Hi,
I've created an L2TP/IPsec VPN connection for Remote Users. Authentication is provided by LDAP.
Unfortunately, during P1 negotiations I get the error 'XAUTH Authentication Failed' returned on the Firewall. This is also reflected on the client's machine, with the error 'Wrong Credentials' being displayed in FortiClient.
I attempted to create a local user with local firewall authentication but I get the same error message.
If anyone has any ideas on what this could be, I would be grateful. It's driving me nuts.
Kind regards
Michael
A snippet of what you have configured for either LDAP or local-user would be helpful.
For the former you have a few diag test commands that you can explore for check user/password
e.g.
FGT100DNYCNYNY4 (root) $ diag test authserver ldap "MYLDAPSERV" ken.felix MYPASSWORDHERE
authenticate 'ken.felix' against 'MYLDAPSERV' succeeded!
( output is redacted )
Using this approach, validate the
1: search binding
2: username
3: password
4: communication path
Ken
PCNSE
NSE
StrongSwan
Hi Ken,
We're running 2 x 100D in HA. Both are running a variant of 5.2.
I've created a LDAP connection to a primary DC. I'm able to test the connection to the DC via the GUI. The test runs successfully.
I'm able to query to CN and pull the user information from the CN.
The LDAP Server is titled Primary_LDAP.
I've then created a new user account from 'Users'. I've queried Primary_LDAP and selected the required user from the CN.
I created a User Group called LDAP_User_Group and put the user into this group and added Primary_LDAP as the remote server.
In the VPN XAUTH setup I have selected Primary_LDAP to authenticate. I've also added the LDAP_User_Group to the source of the VPN policy.
I ran your test and it failed to authenticate the LDAP user. Local Firewall users also do not work with the VPN connection.
Any ideas greatly appreciated.
Kind regards
Michael
Hi,
I've managed to fix the Authentication issue. Replaced cn with sAMAccountName in the LDAP setup.
Just looking at P2 errors now.
The joy.
Cheers
Michael
Hi,
The VPN is all working.
I don't suppose you know if there is a way to get the standard Windows VPN client to work with the Fortigate? Forticlient works a treat but I would ideally like to be able to use the Windows Client.
Cheers
Michael
For IPsec/L2TP, Windows clients will work. This is an older blog post of mine, but the concept is the same across all FortiOS versions:
http://socpuppet.blogspot.com/2013/02/l2tp-setup-fortigate-200b-mr3p12.html
PCNSE
NSE
StrongSwan
Thanks for the link Ken. Much appreciated.
I've not had much luck with the Windows VPN Client setup. I've tried all sorts of variations of encryption/authentication.
I only have limited access to the Firewall so I cannot perform any debugs and the VPN logs tell me nothing. At an educated guess, I would say there is a mismatch in P1 proposals or it's just getting to the stage of authenticating the user but does not know what to do.
Thanks
On Windows, and even macOS or mobile devices, it's all in the proposal and algo/ciphers. If in doubt, allow all and then filter off the proposals after finding what the client actually uses for L2TP/IPsec.
I will draft a new post as an update, with newer Windows versions.
;)
Ken
PCNSE
NSE
StrongSwan
Thanks Ken.
If you do manage to stumble across any encryption/authentication details for the standard Windows 10 VPN client whilst completing your draft - please give me a shout :)
Cheers
Michael
Hi Michael,
In the L2TP/IPsec setup there should be a user group and auth in L2TP.
IPsec/phase2 should be in transport mode ... "set encapsulation transport-mode".
And the combo with LDAP reminds me that the PPTP/L2TP protocols support the PAP auth protocol only, no CHAP by design.
Not sure if it's still in there, but the FortiOS CLI guide had a clear statement ...
--- cit ---
"LDAP user authentication is supported for PPTP, L2TP, IPSec VPN, and firewall authentication. With PPTP, L2TP, and IPSec VPN, PAP (Packet Authentication Protocol) is supported and CHAP (Challenge Handshake Authentication Protocol) is not."
--- cit ---
MS Windows uses MSCHAP or MSCHAPv2 by default! Android 2.3.5 and above uses the MSCHAP protocol.
AUTHENTICATION TEST RESULTS:
- local user - OK
- LDAP - not working (as expected and documented)
- Radius - OK
MS Windows and how to change the host authentication method - step 11 shows where to change the auth method: http://kb.cyberoam.com/default.asp?id=1941&Lang=1&SID=#MSWindowsXPConfiguration
If you do not have to use L2TP, then I'd strongly recommend using IPsec only.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
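Two points in this thread are easier to see in code than in prose: Michael's fix of swapping cn for sAMAccountName in the LDAP server settings, and Tomas's note that L2TP only works with PAP because CHAP cannot be verified through an LDAP bind. The following Python model is an added example, not code from the thread, from FortiOS, or from Fortinet. It simulates an LDAP server that can only search and bind (the way a FortiGate uses one), a constructed AD-style entry, and the PAP and CHAP (RFC 1994, MD5) checks; the class and function names and the sample entry are all hypothetical.

```python
import hashlib

# Constructed sample data (not from the thread): one AD-style entry whose
# display name (cn) differs from the login name (sAMAccountName).
SIMULATED_ENTRIES = {
    "CN=Michael Smith,OU=Users,DC=example,DC=com": {
        "cn": "Michael Smith",
        "sAMAccountName": "msmith",
        "_password": "correct-horse",   # held only so the toy can answer a bind
    },
}


class BindOnlyDirectory:
    """Stand-in for an LDAP server as the FortiGate uses it: search for one
    attribute value, then simple-bind as the DN found. It never hands out
    the stored password; it can only say yes/no to a bind attempt."""

    def __init__(self, entries):
        self._entries = entries

    def search(self, base_dn, attribute, value):
        return [dn for dn, attrs in self._entries.items()
                if dn.endswith(base_dn) and attrs.get(attribute) == value]

    def bind(self, dn, password):
        entry = self._entries.get(dn)
        return entry is not None and entry["_password"] == password


class SecretHoldingStore:
    """Stand-in for a backend that can return the cleartext secret (a local
    user table, or a RADIUS server with a reversible store), which is what
    a CHAP verifier needs."""

    def __init__(self, users):
        self._users = users

    def get_secret(self, username):
        return self._users.get(username)


def ldap_user_auth(directory, cnid, base_dn, username, password):
    """Model of the FortiGate bind flow: search '(cnid=username)' under
    base_dn, then bind as the single match with the user's password.
    cnid is the configured common-name identifier attribute (cn or
    sAMAccountName in this thread)."""
    matches = directory.search(base_dn, cnid, username)
    if len(matches) != 1:       # no match (or an ambiguous one): nothing to bind as
        return False
    return directory.bind(matches[0], password)


def chap_response(identifier, secret, challenge):
    """CHAP with MD5 (RFC 1994): Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def pap_verify(backend, cnid, base_dn, username, password):
    """PAP delivers the cleartext password, so an LDAP bind can check it."""
    return ldap_user_auth(backend, cnid, base_dn, username, password)


def chap_verify(backend, username, identifier, challenge, response):
    """CHAP delivers only a hash. Verifying it means recomputing it, which
    requires the cleartext secret; a bind-only directory cannot supply one,
    so the check fails regardless of whether the user's password is right."""
    if not hasattr(backend, "get_secret"):
        return False
    secret = backend.get_secret(username)
    if secret is None:
        return False
    return chap_response(identifier, secret, challenge) == response


if __name__ == "__main__":
    ad = BindOnlyDirectory(SIMULATED_ENTRIES)
    base = "DC=example,DC=com"
    # cnid=cn: the login name 'msmith' matches no cn, so the bind never happens
    print("cn lookup:", ldap_user_auth(ad, "cn", base, "msmith", "correct-horse"))
    print("sAMAccountName lookup:", ldap_user_auth(ad, "sAMAccountName", base, "msmith", "correct-horse"))
    # CHAP: verifiable against a secret-holding store, never against an LDAP bind
    challenge = b"\x01\x02\x03\x04"
    resp = chap_response(7, "correct-horse", challenge)
    print("CHAP vs local store:", chap_verify(SecretHoldingStore({"msmith": "correct-horse"}), "msmith", 7, challenge, resp))
    print("CHAP vs LDAP bind:", chap_verify(ad, "msmith", 7, challenge, resp))
```

Run as a script, the first lookup fails and the second succeeds, which is the cn versus sAMAccountName problem: users type their login name, and the search attribute has to be the one that holds it. The CHAP half shows why the "LDAP - not working" test result above is structural rather than a misconfiguration: the authenticator only ever receives a hash, and the only question an LDAP server answers is "does this cleartext password bind as this DN", so there is nothing it can check.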