altanet
New Contributor

Trying to use LDAP for user authentication of FortiClient IPsec VPN

I have tried everything I can think of. Cannot seem to get AD/LDAP credentials to process from FortiClient IPsec VPN client. Locally-stored user works fine to establish tunnel, but not LDAP.

Running on FG200B-4.0MR3(Build441). I've got multiple LDAP servers defined and can expand the tree with no problem using 'Regular' binding. F/W rule is set for Policy-based IPsec tunnel, which points to User Group, containing three variants of the same LDAP-defined user (straight username, domainname\username, and username@our.domain.name.com). I've added the multi-group option to the user config definition for this VDOM.

At this point, I don't care if a user is a member of a particular group or not, I just want to authenticate the user. Since the user has to be a firewall-defined user anyway, AD group control seems redundant.

I see on the forum folks say it works like a charm and others say it's like pulling teeth. I've seen this post (http://support.fortinet.com/forum/tm.asp?m=69588) and it comes close, but not enough detail to seal the deal. Many thanks in advance for any configuration or diagnostic suggestions.

10 Replies
AlastairHill

Hi newuser74

I did a write-up on FortiClient with Active Directory integration here:

http://www.alastairhill.co.uk/index.php/2017/05/05/forticlient-with-active-directory-integration-for...

Regards,

Alastair
