Troubleshooting Tip: Dialup IPsec VPN user-info not displaying in 'Assets & Identities'
| Description | This article explains how to troubleshoot and display dialup IPsec VPN user identities in the 'Firewall Users' widget within the 'Assets & Identities' dashboard. |
| Scope | FortiGate. |
| Solution | When a client authenticates to a dialup IPsec tunnel, it is often useful to display its session information in the 'Firewall Users' widget. |

IPsec VPN authentication by itself does not create an entry in the firewall user list.
To display this information, the user group must be configured in the firewall policy rather than on the IPsec VPN phase1-interface.
Identities can also be displayed for Entra ID SAML-authenticated users and for clients using the auto-connect to IPsec VPN feature, whose Entra ID logon session information is retrieved through the msgraph API.
If the user group is configured both on the IPsec VPN phase1-interface and in the firewall policy, traffic stops flowing through the IPsec VPN tunnel: no entry is created in 'diagnose firewall auth list', so any firewall policy that requires an authentication group (set groups 'yyyy') is not matched.
From v7.4 onward, this widget is located in the 'Assets & Identities' dashboard. In the v7.2 branch, it can be found under 'Users & Devices'.

Configuration of a user and user group:

```
config user local
    edit "test"
        set type password
        set passwd fortinet
    next
end
config user group
    edit "testgrp"
        set member "test"
    next
end
```

IPsec VPN IKEv2 configuration:

```
config vpn ipsec phase1-interface
    edit "TestIKEv2"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha1 aes256-sha256
        set dpd on-idle
        set dhgrp 5
        set eap enable
        set eap-identity send-request
        set ipv4-start-ip 192.168.30.5
        set ipv4-end-ip 192.168.30.20
        set dns-mode auto
        set client-auto-negotiate enable
        set client-keep-alive enable
        set psksecret fortinet
        set dpd-retryinterval 60
    next
end
config vpn ipsec phase2-interface
    edit "TestIKEv2P2"
        set phase1name "TestIKEv2"
        set proposal aes128-sha1 aes256-sha256
        set dhgrp 5
    next
end
config firewall policy
    edit 101
        set name "TestIKEv2"
        set srcintf "TestIKEv2"
        set dstintf "LAN"
        set action accept
        set srcaddr "all"
        set dstaddr "LAN address"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set groups "testgrp"
    next
end
```

IPsec VPN IKEv1 configuration:

```
config vpn ipsec phase1-interface
    edit "TestIKEv1"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256
        set xauthtype auto
        set ipv4-start-ip 192.168.20.5
        set ipv4-end-ip 192.168.20.20
        set dns-mode auto
        set client-keep-alive enable
        set psksecret fortinet
    next
end
config vpn ipsec phase2-interface
    edit "TestIKEv1P2"
        set phase1name "TestIKEv1"
        set proposal aes128-sha256 aes256-sha256
    next
end
config firewall policy
    edit 100
        set name "TestIkev1"
        set srcintf "TestIKEv1"
        set dstintf "LAN"
        set action accept
        set srcaddr "all"
        set dstaddr "LAN address"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set groups "testgrp"
    next
end
```
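The following CLI session is an added example, not part of the original article, showing the double-binding misconfiguration described above beside its correction, followed by the checks used to confirm that the user entry now exists. It assumes the phase1-level group is bound with the `authusrgrp` option of `config vpn ipsec phase1-interface` and reuses the object names from the article ("TestIKEv2", "testgrp", policy 101); lines beginning with `#` are annotations for the reader, not FortiOS CLI input.

```text
# --- Misconfiguration: group bound in BOTH places (tunnel passes no traffic) ---
config vpn ipsec phase1-interface
    edit "TestIKEv2"
        set authusrgrp "testgrp"
    next
end
config firewall policy
    edit 101
        set groups "testgrp"
    next
end

# --- Correction: keep the group on the firewall policy only ---
config vpn ipsec phase1-interface
    edit "TestIKEv2"
        unset authusrgrp
    next
end

# --- Verification after a client in "testgrp" connects ---
# 1. Confirm the IKE SA and the tunnel are up.
diagnose vpn ike gateway list
diagnose vpn tunnel list

# 2. Confirm the user now has a firewall-auth entry; with the group still
#    bound on phase1 this list stays empty and policy 101 never matches.
diagnose firewall auth list

# 3. Policy 101 should show hits once the entry exists; "testgrp" is
#    then expected in the 'Firewall Users' widget.
diagnose firewall iprope show 100004 101
```

Run the verification commands in this order: if step 1 shows the tunnel up but step 2 is empty, the group is still bound at phase1 level and the policy group match is the reason traffic is not flowing.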

