FortiGate
pmeet, Staff
Article Id 382760
Description This article describes a dial-up IPsec VPN configuration using IKEv2 in which the remote user authenticates with a local username and password plus a second factor (2FA) from FortiToken Mobile.
Scope FortiGate.
Solution
1. Create a local user on the FortiGate and assign an available FortiToken to the user. Go to User & Authentication -> User Definition and select 'Create New'.

From CLI:

config user local
    edit "Test"
        set type password
        set two-factor fortitoken
        set fortitoken "FTKMxxxx"
        set email-to "xxxx@example.com"
    next
end

The user's password is set with 'set passwd' (value omitted above). 'FTKMxxxx' is the serial number of a FortiToken Mobile token that is already registered on the FortiGate and not yet assigned to another user; 'email-to' is the address the token activation code is sent to.

2. Create a user group and add the above user to it.

config user group
    edit "VPN_Users"
        set member "Test"
    next
end

3. Create an IPsec tunnel using the above user group 'VPN_Users' for authentication. With 'ike-version 2' and 'eap enable', the FortiGate authenticates to the client with the pre-shared key, and the client authenticates with EAP against 'VPN_Users': username and password first, then the FortiToken code (push notification or typed code).

config vpn ipsec phase1-interface
    edit "Test-Dialup"
        set type dynamic
        set interface "Wan"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set eap enable
        set eap-identity send-request
        set wizard-type dialup-forticlient
        set authusrgrp "VPN_Users"
        set ipv4-start-ip 10.40.40.2
        set ipv4-end-ip 10.40.40.20
        set dns-mode auto
        set ipv4-split-include "VPN-v2_split"
        set save-password enable
        set psksecret ENC s0I3cSRvAeypQSHwIXZEOoj8Sln1xCG+CbFU/oC75IVGn+nbAdZTUIamZcqhohoFuCcvLHF2KT3htvcEOugblCZnPs/XnewPHTN66Y27Rw0dNH7zphxj1ZIhIEH05OVG6qHOZe9Jo2ZOnuOEWOKs0HuKbGMyYJ4bC0xd7NXG9Tn7bwOk1wYg==
    next
end

config vpn ipsec phase2-interface
    edit "Test-Dialup"
        set phase1name "Test-Dialup"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
end

The phase 2 proposal above still lists aes128-sha1 and aes256-sha1 (wizard defaults); remove them if all clients support the SHA-256 or AEAD entries, so that the phase 2 integrity algorithms match the SHA-256-only phase 1 proposal.

4. Create policies for the Internal LAN:

config firewall policy
    edit 1
        set name "vpn_VPN-v2_remote_0"
        set srcintf "Test-Dialup"
        set dstintf "Internal"
        set srcaddr "all"
        set dstaddr "VPN-v2_split"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

'srcaddr' can be narrowed from 'all' to an address object covering the mode-config pool (10.40.40.2 - 10.40.40.20) so that only addresses handed out by this tunnel match the policy.

5. Configure FortiClient to match the phase 1 and phase 2 settings above: IKEv2, the same pre-shared key, compatible proposals, and user authentication with the local username and password; the FortiToken prompt follows the password. If the connection fails, run 'diagnose debug application ike -1' followed by 'diagnose debug enable' on the FortiGate while the client connects and check where the exchange stops.

Note:

An IPsec dial-up connection from an iOS device will fail when FortiToken MFA is used, because the client does not receive the token push. As a workaround, append the token code to the password in the password field when connecting:

  • Password: p@ssw0rd
  • Token Code: 345678

The user enters p@ssw0rd345678 when prompted for the password.
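The concatenated form used in the workaround, as an added Python illustration that is not code from the article or from Fortinet: it builds the value the user types (password immediately followed by the token), then shows how an authenticator can peel the trailing six digits back off, check the password, and validate the token as an RFC 6238 TOTP with a small clock-drift window. The six-digit length, the 30-second step and the base32 seed are assumptions for the demo (the seed is the RFC 6238 test vector, constructed test data, not FortiToken Mobile provisioning data), and the FortiGate's own parsing is not shown in the article.

```python
import base64
import hashlib
import hmac
import struct

# Assumptions for this illustration (not taken from the article):
#   - the FortiToken code is six decimal digits, appended to the password with no separator
#   - the token is an RFC 6238 TOTP (HMAC-SHA1) with a 30-second step
TOKEN_DIGITS = 6
TIME_STEP = 30

# RFC 6238 Appendix B test seed "12345678901234567890", base32-encoded (constructed test data).
DEMO_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(seed_b32: str, at: int, step: int = TIME_STEP, digits: int = TOKEN_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP over the time counter at Unix time `at`, HMAC-SHA1, dynamic truncation."""
    pad = "=" * (-len(seed_b32) % 8)
    key = base64.b32decode(seed_b32.upper() + pad)
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def combine(password: str, token_code: str) -> str:
    """What the iOS user types into the password field: password immediately followed by the token."""
    return password + token_code


def split_credential(combined: str, digits: int = TOKEN_DIGITS):
    """Peel the trailing token off the concatenated value. Returns (password, token) or None."""
    if len(combined) <= digits or not combined[-digits:].isdigit():
        return None
    return combined[:-digits], combined[-digits:]


def verify(combined: str, stored_password: str, seed_b32: str, now: int,
           step: int = TIME_STEP, window: int = 1) -> bool:
    """Check password+token, accepting codes from `window` steps either side of `now`."""
    parts = split_credential(combined)
    if parts is None:
        return False
    password, token = parts
    # A real authenticator compares against a stored hash; constant-time compare on plaintext here.
    if not hmac.compare_digest(password.encode(), stored_password.encode()):
        return False
    return any(
        hmac.compare_digest(token.encode(), totp(seed_b32, now + d * step, step).encode())
        for d in range(-window, window + 1)
    )


if __name__ == "__main__":
    now = 59  # RFC 6238 vector: the six-digit code at T=59 is 287082
    code = totp(DEMO_SEED_B32, now)
    typed = combine("p@ssw0rd", code)
    print(typed, verify(typed, "p@ssw0rd", DEMO_SEED_B32, now))
```

Because the split is positional, a password that itself ends in six digits still works as long as the token is appended last; what breaks the scheme is a token that is not exactly six digits, which `split_credential` rejects rather than guessing.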

 

Related documents:

Technical Tip: IKEv2 Dialup IPsec tunnel with Radius and FortiToken MFA

Registering and provisioning FortiToken Mobile tokens