Matt_B
Staff & Editor
Article Id 423288
Description

This article provides an overview of guides and resources for User and Multi-Factor authentication in FortiOS IKEv2 Dialup IPsec VPN.

Scope

FortiOS v7 and later.

Solution

Determine the User source and required MFA method(s) and refer to the table below.

Non-SSO authentication

  • User source: Active Directory
    MFA method: FortiToken assigned to FortiGate
    Related links:
      Technical Tip: IKEv2 Dialup IPsec tunnel with RADIUS and FortiToken MFA
      Technical Tip: Multi-Factor Authentication support for Windows FortiClient with LDAP (EAP-TTLS)

  • User source: Active Directory
    MFA method: FortiToken assigned to FortiAuthenticator
    Related links:
      Technical Tip: Authenticating Active Directory users to FortiGate IKEv2 VPN with FortiToken MFA on F...

  • User source: Active Directory
    MFA method: IKE gateway certificate authentication
    Related links:
      IPsec IKEv2 VPN 2FA with EAP and certificate authentication
      Technical Tip: Certificate authentication for IKEv2 VPN with RADIUS or LDAP user authentication

  • User source: Remote RADIUS
    MFA method: FortiToken assigned to FortiGate
    Related links:
      Same as Technical Tip: IKEv2 Dialup IPsec tunnel with RADIUS and FortiToken MFA

  • User source: Remote RADIUS
    MFA method: FortiToken or other OTP factors assigned on FortiGate
    Related links:
      Local Users
      Remote Users

  • User source: Remote RADIUS
    MFA method: Third-party MFA (Duo, Okta, etc.)
    Related links:
      See third-party documentation. Configured timeouts must be long enough for the user to complete the third-party MFA; see Technical Tip: Explaining global 'set remoteauthtimeout', user radius 'set timeout', and how they wo...

  • User source: Local FortiGate Users
    MFA method: FortiToken
    Related links:
      Add FortiToken multi-factor authentication

  • User source: Local FortiGate Users
    MFA method: E-mail/SMS
    Related links:
      Technical Tip: Email Two-Factor Authentication on FortiGate
      Technical Tip: Configuring SMS Two-Factor Authentication with 3rd party SMS provider

SSO (SAML) authentication

  • User source: Entra ID
    MFA option: FortiToken, E-mail/SMS
    Related links:
      SAML IdP proxy for Azure

  • User source: Entra ID
    MFA option: Third-Party MFA (e.g. Microsoft Authenticator)
    Related links:
      Technical Tip: How to configure Microsoft Entra ID SAML authentication for Dial-up IPsec VPN
      Technical Tip: SSL VPN with Azure SAML authentication with multi-factor authentication (MFA)
      Troubleshooting Tip: SAML Authentication fails after firmware upgrade to v7.2.12, v7.4.9 or v7.6.4
      [Note: IPsec VPN and SSL VPN SSO configuration and options are similar.]

  • User source: Google Workspace
    MFA option: FortiToken, E-mail/SMS
    Related links:
      SAML IdP proxy for Google Workspace

  • User source: Google Workspace
    MFA option: Third-party MFA
    Related links:
      Technical Tip: Fortinet SSL VPN with G Suite MFA using SAML and SSO
      [Note: IPsec VPN and SSL VPN SSO configuration and options are similar.]

  • User source: Any SSO
    MFA option: FortiIdentity Cloud
    Related links:
      FortiIdentity Cloud | Use Cases
      FortiIdentity Cloud | Using SSO Applications

  • User source: Any SSO
    MFA option: IKE gateway certificate authentication
    Related links:
      Technical Tip: Certificate Authentication for FortiClient remote access dialup IPsec clients with SA...

User Sources:

  • Active Directory: Windows Active Directory, third-party LDAP, Azure AD, or Entra Connect.
  • Remote RADIUS: User credentials stored on FortiAuthenticator or authenticated against a third-party RADIUS server.
  • Local FortiGate Users: Users with credentials stored on FortiGate.
  • Entra ID: User credentials exist only in Entra and cannot be authenticated using Active Directory methods.
  • SSO: FortiGate IPsec acts as the SAML SP to an external SAML IdP. External SAML IdPs include Entra ID, Google Workspace, and FortiIdentity Cloud (as a local or proxy IdP).

If multiple user sources are required, it may be necessary to use network-id to configure multiple remote gateways on the same FortiGate. See the following articles:

Technical Tip: FortiGate Hub with multiple IPSec Dial-up phase1 using IKEv2 and PSK authentication.

Technical Tip: FortiClient support for multiple IKEv2 dialup tunnels at the same FortiGate Remote Ga...

MFA Methods:

  • FortiToken: FortiIdentity Cloud, FortiToken Mobile, hardware FortiToken. One-time password (OTP) entry in FortiClient. On supported FortiOS versions, FortiIdentity Cloud and FortiToken Mobile also support push authentication using the FortiToken Mobile app.
  • E-mail/SMS: FortiGate or FortiAuthenticator delivers the OTP to the user's configured e-mail address or phone number using e-mail or SMS. User enters OTP on FortiClient, similar to FortiToken use cases.
  • IKE gateway certificate authentication: Authenticating to FortiOS dialup gateway using a client certificate rather than a pre-shared key. Considered a form of MFA if the client certificates are only installed on particular devices.
  • Third-Party: Any MFA method triggered on a non-Fortinet authentication product. Includes DUO, Entra MFA, Google Authenticator and other methods. FortiGate has no visibility on these MFA methods; from FortiGate's perspective, third-party MFA is simply unusually slow remote authentication.

Note:

IKEv2 Dialup IPsec VPN is the recommended alternative to FortiOS SSL VPN tunnel mode, and IKEv2 is recommended over IKEv1 for most new FortiOS remote access VPN deployments. See SSL VPN tunnel mode to IPsec VPN migration.

Related articles:
Technical Tip: Required firmware/software versions for using FortiToken Mobile or OTP MFA with Forti...

Technical Tip: FortiOS IKEv2 EAP user authentication operation

Technical Tip: IKEv2 dialup gateway with RADIUS user groups does not support other authentication se...
Technical Tip: Using the same TCP port for IPsec SAML authentication and IKE TCP encapsulation in Fo...

Agentless Remote Access Resources:
SSL VPN to ZTNA Migration Guide

ZTNA Architecture | What is ZTNA Architecture?

SWG agentless mode