rarora
Staff
November 12, 2020

Technical Tip: Authentication with remote LDAP via site-to-site VPN


Description


This article describes how to authenticate with remote LDAP via site-to-site IPsec VPN.

 

Scope

 

FortiGate.

Solution


Let's assume that the site-to-site IPsec VPN tunnel is up and that traffic passes through it correctly.

 

  1. Adding the remote LDAP server: Go to User & Device -> LDAP server and select 'Create New'.

 
Add the LDAP server as you would any other LDAP server (see Technical Tip: How to configure FortiGate to use an LDAP server).
 
  2. Even though the server is added, its status does not show as connected; instead the error 'Can't contact LDAP server' is displayed. Open the CLI and set the source-ip for the LDAP server.

config user ldap
(ldap) edit 1stLDAPServer
(1stLDAPServer) set source-ip 192.168.1.99
(1stLDAPServer) end
 
Note:
'source-ip' is the IP of the FortiGate interface whose subnet is configured as the local subnet in the IPsec tunnel's phase-2 selectors. For reference, the relevant IPsec configuration is found as follows:
  

In the IPsec tunnel settings, open the tunnel in question and go to Phase 2 Selectors; the Local Address subnet configured there is the subnet from which the source-ip discussed above must be taken.
 
Now, the LDAP status will be green and connected.
 

Test user credentials against the server to verify that authentication works.


  3. It is now possible to pull groups from the remote LDAP server. Follow the usual process of adding groups under User & Device -> User Groups.
  4. Configure a policy to allow access to these groups. It is now possible to authenticate with the remote LDAP server via the site-to-site tunnel.
 
Note:
If X-Auth is used in the IPsec tunnel settings, make sure to add the group under X-Auth as well.
 
 

Alternatively, the problem can be fixed by assigning an IP address to the IPsec tunnel interface and using that address as the source-ip.

Ensure that the IPsec interface IP prefix is part of the phase-2 local selectors. If it is not, create a new phase-2 selector with this IP or subnet as the local network.

Configure the appropriate firewall policies and routing on the remote-site device so that traffic from the tunnel IP address can reach the LDAP server.

 

config system interface
    edit "IPSec-VPN"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set snmp-index 12
        set interface "wan1"
    next
end

 

config user ldap
    edit LDAP-SERVER
        set source-ip 10.10.10.1
    next
end
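As an added example (not from the original article and not Fortinet code), the following Python script reads a constructed FortiOS configuration excerpt and checks, for each LDAP server, whether its source-ip falls inside a phase-2 local selector (src-subnet). It covers both the interface-IP approach above and the tunnel-interface-IP alternative, where a tunnel IP that no selector covers is the failing case. The config text, server names and addresses are constructed for illustration.

```python
import ipaddress
import re

# Constructed FortiOS excerpt (not taken from a real device): one phase-2
# selector and two LDAP servers, one per approach described in the article.
SAMPLE_CONFIG = """
config vpn ipsec phase2-interface
    edit "IPSec-VPN-p2"
        set phase1name "IPSec-VPN"
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 10.0.0.0 255.255.255.0
    next
end
config user ldap
    edit "1stLDAPServer"
        set server "10.0.0.5"
        set source-ip 192.168.1.99
    next
    edit "LDAP-SERVER"
        set server "10.0.0.5"
        set source-ip 10.10.10.1
    next
end
"""

def parse_local_selectors(config):
    """Return every phase-2 local selector (set src-subnet IP MASK) as a network."""
    return [ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            for ip, mask in re.findall(r"set src-subnet (\S+) (\S+)", config)]

def parse_ldap_source_ips(config):
    """Return {ldap server name: source-ip or None} from the 'config user ldap' block."""
    block = re.search(r"config user ldap\n(.*?)\nend", config, re.S)
    servers = {}
    if block:
        for name, body in re.findall(r'edit "?([^"\n]+)"?\n(.*?)\n\s*next', block.group(1), re.S):
            src = re.search(r"set source-ip (\S+)", body)
            servers[name] = src.group(1) if src else None
    return servers

def check_ldap_source_ips(config):
    """True per LDAP server when its source-ip lies inside a phase-2 local selector,
    i.e. the FortiGate's own LDAP queries will be sent through the tunnel."""
    selectors = parse_local_selectors(config)
    verdict = {}
    for name, src in parse_ldap_source_ips(config).items():
        # No source-ip at all is the failing case from the article, so it is never covered.
        verdict[name] = src is not None and any(ipaddress.ip_address(src) in net for net in selectors)
    return verdict
```

A False verdict for a server means the FortiGate will source its LDAP queries from an address the tunnel does not carry, which is exactly the 'Can't contact LDAP server' situation the article describes.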

 

Related articles:

Technical Tip: How to configure LDAP server

Technical Tip: Configure IP address on an IPSec tunnel interface

Technical Tip: Self-originating traffic over IPSec VPN (For example ping)