VPN IPSEC Dialup Connection IKE v2

Albimatta · ‎07-01-2024

Hello Guys,

I have two questions about the Ike V2 IPSEC DIalup Connection.

I want to configure in my enviroment (two fortigate 100F HA) like 150 dialup external connection. I have setup an IPSEC Tunnel (IkeV2) and set policy correctly.

I created the users locally (without any Proxy or RADIUS) and inserted in a group.

The VPN works fine but i have two questions:

- Is binding set in the IPSEC configuration the authusrgrp? because i haven't set and i won't set because if i set, every time thast the people connect appear when the people search a local ip for example, the Fortigate Auth page, and for us isn't necessary. So if i unset that is an error?

- Ikev2 works fine with the local user (i enabled the EAP)? because i haven't any other type of authentication

Thank you so much

Yurisk · ‎07-01-2024

Hi, a bit hard to understand the questions, but anyway:

- EAP is authentication, once you enable it, how further you authenticate users is up to you and security demands - if you set local user group, it will work, if you set RADIUS group - this will work too. Generally, local users with local authentication is deemed NOT best practice nowadays. What do you mean by "not setting authusrgrp" ? How does then local user authentication works? Did you set user group in rules instead?

- If you disable EAP (disabled by default), then users will only need Pre-Shared Key to connect, no user/pass will pop up, which is again - today deemed not best practice at all.

Here is an example of working IKEv2 Dial up with local users/passwords:

config user group
    edit "yurisk1grp"
        set member "yurisk1"
    next
end

config vpn ipsec phase1-interface
    edit IKEv2
        set int port1
        set type dynamic
        set ike-version 2
        set peertype any
        set mode-cfg enable
        set ipv4-start 192.168.103.0
        set ipv4-end   192.168.103.10
        set dns-mode auto
        set eap enable
        set eap-identity send-request
        set authusrgrp yurisk1grp
        set psk LSkJDFHKJfh==
    end


config vpn ipsec phase2-interface
    edit "IKEv2P2"
        set phase1name "IKEv2"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256
    next
end


And rule allowing access to LAN for ANY service (not recommended):

config firewall policy
    edit 0
        set srcint IKEv2
        set dstint port1
        set srcaddr all
        set dstaddr all
        set service ALL
        set schedule always
        set action accept
        set nat enable
        set logtraffic all
    end

Yuri https://yurisk.info/ blog: All things Fortinet, no ads.

Albimatta · ‎07-02-2024

Hi Yuri thanks for your indications, and sorry for bad explanation of questions!

So my problem is, if i set this:

set authusrgrp yurisk1grp

Everytime that the people try to reach some internal ip (like a NAS or other) appear a fgtauth webpage (although there is a group policy with the users in the group, the address range, ecc..

)

The people pass the authentication through the FortiCLient but after, if they navigate to local ip, appears the Fortigate Authentication page

So i don't wanna that this page appear everytime and if i remove this:

set authusrgrp yurisk1grp

the fgtauth page doesn't appear anymore...

hbac · ‎07-04-2024

Hi @Albimatta,

Do you have group specified as source in the firewall policy?

Regards,

Albimatta · ‎07-04-2024

Yes i specified a group and a range IP Address in a firewall Policy from Tunnel IPSEC to Internal LAN

hbac · ‎07-05-2024

Hi @Albimatta,

Group should not be specified in the firewall policy. You can specify it under IPsec phase1-interface.

Regards,

Albimatta · ‎07-04-2024

I appreciate it if someone can explain this.

I don't understand why, if i put this:

config vpn ipsec phase1-interface
edit "IPSEC_NOVA"
set type dynamic
set interface "wan1"
set ike-version 2
set peertype any
set net-device disable
set mode-cfg enable
set proposal aes128-sha256 aes256-sha256
set localid "*****"
set comments "******"
set dhgrp 5
set eap enable
set eap-identity send-request
set authusrgrp "Mygroup"
set ipv4-start-ip 192.168.55.1
set ipv4-end-ip 192.168.55.5
set dns-mode auto
set ipv4-split-include "192.168.0.0/16"
set client-keep-alive enable

and i have set a firewall policy correctly with the groups for IPSEC and the correctly range ip address, everytime appear the fgtauth (i think Captive Portal) and for remove this i must remove this string:

set authusrgrp "Mygroup"

For not showing the captive portal...

Also,in the Interface settings, the IPSEC setting have the Network - Security mode disabled...

Yurisk · ‎07-04-2024

Is this a case, by any chance, of remote users being already authenticated and connected with Forticlient, still getting the authentication pop up? Like this:

Because I've heard of such cases with 200E/400E after recent firmware upgrades, while haven't seen myself. Also no Captivate portal is enabled or used in FOrtigate.

Yuri https://yurisk.info/ blog: All things Fortinet, no ads.

Albimatta · ‎07-04-2024

Hi Yuri, is correctly. The users can authenticate with the FortiClient, and when search a internal LAN IP (like a NAS) appears the redirect fgt auth portal. But in all the settings (Interface, Users, ecc...) the captive portal is set to off.