FortiGate
JCPL
Staff
Article Id 347243
Description

This article describes an issue where FortiGate does not store the EAP identity and authentication user group settings for an IKEv2 remote-access tunnel created with the VPN wizard. Because these settings are missing, it is not possible to establish a remote connection after the tunnel is created.

 

This behavior is related to a known issue ID 1054953 in v7.6.0.

When the IPsec wizard is used to configure a remote-access tunnel, the template uses IKEv2 and allows a 'User group' to be selected in the parameters, as shown in the following image:

IKE1.PNG

 

After the tunnel is created, the Authentication section does not show the user group that was selected for authentication, and there is no option to verify it, as shown in the following image:

 

IKE2.PNG

 

The Phase 1 tunnel configuration appears as follows in the CLI. Note that it contains no eap, eap-identity or authusrgrp settings, even though a user group was selected in the wizard:

 

config vpn ipsec phase1-interface
    edit "VPN tunnel"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set comments "VPN: VPN tunnel -- Created by VPN wizard"
        set wizard-type dialup-forticlient
        set ipv4-start-ip 20.1.1.1
        set ipv4-end-ip 20.1.1.50
        set ipv4-netmask 255.255.255.0
        set ipv4-split-include "VPN tunnel_split"
        set save-password enable
        set psksecret ENC
    next
end

Scope
FortiGate v7.6.0.
Solution

To resolve the issue mentioned above, two alternative solutions are provided.

 

  1. Run the following commands to enable EAP and assign the user group on the tunnel while keeping IKEv2 (replace <User Group name> with the user group selected in the wizard):

config vpn ipsec phase1-interface
    edit "VPN tunnel"
        set eap enable
        set eap-identity send-request
        set authusrgrp <User Group name>
    next
end

 

  2. Switch the tunnel to IKEv1. After the change, the tunnel configuration appears as follows:

 

IKE3.PNG

 

After applying either of the two options, the remote-access IPsec tunnel can be established with FortiClient.
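As an added check that is not part of the original article: the following Python script parses the text of `show vpn ipsec phase1-interface` (or the same section of a configuration backup) and flags dial-up IKEv2 tunnels that are missing the eap, eap-identity and authusrgrp settings from option 1. The sample configuration embedded below is constructed for this example; it contains the wizard-generated tunnel from this article, a corrected copy of it, and a site-to-site tunnel that must not be flagged. The tunnel names "VPN tunnel fixed" and "site2site", the user group "VPN_Users" and the peer address 203.0.113.10 are assumptions.

```python
"""Audit FortiOS phase1-interface config for dial-up IKEv2 tunnels that
lack EAP / user-group authentication, the state the VPN wizard leaves
behind under known issue 1054953 in FortiOS v7.6.0.

Added example, not code from the original article or from Fortinet.
"""
import re

# Constructed sample of `show vpn ipsec phase1-interface` output.
# "VPN tunnel" mirrors the wizard output from the article; the other
# two tunnels and the group name VPN_Users are assumptions.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "VPN tunnel"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set wizard-type dialup-forticlient
        set ipv4-start-ip 20.1.1.1
        set ipv4-end-ip 20.1.1.50
        set psksecret ENC XXXX
    next
    edit "VPN tunnel fixed"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set mode-cfg enable
        set eap enable
        set eap-identity send-request
        set authusrgrp "VPN_Users"
        set psksecret ENC XXXX
    next
    edit "site2site"
        set interface "port1"
        set ike-version 2
        set remote-gw 203.0.113.10
        set psksecret ENC XXXX
    next
end
"""


def parse_phase1(text):
    """Return {tunnel_name: {setting: value}} for every `edit` block."""
    tunnels = {}
    current = None
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r'edit\s+"?([^"]+)"?$', s)
        if m:
            current = m.group(1)
            tunnels[current] = {}
            continue
        if s == "next":
            current = None
            continue
        m = re.match(r"set\s+(\S+)\s+(.*)$", s)
        if m and current is not None:
            tunnels[current][m.group(1)] = m.group(2).strip('"')
    return tunnels


def audit(text):
    """Return [(tunnel, problem)] for dial-up IKEv2 tunnels that do not
    carry the three settings option 1 of the article adds."""
    findings = []
    for name, cfg in parse_phase1(text).items():
        # Only dial-up (type dynamic) IKEv2 tunnels are affected.
        # ike-version defaults to 1 when the line is absent.
        if cfg.get("type") != "dynamic" or cfg.get("ike-version") != "2":
            continue
        if cfg.get("eap") != "enable":
            findings.append((name, "eap not enabled"))
        elif cfg.get("eap-identity") != "send-request":
            findings.append((name, "eap-identity is not send-request"))
        if not cfg.get("authusrgrp"):
            findings.append((name, "authusrgrp not set"))
    return findings


def fix_commands(tunnel, group):
    """Return the FortiOS CLI from option 1 of the article for one tunnel."""
    return (
        "config vpn ipsec phase1-interface\n"
        f'    edit "{tunnel}"\n'
        "        set eap enable\n"
        "        set eap-identity send-request\n"
        f'        set authusrgrp "{group}"\n'
        "    next\n"
        "end\n"
    )


if __name__ == "__main__":
    for tunnel, problem in audit(SAMPLE_CONFIG):
        print(f"{tunnel}: {problem}")
    print(fix_commands("VPN tunnel", "VPN_Users"))
```

Run it against a saved `show vpn ipsec phase1-interface` output instead of SAMPLE_CONFIG to find every wizard-created IKEv2 dial-up tunnel that still needs the fix, and paste the printed CLI for each one.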

Comments
GILMENDO
Staff

Great contribution, thank you @JCPL 
