IPsec VPN with FortiToken Mobile push MFA
IPsec VPN now supports FortiToken Mobile push for multifactor authentication (MFA), which significantly improves security and user experience by providing a seamless, convenient, and robust authentication mechanism. Previously, IPsec VPN connection security relied on single factor authentication or cumbersome manual MFA methods.
To configure IPsec VPN with FortiToken Mobile push MFA in FortiOS:
config user local edit "TokenUser" set type password set two-factor fortitoken-cloud set email-to "example123@gmail.com" set passwd-time 2024-07-18 06:20:44 set passwd ENC +SkUbc+PGjQ8kLsVczQpnsnyknoAHxL6HRcNq9StK4ByvzQsFyL7TGLebxIxVj2YjfsNdPZFD4Buu4DfmEjvLsQAjePiwynhc4kWzLosEsbPVdEk5fxAqw/guv1eqijIcaNiL4bz6sgMFSlJiotI4bTYGuOzYfBPoLp82VppZz1YYCQ+wZkaPailJAaAiYvaARN7dQ== next end
config user group edit "IPSEC" set member "TokenUser" next end
config vpn ipsec phase1-interface edit "Azure" set type dynamic set interface "port1" set ike-version 2 set peertype any set net-device disable set mode-cfg enable set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256 set comments "VPN: Azure (Created by VPN wizard)" set dhgrp 14 set authusrgrp "IPSEC" set eap enable set eap-identity send-request set ipv4-start-ip 192.168.1.1 set ipv4-end-ip 192.168.1.255 set dns-mode auto set save-password enable set client-auto-negotiate enable set client-keep-alive enable set psksecret ENC IdtpOOstic/GXm0KwTMjMVlhWoZIcHWPCM5RMfvk9Q7jLbgSwhHhkdyo35bMrNzdUglsq8saXNGM5fcnczNC1X9Yn1E3F3THUE5U+g1XoIgXJt98VoEs4ROYGZaCOQTBusqMgBmtmRGSY3kZVzgk+Ym+lCpEPaPvTLxmzXT5h7xl4MFMuOT+6v3cmb6Rz/xoq1zXFg== next end
To configure IPsec VPN with FortiToken Mobile push MFA in EMS:
- In EMS, go to Endpoint Profiles > Remote Access.
- Select the desired profile.
- Click XML.
- Enter the following:
<ipsecvpn> <connection> <name>IPsecVPN_IKEv2</name> <uid>394B0149-2802-45FA-B50F-4A913F1DFA60</uid> <machine>0</machine> <keep_running>0</keep_running> <disclaimer_msg/> <single_user_mode>0</single_user_mode> <type>manual</type> <ui> <show_remember_password>1</show_remember_password> <show_alwaysup>1</show_alwaysup> <show_autoconnect>1</show_autoconnect> <show_passcode>0</show_passcode> <save_username>0</save_username> </ui> <redundant_sort_method>0</redundant_sort_method> <tags> <allowed/> <prohibited/> </tags> <host_check_fail_warning/> <ike_settings> <server>10.152.35.150</server> <authentication_method>Preshared Key</authentication_method> <fgt>1</fgt> <prompt_certificate>0</prompt_certificate> <xauth> <use_otp>0</use_otp> <enabled>1</enabled> <prompt_username>1</prompt_username> </xauth> <version>2</version> <mode>aggressive</mode> <key_life>86400</key_life> <localid>666</localid> <implied_SPDO>0</implied_SPDO> <implied_SPDO_timeout>0</implied_SPDO_timeout> <nat_traversal>1</nat_traversal> <nat_alive_freq>5</nat_alive_freq> <enable_local_lan>1</enable_local_lan> <enable_ike_fragmentation>1</enable_ike_fragmentation> <mode_config>1</mode_config> <dpd>1</dpd> <run_fcauth_system>1</run_fcauth_system> <sso_enabled>0</sso_enabled> <ike_saml_port>443</ike_saml_port> <dpd_retry_count>3</dpd_retry_count> <dpd_retry_interval>5</dpd_retry_interval> <auth_data> <preshared_key>Enc 7a13f86261e1942ef978d6ba263d88e96e69f69e26f832f0c9c53d08f584</preshared_key> </auth_data> <xauth_timeout>120</xauth_timeout> <dhgroup>14</dhgroup> <proposals> <proposal>AES128|SHA1</proposal> <proposal>AES256|SHA256</proposal> </proposals> </ike_settings> <ipsec_settings> <remote_networks> <network> <addr>0.0.0.0</addr> <mask>0.0.0.0</mask> </network> <network> <addr>::/0</addr> <mask>::/0</mask> </network> </remote_networks> <dhgroup>14</dhgroup> <key_life_type>seconds</key_life_type> <key_life_seconds>43200</key_life_seconds> <key_life_Kbytes>5200</key_life_Kbytes> <replay_detection>1</replay_detection> <pfs>1</pfs> <use_vip>1</use_vip> <virtualip> <type>modeconfig</type> <ip>0.0.0.0</ip> <mask>0.0.0.0</mask> <dnsserver>0.0.0.0</dnsserver> <winserver>0.0.0.0</winserver> </virtualip> <proposals> <proposal>AES128|SHA1</proposal> <proposal>AES256|SHA256</proposal> </proposals> </ipsec_settings> <android_cert_path/> <warn_invalid_server_certificate>1</warn_invalid_server_certificate> <on_connect> <script> <os>windows</os> <script/> </script> <script> <os>MacOSX</os> <script/> </script> <script> <os>linux</os> <script/> </script> </on_connect> <on_disconnect> <script> <os>windows</os> <script/> </script> <script> <os>MacOSX</os> <script/> </script> <script> <os>linux</os> <script/> </script> </on_disconnect> <traffic_control> <enabled>0</enabled> <mode>1</mode> </traffic_control> </connection> </connections> <options> <enhanced_key_usage_mandatory>0</enhanced_key_usage_mandatory> <enabled>1</enabled> <no_dns_registration>0</no_dns_registration> <show_auth_cert_only>1</show_auth_cert_only> <disallow_invalid_server_certificate>0</disallow_invalid_server_certificate> <disable_default_route>0</disable_default_route> <use_win_local_computer_cert>1</use_win_local_computer_cert> <block_ipv6>0</block_ipv6> <use_win_current_user_cert>1</use_win_current_user_cert> <usesmcardcert>1</usesmcardcert> <check_for_cert_private_key>0</check_for_cert_private_key> <enable_udp_checksum>0</enable_udp_checksum> <uselocalcert>0</uselocalcert> <beep_if_error>0</beep_if_error> <usewincert>1</usewincert> </options> </ipsecvpn>
- Save.
To test the configuration:
- On an endpoint that received the Remote Access profile configuration, on the Remote Access tab, connect to the IPsec VPN tunnel using the VPN user that has MFA enabled.
- The user receives an activation code for FortiToken Mobile. After installing FortiToken Mobile, approve the connection request.
FortiGate establishes the VPN connection and the user gains secure access to the corporate network. FortiClient displays that the connection succeeded. You can test the connection by pinging internal resources located behind the edge FortiGate.