JordAnge
Staff
Article Id 405217
Description

This article describes how to resolve an authentication error that occurs when two-factor authentication with FortiToken Cloud is enabled for users connecting to a dial-up IPsec tunnel using IKEv2 on a FortiGate running in multi-VDOM mode.

Scope

FortiGate.
Solution

Configuration example (the tunnel, the user and the policy all live in VDOM "Teletrabajo"):

config vdom
    edit root
    next
    edit Teletrabajo
    next
end

config system interface
    edit "IPSec-Tele"
        set vdom "Teletrabajo"
        set type tunnel
        set interface "port1"
    next
end

config user local
    edit "rherreragg"
        set type password
        set two-factor fortitoken-cloud
        set email-to "******@******"
        set passwd ENC
    next
end

config user group
    edit "GG_IPSEC_Pruebas"
        set member "rherreragg"
    next
end

config vpn ipsec phase1-interface
    edit "IPSec-Tele"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set local-gw x.x.x.x
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256 aes256-sha512
        set dhgrp 15
        set eap enable
        set eap-identity send-request
        set ipv4-start-ip 172.26.144.1
        set ipv4-end-ip 172.26.159.254
        set dns-mode auto
        set ipv4-split-include "REDES_IPSEC"
        set save-password enable
        set psksecret ENC
    next
end

config firewall policy
    edit <id>
        set name "IPSEC_Tele"
        set srcintf "IPSec-Tele"
        set dstintf "mgmt2"
        set action accept
        set srcaddr "all"
        set dstaddr "Redes"
        set schedule "always"
        set service "ALL"
        set groups "GG_IPSEC_Pruebas"
    next
end

Authentication fails because the FortiGate sends the FortiToken Cloud push request (FCT-Push) through the wrong VDOM. The fnbamd debug output below shows the problem:

1753117595.629875: eap_comm_session_add 818 -- comm session added, ses_id=9
1753117595.629998: ep_fnbam_auth_wpa_user 464 -- svc_type='vpn-ikev2-tfa', user='rherreragg', vdom='Teletrabajo', intf='PJHA'
fnbam_add_groups 324 -- Adding user usergroup GG_IPSEC_Pruebas
ep_fnbam_auth_wpa_user 572 -- auth_res=4.
ep_fnbam_auth_wpa_user 592 --auth sess added, ses_id=153940396933126
[1993] handle_req-Rcvd auth_token push req 153940396933126 for eap_proxy
[2000] handle_req-Session to update timeout for ftm push is 1752433496105
[787] __rad_del_job_timer-
[1394] fnbamd_rads_eap_ftk_chal-Extend timer of EAP_PROXY to 60.
[2032] handle_req-Sending autopush msg to FAS, id:153940396933126 user:rherreragg, vdom:root

 

The debug output shows that the authentication request for the user is processed in VDOM 'Teletrabajo' (vdom='Teletrabajo'), but by the time fnbamd sends the FortiToken Mobile push to FortiToken Cloud, the vd_name of the request has become 'root' (vdom:root). The push is therefore issued from the wrong VDOM and the authentication does not complete.
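To confirm the same symptom on another unit, the fnbamd debug output can be checked mechanically: correlate the VDOM recorded on the 'ep_fnbam_auth_wpa_user' line with the VDOM on the 'Sending autopush msg to FAS' line for the same session id and flag any pair that differs. The following Python script is an added example written for this article, not Fortinet code; the regular expressions are derived from the log lines shown above, and the sample log embedded in it is constructed from those lines (trimmed to the fields the check needs).

```python
import re

# Constructed sample: the fnbamd debug lines from the article, trimmed to the
# lines that carry a user, a VDOM or a session id.
SAMPLE_LOG = """\
1753117595.629998: ep_fnbam_auth_wpa_user 464 -- svc_type='vpn-ikev2-tfa', user='rherreragg', vdom='Teletrabajo', intf='PJHA'
fnbam_add_groups 324 -- Adding user usergroup GG_IPSEC_Pruebas
ep_fnbam_auth_wpa_user 572 -- auth_res=4.
ep_fnbam_auth_wpa_user 592 --auth sess added, ses_id=153940396933126
[1993] handle_req-Rcvd auth_token push req 153940396933126 for eap_proxy
[2032] handle_req-Sending autopush msg to FAS, id:153940396933126 user:rherreragg, vdom:root
"""

# Line where fnbamd records the VDOM the authentication request belongs to.
AUTH_RE = re.compile(
    r"ep_fnbam_auth_wpa_user \d+ -- svc_type='(?P<svc>[^']*)', "
    r"user='(?P<user>[^']*)', vdom='(?P<vdom>[^']*)'"
)
# Line that assigns the session id to that request.
SESS_RE = re.compile(r"auth sess added, ses_id=(?P<ses>\d+)")
# Line where the push is handed to FortiToken Cloud, carrying its own VDOM.
PUSH_RE = re.compile(
    r"Sending autopush msg to FAS, id:(?P<ses>\d+) "
    r"user:(?P<user>[^,\s]+), vdom:(?P<vdom>\S+)"
)


def find_vdom_mismatches(log_text):
    """Return (session_id, user, auth_vdom, push_vdom) for every push whose
    VDOM differs from the VDOM of the authentication request it belongs to."""
    pending = None   # (user, vdom) of the latest auth request not yet tied to a session id
    sessions = {}    # session id -> (user, vdom) of the auth request
    mismatches = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            pending = (m["user"], m["vdom"])
            continue
        m = SESS_RE.search(line)
        if m and pending is not None:
            sessions[m["ses"]] = pending
            pending = None
            continue
        m = PUSH_RE.search(line)
        if m:
            user, auth_vdom = sessions.get(m["ses"], (m["user"], None))
            # A push for a session we never saw authenticated cannot be judged; skip it.
            if auth_vdom is not None and auth_vdom != m["vdom"]:
                mismatches.append((m["ses"], user, auth_vdom, m["vdom"]))
    return mismatches


if __name__ == "__main__":
    for ses, user, auth_vdom, push_vdom in find_vdom_mismatches(SAMPLE_LOG):
        print(f"session {ses}: user {user} authenticated in vdom '{auth_vdom}', "
              f"push sent from vdom '{push_vdom}'")
```

Run against the sample above it reports the single affected session (authenticated in 'Teletrabajo', push sent from 'root'); on a healthy unit, where both lines carry the same VDOM, it reports nothing. Feed it the saved output of the fnbamd application debug to check a live system.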

 

Workaround: Switch the IPsec tunnel configuration to IKEv1.

Fix: Upgrade to v7.6.4, v8.0.0 or above.

 

Related article:
Technical Tip: Using group based firewall policy for Dial-Up VPN to restrict network access
Technical Tip: Procedure to add multiple user group in XAUTH in dial-up IPsec VPN configuration