IPsec VPN with FortiToken Mobile push MFA (7.2.5)
IPsec VPN now supports FortiToken Mobile push for multifactor authentication (MFA), which improves both security and user experience: the second factor is a push approval on the user's phone rather than a code typed by hand. Previously, IPsec VPN connections relied on single-factor authentication or on cumbersome manual MFA methods.
To configure IPsec VPN with FortiToken Mobile push MFA in FortiOS:
```
config user local
    edit "TokenUser"
        set type password
        set two-factor fortitoken-cloud
        set email-to "example123@gmail.com"
        set passwd-time 2024-07-18 06:20:44
        set passwd ENC +SkUbc+PGjQ8kLsVczQpnsnyknoAHxL6HRcNq9StK4ByvzQsFyL7TGLebxIxVj2YjfsNdPZFD4Buu4DfmEjvLsQAjePiwynhc4kWzLosEsbPVdEk5fxAqw/guv1eqijIcaNiL4bz6sgMFSlJiotI4bTYGuOzYfBPoLp82VppZz1YYCQ+wZkaPailJAaAiYvaARN7dQ==
    next
end
config user group
    edit "IPSEC"
        set member "TokenUser"
    next
end
config vpn ipsec phase1-interface
    edit "Azure"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set comments "VPN: Azure (Created by VPN wizard)"
        set dhgrp 14
        set authusrgrp "IPSEC"
        set eap enable
        set eap-identity send-request
        set ipv4-start-ip 192.168.1.1
        set ipv4-end-ip 192.168.1.255
        set dns-mode auto
        set save-password enable
        set client-auto-negotiate enable
        set client-keep-alive enable
        set psksecret ENC IdtpOOstic/GXm0KwTMjMVlhWoZIcHWPCM5RMfvk9Q7jLbgSwhHhkdyo35bMrNzdUglsq8saXNGM5fcnczNC1X9Yn1E3F3THUE5U+g1XoIgXJt98VoEs4ROYGZaCOQTBusqMgBmtmRGSY3kZVzgk+Ym+lCpEPaPvTLxmzXT5h7xl4MFMuOT+6v3cmb6Rz/xoq1zXFg==
    next
end
```
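The FortiGate side only enforces the second factor if every local user reachable through the phase1's `authusrgrp` has a `two-factor` method set, and the IKEv2 phase1 above pairs `set authusrgrp` with `set eap enable`. The following Python script is an added example, not Fortinet code: it parses the flat `config / edit / set / next / end` blocks shown above and reports local users in a VPN authentication group that have no second factor, plus IKEv2 phase1s that authenticate users without EAP. The embedded configuration is constructed; it mirrors the page's `TokenUser`, `IPSEC` and `Azure` objects, adds a hypothetical `LegacyUser` with MFA unset, and replaces the encrypted secrets with placeholders. The `MFA_METHODS` set is an assumption about which `two-factor` values count as a second factor.

```python
import shlex

# Values of "set two-factor" treated as a second factor (assumption; the page
# itself only shows fortitoken-cloud, the push method it describes).
MFA_METHODS = {"fortitoken", "fortitoken-cloud", "email", "sms"}

# Constructed sample: mirrors the page's TokenUser / IPSEC / Azure objects and
# adds a hypothetical LegacyUser with no second factor. Secrets are placeholders.
SAMPLE_CONFIG = """
config user local
    edit "TokenUser"
        set type password
        set two-factor fortitoken-cloud
        set email-to "example123@gmail.com"
        set passwd ENC PLACEHOLDER
    next
    edit "LegacyUser"
        set type password
        set passwd ENC PLACEHOLDER
    next
end
config user group
    edit "IPSEC"
        set member "TokenUser" "LegacyUser"
    next
end
config vpn ipsec phase1-interface
    edit "Azure"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set mode-cfg enable
        set comments "VPN: Azure (Created by VPN wizard)"
        set authusrgrp "IPSEC"
        set eap enable
        set eap-identity send-request
        set psksecret ENC PLACEHOLDER
    next
end
"""


def parse_fortios_cli(text):
    """Parse flat FortiOS CLI blocks into {table: {entry: {attribute: [values]}}}.
    Sub-tables (a 'config' nested inside an 'edit') are not needed for the
    objects on this page and are not handled."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        parts = shlex.split(raw.strip())  # honours the quoting FortiOS uses
        if not parts:
            continue
        cmd = parts[0]
        if cmd == "config":
            table = tables.setdefault(" ".join(parts[1:]), {})
        elif cmd == "edit":
            entry = table.setdefault(parts[1], {})
        elif cmd == "set":
            entry[parts[1]] = parts[2:]  # multi-value attributes keep every token
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            table = None
    return tables


def audit_vpn_mfa(tables):
    """Return (kind, phase1, detail) findings for phase1s that authenticate users."""
    findings = []
    users = tables.get("user local", {})
    groups = tables.get("user group", {})
    for p1name, p1 in tables.get("vpn ipsec phase1-interface", {}).items():
        auth_groups = p1.get("authusrgrp", [])
        if not auth_groups:
            continue  # tunnel does not authenticate users; nothing to check
        ikev2 = p1.get("ike-version", ["1"])[0] == "2"
        if ikev2 and p1.get("eap", ["disable"])[0] != "enable":
            findings.append(("eap-disabled", p1name, "ike-version 2 requires 'set eap enable'"))
        for grp in auth_groups:
            for member in groups.get(grp, {}).get("member", []):
                user = users.get(member)
                if user is None:
                    continue  # remote server (LDAP/RADIUS) or unknown member; skip
                method = user.get("two-factor", ["disable"])[0]
                if method not in MFA_METHODS:
                    findings.append(("no-mfa", p1name, member))
    return findings


if __name__ == "__main__":
    for finding in audit_vpn_mfa(parse_fortios_cli(SAMPLE_CONFIG)):
        print(*finding, sep=" | ")
```

Feed it the output of `show full-configuration` for the three tables and it reports `no-mfa | Azure | LegacyUser` for the constructed sample; the same check is a cheap guard against a user being added to the VPN group without a token.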
To configure IPsec VPN with FortiToken Mobile push MFA in EMS:
- In EMS, go to Endpoint Profiles > Remote Access.
- Select the desired profile.
- Click XML.
- Enter the following:
```xml
<ipsecvpn>
  <connections>
    <connection>
      <name>IPsecVPN_IKEv2</name>
      <uid>394B0149-2802-45FA-B50F-4A913F1DFA60</uid>
      <machine>0</machine>
      <keep_running>0</keep_running>
      <disclaimer_msg/>
      <single_user_mode>0</single_user_mode>
      <type>manual</type>
      <ui>
        <show_remember_password>1</show_remember_password>
        <show_alwaysup>1</show_alwaysup>
        <show_autoconnect>1</show_autoconnect>
        <show_passcode>0</show_passcode>
        <save_username>0</save_username>
      </ui>
      <redundant_sort_method>0</redundant_sort_method>
      <tags>
        <allowed/>
        <prohibited/>
      </tags>
      <host_check_fail_warning/>
      <ike_settings>
        <server>10.152.35.150</server>
        <authentication_method>Preshared Key</authentication_method>
        <fgt>1</fgt>
        <prompt_certificate>0</prompt_certificate>
        <xauth>
          <use_otp>0</use_otp>
          <enabled>1</enabled>
          <prompt_username>1</prompt_username>
        </xauth>
        <version>2</version>
        <mode>aggressive</mode>
        <key_life>86400</key_life>
        <localid>666</localid>
        <implied_SPDO>0</implied_SPDO>
        <implied_SPDO_timeout>0</implied_SPDO_timeout>
        <nat_traversal>1</nat_traversal>
        <nat_alive_freq>5</nat_alive_freq>
        <enable_local_lan>1</enable_local_lan>
        <enable_ike_fragmentation>1</enable_ike_fragmentation>
        <mode_config>1</mode_config>
        <dpd>1</dpd>
        <run_fcauth_system>1</run_fcauth_system>
        <sso_enabled>0</sso_enabled>
        <ike_saml_port>443</ike_saml_port>
        <dpd_retry_count>3</dpd_retry_count>
        <dpd_retry_interval>5</dpd_retry_interval>
        <auth_data>
          <preshared_key>Enc 7a13f86261e1942ef978d6ba263d88e96e69f69e26f832f0c9c53d08f584</preshared_key>
        </auth_data>
        <xauth_timeout>120</xauth_timeout>
        <dhgroup>14</dhgroup>
        <proposals>
          <proposal>AES128|SHA1</proposal>
          <proposal>AES256|SHA256</proposal>
        </proposals>
      </ike_settings>
      <ipsec_settings>
        <remote_networks>
          <network>
            <addr>0.0.0.0</addr>
            <mask>0.0.0.0</mask>
          </network>
          <network>
            <addr>::/0</addr>
            <mask>::/0</mask>
          </network>
        </remote_networks>
        <dhgroup>14</dhgroup>
        <key_life_type>seconds</key_life_type>
        <key_life_seconds>43200</key_life_seconds>
        <key_life_Kbytes>5200</key_life_Kbytes>
        <replay_detection>1</replay_detection>
        <pfs>1</pfs>
        <use_vip>1</use_vip>
        <virtualip>
          <type>modeconfig</type>
          <ip>0.0.0.0</ip>
          <mask>0.0.0.0</mask>
          <dnsserver>0.0.0.0</dnsserver>
          <winserver>0.0.0.0</winserver>
        </virtualip>
        <proposals>
          <proposal>AES128|SHA1</proposal>
          <proposal>AES256|SHA256</proposal>
        </proposals>
      </ipsec_settings>
      <android_cert_path/>
      <warn_invalid_server_certificate>1</warn_invalid_server_certificate>
      <on_connect>
        <script>
          <os>windows</os>
          <script/>
        </script>
        <script>
          <os>MacOSX</os>
          <script/>
        </script>
        <script>
          <os>linux</os>
          <script/>
        </script>
      </on_connect>
      <on_disconnect>
        <script>
          <os>windows</os>
          <script/>
        </script>
        <script>
          <os>MacOSX</os>
          <script/>
        </script>
        <script>
          <os>linux</os>
          <script/>
        </script>
      </on_disconnect>
      <traffic_control>
        <enabled>0</enabled>
        <mode>1</mode>
      </traffic_control>
    </connection>
  </connections>
  <options>
    <enhanced_key_usage_mandatory>0</enhanced_key_usage_mandatory>
    <enabled>1</enabled>
    <no_dns_registration>0</no_dns_registration>
    <show_auth_cert_only>1</show_auth_cert_only>
    <disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
    <disable_default_route>0</disable_default_route>
    <use_win_local_computer_cert>1</use_win_local_computer_cert>
    <block_ipv6>0</block_ipv6>
    <use_win_current_user_cert>1</use_win_current_user_cert>
    <usesmcardcert>1</usesmcardcert>
    <check_for_cert_private_key>0</check_for_cert_private_key>
    <enable_udp_checksum>0</enable_udp_checksum>
    <uselocalcert>0</uselocalcert>
    <beep_if_error>0</beep_if_error>
    <usewincert>1</usewincert>
  </options>
</ipsecvpn>
```
- Save.
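A profile like the one above is pushed to every endpoint that gets the Remote Access profile, so it is worth linting before saving. The following Python script is an added example, not FortiClient or EMS code: it parses a profile with the same element layout and reports settings that weaken the IKEv2-with-MFA setup: a non-IKEv2 `version`, `xauth/enabled` turned off (no user authentication, so the push is never requested), DPD or PFS disabled, a DH group below 14, and proposals built on MD5, SHA1, DES or 3DES. The embedded profile is a constructed, trimmed copy of the page's connection that keeps only the elements the checks read; the thresholds (`MIN_DH_GROUP`, the weak-algorithm sets) are assumptions, not Fortinet recommendations. On the page's own values it flags `AES128|SHA1` in both proposal lists; the FortiGate phase1 above offers no SHA1 proposal, so the IKE entry can never be negotiated, while the phase2 proposals are not shown on the page, so the IPsec-side entry may still be selectable.

```python
import xml.etree.ElementTree as ET

# Assumptions about what counts as weak; adjust to local policy.
WEAK_CIPHERS = {"DES", "3DES"}
WEAK_HASHES = {"MD5", "SHA1"}
MIN_DH_GROUP = 14

# Constructed sample: a trimmed copy of the page's EMS profile keeping only the
# elements read below. The element layout matches a full profile.
SAMPLE_PROFILE = """<ipsecvpn>
  <connections>
    <connection>
      <name>IPsecVPN_IKEv2</name>
      <ike_settings>
        <server>10.152.35.150</server>
        <authentication_method>Preshared Key</authentication_method>
        <xauth>
          <use_otp>0</use_otp>
          <enabled>1</enabled>
          <prompt_username>1</prompt_username>
        </xauth>
        <version>2</version>
        <dpd>1</dpd>
        <dhgroup>14</dhgroup>
        <proposals>
          <proposal>AES128|SHA1</proposal>
          <proposal>AES256|SHA256</proposal>
        </proposals>
      </ike_settings>
      <ipsec_settings>
        <dhgroup>14</dhgroup>
        <pfs>1</pfs>
        <proposals>
          <proposal>AES128|SHA1</proposal>
          <proposal>AES256|SHA256</proposal>
        </proposals>
      </ipsec_settings>
    </connection>
  </connections>
</ipsecvpn>
"""


def _text(node, path, default=""):
    """Stripped text of the first child matching path, or default if absent."""
    child = node.find(path)
    return child.text.strip() if child is not None and child.text else default


def lint_connection(conn):
    """Return (connection name, setting path, problem) tuples for one <connection>."""
    name = _text(conn, "name", "<unnamed>")
    findings = []
    if _text(conn, "ike_settings/version") != "2":
        findings.append((name, "ike_settings/version", "not IKEv2"))
    if _text(conn, "ike_settings/xauth/enabled") != "1":
        findings.append((name, "ike_settings/xauth/enabled",
                         "user authentication off; the MFA push is never requested"))
    if _text(conn, "ike_settings/dpd") != "1":
        findings.append((name, "ike_settings/dpd", "dead peer detection off"))
    if _text(conn, "ipsec_settings/pfs") != "1":
        findings.append((name, "ipsec_settings/pfs", "perfect forward secrecy off"))
    for section in ("ike_settings", "ipsec_settings"):
        group = int(_text(conn, f"{section}/dhgroup", "0"))
        if group < MIN_DH_GROUP:
            findings.append((name, f"{section}/dhgroup",
                             f"DH group {group} below {MIN_DH_GROUP}"))
        for prop in conn.findall(f"{section}/proposals/proposal"):
            # Proposals are written as CIPHER|HASH, e.g. AES256|SHA256.
            cipher, _, digest = (prop.text or "").strip().upper().partition("|")
            if cipher in WEAK_CIPHERS or digest in WEAK_HASHES:
                findings.append((name, f"{section}/proposals",
                                 f"weak proposal {prop.text.strip()}"))
    return findings


def lint_profile(xml_text):
    """Lint every <connection> under <connections> in an EMS IPsec profile."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.findall("connections/connection"):
        findings.extend(lint_connection(conn))
    return findings


if __name__ == "__main__":
    for finding in lint_profile(SAMPLE_PROFILE):
        print(*finding, sep=" | ")
```

Paste the XML from the EMS editor into a file and call `lint_profile()` on its contents; an empty result means none of the listed checks fired, not that the profile is otherwise sound.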
To test the configuration:
- On an endpoint that received the Remote Access profile, open the Remote Access tab in FortiClient and connect to the IPsec VPN tunnel as the VPN user that has MFA enabled.
- The user receives an activation code for FortiToken Mobile. After installing FortiToken Mobile and activating it with that code, the user approves the connection request pushed to the app.
FortiGate establishes the VPN connection and the user gains secure access to the corporate network. FortiClient displays that the connection succeeded. You can test the connection by pinging internal resources located behind the edge FortiGate.