FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ssanga
Staff & Editor
Article Id 359665
Description This article describes an issue where an iOS native IPsec VPN user cannot connect to the VPN when two-factor authentication (2FA) is enabled for the user account.
Scope FortiGate v7.4.4.
Solution

When the iOS native IPsec VPN is configured on FortiGate and two-factor authentication is enabled for the user account, authentication fails even when the FortiToken code is correctly appended to the password (password+2FA).

The IKE and fnbamd debugs show FortiGate requesting the FortiToken code even though it is already appended to the password. Note that the local password check succeeds (auth_local-Success) before fnbamd returns FNBAM_NEED_TOKEN and IKE sends an XAUTH token request:

ike V=root:0:test-ipsec-vpn_0:0: received XAUTH_USER_NAME 'user01' length 6
ike V=root:0:test-ipsec-vpn_0:0: received XAUTH_USER_PASSWORD length 33
ike V=root:0:test-ipsec-vpn_0: XAUTH user "user01"
ike V=root:0:test-ipsec-vpn: auth group test-ios-users
ike V=root:0:test-ipsec-vpn_0: XAUTH 992384675841 pending
[1739] handle_req-Rcvd auth req 992384675841 for user01 in test-ios-users opt=00000000 prot=4 svc=2
[333] __compose_group_list_from_req-Group 'test-ios-users', type 1
[760] fnbamd_saml_auth_cache_lookup-Authneticating 'user01'.
[508] create_auth_session-Session created for req id 992384675841
[353] auth_local-started for user01
[150] fnbamd_local_user_create-vfid=0
[72] fnbamd_local_user_new-guest
[72] fnbamd_local_user_new-user01
[189] fnbamd_local_user_create-local user cache are created, vfid=0, total=2
[397] auth_local-Local password fetched, whatever result will be final
[403] auth_local-Success
[430] auth_local-Concluded: 0
[1833] handle_req-local auth is done with user 'user01', r=0

[895] update_auth_token_session-Token is needed
[775] auth_token_push-
[1878] handle_req-Two-factor token is needed
[1882] handle_req-r=7
[239] fnbamd_comm_send_result-Sending result 7 (nid 0) for req 992384675841, len=2592
ike V=root:0:test-ipsec-vpn_0:0: XAUTH 992384675841 result FNBAM_NEED_TOKEN
ike V=root:0:test-ipsec-vpn_0: XAUTH requires token for user "user01"
ike V=root:0:test-ipsec-vpn_0:0: sending XAUTH token request


This is known issue 1073995, resolved in v7.4.6 and v7.6.1:

Resolved issues 7.4.6
Resolved issues 7.6.1


As a workaround on affected versions, remove the saved password from the iOS VPN configuration (leave the 'Password' field blank). The client then prompts for the credentials when the VPN is connected, and the token prompt is shown.


[Screenshot 2FA-ios.png: iOS IPsec VPN configuration with the Password field left blank]


To confirm that the same issue is being hit, open a ticket with Fortinet TAC and provide the following:

  1. Output of the following CLI commands:

diagnose debug application ike -1
diagnose debug application fnbamd -1
diagnose debug console timestamp enable
diagnose debug enable
<reproduce the issue>
diagnose debug reset

  2. TAC report (execute tac report)
  3. Backup of the configuration
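To check a captured debug output for the signature described above before opening the ticket, the following script is an added example (not Fortinet's code) that parses the IKE/fnbamd lines quoted in this article. It assumes the message formats shown in the article; the sample input is a constructed, trimmed copy of that output, and the password-length test is a heuristic for "the token was already appended", since a short password with FNBAM_NEED_TOKEN is the normal token prompt:

```python
import re
from dataclasses import dataclass

# Constructed sample input: a trimmed copy of the IKE/fnbamd debug output quoted
# in this article, not a live capture. Replace it with your own debug output.
SAMPLE_DEBUG = """\
ike V=root:0:test-ipsec-vpn_0:0: received XAUTH_USER_NAME 'user01' length 6
ike V=root:0:test-ipsec-vpn_0:0: received XAUTH_USER_PASSWORD length 33
ike V=root:0:test-ipsec-vpn_0: XAUTH user "user01"
ike V=root:0:test-ipsec-vpn_0: XAUTH 992384675841 pending
[1739] handle_req-Rcvd auth req 992384675841 for user01 in test-ios-users opt=00000000 prot=4 svc=2
[353] auth_local-started for user01
[403] auth_local-Success
[1833] handle_req-local auth is done with user 'user01', r=0
[1878] handle_req-Two-factor token is needed
[239] fnbamd_comm_send_result-Sending result 7 (nid 0) for req 992384675841, len=2592
ike V=root:0:test-ipsec-vpn_0:0: XAUTH 992384675841 result FNBAM_NEED_TOKEN
ike V=root:0:test-ipsec-vpn_0:0: sending XAUTH token request
"""

# Only the message text is matched; the [nnnn] prefixes on fnbamd lines are
# source-line tags that differ between builds.
RE_USER = re.compile(r"received XAUTH_USER_NAME '([^']*)' length \d+")
RE_PASSWORD = re.compile(r"received XAUTH_USER_PASSWORD length (\d+)")
RE_PENDING = re.compile(r"XAUTH (\d+) pending")
RE_LOCAL_OK = re.compile(r"auth_local-Success")
RE_RESULT = re.compile(r"XAUTH (\d+) result (\S+)")


@dataclass
class XauthAttempt:
    user: str = ""
    password_len: int = 0     # length of the XAUTH password as received by IKE
    req_id: str = ""          # fnbamd request id that ties the IKE and fnbamd lines
    local_auth_ok: bool = False
    result: str = ""          # fnbamd result name reported by IKE, e.g. FNBAM_NEED_TOKEN


def parse_xauth(debug_text):
    """Group the debug lines into one XauthAttempt per XAUTH_USER_NAME seen."""
    attempts = []
    cur = None
    for line in debug_text.splitlines():
        if m := RE_USER.search(line):
            cur = XauthAttempt(user=m.group(1))
            attempts.append(cur)
            continue
        if cur is None:
            continue  # fnbamd chatter before any XAUTH exchange has started
        if m := RE_PASSWORD.search(line):
            cur.password_len = int(m.group(1))
        elif m := RE_PENDING.search(line):
            cur.req_id = m.group(1)
        elif RE_LOCAL_OK.search(line):
            cur.local_auth_ok = True
        elif (m := RE_RESULT.search(line)) and m.group(1) == cur.req_id:
            cur.result = m.group(2)
    return attempts


def matches_known_issue(attempt, token_len=6):
    """Heuristic for the symptom in this article: the local password check
    passed, fnbamd still answered FNBAM_NEED_TOKEN, and the submitted password
    was long enough to already carry an appended token of token_len digits
    (assumed 6, the FortiToken default). A short password with the same result
    is the normal 'enter your token' flow, not this issue."""
    return (attempt.local_auth_ok
            and attempt.result == "FNBAM_NEED_TOKEN"
            and attempt.password_len > token_len)


if __name__ == "__main__":
    for a in parse_xauth(SAMPLE_DEBUG):
        verdict = "matches" if matches_known_issue(a) else "does not match"
        print(f"req {a.req_id} user={a.user} pwlen={a.password_len} "
              f"local_ok={a.local_auth_ok} result={a.result}: {verdict}")
```

The script only narrows down whether the capture looks like this issue; the length check cannot tell a long password from a password with a token appended, so TAC still needs the full debug output, TAC report and configuration backup listed above.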