FortiGate
auppal
Staff
Article Id 338561
Description

This article describes a dial-up IPsec tunnel configuration in which the user authenticates with user credentials plus a second factor (2FA) from FortiToken Mobile.

Scope

FortiToken Mobile.

Solution
  1. Create a local user on the FortiGate and assign an available FortiToken to the user. Go to User & Authentication > User Definition and select 'Create New'.

config user local
    edit "test-user"
        set type password
        set two-factor fortitoken
        set fortitoken "FTKMxxxx"
        set email-to "xxxx@example.com"
    next
end

 

Note:
This user can be any type of user to which a FortiToken can be assigned; for example, an LDAP-type user works as well.

 

  2. Create a user group and add the above user to it.

config user group
    edit "test-group"
        set member "test-user"
    next
end

  3. Create an IPsec tunnel that uses the above user group 'test-group' for authentication (phase 1 and phase 2 below).

config vpn ipsec phase1-interface
    edit "Test-Dialup"
        set type dynamic
        set interface "wan1"
        set keylife 28800
        set mode aggressive
        set peertype one
        set net-device enable
        set mode-cfg enable
        set ipv4-dns-server1 1.1.1.1
        set proposal aes128-sha1
        set dpd on-idle
        set dhgrp 5
        set xauthtype auto
        set authusrgrp "test-group"
        set peerid "test"
        set ipv4-start-ip 172.58.95.4
        set ipv4-end-ip 172.58.95.100
        set psksecret fortinet
    next
end

config vpn ipsec phase2-interface
    edit "Test-Dialup"
        set phase1name "Test-Dialup"
        set proposal aes128-sha256
        set dhgrp 5
        set keylifeseconds 28800
    next
end

 

  4. Create the required firewall policies to allow traffic.

config firewall policy
    edit 1
        set srcintf "Test-Dialup"
        set dstintf "internal"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
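As an added check that is not part of the article or of FortiOS, the following Python script parses a flat FortiOS configuration export containing the tables configured above and reports every member of a dial-up phase1's authusrgrp that lacks 'set two-factor fortitoken', so a group used for dial-up authentication cannot silently contain a user without a token. The sample configuration, the user names and the parse_fortios/dialup_users_without_2fa helpers are constructed for this example; nested sub-tables are not handled.

```python
import re
# Constructed sample in the shape of the article's config (not a real export).
SAMPLE_CONFIG = """config user local
    edit "test-user"
        set two-factor fortitoken
    next
    edit "no-2fa-user"
        set type password
    next
end
config user group
    edit "test-group"
        set member "test-user" "no-2fa-user"
    next
end
config vpn ipsec phase1-interface
    edit "Test-Dialup"
        set type dynamic
        set authusrgrp "test-group"
    next
end"""

def parse_fortios(text):
    """Flat config/edit/set/next/end -> {table: {entry: {key: [values]}}}."""
    tables, table, entry = {}, None, None
    for raw in filter(str.strip, text.splitlines()):
        cmd, *args = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', raw)]
        if cmd == "config":            # new top-level table; nesting not handled
            table = tables.setdefault(" ".join(args), {})
        elif cmd == "edit":
            entry = table.setdefault(args[0], {})
        elif cmd == "set" and entry is not None:
            entry[args[0]] = args[1:]  # multi-value keys (member) keep all values
        elif cmd == "next":
            entry = None
    return tables

def dialup_users_without_2fa(text):
    """{phase1 name: [authusrgrp members lacking 'set two-factor fortitoken']}."""
    cfg = parse_fortios(text)
    users, groups = cfg.get("user local", {}), cfg.get("user group", {})
    findings = {}
    for name, p1 in cfg.get("vpn ipsec phase1-interface", {}).items():
        if p1.get("type") != ["dynamic"]:
            continue  # only dial-up (dynamic) phase1s authenticate via authusrgrp
        for grp in p1.get("authusrgrp", []):
            for member in groups.get(grp, {}).get("member", []):
                if users.get(member, {}).get("two-factor") != ["fortitoken"]:
                    findings.setdefault(name, []).append(member)
    return findings
```

Run it against the output of 'show full-configuration' saved to a file; an empty result means every user reachable through a dial-up tunnel's group has a FortiToken enforced.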

 

For detailed steps for a full-tunnel dial-up IPsec VPN, refer to: Technical Tip: IPSec dial-up full tunnel with FortiClient

The same steps apply to a split-tunnel dial-up IPsec VPN as well. For detailed steps for a split-tunnel dial-up IPsec VPN, refer to:

Technical Note: FortiClient Dialup IPsec VPN (Split Tunneling)

 

Result:
The client can connect to the dial-up IPsec tunnel after providing the correct FortiToken code, as shown in the tunnel diagnostics below:

name=Test-Dialup_0 ver=1 serial=28 172.17.x.x:4500->10.21.x.x:64917 tun_id=172.58.x.x tun_id6=::10.0.x.x dst_mtu=1500 dpd-link=on weight=1
bound_if=6 lgwy=static/1 tun=intf mode=dial_inst/3 encap=none/66488 options[103b8]=npu create_dev rgwy-chg rport-chg frag-rfc  role=primary accept_traffic=1 overlay_id=0

parent=Test-Dialup index=0
proxyid_num=1 child_num=0 refcnt=5 ilast=1 olast=1 ad=/0
stat: rxp=2 txp=0 rxb=15664 txb=0
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=1
natt: mode=silent draft=32 interval=10 remote_port=64917
fec: egress=0 ingress=0
proxyid=Test-Dialup proto=0 sa=1 ref=2 serial=1 add-route
  src: 0:0.0.0.0-255.255.255.255:0
  dst: 0:172.58.95.4-172.58.95.4:0
  SA:  ref=4 options=2a6 type=00 soft=0 mtu=1422 expire=53/0B replaywin=1024
       seqno=1 esn=0 replaywin_lastseq=00000002 qat=0 rekey=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=109/120
  dec: spi=63bb038c esp=aes key=16 a9363909df9058f95eb92c59eff23bb2
       ah=sha1 key=20 b3c1d0d3bf1ada2e679ad95012c098a7a784f2b2
  enc: spi=cf9c2e82 esp=aes key=16 2e727cb0ff4acd793ae3814b4456a21b
       ah=sha1 key=20 4b09c555a5695fdadb45f5240c4b3bc01a3bb312
  dec:pkts/bytes=4/15994, enc:pkts/bytes=0/0
  npu_flag=02 npu_rgwy=10.21.x.x npu_lgwy=172.17.x.x npu_selid=1e dec_npuid=1 enc_npuid=0