Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Dialup IPSec VPN with IKEv2 using Forticlient, Fortigate and FortiAuthenticatior

Dear All,


Hope you are doing good!


Current Scenario:

We are using forticlient for dialup ipsec vpn using IKEv1 with Two factor authentication.

FortiGate tunnels are authenticated via Radius (PAP) from FAC.

Forticlient ---> FortiGate -->(Radius)-> FortiAuthenticator


Forticlient version:  6.4

Fortigate:                  200E firware 6.4.3

FortiAuthenticator: 300F firware 6.3.2


Required Scenario:

we need to shift IKEv2 and do following changes in existing tunnel but tunnel didn't connect.

  • set ike-version 2
  • set eap enable
  • set eap-identity send-request

Radius B/w FG and FAC.

change authentication method from pap to MSCHAPv2 on FG and PEAP in FAC Radius Policies. (Radius connection Successful)



IKEv2 VPN successfully connect with local user on firewall.

found mismatch authentication method on FAC in debug logs.


If anyone have idea about this please guide.







Hey AD91,

If you're using MSCHAPv2 on FortiGate, you need to ensure FortiAuthenticator is joined to the domain, so it can send the hashed password to AD to cross-check; if FortiAuthenticator is not joined to the domain it can only authenticate local users via MSCHAPv2, remote users via PAP.


I would suggest the following:

- test VPN with a local user on FortiAuthenticator

-> that might require changing the RADIUS policy to use the local realm, not a remote realm

- join FortiAuthenticator to domain (


If you're still getting failures, can you provide the specific error message you get (beyond 'mismatched authentication method)?

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
New Contributor

Dear Debbie,


Good day to you!


Thanks for your quick response.

We have already tested your advised scenario with local user & local realm radius policies on FAC but failed to connect. FAC general logs and debug logs are attached for your reference.





appreciate your quick response.






Hey AD,

do you see that error 'unable to find matching authpolicy' after each VPN connection attempt?

From the way you took the screenshot, I can see that error, and underneath a new authentication attempt, but I don't know what the error belongs to, and what error the new authentication attempt might result in.

If you get that 'unable to find matching authpolicy' error throughout, that means there is no suitable RADIUS policy for that client and the authentication (EAP-TLS? MAB?) it wants to attempt.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
New Contributor

Dear Debbie,


Really appreciate your quick response,


I have checked my Radius policies and found no check on MAB & EAP-TLS, for this it means Forticlient is using EAP-TLS but we use PEAP on FAC.

If we enable certificate based authentication (EAP-TLS) on FAC, how it will work with forticlient dialup IPSec tunnel.





Hey AD,


if you switch to EAP-TLS on FortiAuthenticator (or create a new RADIUS policy with EAP-TLS instead), FortiAuthenticator should then try to confirm the client certificate; this setup is a bit more complex on FortiAuthenticator.

For 802.1x authentication you would have to import remote users (from AD for example) and define certificate bindings:

-> define what certificate subject is expected (the user's CN, or DN, or sAMAccountName, or mail, or whatever)

-> define what CA should have signed the user's certificate

--> you might have to import the CA as remote CA to FortiAuthenticator so that the Authenticator trusts it

More details on EAP-TLS in FortiAuthenticator:
this is a somewhat older article, but aside from RADIUS policy/profile the setup should be identical.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
New Contributor

After struggling with attempting to get this configured myself recently, I was able to finally get it working. Initially we were on FortiAuthenticator 6.4.4 which had an unlisted bug that was noted and resolved in FortiAuthenticator 6.4.6. The bug in question is 846732 with description '2FA support for FortiClient IKEv2 VPN is broken.'.


We now have a working dial-up IKEv2 IPsec VPN using FortiClient/EMS, FortiGate, and FortiAuthenticator.


I just wanted to post this in the event anyone finds this and is on an affected version of code for the bug.

Top Kudoed Authors