cshellen
New Member
February 6, 2026
Question

IPSEC ikeV2 Dialup VPN with Okta


I am trying to set up an IPsec dialup IKEv2 VPN using Okta SSO. I get the Okta prompt and it goes through, but the Okta prompt comes back up and the VPN isn't connecting. Okta is showing the login as successful. I followed the article in the forums and am having no luck.

2 replies

emnoc
New Member
February 7, 2026

Maybe post your config or tell us if it's RADIUS or SAML.

jiahoong112
Staff
February 8, 2026

Sounds like you are facing problems with dialup IPsec using Okta SAML SSO, where the authentication + 2FA is successful but the VPN is not connecting. This is often an indication that the IPsec tunnel negotiation is not successful or that the authentication timeout is happening too early.

Please start off by increasing the remoteauthtimeout value on FortiGate: https://docs.fortinet.com/document/fortiauthenticator/6.5.0/cookbook/306162/increasing-remote-authentication-timeout-using-fortigate-cli

To check IKE negotiation, kindly run these commands on the FortiGate to debug it:

# diag deb console time en
# diag vpn ike log filter name <ipsec-name>   -> rem-addr4 for the public source-ip of your endpoint that you are connecting with
# diag deb app ike -1
# diag deb enable

-> reproduce issue

To disable the debug:

# diag deb disable
# diag deb reset

>> Please ensure the phase1 and phase2 selectors on FortiClient and FortiGate are configured the same. It's also worth deleting the existing vpn profile on FortiClient and recreating it.