FortiOS 5.2 Authentication: IPsec VPN with two-factor authentication


Two-factor authentication requires a user to authenticate twice before being allowed to access the IPsec VPN. In this recipe the FortiToken Mobile app for iOS provides a one-time password (OTP), a 6-digit number, that you must enter at a second authentication prompt.

This recipe assumes that you have already activated FortiToken Mobile (see Two-factor authentication with FortiToken Mobile for details).

1. Creating a user and user group

Go to User & Device > User > User Definition and create a new local user.  

Enter the user’s login credentials. This example simply creates a local user.

For Contact Info, select SMS and be sure to include a Phone Number without dashes or spaces.

This example uses SMS to send an activation code to the user so we included the user’s mobile phone number here. Even if your FortiGate cannot send SMS messages you need to include a phone number for the IPsec VPN wizard to work.

Do not add an email address.

Select the FortiToken assigned to this user.

The user list shows the FortiToken in the Two-factor Authentication column for the new user account.

Go to User & Device > User > User Groups. Create a user group for remote users and add the new user.

2. Adding a firewall address for the LAN

Go to Policy & Objects > Objects > Addresses.

Create a firewall address for your LAN’s subnet.

3. Configuring the IPsec VPN using the IPsec VPN Wizard

Go to VPN > IPSec > Wizard.

Name the VPN connection and select the new user group.

Set Local Interface to an internal interface (in the example, port 1) and set Local Address to the LAN address.

Enter an IP range for VPN users in the Client Address Range field.*

Select Client Options as desired.

4. Creating a security policy for access to the Internet

Go to Policy & Objects > Policy > IPv4. Create a security policy allowing remote users to access the Internet securely through the FortiGate unit.

Set Incoming Interface to the tunnel interface and set Source Address to all. Set the Source User(s) to the new user group. Set Outgoing Interface to your Internet-facing interface and Destination Address to all.

Ensure that you enable NAT.

5. Sending the FortiToken activation code to the user

If your FortiGate can send SMS messages, go to User & Device > User > User Definition and edit the new user account. Select Send Activation Code and send the code by SMS.

If your FortiGate cannot send SMS messages, go to System > Dashboard > Status and enter the following into the CLI Console, substituting the correct serial number:

config user fortitoken
  edit 
  show

The activation code will be shown in the output. This code must be given to the user.

6. Setting up FortiToken Mobile on an iOS device

Using your iOS device, download and install FortiToken Mobile.

Open the app and add a new account. Select Enter Manually, then select Fortinet under FORTINET ACCT.

Enter the activation code into FortiToken Mobile.

FortiToken Mobile can now generate a token for use with the FortiGate.

(Optional) For additional security, set a PIN for FortiToken Mobile using the app’s Settings options.

7. Configuring FortiClient for Mac OS X

Using your Mac OS X device, download and install FortiClient.

Open FortiClient, go to Remote Access and select Add a new connection.

Provide a Connection Name and set the Type to IPsec VPN.

Set Remote Gateway to the FortiGate’s IP address.

Set Authentication Method to Pre-Shared Key and enter the key for the IPsec VPN.

8. Results

Using FortiClient, select the IPsec VPN connection, enter the password, and click Connect.

You will be prompted to enter your code from FortiToken Mobile.

After your code has been verified, a connection to the IPsec VPN is established.
