sgursimran
Staff
Article Id 391239
Description

This article describes why FortiClient two-factor authentication is not supported for IPSec dial-up VPN connections on iOS devices.

Scope

FortiClient iOS.

Solution

When connecting to an IPSec dial-up VPN using FortiClient on iOS, the two-factor authentication prompt does not appear. This is expected behavior due to iOS restrictions, as the built-in IPSec framework limits application-level interaction.

Debug logs confirm that the FortiGate sends an XAUTH token request. However, on iOS devices, the 2FA prompt is not triggered as the system does not allow FortiClient to display the authentication window:

2025-03-08 20:45:14.872291 ike 0:iphonevvpn_0:43: received XAUTH_USER_NAME 'iphone' length 6
2025-03-08 20:45:14.872495 ike 0:iphonevvpn_0:43: received XAUTH_USER_PASSWORD length 8
2025-03-08 20:45:14.872678 ike 0:iphonevvpn_0: XAUTH user "iphone"
2025-03-08 20:45:14.872853 ike 0:iphonevvpn: auth group iphone
2025-03-08 20:45:14.874810 ike 0:iphonevvpn_0: XAUTH requires token for user "iphone"
2025-03-08 20:45:14.875237 ike 0:iphonevvpn_0:43: sending XAUTH token request

If multi-factor authentication is required for IPSec VPN on iOS, users are advised to migrate to a dial-up IPSec VPN configuration using SAML authentication.
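
To find which dial-up users are affected before migrating them, the IKE debug output shown above can be triaged offline. The script below is an added example, not Fortinet code: it relies only on the line shapes quoted in this article, and it assumes that a token request with no later XAUTH line for the same tunnel in the capture means the prompt was never answered. The function name and the second sample session are hypothetical.

```python
import re

# Shape of the IKE debug lines quoted in the article:
#   <date> <time> ike <n>:<tunnel>[:<conn>]: <message>
LINE = re.compile(r'^(\S+ \S+) ike \d+:([^:\s]+)(?::\d+)?: (.*)$')
NEEDS_TOKEN = re.compile(r'XAUTH requires token for user "([^"]+)"')

def pending_token_requests(log_text):
    """Return tunnels where a token request is the last XAUTH event logged."""
    users, pending = {}, {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip anything that is not an IKE debug line
        when, tunnel, msg = m.groups()
        need = NEEDS_TOKEN.search(msg)
        if need:
            users[tunnel] = need.group(1)
            pending.pop(tunnel, None)
        elif msg == "sending XAUTH token request":
            pending[tunnel] = when
        elif "XAUTH" in msg:
            # Assumption: any later XAUTH line means the exchange moved on.
            pending.pop(tunnel, None)
    return [{"tunnel": t, "user": users.get(t), "requested_at": ts}
            for t, ts in pending.items()]

# First six lines are the article's excerpt; the "officevpn_0" session is
# constructed for illustration (a user who is not asked for a token).
SAMPLE = """\
2025-03-08 20:45:14.872291 ike 0:iphonevvpn_0:43: received XAUTH_USER_NAME 'iphone' length 6
2025-03-08 20:45:14.872495 ike 0:iphonevvpn_0:43: received XAUTH_USER_PASSWORD length 8
2025-03-08 20:45:14.872678 ike 0:iphonevvpn_0: XAUTH user "iphone"
2025-03-08 20:45:14.872853 ike 0:iphonevvpn: auth group iphone
2025-03-08 20:45:14.874810 ike 0:iphonevvpn_0: XAUTH requires token for user "iphone"
2025-03-08 20:45:14.875237 ike 0:iphonevvpn_0:43: sending XAUTH token request
2025-03-08 20:46:02.100000 ike 0:officevpn_0:44: received XAUTH_USER_NAME 'laptop' length 6
2025-03-08 20:46:02.100200 ike 0:officevpn_0: XAUTH user "laptop"
"""

if __name__ == "__main__":
    for hit in pending_token_requests(SAMPLE):
        print(f'{hit["requested_at"]} tunnel={hit["tunnel"]} '
              f'user={hit["user"]}: token requested, no further XAUTH activity')
```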
