AD91
New Contributor

Dialup IPsec VPN with IKEv2 using FortiClient, FortiGate and FortiAuthenticator

Dear All,

 

Hope you are doing good!

 

Current Scenario:

We are using FortiClient for dial-up IPsec VPN using IKEv1 with two-factor authentication.

FortiGate tunnels are authenticated via RADIUS (PAP) from FAC.

Forticlient ---> FortiGate -->(Radius)-> FortiAuthenticator

 

FortiClient version: 6.4

FortiGate: 200E, firmware 6.4.3

FortiAuthenticator: 300F, firmware 6.3.2

 

Required Scenario:

We need to shift to IKEv2 and made the following changes to the existing tunnel, but the tunnel didn't connect.

  • set ike-version 2
  • set eap enable
  • set eap-identity send-request

RADIUS between FG and FAC:

Changed the authentication method from PAP to MSCHAPv2 on FG and to PEAP in the FAC RADIUS policies (RADIUS connection successful).

 

Troubleshooting:

IKEv2 VPN successfully connects with a local user on the firewall.

Found a mismatched authentication method on FAC in the debug logs.

 

If anyone has an idea about this, please guide.

 

Regards,

AD
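For reference, here is the FortiGate side of the "Required Scenario" above written out as a complete CLI configuration. This is an added example, not configuration posted by AD91; the object names ("FAC-RADIUS", "VPN-2FA-Users", "Dialup-IKEv2"), the interface "wan1", the FAC address 203.0.113.10 and the client address pool are assumptions. The FortiAuthenticator RADIUS client and policy are configured in the FAC GUI and are not shown.

```fortios
# Added example (not from the original post). Assumed names: "FAC-RADIUS",
# "VPN-2FA-Users", "Dialup-IKEv2", interface "wan1", FAC at 203.0.113.10,
# client pool 10.212.134.1-10.212.134.200. FortiGate side only.

# RADIUS server object pointing at FortiAuthenticator.
# IKEv2 EAP from FortiClient is EAP-MSCHAPv2, so the server object must use
# ms_chap_v2 rather than the pap setting used with the IKEv1/XAuth tunnel.
config user radius
    edit "FAC-RADIUS"
        set server "203.0.113.10"
        set secret "<shared-secret>"
        set auth-type ms_chap_v2
    next
end

# User group that the tunnel authenticates against; its member is the
# RADIUS server, so every EAP identity is forwarded to FAC.
config user group
    edit "VPN-2FA-Users"
        set member "FAC-RADIUS"
    next
end

# Dial-up IKEv2 phase 1 with EAP. The gateway itself is still authenticated
# by the pre-shared key; the user is authenticated by EAP against authusrgrp.
config vpn ipsec phase1-interface
    edit "Dialup-IKEv2"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set mode-cfg enable
        set proposal aes256-sha256
        set dhgrp 14
        set eap enable
        set eap-identity send-request
        set authusrgrp "VPN-2FA-Users"
        set ipv4-start-ip 10.212.134.1
        set ipv4-end-ip 10.212.134.200
        set ipv4-netmask 255.255.255.0
        set psksecret "<pre-shared-key>"
    next
end

config vpn ipsec phase2-interface
    edit "Dialup-IKEv2-p2"
        set phase1name "Dialup-IKEv2"
        set proposal aes256-sha256
        set dhgrp 14
    next
end
```

The three lines from the post (`set ike-version 2`, `set eap enable`, `set eap-identity send-request`) only change the IKE side; the `auth-type` on the `user radius` object and the matching policy on FAC must agree with them, which is the mismatch the thread goes on to discuss.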

 

 

Debbie_FTNT
Staff

Hey AD91,

If you're using MSCHAPv2 on FortiGate, you need to ensure FortiAuthenticator is joined to the domain, so it can send the hashed password to AD to cross-check; if FortiAuthenticator is not joined to the domain it can only authenticate local users via MSCHAPv2, remote users via PAP.

 

I would suggest the following:

- test VPN with a local user on FortiAuthenticator

-> that might require changing the RADIUS policy to use the local realm, not a remote realm

- join FortiAuthenticator to domain (https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-Joining-FortiAuthenticator-in-the...)

 

If you're still getting failures, can you provide the specific error message you get (beyond 'mismatched authentication method')?

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
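One way to test the point in the reply above (whether FAC will accept MSCHAPv2 for a given realm) without involving IKE at all is the FortiGate's built-in RADIUS test command, followed by the daemon debugs while FortiClient connects. This is an added example, not commands posted in the thread; the server object name "FAC-RADIUS" and the user "jdoe" are assumptions.

```fortios
# Added example (not from the original thread). Assumed names: RADIUS server
# object "FAC-RADIUS", test user "jdoe". Run on the FortiGate CLI.

# 1. Exercise the RADIUS method directly. Run both forms against the same
#    user: if pap succeeds and mschap2 fails for a remote (AD/LDAP) user,
#    FAC cannot verify MSCHAPv2 for that realm and the IKEv2 EAP tunnel
#    will fail regardless of the phase1 settings.
diagnose test authserver radius FAC-RADIUS mschap2 jdoe <password>
diagnose test authserver radius FAC-RADIUS pap jdoe <password>

# 2. Watch the authentication daemon (fnbamd) and IKE during a real
#    FortiClient connection attempt to see which side rejects the exchange.
diagnose debug reset
diagnose debug application fnbamd -1
diagnose debug application ike -1
diagnose debug enable

# ... connect with FortiClient, then stop the debugs:
diagnose debug disable
diagnose debug reset
```

The `diagnose test authserver` result is the quickest way to separate a FAC realm/policy problem from an IKEv2 problem: a user that passes the test with `mschap2` but still cannot connect points at the phase1/EAP configuration, while a user that only passes with `pap` points at the FAC side (domain join or local-realm policy, as described in the reply).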
AD91
New Contributor

Dear Debbie,

 

Good day to you!

 

Thanks for your quick response.

We have already tested your advised scenario with local user & local realm radius policies on FAC but failed to connect. FAC general logs and debug logs are attached for your reference.

 

[Attachment: AD91_0-1655795754860.jpeg]

[Attachment: AD91_1-1655795778448.jpeg]

 

Appreciate your quick response.

 

Regards,

AD

 

Debbie_FTNT

Hey AD,

Do you see that error 'unable to find matching authpolicy' after each VPN connection attempt?

From the way you took the screenshot, I can see that error, and underneath a new authentication attempt, but I don't know what the error belongs to, and what error the new authentication attempt might result in.

If you get that 'unable to find matching authpolicy' error throughout, that means there is no suitable RADIUS policy for that client and the authentication (EAP-TLS? MAB?) it wants to attempt.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
AD91
New Contributor

Dear Debbie,

 

Really appreciate your quick response,

 

I have checked my RADIUS policies and found no check on MAB & EAP-TLS; this means FortiClient is using EAP-TLS but we use PEAP on FAC.

If we enable certificate-based authentication (EAP-TLS) on FAC, how will it work with the FortiClient dial-up IPsec tunnel?

 

[Attachment: AD91_0-1655804779568.jpeg]

Thank you!

Debbie_FTNT

Hey AD,

 

If you switch to EAP-TLS on FortiAuthenticator (or create a new RADIUS policy with EAP-TLS instead), FortiAuthenticator should then try to confirm the client certificate; this setup is a bit more complex on FortiAuthenticator.

For 802.1x authentication you would have to import remote users (from AD for example) and define certificate bindings:

-> define what certificate subject is expected (the user's CN, or DN, or sAMAccountName, or mail, or whatever)

-> define what CA should have signed the user's certificate

--> you might have to import the CA as remote CA to FortiAuthenticator so that the Authenticator trusts it

More details on EAP-TLS in FortiAuthenticator: https://docs.fortinet.com/document/fortiauthenticator/5.5.0/cookbook/551938/wired-802-1x-eap-tls-wit...
This is a somewhat older article, but aside from RADIUS policy/profile the setup should be identical.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
NAN_JET_1213
New Contributor

After struggling with attempting to get this configured myself recently, I was able to finally get it working. Initially we were on FortiAuthenticator 6.4.4 which had an unlisted bug that was noted and resolved in FortiAuthenticator 6.4.6. The bug in question is 846732 with description '2FA support for FortiClient IKEv2 VPN is broken.'.

https://docs.fortinet.com/document/fortiauthenticator/6.4.6/release-notes/279684/resolved-issues#Res...

 

We now have a working dial-up IKEv2 IPsec VPN using FortiClient/EMS, FortiGate, and FortiAuthenticator.

 

I just wanted to post this in the event anyone finds this and is on an affected version of code for the bug.
