Description

When a network has one or multiple branch offices with one centralized LDAP server that is reachable through the VPN established between the branch office's FortiGate and the headquarters' FortiGate, the remote server can be used to authenticate local users on the branch office. However, if the VPN has phase-2 quick selectors (as is usual), the communication between the branch office's FortiGate and the remote server might fail because the source IP used (usually the WAN interface IP address) does not match the quick selectors defined on the phase 2.
Solution

To solve this issue, the source IP address of the packets generated by the FortiGate toward the LDAP server must be the IP address assigned to the local LAN interface (the subnet allowed by the quick selectors). In the example shown above, the source IP address must be 192.168.2.1.
Depending on what type of service is trying to be reached on the remote server (LDAP or FSSO), the source IP must be defined on one profile or the other:
1) To reach the LDAP server:

config user ldap
    edit <Server_Name>
        set source-ip 192.168.2.1
    next
end

2) To use the FSSO profile (Agent mode):

config user fsso
    edit <Profile_Name>
        set source-ip 192.168.2.1
    next
end
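The selector mismatch described above can be checked before touching the FortiGate. The following Python script is an added example, not part of the Fortinet article: it models the phase-2 quick selectors of the branch tunnel and reports whether the address the FortiGate would use as source for LDAP traffic is carried by the tunnel at all. All values are constructed: a local selector 192.168.2.0/24 towards the headquarters subnet 10.0.0.0/24, an LDAP server at 10.0.0.10, and a branch WAN address of 203.0.113.5.

```python
import ipaddress

# Constructed phase-2 quick selectors of the branch-to-HQ tunnel, expressed with
# the src-subnet / dst-subnet names used under "config vpn ipsec phase2-interface".
PHASE2_SELECTORS = [
    {"src-subnet": "192.168.2.0/24", "dst-subnet": "10.0.0.0/24"},
]

# Constructed addresses for the example.
LDAP_SERVER = "10.0.0.10"   # LDAP server behind the headquarters FortiGate
WAN_IP = "203.0.113.5"      # branch FortiGate WAN address (used when no source-ip is set)
LAN_IP = "192.168.2.1"      # branch FortiGate LAN address (the value the article sets as source-ip)


def selects(selectors, src_ip, dst_ip):
    """Return True if a packet src_ip -> dst_ip matches any phase-2 quick selector."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    return any(
        src in ipaddress.ip_network(sel["src-subnet"])
        and dst in ipaddress.ip_network(sel["dst-subnet"])
        for sel in selectors
    )


def check_source_ip(selectors, source_ip, ldap_server, wan_ip):
    """Report the effective source address and whether the tunnel carries it.

    source_ip=None models an LDAP or FSSO profile without 'set source-ip';
    following the article, the FortiGate then usually sources from the WAN address.
    """
    effective = source_ip or wan_ip
    return {"source": effective, "in_tunnel": selects(selectors, effective, ldap_server)}


def usable_source_ips(selectors, candidate_ips, ldap_server):
    """From the FortiGate's own interface addresses, list those valid as 'set source-ip'."""
    return [ip for ip in candidate_ips if selects(selectors, ip, ldap_server)]


if __name__ == "__main__":
    # Without source-ip the LDAP packets leave with the WAN address and miss the selectors.
    print(check_source_ip(PHASE2_SELECTORS, None, LDAP_SERVER, WAN_IP))
    # With source-ip set to the LAN address the packets match the selectors.
    print(check_source_ip(PHASE2_SELECTORS, LAN_IP, LDAP_SERVER, WAN_IP))
    print(usable_source_ips(PHASE2_SELECTORS, [WAN_IP, LAN_IP], LDAP_SERVER))
```

Run with the FortiGate's real selectors and interface addresses substituted for the constructed ones; an empty result from usable_source_ips means no interface address satisfies the quick selectors and the phase-2 definition itself needs widening, not just the source-ip setting.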