FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 195199

This article describes how to authenticate with remote LDAP via site-to-site IPSEV VPN.

Let's assume that the site-to-site IPSEC VPN tunnel is up and the traffic can pass through just fine.

1) Adding the remote LDAP server:
Go to User & Device -> LDAP server and select 'Create New'.

Add the LDAP server as any usual LDAP server, the IP address is the remote LDAP server.
2) Even though the server is added, it is not reflected as connected in the status.
Open the CLI and modify the source-ip configuration for the LDAP server.
# config user ldap
(ldap) edit 1stLDAPServer
(1stLDAPServer) set source-ip
(1stLDAPServer) end
'source-ip' is FortiGate interface IP whose subnet is added in IPSEC tunnel phase-2 local subnet settings.
Below is the snippet for reference IPSEC configuration section:

The setting in IPSEC tunnels, select concerned tunnel, phase 2 Selectors, and the Local address subnet added here will be used to set the source-IP discussed above.
Now, the LDAP status will be green and connected.

Test the credentials to verify the same.

3) It is possible now to pull groups from the remote LDAP server.
Follow the ideal process of adding groups in Users & Device -> User Groups.

4) Configure a policy to allow access to these groups.
It is possible now to authenticate with remote LDAP via the site-to-site tunnel.
If X-Auth in IPSEC tunnel settings is used, make sure to add the group in X-Auth as well.

Furthermore, there is another solution to fix the problem by assigning an IP address on the IPsec tunnel interface.

Ensure that the IPsec Interface IP prefix must be part of the Phase2 local selectors. If not created, create a new Phase2 selector for this IP or subnet to be used as a local network.


# config system interface
    edit "IPSec-VPN"
        set vdom "root"
        set ip
        set allowaccess ping
        set type tunnel
        set snmp-index 12
        set interface "wan1"


# config user ldap
    edit LDAP-SERVER
        set source-ip


Related Articles:

Technical Tip: How to configure LDAP server

Technical Tip: Configure IP address on an IPSec tunnel interface

Technical Tip: Self-originating traffic over IPSec VPN (For example ping)