Technical Tip: How to configure IPsec VPN Tunnel using IKE v2
| Description | This article describes how to configure an IPsec VPN Tunnel using IKE v2 in FortiClient. |
| Scope | FortiClient, FortiGate. |
| Solution | The FortiGate IPsec tunnels can be configured using IKEv2. |

This document provides an example of configuring IPsec VPN connectivity using a local user defined on the FortiGate device. For detailed instructions on creating local users, remote users, or user groups, refer to the Fortinet documentation.

Summary of the FortiGate GUI configuration:

The following commands need to be applied manually via the CLI; they are required for IKEv2 user authentication:

```
config vpn ipsec phase1-interface
    edit "Dialup"
        set eap enable
        set eap-identity send-request
        set authusrgrp "Test"
    next
end
```

If the IKEv2 IPsec tunnel is intended for use by multiple user groups, unset the 'authusrgrp' setting. When this option is unset, user groups must instead be specified in the source field of the firewall policy. The behavior is similar to the 'Inherit from policy' XAUTH option used for IKEv1 IPsec tunnels.

```
config vpn ipsec phase1-interface
    edit "Dialup"
        unset authusrgrp
    next
end
```

For more information about configuring single or multiple user groups for IPsec, see the documentation: Using single or multiple user groups for user authentication | FortiOS Administration Guide.

The resulting phase1-interface configuration:

```
show vpn ipsec phase1-interface Dialup
config vpn ipsec phase1-interface
    edit "Dialup"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256
        set comments "VPN: Dialup (Created by VPN wizard)"
        set eap enable
        set eap-identity send-request
        set authusrgrp "Test"
        set ipv4-start-ip 10.212.134.200
        set ipv4-end-ip 10.212.134.210
        set dns-mode auto
        set ipv4-split-include "Hub_local_subnet_0"
        set save-password enable
    next
end
```

If more than one IPsec tunnel is configured, it is necessary to configure a 'Peer ID' (and a 'Local ID' when using IKEv2) following the article Technical Tip: How to use Peer IDs to select an IPsec dialup tunnel on a FortiGate configured with multiple dialup tunnels.

Note: It is recommended to use the wizard to avoid having to manually create the routes, address objects, and firewall policies. Once the VPN tunnel is created, create a firewall policy to allow traffic from the 'Dial-up' VPN interface to the internal network (for example, port5) as shown below:

Note: Ensure that the user group is defined either under the VPN configuration or within the firewall policy. For more details, refer to the FortiGate Administration Guide: Using single or multiple user groups for user authentication | FortiOS Administration Guide.

FortiClient configuration:

Example of a successful VPN connection on FortiClient:

Debugging on the FortiGate:

```
diagnose debug console timestamp enable
diagnose debug application ike -1
diagnose debug enable
```

```
2025-11-04 10:08:37.248480 ike V=root:0: comes 10.5.136.51:500->10.5.136.37:500,ifindex=3,vrf=0,len=425....
2025-11-04 10:08:37.251832 ike V=root:0: IKEv2 exchange=SA_INIT id=ed45b1cf0a8d97eb/0000000000000000 len=425
...
2025-11-04 10:08:40.443729 ike V=root:0:ed45b1cf0a8d97eb/0000000000000000:8: SA proposal chosen, matched gateway Dialup
2025-11-04 10:08:40.445756 ike V=root:0:Dialup:Dialup: created connection: 0x5577091aeb50 3 10.5.136.37->10.5.136.51:500.
2025-11-04 10:08:40.447227 ike V=root:0:Dialup:8: FEC vendor ID received FEC but IP not set
2025-11-04 10:08:40.448346 ike 0:Dialup:8: FCT EAP 2FA extension vendor ID received
...
2025-11-04 10:08:40.532393 ike V=root:0:Dialup:8: send EAP message to FNBAM
2025-11-04 10:08:40.533942 ike V=root:0:Dialup:8: initiating EAP authentication
2025-11-04 10:08:40.534866 ike V=root:0:Dialup: EAP user "test1"
2025-11-04 10:08:40.535649 ike V=root:0:Dialup: auth group Test
2025-11-04 10:08:40.537402 ike V=root:0:Dialup: EAP 8895080476674 pending
2025-11-04 10:08:40.538414 ike V=root:0:Dialup:8 EAP 8895080476674 result FNBAM_CHALLENGED
2025-11-04 10:08:40.539525 ike V=root:0:Dialup: EAP challenged for user "test1"
2025-11-04 10:08:40.540562 ike V=root:0:Dialup:8: responder preparing EAP pass through message
...
2025-11-04 10:08:40.584462 ike V=root:0:Dialup:8 EAP 8895080476674 result FNBAM_SUCCESS
2025-11-04 10:08:40.585445 ike V=root:0:Dialup: EAP succeeded for user "test1" group "Test" 2FA=no
...
2025-11-04 10:08:40.605543 ike V=root:0:Dialup:8: authentication succeeded
2025-11-04 10:08:40.606490 ike V=root:0:Dialup:8: responder creating new child
...
2025-11-04 10:08:40.609811 ike V=root:0:Dialup:8: mode-cfg type 1 request 0:''
2025-11-04 10:08:40.610774 ike V=root:0:Dialup: mode-cfg allocate 10.212.134.200/0.0.0.0
2025-11-04 10:08:40.611875 ike V=root:0:Dialup:8: mode-cfg using allocated IPv4 10.212.134.200
...
2025-11-04 10:08:40.708782 ike V=root:0:Dialup:5: add route 10.212.134.200/255.255.255.255 gw 10.212.134.200 oif Dialup(24) metric 15 priority 1
2025-11-04 10:08:40.711253 ike V=root:0:Dialup_0:8:Dialup:5: tunnel 1 of VDOM limit 0/0
2025-11-04 10:08:40.718609 ike V=root:0:Dialup_0:8:Dialup:5: added IPsec SA: SPIs=28e9cb7b/48cc26ae
2025-11-04 10:08:40.719863 ike V=root:0:Dialup_0:8:Dialup:5: sending SNMP tunnel UP trap
```

To stop the debugging, run the following commands:

```
diagnose debug disable
diagnose debug reset
```
The last message, 'sending SNMP tunnel UP trap', indicates that the tunnel is up and running.

Notes:

DNS suffixes for IPsec tunnels using IKEv2 are supported on FortiOS v7.6.4 and later and FortiClient v7.4.4 and later. Users connecting to an IKEv2 dial-up VPN will need to access resources by the full FQDN (for example, hostname.domain.tld) instead of just the hostname. This feature is scheduled to be added in FortiOS v7.6.4 and FortiClient v7.4.4.
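As an added example (not part of the original article or Fortinet's tooling), the following Python script pulls the fields a troubleshooter checks first out of a 'diagnose debug application ike -1' capture like the one above: which phase1 the peer matched, the EAP user and group, the final FNBAM result, the mode-cfg address, the IPsec SPIs, and whether the tunnel UP trap was sent. The sample log is constructed from the debug excerpt above; the regexes and field names are my own assumptions about the line formats shown there.

```python
# Added example: summarise a FortiGate 'diagnose debug application ike -1'
# capture for an IKEv2 EAP dial-up. Not Fortinet code; patterns are assumptions.
import re
from typing import Dict, Optional

# Constructed sample, abridged from the debug excerpt in the article.
SAMPLE_LOG = """\
2025-11-04 10:08:40.443729 ike V=root:0:ed45b1cf0a8d97eb/0000000000000000:8: SA proposal chosen, matched gateway Dialup
2025-11-04 10:08:40.534866 ike V=root:0:Dialup: EAP user "test1"
2025-11-04 10:08:40.535649 ike V=root:0:Dialup: auth group Test
2025-11-04 10:08:40.538414 ike V=root:0:Dialup:8 EAP 8895080476674 result FNBAM_CHALLENGED
2025-11-04 10:08:40.584462 ike V=root:0:Dialup:8 EAP 8895080476674 result FNBAM_SUCCESS
2025-11-04 10:08:40.585445 ike V=root:0:Dialup: EAP succeeded for user "test1" group "Test" 2FA=no
2025-11-04 10:08:40.611875 ike V=root:0:Dialup:8: mode-cfg using allocated IPv4 10.212.134.200
2025-11-04 10:08:40.718609 ike V=root:0:Dialup_0:8:Dialup:5: added IPsec SA: SPIs=28e9cb7b/48cc26ae
2025-11-04 10:08:40.719863 ike V=root:0:Dialup_0:8:Dialup:5: sending SNMP tunnel UP trap
"""

# Field name -> regex; group(1) is the value, a pattern with no group is a flag.
PATTERNS = {
    "gateway": re.compile(r"matched gateway (\S+)"),        # which phase1 matched
    "user": re.compile(r'EAP user "([^"]+)"'),
    "group": re.compile(r"auth group (\S+)$"),              # authusrgrp or policy group
    "eap_result": re.compile(r"EAP \d+ result (FNBAM_\w+)"),  # last result wins
    "two_factor": re.compile(r"EAP succeeded .* 2FA=(yes|no)"),
    "assigned_ip": re.compile(r"mode-cfg using allocated IPv4 (\S+)"),
    "spis": re.compile(r"added IPsec SA: SPIs=(\S+)"),
    "tunnel_up": re.compile(r"sending SNMP tunnel UP trap"),
}

def parse_ike_debug(text: str) -> Dict[str, Optional[str]]:
    """Scan the capture once; later matches overwrite earlier ones."""
    found: Dict[str, Optional[str]] = {k: None for k in PATTERNS}
    for line in text.splitlines():
        for key, pat in PATTERNS.items():
            m = pat.search(line)
            if m:
                found[key] = m.group(1) if m.groups() else "yes"
    return found

def tunnel_established(f: Dict[str, Optional[str]]) -> bool:
    """Up only if EAP ended in success, an address and SA exist, and the UP trap was sent."""
    return (f["eap_result"] == "FNBAM_SUCCESS" and f["assigned_ip"] is not None
            and f["spis"] is not None and f["tunnel_up"] == "yes")

if __name__ == "__main__":
    fields = parse_ike_debug(SAMPLE_LOG)
    print(fields)
    print("established:", tunnel_established(fields))
```

A capture that ends at FNBAM_CHALLENGED (the user never completed EAP) or that never reaches 'added IPsec SA' is reported as not established, which is the first thing to check before looking at firewall policy or routing.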
Related articles:

- Technical Tip: IKEv2 Dialup IPsec tunnel with Radius and FortiToken MFA
- Troubleshooting Tip: Troubleshooting IPsec Site-to-Site Tunnel Connectivity
- Technical Tip: How to configure VPN Site to Site between FortiGates (Using VPN Setup Wizard)
- Troubleshooting Tip: IPsec VPNs tunnels
- Technical Tip: Setting multiple DNS server for IPSec dial-up VPN
- Technical Tip: NAT-traversal comparison between site-to-site and dial-up "dynamic" tunnels
- Technical Tip: FortiGate Hub with multiple IPSec Dial-up phase1 using IKEv2 and PSK authentication
- Technical Tip: How to configure multiple VPN tunnels from the same ISP to the same remote peer ISP
- Technical Tip: IPSec dial-up full tunnel with FortiClient
- Technical Tip: Differences between Aggressive and Main mode in IPSec VPN configurations
- Technical Tip: Dynamic routing (BGP) over IPsec tunnel
- Technical Tip: OSPF with IPSec VPN for network redundancy
- Technical Tip: Dynamic dial-up VPN with OSPF
- Technical Tip: Fortinet Auto Discovery VPN (ADVPN)
- Technical Tip: 'set net-device' new route-based IPsec logic
- Technical Tip: Simple OCVPN deployment
- Technical Tip: SD-WAN integration with OCVPN
- Technical Tip: Configure IPsec VPN with SD-WAN
- Technical Tip: SD-WAN with DDNS type IPsec
- Technical Tip: SD-WAN primary and backup ipsec tunnel Scenario
- Troubleshooting Tip: IPsec VPN Phase 1 Process - Aggressive Mode
- Technical Tip: Hard timeout for Dialup IPSEC VPN Tunnel
- Technical Tip: How to set DNS suffix for VPN SSL and IPsec in the FortiGate configuration