Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
pginete
Staff
Staff

Created on ‎10-09-2025 12:09 AM Edited on ‎11-04-2025 10:04 PM By Community Manager

Article Id 414466

Troubleshooting Tip: Dialup IPsec VPN with FortiToken fails to connect

Description

This article describes how to fix a dial-up IPsec VPN with FortiToken fails to connect.
Scope

FortiGate, FortiAuthenticator.
Solution

 

eap failed connecting.png

 

The user cannot connect to dial-up IPsec VPN with FortiToken and encountered ‘FortiClient Wrong Credentials EAP failed connecting’ error. While successful when connecting without FortiToken. Another error that commonly appear is 'EAPPasswordError':

 

04.png

 

05.png

 

The setup is a dial-up IPsec VPN IKEv2 using RADIUS authentication, where FortiGate is the RADIUS client while the FortiAuthenticator is the RADIUS server.

 

Enable ‘Allow OTP for EAP-MSCHAPv2 Authentication with FortiClient’ on the RADIUS Service policy of FortiGate on the FortiAuthenticator to fix these errors.

 

Allow OTP for EAP-MSCHAPv2 Authentication with FortiClient.png

 

MSCHAP2 is a prerequisite of this setup. 

 

Related articles:

Technical Tip: Authenticating users using MSCHAP2 PEAP
Technical Tip: Joining FortiAuthenticator in the active directory as a machine entity

 

318
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.