Description | This article describes a dial-up IPsec tunnel configuration using IKEv2 in which the user authenticates using user credentials and 2FA using FortiToken Mobile. |
Scope | FortiGate. |
Solution |
From CLI:
config user local
    edit "Test"
        set type password
        set two-factor fortitoken
        set fortitoken "FTKMxxxx"
        set email-to "xxxx@example.com"
    next
end
config user group
    edit "VPN_Users"
        set member "Test"
    next
end
config vpn ipsec phase1-interface
    set type dynamic
config vpn ipsec phase2-interface
config firewall policy
Note: An IPsec dial-up connection from an iOS device will fail to connect when FortiToken MFA is used, because the device will not receive the token push. As a workaround, include the token in the password field while connecting.
The user will enter p@ssw0rd345678 when prompted for the password.
Related documents: Technical Tip: IKEv2 Dialup IPsec tunnel with Radius and FortiToken MFA |
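One way to check an exported configuration for members of the VPN user group that have no second factor set. This is an added example, not Fortinet's code: the function names and the `Test2` user are hypothetical, and the sample configuration is constructed in the layout shown above.

```python
import shlex

# Constructed sample; "Test2" is a hypothetical user added to show a finding.
SAMPLE_CONFIG = '''
config user local
    edit "Test"
        set type password
        set two-factor fortitoken
        set fortitoken "FTKMxxxx"
    next
    edit "Test2"
        set type password
    next
end
config user group
    edit "VPN_Users"
        set member "Test" "Test2"
    next
end
'''

def parse_section(config_text, section):
    """Return {entry: {setting: [values]}} for one top-level 'config <section>' block."""
    entries, current, depth = {}, None, 0
    for raw in config_text.splitlines():
        tok = shlex.split(raw)
        if not tok:
            continue
        if tok[0] == "config":
            # depth 1 is the wanted section; deeper levels are nested tables we skip
            if depth or " ".join(tok[1:]) == section:
                depth += 1
        elif tok[0] == "end" and depth:
            depth -= 1
        elif depth == 1 and tok[0] == "edit" and len(tok) > 1:
            current = entries.setdefault(tok[1], {})
        elif depth == 1 and tok[0] == "next":
            current = None
        elif depth == 1 and tok[0] == "set" and current is not None and len(tok) > 1:
            current[tok[1]] = tok[2:]
    return entries

def users_without_2fa(config_text, group):
    """List group members whose local user entry has no two-factor method.
    Members not defined under 'config user local' are reported as well,
    because their second factor cannot be confirmed from this section."""
    users = parse_section(config_text, "user local")
    members = parse_section(config_text, "user group").get(group, {}).get("member", [])
    return [m for m in members
            if users.get(m, {}).get("two-factor", ["disable"])[0] == "disable"]

if __name__ == "__main__":
    print(users_without_2fa(SAMPLE_CONFIG, "VPN_Users"))
```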
Copyright 2025 Fortinet, Inc. All Rights Reserved.