- Create a local user on the FortiGate and assign an available FortiToken to the user. Go to User & Authentication -> User Definition and select 'Create New'.

From CLI:
config user local
edit "Test"
set type password
set two-factor fortitoken
set fortitoken "FTKMxxxx"
set email-to "xxxx@example.com"
next
end
- Create a user group and add the above user to it.

config user group
edit "VPN_Users"
set member "Test"
next
end
- Create an IPsec tunnel using the above user group 'VPN_Users' for authentication.
config vpn ipsec phase1-interface
edit "Test-Dialup"
set type dynamic
set interface "Wan"
set ike-version 2
set peertype any
set net-device disable
set mode-cfg enable
set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
set eap enable
set eap-identity send-request
set wizard-type dialup-forticlient
set authusrgrp "VPN_Users"
set ipv4-start-ip 10.40.40.2
set ipv4-end-ip 10.40.40.20
set dns-mode auto
set ipv4-split-include "VPN-v2_split"
set save-password enable
set psksecret ENC s0I3cSRvAeypQSHwIXZEOoj8Sln1xCG+CbFU/oC75IVGn+nbAdZTUIamZcqhohoFuCcvLHF2KT3htvcEOugblCZnPs/XnewPHTN66Y27Rw0dNH7zphxj1ZIhIEH05OVG6qHOZe9Jo2ZOnuOEWOKs0HuKbGMyYJ4bC0xd7NXG9Tn7bwOk1wYg==
next
end
Note: The user group can be specified in the Phase1 IPsec interface or in the firewall policy. If the user group is being referenced in the firewall policy instead, the 'set authusrgrp' should not be configured in the CLI settings to avoid conflicts.
config vpn ipsec phase2-interface
edit "Test-Dialup"
set phase1name "Test-Dialup"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
next
end
- Create policies for the Internal LAN:
config firewall policy
edit 1
set name "vpn_VPN-v2_remote_0"
set srcintf "Test-Dialup"
set dstintf "Internal"
set srcaddr "all"
set dstaddr "VPN-v2_split"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
end
- Configuration on FortiClient is basically as per the phase1 and phase2 settings on the FortiGate.
Note:
A dial-up IPsec connection from an iOS device will fail to connect when using FortiToken Multi-Factor Authentication, because the device does not receive the Token push. As a workaround, append the Token code to the password when connecting.
- Password: p@ssw0rd
- Token Code: 345678
The user will enter p@ssw0rd345678 when prompted for the password.
FortiClient Free version 7.4.8 presents the same behavior. To verify the behavior, run the following commands:
diagnose debug reset
diagnose vpn ike log-filter clear
diagnose vpn ike log filter rem-addr4 x.x.x.x <----- Replace x.x.x.x with the public IP of the user.
diagnose debug application ike -1
diagnose debug application fnbamd -1
diagnose debug application eap_proxy -1
diagnose debug console timestamp enable
diagnose debug enable
Without the workaround:
[913] update_auth_token_session-Token is needed
[923] update_auth_token_session-Token push is skipped, waiting for an auth_token request instead
[1898] handle_req-Two-factor token is needed
[1902] handle_req-r=7
[239] fnbamd_comm_send_result-Sending result
ike V=root:0:vpn_car:114 EAP 9199965560835 result FNBAM_NEED_TOKEN
ike V=root:0:vpn_car: EAP requires token for user "user_name"
ike V=root:0:vpn_car:114: responder preparing EAP pass through message
With the workaround:
[880] update_auth_token_session-2fa code has already been verified in concatenated password
[1898] handle_req-Two-factor token is not needed
[1902] handle_req-r=0
[631] fnbam_user_auth_group_match-req id: 9298749808649, server: user_name, local auth: 1, dn match: 0
[579] __group_match-Group 'user_group' passed group matching
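The following Python is an added illustration, not FortiOS or fnbamd code, of how an authentication server can accept a password with a 6-digit TOTP code appended, which is the path the "verified in concatenated password" line above reports. The secret, stored password and timestamp are constructed test values (the secret is the RFC 6238 reference key), and the assumption that the token is an OATH TOTP code is the example's, not the page's.

```python
import hashlib
import hmac
import struct

OTP_DIGITS = 6   # FortiToken codes on this page are 6 digits
TOTP_STEP = 30   # assumed time step in seconds


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP over the number of steps since the Unix epoch."""
    return hotp(secret, at // step)


def verify_concatenated(submitted: str, stored_password: str, secret: bytes,
                        now: int, window: int = 1) -> str:
    """Classify a login attempt: 'ok', 'token_needed', 'bad_password' or 'bad_token'.

    stored_password is plaintext only to keep the example short; a real
    server compares against a password hash instead.
    """
    # Whole string equals the password: first factor is fine but no code was
    # appended, so a push would be required (the case the iOS client cannot complete).
    # Checked first so a password that itself ends in digits is not misparsed.
    if hmac.compare_digest(submitted.encode(), stored_password.encode()):
        return "token_needed"
    if len(submitted) <= OTP_DIGITS or not submitted[-OTP_DIGITS:].isdigit():
        return "bad_password"
    password, code = submitted[:-OTP_DIGITS], submitted[-OTP_DIGITS:]
    if not hmac.compare_digest(password.encode(), stored_password.encode()):
        return "bad_password"
    # Accept codes from the neighbouring time steps to tolerate clock skew.
    counter = now // TOTP_STEP
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return "ok"
    return "bad_token"


if __name__ == "__main__":
    secret, now = b"12345678901234567890", 59   # constructed test values
    code = totp(secret, now)
    print(verify_concatenated("p@ssw0rd" + code, "p@ssw0rd", secret, now))  # ok
    print(verify_concatenated("p@ssw0rd", "p@ssw0rd", secret, now))         # token_needed
```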
Related documents:
Technical Tip: IKEv2 Dial-up IPsec tunnel with Radius and FortiToken MFA
Registering and provisioning FortiToken Mobile tokens - FortiToken documentation