Hello,
In Forticlient VPN for Linux (Ubuntu 22.04), the IPsec VPN tab does not appear.
How can I connect Forticlient VPN IPSEC on Linux?
Currently, the FortiClient for Linux does not support IPSEC in the client, you would need to set it up natively on the Linux computer. Here is a tech article that talks about this:
It's a shocker to me that this is the case (is it still the case in April 2024?).
Just trying to configure FortiClient Version 7.2.4.0809 on Ubuntu 22, and it seems that the only option is SSL VPN if you want to use the CLI.
Is there a reason as to why this functionality is not available?
Why would I need to use strongSwan for that (I was so sure that it would be a slick experience from Fortinet, and then I bumped into this...)?
Yeah, I also learned about this the hard way. I am thinking of setting up a pfSense VM or appliance and configuring a gateway-to-gateway IPsec tunnel; then I can use whatever OS I want. pfSense to the rescue once again.
I have the same problem. Do you have an example of how to connect from the CLI on Linux?
Thanks!
What command line are you talking about? Could you help me?
Thanks!
After a bit of research I managed to find a way to connect to my IPsec FortiGate with FortiToken; this is how I do it:
First, install libreswan.
Then edit `/etc/ipsec.conf` and adapt this config with your info:
```
# libreswan ipsec.conf: parameter lines must be indented under their section header
config setup
    uniqueids=no
    ikev1-policy=accept

conn fortigate
    ikev2=no
    ike=aes256-sha256;modp1536
    esp=aes256-sha1;modp1536
    authby=secret
    pfs=yes
    auto=add
    left=%defaultroute
    leftid=LOCAL_REMOTE_IP
    leftxauthusername=FORTINET_USERNAME
    rightsubnet=0.0.0.0/0
    right=FORTIGATE_PUBLIC_IP
    rightid=FORTIGATE_LOCAL_IP
    rightxauthserver=yes
    leftxauthclient=yes
    rightmodecfgserver=yes
    leftmodecfgclient=yes
    modecfgpull=yes
    nm-configured=yes
    aggrmode=yes
    ikelifetime=86400s
    salifetime=43200s
    dpddelay=20s
    dpdtimeout=60s
    nat-ikev1-method=rfc
    esn=either
    nopmtudisc=yes
    remote-peer-type=cisco
    nat-keepalive=no
```
If you don't know your FORTIGATE_LOCAL_IP, comment out the line; the IP will be shown in the log (the rightid has to be the same on both sides).
If you don't know your LOCAL_REMOTE_IP, don't specify it and then use `ip xfrm state` to find it.
Then you have to edit the `/etc/ipsec.secrets` file like this:
```
%any : PSK "YOUR_PSK"
# the username here must match leftxauthusername in ipsec.conf
@VPN_USERNAME : XAUTH "YOUR_PASSWORD_FORTITOKEN"
```
So if your password is toto_123 and the FortiToken is currently 234789, then the password is toto_123234789.
You will have to modify it each time you want to connect to your VPN, since the FortiToken is dynamic.
Then run `sudo systemctl restart ipsec`.
If there are errors, check `journalctl -xeu ipsec.service`; the logs are pretty clear.
Then run `sudo ipsec up fortigate`, since the conn is named fortigate in our conf.
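Since the secrets file has to be rewritten before every connection, here is an added helper script (not from the post above, not Fortinet's or libreswan's code) that renders the two-line ipsec.secrets shown in the post, validates the one-time code, writes the file with owner-only permissions, and brings up the `fortigate` conn. It assumes the ipsec.conf from the post is already in place, that FortiToken codes are 6 digits, and that the PSK and password contain no double quotes.

```shell
#!/bin/sh
# Added example: rebuild /etc/ipsec.secrets for libreswan XAUTH + FortiToken.
# Assumes the "conn fortigate" from the post is already in /etc/ipsec.conf.

# A FortiToken code is assumed to be exactly 6 digits (adjust if yours differ).
valid_otp() {
    case "$1" in
        [0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print ipsec.secrets content: the XAUTH secret is the static password
# immediately followed by the current one-time code, as described in the post.
# Args: PSK, XAUTH username (must match leftxauthusername), password, OTP.
render_secrets() {
    psk=$1; user=$2; password=$3; otp=$4
    valid_otp "$otp" || { echo "OTP must be 6 digits" >&2; return 1; }
    printf '%%any : PSK "%s"\n@%s : XAUTH "%s%s"\n' "$psk" "$user" "$password" "$otp"
}

# Write the secrets file atomically with mode 0600 (it holds a PSK and a
# password), then restart libreswan and bring the tunnel up. Run as root.
connect_fortigate() {
    psk=$1; user=$2; password=$3; otp=$4
    secrets=${IPSEC_SECRETS:-/etc/ipsec.secrets}   # override path for testing
    umask 077
    render_secrets "$psk" "$user" "$password" "$otp" > "$secrets.tmp" || return 1
    mv "$secrets.tmp" "$secrets"
    systemctl restart ipsec
    ipsec up fortigate
}
```

Source the script and call `connect_fortigate "$PSK" FORTINET_USERNAME "$PASSWORD" 234789` as root each time the token changes; a wrong-length code is rejected before anything is written.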
It seems that Fortinet currently does NOT support any way of using Multi-Factor Authentication (MFA or 2FA) to establish an IPsec VPN connection between a Linux client and a FortiGate firewall.
On Windows, Fortinet does support this, via the IPsec tab in FortiClient VPN. This tab, however, is NOT shown on Linux clients.
Though one can use strongSwan to establish a VPN connection with a FortiGate firewall, it's more difficult if one wishes to use SAML. To sidestep that issue, one might use other forms of authentication for network administrators who use Linux, like a certificate. But if one has strict MFA/2FA security requirements (which might be provided via SAML), it's more difficult to satisfy this requirement for network administrators who use strongSwan on Linux to establish the VPN connection.
Possible solution to use MFA/2FA with IPsec VPN on Linux:
One could use a hardware authentication device (like YubiKey) to store a certificate, and use it to supply the client certificate during VPN authentication, for example using strongSwan with the pkcs11 plugin.
But strictly speaking, it's not MFA/2FA, as it's still just one factor (a certificate on the hardware device).
But this can be solved:
To make this strict MFA/2FA, we can protect the certificate with a passphrase. You can set the passphrase in FortiGate when adding a PKI user. Also, when using strongSwan on Linux, you can configure the daemon to prompt for a passphrase. This passphrase is used by strongSwan to decrypt the RSA private key from the hardware device (like YubiKey). The RSA private key is then used to establish the VPN connection. (This also works for ECDSA private keys.)
Then we can truly say that we are adhering to strict MFA/2FA requirements, meaning we authenticate using both 'something we know' (password) and 'something we have' (client certificate on the hardware security device).
Screenshot:
Here's where we can enable 2FA (two-factor authentication) for a PKI user (which authenticates using a client certificate that was signed by the chosen CA certificate).