Step 1: Configure LDAP Server.
- Go to User & Authentication -> LDAP Servers.
- Create a new LDAP server or edit an existing one.
- Enter the LDAP server details, such as IP address and port.
- Optionally, test user credentials to verify proper access rights.


Step 2: Create User Group
- Go to User & Authentication -> User Groups.
- Create a user group and add LDAP users as members.
- For example, create a user group named LDAP-GRP and add LDAP users.

Step 3: Configure IPsec VPN.
- Go to VPN -> IPsec Wizard.
- Select the type of VPN and configure the necessary settings.
- In the Authentication section, select the LDAP user group created earlier.


Note: After creating the IPsec VPN using the wizard, the following items are created:
- Phase 1 VPN tunnel settings (the LDAP user group is configured under the XAUTH settings).
- Phase 2 VPN tunnel settings.
- A firewall policy allowing traffic from the IPsec VPN tunnel to the local network.


Step 4: Test the VPN on the FortiClient machine.

Note: If the user group is configured under the Phase 1 settings, the user will not appear in Firewall Users or in the output of diagnose firewall auth list. Instead, the authenticated user can be seen in the Phase 1 status of the VPN tunnel.
To check the details, open the Command Prompt and run:
diagnose vpn ike gate list

It is also possible to use the following command to filter the output:
diagnose vpn ike gate list | grep "name:\|xauth-user"
name: Remote Access_0
xauth-user: vpnuser1

Note: The user will appear in Firewall Users or in the output of diagnose firewall auth list only when the user group is configured on the firewall policy. This is done by enabling Inherit from policy in the IPsec VPN Phase 1 settings.


Note:
- This is the recommended configuration when multiple user groups are involved. More information about the configuration can be found in this KB article: Technical Tip: Using group based firewall policy for Dial-Up VPN to restrict network access.
- The user group must be configured either in the IPsec Phase 1 settings or in the firewall policy. If the group is configured in both the IPsec Phase 1 settings and the firewall policy, traffic will stop flowing through the IPsec tunnel.
- On the Dashboard, view the user by adding an XAUTH User column to the IPsec monitor dashboard.

Note: XAUTH occurs after the IKEv1 Aggressive Mode message exchange:
Run the following commands:
diagnose debug reset
diagnose debug application ike -1
diagnose debug application fnbamd -1
diagnose debug enable
ike 0:Remote Access:1: received p1 notify type INITIAL-CONTACT
ike 0:Remote Access:1: PSK authentication succeeded
ike 0:Remote Access:1: authentication OK
ike 0:Remote Access:1: NAT not detected
ike 0:Remote Access: mode-cfg allocate 172.16.20.1/0.0.0.0
ike 0:Remote Access: IPv6 pool is not configured
ike 0:Remote Access: adding new dynamic tunnel for 10.47.3.222:500
ike 0:Remote Access_0: tunnel created tun_id 172.16.20.1/::10.0.0.3 remote_location 0.0.0.0
ike 0:Remote Access_0: added new dynamic tunnel for 10.47.3.222:500
ike 0:Remote Access_0:1: established IKE SA d6d1522644fd77e6/4abb8e05cc9778a3
ike 0:Remote Access_0:1: check peer route: if_addr4_rcvd=0, if_addr6_rcvd=0, mode_cfg=0
ike 0:Remote Access_0:1: processing INITIAL-CONTACT
ike 0:Remote Access_0: flushing
ike 0:Remote Access_0: flushed
ike 0:Remote Access_0:1: processed INITIAL-CONTACT
ike 0:Remote Access_0:1: initiating XAUTH.
ike 0:Remote Access_0:1: sending XAUTH request
ike 0:Remote Access_0:1: received XAUTH_USER_NAME 'vpnuser1' length 8
ike 0:Remote Access_0:1: received XAUTH_USER_PASSWORD length 12
ike 0:Remote Access_0: XAUTH user "vpnuser1"
ike 0:Remote Access: auth group LDAP-GRP
ike 0:Remote Access_0: XAUTH 772057113 pending
[1909] handle_req-Rcvd auth req 772057113 for vpnuser1 in LDAP-GRP opt=00000000 prot=5
Note: The FortiGate will search the Distinguished Name (DN) of the LDAP server for the Common Name cn=vpnuser1, since cn is the configured Common Name Identifier in the LDAP server settings.
[750] fnbamd_ldap_build_dn_search_req-base:'DC=40LABV2,DC=COM' filter:cn=vpnuser1
<omitted output>
[2831] fnbamd_ldap_result-Result for ldap svr 10.149.0.2(LDAP-SVR) is SUCCESS
[401] ldap_copy_grp_list-copied CN=VPN-Users,OU=Manila TAC,OU=Fortinet,DC=40labv2,DC=com
[401] ldap_copy_grp_list-copied CN=Domain Users,CN=Users,DC=40labv2,DC=com
[1623] fnbam_user_auth_group_match-req id: 772057113, server: LDAP-SVR, local auth: 0, dn match: 1
[1592] __group_match-Group 'LDAP-GRP' passed group matching
[1595] __group_match-Add matched group 'LDAP-GRP'(2)
[2843] fnbamd_ldap_result-Passed group matching
[209] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 772057113, len=2641
ike 0:Remote Access_0:1: XAUTH 772057113 result FNBAM_SUCCESS
ike 0:Remote Access_0: XAUTH succeeded for user "vpnuser1" group "LDAP-GRP" 2FA=no
Note: The Common Name Identifier can be changed depending on configuration preferences and requirements.
Some examples with actual user format:
Note:
- LDAP-based user authentication is designed to work with XAUTH and IPsec IKEv1. Because IKEv1 support was removed in FortiClient version 7.4.4, EAP-TTLS with IKEv2 can be used for LDAP authentication instead: EAP-TTLS support for IPsec VPN v7.4.3.
- In earlier versions of FortiClient, EAP-MSCHAPv2 was used for username/password authentication and did not work with LDAP. EAP-TTLS now supports LDAP authentication.
Related articles:
Technical Tip: How to configure IPsec remote access with full tunnelling
Technical Tip: Differences between Aggressive and Main mode in IPSec VPN configurations
Troubleshooting Tip: IPsec VPN Phase 1 Process - Aggressive Mode
Technical Tip: Username format for LDAP authentication
Technical Tip: IKEv2 tunnel fails when LDAP based usergroup is used for EAP