Created on 07-28-2021 11:46 PM Edited on 08-14-2024 06:16 AM By Jean-Philippe_P
Description
This article explains how to set up an IKEv2 dial-up IPsec tunnel on a FortiGate with RADIUS authentication for FortiClient users.
Solution
FortiGate dial-up IPsec tunnels can be configured as IKEv2 with RADIUS authentication.
Note that EAP must be configured even when LDAP is used, because IKEv2 requires EAP.
In that case LDAP is only reached indirectly: the RADIUS server 'translates' the EAP request into an LDAP lookup, where the RADIUS server supports this.
Configuration.
Defining the RADIUS user.
config user local
    edit "test_user"
        set type radius
        set radius-server "Radius_server"
    next
end
User group.
config user group
    edit "VPN_Users"
        set member "test_user"
    next
end
IPsec configuration.
config vpn ipsec phase1-interface
    edit "Dialup_IKEv2"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set mode-cfg enable
        set proposal aes128-sha1 aes256-sha256
        set dpd on-idle
        set comments "FTG IPsec VPN IKEv2 and Radius user auth"
        set dhgrp 5
        set eap enable
        set eap-identity send-request
        set authusrgrp "VPN_Users"
        set ipv4-start-ip 192.168.88.10
        set ipv4-end-ip 192.168.88.150
        set dns-mode auto
        set psksecret ENC xx
        set dpd-retryinterval 60
    next
end
Some of the settings above are only available through the CLI. If errors such as 'gw validation failed' or 'EAP response is empty' appear in the IKE debug output, refer to the following article:
Troubleshooting Tip: For using Ikev2 for dialup Ipsec tunnel with radius server and Local user
config vpn ipsec phase2-interface
    edit "Dialup_IKEv2"
        set phase1name "Dialup_IKEv2"
        set proposal aes128-sha1 aes256-sha256
        set dhgrp 5
    next
end
Firewall policy.
config firewall policy
    edit 0
        set name "Dialup_IKEv2"
        set srcintf "Dialup_IKEv2"
        set dstintf "lan"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
end
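The configuration above references a RADIUS server object named "Radius_server" but does not show it. As an added example (not part of the original article), the following defines that object and then verifies the RADIUS binding and collects the IKE debug output mentioned above before the FortiClient user connects. The server address 192.0.2.10, the shared secret and the test password are placeholders.

```fortios
# Added example: RADIUS server object referenced by 'set radius-server "Radius_server"'.
# 192.0.2.10 and <shared-secret> are placeholders for the real server and secret.
config user radius
    edit "Radius_server"
        set server "192.0.2.10"
        set secret <shared-secret>
    next
end

# Check that the FortiGate can authenticate the test user against the server
# before involving IKEv2 at all (mschap2 is what EAP-MSCHAPv2 clients use).
diagnose test authserver radius Radius_server mschap2 test_user <test-password>

# Capture IKE negotiation details while the FortiClient user connects; look here
# for 'gw validation failed' or 'EAP response is empty'.
diagnose debug application ike -1
diagnose debug enable
# ... connect from FortiClient, then stop the capture:
diagnose debug disable
diagnose debug reset

# Confirm the dial-up gateway and tunnel came up and which user authenticated.
diagnose vpn ike gateway list
diagnose vpn tunnel list
```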