IPsec VPN with two-factor authentication
In this recipe, two-factor authentication is added to a user account to provide extra security when connecting to an IPsec VPN using FortiClient (macOS).
Two-factor authentication requires a user to authenticate twice before being allowed to access the IPsec VPN. In this recipe the FortiToken Mobile app for iOS provides a one-time password (OTP) (a six-digit number) that you must enter at a second authentication prompt.
This recipe assumes that you have already activated FortiToken Mobile.
This recipe consists of the following steps:
- Create a user and user group.
- Add a firewall address for the LAN.
- Configure the IPsec VPN connection.
- Create a security policy for VPN access to the Internet.
- Send the FortiToken activation code to the user.
- Set up FortiToken Mobile on an iOS device.
- Configure FortiClient (macOS).
- In FortiOS, go to User & Device > User > User Definition. Create a new local user using the user creation wizard.
- On the Login Credentials tab, enter the user's login credentials. This example simply creates a local user.
- On the Contact Info tab, select SMS. In the Phone Number field, enter a phone number without dashes or spaces. This example uses SMS to send an activation code to the user. Even if your FortiGate cannot send SMS messages, you must include a phone number. Do not add an email address.
- On the Extra Info tab, select the FortiToken assigned to this user. Click Create. The user list shows the FortiToken in the Two-factor Authentication column for the new user account.
- Go to User & Device > User > User Groups.
- Create a user group for the remote users and add the user that you just created.
- In FortiOS, go to Policy & Objects > Objects > Addresses.
- Create a firewall address for your LAN's subnet.
- In FortiOS, go to VPN > IPsec > Wizard.
- Enter the VPN connection name.
- From the Local Interface dropdown list, select the internal interface. In the example, this is port1. From the Local Address dropdown list, select the LAN address.
- In the Client Address Range field, enter an IP range for VPN users. Click Next.
- Configure client options as desired. Click Create.
- In FortiOS, go to Policy & Objects > Policy > IPv4.
- Create a security policy that allows remote users to access the Internet securely through the FortiGate unit. Configure the policy as follows:
- From the Incoming Interface dropdown list, select the tunnel interface. From the Source Address dropdown list, select all. From the Source User(s) dropdown list, select the new user group.
- From the Outgoing Interface dropdown list, select your Internet-facing interface. From the Destination Address dropdown list, select all.
- Ensure that NAT is enabled.
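The same FortiGate-side configuration (local user with FortiToken two-factor, user group, LAN address and the VPN-to-Internet policy) expressed in FortiOS CLI, as an added example that is not part of the original recipe; the user name, password, phone number, token serial, subnet and interface names are placeholders, and the tunnel interface is assumed to carry the VPN connection name given in the wizard.

```text
# Local user with FortiToken as the second factor (placeholder values)
config user local
    edit "vpnuser"
        set type password
        set passwd "<user-password>"
        set two-factor fortitoken
        set fortitoken "<FortiToken-serial-number>"
        set sms-server fortiguard
        set sms-phone "<phone-number-without-dashes-or-spaces>"
    next
end

# Group that the security policy will match on
config user group
    edit "vpn-users"
        set member "vpnuser"
    next
end

# Firewall address for the LAN subnet (placeholder subnet)
config firewall address
    edit "LAN"
        set subnet 192.168.1.0 255.255.255.0
    next
end

# Policy: tunnel interface -> Internet-facing interface, restricted to the VPN group, NAT enabled
config firewall policy
    edit 0
        set name "vpn-to-internet"
        set srcintf "<vpn-connection-name>"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set groups "vpn-users"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Because the policy matches on the group rather than on any source user, a successful tunnel login still requires the user to be a member of the group and to pass the FortiToken prompt before traffic is allowed.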
Do one of the following:
- If your FortiGate can send SMS messages, go to User & Device > User > User Definition. Edit the new user account. Select Send Activation Code and send the code by SMS.
- If your FortiGate cannot send SMS messages, go to System > Dashboard > Status. Enter the following commands in the CLI console, using your FortiToken serial number:
  config user fortitoken
  edit <FortiToken serial number>
  The output displays the activation code. You must give this code to the user.
- On an iOS device, download and install FortiToken Mobile.
- Open the app and add a new account. Select Enter Manually, then select Fortinet under FORTINET ACCT.
- In the Key field, enter the activation code. FortiToken Mobile can now generate a token for use with the FortiGate.
- (Optional) For additional security, set a PIN for FortiToken Mobile using the app's Settings options.
- On a macOS device, download and install FortiClient (macOS).
- In FortiClient, on the Remote Access tab, select Add a new connection.
- Enter the desired connection name, and set Type to IPsec VPN.
- In the Remote Gateway field, enter the FortiGate IP address.
- Select Pre-Shared Key from the Authentication Method dropdown list. In the Pre-Shared Key field, enter the key.
- Select the newly created tunnel, enter the username and password, and click Connect.
- FortiClient prompts you to enter your code from FortiToken Mobile. In the Answer field, enter the code. Once your code has been verified, the IPsec VPN connection is established.