Description
This article describes how to authenticate users against a remote LDAP server that sits behind a site-to-site IPsec VPN tunnel.
Scope
FortiGate.
Solution
Assume that the site-to-site IPsec VPN tunnel is up and that traffic between the two sites passes through it as expected.
Test the LDAP credentials from the FortiGate (from the LDAP server page in the GUI, or with 'diagnose test authserver ldap' in the CLI). If the tunnel is up but the test fails, the usual cause is that the LDAP query is self-originating traffic from the FortiGate: it leaves with the IP address of the outgoing physical interface (here wan1) as its source, that address is not covered by the Phase 2 local selectors, and so the query is never sent through the tunnel.
One solution is to assign an IP address to the IPsec tunnel interface and use it as the source IP of the LDAP queries.
Ensure that the IP address assigned to the IPsec interface is part of the Phase 2 local selectors. If it is not, create a new Phase 2 selector with this IP or subnet as the local network (the remote peer needs the matching selector on its side).
config system interface
    edit "IPSec-VPN"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set snmp-index 12
        set interface "wan1"
    next
end
config user ldap
    edit "LDAP-SERVER"
        set source-ip 10.10.10.1
    next
end
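The following is an added example, not part of the original article, that completes the procedure above: the Phase 2 selector that carries the tunnel interface IP, followed by the CLI checks used to confirm the LDAP query is actually sourced from 10.10.10.1 and sent through the tunnel. It assumes the Phase 1 is named "IPSec-VPN" (the same name as the tunnel interface above), that the remote LDAP server is 192.168.100.10 at the peer site, and that the "LDAP-SERVER" object already has its server, DN and bind settings configured; these names and addresses are assumptions. Lines beginning with '#' are annotations, not FortiOS CLI, and are dropped when pasting.

```text
# Added example (assumed names/addresses, see lead-in). Phase 2 selector
# whose local side is the IPsec interface IP used as LDAP source-ip.
config vpn ipsec phase2-interface
    edit "IPSec-VPN-LDAP"
        set phase1name "IPSec-VPN"
        set src-subnet 10.10.10.1 255.255.255.255
        set dst-subnet 192.168.100.10 255.255.255.255
    next
end

# 1. Confirm the tunnel is up and the new selector is negotiated.
diagnose vpn tunnel list name IPSec-VPN

# 2. Confirm the peer is reachable from the tunnel interface IP specifically
#    (a plain 'execute ping' would use the wan1 address as source).
execute ping-options source 10.10.10.1
execute ping 192.168.100.10

# 3. In a second session, capture LDAP traffic on the tunnel interface while
#    running the credential test; the source should be 10.10.10.1.
diagnose sniffer packet IPSec-VPN 'host 192.168.100.10 and (port 389 or port 636)' 4 10

# 4. Run the credential test from the CLI (assumed test user/password).
diagnose test authserver ldap LDAP-SERVER testuser testpassword
```

If step 3 shows no packets on the tunnel interface, the selector does not cover 10.10.10.1 or the source-ip was not applied; if packets leave but nothing comes back, check the remote side, which needs the mirror selector (remote network 10.10.10.1/32), a route for it pointing at its tunnel, and a firewall policy permitting LDAP/LDAPS from the tunnel to the server.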
Related articles:
Technical Tip: How to configure LDAP server
Technical Tip: Configure IP address on an IPSec tunnel interface
Technical Tip: Self-originating traffic over IPSec VPN (For example ping)
Copyright 2025 Fortinet, Inc. All Rights Reserved.