Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
sagha
Staff
Staff

Created on ‎07-28-2021 11:46 PM Edited on ‎06-21-2025 01:17 PM By Moderator

Article Id 191040

Technical Tip: IKEv2 dialup IPsec tunnel with RADIUS server authentication and FortiClient

Description


This article explains IKEv2 dial-up tunnel setup with a RADIUS server and using FortiClient.

 

Scope

 

FortiGate.

Solution


FortiGate dial-up IPsec tunnels can be configured as IKEv2 with Radius authentication.
Note that EAP will need to be configured even if LDAP is used, as IKEv2 requires EAP.
LDAP will be a result of a 'translation' from RADIUS EAP to LDAP if that is possible.

Note:
Starting from FortiClient v7.4.3, EAP-TTLS is now supported with IKEv2 authentication: EAP-TTLS support for IPsec VPN 7.4.3 | FortiClient 7.4.0.

In earlier versions of FortiClient, EAP-MSCHAPv2 was the method used for username + password authentication and did not work with LDAP. EAP-TTLS now works with LDAP authentication.

Configuration.
Defining the RADIUS user.

 

config user local
    edit "test_user"
        set type radius
        set radius-server "Radius_server"
    next
end

 

user-radius.PNG

 

User group.

 

config user group
    edit "VPN_Users"
        set member "test_user”
    next
end

 

usergroup.PNG

 

IPsec config.

 

config vpn ipsec phase1-interface
    edit "Dialup_IKEv2"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set mode-cfg enable
        set proposal aes128-sha1 aes256-sha256
        set dpd on-idle
        set comments "FTG IPsec VPN IKEv2 and Radius user auth"
        set dhgrp 5
        set eap enable
        set eap-identity send-request   
        set authusrgrp "VPN_Users"
        set ipv4-start-ip 192.168.88.10
        set ipv4-end-ip 192.168.88.150
        set dns-mode auto
        set psksecret ENC xx
        set dpd-retryinterval 60
    next
end

 

The above highlighted settings can only be available through the CLI. If errors such as  'gw validation failed’ or ‘EAP response is empty' can be observed in the IKE debug output, then refer to the following article:

Troubleshooting Tip: For using Ikev2 for dialup Ipsec tunnel with radius server and Local user

 

IKEv2-1.PNG

 

IKEv2-2.PNG

 

IKEv2-3.PNG


config vpn ipsec phase2-interface
    edit "Dialup_IKEv2"
        set phase1name "Dialup_IKEv2"
        set proposal aes128-sha1 aes256-sha256
        set dhgrp 5
    next
end

 

IKEv2-4.PNG

 

Firewall policy.

 

config firewall policy
    edit 0
        set name "Dialup_IKEv2"
        set srcintf "Dialup_IKEv2"
        set dstintf "lan"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
end

 

policyfirewall.PNG

 

  1. For IKEv2, FortiClient will use EAP-MSCHAPv2.
  2. For this setup to work, the remote RADIUS server must support EAP-MSCHAPv2 authentication (EAP-MS-CHAP) (Microsoft NPS, for example).

 

lcamilo_0-1675280838265.png

 

Related articles:

Technical Tip: How to configure IPsec VPN Tunnel using IKE v2

Technical Tip: IKEv2 Dialup IPsec tunnel with RADIUS and FortiToken MFA

Labels:
21959
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.