Merge IPSec-VPN and SSL-VPN into common VPN-Zone with 3rd party Radius for 2FA?

Forum|Forum|1 year ago
March 6, 2025
3 replies
1123 views

Can I just flip the switch on IPSec XAUTH² to 'inherit from policy' and use the same rules as SSL-VPN, where you have to specify a Source and User/Group?

Last time I tried this, the FortiGate acted as a MITM for IPSec users and redirected HTTPS³ to its own IP, causing a certificate error. I had to roll back without investigating further.

FortiGate 200F 7.2.11

² XAUTH is set to a group containing a remote group which is a radius of our 2FA token.

³Split Tunnel, so not all HTTPS requests, only the ones where a FW rule was hit.

Best answer by Anthony_E

To merge IPsec-VPN and SSL-VPN into a common VPN zone using a third-party RADIUS server for two-factor authentication (2FA) on a FortiGate:

Configure RADIUS Server: Go to `User & Authentication` -> `RADIUS Servers`. Create a new RADIUS server entry with the necessary details (IP address, secret, etc.).
- Test connectivity to ensure the RADIUS server is reachable.
Set Up User Groups: Go to `User & Authentication` -> `User Groups`. Create a user group for VPN users and add the RADIUS server as a member.
Configure IPsec VPN: Go to `VPN` -> `IPsec Wizard` to create a new IPsec VPN. Set the authentication method to use the RADIUS server. Configure the necessary Phase 1 and Phase 2 settings.
Configure SSL VPN: Go to `VPN` -> `SSL-VPN Settings`. Set the authentication method to use the RADIUS server. Configure the SSL VPN portal and IP pools.
Create a VPN Zone: Go to `Network` -> `Interfaces`. Create a new zone and add both the IPsec and SSL VPN interfaces to this zone.
Configure Firewall Policies: Go to `Policy & Objects` -> `Firewall Policy`. Create policies to allow traffic from the VPN zone to the internal network. Ensure the source user is set to the user group configured with the RADIUS server.
Enable Two-Factor Authentication: Ensure the RADIUS server is configured to support 2FA, such as using FortiToken or another method. Verify that users are prompted for 2FA when connecting to the VPN.

Anthony_E

Staff

Hello,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,

Best Regards

Anthony_E

Staff

Hello,

We are still looking for someone to help you.

We will come back to you ASAP.

Thanks,

Best Regards

Anthony_EAnswer

Staff

To merge IPsec-VPN and SSL-VPN into a common VPN zone using a third-party RADIUS server for two-factor authentication (2FA) on a FortiGate:

Configure RADIUS Server: Go to `User & Authentication` -> `RADIUS Servers`. Create a new RADIUS server entry with the necessary details (IP address, secret, etc.).
- Test connectivity to ensure the RADIUS server is reachable.
Set Up User Groups: Go to `User & Authentication` -> `User Groups`. Create a user group for VPN users and add the RADIUS server as a member.
Configure IPsec VPN: Go to `VPN` -> `IPsec Wizard` to create a new IPsec VPN. Set the authentication method to use the RADIUS server. Configure the necessary Phase 1 and Phase 2 settings.
Configure SSL VPN: Go to `VPN` -> `SSL-VPN Settings`. Set the authentication method to use the RADIUS server. Configure the SSL VPN portal and IP pools.
Create a VPN Zone: Go to `Network` -> `Interfaces`. Create a new zone and add both the IPsec and SSL VPN interfaces to this zone.
Configure Firewall Policies: Go to `Policy & Objects` -> `Firewall Policy`. Create policies to allow traffic from the VPN zone to the internal network. Ensure the source user is set to the user group configured with the RADIUS server.
Enable Two-Factor Authentication: Ensure the RADIUS server is configured to support 2FA, such as using FortiToken or another method. Verify that users are prompted for 2FA when connecting to the VPN.

Best Regards

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded