- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiGate Cloud
- FortiExtender
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- FortiWebCloud
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- VPN IPSEC Dialup Connection IKE v2
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
VPN IPSEC Dialup Connection IKE v2
Hello Guys,
I have two questions about the Ike V2 IPSEC DIalup Connection.
I want to configure in my enviroment (two fortigate 100F HA) like 150 dialup external connection. I have setup an IPSEC Tunnel (IkeV2) and set policy correctly.
I created the users locally (without any Proxy or RADIUS) and inserted in a group.
The VPN works fine but i have two questions:
- Is binding set in the IPSEC configuration the authusrgrp? because i haven't set and i won't set because if i set, every time thast the people connect appear when the people search a local ip for example, the Fortigate Auth page, and for us isn't necessary. So if i unset that is an error?
- Ikev2 works fine with the local user (i enabled the EAP)? because i haven't any other type of authentication
Thank you so much
2 REPLIES 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, a bit hard to understand the questions, but anyway:
- EAP is authentication, once you enable it, how further you authenticate users is up to you and security demands - if you set local user group, it will work, if you set RADIUS group - this will work too. Generally, local users with local authentication is deemed NOT best practice nowadays. What do you mean by "not setting authusrgrp" ? How does then local user authentication works? Did you set user group in rules instead?
- If you disable EAP (disabled by default), then users will only need Pre-Shared Key to connect, no user/pass will pop up, which is again - today deemed not best practice at all.
Here is an example of working IKEv2 Dial up with local users/passwords:
config user group
edit "yurisk1grp"
set member "yurisk1"
next
end
config vpn ipsec phase1-interface
edit IKEv2
set int port1
set type dynamic
set ike-version 2
set peertype any
set mode-cfg enable
set ipv4-start 192.168.103.0
set ipv4-end 192.168.103.10
set dns-mode auto
set eap enable
set eap-identity send-request
set authusrgrp yurisk1grp
set psk LSkJDFHKJfh==
end
config vpn ipsec phase2-interface
edit "IKEv2P2"
set phase1name "IKEv2"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256
next
end
And rule allowing access to LAN for ANY service (not recommended):
config firewall policy
edit 0
set srcint IKEv2
set dstint port1
set srcaddr all
set dstaddr all
set service ALL
set schedule always
set action accept
set nat enable
set logtraffic all
end
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
Created on 07-02-2024 12:31 AM Edited on 07-02-2024 04:51 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Yuri thanks for your indications, and sorry for bad explanation of questions!
So my problem is, if i set this:
set authusrgrp yurisk1grp
Everytime that the people try to reach some internal ip (like a NAS or other) appear a fgtauth webpage (although there is a group policy with the users in the group, the address range, ecc..
)
The people pass the authentication through the FortiCLient but after, if they navigate to local ip, appears the Fortigate Authentication page
So i don't wanna that this page appear everytime and if i remove this:
set authusrgrp yurisk1grp
the fgtauth page doesn't appear anymore...
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- RDP Sessions randomly dropping over IPSEC... 135 Views
- Fortinetclient SSL VPN Unable to use... 438 Views
- Forticlient (ZTNA) for ARM? 208 Views
- Need help to debug IPSEC VPN 222 Views
Labels
-
FortiGate
7,200 -
FortiClient
1,422 -
5.2
801 -
5.4
639 -
FortiManager
621 -
FortiAnalyzer
461 -
6.0
416 -
FortiAP
377 -
FortiSwitch
375 -
5.6
362 -
FortiClient EMS
291 -
FortiMail
281 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
177 -
FortiNAC
129 -
6.4
128 -
FortiGuard
117 -
IPsec
111 -
SSL-VPN
109 -
FortiGateCloud
98 -
FortiSIEM
94 -
FortiCloud Products
90 -
FortiToken
77 -
Customer Service
71 -
Wireless Controller
66 -
4.0MR3
64 -
SD-WAN
51 -
FortiProxy
49 -
FortiEDR
46 -
FortiADC
45 -
Fortivoice
44 -
FortiDNS
40 -
FortiGate v5.4
36 -
FortiExtender
35 -
FortiAuthenticator
35 -
Firewall policy
35 -
FortiSandbox
34 -
FortiSwitch v6.4
32 -
High Availability
32 -
VLAN
31 -
DNS
25 -
FortiWAN
24 -
FortiConnect
24 -
ZTNA
23 -
LDAP
22 -
FortiConverter
22 -
Certificate
21 -
BGP
21 -
SAML
20 -
FortiGate v5.2
20 -
FortiPortal
18 -
Routing
18 -
Interface
18 -
FortiSwitch v6.2
17 -
Authentication
17 -
VDOM
17 -
FortiMonitor
15 -
FortiLink
15 -
FortiGate v5.0
14 -
Fortigate Cloud
14 -
NAT
14 -
FortiDDoS
14 -
Logging
14 -
RADIUS
13 -
SSL SSH inspection
12 -
FortiCASB
12 -
Web profile
11 -
Traffic shaping
11 -
Application control
11 -
SSO
10 -
Virtual IP
10 -
FortiRecorder
10 -
SSID
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
OSPF
9 -
WAN optimization
9 -
4.0MR2
9 -
RMA Information and Announcements
8 -
FortiSOAR
8 -
IP address management - IPAM
8 -
FortiAnalyzer v5.0
8 -
FortiBridge
8 -
SNMP
8 -
FortiGate v4.0 MR3
8 -
Security profile
7 -
FortiAP profile
7 -
Automation
7 -
4.0
7 -
Admin
7 -
Web application firewall profile
7 -
Static route
6 -
Proxy policy
6 -
Traffic shaping policy
6 -
IPS signature
5 -
Packet capture
5 -
System settings
5 -
DNS Filter
5 -
FortiCache
5 -
FortiManager v4.0
5 -
trunk
5 -
FortiDeceptor
4 -
FortiDirector
4 -
Web rating
4 -
Intrusion prevention
4 -
Port policy
4 -
Antivirus profile
4 -
Traffic shaping profile
4 -
Fortinet Engage Partner Program
4 -
FortiPAM
4 -
FortiCarrier
4 -
3.6
4 -
FortiTester
4 -
FortiScan
4 -
DLP sensor
4 -
Email filter profile
3 -
Fabric connector
3 -
NAC policy
3 -
Users
3 -
Multicast routing
3 -
FortiToken Cloud
3 -
Application signature
3 -
DLP Dictionary
3 -
FortiDB
3 -
DLP profile
3 -
DoS policy
3 -
FortiInsight
2 -
Netflow
2 -
Protocol option
2 -
FortiAI
2 -
FortiHypervisor
2 -
Authentication rule and scheme
2 -
VoIP profile
2 -
Explicit proxy
2 -
Internet Service Database
2 -
4.0MR1
1 -
RIP
1 -
Multicast policy
1 -
FortiCWP
1 -
Kerberos
1 -
Zone
1 -
Subscription Renewal Policy
1 -
FortiNDR
1 -
TACACS
1 -
Replacement messages
1 -
Schedule
1 -
FortiManager-VM
1 -
SDN connector
1 -
Service
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1078 | |
| 892 | |
| 529 | |
| 441 | |
| 152 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.