Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
rarora
Staff
Staff

Created on ‎11-11-2020 11:22 PM Edited on ‎11-25-2022 08:08 AM By Moderator

Article Id 195199

Technical Tip: Authentication with remote LDAP via site-to-site VPN

Description
This article describes how to authenticate with remote LDAP via site-to-site IPSEV VPN.

Solution
Let's assume that the site-to-site IPSEC VPN tunnel is up and the traffic can pass through just fine.

1) Adding the remote LDAP server:
Go to User & Device -> LDAP server and select 'Create New'.

 
Add the LDAP server as any usual LDAP server, the IP address is the remote LDAP server.
 
2) Even though the server is added, it is not reflected as connected in the status.
 
Open the CLI and modify the source-ip configuration for the LDAP server.
 
# config user ldap
(ldap) edit 1stLDAPServer
(1stLDAPServer) set source-ip 192.168.1.99
(1stLDAPServer) end
 
Note:
'source-ip' is FortiGate interface IP whose subnet is added in IPSEC tunnel phase-2 local subnet settings.
Below is the snippet for reference IPSEC configuration section:
  

The setting in IPSEC tunnels, select concerned tunnel, phase 2 Selectors, and the Local address subnet added here will be used to set the source-IP discussed above.
 
Now, the LDAP status will be green and connected.
 

Test the credentials to verify the same.


3) It is possible now to pull groups from the remote LDAP server.
Follow the ideal process of adding groups in Users & Device -> User Groups.

4) Configure a policy to allow access to these groups.
It is possible now to authenticate with remote LDAP via the site-to-site tunnel.
 
Note:
If X-Auth in IPSEC tunnel settings is used, make sure to add the group in X-Auth as well.
 
 

Furthermore, there is another solution to fix the problem by assigning an IP address on the IPsec tunnel interface.


Ensure that the IPsec Interface IP prefix must be part of the Phase2 local selectors. If not created, create a new Phase2 selector for this IP or subnet to be used as a local network.

 

# config system interface
    edit "IPSec-VPN"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set snmp-index 12
        set interface "wan1"
    next
end

 

# config user ldap
    edit LDAP-SERVER
        set source-ip 10.10.10.1
end

 

Related Articles:

Technical Tip: How to configure LDAP server

Technical Tip: Configure IP address on an IPSec tunnel interface

Technical Tip: Self-originating traffic over IPSec VPN (For example ping)

16386
0 Kudos
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.