Technical Tip: Overview of compatible IKE versions, user authentication methods, and FortiGate/FortiClient firmware versions
Description
This article gives a simple overview of IPSec VPN configuration options. It aims to show at a glance whether a particular combination of IKE version, user authentication method, two-factor option, and FortiGate/FortiClient firmware version is functional.
Scope
FortiGate, FortiClient.
Solution
IPSec VPN is one of two options FortiGate offers for a tunnel-mode VPN. With tunnel-mode SSLVPN being phased out in v7.6, transitioning to IPSec VPN may seem daunting, especially since there are many different configuration options, and not all of them work with every FortiGate and FortiClient firmware version.
The table below provides a brief overview of working configurations, along with relevant caveats.
| IKE version & User Authentication | FortiClient version | FortiGate version | Two-factor Authentication | Notes |
|---|---|---|---|---|
| IKEv1 local (FortiGate)/LDAP/RADIUS user | Up to v7.4.3 | Any supported firmware | Any method on FortiGate or remote RADIUS | IKEv1 is no longer available starting with FortiClient v7.4.4. IKEv1 does not support FortiToken Mobile push. |
| IKEv1 SAML user | No | No | No | SAML requires IKEv2 in a FortiGate/FortiClient setup. |
| IKEv2 local (FortiGate) user | Any supported firmware | Any supported firmware | Any method on FortiGate | IKEv2 supports FortiToken Mobile push starting with v7.2.8. |
| IKEv2 RADIUS user | Any supported firmware | Any supported firmware | Any method on FortiGate or FortiAuthenticator (see notes for required FortiAuthenticator versions). A third-party RADIUS server triggering a one-time passcode prompt as a second factor is not supported.* | The RADIUS server must support EAP-MSCHAPv2 or EAP-TTLS. EAP-TTLS is required if the RADIUS server acts as a proxy to a remote LDAP server.** |
| IKEv2 LDAP user | Starting v7.4.2 | Any supported firmware | Supported starting with FortiClient v7.4.4 and FortiGate v7.4.9/v7.6.1 | FortiClient must use EAP-TTLS, which may impose 2FA limits.*** |
| IKEv2 SAML user | Starting v7.2.4 | Starting v7.2.0 | Any method provided by the SAML IdP or IdP Proxy | Below FortiGate v7.4.9, only the FortiClient internal browser can be used. |
Notes:
* FortiAuthenticator IKEv2 token prompt support starts in v6.4.1. FortiOS does not support a third-party RADIUS server triggering an IKEv2 token prompt. See the article Technical Tip: Required firmware/software versions for using FortiToken Mobile or OTP MFA with FortiGate IKEv2 Dialup IPsec.
** Depending on how FortiAuthenticator validates the user credentials (locally, or against a different remote server), it may require a specific EAP method, which may in turn impose limits on two-factor authentication.
As an example, if a non-domain-joined FortiAuthenticator needs to verify the VPN user credentials against a remote LDAP server, EAP-TTLS must be used, and a token prompt is not supported. In this scenario, appending the token code to the user password can be used as a workaround, as outlined in Technical Tip: How to resolve the 'EAP authentication failed due to missing token' error when using EAP-TTLS/PAP + 2FA Authentication.
To enable token prompt support for Windows Active Directory users, see Technical Tip: Authenticating Active Directory users to FortiGate IKEv2 VPN with FortiToken MFA on FortiAuthenticator.
*** More information may be found in Technical Tip: Multi-Factor Authentication support for Windows FortiClient with LDAP (EAP-TTLS).
Related articles:
Technical Tip: FortiOS IKEv2 EAP user authentication operation
Technical Tip: A guide to Dial-Up IPSec VPN Authentication and Policy Matching
Technical Tip: FortiOS IKEv2 Dialup VPN User and Multi-factor authentication resources