Debbie_FTNT
Staff & Editor
Article Id 420733
Description

This article gives a brief overview of IPSec VPN configuration options. It aims to show at a glance whether a particular combination of IKE version, user authentication method, two-factor authentication option, and FortiGate/FortiClient firmware version is functional.

Scope

FortiGate, FortiClient.

Solution

IPSec VPN is one of the two tunnel-mode VPN options FortiGate offers. With tunnel-mode SSLVPN being phased out in v7.6, a transition to IPSec VPN may seem a bit daunting, especially as there are many different configuration options, and not all of them work with every FortiGate and/or FortiClient firmware version.

The table below provides a short overview of working configurations, as well as caveats.

| IKE version & user authentication | FortiClient version | FortiGate version | Two-factor authentication | Notes |
|---|---|---|---|---|
| IKEv1, local (FortiGate)/LDAP/RADIUS user | Up to v7.4.3 | Any supported firmware | Any method on FortiGate or remote RADIUS | IKEv1 is no longer available starting FortiClient v7.4.4 |
| IKEv1, SAML user | No | No | No | SAML requires IKEv2 in a FortiGate/FortiClient setup |
| IKEv2, local (FortiGate)/RADIUS user | Any supported firmware | Any supported firmware | Any method on FortiGate or remote RADIUS | Remote RADIUS may require a specific EAP method * |
| IKEv2, LDAP user | Starting v7.4.2 | Any supported firmware | Supported starting FortiClient v7.4.4 and FortiGate v7.4.9/v7.6.1 | FortiClient must use EAP-TTLS, which may impose 2FA limits ** |
| IKEv2, SAML user | Starting v7.2.4 | Starting v7.2.0 | Any method provided by the SAML IdP or IdP proxy | Below FortiGate v7.4.9, only the internal browser on FortiClient is supported |

Notes:

* Depending on how the remote RADIUS server validates the user credentials (locally, or against a different remote server), it may require a specific EAP method, which in turn may impose limits on two-factor authentication.

For example, if FortiAuthenticator acts as the RADIUS server and in turn needs to verify the VPN user credentials against a remote LDAP server, it also requires EAP-TTLS and does not support a token prompt, but it DOES allow appending the token code to the password, as outlined here: Technical Tip: How to resolve the 'EAP authentication failed due to missing token' error when using ...
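The flow above, in which the EAP-TTLS inner authentication carries a single password value and therefore cannot show a separate token prompt, is the reason the one-time token has to be appended to the password. The following Python is an added example, not code from this article or from Fortinet, showing how a RADIUS back end could separate such a combined value and verify the trailing one-time code as an RFC 6238 TOTP. The 6-digit suffix, the 30-second step, the sample user "alice", the password and the seed are all constructed assumptions; FortiAuthenticator's real implementation is not described on this page.

```python
import hashlib
import hmac
import struct
import time

# Assumptions (not stated in the article): the client appends a 6-digit TOTP
# (RFC 6238, 30-second step) to the static password, e.g. "CorrectHorse!123456",
# because an EAP-TTLS inner authentication carries a single password value and
# offers no second round-trip in which a token prompt could be shown.
OTP_DIGITS = 6
TOTP_STEP = 30      # seconds per time step
TOTP_WINDOW = 1     # accept one step of clock drift on either side

# Constructed sample user store. In a real deployment the static password would
# be checked against the remote LDAP server and the seed would live on the
# token server; both are embedded here only so the example runs offline.
USERS = {
    "alice": {
        "password_hash": hashlib.sha256(b"CorrectHorse!").hexdigest(),
        "totp_seed": bytes(range(20)),   # constructed seed, never reuse
    },
}


def totp(seed: bytes, unix_time: int, digits: int = OTP_DIGITS,
         step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given seed and Unix time."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def split_password_and_token(combined: str):
    """Return (password, token) from 'password+token', or None when the
    submitted value has no numeric token suffix."""
    if len(combined) <= OTP_DIGITS or not combined[-OTP_DIGITS:].isdigit():
        return None
    return combined[:-OTP_DIGITS], combined[-OTP_DIGITS:]


def verify_totp(seed: bytes, candidate: str, unix_time: int) -> bool:
    """Constant-time comparison against each step in the drift window."""
    ok = False
    for drift in range(-TOTP_WINDOW, TOTP_WINDOW + 1):
        expected = totp(seed, unix_time + drift * TOTP_STEP)
        ok |= hmac.compare_digest(expected, candidate)
    return ok


def authenticate(username: str, combined_password: str, unix_time=None):
    """Validate an inner EAP-TTLS password that must already carry the OTP.
    Returns (accepted, reason)."""
    if unix_time is None:
        unix_time = int(time.time())
    user = USERS.get(username)
    if user is None:
        return False, "unknown user"
    parts = split_password_and_token(combined_password)
    if parts is None:
        # No token appended: the server cannot prompt for one over EAP-TTLS,
        # so the attempt fails outright (cf. the 'missing token' error).
        return False, "missing token"
    password, token = parts
    submitted_hash = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(submitted_hash, user["password_hash"]):
        return False, "bad password"
    if not verify_totp(user["totp_seed"], token, unix_time):
        return False, "bad token"
    return True, "ok"


if __name__ == "__main__":
    now = int(time.time())
    code = totp(USERS["alice"]["totp_seed"], now)
    print(authenticate("alice", "CorrectHorse!" + code, now))   # (True, 'ok')
    print(authenticate("alice", "CorrectHorse!", now))          # (False, 'missing token')
```

Because the split is by fixed length rather than a separator, a static password that itself ends in six digits will have those digits consumed as the token when the user forgets to append one, and the attempt then fails with "bad password" instead of "missing token"; that is a limitation of the append-to-password approach worth knowing when troubleshooting. In the real deployment this logic lives on the RADIUS/token server; the FortiGate only relays the EAP exchange between FortiClient and that server.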

** More information may be found here: Technical Tip: Multi-Factor Authentication support for Windows FortiClient with LDAP (EAP-TTLS).

Related articles:

Technical Tip: FortiOS IKEv2 EAP user authentication operation

Technical Tip: A guide to Dial-Up IPSec VPN Authentication and Policy Matching