FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
slovepreet
Staff
Article Id 229663
Description

This article describes how to solve some of the error messages that can be encountered when using IKEv2 with a RADIUS server:

  • IKEv2 requires an EAP framework to proceed with authentication.
  • If IKEv2 is used between FortiGate and FortiClient and one of the following errors appears, this is how to resolve it.

Scope

FortiGate.
Solution

Error - gw validation failed.

slovepreet_0-1668201977645.png
  1. If this error appears, it means EAP is not enabled in the phase1-interface.

  2. The configuration on the FortiClient should look like this:

slovepreet_1-1668202008718.png

  3. Since EAP is used, the settings will be as follows:

slovepreet_2-1668202022267.png

Solution:

  1. Change that EAP setting to 'enable'. This will fix the error in most cases.

slovepreet_3-1668202042806.png

For example:

slovepreet_4-1668202056828.png

Error - EAP response is empty.

slovepreet_5-1668202066207.png

Explanation.

This error message appears when there is no user group defined in the IPsec tunnel for authentication.

Solution.

  1. There are two types of EAP identity methods:

slovepreet_6-1668202083506.png

  2. First, change the EAP identity method to 'send-request'. By default, it is 'use-id-payload'.

  3. Second, specify the group to authenticate against:

slovepreet_7-1668202094982.png

  4. This setting will only appear after enabling EAP in phase 1.

  5. The final setting should look like the below:

slovepreet_8-1668202109730.png

If required, instead of applying the user group in the VPN settings, it is also possible to apply it to a firewall policy.

The firewall policy will look like this:

IPSec Firewall Policy.jpg

To unset the group from the IPsec VPN settings:

conf vpn ipsec phase1-interface
    edit <VPN_Name>
        unset authusrgrp
    next
end

  1. It is now possible to connect with a local user.

  2. If a RADIUS or LDAP server is used as the authentication server, it will not yet be possible to authenticate.
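The settings from the screenshots above, written out as FortiOS CLI so they can be checked without the GUI. This is an added example, not configuration from the original article: the tunnel name 'IKEv2-Dialup', the group 'RADIUS-Users', the RADIUS object 'NPS-RADIUS', the WAN and LAN interface names and the client address pool are placeholders, the phase2-interface and the RADIUS server object themselves are omitted, and lines beginning with '#' are explanatory comments to drop before pasting into the CLI.

```fortios
# Added example, not from the original article. Placeholder names throughout.

# Group the VPN authenticates against; its member is the RADIUS server object.
config user group
    edit "RADIUS-Users"
        set member "NPS-RADIUS"
    next
end

# Dialup IKEv2 phase 1 with the three settings the article walks through:
#   set eap enable                 -> cures "gw validation failed"
#   set eap-identity send-request  -> default is use-id-payload
#   set authusrgrp "RADIUS-Users"  -> cures "EAP response is empty"
config vpn ipsec phase1-interface
    edit "IKEv2-Dialup"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set mode-cfg enable
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.100
        set eap enable
        set eap-identity send-request
        set authusrgrp "RADIUS-Users"
        set psksecret <PRE-SHARED-KEY>
    next
end

# Alternative described in the article: remove the group from phase 1 and
# enforce it on the firewall policy that matches traffic from the tunnel.
config vpn ipsec phase1-interface
    edit "IKEv2-Dialup"
        unset authusrgrp
    next
end

config firewall policy
    edit 0
        set name "IKEv2-Dialup-to-LAN"
        set srcintf "IKEv2-Dialup"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "RADIUS-Users"
    next
end
```

Apply either the authusrgrp setting or the policy-based group, not both; with the policy variant, a client that completes EAP still needs a policy whose groups match before its traffic is allowed, which is what makes it useful when different user groups need different access.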

 

Related article:

Technical Tip: IKEv2 dialup IPsec tunnel with Radius server authentication and FortiClient

Error:

EAP 94840547 pending
EAP 94840547 result 1
EAP failed for user "lovepreet"

slovepreet_9-1668202125901.png

If the user is authenticated against the RADIUS server, this error will be encountered.

Troubleshooting.

  1. Run debugs:

diag debug console timestamp enable    (showing timestamps on the debug output)
diag debug app fnbamd -1               (debugging certificate validation)
diag debug app ike -1                  (debugging IPsec)
diag debug app eap_proxy -1            (debugging EAP)
diag debug enable

slovepreet_10-1668202139521.png

Focus on the response code. Here, 'result 1' means the RADIUS server denied the request. The possible result codes are:

0: Success
1: Deny
2: Challenged (password renewal or token is needed)
3: Unknown
4: Pending
5: Error
6: Framed IP conflict
7: Token code is required
8: Need another token because the previous one is out of sync
9: Response buffer is too small
10: Authentication time out
11: Max concurrent authentication sessions are reached
12: Token code is already used

Related article:

Technical Tip: Radius authentication troubleshooting

  1. It is possible to verify this by running a packet capture on the RADIUS server and filtering for RADIUS traffic.

slovepreet_11-1668202171451.png

The reason this happens is that, in this example, the credentials are not accepted when authenticating with other schemes, such as mschap2, on the NPS in Windows AD.

  2. Verify the credentials against FortiGate by using the command below:

diagnose test authserver radius <radius_server_name> <authentication_scheme> <username> <password>

slovepreet_12-1668202204429.png

  3. On the RADIUS server, there was no mschap2 scheme selected.

  4. To solve this, go to the RADIUS server.

  5. Go to Network policies -> Virtual private connection -> Select Constraints -> Authentication method -> Choose.

slovepreet_13-1668202214910.png
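The FortiGate-side counterpart of the check above, as an added example that is not part of the original article: a RADIUS server object pinned to MS-CHAPv2 so that the diagnose test exercises the same scheme the EAP exchange uses, followed by the same credentials tested with PAP and with mschap2. The object name 'NPS-RADIUS', the server address, the shared secret, the user name and the password are placeholders, and lines beginning with '#' are comments to drop before pasting.

```fortios
# Added example, not from the original article. Placeholder values throughout.

# RADIUS server object on the FortiGate. auth-type auto would try several
# schemes; pinning ms_chap_v2 makes a missing MS-CHAPv2 method on the NPS
# show up as a plain Deny instead of a result that depends on the fallback.
config user radius
    edit "NPS-RADIUS"
        set server "192.0.2.10"
        set secret <RADIUS-SHARED-SECRET>
        set auth-type ms_chap_v2
    next
end

# Test the same credentials with two schemes against that server object.
# PAP succeeding while mschap2 is denied points at the NPS network policy
# (Constraints -> Authentication method) rather than at the credentials.
diagnose test authserver radius NPS-RADIUS pap testuser <PASSWORD>
diagnose test authserver radius NPS-RADIUS mschap2 testuser <PASSWORD>
```

Run the two diagnose lines from the top-level CLI prompt, not inside the config context; pair them with the fnbamd debug from the troubleshooting step to see the numeric result code for each attempt.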

 

Related articles: