
EMS Administration Guide

IPsec VPN with FortiToken Mobile push MFA

IPsec VPN now supports FortiToken Mobile push for multifactor authentication (MFA), which significantly improves security and user experience by providing a seamless, convenient, and robust authentication mechanism. Previously, IPsec VPN connection security relied on single-factor authentication or cumbersome manual MFA methods.

To configure IPsec VPN with FortiToken Mobile push MFA in FortiOS:
config user local
    edit "TokenUser"
        set type password
        set two-factor fortitoken-cloud
        set email-to "example123@gmail.com"
        set passwd-time 2024-07-18 06:20:44
        set passwd ENC +SkUbc+PGjQ8kLsVczQpnsnyknoAHxL6HRcNq9StK4ByvzQsFyL7TGLebxIxVj2YjfsNdPZFD4Buu4DfmEjvLsQAjePiwynhc4kWzLosEsbPVdEk5fxAqw/guv1eqijIcaNiL4bz6sgMFSlJiotI4bTYGuOzYfBPoLp82VppZz1YYCQ+wZkaPailJAaAiYvaARN7dQ==
    next
end
config user group
    edit "IPSEC"
        set member "TokenUser"
    next
end
config vpn ipsec phase1-interface
    edit "Azure"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set comments "VPN: Azure (Created by VPN wizard)"
        set dhgrp 14
        set authusrgrp "IPSEC"
        set eap enable
        set eap-identity send-request
        set ipv4-start-ip 192.168.1.1
        set ipv4-end-ip 192.168.1.255
        set dns-mode auto
        set save-password enable
        set client-auto-negotiate enable
        set client-keep-alive enable
        set psksecret ENC IdtpOOstic/GXm0KwTMjMVlhWoZIcHWPCM5RMfvk9Q7jLbgSwhHhkdyo35bMrNzdUglsq8saXNGM5fcnczNC1X9Yn1E3F3THUE5U+g1XoIgXJt98VoEs4ROYGZaCOQTBusqMgBmtmRGSY3kZVzgk+Ym+lCpEPaPvTLxmzXT5h7xl4MFMuOT+6v3cmb6Rz/xoq1zXFg==
    next
end
To configure IPsec VPN with FortiToken Mobile push MFA in EMS:
  1. In EMS, go to Endpoint Profiles > Remote Access.
  2. Select the desired profile.
  3. Click XML.
  4. Enter the following:

    <ipsecvpn>
      <connections>
        <connection>
          <name>IPsecVPN_IKEv2</name>
          <uid>394B0149-2802-45FA-B50F-4A913F1DFA60</uid>
          <machine>0</machine>
          <keep_running>0</keep_running>
          <disclaimer_msg/>
          <single_user_mode>0</single_user_mode>
          <type>manual</type>
          <ui>
            <show_remember_password>1</show_remember_password>
            <show_alwaysup>1</show_alwaysup>
            <show_autoconnect>1</show_autoconnect>
            <show_passcode>0</show_passcode>
            <save_username>0</save_username>
          </ui>
          <redundant_sort_method>0</redundant_sort_method>
          <tags>
            <allowed/>
            <prohibited/>
          </tags>
          <host_check_fail_warning/>
          <ike_settings>
            <server>10.152.35.150</server>
            <authentication_method>Preshared Key</authentication_method>
            <fgt>1</fgt>
            <prompt_certificate>0</prompt_certificate>
            <xauth>
              <use_otp>0</use_otp>
              <enabled>1</enabled>
              <prompt_username>1</prompt_username>
            </xauth>
            <version>2</version>
            <mode>aggressive</mode>
            <key_life>86400</key_life>
            <localid>666</localid>
            <implied_SPDO>0</implied_SPDO>
            <implied_SPDO_timeout>0</implied_SPDO_timeout>
            <nat_traversal>1</nat_traversal>
            <nat_alive_freq>5</nat_alive_freq>
            <enable_local_lan>1</enable_local_lan>
            <enable_ike_fragmentation>1</enable_ike_fragmentation>
            <mode_config>1</mode_config>
            <dpd>1</dpd>
            <run_fcauth_system>1</run_fcauth_system>
            <sso_enabled>0</sso_enabled>
            <ike_saml_port>443</ike_saml_port>
            <dpd_retry_count>3</dpd_retry_count>
            <dpd_retry_interval>5</dpd_retry_interval>
            <auth_data>
              <preshared_key>Enc 7a13f86261e1942ef978d6ba263d88e96e69f69e26f832f0c9c53d08f584</preshared_key>
            </auth_data>
            <xauth_timeout>120</xauth_timeout>
            <dhgroup>14</dhgroup>
            <proposals>
              <proposal>AES128|SHA1</proposal>
              <proposal>AES256|SHA256</proposal>
            </proposals>
          </ike_settings>
          <ipsec_settings>
            <remote_networks>
              <network>
                <addr>0.0.0.0</addr>
                <mask>0.0.0.0</mask>
              </network>
              <network>
                <addr>::/0</addr>
                <mask>::/0</mask>
              </network>
            </remote_networks>
            <dhgroup>14</dhgroup>
            <key_life_type>seconds</key_life_type>
            <key_life_seconds>43200</key_life_seconds>
            <key_life_Kbytes>5200</key_life_Kbytes>
            <replay_detection>1</replay_detection>
            <pfs>1</pfs>
            <use_vip>1</use_vip>
            <virtualip>
              <type>modeconfig</type>
              <ip>0.0.0.0</ip>
              <mask>0.0.0.0</mask>
              <dnsserver>0.0.0.0</dnsserver>
              <winserver>0.0.0.0</winserver>
            </virtualip>
            <proposals>
              <proposal>AES128|SHA1</proposal>
              <proposal>AES256|SHA256</proposal>
            </proposals>
          </ipsec_settings>
          <android_cert_path/>
          <warn_invalid_server_certificate>1</warn_invalid_server_certificate>
          <on_connect>
            <script>
              <os>windows</os>
              <script/>
            </script>
            <script>
              <os>MacOSX</os>
              <script/>
            </script>
            <script>
              <os>linux</os>
              <script/>
            </script>
          </on_connect>
          <on_disconnect>
            <script>
              <os>windows</os>
              <script/>
            </script>
            <script>
              <os>MacOSX</os>
              <script/>
            </script>
            <script>
              <os>linux</os>
              <script/>
            </script>
          </on_disconnect>
          <traffic_control>
            <enabled>0</enabled>
            <mode>1</mode>
          </traffic_control>
        </connection>
      </connections>
      <options>
        <enhanced_key_usage_mandatory>0</enhanced_key_usage_mandatory>
        <enabled>1</enabled>
        <no_dns_registration>0</no_dns_registration>
        <show_auth_cert_only>1</show_auth_cert_only>
        <disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
        <disable_default_route>0</disable_default_route>
        <use_win_local_computer_cert>1</use_win_local_computer_cert>
        <block_ipv6>0</block_ipv6>
        <use_win_current_user_cert>1</use_win_current_user_cert>
        <usesmcardcert>1</usesmcardcert>
        <check_for_cert_private_key>0</check_for_cert_private_key>
        <enable_udp_checksum>0</enable_udp_checksum>
        <uselocalcert>0</uselocalcert>
        <beep_if_error>0</beep_if_error>
        <usewincert>1</usewincert>
      </options>
    </ipsecvpn>

  5. Save.
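
The FortiGate phase1 and the EMS profile must agree on IKE version, DH group and at least one IKE proposal before the FortiToken push step is ever reached. The following Python check is an added example, not part of this guide or of any Fortinet tool: it parses trimmed copies of the two fragments above (constructed from the page's own values) and reports proposal mismatches, weak integrity algorithms, and version or DH group disagreements.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples, trimmed from the FortiOS phase1 block and EMS XML on this page.
FORTIOS_PHASE1 = """config vpn ipsec phase1-interface
    edit "Azure"
        set ike-version 2
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set dhgrp 14
    next
end"""
EMS_XML = """<ipsecvpn><connections><connection><name>IPsecVPN_IKEv2</name>
<ike_settings><version>2</version><dhgroup>14</dhgroup><proposals>
<proposal>AES128|SHA1</proposal><proposal>AES256|SHA256</proposal>
</proposals></ike_settings></connection></connections></ipsecvpn>"""

def fortios_setting(cfg, key):
    """Value of 'set <key> ...' in the phase1 block, or None if absent."""
    m = re.search(rf"^\s*set {re.escape(key)} (.+)$", cfg, re.MULTILINE)
    return m.group(1).strip() if m else None

def fortios_proposals(cfg):
    """'aes128-sha256 aes256-sha256 ...' -> {('AES128', 'SHA256'), ...}."""
    pairs = set()
    for tok in (fortios_setting(cfg, "proposal") or "").split():
        enc, _, integ = tok.partition("-")
        pairs.add((enc.upper(), integ.upper()))
    return pairs

def ems_proposals(root):
    """<proposal>AES256|SHA256</proposal> under <ike_settings> -> ('AES256', 'SHA256')."""
    pairs = set()
    for p in root.iterfind(".//ike_settings/proposals/proposal"):
        enc, _, integ = (p.text or "").strip().partition("|")
        pairs.add((enc.upper(), integ.upper()))
    return pairs

def check_profile(cfg, xml_text):
    """Compare the EMS profile against the FortiGate phase1 it must negotiate with."""
    root = ET.fromstring(xml_text)
    gw, client, findings = fortios_proposals(cfg), ems_proposals(root), []
    for enc, integ in sorted(client):
        if (enc, integ) not in gw:
            findings.append(f"{enc}|{integ} is not offered by the FortiGate")
        if integ in ("SHA1", "MD5"):
            findings.append(f"{enc}|{integ} uses a weak integrity algorithm")
    for xml_tag, cli_key in (("version", "ike-version"), ("dhgroup", "dhgrp")):
        if root.findtext(f".//ike_settings/{xml_tag}") != fortios_setting(cfg, cli_key):
            findings.append(f"{cli_key} differs between profile and FortiGate")
    return {"common": gw & client, "findings": findings}
```

Run against the fragments on this page, the check reports that only AES256|SHA256 is accepted by both sides, and that the profile's AES128|SHA1 entry is neither offered by the FortiGate nor a strong choice.
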
To test the configuration:
  1. On an endpoint that received the Remote Access profile configuration, on the Remote Access tab, connect to the IPsec VPN tunnel using the VPN user that has MFA enabled.

  2. The user receives an activation code for FortiToken Mobile. After installing FortiToken Mobile, approve the connection request.

    FortiGate establishes the VPN connection and the user gains secure access to the corporate network. FortiClient displays that the connection succeeded. You can test the connection by pinging internal resources located behind the edge FortiGate.