IPsec VPN with two-factor authentication


In this recipe, two-factor authentication is added to a user account to provide extra security when connecting to an IPsec VPN using FortiClient for Mac OS X.

Two-factor authentication requires a user to authenticate twice before being allowed to access the IPsec VPN. In this recipe, the FortiToken Mobile app for iOS provides a 6-digit one-time password (OTP) that you must enter at a second authentication prompt.
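To show what the FortiGate has to do at that second prompt, here is an added Python example (not part of this recipe and not Fortinet code) of the time-based one-time password scheme standardized in RFC 6238, which is the general mechanism behind 6-digit app-generated codes. It assumes HMAC-SHA1, a 30-second time step and the RFC's published test seed; FortiToken Mobile's actual seed provisioning and time step are not stated in the recipe and are not claimed here. The verifier accepts one step of clock skew either side, rejects a code that has already been used for the same step (replay), and compares in constant time.

```python
import hashlib
import hmac
import struct

# Constructed demo seed: the ASCII secret from the RFC 6238 Appendix B test
# vectors. A real token seed is provisioned through the activation code and is
# never typed or shared by hand.
DEMO_SEED = b"12345678901234567890"
TIME_STEP = 30   # seconds per code; an assumption for this example
DIGITS = 6       # the recipe describes a 6-digit code


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a fixed number of decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the time step."""
    return hotp(seed, unix_time // step, digits)


class OtpVerifier:
    """Server-side check of a submitted code, modelled on what the second
    authentication prompt must do for each user:

    - accept the current step plus `window` steps either side (clock skew)
    - reject any (user, step) pair that already authenticated, so a code
      captured in transit cannot be replayed inside its validity window
    - compare in constant time to avoid leaking digits through timing
    """

    def __init__(self, seed: bytes, step: int = TIME_STEP,
                 digits: int = DIGITS, window: int = 1):
        self.seed = seed
        self.step = step
        self.digits = digits
        self.window = window
        self._used = set()   # (user, counter) pairs already accepted

    def verify(self, user: str, submitted: str, unix_time: int) -> bool:
        # Reject malformed input before doing any crypto.
        if len(submitted) != self.digits or not submitted.isdigit():
            return False
        current = unix_time // self.step
        for counter in range(current - self.window, current + self.window + 1):
            expected = hotp(self.seed, counter, self.digits)
            if hmac.compare_digest(expected, submitted):
                if (user, counter) in self._used:
                    return False          # replayed code
                self._used.add((user, counter))
                return True
        return False


if __name__ == "__main__":
    verifier = OtpVerifier(DEMO_SEED)
    code = totp(DEMO_SEED, 59)            # RFC 6238 vector: "287082"
    print("generated:", code)
    print("first use accepted:", verifier.verify("alice", code, 59))
    print("replay rejected:", verifier.verify("alice", code, 59))
```

The replay set is kept in memory here; a production verifier would persist the last accepted step per user so the check survives restarts and works across a cluster.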

This recipe assumes that you have already activated FortiToken Mobile (see Two-factor authentication with FortiToken Mobile for details).

1. Creating a user and user group  

Go to User & Device > User > User Definition and create a new local user.  
Enter the user’s login credentials. This example simply creates a local user.

For Contact Info, select SMS and be sure to include a Phone Number without dashes or spaces.

This example uses SMS to send an activation code to the user, so the user’s mobile phone number is included here. Even if your FortiGate cannot send SMS messages, you must include a phone number for the IPsec VPN wizard to work.

Do not add an email address.

Select the FortiToken assigned to this user.
The user list shows the FortiToken in the Two-factor Authentication column for the new user account. 

Go to User & Device > User > User Groups. Create a user group for remote users and add the new user.

2. Adding a firewall address for the LAN

Go to Policy & Objects > Objects > Addresses.

Create a firewall address for your LAN’s subnet.

3. Configuring the IPsec VPN using the IPsec VPN Wizard

Go to VPN > IPsec > Wizard.

Name the VPN connection and select the new user group.

Set Local Interface to an internal interface (in the example, port 1) and set Local Address to the LAN address.

Enter an IP range for VPN users in the Client Address Range field.

Select Client Options as desired.

4. Creating a security policy for access to the Internet

Go to Policy & Objects > Policy > IPv4. Create a security policy allowing remote users to access the Internet securely through the FortiGate unit.

Set Incoming Interface to the tunnel interface and set Source Address to all. Set the Source User(s) to the new user group. Set Outgoing Interface to your Internet-facing interface and Destination Address to all.

Ensure that you enable NAT.

5. Sending the FortiToken activation code to the user

If your FortiGate can send SMS messages, go to User & Device > User > User Definition and edit the new user account. Select Send Activation Code and send the code by SMS.

If your FortiGate cannot send SMS messages, go to System > Dashboard > Status and enter the following into the CLI Console, substituting the correct serial number:

config user fortitoken

The activation code will be shown in the output. This code must be given to the user.

6. Setting up FortiToken Mobile on an iOS device

Using your iOS device, download and install FortiToken Mobile.  

Open the app and add a new account. Select Enter Manually, then select Fortinet under FORTINET ACCT.

Enter the activation code into FortiToken Mobile.

FortiToken Mobile can now generate a token for use with the FortiGate.

(Optional) For additional security, set a PIN for FortiToken Mobile using the app’s Settings options.

7. Configuring FortiClient for Mac OS X

Using your Mac OS X device, download and install FortiClient.

Open FortiClient, go to Remote Access and select Add a new connection.

Provide a Connection Name and set the Type to IPsec VPN.

Set Remote Gateway to the FortiGate’s IP address.

Set Authentication Method to Pre-Shared Key and enter the key for the IPsec VPN.

8. Results

Using FortiClient, select the IPsec VPN connection, enter the password, and click Connect.

You will be prompted to enter your code from FortiToken Mobile.

After your code has been verified, a connection to the IPsec VPN is established.


Notes on step 3 (Configuring the IPsec VPN using the IPsec VPN Wizard)

In the wizard, after naming the VPN connection, select Dial Up – FortiClient (Windows, Mac OS, Android).

Set the Incoming Interface to the internet-facing interface.

Select Pre-shared Key for the Authentication Method and enter a pre-shared key. The pre-shared key is a credential for the VPN and should differ from the user’s password.

The IP range you enter in the Client Address Range field prompts FortiOS to create a new firewall object for the VPN tunnel using the name of your tunnel followed by the _range suffix (in this case, ipsecvpn_range).

In addition, FortiOS automatically creates a security policy to allow remote users to access the internal network.