_martin_
Staff
Article Id 339684
Description This article describes why it is not possible to use LDAP users and groups directly in firewall policies for IPsec VPN.
Scope FortiGate.
Solution

It is possible to authenticate users with XAuth against LDAP and then apply firewall policies based on the IP pool assigned to users connecting through the IPsec VPN. Only users authenticated in LDAP, either as members of an LDAP group or as individual LDAP users, can authenticate and establish a connection to the IPsec VPN.


However, it is not possible to specify LDAP users or groups directly in firewall policies. Traffic is not matched by LDAP user but by the IP pool assigned to those users when they connect. To apply user-based policies, match on the address range assigned to users when they connect to the VPN, referenced as the source address of the policy.


Example:


config firewall address
    edit "VPN Pool"
        set type iprange
        set start-ip 192.168.1.1
        set end-ip 192.168.1.10
    next
end


config firewall policy
    edit 1
        set name "VPN-to-LAN"
        set srcintf "ipsec-vpn"
        set dstintf "LAN"
        set srcaddr "VPN Pool"
        set dstaddr "internal_network"
        set action accept
        set schedule always
        set service ALL
        set logtraffic all
    next
end


In summary:

  1. In an IPsec VPN, LDAP users are only used to authenticate over the IPsec tunnel using XAuth.
  2. Firewall policies are based on the IP Pool assigned to users when they connect, not directly on the LDAP users.
  3. To enforce policies for specific users, with granular access to resources, consider using SSL VPN instead: SSL VPN allows firewall policies to be assigned directly to users or LDAP groups, whereas IPsec works only at the IP level, because IPsec traffic is handled by IP address and not by user or group in the firewall policies.
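The following is an added, end-to-end example of the design described above (LDAP used only at XAuth time, firewall policy matched on the assigned address range); it is not configuration from this article or from Fortinet. The LDAP server name "LDAP-DC01", its address 10.0.0.10, the "example.local" directory tree, the user group "LDAP-VPN-Users", the WAN interface "wan1" and the address object "internal_network" are assumed values, and the bind password and pre-shared key are placeholders to be replaced.

```fortios
config user ldap
    edit "LDAP-DC01"
        set server "10.0.0.10"
        set secure ldaps
        set port 636
        set cnid "sAMAccountName"
        set dn "dc=example,dc=local"
        set type regular
        set username "cn=svc-fortigate,cn=Users,dc=example,dc=local"
        set password "BIND_PASSWORD_PLACEHOLDER"
        set group-member-check user-attr
    next
end

config user group
    edit "LDAP-VPN-Users"
        set member "LDAP-DC01"
        config match
            edit 1
                set server-name "LDAP-DC01"
                set group-name "cn=VPN-Users,ou=Groups,dc=example,dc=local"
            next
        end
    next
end

config vpn ipsec phase1-interface
    edit "ipsec-vpn"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set peertype any
        set mode-cfg enable
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set xauthtype auto
        set authusrgrp "LDAP-VPN-Users"
        set ipv4-start-ip 192.168.1.1
        set ipv4-end-ip 192.168.1.10
        set ipv4-netmask 255.255.255.0
        set psksecret "PRESHARED_KEY_PLACEHOLDER"
    next
end

config vpn ipsec phase2-interface
    edit "ipsec-vpn-p2"
        set phase1name "ipsec-vpn"
        set proposal aes256-sha256
    next
end

config firewall address
    edit "VPN Pool"
        set type iprange
        set start-ip 192.168.1.1
        set end-ip 192.168.1.10
    next
end

config firewall policy
    edit 1
        set name "VPN-to-LAN"
        set srcintf "ipsec-vpn"
        set dstintf "LAN"
        set srcaddr "VPN Pool"
        set dstaddr "internal_network"
        set action accept
        set schedule always
        set service ALL
        set logtraffic all
    next
end
```

The only place the LDAP group appears is `set authusrgrp "LDAP-VPN-Users"` in the phase1-interface: membership of "VPN-Users" is checked once, when XAuth runs, and a user outside that group never gets a tunnel. Once the tunnel is up, the client receives an address from the mode-config range 192.168.1.1 to 192.168.1.10, and the policy matches only on that range through the "VPN Pool" address object; the policy has no knowledge of which LDAP user holds which address, which is the limitation this article describes. Keeping `set logtraffic all` on the policy, together with the VPN event logs, is what lets an operator correlate an assigned address back to the XAuth username afterwards.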