IKEv2 Tunnel - Tunnels for different Usergroups
Hi,

How do I set up this configuration correctly?

- Users should be able to dial in with IKEv2.
- Different rights for different users; I don't care if I distinguish them by source IP, user or group.

Since I found no way to distinguish between users, I made two tunnels. The config for the tunnels is the same; only "authusergroup" and the IP range are different. Authentication is via a Windows 2012R2 RADIUS server. I created two policies, each of them sending different VSA values for the Fortinet-Group-Name (boss and students). Authentication works; I see the successful login in the logs. On the client side, login for the first tunnel (admins) works too; the second hangs at "Checking User Name", the same behavior I had when I sent wrong values in the VSA values.

How do I correctly configure these tunnel(s)? I attached my config. Hope you can help me.

Arnold

config user radius
    edit "myRadius"
        set server "10.10.1.117"
        set auth-type ms_chap_v2
    next
end
config user group
    edit "admins"
        set member "myRadius"
        config match
            edit 1
                set server-name "myRadius"
                set group-name "boss"
            next
        end
    next
    edit "students"
        set member "myRadius"
        config match
            edit 1
                set server-name "myRadius"
                set group-name "students"
            next
        end
    next
end
config user peer
    edit "admin_peer"
        set ca "CA_Cert_1"
    next
    edit "student_peer"
        set ca "CA_Cert_1"
    next
end
config vpn ipsec phase1-interface
    edit "IKE2_Admin"
        set type dynamic
        set interface "WAN"
        set ike-version 2
        set authmethod signature
        set peertype peer
        set mode-cfg enable
        set ipv4-dns-server1 10.10.1.3
        set ipv4-dns-server2 10.10.1.16
        set proposal aes256-sha1 aes256-sha256 aes128-sha1 aes128-sha256
        set dhgrp 2
        set eap enable
        set eap-identity send-request
        set authusrgrp "admins"
        set certificate "my_public_cert"
        set peer "admin_peer"
        set ipv4-start-ip 10.214.134.200
        set ipv4-end-ip 10.214.134.210
        set ipv4-split-include "LAN_ALL"
    next
end
config vpn ipsec phase2-interface
    edit "IKE2_Admin"
        set phase1name "IKE2_Admin"
        set proposal aes256-sha1 aes256-sha256 aes128-sha1 aes128-sha256
        set dhgrp 2
        set src-addr-type name
        set dst-addr-type name
        set src-name "LAN_ALL"
        set dst-name "all"
    next
end
config vpn ipsec phase1-interface
    edit "IKE2_Students"
        set type dynamic
        set interface "WAN"
        set ike-version 2
        set authmethod signature
        set peertype peer
        set mode-cfg enable
        set ipv4-dns-server1 10.10.1.3
        set ipv4-dns-server2 10.10.1.16
        set proposal aes256-sha1 aes256-sha256 aes128-sha1 aes128-sha256
        set dhgrp 2
        set eap enable
        set eap-identity send-request
        set authusrgrp "students"
        set certificate "my_public_cert"
        set peer "student_peer"
        set ipv4-start-ip 10.215.134.200
        set ipv4-end-ip 10.215.134.210
        set ipv4-split-include "LAN_ALL"
    next
end
config vpn ipsec phase2-interface
    edit "IKE2_Students"
        set phase1name "IKE2_Students"
        set proposal aes256-sha1 aes256-sha256 aes128-sha1 aes128-sha256
        set dhgrp 2
        set src-addr-type name
        set dst-addr-type name
        set src-name "LAN_ALL"
        set dst-name "all"
    next
end
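A check worth running on a config like the one above before deploying it, as an added example that is neither the poster's nor Fortinet's code: parse the FortiOS CLI blocks (config/edit/set/next/end) into a nested structure and flag dynamic phase1-interface entries on the same interface that share the attributes a responder can see before the user group is ever consulted (IKE version, auth method, the local certificate offered, and the CA the peer is matched against). The user group in `authusrgrp` is only evaluated after EAP/RADIUS succeeds, so two dial-in tunnels that differ in nothing else leave the responder with no way to prefer one over the other. Which attributes count as "selection attributes" is this example's assumption, not a statement of FortiOS's internal matching order; the sample config is a trimmed, constructed copy of the post's entries.

```python
"""FortiOS CLI config parser plus a lint over dynamic IPsec phase1 entries.

Added example; not code from the forum post or from Fortinet. The sample
config below is a constructed, trimmed copy of the post's phase1 and peer
entries.
"""
import shlex

SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "IKE2_Admin"
        set type dynamic
        set interface "WAN"
        set ike-version 2
        set authmethod signature
        set peertype peer
        set eap enable
        set authusrgrp "admins"
        set certificate "my_public_cert"
        set peer "admin_peer"
    next
    edit "IKE2_Students"
        set type dynamic
        set interface "WAN"
        set ike-version 2
        set authmethod signature
        set peertype peer
        set eap enable
        set authusrgrp "students"
        set certificate "my_public_cert"
        set peer "student_peer"
    next
end
config user peer
    edit "admin_peer"
        set ca "CA_Cert_1"
    next
    edit "student_peer"
        set ca "CA_Cert_1"
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS CLI blocks into {table: {entry: {key: value}}}.

    'set key v1 v2' is stored as key -> 'v1 v2'. A sub-table opened with
    'config ...' inside an 'edit' is stored as a nested dict under its name,
    so 'config match' inside a user group parses as well.
    """
    root = {}
    stack = [root]  # dict currently being filled
    for raw in text.splitlines():
        words = shlex.split(raw.strip())  # shlex drops the surrounding quotes
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":
            stack[-1][args[0]] = " ".join(args[1:])
        elif cmd in ("next", "end"):
            stack.pop()
    return root


def selection_key(p1, peers):
    """Attributes assumed visible to the responder when picking a dynamic
    phase1: local interface, IKE version, auth method, the local certificate
    it would present, and the CA the remote certificate is checked against."""
    peer = peers.get(p1.get("peer", ""), {})
    return (p1.get("interface"), p1.get("ike-version"), p1.get("authmethod"),
            p1.get("certificate"), peer.get("ca"))


def find_indistinguishable_phase1(cfg):
    """Return groups of dynamic phase1 names whose selection keys collide."""
    phase1 = cfg.get("vpn ipsec phase1-interface", {})
    peers = cfg.get("user peer", {})
    groups = {}
    for name, p1 in phase1.items():
        if p1.get("type") != "dynamic":
            continue  # static tunnels are matched by remote gateway address
        groups.setdefault(selection_key(p1, peers), []).append(name)
    return [sorted(names) for names in groups.values() if len(names) > 1]


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    for names in find_indistinguishable_phase1(cfg):
        print("dynamic phase1 entries with identical selection attributes:",
              ", ".join(names))
```

On the sample above the lint reports `IKE2_Admin` and `IKE2_Students` as a colliding pair; giving the two `user peer` entries different CAs (or otherwise changing one of the listed attributes) clears the finding, which is the kind of difference a second tunnel needs if it is meant to be selected on its own.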
