Technical Tip: IKEv2 dialup IPsec tunnel with RADIUS server authentication and FortiClient
Description
This article describes an IKEv2 dial-up tunnel setup with a RADIUS server and using FortiClient.
Scope
FortiGate, FortiClient.
Solution
FortiGate dial-up IPsec tunnels can be configured as IKEv2 with RADIUS authentication. Note that EAP must be configured even if LDAP is the user directory, because IKEv2 requires EAP: in that case the RADIUS server terminates the EAP exchange and then checks the credentials against LDAP, where the RADIUS server supports that 'translation'.
Note:
Starting from FortiClient v7.4.3, EAP-TTLS is supported with IKEv2 authentication: EAP-TTLS support for IPsec VPN 7.4.3.
In earlier versions of FortiClient, EAP-MSCHAPv2 was the method used for username + password authentication and did not work with LDAP. EAP-TTLS now works with LDAP authentication.
Configuration.
Defining the RADIUS user.
config user local
edit "test_user"
set type radius
set radius-server "Radius_server"
next
end

User group.
config user group
edit "VPN_Users"
set member "test_user"
next
end

IPsec config.
config vpn ipsec phase1-interface
edit "Dialup_IKEv2"
set type dynamic
set interface "wan1"
set ike-version 2
set peertype any
set mode-cfg enable
set proposal aes128-sha1 aes256-sha256
set dpd on-idle
set comments "FTG IPsec VPN IKEv2 and Radius user auth"
set dhgrp 5
set eap enable
set eap-identity send-request
set authusrgrp "VPN_Users"
set ipv4-start-ip 192.168.88.10
set ipv4-end-ip 192.168.88.150
set dns-mode auto
set psksecret ENC xx
set dpd-retryinterval 60
next
end
Some of the settings above are only available through the CLI. If errors such as 'gw validation failed' or 'EAP response is empty' appear in the IKE debug output, refer to the following KB article: Troubleshooting Tip: For using Ikev2 for dialup Ipsec tunnel with radius server and Local user.
config vpn ipsec phase2-interface
edit "Dialup_IKEv2"
set phase1name "Dialup_IKEv2"
set proposal aes128-sha1 aes256-sha256
set dhgrp 5
next
end

Firewall policy.
config firewall policy
edit 0
set name "Dialup_IKEv2"
set srcintf "Dialup_IKEv2"
set dstintf "lan"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
next
end

- For IKEv2, FortiClient uses EAP-MSCHAPv2 (from FortiClient v7.4.3, EAP-TTLS is also supported, as noted above).
- For this setup to work, the remote RADIUS server must support EAP-MSCHAPv2 authentication (EAP-MS-CHAP); Microsoft NPS is one example.
To add the EAP-MSCHAPv2 authentication method, navigate to the following path:
Network Policy Server -> Policies -> Network Policies -> 'right-click' the specific policy name -> Properties -> Constraints.

Note: If there is also an MFA enabled on the RADIUS server, increase the timeout for the MFA to finish:
config system global
set remoteauthtimeout 50
end
When two-factor authentication is used for a dial-up tunnel, extending the IPsec negotiation timeout beyond the default 30 seconds may be necessary. This adjustment can prevent connection failures if additional time is required to enter the one-time password (OTP).
config vpn ipsec phase1-interface
edit "Dialup_IKEv2"
set negotiate-timeout 50
next
end
negotiate-timeout accepts an integer value from 1 to 300; the default is 30.
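As an added example (not from the article or from Fortinet), a small Python checker that parses FortiOS-style config/edit/set/next/end blocks and reports which of the IKEv2 EAP phase1 settings used above are missing, and, when MFA is in play, whether negotiate-timeout and remoteauthtimeout were raised. The sample configuration is constructed for the check and is not a device export.

```python
# Constructed sample in the article's CLI layout (not a device export): eap-identity is
# missing and remoteauthtimeout is low on purpose so the checker has findings to report.
SAMPLE = """
config system global
    set remoteauthtimeout 5
end
config vpn ipsec phase1-interface
    edit "Dialup_IKEv2"
        set type dynamic
        set ike-version 2
        set eap enable
        set authusrgrp "VPN_Users"
    next
end
"""
def parse_fortios(text):
    """config/edit/set/next/end -> {table: {entry: {key: value}}}; 'set' outside an edit -> "(global)"."""
    tables, stack, cur = {}, [], None
    for raw in text.splitlines():
        kw, _, rest = raw.strip().partition(" ")  # blank lines yield kw == "" and are skipped
        if kw == "config":
            stack.append(rest); tables.setdefault(rest, {})
        elif kw == "edit":
            cur = rest.strip('"'); tables[stack[-1]].setdefault(cur, {})
        elif kw == "set":
            k, _, v = rest.partition(" ")
            tables[stack[-1]].setdefault(cur or "(global)", {})[k] = v.strip('"')
        elif kw == "next":
            cur = None
        elif kw == "end":
            stack.pop(); cur = None
    return tables
# Phase1 settings the article's IKEv2 dial-up with RADIUS/EAP relies on.
REQUIRED = {"type": "dynamic", "ike-version": "2", "eap": "enable", "eap-identity": "send-request"}
def check_ikev2_eap(tables, mfa=False):
    """Return a list of findings; an empty list means the config matches the article."""
    findings = []
    for name, p1 in tables.get("vpn ipsec phase1-interface", {}).items():
        for k, v in REQUIRED.items():
            if p1.get(k) != v:
                findings.append(f"{name}: expected 'set {k} {v}', got {p1.get(k)!r}")
        if not p1.get("authusrgrp"):
            findings.append(f"{name}: authusrgrp not set, EAP users need a user group")
        if mfa and int(p1.get("negotiate-timeout", 30)) <= 30:  # article: default is 30
            findings.append(f"{name}: raise negotiate-timeout above 30 to allow OTP entry")
    g = tables.get("system global", {}).get("(global)", {})
    if mfa and int(g.get("remoteauthtimeout", 0)) < 50:
        findings.append("system global: set remoteauthtimeout 50 so MFA can finish")
    return findings
```

Run it against a `show vpn ipsec phase1-interface` and `show system global` export pasted into SAMPLE; the firewall policy and user group blocks parse the same way.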
Note 1: In FortiOS version 7.2 and later, when FIPS mode is enabled, standard unprotected RADIUS authentication is no longer configurable. If RADIUS authentication is necessary, the associated RADIUS server must be updated to support RADSEC. (See document: Add RADSEC client support)
Related articles:
Technical Tip: How to configure IPsec VPN Tunnel using IKE v2
Technical Tip: IKEv2 Dialup IPsec tunnel with RADIUS and FortiToken MFA
Technical Tip: A guide to Dial-Up IPSec VPN Authentication and Policy Matching
Technical Tip: No RADIUS Accounting packets for 'Remote RADIUS Users' when using IKEv2
