Description
This article describes an issue where FortiGate does not store the EAP identity and authentication user group settings for an IKEv2 remote access tunnel, although it should. As a result, after creating the tunnel it is not possible to establish a remote connection.
This behavior is related to known issue ID 1054953 in v7.6.0. When the IPSec tunnel is configured for remote access, the wizard template uses IKEv2 and allows a 'User group' to be selected in the parameters, as shown in the following image:
After configuring the tunnel, the authentication section does not provide an option to verify the user group assigned for authentication, as shown in the following image:
The Phase 1 tunnel configuration appears as follows in the CLI:
config vpn ipsec phase1-interface
    edit "VPN tunnel"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set comments "VPN: VPN tunnel -- Created by VPN wizard"
        set wizard-type dialup-forticlient
        set ipv4-start-ip 20.1.1.1
        set ipv4-end-ip 20.1.1.50
        set ipv4-netmask 255.255.255.0
        set ipv4-split-include "VPN tunnel_split"
        set save-password enable
        set psksecret ENC
    next
end
Scope
FortiGate v7.6.0.
Solution
To resolve the issue mentioned above, two alternative solutions are provided.
config vpn ipsec phase1-interface
end
After using either of the two solution options, it is possible to establish an IPSec tunnel in remote access mode with FortiClient.
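The following audit script is an added example and is not part of this article or of FortiOS. It parses a `config vpn ipsec phase1-interface` block and reports dialup IKEv2 tunnels that carry no EAP or user-group settings, which is how a tunnel affected by this issue looks in the CLI. It assumes the FortiOS setting names `eap`, `eap-identity` and `authusrgrp`; the second tunnel in the sample is constructed for contrast.

```python
import re
from typing import Dict, List

# Constructed sample: the wizard-generated Phase 1 from this article (trimmed),
# plus a second, constructed tunnel that carries the EAP/user-group settings.
# The pre-shared key value is omitted ("ENC"), as in the article.
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "VPN tunnel"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set mode-cfg enable
        set wizard-type dialup-forticlient
        set psksecret ENC
    next
    edit "VPN tunnel fixed"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set eap enable
        set eap-identity send-request
        set authusrgrp "VPN users"
        set psksecret ENC
    next
end
"""

def parse_phase1(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a phase1-interface block into {tunnel name: {setting: value}}."""
    tunnels: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'^edit\s+"?([^"]+)"?$', line)
        if m:
            current = m.group(1)
            tunnels[current] = {}
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            tunnels[current][key] = value.strip('"')
    return tunnels

def find_unauthenticated_dialup(text: str) -> List[str]:
    """Return dialup (type dynamic) IKEv2 tunnels lacking EAP or a user group."""
    flagged = []
    for name, s in parse_phase1(text).items():
        if s.get("type") != "dynamic" or s.get("ike-version") != "2":
            continue  # only dialup IKEv2 tunnels are in scope for this issue
        if s.get("eap") != "enable" or not s.get("authusrgrp"):
            flagged.append(name)
    return flagged
```

Run it against the output of `show vpn ipsec phase1-interface` to list wizard-created tunnels that still need the EAP identity and user group applied.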
Great contribution, thank you @JCPL