Hi

I'm chewing on this for two days now and I'm not sure whether this is even doable with FortiOS 6.0.x.

Goal is to have the Windows native IKEv2 VPN client to authenticate using a user certificate signed by a private PKI.

For the client device itself, with a computer certificate, this is already working. So certificate chain stuff, etc. is sorted.

The issue seems to be, that I can't use peertype peergrp for the user-based authentication because Windows seems to be stupid. In the Windows client, you can choose between "EAP" and "Use Computer Certificate" for authentication. With the latter, everything works, even with peertype peergrp because Windows is sending the CN of the computer certificate as local identifier and I can use that in the peer-grp on the Fortigate to identify the client. With EAP however, which I have to use if I want the USER to authenticate and not the device, Windows always sends "IPV4_ADDR = <local_adapter_ip>" as local identifier, no matter what. So for user auth, I have to use "peertype any" and "set eap enable" and "set eap-identity send-request". This doesn't even seem to work with user/password based authentication, if the user is a remote (LDAP) user. With a local user, I managed to get this working.

So I tried to add "set authusrgrp <grpname_with_peers_with_certificates>" to the EAP based phase1 config but then the fnbamd daemon fails to authenticate the request like this:

[2280] handle_req-Rcvd auth req 787562041 for in grp_Win_UserTunnel opt=00000000 prot=8 [422] __compose_group_list_from_req-Group 'grp_Win_UserTunnel', type 1 [615] fnbamd_pop3_start- [341] radius_start-Didn't find radius servers (0) [718] auth_tac_plus_start-Didn't find tac_plus servers (0) [574] create_auth_session-Error starting authentication [2300] handle_req-Error starting session [181] fnbamd_comm_send_result-Sending result 5 (error 0, nid 0) for req 787562041 [2644] handle_req-Rcvd abort req for 787562041 [2667] handle_req-Can't abort, no active req 787562041

So this works:

config vpn ipsec phase1-interface     edit "win-ike2-3G"         set type dynamic         set interface "internal6"         set ike-version 2         set authmethod signature         set peertype peergrp         set mode-cfg enable         set proposal aes128-sha1 aes256-sha256         set dpd on-idle         set dhgrp 2         set certificate "myCert"         set peergrp "winikev2_grp"         set ipv4-start-ip 10.20.26.101         set ipv4-end-ip 10.20.26.200         set dns-mode auto         set dpd-retryinterval 60     next

But this doesn't:

    edit "win-user-3G"         set type dynamic         set interface "internal6"         set ike-version 2         set authmethod signature         set peertype any         set mode-cfg enable         set proposal aes128-sha1 aes256-sha256         set dpd on-idle         set dhgrp 2         set eap enable         set eap-identity send-request         set authusrgrp "grp_Win_UserTunnel"         set certificate "myCert"         set ipv4-start-ip 10.20.26.1         set ipv4-end-ip 10.20.26.100         set dns-mode auto         set dpd-retryinterval 60     next

TLDR;

So, is there a way to have "peertype any" but still authenticate a remote user by EAP with a certificate against a peergrp which contains peer objects with certificates? Also: is there a limitation to local users for EAP authentication with FortiOS 6.0? LDAP users don't seem to work, they fail with the same message:

[2280] handle_req-Rcvd auth req 787562041 for in grp_Win_UserTunnel opt=00000000 prot=8 [422] __compose_group_list_from_req-Group 'grp_Win_UserTunnel', type 1 [615] fnbamd_pop3_start- [341] radius_start-Didn't find radius servers (0) [718] auth_tac_plus_start-Didn't find tac_plus servers (0) [574] create_auth_session-Error starting authentication [2300] handle_req-Error starting session [181] fnbamd_comm_send_result-Sending result 5 (error 0, nid 0) for req 787562041 [2644] handle_req-Rcvd abort req for 787562041 [2667] handle_req-Can't abort, no active req 787562041

Thanks.