Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
QuentinR
New Contributor

Unable to authenticate with IPsec tunnel on FortiGate via Windows native client

I have setup an IPsec tunnel on our FortiGate 51E (FortiOS v6.2.10 build1263 (GA)) and I am able to connect via my Windows native client, however when I am asked for a username and password, I am getting the error "The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server."

 

I have tried different combinations of my username from the username on Active Directory, email address, domain\username, username@domain.tld, and the FortiGate user name. None of these seem to want to authenticate. Perhaps I have a configuration issue on the Windows client or on the FortiGate?

 

Also worth noting that I have the FortiGate SSL-VPN setup and using FortiClient correctly and authenticating via LDAP. So LDAP authentication between the FortiGate and Active Directory is working.

 

Configurations below:

 

config vpn l2tp
set eip 10.0.100.199
set sip 10.0.100.1
set status enable
set usrgrp "FortiClient Users"
end

 

---------------------------------------

 

config user group
edit "FortiClient Users"
set member "DC1.domain.tld" "User 1"
config match
edit 1
set server-name "DC1.domain.tld"
set group-name "CN=FortiClient.Users,OU=Security.Groups,OU=CORP,DC=domain,DC=tld"
next
end
next
end

 

---------------------------------------

 

config vpn ipsec phase1
edit "WIN-IPsec_p1"
set type dynamic
set interface "wan1"
set peertype any
set proposal aes256-md5 3des-sha1 aes192-sha1
set dhgrp 2
set psksecret ENC base64
set dpd-retryinterval 60
next
end

 

---------------------------------------

 

config vpn ipsec phase2
edit "WIN-IPsec_p2"
set phase1name "WIN-IPsec_p1"
set proposal aes256-md5 3des-sha1 aes192-sha1
set pfs disable
set encapsulation transport-mode
set keylifeseconds 3600
next
end

 

---------------------------------------

 

config firewall policy

edit 27
set name "WIN-IPsec to Internet"
set uuid ac74e9cc-6fed-51ec-7ad2-0df13b167bbe
set srcintf "vsw.FortiSwitch"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action ipsec
set schedule "always"
set service "ALL"
set fsso disable
set vpntunnel "WIN-IPsec_p1"
next

edit 28
set name "WIN-IPsec to LAN"
set uuid aea950b0-6fee-51ec-2e71-63ba80754538
set srcintf "wan1"
set dstintf "vsw.FortiSwitch"
set srcaddr "IPsec.VPNRange"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set fsso disable
set nat enable
next

 

---------------------------------------

 

config firewall address

edit "IPsec.VPNRange"
set uuid 34cf43d0-6fee-51ec-5dc2-71b54eac4587
set type iprange
set start-ip 10.0.100.1
set end-ip 10.0.100.199
next

 

---------------------------------------

 

Windows native client:

PowerShell: Get-VpnConnection -Name IPsec


Name : IPsec
ServerAddress : 1.2.3.4
AllUserConnection : False
Guid : {6DF154C4-82FB-4E4C-BE77-2908FBE2E646}
TunnelType : L2tp
AuthenticationMethod : {Eap, MsChapv2}
EncryptionLevel : Optional
L2tpIPsecAuth : Psk
UseWinlogonCredential : False
EapConfigXmlStream :
ConnectionStatus : Disconnected
RememberCredential : True
SplitTunneling : False
DnsSuffix :
IdleDisconnectSeconds : 0

 

Windows 10 IPsec is set to allow these security methods which are also defined in my phase 1 proposal:

phase.PNG

 

I was able to make some headway by changing the Windows native VPN client to use this configuration but it still fails:

 

vpn.PNG

 

After checking the event viewer in Windows I see the following events in this sequence:

 

CoId={CC3D0ED6-03D3-0002-7493-48CCD303D801}: The user domain\user has started dialing a VPN connection using a per-user connection profile named IPsec. The connection settings are:
Dial-in User =
VpnStrategy = L2TP
DataEncryption = Requested
PrerequisiteEntry =
AutoLogon = No
UseRasCredentials = Yes
Authentication Type = PAP
Ipv4DefaultGateway = Yes
Ipv4AddressAssignment = By Server
Ipv4DNSServerAssignment = By Server
Ipv6DefaultGateway = Yes
Ipv6AddressAssignment = By Server
Ipv6DNSServerAssignment = By Server
IpDnsFlags =
IpNBTEnabled = Yes
UseFlags = Private Connection
ConnectOnWinlogon = No
IPsec authentication for L2TP = Pre-shared key.

 

---------------------------------------

 

CoId={CC3D0ED6-03D3-0002-7493-48CCD303D801}: The user domain\user is trying to establish a link to the Remote Access Server for the connection named IPsec using the following device:
Server address/Phone Number = 1.2.3.4
Device = WAN Miniport (L2TP)
Port = VPN4-1
MediaType = VPN.

 

---------------------------------------

 

CoId={CC3D0ED6-03D3-0002-7493-48CCD303D801}: The user domain\user has successfully established a link to the Remote Access Server using the following device:
Server address/Phone Number = 1.2.3.4
Device = WAN Miniport (L2TP)
Port = VPN4-1
MediaType = VPN.

 

---------------------------------------

 

CoId={CC3D0ED6-03D3-0002-7493-48CCD303D801}: The link to the Remote Access Server has been established by user domain\user.

 

---------------------------------------

 

Event ID: 20291, Rasclient

IPsec requires attention.

 

---------------------------------------

 

CoId={CC3D0ED6-03D3-0002-7493-48CCD303D801}: The user domain\user dialed a connection named IPsec which has failed. The error code returned on failure is 0.

 

---------------------------------------

 

The connection is failing with event Event ID: 20291, Rasclient - IPsec requires attention.

 

 

3 REPLIES 3
QuentinR
New Contributor

Just an update. I have updated the firmware on the FortiGate 51E to version FortiOS v6.2.10 build1263 (GA) and I am still unable to authenticate.

Anonymous
Not applicable

Hello @QuentinR ,

 

             Welcome to Fortinet community and Thank you for your post. Hopefully, you've been keeping safe and doing well!

 

Would you be able to run the following debug commands, when you  try to make a VPN connection. This will give us more information from the firewall perspective.

 

diagnose debug application ike -1

diagnose debug application l2tp -1

diagnose debug enable

 

https://docs.fortinet.com/document/fortigate/6.0.0/handbook/269357/troubleshooting-l2tp-and-ipsec#Ma...

 

Hope to hear back

 

Regards

QuentinR

Hello @Anonymous 

 

Please see the results here: https://pastebin.com/0Jtfai69

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors