Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- RE: IPsec VPN with Fortitoken and iPad/iPhone
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IPsec VPN with Fortitoken and iPad/iPhone
I was wondering if anyone has any experience with using IPsec VPNs in combination with Fortitokens on iPads or iPhones? (I can successfully connect using a simple username+password combo via the builtin Cisco client on iOS.)
This paragraph from the MR3 " what' s new" section seems relevant:
When FortiToken is used in a third-party IPsec client configuration, each user that has two-factor authentication enabled and configured must use the token password code when only a password is supported to gain access. This authentication using only a password is not supported when the password and token password code are sent in CHAP or MS-CHAP form, and the local user is authenticated using a remote server. This is because FortiOS is unable to extract back both the password and the token password code.Based on the quoted paragraph, I' m not sure if users' passwords+OTP is used in the password field or if the OTP is used exclusively instead of the users' regular passwords. In my case, the users' passwords are verified using LDAP. I' m also potentially interested in using certificates in lieu of passwords but still require the Fortitoken, if that' s possible. Thanks!
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just to update everyone--
Fortitokens work just fine from an iPad. The user must supply his/her password with the token immediately after the password. The user' s password can be verified against a LDAP server.
I only wish the iPad would remember the user' s password but bring up the prompt anyway so that only the code needed to be added. Nonetheless, I' m overall pleased with the experience.
I haven' t tested certificates on the iPad at all yet.
I also hope that Fortinet will one day supply a SSL VPN app. Some vendors apparently already do.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is this still correct?
I tried it and couldn' t connect with password+FortiToken. I can connect just with password though.
So, if my password is " apple" and my FortiToken code is " 123 456" I have to enter the password " apple123456" without quotation marks?
Edit: I only use local users...
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, you have the right format. I' m not sure why it' s not working for you. My setup on 4.3.5 is still working great.
You do have an actual hardware token, right? It doesn' t work if you' re trying to send the code via e-mail (although this works fine for the SSL VPN).
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, it' s a hardware token. I press the button before trying to log-in so I can see, if I have enough time to enter the code though. If the token nearly expired I wait for the next one and then switch the IPSec connection on the iPod on.
I also tried to change the password from just numbers to just letters, didn' t help.
By 4.3.5 you mean v4.0,build 0513,120130 (MR3 Patch 5)?
My router is the FortiGate 51B. Is this relevant? There is the FW Version FG50BH-4.00-FW-build513-120130 active though...
It seems it' s the firmware for a FortiGate 50B? I don' t do the updates so I will also ask the admin for details.
EDIT: Just some errors...
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, you have the right format. I' m not sure why it' s not working for you. My setup on 4.3.5 is still working great. You do have an actual hardware token, right? It doesn' t work if you' re trying to send the code via e-mail (although this works fine for the SSL VPN).Hi nothingel, i have the same problem as kogan... Can you confirm that you can build up an IPSec tunnel between a FG and an iPad with the build-in VPN client? If so, can you send us an configuration example? Fortinet Support told me that this is not possible... Many thanks, Sylvia
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do the tokens work with " admin" accounts? Or perhaps SSL VPN? I suggest trying these since they' re more straight-forward than the IPsec VPN setup, IMHO.
The outcome should help determine if the token setup is at fault or not.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am surprised (or not) that Fortinet says it' s not possible. Have you checked the Knowledgebase? There' s a couple of entries about iPhone IPsec configuration. Just search for " iphone" .
Yes, my setup definitely works using the native " Cisco" IPsec client on iOS and a Fortigate. Fortinet' s hardware token also works.
Here' s a phase1 config:
edit " tun-dialup"
set type dynamic
set interface " wan1"
set dhgrp 2
set keylife 3600
set peertype dialup
set xauthtype auto
set mode aggressive
set mode-cfg enable
set proposal aes256-sha1
set negotiate-timeout 15
set authusrgrp " IPsec-Xauth"
set usrgrp " IPsec-PSKs"
set ipv4-start-ip 10.0.0.1
set ipv4-end-ip 10.0.0.15
set dns-mode auto
set domain " domain.com"
set banner " This is the optional banner"
set keepalive 60
set dpd-retryinterval 30
next
And here' s phase2 (yes, the names are the same, but it doesn' t matter)
edit " tun-dialup"
set keepalive enable
set phase1name " tun-dialup"
set proposal aes256-sha1
set route-overlap allow
set dhgrp 2
next
With the config above, you' ll need two sets of users, one in the " IPsec-PSKs" group and another in the " IPsec-Xauth" group. The IPsec-PSKs group contains the individual keys used by each device. You could share a single key among all devices but I don' t recommend it beyond testing. The IPsec-Xauth group is the standard username/password which could be local users/passwords or a server-based backend like LDAP.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,706 -
FortiClient
1,766 -
5.2
801 -
FortiManager
729 -
5.4
639 -
FortiAnalyzer
558 -
FortiSwitch
475 -
FortiAP
473 -
FortiClient EMS
434 -
6.0
416 -
5.6
362 -
FortiMail
318 -
6.2
251 -
SSL-VPN
246 -
FortiAuthenticator v5.5
234 -
IPsec
210 -
FortiWeb
205 -
5.0
196 -
FortiNAC
190 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiAuthenticator
104 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
97 -
FortiToken
92 -
Firewall policy
82 -
Customer Service
79 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
52 -
vlan
51 -
ZTNA
49 -
Routing
46 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
41 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
Certificate
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
SSO
33 -
Interface
31 -
VDOM
30 -
FortiConnect
29 -
FortiLink
29 -
FortiWAN
27 -
Web profile
27 -
Application control
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
Virtual IP
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
FortiGate-VM
13 -
SNMP
13 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
API
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1713 | |
| 1093 | |
| 752 | |
| 447 | |
| 231 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.