Support Forum
alaaelrayes
New Contributor III

IPsec IKE v2 Config

Hi Team,

I have an IPsec IKEv1 remote access tunnel and I need to change it to IKEv2.

After changing it to v2 I couldn't connect to the tunnel; the logs gave the warning below:

No response from the peer, phase1 retransmit reaches maximum count

Note that we use FortiAuthenticator with FortiGate.

My Config:

set type dynamic
set interface "IPSec"
set ike-version 2
set peertype any
set net-device enable
set mode-cfg enable
set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
set dpd on-idle
set idle-timeout enable
set idle-timeoutinterval 60
set ipv4-start-ip 
set ipv4-end-ip 
set ipv4-netmask 
set dns-mode auto
set psksecret

What is the problem?

Thanks,

alaaelrayes
New Contributor III

Could anyone help me?

After entering the token it gives "VPN connection failed" in FortiClient, but there is no error in FAC.

Maybe because the client uses EAP-GTC, as shown in the pictures above?

Note that the failure from the FG debug is as below:

eap fail.JPG

fnbamd debug:

[1862] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[323] extract_success_vsas-FORTINET attr, type 1, val VPN Users 
fnbamd_dbg_hex_pnt[48] EAP msg from server (4)-03 01 00 04
[1449] fnbamd_auth_handle_radius_result-->Result for radius svr 'FortiAuthenticator' IP(1) is 0
[1608] fnbam_user_auth_group_match-req id: 952356062, server: FortiAuthenticator, local auth: 0, dn match: 0
[280] find_matched_usr_grps-Failed group matching

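An added example, not from this thread or from Fortinet: a small Python triage script that reads the fnbamd lines above (embedded as a constructed sample) and reports the first stage that failed, decoding the RADIUS reply code (2 = Access-Accept per RFC 2865), the Fortinet group VSA, the EAP code of the relayed message (3 = Success per RFC 3748) and the group-match outcome. The reading it gives for this capture, that the user authenticated but no FortiGate user group matched, is the interpretation assumed here.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the fnbamd debug lines quoted in this thread.
SAMPLE_DEBUG = """\
[1862] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[323] extract_success_vsas-FORTINET attr, type 1, val VPN Users
fnbamd_dbg_hex_pnt[48] EAP msg from server (4)-03 01 00 04
[1449] fnbamd_auth_handle_radius_result-->Result for radius svr 'FortiAuthenticator' IP(1) is 0
[1608] fnbam_user_auth_group_match-req id: 952356062, server: FortiAuthenticator, local auth: 0, dn match: 0
[280] find_matched_usr_grps-Failed group matching
"""

# Standard code points: RADIUS packet codes (RFC 2865) and EAP codes (RFC 3748).
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

@dataclass
class FnbamdSummary:
    radius_code: Optional[int] = None                    # code of the RADIUS reply fnbamd validated
    vsa_groups: List[str] = field(default_factory=list)  # Fortinet VSA type 1 (group name) values
    eap_code: Optional[int] = None                       # first byte of the EAP message sent to the client
    group_match_failed: bool = False                     # find_matched_usr_grps found no matching group

def parse_fnbamd(text: str) -> FnbamdSummary:
    """Pull the fields that decide an IKEv2 EAP/RADIUS login out of an fnbamd debug capture."""
    s = FnbamdSummary()
    for line in text.splitlines():
        if m := re.search(r"RADIUS resp code (\d+)", line):
            s.radius_code = int(m.group(1))
        elif m := re.search(r"FORTINET attr, type 1, val (.+?)\s*$", line):
            s.vsa_groups.append(m.group(1))
        elif m := re.search(r"EAP msg from server \(\d+\)-([0-9a-fA-F ]+)", line):
            s.eap_code = int(m.group(1).split()[0], 16)  # EAP header is code, id, length
        elif "Failed group matching" in line:
            s.group_match_failed = True
    return s

def diagnose(s: FnbamdSummary) -> str:
    """Name the first stage that failed, in the order fnbamd evaluates them."""
    if s.radius_code != 2:
        return f"radius did not accept: {RADIUS_CODES.get(s.radius_code, s.radius_code)}"
    if s.eap_code != 3:
        return f"eap not successful: {EAP_CODES.get(s.eap_code, s.eap_code)}"
    if s.group_match_failed:
        groups = ", ".join(s.vsa_groups) or "none"
        return f"radius accepted and eap succeeded, but RADIUS group(s) {groups} matched no FortiGate user group"
    return "ok"
```

Run `diagnose(parse_fnbamd(SAMPLE_DEBUG))` on the capture above and it points at the group-matching stage rather than at RADIUS or EAP, which is where the later policy-group observation in this thread sits.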

alaaelrayes
New Contributor III

The latest update: I configured the tunnel and I can connect, but without internet.

My policies include groups, but when I remove those groups and replace them with "All" I'm able to connect.

In my environment I don't need to remove groups from policies.

Is there a solution for this issue?

In the tunnel config there is a command that should be specified (set authgrp " "); I've added one group, but how do I add multiple groups?

policy.JPG
