¶ Fortigate Remote-Access IPsec VPN
Versions 6.x
¶ Configuration on NACVIEW
On the NACVIEW server you need to add a Fortigate device with configured OTP parameters. It is possible in NACVIEW to perform an OTP using the NACVIEW Authenticator or Google Authenticator application, or using an SMS code. In the OTP parameter field, select Fortinet-Group-Name.
¶ Configuration on Fortigate
Configuration on Fortigate consists of two parts:
creating a RADIUS authorization server and a group of users based on it, and assigning this group to a given VPN profile.
¶ The User group
Go to the menu User & Device, in the RADIUS Servers** tab and click Create New.
Now set the communication protocol to PAP and specify the NACVIEW name, address and RADIUS key, as well as the IP address that Fortigate will use when communicating with NACVIEW (NAS IP). Then confirm with OK.
Then go to the User Groups tab and click Create New. Specify the group name, select the type as Firewall and, in the Remote Groups section, add the newly created RADIUS server. Confirm OK twice.
Then log in via SSH to Fortigate and execute the following commands:
config system global
set remoteauthtimeout 30
end
config user radius
edit ENTER THE NAME OF YOUR CREATED SERVER HERE
set radius-port 1817
next
end
¶ VPN configuration
Go to the VPN menu in the IPsec Tunnels tab.
Give a name, select the Remote Access type and also: Client-based, FortiClient.
Select the new created user group. The rest of the settings do according to the planned VPN settings.
Enter the rest of the VPN settings and confirm.
Once the configuration is approved and loaded on the device, the OTP-authorized VPN is ready to go.