Debbie_FTNT
Staff & Editor
Article Id 420733
Description

This article gives a simple overview of IPSec VPN configuration. It aims to show at a glance whether a particular combination of IKE version, user authentication method, two-factor options, and FortiGate/FortiClient firmware version is functional.

Scope

FortiGate, FortiClient.

Solution

IPSec VPN is one of the two options FortiGate offers for a tunnel-mode VPN. With tunnel-mode SSLVPN being phased out in v7.6, transitioning to IPSec VPN may seem daunting, especially since there are many different configuration options, and not all of them work with all FortiGate and/or FortiClient firmware versions.

The table below provides a brief overview of working configurations, along with the relevant caveats.

| IKE version & user authentication | FortiClient version | FortiGate version | Two-factor authentication | Notes |
|---|---|---|---|---|
| IKEv1, local (FortiGate)/LDAP/RADIUS user | Up to v7.4.3 | Any supported firmware | Any method on FortiGate or remote RADIUS | IKEv1 is no longer available starting FortiClient v7.4.4. IKEv1 does not support FortiToken Mobile push. |
| IKEv1, SAML user | No | No | No | SAML requires IKEv2 in the FortiGate/FortiClient setup. |
| IKEv2, local (FortiGate) user | Any supported firmware | Any supported firmware | Any method on FortiGate | IKEv2 supports FortiToken Mobile push starting v7.2.8. |
| IKEv2, RADIUS user | Any supported firmware | Any supported firmware | Any method on FortiGate or FortiAuthenticator; see the notes for the required FortiAuthenticator versions. | A one-time passcode prompt triggered by a third-party RADIUS server as a second factor is not supported.* The RADIUS server must support EAP-MSCHAPv2 or EAP-TTLS; EAP-TTLS is required if it acts as a proxy to a remote LDAP server.** |
| IKEv2, LDAP user | Starting v7.4.2 | Any supported firmware | Supported starting FortiClient v7.4.4 and FortiGate v7.4.9/v7.6.1 | FortiClient must use EAP-TTLS, which may impose 2FA limits.*** |
| IKEv2, SAML user | Starting v7.2.4 | Starting v7.2.0 | Any method provided by the SAML IdP or IdP proxy | Below FortiGate v7.4.9, only the internal browser on FortiClient is supported. |

Notes:

  • Depending on how FortiAuthenticator validates the user credentials (locally, or against a different remote server), it may require a specific EAP method, which may in turn impose limits on two-factor authentication.

    As an example, if a non-domain-joined FortiAuthenticator needs to verify the VPN user credentials against a remote LDAP server, EAP-TTLS must be used, and a token prompt is not supported. In this scenario, appending the token code to the user password can be used as a workaround, as outlined here: Technical Tip: How to resolve the 'EAP authentication failed due to missing token' error when using ....

    To enable token prompt support for Windows Active Directory users, see Technical Tip: Authenticating Active Directory users to FortiGate IKEv2 VPN with FortiToken MFA on F....
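As an added example that is not part of the original article, the following Python script encodes the version thresholds from the table and notes above as comparisons, so that a planned FortiGate/FortiClient/IKE/authentication combination can be checked before migrating away from tunnel-mode SSLVPN. The function names, the Result structure and the input conventions are this example's own, and it assumes that the "FortiToken Mobile push starting v7.2.8" note refers to the FortiGate firmware version, which the table does not state. It goes slightly beyond the table in one respect: the two LDAP two-factor thresholds (v7.4.9 and v7.6.1) are applied per firmware branch, so a FortiGate on v7.6.0 is reported as not supporting two-factor even though it is numerically above v7.4.9.

```python
"""Compatibility checker for the IKE version / authentication matrix above.

Added example, not part of the original article. Function names, the
Result structure and the input conventions are this example's own.
Assumption: the "FortiToken Mobile push starting v7.2.8" note is read as a
FortiGate firmware threshold; the article does not say which product.
"""
from dataclasses import dataclass, field


def parse_version(v: str) -> tuple[int, ...]:
    """'v7.4.3' -> (7, 4, 3). Missing trailing components count as 0."""
    nums = tuple(int(p) for p in v.lower().lstrip("v").split("."))
    return nums + (0,) * (3 - len(nums))


def at_least(v: str, minimum: str) -> bool:
    """Plain numeric comparison, used for rows with a single threshold."""
    return parse_version(v) >= parse_version(minimum)


def in_branch_at_least(v: str, *minimums: str) -> bool:
    """Per-branch comparison for rows that list one threshold per branch
    (e.g. v7.4.9/v7.6.1). Only the threshold for v's own major.minor branch
    applies, so v7.6.0 is NOT satisfied by the v7.4.9 threshold. Branches the
    table does not list are reported as not satisfied (conservative)."""
    ver = parse_version(v)
    for m in minimums:
        mv = parse_version(m)
        if ver[:2] == mv[:2]:
            return ver >= mv
    return False


@dataclass
class Result:
    supported: bool                      # does the combination work at all
    two_factor: str                      # short 2FA statement from the table
    caveats: list[str] = field(default_factory=list)


def check(ike: int, auth: str, forticlient: str, fortigate: str,
          external_browser: bool = False) -> Result:
    """Evaluate one row of the matrix for the given firmware versions.

    auth is one of: local, radius, ldap, saml. external_browser only
    matters for SAML (below FortiGate v7.4.9 only the internal browser works)."""
    auth = auth.lower()
    if ike == 1:
        if auth == "saml":
            return Result(False, "none",
                          ["SAML requires IKEv2 on both FortiGate and FortiClient"])
        if at_least(forticlient, "v7.4.4"):
            return Result(False, "none",
                          ["IKEv1 is no longer available starting FortiClient v7.4.4"])
        return Result(True, "any method on FortiGate or remote RADIUS",
                      ["IKEv1 does not support FortiToken Mobile push"])
    if ike != 2:
        raise ValueError("IKE version must be 1 or 2")

    if auth == "local":
        caveats = []
        if not at_least(fortigate, "v7.2.8"):   # assumed to be a FortiGate threshold
            caveats.append("FortiToken Mobile push requires v7.2.8 or later")
        return Result(True, "any method on FortiGate", caveats)

    if auth == "radius":
        return Result(True, "any method on FortiGate or FortiAuthenticator", [
            "RADIUS server must support EAP-MSCHAPv2 or EAP-TTLS",
            "EAP-TTLS is required when the RADIUS server proxies to a remote LDAP server",
            "A one-time passcode prompt triggered by a third-party RADIUS server is not supported",
        ])

    if auth == "ldap":
        if not at_least(forticlient, "v7.4.2"):
            return Result(False, "none",
                          ["IKEv2 with LDAP users requires FortiClient v7.4.2 or later"])
        caveats = ["FortiClient must use EAP-TTLS, which may impose 2FA limits"]
        if at_least(forticlient, "v7.4.4") and in_branch_at_least(fortigate, "v7.4.9", "v7.6.1"):
            return Result(True, "supported", caveats)
        caveats.append("2FA requires FortiClient v7.4.4 and FortiGate v7.4.9 or v7.6.1")
        return Result(True, "not supported", caveats)

    if auth == "saml":
        if not (at_least(forticlient, "v7.2.4") and at_least(fortigate, "v7.2.0")):
            return Result(False, "none",
                          ["IKEv2 SAML requires FortiClient v7.2.4+ and FortiGate v7.2.0+"])
        if external_browser and not at_least(fortigate, "v7.4.9"):
            return Result(False, "none",
                          ["Below FortiGate v7.4.9 only FortiClient's internal browser is supported"])
        return Result(True, "any method provided by the SAML IdP or IdP proxy", [])

    raise ValueError(f"unknown authentication method: {auth!r}")


if __name__ == "__main__":
    # Constructed sample plans: the 7.6.0 FortiGate is numerically above 7.4.9
    # but below the 7.6 branch threshold, so LDAP 2FA is reported unsupported.
    for combo in [(1, "local", "v7.4.3", "v7.4.8"),
                  (2, "ldap", "v7.4.4", "v7.6.0"),
                  (2, "ldap", "v7.4.4", "v7.6.1")]:
        print(combo, check(*combo))
```

The per-branch handling in in_branch_at_least is the part worth copying: whenever a release note gives a fix version for each maintained branch, a plain numeric "greater or equal" comparison against the lowest of them silently accepts the .0 release of the newer branch, which is exactly the build that does not carry the fix.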


Related articles:

Technical Tip: FortiOS IKEv2 EAP user authentication operation

Technical Tip: A guide to Dial-Up IPSec VPN Authentication and Policy Matching

Technical Tip: FortiOS IKEv2 Dialup VPN User and Multi-factor authentication resources