arkololo
Visitor III
February 5, 2026
Solved

IKEv2 IPsec with LDAP authentication (no RADIUS / no EMS)

Hello,

I am testing an IKEv2 IPsec dial-up VPN on a FortiGate 81F (FortiOS 7.6.6) and I would like to confirm if my use case is fully supported.

Setup

  • FortiGate 81F – FortiOS 7.6.6

  • IPsec dial-up VPN (IKEv2)

  • Authentication: LDAP (Active Directory)

  • No RADIUS, no FortiAuthenticator, no EMS

  • Client: FortiClient VPN Only (free)

Issue

  • The tunnel establishes correctly (IKE + Child SA).

  • The client receives an IP address and traffic is allowed.

  • A few seconds later, the VPN is disconnected immediately.

IKE debug shows repeated EAP challenges:

FNBAM_CHALLENGE

until the client sends an IKE DELETE.

Observations

  • EAP-TTLS fails (expected, since no RADIUS/FAC is present).

  • EAP-MSCHAPv2 seems required for LDAP auth, but on FortiOS 7.6.6 there is no option to force the EAP method on the FortiGate.

  • The EAP method appears to be fully client-driven.

Question

Is IKEv2 IPsec with LDAP authentication (without RADIUS/FAC/EMS) officially supported with FortiClient VPN Only?
If yes, is EAP-MSCHAPv2 the only supported method, and is there a way to enforce it on FortiOS 7.6.x?

Thanks for any clarification.

Best answer by funkylicious

here's my working IKEv2 w/ LDAP


config vpn ipsec phase1-interface
    edit "RA-IKEv2"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set local-gw <>
        set peertype any
        set net-device enable
        set mode-cfg enable
        set proposal aes128-sha1 aes256-sha256
        set dpd on-idle
        set dhgrp 20
        set eap enable
        set eap-identity send-request
        set ipv4-start-ip 10.0.2.100
        set ipv4-end-ip 10.0.2.200
        set dns-mode auto
        set ipv4-split-include "DialUP_split"
        set psksecret <>
        set dpd-retryinterval 60
    next
end
config vpn ipsec phase2-interface
    edit "RA-IKEv2"
        set phase1name "RA-IKEv2"
        set proposal aes128-sha1 aes256-sha256
        set dhgrp 20
        set keepalive enable
    next
end

The LDAP server is on 389 w/ sAMAccountName and the LDAP user/group is in the firewall policy instead of phase1

L.E. I do have <eap_method>2</eap_method> set in my VPN connection profile
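As an added illustration (not part of this thread and not a Fortinet tool), a small Python parser for the `config vpn ipsec phase1-interface` block format shown above, with a check that flags entries missing the settings the working config relies on for IKEv2 EAP with LDAP (ike-version 2, mode-cfg, eap, eap-identity send-request). The sample config is constructed for the example, with the PSK replaced by a placeholder.

```python
"""Parse FortiOS phase1-interface blocks and audit them for the IKEv2 + EAP (LDAP)
dial-up settings used in the working config above. Added example, not FortiOS code."""
from typing import Dict, List

# Constructed sample modelled on the posted phase1 block; PSK is a placeholder.
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "RA-IKEv2"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set mode-cfg enable
        set proposal aes128-sha1 aes256-sha256
        set eap enable
        set eap-identity send-request
        set ipv4-start-ip 10.0.2.100
        set ipv4-end-ip 10.0.2.200
        set psksecret PLACEHOLDER
    next
    edit "RA-IKEv1-legacy"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode-cfg enable
    next
end
"""

# Settings the working IKEv2 + LDAP config depends on, in the order they are checked.
REQUIRED = {"type": "dynamic", "ike-version": "2", "mode-cfg": "enable",
            "eap": "enable", "eap-identity": "send-request"}


def parse_phase1(text: str) -> Dict[str, Dict[str, str]]:
    """Return {tunnel name: {setting: value}} for every edit/next block in the section."""
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = line[5:].strip().strip('"')
            entries[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            entries[current][key] = value.strip().strip('"')
        elif line == "next":
            current = None
    return entries


def missing_for_ikev2_eap(settings: Dict[str, str]) -> List[str]:
    """List required settings that are absent or hold a different value."""
    return [f"{k}={v}" for k, v in REQUIRED.items() if settings.get(k) != v]
```

Run `missing_for_ikev2_eap(parse_phase1(SAMPLE_CONFIG)["RA-IKEv2"])` on your own `show vpn ipsec phase1-interface` output to see which of these settings differ from the working configuration.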

1 reply

funkylicious
SuperUser
February 5, 2026

arkololo (Author)
Visitor III
February 5, 2026

Thanks for the link.

I have already tested this and manually forced EAP-TTLS and MSCHAPv2 in the FortiClient VPN profile.

However, in my setup the behavior is:

  • IKEv2 tunnel comes up
  • Client gets an IP
  • FortiGate immediately terminates the VPN session

IKE debug shows repeated FNBAM_CHALLENGED until the tunnel is deleted.

So even when EAP-TTLS or MSCHAPv2 is forced on the FortiClient side, authentication never completes without a backend (RADIUS/FAC) and the FortiGate drops the session idk why.

funkylicious
SuperUser
February 5, 2026

Can you share your IPsec phase1/2 config, leaving out sensitive info?

"jack of all trades, master of none"