damianhlozano
Explorer II
July 23, 2025
Solved

IPsec VPN with IKEv2 and LDAP authentication error

  • July 23, 2025
  • 1 reply
  • 10505 views

Hello team!!!

 

We have a Fortigate 100F with many IPsec VPNs for FortiClient

I configured all IPsec VPNs with IKE v1 and always used an AD group synchronized in the Fortigate for user authentication

Also, I use the peer ID field to select a specific VPN

All these VPNs are working

Now I created an IPsec VPN with IKE v2, but when I try to connect, I get an error:

In FortiClient: Wrong Credentials EAP failed connecting to VPNname

In Fortigate: date=2025-07-23 time=16:06:15 eventtime=1753297576267021760 tz="-0300" logid="0101037121" type="event" subtype="vpn" level="error" vd="root" logdesc="Negotiate IPsec phase 1" msg="negotiate IPsec phase 1" action="negotiate" remip=1.3.5.7 locip=1.2.3.4 remport=4500 locport=4500 outintf="port9" srccountry="Argentina" cookies="b51c1f1809859ab8/7f365d0b1f864add" user="1000" group="N/A" useralt="N/A" eapuser="testdomain" eapauthgroup="N/A" assignip=N/A vpntunnel="IPsec-dom-W3" status="failure" result="N/A" peer_notif="NOT-APPLICABLE" fctuid="E2D4BA7AF7DD4761B682A1A835348004" advpnsc=0

 

This is the VPN config:

 

config vpn ipsec phase1-interface
   edit "IPsec-dom-W3"
      set type dynamic
      set interface "port9"
      set ike-version 2
      set peertype one
      set net-device disable
      set mode-cfg enable
      set ipv4-dns-server1 150.0.0.14
      set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
      set comments "VPN: IPsec-dom-W3 -- Created by VPN wizard"
      set dhgrp 20
      set eap enable
      set eap-identity send-request
      set wizard-type dialup-forticlient
      set authusrgrp "VPN-domain_Users"
      set transport udp
      set peerid "1000"
      set ipv4-start-ip 10.0.210.151
      set ipv4-end-ip 10.0.210.250
      set ipv4-netmask 255.255.255.0
      set ipv4-split-include "IPsec-DialUp-domain-rutas"
      set save-password enable
      set psksecret ENC xxx
   next
end

config vpn ipsec phase2-interface
   edit "IPsec-dom-W3"
      set phase1name "IPsec-dom-W3"
      set proposal aes128-sha1 aes256-sha256
      set dhgrp 20
      set comments "VPN: IPsec-dom-W3 -- Created by VPN wizard"
   next
end

config system interface
   edit "IPsec-dom-W3"
      set vdom "root"
      set type tunnel
      set snmp-index 62
      set interface "port9"
   next
end

config user group
   edit "VPN-domain_Users"
      set member "srvxdctemp"
      config match
         edit 1
            set server-name "srvxdctemp"
            set group-name "CN=GRP-Acceso-VPN-domain,OU=Grupos de Navegacion,OU=domain,DC=domain,DC=com,DC=ar"
         next
      end
   next
end

 

I tried adding a local user to the VPN Group and I could connect using the local user, I cannot connect using an AD user which is in this group.

When I change from IKE v2 to IKE v1, the VPN works.

 

Any Idea?

 

Thanks in advance.

Regards,

Damián
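The FortiGate event line quoted above is the main evidence in this thread, so here is a small parser and triage helper for it. This is an added example, not code from the original post or from Fortinet: it splits the key=value / key="value" pairs of the log line, then applies a simple heuristic (an assumption, not a documented FortiOS rule) that a phase-1 failure carrying an eapuser but eapauthgroup="N/A" means the EAP identity arrived but no user group matched, which is the situation the poster describes (local user works, LDAP group member does not). The sample line is the one from the post, with the values as given there.

```python
import re
from typing import Dict, Optional

# Constructed sample: the phase-1 failure line quoted in the original post.
SAMPLE_LOG = (
    'date=2025-07-23 time=16:06:15 eventtime=1753297576267021760 tz="-0300" '
    'logid="0101037121" type="event" subtype="vpn" level="error" vd="root" '
    'logdesc="Negotiate IPsec phase 1" msg="negotiate IPsec phase 1" '
    'action="negotiate" remip=1.3.5.7 locip=1.2.3.4 remport=4500 locport=4500 '
    'outintf="port9" srccountry="Argentina" '
    'cookies="b51c1f1809859ab8/7f365d0b1f864add" '
    'user="1000" group="N/A" useralt="N/A" eapuser="testdomain" '
    'eapauthgroup="N/A" assignip=N/A vpntunnel="IPsec-dom-W3" '
    'status="failure" result="N/A" peer_notif="NOT-APPLICABLE" '
    'fctuid="E2D4BA7AF7DD4761B682A1A835348004" advpnsc=0'
)

# FortiGate logs are space-separated key=value pairs; values containing
# spaces (e.g. logdesc) are double-quoted, the rest are bare tokens.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Turn one FortiGate log line into a dict of field -> value."""
    fields = {}
    for m in _KV_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else bare
    return fields


def classify_ike_failure(fields: Dict[str, str]) -> Optional[str]:
    """Classify a VPN phase-1 failure; None for anything else.

    The eapuser/eapauthgroup heuristic is an assumption made for this
    example, not a documented FortiOS interpretation of the fields.
    """
    if fields.get("subtype") != "vpn" or fields.get("status") != "failure":
        return None
    if fields.get("logdesc") != "Negotiate IPsec phase 1":
        return None
    eapuser = fields.get("eapuser", "N/A")
    eapgroup = fields.get("eapauthgroup", "N/A")
    if eapuser == "N/A":
        return "phase1-failed-before-eap-identity"
    if eapgroup == "N/A":
        return "eap-identity-received-but-no-group-matched"
    return "phase1-failed-after-group-match"


def summarize(fields: Dict[str, str]) -> str:
    """One-line triage string: tunnel, peer ID, EAP identity, peer address."""
    return (
        f"tunnel={fields.get('vpntunnel')} peerid={fields.get('user')} "
        f"eapuser={fields.get('eapuser')} remip={fields.get('remip')} "
        f"verdict={classify_ike_failure(fields)}"
    )


if __name__ == "__main__":
    print(summarize(parse_fortigate_log(SAMPLE_LOG)))
```

Running it over a syslog export of FortiGate vpn events lets you separate tunnels that never reach EAP from those, like this one, where the identity is received and the failure is on the group-match side, which is the distinction the rest of the thread turns on.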


1 reply

sferoz
Staff
July 24, 2025

Kindly do the following for the fix:
Migrate to use RADIUS-based user authentication with EAP;

Use EAP-TTLS to support LDAP user authentication.
For an explanation of EAP-TTLS, see EAP-TTLS support for IPsec VPN - FortiClient 7.4.0 new features.
To implement EAP-TTLS, there are some requirements.
FortiClient version 7.4.3 and later;
FortiClient EMS 7.4;
IKEv2 tunnel (works with IKEv2 over UDP or TCP).

Kindly refer to the below for more info :
https://community.fortinet.com/t5/FortiGate/Technical-Tip-IKEv2-tunnel-fails-when-LDAP-based-usergroup-is/ta-p/214966

https://docs.fortinet.com/document/fortigate/latest/administration-guide/442351/ldap-authentication-with-ikev2-using-tcp-as-transport
https://docs.fortinet.com/document/forticlient/7.4.0/new-features/907253/eap-ttls-support-for-ipsec-vpn-7-4-3

damianhlozano
Explorer II
July 24, 2025

Thanks for your answer sferoz!!!

 

IKEv1 is obsolete

The second article that you shared, says that I must use EAP-TTLS, which supports LDAP.

What is the standard in Fortigate for Active Directory authentication for VPNs?

 

Thanks in advance.

Regards,

Damián

 

FortiDor (Best answer)
Explorer II
July 24, 2025

Hello @damianhlozano 

For your information you can keep the LDAP connection between your FGT and your AD. 

You need to follow this KB to solve your issue :

https://community.fortinet.com/t5/FortiGate/Technical-Tip-IKEv2-tunnel-fails-when-LDAP-based-usergroup-is/ta-p/214966

 

and add the <eap_method>2</eap_method> line in your FCT XML file for your VPN connection
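The answer above says to add `<eap_method>2</eap_method>` to the FortiClient XML profile for the connection. The script below is an added example (not from the thread, not FortiClient's own tooling) that applies that edit idempotently: it finds the connection by name and only writes the element if it is missing or has a different value, so re-running it on an already-fixed profile changes nothing. The only element taken from the thread is `eap_method`; the surrounding layout (`forticlient_configuration/vpn/ipsecvpn/connections/connection/ike_settings`) is an assumed placeholder structure for the sample, not the official FortiClient schema, so match it to your exported profile before use.

```python
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Constructed FortiClient-style profile fragment. Element names other than
# <eap_method> are an ASSUMPTION for this example, not the real schema.
SAMPLE_PROFILE = """<forticlient_configuration>
  <vpn>
    <ipsecvpn>
      <connections>
        <connection>
          <name>IPsec-dom-W3</name>
          <ike_settings>
            <version>2</version>
          </ike_settings>
        </connection>
        <connection>
          <name>Other-VPN</name>
          <ike_settings>
            <version>1</version>
          </ike_settings>
        </connection>
      </connections>
    </ipsecvpn>
  </vpn>
</forticlient_configuration>
"""

# Parent element under which <eap_method> is placed (assumed location).
EAP_PARENT = "ike_settings"


def ensure_eap_method(xml_text: str, connection_name: str,
                      method: str = "2") -> Tuple[str, bool]:
    """Return (updated_xml, changed). Touches only the named connection."""
    root = ET.fromstring(xml_text)
    changed = False
    for conn in root.iter("connection"):
        if conn.findtext("name") != connection_name:
            continue
        parent = conn.find(EAP_PARENT)
        if parent is None:
            parent = ET.SubElement(conn, EAP_PARENT)
        el = parent.find("eap_method")
        if el is None:
            el = ET.SubElement(parent, "eap_method")
        if el.text != method:
            el.text = method
            changed = True
    return ET.tostring(root, encoding="unicode"), changed


def eap_method_for(xml_text: str, connection_name: str) -> Optional[str]:
    """Read back the eap_method value for a connection, or None if absent."""
    root = ET.fromstring(xml_text)
    for conn in root.iter("connection"):
        if conn.findtext("name") == connection_name:
            return conn.findtext(f"{EAP_PARENT}/eap_method")
    return None


if __name__ == "__main__":
    updated, changed = ensure_eap_method(SAMPLE_PROFILE, "IPsec-dom-W3")
    print("changed:", changed)
    print(updated)
```

Check the result with `eap_method_for` before importing the profile back into FortiClient, and keep a copy of the original export so the change can be reverted if the connection stops negotiating.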