet (surfing traffic, etc) going from the Mac to where-ever via the internet and only LAN targeted traffic tunneled through the VPN. If that is correct, I think it would be helpful to show both diagrams, as this is confusing as it stands.

    • Adam Bristow

      Hello Jim,

      Thank you for your comment! It's very much appreciated as we strive to make our recipes and all our documentation as accessible and understandable as possible.

      You are correct about the diagram, however its intention is just to show the network topology, not necessarily the traffic flow. When I can, I will try to add some annotations to correctly represent the flow of traffic.

      Best regards,


      • Jim C

        Adam, thanks for the quick reply. Hopefully this will help others.