Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Fortiuser
New Contributor

Dial-Up with FortiClient and IKEv2 - EAP Problem

Hi all,

 

we want to switch our FortiClient dial-up connections from IKEv1 to IKEv2, but we are having problems with this. I have created a new IKEv2 Test-VPN on the Fortigate and a test user that is authenticated via RADIUS. Everything in the setup works fine with IKEv1, but as soon as I change the parameters to IKEv2, the login fails. Device is a FortiGate 300E cluster with OS 6.0.10, I tested with different FortiClient-VPN versions from v6.4 to 7.0.

 

Here is what an IKE debug shows me:

ike 0: comes 178.2.99.151:64916->20.30.40.50:4500,ifindex=11.... ike 0: IKEv2 exchange=AUTH id=xxxx/xx len=80 ike 0: in xxx ike 0:IKE-v2:31239: dec xxxA65 ike 0:IKE-v2:31239: responder received EAP msg ike 0:IKE-v2:31239: send EAP message to FNBAM ike 0:IKE-v2:31239: initiating EAP authentication ike 0:IKE-v2: EAP user "testuser" ike 0:IKE-v2: auth group IKEv2-Users ike 0:IKE-v2: EAP 1195273714 pending ike 0:IKE-v2:31239 EAP 1195273714 result 2 ike 0:IKE-v2: EAP challenged for user "testuser" ike 0:IKE-v2:31239: responder preparing EAP pass through message ike 0:IKE-v2:31239: enc xxxx ike 0:IKE-v2:31239: out xxxx ike 0:IKE-v2:31239: sent IKE msg (AUTH_RESPONSE): 20.30.40.50:4500->178.2.99.151:64916 ike 0: comes 178.2.99.151:64916->20.30.40.50:4500,ifindex=11.... ike 0: IKEv2 exchange=AUTH id=xxx ike 0:IKE-v2:31239: responder received EAP msg ike 0:IKE-v2:31239: send EAP message to FNBAM ike 0:IKE-v2: EAP 1195273714 pending ike 0:IKE-v2:31239 EAP 1195273714 result 1 ike 0:IKE-v2: EAP failed for user "testuser" ike 0:IKE-v2:31239: responder preparing EAP pass through message ike 0:IKE-v2:31239: enc xxx ike 0:IKE-v2:31239: out xxx ike 0:IKE-v2:31239: sent IKE msg (AUTH_RESPONSE): 20.30.40.50:4500->178.2.99.151:64916 ike 0:IKE-v2: connection expiring due to EAP failure ike 0:IKE-v2: deleting ike 0:IKE-v2: reset NAT-T ike 0:IKE-v2: deleted

Apparently the EAP request goes through first without a problem, but then gets repeated, which I don't understand.

 

Here's the config from FortiGate VPN:

 

config vpn ipsec phase1-interface     edit "IKE-v2"         set type dynamic         set interface "port3"         set ike-version 2         set peertype any         set mode-cfg enable         set ipv4-dns-server1 10.1.1.10         set proposal aes256-sha256         set dpd on-idle         set dhgrp 20         set eap enable         set eap-identity send-request         set authusrgrp "IKEv2-Users"         set ipv4-start-ip 10.1.30.2         set ipv4-end-ip 10.1.30.10         set ipv4-netmask 255.255.224.0         set ipv4-split-include "VPN-CFS-FG-Splitting"         set client-auto-negotiate enable         set client-keep-alive enable         set psksecret ENC xxxx         set dpd-retryinterval 60     next end

 

Does anyone have an idea where the problem could be? Many thanks already!

 

1 Solution
emnoc
Esteemed Contributor III

Does the NAS support EAP? I would start at that point and then continue your diagnostic but b4 you go down that rabbit test with a local-account and then if that works, you know to focus at the NAS

 

YMMV 

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

View solution in original post

PCNSE NSE StrongSwan
4 REPLIES 4
emnoc
Esteemed Contributor III

Does the NAS support EAP? I would start at that point and then continue your diagnostic but b4 you go down that rabbit test with a local-account and then if that works, you know to focus at the NAS

 

YMMV 

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Fortiuser

Hi Ken,

thanks for your reply, test with local user was a good idea! It worked right away.

So I took another look at the NPS and found, that only PEAP was enabled there, not EAP-MSCHAP-v2. After I turned it on, it now works. Thanks a lot for your hints!

Fortiuser

Unfortunately, I now have another problem: IKEv2 connection only works if the user does not have 2-factor authentication enabled (via FortiToken). Does anyone know if this is possible with a later FortiOS version? I have seen hints that this is only possible with OS 6.2 or 6.4. Can anyone confirm this?

FlavioB1
New Contributor III

Hi. Did you ever get this to work?

I'm trying to set this up as well, with FGT 7.2.8, FCT 7.2.5 and FAC 6.6.2.

Thanks for any helpful input.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors