2FA over Dialup Remote Access IPsec VPN using IKEv2?
Hello, I'm new to FortiGate but am testing various possible VPN configurations in advance of replacing a Cisco ASA pair with a pair of 600Es. I've tested 2FA (FTM) over SSL, the simplest way. But in the past some techs have requested IPsec remote-access VPNs. I've tested this using IKEv1 along with XAuth so that, as well as the PSK, a username, password and token are required. Works fine.
But now I'd like to try to do this with IKEv2. So my question is: on FortiGate, can you configure a dialup VPN using IKEv2 with PSK and require a username, password and token? I've seen documents that seem to hint that this could be done with EAP, but I've tried it and debug shows this message, so I'm doing something wrong:

    ike 0:IKEV2-TEST:897: responder received EAP msg
    ike 0:IKEV2-TEST:897: send EAP message to FNBAM
    ike 0:IKEV2-TEST:897: initiating EAP authentication
    ike 0:IKEV2-TEST: EAP user "incs2"
    ike 0:IKEV2-TEST: EAP failed for user "incs2"
    ike 0:IKEV2-TEST: EAP response is empty
    ike 0:IKEV2-TEST: connection expiring due to EAP failure
    ike 0:IKEV2-TEST: deleting
    ike 0:IKEV2-TEST: deleted

The user incs2 is saved on the client with the right password. On the firewall I have:

    edit "IKEV2-TEST"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set local-gw 192.168.*.*
        set peertype any
        set mode-cfg enable
        set ipv4-dns-server1 192.168.*.*
        set ipv4-dns-server2 192.168.*.*
        set ipv4-dns-server3 192.168.*.*
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set dpd on-idle
        set comments "VPN: IKEV2-TEST (Created by VPN wizard)"
        set dhgrp 5
        set eap enable
        set eap-identity send-request
        set ipv4-start-ip 172.29.1.71
        set ipv4-end-ip 172.29.1.80
        set ipv4-split-include "IKEV2-TEST_split"
        set save-password enable
        set psksecret ENC b4L...aXfCE1A==
        set dpd-retryinterval 60
    next
end

The connection works fine if I remove the EAP settings and disable EAP on the client, but I do need to use 2FA. I can always use IKEv1 if this isn't possible. Thanks for your time, Chris.
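Editor's added example, not part of the original post and not a Fortinet document. It shows the shape of a FortiOS configuration for an IKEv2 dialup tunnel with PSK plus EAP against a local user who has a FortiToken assigned: the user is placed in a user group, and the phase1-interface references that group with `set authusrgrp`, which in my understanding is the binding FortiOS uses to decide where EAP credentials are checked (the poster's config has no such group reference; whether that is the cause of the failure above is an assumption, not something the post confirms). The group name "IKEV2-2FA", the FortiToken serial, the password and the PSK are placeholders; the tunnel name, interface and address pool are taken from the post. DH group 14 is my choice in place of the post's group 5.

```text
# Added example (editor), not the original poster's config.
# Placeholders: <password>, <FORTITOKEN-SERIAL>, <PSK>, group name "IKEV2-2FA".

# Local user with a FortiToken assigned: password + token are both required.
config user local
    edit "incs2"
        set type password
        set passwd <password>
        set two-factor fortitoken
        set fortitoken <FORTITOKEN-SERIAL>
    next
end

# Group that the tunnel will authenticate EAP users against.
config user group
    edit "IKEV2-2FA"
        set member "incs2"
    next
end

# IKEv2 dialup phase1: PSK for the gateway, EAP for the user (assumption: authusrgrp is the
# setting that ties EAP to the group above).
config vpn ipsec phase1-interface
    edit "IKEV2-TEST"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set mode-cfg enable
        set proposal aes256-sha256 aes256gcm-prfsha384
        set dhgrp 14
        set eap enable
        set eap-identity send-request
        set authusrgrp "IKEV2-2FA"
        set ipv4-start-ip 172.29.1.71
        set ipv4-end-ip 172.29.1.80
        set psksecret <PSK>
    next
end
```

When testing, the `diagnose debug application ike -1` output already quoted in the post is the place to confirm the change: a successful attempt should show the EAP user accepted rather than "EAP failed for user", and the user's group membership and token assignment are the first two things to verify if it still fails.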
