FortiGate
shasnain
Staff
Article Id 338835
Description

This article describes how to force a dialup IPsec client to re-authenticate after a configured time; a client that fails to re-authenticate within that time is disconnected from the VPN.

 

Scope

FortiGate.

 

Solution

Re-authentication can be forced for dialup IPsec clients with the command 'set reauth enable' in the phase1 settings. A hard re-authentication, one that actually prompts the user for credentials again, is only achieved in the following scenarios.

There are two scenarios when using a dialup IPsec tunnel:

  • Using IKEv1 with FortiToken as MFA.

After 'reauth' is enabled in the phase1 settings, the user is forced to re-authenticate when the phase1 keylife expires.
Without MFA on IKEv1, phase1 is simply renegotiated at the end of the keylife and the user is not prompted for credentials again. To enforce a real re-authentication, MFA such as FortiToken must be used.

Configuration of reauth in phase1 settings:

config vpn ipsec phase1-interface
    edit "Test-Dialup"
        set reauth enable
        set authusrgrp "test-group"
    next
end

The following is the behavior seen in the IKE debugs when phase1 re-negotiates during the expiry of keylife time and FortiToken is required again.

Username: test-user.
Usergroup: test-group.

2024-08-27 10:51:25.553972 ike 0:Test-Dialup_0:585213: received XAUTH_USER_NAME 'test-user' length 4
2024-08-27 10:51:25.554013 ike 0:Test-Dialup_0:585213: received XAUTH_USER_PASSWORD length 9
2024-08-27 10:51:25.554056 ike 0:Test-Dialup_0: XAUTH user "test-user"
2024-08-27 10:51:25.554094 ike 0:Test-Dialup: auth group test-group
2024-08-27 10:51:25.555175 ike 0:Test-Dialup_0: XAUTH 993837392 pending
2024-08-27 10:51:25.573858 ike 0:Test-Dialup_0:585213: XAUTH 993837392 result 7
2024-08-27 10:51:25.574007 ike 0:Test-Dialup_0: XAUTH requires token for user "test-user"
2024-08-27 10:51:25.574056 ike 0:Test-Dialup_0:585213: sending XAUTH token request   <----Reauth is initiated at this point.

Note that there is a timeout within which the user must provide the FortiToken during re-authentication. The timeout is calculated with the formula below.

FortiToken timeout = 10 x remoteauthtimeout + 30 seconds

For example, with remoteauthtimeout = 10 seconds:

FortiToken timeout = 10 x 10 + 30 = 130 seconds

The following is the behavior when the user does not provide the FortiToken within the timeout (130 seconds in this example).

2024-08-27 10:51:25.553972 ike 0:Test-Dialup_0:585213: received XAUTH_USER_NAME 'test-user' length 4
2024-08-27 10:51:25.554013 ike 0:Test-Dialup_0:585213: received XAUTH_USER_PASSWORD length 9
2024-08-27 10:51:25.554056 ike 0:Test-Dialup_0: XAUTH user "test-user"
2024-08-27 10:51:25.554094 ike 0:Test-Dialup: auth group test-group
2024-08-27 10:51:25.555175 ike 0:Test-Dialup_0: XAUTH 993837392 pending
2024-08-27 10:51:25.573858 ike 0:Test-Dialup_0:585213: XAUTH 993837392 result 7
2024-08-27 10:51:25.574007 ike 0:Test-Dialup_0: XAUTH requires token for user "test-user"
2024-08-27 10:51:25.574056 ike 0:Test-Dialup_0:585213: sending XAUTH token request   <----Reauth is initiated at this point.

 

2024-08-27 10:53:35.568119 ike 0:Test-Dialup_0:585228: negotiation timeout, deleting
2024-08-27 10:53:35.568271 ike 0:Test-Dialup_0: connection expiring due to phase1 down
2024-08-27 10:53:35.568316 ike 0:Test-Dialup_0: deleting
2024-08-27 10:53:35.568815 ike 0:Test-Dialup_0: sent tunnel-down message to EMS: (fct-uid=xxxx, intf=Test-Dialup_0, addr=x.x.x.x, vdom=root)
2024-08-27 10:53:35.568993 ike 0:Test-Dialup_0: flushing 
2024-08-27 10:53:35.569241 ike 0:Test-Dialup_0: flushed   <----After 130 seconds, the connection has expired and the tunnel is DOWN.
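To confirm from a saved IKE debug that a tunnel was torn down because the token was never entered within that window, here is an added Python example (not part of this article or of FortiOS). The line regex, the remoteauthtimeout default of 10 seconds and the 2-second tolerance are assumptions; the sample lines are constructed from the debug output above.

```python
import re
from datetime import datetime

# Constructed sample: abridged IKE debug lines from the article.
SAMPLE_DEBUG = """\
2024-08-27 10:51:25.574007 ike 0:Test-Dialup_0: XAUTH requires token for user "test-user"
2024-08-27 10:51:25.574056 ike 0:Test-Dialup_0:585213: sending XAUTH token request
2024-08-27 10:53:35.568119 ike 0:Test-Dialup_0:585228: negotiation timeout, deleting
2024-08-27 10:53:35.568271 ike 0:Test-Dialup_0: connection expiring due to phase1 down
2024-08-27 10:53:35.569241 ike 0:Test-Dialup_0: flushed
"""

# Assumed layout: "<date> <time> ike <n>:<tunnel>[:<nego-id>]: <message>"
LINE_RE = re.compile(r"^(\S+ \S+) ike \d+:([^:\s]+)(?::\d+)?: (.*)$")


def fortitoken_timeout(remoteauthtimeout: int) -> int:
    """Token entry window given in the article: 10 x remoteauthtimeout + 30 seconds."""
    return 10 * remoteauthtimeout + 30


def find_reauth_token_timeouts(debug_text: str, remoteauthtimeout: int = 10, slack: float = 2.0):
    """Return one record per tunnel instance where a reauth token request was followed by
    'negotiation timeout' and report whether the gap matches the FortiToken timeout."""
    pending = {}  # tunnel instance -> time the XAUTH token request was sent
    results = []
    for line in debug_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        tunnel, msg = m.group(2), m.group(3)
        if msg.startswith("sending XAUTH token request"):
            pending[tunnel] = ts  # reauth started; user must now enter the token
        elif msg.startswith("negotiation timeout") and tunnel in pending:
            elapsed = (ts - pending.pop(tunnel)).total_seconds()
            expected = fortitoken_timeout(remoteauthtimeout)
            results.append({
                "tunnel": tunnel,
                "elapsed_s": round(elapsed, 1),
                "expected_s": expected,
                # True when the teardown lines up with the token window, i.e. no token entered
                "token_timeout": abs(elapsed - expected) <= slack,
            })
    return results


if __name__ == "__main__":
    for r in find_reauth_token_timeouts(SAMPLE_DEBUG):
        print(r)
```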

 

  • Using IKEv2 with or without MFA.

When reauth is enabled for dialup IPsec tunnels using IKEv2, re-authentication is triggered at keylife expiry for clients both with and without MFA.

Configuration of reauth in phase1 settings:

config vpn ipsec phase1-interface
    edit "IKEv2-Dialup"
        set ike-version 2
        set reauth enable
    next
end

More information can be found in the document below:
IKEv2 re-authentication for Phase1