Article Id 196140

Description

This article describes how to configure an IPsec VPN Tunnel using IKE v2 in FortiClient.

Scope

FortiClient, FortiGate.

Solution

The FortiGate IPsec tunnels can be configured using IKE v2.

This document provides an example of configuring IPsec VPN connectivity using a local user defined on the FortiGate device.

For detailed instructions on creating local users, remote users, or user groups, refer to the following Fortinet documentation:
Users
User groups

Summary of the FortiGate GUI configuration:

[Image: FGT configuration - 'Dialup' VPN.jpg]

This results in the following CLI configuration:
 
show vpn ipsec phase1-interface Dialup
config vpn ipsec phase1-interface
    edit "Dialup"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256
        set comments "VPN: Dialup (Created by VPN wizard)"
        set eap enable
        set eap-identity send-request
        set authusrgrp "Test"
        set ipv4-start-ip 10.212.134.200
        set ipv4-end-ip 10.212.134.210
        set dns-mode auto
        set ipv4-split-include "Hub_local_subnet_0"
        set save-password enable
    next
end

Create a firewall policy to allow traffic from the 'Dialup' VPN interface to the internal network (for example, port5) as shown below:

[Image: FW policy.jpg]


Note: Ensure that the user group is defined either under the VPN configuration or within the firewall policy.

For more details, refer to the FortiGate Administration Guide: Using single or multiple user groups for user authentication.
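The phase1 settings above, together with the note on where the user group must be defined, can be checked mechanically before rolling a tunnel out. The following Python script is an added example, not Fortinet's code; it parses a 'config vpn ipsec phase1-interface' block as shown in the CLI output and flags settings that conflict with this article's notes (IKEv1 with FortiClient 7.4.4 or later, EAP disabled, no user group on the tunnel, mode-cfg without an address pool).

```python
import re

# Phase1-interface block copied (abridged) from the CLI output shown in this article.
PHASE1_CLI = """\
config vpn ipsec phase1-interface
    edit "Dialup"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set mode-cfg enable
        set eap enable
        set eap-identity send-request
        set authusrgrp "Test"
        set ipv4-start-ip 10.212.134.200
        set ipv4-end-ip 10.212.134.210
    next
end
"""

def parse_phase1(cli: str) -> dict:
    """Return {tunnel_name: {setting: value}} for every 'edit' entry in the block."""
    tunnels, current = {}, None
    for raw in cli.splitlines():
        line = raw.strip()
        if m := re.match(r'edit "?([^"]+)"?$', line):
            current = tunnels.setdefault(m.group(1), {})
        elif (m := re.match(r"set (\S+) (.+)$", line)) and current is not None:
            current[m.group(1)] = m.group(2).strip('"')
        elif line == "next":
            current = None
    return tunnels

def audit_dialup(settings: dict) -> list:
    """Flag settings that conflict with the article's notes for an IKEv2 FortiClient dial-up."""
    findings = []
    if settings.get("ike-version") != "2":
        findings.append("ike-version is not 2: FortiClient 7.4.4+ does not support IKEv1")
    if settings.get("type") != "dynamic":
        findings.append("type is not dynamic: a dial-up phase1 must accept any peer address")
    if settings.get("eap") != "enable":
        findings.append("eap is not enabled: local users are authenticated through EAP")
    if "authusrgrp" not in settings:
        findings.append("no authusrgrp: the user group must then be set on the firewall policy")
    if settings.get("mode-cfg") == "enable" and not (
        settings.get("ipv4-start-ip") and settings.get("ipv4-end-ip")
    ):
        findings.append("mode-cfg enabled without an ipv4-start-ip/ipv4-end-ip pool")
    return findings
```

Run audit_dialup over each tunnel returned by parse_phase1; an empty list means the tunnel matches the configuration pattern in this article.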


FortiClient configuration:

[Image: FCT-VPN-1.jpg]

Example of a successful VPN connection on FortiClient:

[Image: FCT-VPN.jpg]


Debugging on the FortiGate:

diagnose debug console timestamp enable
diagnose debug application ike -1
diagnose debug enable

2025-11-04 10:08:37.248480 ike V=root:0: comes 10.5.136.51:500->10.5.136.37:500,ifindex=3,vrf=0,len=425....
2025-11-04 10:08:37.251832 ike V=root:0: IKEv2 exchange=SA_INIT id=ed45b1cf0a8d97eb/0000000000000000 len=425
...
2025-11-04 10:08:40.443729 ike V=root:0:ed45b1cf0a8d97eb/0000000000000000:8: SA proposal chosen, matched gateway Dialup
2025-11-04 10:08:40.445756 ike V=root:0:Dialup:Dialup: created connection: 0x5577091aeb50 3 10.5.136.37->10.5.136.51:500.
2025-11-04 10:08:40.447227 ike V=root:0:Dialup:8: FEC vendor ID received FEC but IP not set
2025-11-04 10:08:40.448346 ike 0:Dialup:8: FCT EAP 2FA extension vendor ID received
...
2025-11-04 10:08:40.532393 ike V=root:0:Dialup:8: send EAP message to FNBAM
2025-11-04 10:08:40.533942 ike V=root:0:Dialup:8: initiating EAP authentication
2025-11-04 10:08:40.534866 ike V=root:0:Dialup: EAP user "test1"
2025-11-04 10:08:40.535649 ike V=root:0:Dialup: auth group Test
2025-11-04 10:08:40.537402 ike V=root:0:Dialup: EAP 8895080476674 pending
2025-11-04 10:08:40.538414 ike V=root:0:Dialup:8 EAP 8895080476674 result FNBAM_CHALLENGED
2025-11-04 10:08:40.539525 ike V=root:0:Dialup: EAP challenged for user "test1"
2025-11-04 10:08:40.540562 ike V=root:0:Dialup:8: responder preparing EAP pass through message
...
2025-11-04 10:08:40.584462 ike V=root:0:Dialup:8 EAP 8895080476674 result FNBAM_SUCCESS
2025-11-04 10:08:40.585445 ike V=root:0:Dialup: EAP succeeded for user "test1" group "Test" 2FA=no
...
2025-11-04 10:08:40.605543 ike V=root:0:Dialup:8: authentication succeeded
2025-11-04 10:08:40.606490 ike V=root:0:Dialup:8: responder creating new child
...
2025-11-04 10:08:40.609811 ike V=root:0:Dialup:8: mode-cfg type 1 request 0:''
2025-11-04 10:08:40.610774 ike V=root:0:Dialup: mode-cfg allocate 10.212.134.200/0.0.0.0
2025-11-04 10:08:40.611875 ike V=root:0:Dialup:8: mode-cfg using allocated IPv4 10.212.134.200
...
2025-11-04 10:08:40.708782 ike V=root:0:Dialup:5: add route 10.212.134.200/255.255.255.255 gw 10.212.134.200 oif Dialup(24) metric 15 priority 1
2025-11-04 10:08:40.711253 ike V=root:0:Dialup_0:8:Dialup:5: tunnel 1 of VDOM limit 0/0
2025-11-04 10:08:40.718609 ike V=root:0:Dialup_0:8:Dialup:5: added IPsec SA: SPIs=28e9cb7b/48cc26ae
2025-11-04 10:08:40.719863 ike V=root:0:Dialup_0:8:Dialup:5: sending SNMP tunnel UP trap

To stop the debugging, run the following commands:

diagnose debug disable
diagnose debug reset


The last message, 'sending SNMP tunnel UP trap', indicates that the tunnel is up and running.
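The sequence of milestones in the debug output above (SA_INIT, gateway match, EAP challenge and success, authentication, mode-cfg address, IPsec SA, UP trap) can be extracted mechanically, which helps when comparing a failing client against this known-good trace. The following Python script is an added example, not Fortinet's code; it walks 'diagnose debug application ike -1' lines and reports the furthest stage reached, every EAP result, and the assigned client IP and SPIs. The sample input is an abridged copy of the article's own debug output.

```python
import re

# Abridged IKE debug lines copied from this article's output above.
IKE_DEBUG = """\
2025-11-04 10:08:37.251832 ike V=root:0: IKEv2 exchange=SA_INIT id=ed45b1cf0a8d97eb/0000000000000000 len=425
2025-11-04 10:08:40.443729 ike V=root:0:ed45b1cf0a8d97eb/0000000000000000:8: SA proposal chosen, matched gateway Dialup
2025-11-04 10:08:40.538414 ike V=root:0:Dialup:8 EAP 8895080476674 result FNBAM_CHALLENGED
2025-11-04 10:08:40.584462 ike V=root:0:Dialup:8 EAP 8895080476674 result FNBAM_SUCCESS
2025-11-04 10:08:40.585445 ike V=root:0:Dialup: EAP succeeded for user "test1" group "Test" 2FA=no
2025-11-04 10:08:40.605543 ike V=root:0:Dialup:8: authentication succeeded
2025-11-04 10:08:40.611875 ike V=root:0:Dialup:8: mode-cfg using allocated IPv4 10.212.134.200
2025-11-04 10:08:40.718609 ike V=root:0:Dialup_0:8:Dialup:5: added IPsec SA: SPIs=28e9cb7b/48cc26ae
2025-11-04 10:08:40.719863 ike V=root:0:Dialup_0:8:Dialup:5: sending SNMP tunnel UP trap
"""

# Milestones of an IKEv2 dial-up negotiation in the order FortiGate logs them;
# each pattern marks a stage and its named groups are copied into the summary.
STAGES = [
    ("sa_init", r"IKEv2 exchange=SA_INIT id=(?P<ike_spi>[0-9a-f]+)/"),
    ("gateway", r"SA proposal chosen, matched gateway (?P<gateway>\S+)"),
    ("eap_result", r"\bresult (?P<eap_result>FNBAM_\w+)"),
    ("eap_done", r'EAP succeeded for user "(?P<user>[^"]+)" group "(?P<group>[^"]+)" 2FA=(?P<two_fa>\w+)'),
    ("auth_ok", r"authentication succeeded"),
    ("mode_cfg", r"mode-cfg using allocated IPv4 (?P<client_ip>\S+)"),
    ("ipsec_sa", r"added IPsec SA: SPIs=(?P<spi_in>\w+)/(?P<spi_out>\w+)"),
    ("tunnel_up", r"sending SNMP tunnel UP trap"),
]

def summarize_ike_debug(text: str) -> dict:
    """Record the stages reached (in order), every EAP result, and the extracted fields."""
    summary = {"stages": [], "eap_results": []}
    for line in text.splitlines():
        for stage, pattern in STAGES:
            m = re.search(pattern, line)
            if not m:
                continue
            if stage not in summary["stages"]:
                summary["stages"].append(stage)
            fields = m.groupdict()
            if "eap_result" in fields:
                summary["eap_results"].append(fields.pop("eap_result"))
            summary.update(fields)
    summary["last_stage"] = summary["stages"][-1] if summary["stages"] else None
    return summary

def tunnel_established(summary: dict) -> bool:
    """Up only when the UP trap was sent and EAP ended in FNBAM_SUCCESS."""
    return summary["last_stage"] == "tunnel_up" and "FNBAM_SUCCESS" in summary["eap_results"]
```

For a client that never connects, 'last_stage' shows where the negotiation stopped (for example at 'eap_result' with only FNBAM_CHALLENGED recorded), which narrows the fault to the FortiGate's user authentication rather than to the IPsec SA.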

Regarding DNS suffixes for IPsec tunnels: IKEv2 IPsec VPN does not currently support adding a DNS suffix.

Users connecting to an IKEv2 dial-up VPN will need to access resources by the full FQDN (for example, hostname.domain.tld) instead of just the hostname. This feature is scheduled to be added in v7.6.4 and FortiClient v7.4.4.

Note: FortiClient v7.4.4 and above does not support IKEv1. If planning to deploy FortiClient v7.4.4 or later, ensure that IKEv2 is configured.
 

Related articles:

Technical Tip: IKEv2 Dialup IPsec tunnel with Radius and FortiToken MFA.

Troubleshooting Tip: Troubleshooting IPsec Site-to-Site Tunnel Connectivity

Technical Tip: How to configure VPN Site to Site between FortiGates (Using VPN Setup Wizard)

Troubleshooting Tip: IPsec VPNs tunnels

Technical Tip: Setting multiple DNS server for IPSec dial-up VPN

Technical Tip: NAT-traversal comparison between site-to-site and dial-up 'dynamic' tunnels

Technical Tip: FortiGate Hub with multiple IPSec Dial-up phase1 using IKEv2 and PSK authentication

Technical Tip: How to configure multiple VPN tunnels from the same ISP to the same remote peer ISP.

Technical Tip: IPSec dial-up full tunnel with FortiClient

Technical Tip: Differences between Aggressive and Main mode in IPSec VPN configurations

Technical Tip: Dynamic routing (BGP) over IPsec tunnel

Technical Tip: OSPF with IPSec VPN for network redundancy

Technical Tip: Dynamic dial-up VPN with OSPF

Technical Tip: Fortinet Auto Discovery VPN (ADVPN)

Technical Tip: 'set net-device' new route-based IPsec logic

Technical Tip: Simple OCVPN deployment

Technical Tip: SD-WAN integration with OCVPN

Technical Tip: Configure IPsec VPN with SD-WAN

Technical Tip: SD-WAN with DDNS type IPsec

Technical Tip: SD-WAN primary and backup ipsec tunnel Scenario

Troubleshooting Tip: IPsec VPN Phase 1 Process - Aggressive Mode

Technical Tip: Configuring more than one Main-Mode Pre-Shared Key (PSK) *dialup* IPSec phase1 on a F...

Technical Tip: Hard timeout for Dialup IPSEC VPN Tunnel

Technical Tip: How to set DNS suffix for VPN SSL and IPsec in the FortiGate configuration