nothingel
New Member
October 4, 2011
Question

IPsec VPN with Fortitoken and iPad/iPhone

  • October 4, 2011
  • 6 replies
  • 10169 views
I was wondering if anyone has any experience with using IPsec VPNs in combination with Fortitokens on iPads or iPhones? (I can successfully connect using a simple username+password combo via the built-in Cisco client on iOS.) This paragraph from the MR3 "what's new" section seems relevant:
When FortiToken is used in a third-party IPsec client configuration, each user that has two-factor authentication enabled and configured must use the token password code when only a password is supported to gain access. This authentication using only a password is not supported when the password and token password code are sent in CHAP or MS-CHAP form, and the local user is authenticated using a remote server. This is because FortiOS is unable to extract back both the password and the token password code.
Based on the quoted paragraph, I'm not sure if users' passwords+OTP is used in the password field or if the OTP is used exclusively instead of the users' regular passwords. In my case, the users' passwords are verified using LDAP. I'm also potentially interested in using certificates in lieu of passwords but still require the Fortitoken, if that's possible. Thanks!
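The quoted "what's new" paragraph turns on one detail: a gateway can only peel a token code off the end of a combined "password+code" string when it actually sees that string in cleartext (PAP/XAuth). With CHAP or MS-CHAP it receives a hash over the credential, so it would have to recompute that hash from a cleartext password it does not hold when the user lives on a remote LDAP server. The following Python model is an added illustration of that reasoning, not code from the thread, from FortiOS, or from Fortinet; the six-digit code length, the fixed token code, the sample users and the SHA-256 "CHAP-style" response are all constructed assumptions for the demo and do not reproduce the real CHAP or FortiToken algorithms.

```python
"""Added illustration: why password+tokencode can be split under PAP but not
under CHAP/MS-CHAP when the password lives on a remote directory."""
import hashlib
import hmac

TOKEN_DIGITS = 6  # assumption: codes are six digits, as in the thread's "123 456" example

# Constructed sample data. Local users are stored on the gateway itself;
# remote users exist only in a directory that answers bind() with yes/no.
LOCAL_USERS = {"bob": "pear"}
_REMOTE_DIRECTORY = {"alice": "apple"}
_TOKEN_CODES = {"alice": "123456", "bob": "123456"}  # fixed codes instead of a real time-based token


def directory_bind(username, password):
    """Simulated LDAP bind: the directory confirms or denies a cleartext password.
    The gateway never learns the stored password itself."""
    return _REMOTE_DIRECTORY.get(username) == password


def current_token_code(username):
    """Code the token would currently display (constructed, not time-based)."""
    return _TOKEN_CODES.get(username)


def split_pap(combined):
    """PAP: the gateway sees the cleartext, so it can separate the trailing code.
    Returns (password, code) or None when the string cannot hold both."""
    if len(combined) <= TOKEN_DIGITS or not combined[-TOKEN_DIGITS:].isdigit():
        return None
    return combined[:-TOKEN_DIGITS], combined[-TOKEN_DIGITS:]


def authenticate_pap(username, combined):
    """Verify password against the directory and the code against the token."""
    parts = split_pap(combined)
    expected_code = current_token_code(username)
    if parts is None or expected_code is None:
        return False
    password, code = parts
    if not directory_bind(username, password):
        return False
    return hmac.compare_digest(code, expected_code)


def chap_response(challenge, secret):
    """Simplified challenge/response: hash over challenge and secret.
    Stand-in for CHAP's MD5 construction, not the RFC 1994 format."""
    return hashlib.sha256(challenge + secret.encode()).hexdigest()


def authenticate_chap(username, challenge, response):
    """CHAP: only a hash arrives. Verification means recomputing the hash from
    the cleartext secret, which the gateway has only for LOCAL users. For a
    remote user there is no cleartext password to combine with the code, and
    a directory bind needs cleartext, so the login cannot succeed."""
    expected_code = current_token_code(username)
    if expected_code is None:
        return False
    if username in LOCAL_USERS:
        expected = chap_response(challenge, LOCAL_USERS[username] + expected_code)
        return hmac.compare_digest(expected, response)
    # Remote user: nothing to hash with; the password cannot be recovered from the response.
    return False


if __name__ == "__main__":
    ch = b"constructed-challenge"
    print("PAP alice:", authenticate_pap("alice", "apple123456"))
    print("CHAP bob  :", authenticate_chap("bob", ch, chap_response(ch, "pear123456")))
    print("CHAP alice:", authenticate_chap("alice", ch, chap_response(ch, "apple123456")))
```

Running it shows the PAP login for the remote user succeeding, the CHAP login for the local user succeeding, and the CHAP login for the remote user failing even with the correct password and code, which is the combination the release note rules out.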

    6 replies

    nothingel
    nothingelAuthor
    New Member
    November 2, 2011
    Just to update everyone-- Fortitokens work just fine from an iPad. The user must supply his/her password with the token immediately after the password. The user's password can be verified against a LDAP server. I only wish the iPad would remember the user's password but bring up the prompt anyway so that only the code needed to be added. Nonetheless, I'm overall pleased with the experience. I haven't tested certificates on the iPad at all yet. I also hope that Fortinet will one day supply a SSL VPN app. Some vendors apparently already do.
    kogan
    New Member
    February 23, 2012
    Is this still correct? I tried it and couldn't connect with password+FortiToken. I can connect just with password though. So, if my password is "apple" and my FortiToken code is "123 456" I have to enter the password "apple123456" without quotation marks? Edit: I only use local users...
    nothingel
    nothingelAuthor
    New Member
    February 24, 2012
    Yes, you have the right format. I'm not sure why it's not working for you. My setup on 4.3.5 is still working great. You do have an actual hardware token, right? It doesn't work if you're trying to send the code via e-mail (although this works fine for the SSL VPN).
    kogan
    New Member
    February 27, 2012
    Yes, it's a hardware token. I press the button before trying to log in so I can see if I have enough time to enter the code though. If the token nearly expired I wait for the next one and then switch the IPSec connection on the iPod on. I also tried to change the password from just numbers to just letters, didn't help. By 4.3.5 you mean v4.0,build 0513,120130 (MR3 Patch 5)? My router is the FortiGate 51B. Is this relevant? There is the FW Version FG50BH-4.00-FW-build513-120130 active though... It seems it's the firmware for a FortiGate 50B? I don't do the updates so I will also ask the admin for details. EDIT: Just some errors...
    Sylvia
    Explorer
    June 1, 2012
    Yes, you have the right format. I'm not sure why it's not working for you. My setup on 4.3.5 is still working great. You do have an actual hardware token, right? It doesn't work if you're trying to send the code via e-mail (although this works fine for the SSL VPN).
    Hi nothingel, I have the same problem as kogan... Can you confirm that you can build up an IPSec tunnel between a FG and an iPad with the built-in VPN client? If so, can you send us a configuration example? Fortinet Support told me that this is not possible... Many thanks, Sylvia
    nothingel
    nothingelAuthor
    New Member
    March 6, 2012
    Do the tokens work with "admin" accounts? Or perhaps SSL VPN? I suggest trying these since they're more straight-forward than the IPsec VPN setup, IMHO. The outcome should help determine if the token setup is at fault or not.
    nothingel
    nothingelAuthor
    New Member
    June 4, 2012
    I am surprised (or not) that Fortinet says it's not possible. Have you checked the Knowledgebase? There's a couple of entries about iPhone IPsec configuration. Just search for "iphone". Yes, my setup definitely works using the native "Cisco" IPsec client on iOS and a Fortigate. Fortinet's hardware token also works. Here's a phase1 config:
        edit "tun-dialup"
            set type dynamic
            set interface "wan1"
            set dhgrp 2
            set keylife 3600
            set peertype dialup
            set xauthtype auto
            set mode aggressive
            set mode-cfg enable
            set proposal aes256-sha1
            set negotiate-timeout 15
            set authusrgrp "IPsec-Xauth"
            set usrgrp "IPsec-PSKs"
            set ipv4-start-ip 10.0.0.1
            set ipv4-end-ip 10.0.0.15
            set dns-mode auto
            set domain "domain.com"
            set banner "This is the optional banner"
            set keepalive 60
            set dpd-retryinterval 30
        next
    And here's phase2 (yes, the names are the same, but it doesn't matter)
        edit "tun-dialup"
            set keepalive enable
            set phase1name "tun-dialup"
            set proposal aes256-sha1
            set route-overlap allow
            set dhgrp 2
        next
    With the config above, you'll need two sets of users, one in the "IPsec-PSKs" group and another in the "IPsec-Xauth" group. The IPsec-PSKs group contains the individual keys used by each device. You could share a single key among all devices but I don't recommend it beyond testing. The IPsec-Xauth group is the standard username/password which could be local users/passwords or a server-based backend like LDAP.