Hi all,
I have create an IPSEC dial up tunnel with Ike v2 and NAT-T. I use Forticlient to connect to it and it works well.
I have observed that some traffic are denyed cause when I send traffic across the tunnel, the user with witch Im logged (using forticlient) is not associated with the incoming traffic. I can see the IP from the private tunnel network but not the username. That causes the incoming traffic matches a deny policy, cause I use an user group in the incoming rule that permits traffic from the IPSEC interface. For example, I can see traffic from 192.168.106.x but the incoming traffic has not an user associated.
Why the username with witch Im connected to the tunnel are not matched in incoming traffic?
I attach you the tunnel configuration:
Thanks ¡¡¡
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Yes, it is a limitation because "inherit from policy" doesn't exist when using IKEv2. You can submit a new feature request for it if you want.
Regards,
Hello @fortimaster ,
- Can you please share the full-config of the policy you are using and also if the group you are using is remote-server or local group on FortiGate?
Off course Dbhavsar.
The group I'm using is local. The users belongs to the Fortigate and there are no active directory users. I attach you the required configuration:
As you can see, the policy is the same for 2 IPsec Tunnels. One is working well (it matches correctly group and IP address) but is not equal (it uses ikev1). The group is the same from both tunnels.
Thanks
Hi @fortimaster ,
- Thanks for sharing the details, I would recommend to try creating the separate policy for both tunnels and give it a try.
Hi @fortimaster,
Group specified under IPsec phase1 is XAUTH group, it is not the same as group specified in firewall policy and it will not match. If you specify group under phase1, you don't need to specify the same group in the firewall policy.
Alternatively, you can set group under phase1 to 'Inherit from policy' and specify the group in the firewall policy. https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-group-based-firewall-policy-for-Dial...
Regards,
Thanks hbac,
I can't find the XAUTH option to configure it in the CLI or in the GUI. The phase 1 doesn't accepts the set xauthtype command and the GUI does not display XAHTH option.
Who can I configure it? On the other hand, by default group specified under Phase1 is XAUTH?
# set xauthtype
command parse error before 'xauthtype'
Sorry for the confusion, XAUTH will not work with IKEv2. Based on your current configuration, you don't have to specify the group in the firewall policy.
Regards,
Thanks for your reply. I need to specify the group cause, each user group, has different permissions in the tunnel.
I have a less permissive policy for current users group an another one for network administrators. And both group users use the same tunnel. That is why I have user group in the policy.
If you want to specify groups in the firewall policy, you can use IKEv1 and follow this article: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-group-based-firewall-policy-for-Dial...
Regards,
Thanks hbac.
This tunnel was Ikev1 and it has worked fine with users. But I would like to upgrade it to v2 to do it more strong and secure. I tought that ikev2 was better than v1. You cannot filter by groups using v2?
Thanks ¡¡¡
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1688 | |
1087 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.