Skip to main content
gstefou
gstefou
Explorer
April 30, 2025
Solved

2FA on IPSec VPN using IKEv1 Main Mode for FC VPN iOS

  • April 30, 2025
  • 1 reply
  • 2105 views

Hello,

 

We recently started migrating our SSL-VPN to IPSec. Something we just noticed is that the IPSec setup is not fully compatible for iOS version of FortiClientVPN application.

 

FC VPN at its latest version for iOS devices supports IKEv1 only on Main Mode (we went with aggressive mode on our initial config).

For remote users authentication we’re using a FortiAuth server that communicates with the firewall using RADIUS and to the AD Servers using LDAP. FortiAuth checks if the user exists on AD and then sends an authentication token to the user for 2FA.

 

We started noticing that the last part with the authentication is problematic for FC v7.4.6 on iOS devices and after investigation with Fortinet they informed us that FC VPN on iOS rejects the authentication packets and drops the tunnel afterwards. 

For testing purposes, we disabled the 2FA option within the ForitAuth for the spesific user we login and the tunnel was able to connect succesfully without authentication just the username\password combination. 

 

Have anyone experienced a similar issue with IPSec VPN and IKEv1 on Main Mode ?

 

! Just a disclaimer here !

We have VPN configured using IKEv1 on aggressive for several months now and haven’t noticed simila issue on 2FA with Windows, MacOS or android.

Best answer by hambisanait

We ran into the same issue. Here is the fix for iOS. We now have a standard tunnel and an iOS tunnel. The standard tunnel uses IKEv1 while the iOS tunnel uses IKEv2 per below.

 

  1. This is an overview of VPN supported configurations for iOS 

https://docs.fortinet.com/document/forticlient/7.4.0/ios-administration-guide/914561/remote-access 

 

  1. Must use IKE2 not IKE1. Apple does not support authentication via IKE1 on iOS 
  1. Must Configure EAP through CLI for IKE2 and assign the appropriate Group as it is not exposed on the UI 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-multiple-groups-with-EAP-for-IKEv2-SAML/ta-p/334453 

 

Commands to enable EAP and set the Auth Group 

#conf vpn ipsec phase1-interface 
#edit IOSTunnel 
#set eap enable 
#set eap-identity send-request 
#set authusrgroup <groupname> 

 

This process worked perfect for us.

1 reply

hambisanait
hambisanaitAnswer
New Member
April 30, 2025

We ran into the same issue. Here is the fix for iOS. We now have a standard tunnel and an iOS tunnel. The standard tunnel uses IKEv1 while the iOS tunnel uses IKEv2 per below.

 

  1. This is an overview of VPN supported configurations for iOS 

https://docs.fortinet.com/document/forticlient/7.4.0/ios-administration-guide/914561/remote-access 

 

  1. Must use IKE2 not IKE1. Apple does not support authentication via IKE1 on iOS 
  1. Must Configure EAP through CLI for IKE2 and assign the appropriate Group as it is not exposed on the UI 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-multiple-groups-with-EAP-for-IKEv2-SAML/ta-p/334453 

 

Commands to enable EAP and set the Auth Group 

#conf vpn ipsec phase1-interface 
#edit IOSTunnel 
#set eap enable 
#set eap-identity send-request 
#set authusrgroup <groupname> 

 

This process worked perfect for us.

gstefou
gstefouAuthor
Explorer
April 30, 2025

Hambi, 

 

Thanks a lot for your help! 

I will give it a try the next couple days and will reply here if i have any issues. 

 

Is there any explaination on why it was working on SSL-VPN and not on IPSec VPN ?

I guess it's something fortinet cannot fix as long as Apple deosn't support the authentication on IKEv1... 

 

Apple at it's finest. 

Terms & ConditionsAccessibility statement