Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
fortimaster
Contributor II

Created on ‎03-12-2024 02:28 PM Edited on ‎03-12-2024 02:30 PM

IPSEC Tunnel doesn't match user in incoming traffic.

Hi all,


I have create an IPSEC dial up tunnel with Ike v2 and NAT-T. I use Forticlient to connect to it and it works well. 

 

I have observed that some traffic are denyed cause when I send traffic across the tunnel, the user with witch Im logged (using forticlient) is not associated with the incoming traffic. I can see the IP from the private tunnel network but not the username. That causes the incoming traffic matches a deny policy, cause I use an user group in the incoming rule that permits traffic from the IPSEC interface. For example, I can see traffic from 192.168.106.x but the incoming traffic has not an user associated.

Why the username with witch Im connected to the tunnel are not matched in incoming traffic?

I attach you the tunnel configuration:

one.JPGtwo.JPG

 

Thanks ¡¡¡

 

Labels:
2964
0 Kudos
1 Solution
hbac
Staff
Staff
In response to fortimaster

Created on ‎03-22-2024 07:57 AM

@fortimaster,

 

Yes, it is a limitation because "inherit from policy" doesn't exist when using IKEv2. You can submit a new feature request for it if you want. 

 

Regards, 

View solution in original post

2728
13 REPLIES 13
fortimaster
Contributor II
In response to hbac

Created on ‎03-22-2024 01:28 AM

Hi hbac. Ikev2 is recommended whenever possible. Could you confirm me that with this protocol I have that limitation? I am surprised cause I thought that Ikev1 is an evolution of ikev2.

729
0 Kudos
hbac
Staff
Staff
In response to fortimaster

Created on ‎03-22-2024 07:57 AM

@fortimaster,

 

Yes, it is a limitation because "inherit from policy" doesn't exist when using IKEv2. You can submit a new feature request for it if you want. 

 

Regards, 

2729
fortimaster
Contributor II
In response to hbac

Created on ‎03-22-2024 08:04 AM

Thanks hbac. I will do different tunnels to solve that limitation. Thank you very much for your help ¡

706
qx
New Contributor

Created on ‎02-21-2025 06:13 AM

I came across this thread because I also wanted to use ikev2 but regulate user privilges by firewall policies. I found this post https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-multiple-groups-with-EAP-for-IK...

Which gives instructions on how to do it, so it is definitely possible by now!

138
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.