IPSec Remote Access VPN Question

Forum|Forum|5 months ago
December 18, 2025
1 reply
172 views

Hi all,

I have previously used SSL VPN with SAML auth and users have been assigned ip addressing from specific ranges. I have set up a proof of concept with IPSec VPN and am looking to do the same thing.

I understand you can reference a user group in the phase 1 settings of the IPSec VPN, but am struggling to make this work with different user groups on different phase 1 tunnels. Also to mention each user group should have a unique ip range and should not share the range on 1 tunnel.

Any ideas please?

FortiGate

filiaks1

Explorer III

You mean XAuth after phase 1?

Using XAuth authentication | FortiGate / FortiOS 6.2.0 | Fortinet Document Library

After that the authusrgrp parameter seems to select the group.

Dialup VPN tunnel having 'set authgro... - Fortinet Community

Have you tried to make this work by having 2 different tunnels using different groups and Ip address ranges but to the LDAP/Radius server? Also you need to be certain that the autentication works as well and that the user does not fail for some reason. See the LDAP or radius debug options if needed.

Other than that why you want different IP addresses per group? If you have fortiauthenticator the firewalls after the VPN one can also use rules based on users and groups not ip addresses.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded