FortiGate
shasnain (Staff)
Article Id 338835
Description

This article describes how to force Dialup IPsec clients to re-authenticate after a configured time. A client that fails to re-authenticate within the allowed window is disconnected from the VPN.

Scope

FortiGate.

 

Solution

Re-authentication can be forced for dialup IPsec clients with the command 'set reauth enable' in the phase1 settings. A hard re-authentication (the user must supply credentials again rather than phase1 simply being renegotiated) is only achieved in the following scenarios.

There are two scenarios when using a Dialup IPsec tunnel:

  • Using IKEv1 with FortiToken as MFA.

 

After 'reauth' is enabled in the phase1 settings, the user is forced to re-authenticate when the phase1 keylife time expires.
Without MFA on IKEv1, phase1 is simply renegotiated at the end of the keylife time and the user is not prompted for credentials again. To enforce a hard re-authentication with IKEv1, MFA such as FortiToken must be used.

Configuration of reauth in phase1 settings:

config vpn ipsec phase1-interface
    edit "Test-Dialup"
        set reauth enable
        set authusrgrp "test-group"
    next
end

The following is the behavior seen in the IKE debugs when phase1 renegotiates at keylife expiry and the FortiToken is required again.

Username: test-user
User group: test-group

2024-08-27 10:51:25.553972 ike 0:Test-Dialup_0:585213: received XAUTH_USER_NAME 'test-user' length 4
2024-08-27 10:51:25.554013 ike 0:Test-Dialup_0:585213: received XAUTH_USER_PASSWORD length 9
2024-08-27 10:51:25.554056 ike 0:Test-Dialup_0: XAUTH user "test-user"
2024-08-27 10:51:25.554094 ike 0:Test-Dialup: auth group test-group
2024-08-27 10:51:25.555175 ike 0:Test-Dialup_0: XAUTH 993837392 pending
2024-08-27 10:51:25.573858 ike 0:Test-Dialup_0:585213: XAUTH 993837392 result 7
2024-08-27 10:51:25.574007 ike 0:Test-Dialup_0: XAUTH requires token for user "test-user"
2024-08-27 10:51:25.574056 ike 0:Test-Dialup_0:585213: sending XAUTH token request   <----Reauth is initiated at this point.

Note that there is a timeout within which the FortiToken must be provided during re-authentication. The timeout is calculated using the formula below.

FortiToken Timeout = 10 x remoteauthtimeout + 30 seconds

For example, with remoteauthtimeout = 10 seconds:

FortiToken Timeout = 10 x 10 + 30 = 130 seconds

 

The following is the behavior when the user does not provide the FortiToken within the timeout (130 seconds in the example above).

2024-08-27 10:51:25.553972 ike 0:Test-Dialup_0:585213: received XAUTH_USER_NAME 'test-user' length 4
2024-08-27 10:51:25.554013 ike 0:Test-Dialup_0:585213: received XAUTH_USER_PASSWORD length 9
2024-08-27 10:51:25.554056 ike 0:Test-Dialup_0: XAUTH user "test-user"
2024-08-27 10:51:25.554094 ike 0:Test-Dialup: auth group test-group
2024-08-27 10:51:25.555175 ike 0:Test-Dialup_0: XAUTH 993837392 pending
2024-08-27 10:51:25.573858 ike 0:Test-Dialup_0:585213: XAUTH 993837392 result 7
2024-08-27 10:51:25.574007 ike 0:Test-Dialup_0: XAUTH requires token for user "test-user"
2024-08-27 10:51:25.574056 ike 0:Test-Dialup_0:585213: sending XAUTH token request   <----Reauth is initiated at this point.

 

2024-08-27 10:53:35.568119 ike 0:Test-Dialup_0:585228: negotiation timeout, deleting
2024-08-27 10:53:35.568271 ike 0:Test-Dialup_0: connection expiring due to phase1 down
2024-08-27 10:53:35.568316 ike 0:Test-Dialup_0: deleting
2024-08-27 10:53:35.568815 ike 0:Test-Dialup_0: sent tunnel-down message to EMS: (fct-uid=xxxx, intf=Test-Dialup_0, addr=x.x.x.x, vdom=root)
2024-08-27 10:53:35.568993 ike 0:Test-Dialup_0: flushing
2024-08-27 10:53:35.569241 ike 0:Test-Dialup_0: flushed   <----After 130 seconds, the connection has expired and the tunnel is DOWN.
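As an added example (not part of this article or of any Fortinet tool), the Python script below applies the timeout formula above to IKE debug lines like the ones quoted here: it finds the 'sending XAUTH token request' line, pairs it with a later 'negotiation timeout' line for the same tunnel, and reports how long the FortiGate waited for the token against the expected window. The sample lines are constructed from the article's output, and remoteauthtimeout = 10 is assumed as in the example.

```python
import re
from datetime import datetime

# Constructed sample, built from the debug lines quoted in the article: the
# XAUTH token request issued at keylife expiry, then the negotiation timeout
# logged when the user never enters the FortiToken code.
SAMPLE_DEBUG = """\
2024-08-27 10:51:25.574007 ike 0:Test-Dialup_0: XAUTH requires token for user "test-user"
2024-08-27 10:51:25.574056 ike 0:Test-Dialup_0:585213: sending XAUTH token request
2024-08-27 10:53:35.568119 ike 0:Test-Dialup_0:585228: negotiation timeout, deleting
2024-08-27 10:53:35.568271 ike 0:Test-Dialup_0: connection expiring due to phase1 down
"""

# Line layout: "<date> <time> ike 0:<tunnel>[:<negotiation-id>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) ike 0:(?P<tunnel>[^:\s]+)(?::\d+)?: (?P<msg>.*)$"
)


def fortitoken_timeout(remoteauthtimeout: int) -> int:
    """Token entry window per the article's formula: 10 x remoteauthtimeout + 30 seconds."""
    return 10 * remoteauthtimeout + 30


def parse_ike_debug(text: str):
    """Yield (timestamp, tunnel, message) for every line in the IKE debug format."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m.group("tunnel"), m.group("msg")


def analyse_reauth(text: str, remoteauthtimeout: int) -> dict:
    """Per tunnel: when the token was requested, whether the tunnel was torn down
    for lack of a token, the elapsed seconds, and the expected window."""
    window = fortitoken_timeout(remoteauthtimeout)
    result = {}
    for ts, tunnel, msg in parse_ike_debug(text):
        if msg.startswith("sending XAUTH token request"):
            result[tunnel] = {"token_requested": ts, "outcome": "awaiting_token",
                              "elapsed_s": None, "window_s": window}
        elif (msg.startswith("negotiation timeout") and tunnel in result
              and result[tunnel]["outcome"] == "awaiting_token"):
            elapsed = (ts - result[tunnel]["token_requested"]).total_seconds()
            result[tunnel].update(outcome="timed_out", elapsed_s=round(elapsed, 3))
    return result


if __name__ == "__main__":
    for tunnel, info in analyse_reauth(SAMPLE_DEBUG, 10).items():
        print(tunnel, info)
```

An elapsed value that matches the computed window confirms the tunnel went down because the token was not supplied in time, not because of some other phase1 failure.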

 

  • Using IKEv2 with or without MFA.

When reauth is enabled for dialup IPsec tunnels using IKEv2, re-authentication is triggered at keylife expiry for clients both with and without MFA.

Configuration of reauth in phase1 settings:

config vpn ipsec phase1-interface
    edit "IKEv2-Dialup"
        set ike-version 2
        set reauth enable
    next
end

More information can be found in the following document:
IKEv2 re-authentication for Phase1
