Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Spring Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPresence
- FortiPortal
- FortiProxy
- FortiRecon
- FortiSRA
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- VPN IPSEC Dialup Connection IKE v2
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
VPN IPSEC Dialup Connection IKE v2
Hello Guys,
I have two questions about the Ike V2 IPSEC DIalup Connection.
I want to configure in my enviroment (two fortigate 100F HA) like 150 dialup external connection. I have setup an IPSEC Tunnel (IkeV2) and set policy correctly.
I created the users locally (without any Proxy or RADIUS) and inserted in a group.
The VPN works fine but i have two questions:
- Is binding set in the IPSEC configuration the authusrgrp? because i haven't set and i won't set because if i set, every time thast the people connect appear when the people search a local ip for example, the Fortigate Auth page, and for us isn't necessary. So if i unset that is an error?
- Ikev2 works fine with the local user (i enabled the EAP)? because i haven't any other type of authentication
Thank you so much
Solved! Go to Solution.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Albimatta,
Group should not be specified in the firewall policy. You can specify it under IPsec phase1-interface.
Regards,
13 REPLIES 13
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, a bit hard to understand the questions, but anyway:
- EAP is authentication, once you enable it, how further you authenticate users is up to you and security demands - if you set local user group, it will work, if you set RADIUS group - this will work too. Generally, local users with local authentication is deemed NOT best practice nowadays. What do you mean by "not setting authusrgrp" ? How does then local user authentication works? Did you set user group in rules instead?
- If you disable EAP (disabled by default), then users will only need Pre-Shared Key to connect, no user/pass will pop up, which is again - today deemed not best practice at all.
Here is an example of working IKEv2 Dial up with local users/passwords:
config user group
edit "yurisk1grp"
set member "yurisk1"
next
end
config vpn ipsec phase1-interface
edit IKEv2
set int port1
set type dynamic
set ike-version 2
set peertype any
set mode-cfg enable
set ipv4-start 192.168.103.0
set ipv4-end 192.168.103.10
set dns-mode auto
set eap enable
set eap-identity send-request
set authusrgrp yurisk1grp
set psk LSkJDFHKJfh==
end
config vpn ipsec phase2-interface
edit "IKEv2P2"
set phase1name "IKEv2"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256
next
end
And rule allowing access to LAN for ANY service (not recommended):
config firewall policy
edit 0
set srcint IKEv2
set dstint port1
set srcaddr all
set dstaddr all
set service ALL
set schedule always
set action accept
set nat enable
set logtraffic all
end
https://yurisk.info
https://yurisk.info
Created on 07-02-2024 12:31 AM Edited on 07-02-2024 04:51 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Yuri thanks for your indications, and sorry for bad explanation of questions!
So my problem is, if i set this:
set authusrgrp yurisk1grp
Everytime that the people try to reach some internal ip (like a NAS or other) appear a fgtauth webpage (although there is a group policy with the users in the group, the address range, ecc..
)
The people pass the authentication through the FortiCLient but after, if they navigate to local ip, appears the Fortigate Authentication page
So i don't wanna that this page appear everytime and if i remove this:
set authusrgrp yurisk1grp
the fgtauth page doesn't appear anymore...
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes i specified a group and a range IP Address in a firewall Policy from Tunnel IPSEC to Internal LAN
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Albimatta,
Group should not be specified in the firewall policy. You can specify it under IPsec phase1-interface.
Regards,
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After i seen this post, i remove the group from FIrewall Policy and keep only the group in phase1 and the fgtauth page disappear....thank you so much again to all!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HI @hbac @Albimatta
I can't find groups to specify them under IPsec phase1-interface. Can you guide me where exactly can i find this setting?
grazie
.
.
Created on 05-11-2025 02:46 AM Edited on 05-11-2025 02:47 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @iamirreza13 , It is possible Group Setting is visible on CLI only, once you are in the GUI editing Phase1 interface - to the right you will see button "Edit in CLI", click on it, it will open the Phase1-interface in config mode, just enter the command:
set authusrgrp yurisk1grp
where instead of yurisk1grp you put your group of users you created previously.
https://yurisk.info
https://yurisk.info
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HI @Yurisk thanks for the insight
yes seems like i can only config it with CLI and it did work for local users i had on fortigate and from what i read seems like it works with RADIUS too but i authenticate users with LDAP and when i try a user from LDAP it can't connect to the tunnel. what's your suggestion in this case.
also i have some other question can you please answer them:
1- on android forticlient i didn't see any option for user and pass but when it's only pre shared key it works. when i turn the EAP on it doesn't ask for pass and can't connect. what can i do?
2- i've used this config:
set eap enable
set eap-identity [use-id-payload|send-request]
set acct-verify [enable|disable]
set authusrgrp "ExampleGroup"
i can only connect when identity is on send request. when i try "use-id-payload" i get time out. whats the difference between these two?
grazie mille.
.
.
Labels
-
FortiGate
9,854 -
FortiClient
2,007 -
FortiManager
837 -
5.2
801 -
FortiAnalyzer
647 -
5.4
639 -
FortiSwitch
542 -
FortiAP
527 -
FortiClient EMS
506 -
6.0
416 -
5.6
362 -
FortiMail
357 -
SSL-VPN
330 -
IPsec
324 -
6.2
251 -
FortiNAC
244 -
FortiAuthenticator v5.5
234 -
FortiWeb
234 -
5.0
196 -
SD-WAN
164 -
FortiGuard
155 -
FortiAuthenticator
146 -
6.4
128 -
Firewall policy
120 -
FortiGateCloud
112 -
FortiSIEM
109 -
FortiCloud Products
108 -
FortiToken
102 -
Wireless Controller
91 -
Customer Service
85 -
FortiGate-VM
78 -
High Availability
76 -
FortiProxy
73 -
ZTNA
69 -
FortiEDR
65 -
VLAN
65 -
4.0MR3
64 -
Fortivoice
64 -
Routing
61 -
DNS
61 -
FortiADC
60 -
SAML
59 -
Authentication
55 -
BGP
55 -
radius
54 -
Certificate
53 -
FortiSandbox
51 -
LDAP
50 -
NAT
49 -
FortiExtender
47 -
SSO
47 -
FortiDNS
43 -
FortiLink
42 -
VDOM
38 -
FortiGate v5.4
37 -
Application control
37 -
Logging
36 -
FortiSwitch v6.4
35 -
Interface
35 -
FortiConnect
34 -
FortiWAN
31 -
Virtual IP
31 -
Web profile
30 -
FortiPAM
29 -
FortiGate v5.2
27 -
FortiConverter
27 -
SSL SSH inspection
25 -
Traffic shaping
24 -
FortiPortal
23 -
Automation
23 -
Static route
23 -
FortiGate Cloud
22 -
SSID
22 -
FortiSwitch v6.2
20 -
SNMP
20 -
FortiMonitor
19 -
WAN optimization
19 -
API
18 -
OSPF
17 -
System settings
17 -
Web application firewall profile
16 -
FortiDDoS
15 -
Admin
15 -
Security profile
15 -
FortiAP profile
15 -
IP address management - IPAM
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
FortiCASB
14 -
IPS signature
14 -
Proxy policy
13 -
Intrusion prevention
13 -
FortiManager v4.0
12 -
Explicit proxy
12 -
Traffic shaping policy
12 -
Web rating
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Port policy
11 -
FortiWeb v5.0
10 -
FortiBridge
10 -
Users
10 -
Traffic shaping profile
10 -
Fabric connector
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiDeceptor
9 -
FortiAnalyzer v5.0
9 -
RMA Information and Announcements
9 -
DNS filter
9 -
trunk
9 -
Fortinet Engage Partner Program
9 -
FortiCache
8 -
Antivirus profile
8 -
4.0
7 -
Application signature
7 -
Authentication rule and scheme
7 -
FortiToken Cloud
6 -
Packet capture
6 -
NAC policy
6 -
VoIP profile
6 -
FortiCarrier
5 -
FortiScan
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
Vulnerability Management
4 -
FortiDB
3 -
FortiHypervisor
3 -
Kerberos
3 -
FortiNDR
3 -
Multicast policy
3 -
FortiInsight
2 -
FortiAI
2 -
Video Filter
2 -
File filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
FortiEdge Cloud
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Virtual wire pair
1 -
FortiEdge
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2336 | |
| 1267 | |
| 776 | |
| 457 | |
| 453 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.