FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
jlim11
Staff
Article Id 343237
Description: This article demonstrates how to set up FortiClient IPsec VPN access with LDAP as the authentication method.
The Phase 1 settings in this example use IKE version 1, which is the default IKE version the IPsec VPN Wizard creates for Remote Access.
Scope: FortiGate.
Solution

LDAP server and user group configuration:

(screenshot: LDAP Server.PNG)
(screenshot: User Group.PNG)
(screenshot: user test.PNG)

After configuring the LDAP server, use the IPsec Wizard to create the VPN:

(screenshot: Wizard.PNG)
(screenshot: LDAP-grp-wizard.PNG)
After creating the IPsec VPN with the wizard, the following objects are created:

  • Phase 1 VPN tunnel settings (the LDAP user group is referenced under the XAUTH settings).
  • Phase 2 VPN tunnel settings.
  • Firewall policy allowing traffic from the IPsec VPN tunnel to the local network.

(screenshot: phase1n2cli.PNG)
(screenshot: firewallpolicycli.PNG)
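The CLI equivalent of the objects the wizard creates, written here as an added example rather than copied from the article's screenshots. The object names that appear in the article's debug output (tunnel 'Remote Access', LDAP server 'LDAP-SVR' at 10.149.0.2, group 'LDAP-GRP', base DN DC=40LABV2,DC=COM, client pool starting at 172.16.20.1, Common Name Identifier 'cn') are taken from the page; the interface names port1/port2, the LAN subnet, the address object and policy names, the end of the client pool, the bind account and the pre-shared key are assumptions or placeholders and will differ in a real deployment.

```fortios
# Added example: CLI equivalent of the wizard-generated configuration.
# Names from the article: "Remote Access", "LDAP-SVR", "LDAP-GRP", 10.149.0.2,
# DC=40LABV2,DC=COM, 172.16.20.1. Interfaces, subnets, bind account and
# secrets are assumed placeholders.

# 1. LDAP server. The Common Name Identifier (cnid) selects the attribute
#    the XAUTH username is matched against; 'cn' as in the article.
#    The bind account only needs read access to the users and groups.
config user ldap
    edit "LDAP-SVR"
        set server "10.149.0.2"
        set cnid "cn"
        set dn "DC=40LABV2,DC=COM"
        set type regular
        set username "CN=ldap-bind,CN=Users,DC=40LABV2,DC=COM"
        set password <BIND_PASSWORD>
        # Recommended: the user password is sent to the directory in a
        # simple bind, so use LDAPS rather than clear-text LDAP.
        # set secure ldaps
        # set port 636
    next
end

# 2. User group referenced by the XAUTH settings. Without a group filter,
#    any user found under the base DN passes group matching.
config user group
    edit "LDAP-GRP"
        set member "LDAP-SVR"
    next
end

# 3. Address objects used by Phase 1 (split tunnel) and by the policy.
config firewall address
    edit "LAN"
        set subnet 10.0.0.0 255.255.255.0
    next
    edit "Remote Access_range"
        set type iprange
        set start-ip 172.16.20.1
        set end-ip 172.16.20.100
    next
end

# 4. Phase 1: IKEv1, aggressive mode, dial-up (dynamic) tunnel, XAUTH as
#    server against LDAP-GRP, mode-cfg address pool for the clients.
config vpn ipsec phase1-interface
    edit "Remote Access"
        set type dynamic
        set interface "port1"
        set ike-version 1
        set mode aggressive
        set peertype any
        set mode-cfg enable
        set proposal aes256-sha256 aes128-sha256
        set dhgrp 14
        set dpd on-idle
        set xauthtype auto
        set authusrgrp "LDAP-GRP"
        set ipv4-start-ip 172.16.20.1
        set ipv4-end-ip 172.16.20.100
        set ipv4-netmask 255.255.255.0
        set ipv4-split-include "LAN"
        set psksecret <PRE_SHARED_KEY>
    next
end

# 5. Phase 2 bound to the Phase 1 above.
config vpn ipsec phase2-interface
    edit "Remote Access"
        set phase1name "Remote Access"
        set proposal aes256-sha256 aes128-sha256
        set dhgrp 14
    next
end

# 6. Policy from the tunnel interface into the LAN. Keep the source
#    restricted to the client pool rather than "all".
config firewall policy
    edit 0
        set name "vpn_Remote Access_remote"
        set srcintf "Remote Access"
        set dstintf "port2"
        set srcaddr "Remote Access_range"
        set dstaddr "LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The settings that tie this to the article are `set xauthtype auto` and `set authusrgrp "LDAP-GRP"` in Phase 1: the pre-shared key authenticates the tunnel, and the user is then checked against the LDAP group during XAUTH, which is why the group name shows up in the IKE debug output rather than in the firewall authentication list.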

 

Testing from a FortiClient machine:

(screenshot: VPN connected forticlient.PNG)
The user will not be listed under Firewall Users or in 'diagnose firewall auth list'. Instead, the authenticated user can be seen in the Phase 1 status of the VPN tunnel:

diag vpn ike gate list

(screenshot: ike gate list.PNG)
The command below can also be used to filter the output:

diag vpn ike gate list | grep "name:\|xauth-user"
name: Remote Access_0
xauth-user: vpnuser1

On the Dashboard, the user can also be viewed by adding an 'XAUTH User' column to the IPsec monitor widget.

(screenshot: VPN User dashboard.PNG)
XAUTH happens after the IKEv1 Aggressive Mode message exchange:

ike 0:Remote Access:1: received p1 notify type INITIAL-CONTACT
ike 0:Remote Access:1: PSK authentication succeeded
ike 0:Remote Access:1: authentication OK
ike 0:Remote Access:1: NAT not detected
ike 0:Remote Access: mode-cfg allocate 172.16.20.1/0.0.0.0
ike 0:Remote Access: IPv6 pool is not configured
ike 0:Remote Access: adding new dynamic tunnel for 10.47.3.222:500
ike 0:Remote Access_0: tunnel created tun_id 172.16.20.1/::10.0.0.3 remote_location 0.0.0.0
ike 0:Remote Access_0: added new dynamic tunnel for 10.47.3.222:500
ike 0:Remote Access_0:1: established IKE SA d6d1522644fd77e6/4abb8e05cc9778a3
ike 0:Remote Access_0:1: check peer route: if_addr4_rcvd=0, if_addr6_rcvd=0, mode_cfg=0
ike 0:Remote Access_0:1: processing INITIAL-CONTACT
ike 0:Remote Access_0: flushing
ike 0:Remote Access_0: flushed
ike 0:Remote Access_0:1: processed INITIAL-CONTACT
ike 0:Remote Access_0:1: initiating XAUTH.
ike 0:Remote Access_0:1: sending XAUTH request

ike 0:Remote Access_0:1: received XAUTH_USER_NAME 'vpnuser1' length 8
ike 0:Remote Access_0:1: received XAUTH_USER_PASSWORD length 12
ike 0:Remote Access_0: XAUTH user "vpnuser1"
ike 0:Remote Access: auth group LDAP-GRP
ike 0:Remote Access_0: XAUTH 772057113 pending
[1909] handle_req-Rcvd auth req 772057113 for vpnuser1 in LDAP-GRP opt=00000000 prot=5

The FortiGate searches the LDAP server under the configured Distinguished Name for the Common Name 'cn=vpnuser1', since 'cn' is the configured Common Name Identifier in the LDAP Server settings:

[750] fnbamd_ldap_build_dn_search_req-base:'DC=40LABV2,DC=COM' filter:cn=vpnuser1 

<omitted output>

[2831] fnbamd_ldap_result-Result for ldap svr 10.149.0.2(LDAP-SVR) is SUCCESS
[401] ldap_copy_grp_list-copied CN=VPN-Users,OU=Manila TAC,OU=Fortinet,DC=40labv2,DC=com
[401] ldap_copy_grp_list-copied CN=Domain Users,CN=Users,DC=40labv2,DC=com
[1623] fnbam_user_auth_group_match-req id: 772057113, server: LDAP-SVR, local auth: 0, dn match: 1
[1592] __group_match-Group 'LDAP-GRP' passed group matching
[1595] __group_match-Add matched group 'LDAP-GRP'(2)
[2843] fnbamd_ldap_result-Passed group matching
[209] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 772057113, len=2641
ike 0:Remote Access_0:1: XAUTH 772057113 result FNBAM_SUCCESS
ike 0:Remote Access_0: XAUTH succeeded for user "vpnuser1" group "LDAP-GRP" 2FA=no

 

The Common Name Identifier can be changed depending on the configuration preference and requirement.

Examples of each identifier with the corresponding username format:

cn = vpnuser1
sAMAccountName = vpnuser1
UserPrincipalName = vpnuser1@40labv2.com
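An added example covering both the LDAP lookup described in the debug trace above and the Common Name Identifier variants just listed; it is not part of the original article. It shows how the identifier is changed on the LDAP server object, how LDAP-GRP can be restricted to a specific directory group instead of accepting any user found under the base DN, and how to test the lookup from the CLI before involving a VPN client. The server name 'LDAP-SVR', group 'LDAP-GRP', user 'vpnuser1' and the group DN 'CN=VPN-Users,OU=Manila TAC,OU=Fortinet,DC=40labv2,DC=com' are taken from the page; the password is a placeholder.

```fortios
# Added example: Common Name Identifier variants, group restriction and
# CLI verification. Names from the article; <USER_PASSWORD> is a placeholder.

# Match the XAUTH username against sAMAccountName instead of cn, so that
# 'vpnuser1' is looked up as (sAMAccountName=vpnuser1) under the base DN.
config user ldap
    edit "LDAP-SVR"
        set cnid "sAMAccountName"
    next
end

# Alternatively match against userPrincipalName; the client must then
# enter the full UPN 'vpnuser1@40labv2.com' as the XAUTH username.
config user ldap
    edit "LDAP-SVR"
        set cnid "userPrincipalName"
    next
end

# Restrict LDAP-GRP to members of one directory group. In the article's
# trace both 'VPN-Users' and 'Domain Users' were copied and LDAP-GRP passed
# because no filter was set; with a match entry, only users whose copied
# group list contains this DN pass group matching.
config user group
    edit "LDAP-GRP"
        set member "LDAP-SVR"
        config match
            edit 1
                set server-name "LDAP-SVR"
                set group-name "CN=VPN-Users,OU=Manila TAC,OU=Fortinet,DC=40labv2,DC=com"
            next
        end
    next
end

# Test the bind, the cnid lookup and the group copy without a VPN client.
diagnose test authserver ldap LDAP-SVR vpnuser1 <USER_PASSWORD>

# Reproduce the fnbamd/ike debug trace shown in the article, then stop it.
diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application fnbamd -1
diagnose debug application ike -1
diagnose debug enable
# ... connect from FortiClient and observe the XAUTH and LDAP messages ...
diagnose debug disable
diagnose debug reset
```

The test command reports whether the user authenticated against LDAP-SVR and lists the groups copied from the directory, which is the same information the fnbamd lines in the trace above carry; if it fails, the problem lies in the bind account, base DN or Common Name Identifier rather than in the IPsec configuration. Only one `set cnid` value is active at a time, so apply whichever form the users will type.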


Related articles:
Technical Tip: How to configure IPsec remote access with full tunnelling

Technical Tip: Differences between Aggressive and Main mode in IPSec VPN configurations

Troubleshooting Tip: IPsec VPN Phase 1 Process - Aggressive Mode

Technical Tip: Username format for LDAP authentication
