Setting up IPsec VPN with MFA using FortiToken in FortiOS 7.2

Published on Feb 17, 2026
This response is partially generated with the help of AI. It may contain inaccuracies.

Introduction

This tutorial provides a step-by-step guide to setting up an IPsec VPN with Multi-Factor Authentication (MFA) using FortiToken in FortiOS 7.2. By following these instructions, you will enhance your network security and allow secure remote access for users.

Step 1: Prepare Your Environment

Before starting the configuration, ensure you have the following:

  • A FortiGate firewall running FortiOS 7.2.
  • FortiToken licenses for MFA.
  • Administrative access to the FortiGate management interface.

Step 2: Configure User and User Group

  1. Create a User Account

    • Navigate to User & Device > User Definition.
    • Click on Create New.
    • Fill in necessary details (username, password).
    • Enable FortiToken for MFA.
    • Save the user settings.
  2. Create a User Group

    • Go to User & Device > User Groups.
    • Click on Create New.
    • Name the group (e.g., "VPN_Users").
    • Add the previously created user to this group.
    • Save the user group settings.

Step 3: Configure FortiToken

  1. Assign FortiToken to User

    • Navigate to the user you created.
    • Under the FortiToken section, click on Assign Token.
    • Follow prompts to link the token to the user account.
  2. Token Activation

    • Users must activate their tokens via the FortiToken Mobile app.
    • Provide users with the appropriate QR code or activation details.

Step 4: Set Up the IPsec VPN

  1. Create a VPN Tunnel

    • Go to VPN > IPsec Tunnels.
    • Click on Create New.
    • Select Custom for the template type.
    • Fill in the tunnel settings:
      • Name your tunnel.
      • Set the remote gateway (usually the public IP of the VPN client).
      • Configure the authentication method (select pre-shared key).
  2. Configure Phase 1 Settings

    • Enable IKEv2.
    • Set the encryption and authentication algorithms.
    • Set the key lifetime.
  3. Configure Phase 2 Settings

    • Navigate to the Phase 2 selectors.
    • Define the local and remote subnets.
    • Select encryption and authentication settings.
    • Set the key lifetime for Phase 2.
  4. Apply Security Policies

    • Go to Policy & Objects > IPv4 Policy.
    • Create a new policy allowing traffic from the VPN to the internal network.
    • Enable logging on the policy so VPN sessions can be monitored.
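The same configuration expressed as a FortiOS CLI script, as an added example that is not part of the original tutorial. The user name, token serial, interface names, address pool, pre-shared key and password are placeholders chosen for illustration; replace them with your own values.

```fortios
# Local user with FortiToken as the second factor (serial is a placeholder)
config user local
    edit "alice"
        set type password
        set passwd "ChangeMe-Password"
        set two-factor fortitoken
        set fortitoken "FTKMOB0000000000"
    next
end
# Group referenced by the VPN for authentication
config user group
    edit "VPN_Users"
        set member "alice"
    next
end
# Dial-up IKEv2 phase 1: EAP prompts for username, password and token code
config vpn ipsec phase1-interface
    edit "ra-ikev2"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set mode-cfg enable
        set proposal aes256-sha256
        set eap enable
        set eap-identity send-request
        set authusrgrp "VPN_Users"
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.100
        set ipv4-netmask 255.255.255.0
        set psksecret "ChangeMe-PSK"
    next
end
# Phase 2 selectors default to 0.0.0.0/0, suitable for remote-access clients
config vpn ipsec phase2-interface
    edit "ra-ikev2-p2"
        set phase1name "ra-ikev2"
        set proposal aes256-sha256
        set keylifeseconds 3600
    next
end
# Policy from the tunnel interface to the LAN with logging enabled
config firewall policy
    edit 0
        set name "VPN_to_LAN"
        set srcintf "ra-ikev2"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

After a client connects, `diagnose vpn ike gateway list` shows the negotiated IKEv2 SA and the authenticated user, and `diagnose fortitoken info` lists assigned tokens and their activation status.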

Step 5: Test the VPN Connection

  1. Connect to the VPN

    • Use a compatible VPN client to connect.
    • Input the username and password when prompted.
    • Enter the FortiToken code generated by the app.
  2. Verify Connectivity

    • Check if you can access resources in the private network.
    • Monitor logs for any connection issues.

Conclusion

You have now successfully set up an IPsec VPN with Multi-Factor Authentication using FortiToken in FortiOS 7.2. This configuration enhances security for remote users accessing the network. For further improvements, consider regularly updating the FortiOS version and monitoring user access patterns.