Fortinet Document Library
Version: 5.2.0

IPsec VPN with two-factor authentication

In this recipe, two-factor authentication is added to a user account to provide extra security when connecting to an IPsec VPN using FortiClient (macOS).

Two-factor authentication requires a user to authenticate twice before being allowed to access the IPsec VPN. In this recipe, the FortiToken Mobile app for iOS provides a six-digit one-time password (OTP) that you must enter at a second authentication prompt.

This recipe assumes that you have already activated FortiToken Mobile.

This recipe consists of the following steps:

  1. Create a user and user group.
  2. Add a firewall address for the LAN.
  3. Configure the IPsec VPN connection.
  4. Create a security policy for VPN access to the Internet.
  5. Send the FortiToken activation code to the user.
  6. Set up FortiToken Mobile on an iOS device.
  7. Configure FortiClient (macOS).

To create a user and user group:
  1. In FortiOS, go to User & Device > User > User Definition. Create a new local user using the user creation wizard.
  2. On the Login Credentials tab, enter the user's login credentials. This example simply creates a local user.

  3. On the Contact Info tab, select SMS. In the Phone Number field, enter a phone number without dashes or spaces. This example uses SMS to send an activation code to the user. Even if your FortiGate cannot send SMS messages, you must include a phone number. Do not add an email address.

  4. On the Extra Info tab, select the FortiToken assigned to this user. Click Create. The user list shows the FortiToken in the Two-factor Authentication column for the new user account.

  5. Go to User & Device > User > User Groups.
  6. Create a user group for the remote users and add the user that you just created.

To add a firewall address for the LAN:
  1. In FortiOS, go to Policy & Objects > Objects > Addresses.
  2. Create a firewall address for your LAN's subnet.

To configure the IPsec VPN connection:
  1. In FortiOS, go to VPN > IPsec > Wizard.
  2. Enter the VPN connection name.
  3. From the Local Interface dropdown list, select the internal interface. In the example, this is port1. From the Local Address dropdown list, select the LAN address.
  4. In the Client Address Range field, enter an IP range for VPN users. Click Next.

  5. Configure client options as desired. Click Create.

To create a security policy for VPN access to the Internet:
  1. In FortiOS, go to Policy & Objects > Policy > IPv4.
  2. Create a security policy that allows remote users to access the Internet securely through the FortiGate unit. Configure the policy as follows:
    1. From the Incoming Interface dropdown list, select the tunnel interface. From the Source Address dropdown list, select all. From the Source User(s) dropdown list, select the new user group.
    2. From the Outgoing Interface dropdown list, select your Internet-facing interface. From the Destination Address dropdown list, select all.
    3. Ensure that NAT is enabled.

To send the FortiToken activation code to the user:

Do one of the following:

  1. If your FortiGate can send SMS messages, go to User & Device > User > User Definition. Edit the new user account. Select Send Activation Code and send the code by SMS.
  2. If your FortiGate cannot send SMS messages, go to System > Dashboard > Status. Enter the following commands in the CLI console, using your FortiToken serial number:

    config user fortitoken
    edit <serial_number>
    show

    The output displays the activation code. Give this code to the user.


To set up FortiToken Mobile on an iOS device:
  1. On an iOS device, download and install FortiToken Mobile.
  2. Open the app and add a new account. Select Enter Manually, then select Fortinet under FORTINET ACCT.
  3. In the Key field, enter the activation code. FortiToken Mobile can now generate a token for use with the FortiGate.
  4. (Optional) For additional security, set a PIN for FortiToken Mobile using the app's Settings options.

To configure FortiClient (macOS):
  1. On a macOS device, download and install FortiClient (macOS).
  2. In FortiClient, on the Remote Access tab, select Add a new connection.
  3. Enter the desired connection name, and set Type to IPsec VPN.
  4. In the Remote Gateway field, enter the FortiGate IP address.
  5. Select Pre-Shared Key from the Authentication Method dropdown list. In the Pre-Shared Key field, enter the key.
  6. Select the newly created tunnel, enter the username and password, and click Connect.
  7. FortiClient prompts you to enter your code from FortiToken Mobile. In the Answer field, enter the code. Once your code has been verified, the IPsec VPN connection is established.
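The FortiGate-side steps above (user with FortiToken two-factor authentication, user group, LAN address and the Internet-access policy) can also be entered from the CLI, which is useful for scripting the change or for checking that the GUI wizard produced what you expect. This is an added example, not part of the original recipe; the user name, group name, phone number, LAN subnet, WAN interface name, placeholder password, FortiToken serial and tunnel interface name are assumptions, and the IPsec tunnel itself is assumed to have been created by the wizard as in step 3.

```fortios
# Local user with a FortiToken bound to it. Only a phone number is set,
# matching the recipe's note to leave the email address empty.
config user local
    edit "vpnuser"
        set type password
        set passwd "<placeholder_password>"
        set sms-phone "15551234567"
        set fortitoken "<FortiToken_serial>"
        set two-factor fortitoken
    next
end

# Group that the security policy and the tunnel's XAuth settings refer to.
config user group
    edit "vpn_users"
        set member "vpnuser"
    next
end

# Firewall address for the LAN subnet (assumed 192.168.1.0/24).
config firewall address
    edit "LAN_subnet"
        set subnet 192.168.1.0 255.255.255.0
    next
end

# Policy from the tunnel interface to the Internet-facing interface.
# Restricting "groups" to vpn_users means a remote peer that authenticates
# as a user outside the group gets no Internet access through this policy.
config firewall policy
    edit 0
        set name "vpn_to_internet"
        set srcintf "<tunnel_interface_name>"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set groups "vpn_users"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

After applying the configuration, "show user local vpnuser" should list two-factor set to fortitoken and the serial you assigned, which is the quickest way to confirm that the second authentication prompt will actually be enforced for that account.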
