Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
pmeet
Staff
Staff

Created on ‎03-17-2025 08:43 AM Edited on ‎05-26-2025 09:06 PM By Community Manager

Article Id 382760

Technical Tip: IPsec Dialup tunnel using IKEv2 with FortiToken 2FA for local users

Description This article describes a dial-up IPsec tunnel configuration using IKEv2 in which the user authenticates using user credentials and 2FA using FortiToken Mobile.
Scope FortiGate.
Solution
  1. Create a local user on the FortiGate and assign an available FortiToken to the user. Go to User & Authentication -> User Definition and select 'Create New'.

 

new group.PNG

 

From CLI:

 

config user local

    edit "Test"

        set type password

        set two-factor fortitoken

        set fortitoken "FTKMxxxx"

        set email-to "xxxx@example.com"

        set 

    next

end

 

  1. Create a user group and add the above user to it.

 

VPN user 1.PNG

 

config user group

    edit "VPN_Users"

        set member  "Test"

    next

end

 

  1. Create an IPsec tunnel using the above user group 'VPN_Users' for authentication.

 

config vpn ipsec phase1-interface
    edit "Test-Dialup"

        set type dynamic
        set interface "Wan"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set eap enable
        set eap-identity send-request
        set wizard-type dialup-forticlient
        set authusrgrp "VPN_Users"
        set ipv4-start-ip 10.40.40.2
        set ipv4-end-ip 10.40.40.20
        set dns-mode auto
        set ipv4-split-include "VPN-v2_split"
        set save-password enable
        set psksecret ENC s0I3cSRvAeypQSHwIXZEOoj8Sln1xCG+CbFU/oC75IVGn+nbAdZTUIamZcqhohoFuCcvLHF2KT3htvcEOugblCZnPs/

XnewPHTN66Y27Rw0dNH7zphxj1ZIhIEH05OVG6qHOZe9Jo2ZOnuOEWOKs0HuKbGMyYJ4bC0xd7NXG9Tn7bwOk1wYg==
    next
end

 

config vpn ipsec phase2-interface
    edit "Test-Dialup"
        set phase1name "Test-Dialup"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
end

 

  1. Create policies for the Internal LAN:

 

config firewall policy
    edit 1
        set name "vpn_VPN-v2_remote_0"
        set srcintf "Test-Dialup"
        set dstintf "Internal"
        set srcaddr "all"
        set dstaddr ""VPN-v2_split"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

 

  1. Configuration on FortiClient is basically as per phase1 and phase2 settings on the FortiGate.

     

Note: 

IPSec dialup connection with an IOS device will fail to connect if using the Fortitoken MFA, as it will not receive the Token push. As a workaround include the Token in the password field while connecting.

  • Password: p@ssw0rd
  • Token Code: 345678

The user will enter p@ssw0rd345678 when prompted for the password.

 

Related documents:

Technical Tip: IKEv2 Dialup IPsec tunnel with Radius and FortiToken MFA

Registering and provisioning FortiToken Mobile tokens 
2771
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.