Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
CarlosColombini
Staff & Editor
Staff & Editor

Created on ‎08-14-2022 06:58 AM Edited on ‎12-10-2025 10:53 PM By Community Manager

Article Id 220818

Technical Tip: IKEv2 Dialup IPsec tunnel with RADIUS and FortiToken MFA

Description

 

This article describes how to configure a dial-up IPsec VPN using IKEv2 and Multifactor authentication with FortiToken.

 

Scope

 

FortiGate, FortiToken, RADIUS, and Active Directory.

 

Solution

 

The XAuth method is only available for IKEv1. The authentication framework supported for IKEv2 is EAP. To select a user group, EAP must be enabled, which requires a RADIUS server. The remote RADIUS server must support EAP-MSCHAPv2 because for IKEV2, FortiClient will use EAP-MSCHAPv2 by default.

 

Considering Microsoft NPS is popular, the configuration example below is performed with NPS as a RADIUS server.

 

Configuration Steps for Microsoft NPS.

 

Note:

This configuration assumes the NPS server role has been installed and registered to Active Directory.

 

  1. Create a RADIUS Client for the FortiGate IP address and the Shared Secret to be configured in FortiGate:

 

CarlosColombini_0-1660411083021.png

 

  1. Create a Connection Request Policy with the condition for FortiGate's IP Address and keep other settings as default:

     

    CarlosColombini_1-1660411408749.png

     

  2. Create a Network Policy. Make sure it is enabled and 'Grant access' is selected.

     

    CarlosColombini_2-1660411582746.png

     

  3. Add a condition to match a specific Active Directory group:

     

    CarlosColombini_3-1660411648998.png

     

  4. Configure the constraints tab as below. Make sure MSCHAPv2 is also selected for FortiToken to work, and add 'Microsoft: Secured password (EAP-MSCHAP v2)'.

     

    CarlosColombini_4-1660411759471.png

     

  5. Keep the 'Settings' tab with default options, and select 'OK':

     

    CarlosColombini_5-1660411974240.png

     

Configuration Steps for FortiGate:

  1. Create a RADIUS server entry if there is not one already. This is the IP address of the NPS:

 

CarlosColombini_2-1660412722834.png

 

  1. Create a remote RADIUS user or modify the existing one as per below:

     

    CarlosColombini_0-1660412519912.png

     

  2. Create or modify a firewall group and add the user to it:

     

    CarlosColombini_1-1660412603126.png

     

  3. Create the Dialup IPsec tunnel as shown below. This can be done from the 'VPN Creation Wizard' to simplify firewall policy and object creation. EAP options must be configured from the CLI.

     

CarlosColombini_3-1660413030664.png

 

config vpn ipsec phase1-interface

    edit "IKEv2"

        set type dynamic

        set interface "port2"

        set ike-version 2

        set peertype any

        set net-device disable

        set mode-cfg enable

        set ipv4-dns-server1 172.16.1.10

        set proposal aes256-sha256

        set comments "VPN: IKEv2 (Created by VPN wizard)"

        set dhgrp 21

        set eap enable

        set eap-identity send-request

        set authusrgrp "Escalations-Radius-DC1"

        set ipv4-start-ip 172.16.242.50

        set ipv4-end-ip 172.16.242.60

        set ipv4-split-include "LAN1"

        set psksecret ENC

    next

end

 

config vpn ipsec phase2-interface

    edit "IKEv2"

        set phase1name "IKEv2"

        set proposal aes256-sha256

        set dhgrp 21

        set comments "VPN: IKEv2 (Created by VPN wizard)"

    next

    end

 

Note:

EAP configuration can only be done from the CLI.

 

config vpn ipsec phase1-interface

    edit "IKEv2"

        set eap enable

        set eap-identity send-request

        set authusrgrp "Escalations-Radius-DC1"

    next

end

 

Troubleshooting.

 

The following debugs are useful when troubleshooting issues with the configuration above.

   diagnose debug console timestamp enable

diagnose debug application ike -1

diagnose debug application fnbamd -1

diagnose debug application eap_proxy -1
diagnose debug enable
 

Third-Party MFA:

 

If the MFA solution is provided by the remote RADIUS server, a longer RADIUS timeout should be set to allow the user sufficient time to complete MFA.

 

config system global

set remoteauthtimeout <seconds>

end

 

config user radius

edit <server name>

set timeout <seconds>

next

end


Considering DUO is widely used as a remote authentication and MFA solution, keep in mind the limitations highlighted in: Does the Duo Authentication Proxy support MS-CHAPv2 or EAP-MSCHAPv2?

 

Notes:

  • FortiToken push notification over dial-up is supported starting with the following minimum versions:

  • If FortiGate must authenticate users against an LDAP server rather than a RADIUS server, EAP-TTLS and supported versions must be used, and EAP-TTLS see Technical Tip: Multi-Factor Authentication support for Windows FortiClient with LDAP (EAP-TTLS). EAP-TTLS 2FA support is more limited but does support

  • IPSec dial-up connection with an IOS device will fail to connect if using RADIUS and FortiToken MFA, as it will not receive the token push. As a workaround, include the token in the password field while connecting:

    Password: p@ssw0rd
    Token Code: 345678
    The user will enter p@ssw0rd345678 when prompted for the password.

 

Related documents:

Technical Tip: How to configure IPsec VPN Tunnel using IKE v2

FortiClient supported EAP methods <eap_method> for IKE

30191
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.