Francesko
Staff
Article Id 385150
Description This article explains how to troubleshoot and display dialup IPsec VPN user identities in the 'Firewall Users' widget within the 'Assets & Identities' dashboard.
Scope FortiGate.
Solution

When a client authenticates to a dialup IPsec VPN tunnel, it can be useful to display the user's session information in the 'Firewall Users' widget.

To display this information, the user group must be configured in the firewall policy rather than in the IPsec VPN phase1-interface.

This applies to both IKEv1 and IKEv2 dialup tunnels, and to both local and remote user groups.

The identity can also be displayed for Entra ID SAML-authenticated users, and for clients using the auto-connect to IPsec VPN feature with Entra ID logon session information obtained through the msgraph API.

 

If the user group is configured in both the IPsec VPN phase1-interface and the firewall policy, traffic will stop flowing through the IPsec VPN tunnel.

In v7.4 and later, this widget is located in the 'Assets & Identities' dashboard. In the v7.2 branch, it can be found under 'Users & Devices'.

(Screenshot: Firewall Users widget)

 

Configuration of a user and user group:

config user local
    edit "test"
        set type password
        set passwd fortinet
    next
end

config user group
    edit "testgrp"
        set member "test"
    next
end
 
IPsec VPN IKEv2 configuration:
 
config vpn ipsec phase1-interface
    edit "TestIKEv2"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha1 aes256-sha256
        set dpd on-idle
        set dhgrp 5
        set eap enable
        set eap-identity send-request
        set ipv4-start-ip 192.168.30.5
        set ipv4-end-ip 192.168.30.20
        set dns-mode auto
        set client-auto-negotiate enable
        set client-keep-alive enable
        set psksecret fortinet
        set dpd-retryinterval 60
    next
end
 
config vpn ipsec phase2-interface
    edit "TestIKEv2P2"
        set phase1name "TestIKEv2"
        set proposal aes128-sha1 aes256-sha256
        set dhgrp 5
    next
end
 
config firewall policy
    edit 101
        set name "TestIKEv2"
        set srcintf "TestIKEv2"
        set dstintf "LAN"
        set action accept
        set srcaddr "all"
        set dstaddr "LAN address"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set groups "testgrp"
    next
end
 
IPsec VPN IKEv1 configuration:
 
config vpn ipsec phase1-interface
    edit "TestIKEv1"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256
        set xauthtype auto
        set ipv4-start-ip 192.168.20.5
        set ipv4-end-ip 192.168.20.20
        set dns-mode auto
        set client-keep-alive enable
        set psksecret fortinet
    next
end
 
config vpn ipsec phase2-interface
    edit "TestIKEv1P2"
        set phase1name "TestIKEv1"
        set proposal aes128-sha256 aes256-sha256
    next
end
 
config firewall policy
    edit 100
        set name "TestIKEv1"
        set srcintf "TestIKEv1"
        set dstintf "LAN"
        set action accept
        set srcaddr "all"
        set dstaddr "LAN address"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set groups "testgrp"
    next
end
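An added configuration check, not part of this article or of FortiOS: the Python script below parses a configuration export in the flat config/edit/set/next layout shown above and reports, per phase1-interface, whether the user group is referenced only in the firewall policy (identity shown in the widget), only in phase1, or in both (the case where traffic stops). It assumes that `authusrgrp` is the phase1-interface keyword that assigns the user group and that the export contains no nested sub-tables; the configuration embedded in the script is a constructed sample.

```python
import shlex
# Constructed sample: the article's IKEv2 tunnel plus "BadTunnel", which also sets the group in phase1.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "TestIKEv2"
    next
    edit "BadTunnel"
        set authusrgrp "testgrp"
    next
end
config firewall policy
    edit 101
        set srcintf "TestIKEv2"
        set groups "testgrp"
    next
    edit 102
        set srcintf "BadTunnel"
        set groups "testgrp"
    next
end
"""

def parse_fortios(text):
    """Flatten top-level config/edit/set blocks into {table: {entry: {key: [values]}}}."""
    tables, table, entry = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("config "):
            table = tables.setdefault(line[7:], {})
        elif line.startswith("edit ") and table is not None:
            entry = table.setdefault(line[5:].strip('"'), {})
        elif line.startswith("set ") and entry is not None:
            key, _, rest = line[4:].partition(" ")
            entry[key] = shlex.split(rest)  # keeps quoted values like "LAN address" whole
        elif line == "next":
            entry = None
    return tables

def audit_tunnels(text):
    """Classify each phase1-interface by where its user group is configured."""
    cfg = parse_fortios(text)
    policies = list(cfg.get("firewall policy", {}).values())
    verdicts = {}
    for name, p1 in cfg.get("vpn ipsec phase1-interface", {}).items():
        in_p1 = "authusrgrp" in p1  # assumed phase1 keyword for the user group
        in_pol = any(name in p.get("srcintf", []) and "groups" in p for p in policies)
        verdicts[name] = ("both: traffic stops flowing through the tunnel" if in_p1 and in_pol
                          else "policy: identity shown in Firewall Users widget" if in_pol
                          else "phase1-only: identity not shown in the widget" if in_p1 else "none")
    return verdicts
```

Run `audit_tunnels` over a `show full-configuration` export to list every dialup tunnel whose group placement would keep it out of the widget or break traffic.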