Created on 08-14-2022 06:58 AM Edited on 07-11-2023 05:49 AM By Stephen_G
This article describes how to configure a dialup IPsec VPN using IKEv2 and multifactor authentication with FortiToken.
FortiGate, FortiToken, RADIUS, and Active Directory
When configuring a dialup tunnel with IKE version 2, the Authentication section with XAUTH is not present.
In order to select a user group, EAP must be enabled, which requires a RADIUS server.
Considering that Microsoft NPS is popular, the configuration example below is performed with NPS as the RADIUS server.
Note: The remote RADIUS server must support EAP-MSCHAPv2.
Considering that DUO is widely used as a remote authentication and MFA solution, keep in mind the limitations highlighted in this DUO KB article.
Configuration Steps for Microsoft NPS
Note: This configuration assumes NPS server role has been installed and registered to Active Directory.
1. Create a RADIUS client for the FortiGate IP address, with the shared secret that will also be configured on the FortiGate:
2. Create a Connection Request Policy with a condition for the FortiGate's IP address and keep the other settings at their defaults:
3. Create a Network Policy. Make sure it is enabled and 'Grant access' is selected.
4. Add a condition to match the specific Active Directory group:
5. Configure the Constraints tab as below. Make sure MSCHAPv2 is also selected for FortiToken to work, and add 'Microsoft: Secured password (EAP-MSCHAP v2)'.
6. Keep the 'Settings' tab with the default options and select 'OK':
Configuration Steps for FortiGate:
1. Create a RADIUS server entry if there is not one already. This is the IP address of the NPS:
2. Create a remote RADIUS user or modify an existing one as per below:
3. Create or modify a firewall group and add the user to it:
4. Create the dialup IPsec tunnel as per below. This can be done from the 'VPN Creation Wizard' to simplify firewall policy and object creation. EAP options must be configured from the CLI.
config vpn ipsec phase1-interface
    edit "IKEv2"
        set type dynamic
        set interface "port2"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 172.16.1.10
        set proposal aes256-sha256
        set comments "VPN: IKEv2 (Created by VPN wizard)"
        set dhgrp 21
        set eap enable
        set eap-identity send-request
        set authusrgrp "Escalations-Radius-DC1"
        set ipv4-start-ip 172.16.242.50
        set ipv4-end-ip 172.16.242.60
        set ipv4-split-include "LAN1"
        set psksecret ENC
    next
end
config vpn ipsec phase2-interface
    edit "IKEv2"
        set phase1name "IKEv2"
        set proposal aes256-sha256
        set dhgrp 21
        set comments "VPN: IKEv2 (Created by VPN wizard)"
    next
end
Note: EAP configuration can only be done from the CLI.
config vpn ipsec phase1-interface
    edit "IKEv2"
        set eap enable
        set eap-identity send-request
        set authusrgrp "Escalations-Radius-DC1"
    next
end
Note: FortiToken Mobile Push Notifications (FTM-Push) are currently not supported for IKEv2.
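As an added check (example code written for this article, not Fortinet's own tooling), the following Python script parses the phase1-interface stanzas from a FortiOS configuration dump and reports any IKEv2 dialup tunnel that lacks the EAP settings and RADIUS user group described above. The sample configuration embedded in it is constructed, and the second tunnel name "IKEv2-noeap" is an assumption.

```python
# Constructed sample (not from the article): the IKEv2 tunnel above, plus an assumed tunnel left without EAP.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "IKEv2"
        set ike-version 2
        set eap enable
        set eap-identity send-request
        set authusrgrp "Escalations-Radius-DC1"
    next
    edit "IKEv2-noeap"
        set ike-version 2
    next
end
"""

def parse_phase1(text):
    """Return {tunnel: {setting: value}} for each edit block under phase1-interface."""
    tunnels, stack, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[7:])          # enter a table or a nested sub-table
        elif line == "end":
            stack.pop()
        elif stack != ["vpn ipsec phase1-interface"]:
            continue                        # skip other tables and sub-tables
        elif line.startswith("edit "):
            current = line[5:].strip('"')
            tunnels[current] = {}
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            tunnels[current][key] = value.strip().strip('"')
    return tunnels

# Settings the article requires for user-group authentication on an IKEv2 dialup tunnel.
REQUIRED = {"ike-version": "2", "eap": "enable", "eap-identity": "send-request"}

def audit(tunnels):
    """Return {tunnel: [problems]}; an empty list means the tunnel matches the article."""
    report = {}
    for name, cfg in tunnels.items():
        problems = [f"{k} should be {v} (got {cfg.get(k, 'unset')})"
                    for k, v in REQUIRED.items() if cfg.get(k) != v]
        if not cfg.get("authusrgrp"):       # IKEv2 has no XAUTH; the group rides on EAP
            problems.append("authusrgrp unset: no RADIUS user group bound to EAP")
        report[name] = problems
    return report
```

Run audit(parse_phase1(text)) over the output of 'show vpn ipsec phase1-interface'; an empty list for a tunnel means the settings from this article are present.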
Troubleshooting
The following debugs are useful when troubleshooting issues with the configuration above.
diagnose debug console timestamp enable
diagnose debug application ike -1
diagnose debug application fnbamd -1
diagnose debug application eap_proxy -1
diagnose debug enable
Technical Tip: How to configure IPsec VPN Tunnel using IKE v2.
Copyright 2024 Fortinet, Inc. All Rights Reserved.