New Member

Question

Dialup IPSec VPN with IKEv2 using Forticlient, Fortigate and FortiAuthenticatior

Forum|Forum|3 years ago
June 20, 2022
4 replies
9139 views

Dear All,

Hope you are doing good!

Current Scenario:

We are using forticlient for dialup ipsec vpn using IKEv1 with Two factor authentication.

FortiGate tunnels are authenticated via Radius (PAP) from FAC.

Forticlient ---> FortiGate -->(Radius)-> FortiAuthenticator

Forticlient version: 6.4

Fortigate: 200E firware 6.4.3

FortiAuthenticator: 300F firware 6.3.2

Required Scenario:

we need to shift IKEv2 and do following changes in existing tunnel but tunnel didn't connect.

set ike-version 2
set eap enable
set eap-identity send-request

Radius B/w FG and FAC.

change authentication method from pap to MSCHAPv2 on FG and PEAP in FAC Radius Policies. (Radius connection Successful)

Troubleshooting:

IKEv2 VPN successfully connect with local user on firewall.

found mismatch authentication method on FAC in debug logs.

If anyone have idea about this please guide.

Regards,

AD

Debbie_FTNT

Staff & Editor

Hey AD91,

If you're using MSCHAPv2 on FortiGate, you need to ensure FortiAuthenticator is joined to the domain, so it can send the hashed password to AD to cross-check; if FortiAuthenticator is not joined to the domain it can only authenticate local users via MSCHAPv2, remote users via PAP.

I would suggest the following:

- test VPN with a local user on FortiAuthenticator

-> that might require changing the RADIUS policy to use the local realm, not a remote realm

- join FortiAuthenticator to domain (https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-Joining-FortiAuthenticator-in-the-active-directory/ta-p/195891)

If you're still getting failures, can you provide the specific error message you get (beyond 'mismatched authentication method)?

fmeloni

Explorer

Hi Debbie,

I made the join to the Fac domain but again I cannot authenticate the remote user. the FortiAuthenticator log tells me this:

Remote LDAP administrator authentication from Y.X.Z.V (mschap) with no token failed: invalid password

and in debug log, this:

Remote ldap user 'fXXXXX': NULL password is not allowed
2025-05-19T12:28:34.213883+02:00 Fortiauthenticator radiusd[7009]: (804) facauth: Remote LDAP user authentication failed
2025-05-19T12:28:34.214578+02:00 Fortiauthenticator radiusd[7009]: (804) facauth: update_fac_authlog:164 nas_str = 10.15.0.50~Y.X.Z.V.
2025-05-19T12:28:34.214615+02:00 Fortiauthenticator radiusd[7009]: (804) facauth: Updated auth log 'fXXXXXX' for attempt from 10.15.0.50~Y.X.Z.V: Remote LDAP administrator authentication from 5.91.42.223 (mschap) with no token failed: invalid password

if I authenticate a local user it works, but if I dem authenticate to the LPDA of Active Direcory it doesn't go.. :(

I need authentication with Fac and AD to enable 2FA

AD91Author

New Member

Dear Debbie,

Good day to you!

Thanks for your quick response.

We have already tested your advised scenario with local user & local realm radius policies on FAC but failed to connect. FAC general logs and debug logs are attached for your reference.

appreciate your quick response.

Regards,

AD

Debbie_FTNT

Staff & Editor

Hey AD,

do you see that error 'unable to find matching authpolicy' after each VPN connection attempt?

From the way you took the screenshot, I can see that error, and underneath a new authentication attempt, but I don't know what the error belongs to, and what error the new authentication attempt might result in.

If you get that 'unable to find matching authpolicy' error throughout, that means there is no suitable RADIUS policy for that client and the authentication (EAP-TLS? MAB?) it wants to attempt.

AD91Author

New Member

Dear Debbie,

Really appreciate your quick response,

I have checked my Radius policies and found no check on MAB & EAP-TLS, for this it means Forticlient is using EAP-TLS but we use PEAP on FAC.

If we enable certificate based authentication (EAP-TLS) on FAC, how it will work with forticlient dialup IPSec tunnel.

Thankyou!

Debbie_FTNT

Staff & Editor

Hey AD,

if you switch to EAP-TLS on FortiAuthenticator (or create a new RADIUS policy with EAP-TLS instead), FortiAuthenticator should then try to confirm the client certificate; this setup is a bit more complex on FortiAuthenticator.

For 802.1x authentication you would have to import remote users (from AD for example) and define certificate bindings:

-> define what certificate subject is expected (the user's CN, or DN, or sAMAccountName, or mail, or whatever)

-> define what CA should have signed the user's certificate

--> you might have to import the CA as remote CA to FortiAuthenticator so that the Authenticator trusts it

More details on EAP-TLS in FortiAuthenticator: https://docs.fortinet.com/document/fortiauthenticator/5.5.0/cookbook/551938/wired-802-1x-eap-tls-with-computer-authentication
this is a somewhat older article, but aside from RADIUS policy/profile the setup should be identical.

NAN_JET_1213

New Member

After struggling with attempting to get this configured myself recently, I was able to finally get it working. Initially we were on FortiAuthenticator 6.4.4 which had an unlisted bug that was noted and resolved in FortiAuthenticator 6.4.6. The bug in question is 846732 with description '2FA support for FortiClient IKEv2 VPN is broken.'.

https://docs.fortinet.com/document/fortiauthenticator/6.4.6/release-notes/279684/resolved-issues#Resolved_issues

We now have a working dial-up IKEv2 IPsec VPN using FortiClient/EMS, FortiGate, and FortiAuthenticator.

I just wanted to post this in the event anyone finds this and is on an affected version of code for the bug.

jr14

Visitor III

Hi @NAN_JET_1213 How did you do, to make it work, i am trying to configure IKEv2 with my fortiauthenticator as radius server, but i am having the same problem. I change to MSCHAP v2 on the FGT and in the FAC. but it does not work

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded