isafterov
New Contributor II

IKEv2 IPsec VPN remote connection fails — EAP failed for LDAP user/group authentication

🧱 Environment

  • FortiGate model: FG-101F

  • FortiOS version: (please add, e.g. 7.4.3 or 7.2.6)

  • VPN type: IKEv2 IPsec (remote access)

  • Authentication: LDAP users & groups

  • Client: FortiClient 7.4.3 (Windows 10 Pro 64-bit)


🪪 Scenario

I’m configuring an IKEv2 IPsec remote access VPN that authenticates users via an LDAP server.
The connection is established from FortiClient successfully up to Phase-1 (SA_INIT), but it fails during user authentication (EAP phase).

EAP failed for user "test"
EAP response is empty
connection expiring due to EAP failure

funkylicious
SuperUser

hi,

can you share a sanitized config for the IPsec phase-1?

 

L.E. try adding this line to your FortiClient config file by exporting it, adding the line, and then importing it back: under <ike_settings> add the line <eap_method>2</eap_method>

after the import, validate that the setting is set by looking in the registry: \HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiClient\IPSec\Tunnels\[tunnel name]\P1
eap_method (0x00000002)

 

source: https://community.fortinet.com/t5/FortiGate/Technical-Tip-IKEv2-tunnel-fails-when-LDAP-based-usergro... 

"jack of all trades, master of none"
isafterov

Thanks for the tip!

We’re using FortiClient EMS to deploy the IPsec VPN configuration.
I added the following line under the <ike_settings> section in the EMS XML template to force EAP-MSCHAPv2:
<ike_settings>
<server>server ip</server>
<authentication_method>Preshared Key</authentication_method>
<transport_mode>2</transport_mode>
<eap_method>2</eap_method>
<tcp_port>443</tcp_port>
<udp_port>500</udp_port>
<fgt>1</fgt>
<prompt_certificate>0</prompt_certificate>
</ike_settings>


Phase1 Config:
    edit "IPSEC_VPN"
        set type dynamic
        set interface "VLAN-"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal 
        set dpd on-idle
        set dhgrp 14
        set eap enable
        set eap-identity send-request
        set ipv4-start-ip 10.10.10.10
        set ipv4-end-ip 10.10.10.20
        set dns-mode auto
        set dpd-retryinterval 60
    next

 

Screenshot 2025-10-22 123633.png

funkylicious

are you using or trying to use IPsec over TCP?

"jack of all trades, master of none"
funkylicious

I can confirm that setting the param in XML in EMS will push the setting to the client.

 

here's my working IPsec over TCP IKEv2 config:

config vpn ipsec phase1-interface
    edit "RA-IKEv2"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set local-gw <>
        set peertype any
        set net-device enable
        set mode-cfg enable
        set proposal aes128-sha1 aes256-sha256
        set dpd on-idle
        set dhgrp 20
        set eap enable
        set eap-identity send-request
        set transport tcp
        set ipv4-start-ip 10.0.2.100
        set ipv4-end-ip 10.0.2.200
        set dns-mode auto
        set ipv4-split-include "DialUP_split"
        set psksecret <>
        set dpd-retryinterval 60
    next
end

show system settings | grep tcp
    set ike-tcp-port 40443
end

EMS XML, under ike_settings:
<transport_mode>1</transport_mode>
<tcp_port>40443</tcp_port>
<udp_port>500</udp_port>
<eap_method>2</eap_method>


diagnose vpn ike gateway list
name: RA-IKEv2_0
version: 2
interface: wan1 17
addr: IP:40443 -> IP:49487
tun_id: 10.0.2.100/::10.0.0.9
transport: TCP
created: 14s ago
eap-user: LDAP-USER
2FA: no
groups:
  RA-IKEv2 5

 

For IPsec over UDP IKEv2:

- you use unset transport under phase-1

- in EMS set Encapsulation to Auto

<transport_mode>2</transport_mode>
<tcp_port>40443</tcp_port>
<udp_port>500</udp_port>
<eap_method>2</eap_method>
confirmation:
diagnose vpn ike gateway list
name: RA-IKEv2_0
version: 2
interface: wan1 17
addr: IP:4500 -> IP:64917
tun_id: 10.0.2.100/::10.0.0.11
transport: UDP
created: 228s ago
eap-user: LDAP-USER
groups:
  RA-IKEv2 5

 

I don't set the LDAP usergroup in IPsec, but in the firewall rule.

"jack of all trades, master of none"
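As an added example (not code from Fortinet, from EMS, or from anyone in this thread), the script below encodes the pairings the working configuration above relies on: `set transport tcp` on the FortiGate goes with `transport_mode` 1 and a `tcp_port` equal to the FortiGate's `ike-tcp-port`; no `transport` setting (the UDP case) goes with `transport_mode` 2 (Encapsulation Auto); and LDAP EAP authentication needs `eap_method` 2 (EAP-MSCHAPv2), otherwise the gateway logs "EAP response is empty". It parses a phase1 snippet, the EMS `<ike_settings>` XML and one `diagnose vpn ike gateway list` entry, all constructed here to mirror the thread. The meaning of those numeric values is taken from this thread rather than from Fortinet documentation, and the parsers assume the plain `set key value` / `key: value` layouts shown above.

```python
"""Added example (not Fortinet code): check that a FortiGate IKEv2 phase1 and the
FortiClient EMS <ike_settings> XML agree, then read back the live gateway entry."""
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs, modelled on the working TCP configuration in this thread.
PHASE1_TCP = """\
config vpn ipsec phase1-interface
    edit "RA-IKEv2"
        set type dynamic
        set ike-version 2
        set eap enable
        set eap-identity send-request
        set transport tcp
    next
end
"""
SYSTEM_SETTINGS = "    set ike-tcp-port 40443\n"   # from 'show system settings'
EMS_TCP = """<ike_settings>
<transport_mode>1</transport_mode>
<tcp_port>40443</tcp_port>
<udp_port>500</udp_port>
<eap_method>2</eap_method>
</ike_settings>"""
# Constructed mismatch: TCP port differs from ike-tcp-port and eap_method is absent.
EMS_MISMATCH = """<ike_settings>
<transport_mode>1</transport_mode>
<tcp_port>443</tcp_port>
<udp_port>500</udp_port>
</ike_settings>"""
DIAG_TCP = """\
name: RA-IKEv2_0
version: 2
addr: IP:40443 -> IP:49487
transport: TCP
eap-user: LDAP-USER
groups:
  RA-IKEv2 5
"""

def parse_fortios_set(text):
    """Map every 'set <key> <value>' line of a FortiOS CLI snippet to {key: value}."""
    return {m.group(1): m.group(2).strip()
            for m in re.finditer(r"^\s*set\s+(\S+)\s+(.+)$", text, re.M)}

def parse_ike_settings(xml_text):
    """Return the children of <ike_settings> as {tag: text}; accepts a full profile too."""
    root = ET.fromstring(xml_text)
    node = root if root.tag == "ike_settings" else root.find(".//ike_settings")
    if node is None:
        raise ValueError("no <ike_settings> element found")
    return {child.tag: (child.text or "").strip() for child in node}

def check_alignment(phase1_text, settings_text, ems_xml):
    """Return a list of mismatches; an empty list means both sides agree."""
    p1 = parse_fortios_set(phase1_text)
    sysset = parse_fortios_set(settings_text)
    ems = parse_ike_settings(ems_xml)
    findings = []
    if p1.get("ike-version") != "2":
        findings.append("phase1 is not IKEv2")
    if p1.get("eap") != "enable":
        findings.append("phase1 lacks 'set eap enable'")
    # Value meanings as used in this thread (assumption): eap_method 2 = EAP-MSCHAPv2,
    # transport_mode 1 = TCP, transport_mode 2 = Auto.
    if ems.get("eap_method") != "2":
        findings.append("EMS eap_method is not 2 (EAP-MSCHAPv2); expect 'EAP response is empty'")
    if p1.get("transport") == "tcp":
        if ems.get("transport_mode") != "1":
            findings.append("phase1 has 'set transport tcp' but EMS transport_mode is not 1")
        if ems.get("tcp_port") != sysset.get("ike-tcp-port"):
            findings.append("EMS tcp_port does not match the FortiGate ike-tcp-port")
    elif ems.get("transport_mode") != "2":
        findings.append("phase1 has no 'set transport tcp' but EMS transport_mode is not 2 (Auto)")
    return findings

def parse_gateway_list(diag_text):
    """Pick the top-level 'key: value' fields out of one gateway list entry."""
    fields = {}
    for line in diag_text.splitlines():
        m = re.match(r"^(\S[^:]*): (.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def tunnel_confirms(diag_text, phase1_text):
    """True when the live entry shows the transport the phase1 asks for and an EAP user."""
    f = parse_gateway_list(diag_text)
    expected = "TCP" if parse_fortios_set(phase1_text).get("transport") == "tcp" else "UDP"
    return f.get("transport") == expected and bool(f.get("eap-user"))

if __name__ == "__main__":
    for label, xml in (("working", EMS_TCP), ("mismatch", EMS_MISMATCH)):
        print(label, check_alignment(PHASE1_TCP, SYSTEM_SETTINGS, xml) or "OK")
    print("tunnel confirms:", tunnel_confirms(DIAG_TCP, PHASE1_TCP))
```

Feed it the sanitized phase1 block, the `show system settings | grep tcp` output and the exported EMS profile to get a list of mismatches before touching the client; an empty list plus a `transport`/`eap-user` pair in the gateway entry is the same confirmation the two `diagnose vpn ike gateway list` captures above give.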
isafterov

I faced the error which I shared below:

responder received EAP msg
2025-10-22 14:51:29.101916 ike V=root:0:IPSEC_VPN: send EAP message to FNBAM
2025-10-22 14:51:29.101952 ike V=root:0:IPSEC_: initiating EAP authentication
2025-10-22 14:51:29.101990 ike V=root:0:IPSEC_VPN: EAP user "test"
2025-10-22 14:51:29.102078 ike V=root:0:IPSEC_VPN: EAP failed for user "test"
2025-10-22 14:51:29.102156 ike V=root:0:IPSEC_VPN: EAP response is empty
2025-10-22 14:51:29.102197 ike V=root:0:IPSEC_VPN: connection expiring due to EAP failure
2025-10-22 14:51:29.102268 ike V=root:0:IPSEC_VPN: going to be deleted

funkylicious

are you using the LDAP user in the firewall rule or do you use an LDAP group that contains the test user?

"jack of all trades, master of none"
isafterov

Thank you very much — it’s working now!

I just have one more question:
when I try to connect, it takes a bit longer than expected before the VPN actually establishes.
Is this normal behavior for IKEv2 with LDAP authentication, or is there a way to make the connection process faster?

isafterov

 

EAP Method is Okay

Screenshot 2025-10-22 123633.png
