FortiGate
Francesko (Staff)
Article Id 424524
Description

This article describes how to configure IKEv2 IPsec using LDAP authentication with FortiToken or FortiToken Cloud for two-factor authentication.

Scope

FortiOS v7.4.9, v7.6.1 and later, FortiClient v7.4.4 and later

Solution

To enable two-factor authentication (2FA) for IKEv2 IPsec users authenticated against an external LDAP server, with secondary authentication enforced through FortiToken or FortiToken Cloud, the following configuration is required:

 

1. LDAP server configuration:

config user ldap
    edit "LDAP"
        set server "ldap.fortilab.local"
        set cnid "userPrincipalName"
        set dn "DC=fortilab,DC=local"
        set type regular
        set username "admin@fortilab.local"
        set password fortinet
        set secure ldaps
        set ca-cert "ldapcert"
        set port 636
    next
end

 

2. Local LDAP user with two-factor authentication enabled. The local user name must match the value of the attribute selected by cnid on the LDAP server (here the userPrincipalName), because that is the identity the client sends in EAP:

config user local
    edit "test@fortilab.local"
        set type ldap
        set two-factor fortitoken-cloud
        set email-to "admin@fortilab.local"
        set ldap-server "LDAP"
    next
end

 

3. User group referencing the local LDAP user:

config user group
    edit "LocalGRP"
        set member "test@fortilab.local"
    next
end

 

4. Dial-up IPsec IKEv2 configuration. EAP is enabled and no authusrgrp is set in Phase 1, because the user group is applied on the firewall policy in step 5:

config vpn ipsec phase1-interface
    edit "IKEv2"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha1 aes256-sha256
        set dpd on-idle
        set dhgrp 5
        set eap enable
        set eap-identity send-request
        set transport udp
        set ipv4-start-ip 192.168.30.5
        set ipv4-end-ip 192.168.30.20
        set dns-mode auto
        set ipv4-split-include "Loopbackaddress"
        set client-auto-negotiate enable
        set client-keep-alive enable
        set psksecret fortinet
        set dpd-retryinterval 60
    next
end

config vpn ipsec phase2-interface
    edit "IKEv2P2"
        set phase1name "IKEv2"
        set proposal aes128-sha1 aes256-sha256
        set dhgrp 5
    next
end

 

5. Firewall policy configuration, with the user group applied on the policy:

config firewall policy
    edit 1
        set name "IKEv2VPN"
        set srcintf "IKEv2"
        set dstintf "Loopback"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set groups "LocalGRP"
    next
end

 

Validation of EAP user identity and 2FA status. After the client connects, the gateway entry must show the EAP identity and "2FA: yes":

FGT # diagnose vpn ike gateway list | grep eap-user -A 4 -B 9
name: IKEv2_0
version: 2
interface: port15 29
addr: 10.191.19.236:4500 -> 10.5.143.230:58773
tun_id: 192.168.30.5/::10.0.0.17
remote_location: 0.0.0.0
network-id: 0
transport: UDP
created: 1109s ago
eap-user: test@local.lab
2FA: yes
groups:
  LocalGRP 4
peer-id: 10.5.143.230
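Checking one tunnel by eye is fine in a lab, but on a busy gateway the useful check is "does every EAP session show 2FA: yes". The following script is an added example, not part of the original article or of FortiOS: it parses the gateway list into one record per tunnel and reports any EAP user whose session did not complete two-factor authentication. The sample output is constructed to mirror the field layout shown above (names, addresses and the second, non-2FA session are invented); on a real device feed it the output of the same diagnose command.

```python
# Constructed sample, shaped like `diagnose vpn ike gateway list` on FortiOS 7.4.
# All names, addresses and timings are made up for this example; the second
# gateway is deliberately an EAP session that reports "2FA: no".
SAMPLE_OUTPUT = """\
vd: root/0
name: IKEv2_0
version: 2
interface: wan1 5
addr: 203.0.113.10:4500 -> 198.51.100.7:58773
tun_id: 192.168.30.5/::10.0.0.17
remote_location: 0.0.0.0
network-id: 0
transport: UDP
created: 1109s ago
eap-user: test@fortilab.local
2FA: yes
groups:
  LocalGRP 4
peer-id: 198.51.100.7

vd: root/0
name: IKEv2_1
version: 2
interface: wan1 5
addr: 203.0.113.10:4500 -> 198.51.100.9:61001
tun_id: 192.168.30.6/::10.0.0.18
remote_location: 0.0.0.0
network-id: 0
transport: UDP
created: 35s ago
eap-user: contractor@fortilab.local
2FA: no
groups:
  LocalGRP 4
peer-id: 198.51.100.9
"""


def parse_gateways(text):
    """Split the diagnose output into one dict per IKE gateway.

    A "name:" line starts a gateway, a blank line ends it, "key: value" lines
    become fields, and the indented lines under "groups:" are collected as a
    list of group names (the trailing number on each line is the group id).
    """
    gateways = []
    current = None
    in_groups = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            current, in_groups = None, False
            continue
        if line.startswith("name: "):
            current = {"name": line[len("name: "):], "groups": []}
            gateways.append(current)
            in_groups = False
            continue
        if current is None:
            continue
        if in_groups and line.startswith("  "):
            current["groups"].append(line.split()[0])
            continue
        in_groups = line.startswith("groups:")
        if not in_groups and ": " in line:
            key, value = line.split(": ", 1)
            current[key] = value.strip()
    return gateways


def audit_2fa(text):
    """Return (gateway, eap-user, problem) for every EAP session that did not
    complete two-factor authentication. Gateways without an eap-user line
    (site-to-site or certificate-only peers) are outside this check."""
    findings = []
    for gw in parse_gateways(text):
        user = gw.get("eap-user")
        if user is None:
            continue
        if gw.get("2FA") != "yes":
            problem = "EAP user authenticated without 2FA (2FA: %s)" % gw.get("2FA", "missing")
            findings.append((gw["name"], user, problem))
    return findings


if __name__ == "__main__":
    for name, user, problem in audit_2fa(SAMPLE_OUTPUT):
        print(f"{name}: {user}: {problem}")
```

A session that shows an eap-user but "2FA: no" means the LDAP password was accepted without a token challenge, which is exactly the symptom of a user who exists on the LDAP server but has no matching local user with two-factor enabled (or, in the remote-LDAP use case below, falls outside the two-factor-filter).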

 


 

Important notes:

  • EAP-TTLS is configured using the EAP Authentication Method option in the FortiClient EMS GUI starting with v7.4.4.
  • FortiClient for Windows v7.4.3 supports EAP-TTLS only through XML configuration and does not support EAP-TTLS when used with multi-factor (2FA) authentication.
  • The user group should be referenced in either the Phase 1 VPN configuration (set authusrgrp) or the firewall policy (set groups), not in both. Configuring it in both locations can cause overlay traffic to fail.
  • The proposals (aes128-sha1, DH group 5) and the credentials (password fortinet, psksecret fortinet) in this example are lab placeholders. In production use a dedicated read-only LDAP bind account, a strong pre-shared key, SHA-256 integrity and DH group 14 or higher, and keep the FortiClient profile in agreement with the FortiGate proposal list.
  • This guide is specifically written for scenarios where the VPN user is configured as a local LDAP user on the FortiGate, with two-factor authentication (2FA) using FortiToken or FortiToken Cloud enabled directly in the user configuration.
    For deployments in which FortiToken is assigned using FortiIdentity Cloud and 2FA is enabled directly in the LDAP configuration for remote LDAP users, refer to Technical Tip: Multi-Factor Authentication support for Windows FortiClient with LDAP (EAP-TTLS).

 

Remote LDAP user 2FA configuration use case. Here no local user is created: two-factor authentication is enabled on the LDAP server entry itself, and two-factor-filter selects which LDAP users are challenged for a token. Users who authenticate through this server but do not match the filter log in with their LDAP password only:

config user ldap
    edit "LDAPRemote"
        set server "ldap.fortilab.local"
        set cnid "userPrincipalName"
        set dn "DC=fortilab,DC=local"
        set type regular
        set two-factor fortitoken-cloud
        set two-factor-filter "(&(objectCategory=Person)(userPrincipalName=*)(memberOf=CN=vpnldap,OU=lab,DC=fortilab,DC=local))"
        set username "admin@fortilab.local"
        set password fortinet
        set secure ldaps
        set ca-cert "ldapcert"
        set port 636
    next
end
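Because the two-factor-filter decides who gets a token challenge, it is worth evaluating it against the directory before relying on it. The script below is an added example, not code from the article or from FortiOS or Active Directory: it parses the subset of RFC 4515 filter syntax used on this page (and, or, not, equality and presence), evaluates the filter against constructed directory entries, and lists both the users the FortiGate will challenge and the users with a UPN that it will not. The entries, DNs and group memberships are invented; objectCategory is kept as the short form "Person" rather than the schema DN that AD resolves it to, so the filter on the page can be evaluated literally.

```python
# Constructed directory entries standing in for the Active Directory users the
# FortiGate would query; DNs, UPNs and group memberships are made up. Attribute
# names are stored lower-case because LDAP attribute names are case-insensitive.
DIRECTORY = {
    "CN=Test User,OU=lab,DC=fortilab,DC=local": {
        "objectcategory": ["Person"],
        "userprincipalname": ["test@fortilab.local"],
        "memberof": ["CN=vpnldap,OU=lab,DC=fortilab,DC=local",
                     "CN=staff,OU=lab,DC=fortilab,DC=local"],
    },
    "CN=Contractor,OU=lab,DC=fortilab,DC=local": {
        "objectcategory": ["Person"],
        "userprincipalname": ["contractor@fortilab.local"],
        "memberof": ["CN=staff,OU=lab,DC=fortilab,DC=local"],
    },
    "CN=svc-backup,OU=lab,DC=fortilab,DC=local": {
        "objectcategory": ["Person"],
        "memberof": ["CN=vpnldap,OU=lab,DC=fortilab,DC=local"],
    },
}

# The two-factor-filter from the LDAPRemote entry on this page.
TWO_FACTOR_FILTER = ("(&(objectCategory=Person)(userPrincipalName=*)"
                     "(memberOf=CN=vpnldap,OU=lab,DC=fortilab,DC=local))")


def parse_filter(text, pos=0):
    """Recursive-descent parser for the RFC 4515 subset used here:
    and (&), or (|), not (!), equality (attr=value) and presence (attr=*).
    Returns (tree, next_pos). Assumption: attribute values contain no ')'."""
    if text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    op = text[pos]
    if op in "&|!":
        pos += 1
        children = []
        while pos < len(text) and text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if pos >= len(text) or text[pos] != ")":
            raise ValueError("unterminated '%s' filter" % op)
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one filter")
        return (op, children), pos + 1
    end = text.find(")", pos)
    if end < 0 or "=" not in text[pos:end]:
        raise ValueError("malformed filter item at offset %d" % pos)
    attr, value = text[pos:end].split("=", 1)
    return ("=", attr.lower(), value), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry (attr -> list of values).
    Values compare case-insensitively, as AD does for DN and string attributes."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":  # presence test
        return len(values) > 0
    return any(v.lower() == value.lower() for v in values)


def users_requiring_2fa(directory, filter_text):
    """DNs selected by the two-factor-filter, i.e. the users the FortiGate
    challenges for a FortiToken after the LDAP password is accepted."""
    tree, end = parse_filter(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing characters after filter")
    return sorted(dn for dn, entry in directory.items() if matches(tree, entry))


def password_only_users(directory, filter_text):
    """Entries with a UPN that the filter does not select: if such an account is
    in the group referenced by the policy, it logs in with the password alone."""
    selected = set(users_requiring_2fa(directory, filter_text))
    return sorted(dn for dn, entry in directory.items()
                  if "userprincipalname" in entry and dn not in selected)


if __name__ == "__main__":
    print("2FA enforced:", users_requiring_2fa(DIRECTORY, TWO_FACTOR_FILTER))
    print("password only:", password_only_users(DIRECTORY, TWO_FACTOR_FILTER))
```

Run against a real directory export, the password-only list is the one to review: every account on it that is also allowed by the VPN policy bypasses the token. Tightening the filter, or making the filter group and the policy group the same group, closes that gap.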

 

Related articles:

Technical Tip: How to enable EAP-TTLS for IPSec IKEv2 tunnels in VPN-only (unlicensed) FortiClient

Technical Tip: Overview of compatible IKE versions, user authentication methods, and FortiGate/Forti...

Technical Tip: A guide to dial-up IPSec VPN authentication and policy matching
