FortiGate
amatos
Staff
Article Id 390315
Description

This article describes an issue where an IPsec VPN user cannot connect to the VPN when the XAUTH option in the VPN phase1 configuration is set to 'Inherit from policy', even though the user groups are correctly configured in the firewall policy.


In the IKE debug output, the failed attempt shows the message 'connection expiring due to XAUTH failure'. This issue may occur in v7.6.2 and v7.6.3.

Scope

FortiGate.
Solution

This is caused by an issue where the IKED daemon does not communicate correctly with the FNBAMD daemon during authentication when xauthtype is set to chap or pap. Check whether xauthtype is set to chap or pap and, if so, change it to 'auto'.


Verify configuration:


config vpn ipsec phase1-interface
    edit "dialup"
        set xauthtype pap    <----- may be pap or chap
    end


Change it to auto:


config vpn ipsec phase1-interface
    edit "dialup"
        set xauthtype auto
    end
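To find every affected phase1-interface entry in a saved FortiGate configuration backup and generate the corrective CLI, the following Python script is an added example (not a Fortinet tool and not part of this article); the configuration excerpt it parses is constructed for illustration.

```python
import re

# Constructed FortiOS config excerpt (not taken from a real device): one
# phase1-interface entry still on pap, one already on auto.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "dialup"
        set xauthtype pap
    next
    edit "dialup-ldap"
        set xauthtype auto
    next
end
"""

AFFECTED = {"pap", "chap"}  # values that trigger the IKED/FNBAMD issue


def phase1_xauthtypes(config_text):
    """Map each phase1-interface name to its xauthtype (None if unset); other tables are skipped."""
    result, in_table, current = {}, False, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config vpn ipsec phase1-interface":
            in_table = True
        elif in_table and line == "end":
            in_table = False
        elif in_table:
            m = re.match(r'edit "(.+)"$', line)
            if m:
                current = m.group(1)
                result.setdefault(current, None)
            elif current and line.startswith("set xauthtype "):
                result[current] = line.split()[2]
            elif line == "next":
                current = None
    return result


def affected_entries(config_text):
    """Names of entries whose xauthtype is chap or pap."""
    return sorted(n for n, t in phase1_xauthtypes(config_text).items() if t in AFFECTED)


def remediation_cli(config_text):
    """FortiOS CLI that sets each affected entry to 'auto'; empty string if none."""
    names = affected_entries(config_text)
    if not names:
        return ""
    body = [f'    edit "{n}"\n        set xauthtype auto\n    next' for n in names]
    return "\n".join(["config vpn ipsec phase1-interface", *body, "end"])
```

Run it against a full `show` or backup file to list the tunnels that need the change before touching the device.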


As another workaround, the authentication should work if the user chooses the User Group directly in XAUTH.

However, this may not be feasible if the users want to use multiple users/groups in the authentication and control them via a firewall policy.


This applies only when the users are authenticated through RADIUS or LDAP. For local users, authentication is performed directly by the FortiGate without any challenge request to external authentication servers.