Recommended versions:

The default IKEv2 authentication method EAP-MSCHAPv2 supports FortiToken Mobile 2FA. The following recommended versions support FortiToken Mobile push as well as manual OTP entry when connecting to IKEv2 dialup IPsec tunnels.

FortiOS: v7.4.8 and above.

FortiClient:
- v7.2.4 and above for Windows.
- v7.2.5 and above for MacOS.
- v7.2.5 and above for Linux.

For minimum EAP-MSCHAPv2 versions, as well as those supporting FortiToken for EAP-TTLS, see this article: Technical Tip: Required firmware/software versions for using FortiToken Mobile or OTP MFA with FortiGate IKEv2 Dialup IPsec.

Configuration:

- Create a local user on the FortiGate and assign an available FortiToken to the user. Go to User & Authentication -> User Definition and select 'Create New'.

From CLI:

config user local
    edit "Test"
        set type password
        set two-factor fortitoken
        set fortitoken "FTKMxxxx"
        set email-to "xxxx@example.com"
        set passwd <password>
    next
end

Note: The remaining steps may be done without user input, but the user must still activate the FortiToken before they are able to authenticate. See this document: Registering and provisioning FortiToken Mobile tokens.
- Create a user group and add the above user to it.
config user group
    edit "VPN_Users"
        set member "Test"
    next
end

- Create an IPsec tunnel using the above user group 'VPN_Users' for authentication.

config vpn ipsec phase1-interface
    edit "Test-Dialup"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set eap enable
        set eap-identity send-request
        set wizard-type dialup-forticlient
        set authusrgrp "VPN_Users"
        set ipv4-start-ip 10.40.40.2
        set ipv4-end-ip 10.40.40.20
        set dns-mode auto
        set ipv4-split-include "VPN-v2_split"
        set save-password enable
        set psksecret <secret>
    next
end

Note: The user group can be specified in the Phase1 IPsec interface as above or in the tunnel's firewall policy. If the user group is referenced in the firewall policy, 'set authusrgrp' should not be configured in the phase1-interface settings to avoid conflicts.
config vpn ipsec phase2-interface
    edit "Test-Dialup"
        set phase1name "Test-Dialup"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
end

- Create policies for the Internal LAN:

config firewall policy
    edit <index>
        set name "vpn_VPN-v2_remote_0"
        set srcintf "Test-Dialup"
        set dstintf "Internal"
        set srcaddr "all"
        set dstaddr "VPN-v2_split"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
- Configuration on FortiClient mirrors the phase1 and phase2 settings on the FortiGate.

Note: In some cases, when two-factor authentication is used for a dial-up tunnel and users are intermittently unable to connect, or have to try multiple times before connecting, extending the IPsec negotiation timeout beyond the default 30 seconds may be necessary. This adjustment can prevent connection failures when additional time is required to enter the one-time password (OTP).

config vpn ipsec phase1-interface
    edit "Test-Dialup"
        set negotiate-timeout 50    <----- Enter an integer value from <1> to <300>. Default = <30>.
    next
end

FortiClient iOS does not support using FortiToken when connecting to a dial-up VPN gateway; see Remote Access. As a workaround, include the token code in the password field while connecting.

- Password: p@ssw0rd.
- Token Code: 345678.
The user will enter p@ssw0rd345678 when prompted for the password.

To verify the workaround, run the following commands:

diagnose debug reset
diagnose vpn ike log-filter clear
diagnose vpn ike log filter rem-addr4 x.x.x.x    <----- Replace x.x.x.x with the public IP of the user.
diagnose debug application ike -1
diagnose debug application fnbamd -1
diagnose debug application eap_proxy -1
diagnose debug console timestamp enable
diagnose debug enable

To stop the debugs, run the following command:

diagnose debug disable

Without the workaround:

[913] update_auth_token_session-Token is needed
[923] update_auth_token_session-Token push is skipped, waiting for an auth_token request instead
[1898] handle_req-Two-factor token is needed
[1902] handle_req-r=7
[239] fnbamd_comm_send_result-Sending result
ike V=root:0:vpn_car:114 EAP 9199965560835 result FNBAM_NEED_TOKEN
ike V=root:0:vpn_car: EAP requires token for user "user_name"
ike V=root:0:vpn_car:114: responder preparing EAP pass through message

With the workaround:

[880] update_auth_token_session-2fa code has already been verified in concatenated password
[1898] handle_req-Two-factor token is not needed
[1902] handle_req-r=0
[631] fnbam_user_auth_group_match-req id: 9298749808649, server: user_name, local auth: 1, dn match: 0
[579] __group_match-Group 'user_group' passed group matching

Related documents:
- Technical Tip: FortiOS IKEv2 Dialup VPN User and Multi-factor authentication resources
- Technical Tip: IKEv2 Dial-up IPsec tunnel with Radius and FortiToken MFA
- Registering and provisioning FortiToken Mobile tokens
- Technical Tip: IKEv2 Dial-up IPsec VPN authenticating users through LDAP with EAP-TTLS do not receive token prompt on FortiClient
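The fnbamd/ike debug output above is easy to misread when many users are connecting at once. The following is an added helper (not part of the article or of FortiOS) that classifies one captured authentication attempt: it reports whether the FortiGate asked for a separate OTP (FNBAM_NEED_TOKEN), whether the OTP was consumed from the concatenated password, and whether group matching succeeded. The sample captures are constructed from the lines shown in the article; the marker strings and the `r=` result code interpretation are assumptions taken from that output.

```python
import re

# Constructed samples, shaped like the two debug captures in the article.
WITHOUT_WORKAROUND = """\
[913] update_auth_token_session-Token is needed
[923] update_auth_token_session-Token push is skipped, waiting for an auth_token request instead
[1898] handle_req-Two-factor token is needed
[1902] handle_req-r=7
[239] fnbamd_comm_send_result-Sending result
ike V=root:0:vpn_car:114 EAP 9199965560835 result FNBAM_NEED_TOKEN
ike V=root:0:vpn_car: EAP requires token for user "user_name"
"""

WITH_WORKAROUND = """\
[880] update_auth_token_session-2fa code has already been verified in concatenated password
[1898] handle_req-Two-factor token is not needed
[1902] handle_req-r=0
[631] fnbam_user_auth_group_match-req id: 9298749808649, server: user_name, local auth: 1, dn match: 0
[579] __group_match-Group 'user_group' passed group matching
"""

RESULT_RE = re.compile(r"handle_req-r=(\d+)")
GROUP_RE = re.compile(r"__group_match-Group '([^']+)' passed group matching")
USER_RE = re.compile(r'EAP requires token for user "([^"]+)"')


def classify_auth(debug_output: str) -> dict:
    """Summarise one IKEv2 EAP authentication attempt from fnbamd/ike debug lines."""
    summary = {
        "token_prompt_required": False,  # FortiGate asked for a separate OTP
        "token_in_password": False,      # OTP taken from the concatenated password
        "handle_req_result": None,       # assumed: r=0 success, non-zero needs follow-up
        "matched_groups": [],
        "user": None,
    }
    for line in debug_output.splitlines():
        if "FNBAM_NEED_TOKEN" in line or "Two-factor token is needed" in line:
            summary["token_prompt_required"] = True
        if "verified in concatenated password" in line:
            summary["token_in_password"] = True
        if m := RESULT_RE.search(line):
            summary["handle_req_result"] = int(m.group(1))
        if m := GROUP_RE.search(line):
            summary["matched_groups"].append(m.group(1))
        if m := USER_RE.search(line):
            summary["user"] = m.group(1)
    # The iOS workaround is effective only if the OTP was consumed and fnbamd returned r=0.
    summary["workaround_effective"] = summary["token_in_password"] and summary["handle_req_result"] == 0
    return summary
```

Feed it the text captured between `diagnose debug enable` and `diagnose debug disable` for a single remote address, one attempt at a time.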