
How to migrate Fortinet IPsec VPN MFA

June 13, 2025, by Victoria Savage

FortiOS 7.6.3 officially removes SSL VPN tunnel mode (SSL VPN web mode remains available), a change that affects countless enterprises that relied on SSL VPN to secure remote access. For network security administrators this shift raises critical questions around multi-factor authentication (MFA) for Fortinet environments.

In this post, we’ll explore how the deprecation of SSL VPN tunnel mode impacts your Fortinet IPsec VPN MFA deployments and how LoginTC’s MFA for Fortinet easily integrates to keep your remote access both secure and user-friendly.

Why did Fortinet drop SSL VPN tunnel mode?

A recent FortiOS release officially deprecated Fortinet SSL VPN tunnel mode in favor of more robust, high-throughput options. Some of the key reasons for this include:

  • Performance and Scalability: SSL VPN tunnel mode is processed in software on the FortiGate CPU, whereas IPsec can be offloaded to the unit's network processors, so SSL VPN became the bottleneck under heavy load.
  • Feature Parity: Modern IPsec VPN solutions now offer built-in split tunneling, advanced route-based policies, and support for the latest encryption suites.
  • Security Alignment: IPsec VPNs are better suited for Zero Trust frameworks, offering fine-grained access control and compatibility with advanced MFA solutions.

As of FortiOS 7.6.3, existing SSL VPN tunnel-mode settings are removed during the upgrade and do not carry over. Upgrading without a migration plan risks immediate disruption for remote users.

Impact on MFA for Fortinet environments

If your organization leverages SSL VPN tunnel mode together with MFA, the removal introduces two main challenges:

1. Configuration Breaks

Migrating to IPsec means replacing your SSL VPN portal and settings with Phase 1 (IKE) and Phase 2 (IPsec) configuration, which have no SSL VPN equivalent. Any existing MFA integrations tied to SSL VPN logins (RADIUS servers, user groups, and the firewall policies that reference the SSL VPN interface) will need to be reconfigured or rebuilt against the new tunnel interface.

2. User Experience Shift

SSL tunnel-mode clients often handle authentication and tunnel setup in one flow. Switching to IPsec can introduce complexity for end users if MFA is not tightly integrated into the new connection workflow.

Ensuring continuity of MFA prompts and a seamless user experience is critical. Without it, you risk weakening user adoption, increasing help-desk tickets, and potentially exposing your network to unauthorized access.

What is the best way to mitigate the Fortinet SSL VPN change with MFA?

Follow these high-level steps to migrate your SSL VPN tunnel mode and MFA setup to a resilient IPsec configuration.

First, audit your current SSL VPN + MFA setup: take a full configuration backup, export your SSL VPN portals and settings, and note every authentication dependency, including RADIUS servers and shared secrets, user groups, and the firewall policies that reference the SSL VPN interface. Next, build new IPsec tunnel interfaces, configuring a Phase 1 (IKE) and Phase 2 (IPsec) profile for dial-up clients. Note that IPsec does not use TCP 443: IKE runs over UDP 500 and UDP 4500 (NAT traversal), and the tunnel traffic itself is ESP (IP protocol 50), or UDP 4500 when NAT-T is in use. Firewall rules and upstream ACLs written for SSL VPN on TCP 443 therefore cannot simply be reused and must be updated for these ports.

Third, integrate an MFA solution, such as LoginTC MFA. Point your FortiGate's RADIUS server settings to your MFA's RADIUS connector, reference that server in a user group, and bind the group to the Phase 1 profile so that user authentication (XAuth for IKEv1, EAP for IKEv2) is forwarded to RADIUS. Define user-group mappings and MFA policies within your solution's administration tools. Because a push approval takes longer than a password check, raise the FortiGate's remote authentication timeout above its 5-second default, or the RADIUS request will time out before the user can approve it.

[Figure: Example Fortinet IPsec MFA architecture setup]

Fourth, pilot and validate your setup by testing with a small group of users, verifying that tunnel establishment prompts the MFA challenge and that connections succeed. Validate split-tunnel, full-tunnel, and mobile-client behaviors.

Finally, you can roll out and decommission SSL tunnel mode. Schedule your FortiOS 7.6.3 upgrade during a planned maintenance window, and after validating connectivity, remove any remaining SSL VPN configurations to avoid confusion.
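The migration steps above, condensed into one FortiOS CLI example. This is an added illustration and is not LoginTC's or Fortinet's published configuration. The interface names (port1 WAN, port2 LAN), the RADIUS connector address 10.0.0.5, the client pool 10.212.134.0/24, the LAN subnet 192.168.1.0/24, the object names, and the secrets are all placeholder assumptions to be replaced with your own values.

```fortios
# Added example configuration (assumed placeholder values throughout).

# 1. RADIUS must wait for the user to approve a push prompt. The default
#    remote-auth timeout of 5 seconds fails the login before that happens.
config system global
    set remoteauthtimeout 60
end

# 2. The MFA RADIUS connector. PAP is used because the connector, not the
#    FortiGate, validates the second factor.
config user radius
    edit "LoginTC-RADIUS"
        set server "10.0.0.5"
        set secret "REPLACE-WITH-SHARED-SECRET"
        set auth-type pap
        set timeout 60
    next
end

config user group
    edit "VPN-MFA-Users"
        set member "LoginTC-RADIUS"
    next
end

# 3. Dial-up IPsec Phase 1. IKEv2 with EAP forwards the username/password to
#    RADIUS, where the MFA challenge is enforced. For IKEv1 clients, replace
#    the two "eap" lines with "set xauthtype auto".
config vpn ipsec phase1-interface
    edit "dialup-mfa"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set mode-cfg enable
        set proposal aes256-sha256
        set dhgrp 14
        set eap enable
        set eap-identity send-request
        set authusrgrp "VPN-MFA-Users"
        set ipv4-start-ip 10.212.134.1
        set ipv4-end-ip 10.212.134.254
        set ipv4-netmask 255.255.255.0
        set psksecret "REPLACE-WITH-PSK"
    next
end

# Phase 2 for the same tunnel.
config vpn ipsec phase2-interface
    edit "dialup-mfa"
        set phase1name "dialup-mfa"
        set proposal aes256-sha256
        set dhgrp 14
        set pfs enable
    next
end

# 4. Address objects and the firewall policy that replaces the old one
#    referencing the SSL VPN interface. Scope it to the client pool and the
#    LAN rather than "all".
config firewall address
    edit "dialup-mfa-pool"
        set subnet 10.212.134.0 255.255.255.0
    next
    edit "LAN-net"
        set subnet 192.168.1.0 255.255.255.0
    next
end

config firewall policy
    edit 0
        set name "IPsec-MFA-to-LAN"
        set srcintf "dialup-mfa"
        set dstintf "port2"
        set srcaddr "dialup-mfa-pool"
        set dstaddr "LAN-net"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# 5. Checks before the pilot. The first exercises the RADIUS path only; with
#    a push method, expect it to block until the prompt is approved, then
#    report success.
diagnose test authserver radius LoginTC-RADIUS pap alice REPLACE-WITH-PASSWORD
# While a pilot client connects, watch IKE for the EAP exchange, then confirm
# the gateway is up with an address from the pool.
diagnose debug application ike -1
diagnose debug enable
diagnose vpn ike gateway list
diagnose debug disable
```

Run the `diagnose test authserver` check from an SSL VPN-free maintenance window first: if it returns immediately with a failure rather than waiting for the push, the RADIUS path (shared secret, source IP allowed on the connector, or the timeout) is wrong and no amount of client-side troubleshooting will help.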

LoginTC MFA for Fortinet IPsec VPN

To address these challenges, LoginTC offers an out-of-the-box MFA solution designed specifically for the FortiGate IPsec VPN. With LoginTC MFA you get:

  • Native Fortinet integration: LoginTC plugs directly into FortiGate's RADIUS authentication workflows. Whether you choose certificate-based Phase 1 or pre-shared keys, LoginTC adds a secondary authentication challenge during tunnel establishment (via XAuth on IKEv1 or EAP on IKEv2), allowing you to implement Fortinet IPsec VPN MFA without scripting or custom workarounds.
  • User-friendly authentication methods: With LoginTC you can choose from a wide variety of authentication methods to meet the needs of your end users: push notifications, hardware tokens, software OTPs, FIDO2 keys, passcode grids, and more, all of which work with your Fortinet IPsec VPN.

[Figure: Fortinet VPN with Hardware Token authentication]

  • Administrator policies: LoginTC allows you to define MFA requirements per user group, application, or even more specific attributes like geolocation or time of day. For example, you can require FIDO2 token authentication for critical infrastructure teams, while permitting push notifications for less privileged roles.
  • Fast deployment: With pre-built connectors and comprehensive documentation, LoginTC can be up and running in under an hour. No need to rebuild your entire VPN layer, simply insert LoginTC into your existing IPsec profiles.

Conclusion

The removal of SSL VPN tunnel mode in FortiOS 7.6.3 is an opportunity to modernize your remote access security posture. By migrating to IPsec VPN and layering on LoginTC’s MFA for Fortinet, you’ll gain a scalable, policy-driven solution that enforces strong authentication without compromising user experience.

Ready to secure your FortiGate IPsec VPN with best-in-class MFA? Start your free trial with LoginTC MFA today.
