Description
This article describes the feature when IPsec Dialup users can bind the IP on the RADIUS server using the Framed IP option.
In this case, the RADIUS server is configured on FortiAuthenticator and the FortiGate IPsec dialup tunnel will be configured.
Scope
Framed IP address for IPsec dialup users.
Solution
RADIUS server configuration on FortiAuthenticator:
To use the remote users for RADIUS, choose LDAP as RADIUS users.
- Configuring LDAP server on FortiAuthenticator:
To import the LDAP users go to Authentication -> User Management -> Remote Users -> Import then select the LDAP server created earlier and import the users.
In this example 'sslvpn1' and 'sslvpn2'.
-
Configuring the Framed IP for these users:
Make sure to select the vendor as Default and search for 'Framed-IP-Address' attribute.Configure the IP address to lease the wanted user during the dialup IPsec VPN connection. -
Configuring User Group:
-
Configuring Realm:
-
Configuring RADIUS client:
-
Configuring FortiGate as a RADIUS client:
-
Configuring RADIUS group:
Make sure to configure the RADIUS group as same as configured on RADIUS server
In this example 'windows'.
8. Configuring dialup IPsec VPN:
Enable the mode-cfg and from the CLI set the 'assign-ip-from' to 'usrgrp'.
To push static DNS (IPV4) DNS to VPN client, set the command 'set ipv4-dns-server1 x.x.x.x'
Below are the CLI commands:config vpn ipsec phase1-interface
edit "MFVPN"
set type dynamic
set interface /port1'
set mode aggressive
set peertype one
set mode-cfg enable
set ipv4-dns-server1 10.40.9.76
set proposal aes128-sha1 aes256-sha1
set dhgrp 5
set xauthtype pap
set authusrgrp 'windows'
set peerid 'TEST'
set net-device enable
set assign-ip-from usrgrp
set psksecret ENC BHphWjwiiDQgH07ApjAx
next
end9. Configuring the IPV4 firewall policies:
10. FortiClient Configuration:
The below commands be used on FortiGate to further troubleshoot:
diag debug application ike -1
diag debug application fnbamd -1
diag debug enable
(part of IKE debug attached):ike 0::24: received peer identifier FQDN 'TEST' PEER id match
ike 0: IKEv1 Aggressive, comes 10.5.22.160:1011->10.5.22.168 3
ike 0:bd8030e1f93a0f27/0000000000000000:24: negotiation result
ike 0:bd8030e1f93a0f27/0000000000000000:24: proposal id = 1:
ike 0:bd8030e1f93a0f27/0000000000000000:24: protocol id = ISAKMP:
ike 0:bd8030e1f93a0f27/0000000000000000:24: trans_id = KEY_IKE.
ike 0:bd8030e1f93a0f27/0000000000000000:24: encapsulation = IKE/none
ike 0:bd8030e1f93a0f27/0000000000000000:24: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:bd8030e1f93a0f27/0000000000000000:24: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:bd8030e1f93a0f27/0000000000000000:24: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:bd8030e1f93a0f27/0000000000000000:24: type=OAKLEY_GROUP, val=MODP1536.
ike 0:bd8030e1f93a0f27/0000000000000000:24: ISAKMP SA lifetime=86400
ike 0:bd8030e1f93a0f27/0000000000000000:24: SA proposal chosen, matched gateway MFVPN
ike 0:MFVPN:24: received NAT-D payload type 20
ike 0:MFVPN:24: received NAT-D payload type 20
ike 0:MFVPN:24: received p1 notify type INITIAL-CONTACT
ike 0:MFVPN:24: PSK authentication succeeded
ike 0:MFVPN:24: authentication OK
ike 0:MFVPN:24: NAT detected: PEER
ike 0:MFVPN:24: remote port change 1011 -> 64916
ike 0:MFVPN: adding new dynamic tunnel for 10.5.22.160:64916
ike 0:MFVPN_0: added new dynamic tunnel for 10.5.22.160:64916
ike 0:MFVPN_0:24: established IKE SA bd8030e1f93a0f27/6142f3392c86e077
ike 0:MFVPN_0:24: processing INITIAL-CONTACT
ike 0:MFVPN_0: flushing
ike 0:MFVPN_0: flushed
ike 0:MFVPN_0:24: processed INITIAL-CONTACT
ike 0:MFVPN_0:24: initiating XAUTH.
ike 0:MFVPN_0:24: sending XAUTH request
ike 0:MFVPN_0:24: enc BD8030E1F93A0F276142F3392C86E07708100601CE787211000000480E0000182EBCABAF96DAAAEAD6502361713D01A43C505C5A000000140100B872C088000040890000408A0000
ike 0:MFVPN_0:24: out BD8030E1F93A0F276142F3392C86E07708100601CE7872110000004C24E0FEB5B22D0B2CE5D4DB92374A8A07D47D02A991C6E3ED079E706F175FE18A037464C4904F4BF1E949ADBD7AE179ED
ike 0:MFVPN_0:24: sent IKE msg (cfg_send): 10.5.22.168:4500->10.5.22.160:64916, len=76, id=bd8030e1f93a0f27/6142f3392c86e077:ce787211
ike 0:MFVPN_0:24: peer has not completed XAUTH exchange
ike 0: comes 10.5.22.160:64916->10.5.22.168:4500,ifindex=3....
ike 0: IKEv1 exchange=Mode config id=bd8030e1f93a0f27/6142f3392c86e077:ce787211 len=92
ike 0: in BD8030E1F93A0F276142F3392C86E07708100601CE7872110000005CAA4DCAB2F67B8F3E9F5326D49A7720AF69B8874B5D79AB854EE30DB01B60E778D000908B1ACDDC65558854B9128F7DB80ED669DFCC0DDEB438809F6DBFC067BE
ike 0:MFVPN_0:24: dec BD8030E1F93A0F276142F3392C86E07708100601CE7872110000005C0E0000185AA07CA7F3CC80DE39B67C0562EAEAA69172EBBC000000230200B872C08800004089000773736C76706E31408A0008704073737730726489CE88E304
ike 0:MFVPN_0:24: received XAUTH_USER_NAME 'sslvpn1' length 7
ike 0:MFVPN_0:24: received XAUTH_USER_PASSWORD length 8
ike 0:MFVPN_0: XAUTH user "sslvpn1"
ike 0:MFVPN: auth group windows
ike 0:MFVPN_0: XAUTH 286808400 pending
ike 0:MFVPN_0:24: XAUTH 286808400 result 0
ike 0:MFVPN_0: XAUTH succeeded for user "sslvpn1" group "windows"
ike 0:MFVPN_0: assigned IP 192.168.100.102
ike 0:MFVPN_0:24: mode-cfg assigned (1) IPv4 address 192.168.100.102
ike 0:MFVPN_0:24: mode-cfg assigned (2) IPv4 netmask 255.255.255.255
ike 0:MFVPN_0:24: mode-cfg send (13) 0:0.0.0.0/0.0.0.0:0
ike 0:MFVPN_0:24: mode-cfg send (3) IPv4 DNS(1) 10.40.9.76
ike 0:MFVPN_0:24:300: peer proposal is: peer:0:192.168.100.102-192.168.100.102:0, me:0:0.0.0.0-255.255.255.255:0
ike 0:MFVPN_0:24:MFVPN:300: trying
ike 0:MFVPN_0:24:MFVPN:300: matched phase2
ike 0:MFVPN_0:24:MFVPN:300: dynamic client
ike 0:MFVPN_0:24:MFVPN:300: my proposal:
ike 0:MFVPN_0:24:MFVPN:300: proposal id = 1:
ike 0:MFVPN_0:24:MFVPN:300: protocol id = IPSEC_ESP:
ike 0:MFVPN_0:24:MFVPN:300: PFS DH group = 5
ike 0:MFVPN_0:24:MFVPN:300: trans_id = ESP_AES_CBC (key_len = 128)
ike 0:MFVPN_0:24:MFVPN:300: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:MFVPN_0:24:MFVPN:300: type = AUTH_ALG, val=SHA1
ike 0:MFVPN_0:24:MFVPN:300: trans_id = ESP_AES_CBC (key_len = 256)
ike 0:MFVPN_0:24:MFVPN:300: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:MFVPN_0:24:MFVPN:300: type = AUTH_ALG, val=SHA1
ike 0:MFVPN_0:24:MFVPN:300: incoming proposal:
ike 0:MFVPN_0:24:MFVPN:300: proposal id = 1:
ike 0:MFVPN_0:24:MFVPN:300: protocol id = IPSEC_ESP:
ike 0:MFVPN_0:24:MFVPN:300: PFS DH group = 5
ike 0:MFVPN_0:24:MFVPN:300: trans_id = ESP_AES_CBC (key_len = 128)
ike 0:MFVPN_0:24:MFVPN:300: encapsulation = UDP_ENCAPSULATION_MODE_TUNNEL_RFC3947
ike 0:MFVPN_0:24:MFVPN:300: type = AUTH_ALG, val=SHA1
ike 0:MFVPN_0:24:MFVPN:300: trans_id = ESP_AES_CBC (key_len = 128)
ike 0:MFVPN_0:24:MFVPN:300: encapsulation = UDP_ENCAPSULATION_MODE_TUNNEL_RFC3947
ike 0:MFVPN_0:24:MFVPN:300: type = AUTH_ALG, val=SHA1
ike 0:MFVPN_0:24:MFVPN:300: trans_id = ESP_AES_CBC (key_len = 256)
ike 0:MFVPN_0:24:MFVPN:300: encapsulation = UDP_ENCAPSULATION_MODE_TUNNEL_RFC3947
ike 0:MFVPN_0:24:MFVPN:300: type = AUTH_ALG, val=SHA1
ike 0:MFVPN_0:24:MFVPN:300: trans_id = ESP_AES_CBC (key_len = 256)
ike 0:MFVPN_0:24:MFVPN:300: encapsulation = UDP_ENCAPSULATION_MODE_TUNNEL_RFC3947
ike 0:MFVPN_0:24:MFVPN:300: type = AUTH_ALG, val=SHA1
ike 0:MFVPN_0:24:MFVPN:300: negotiation result
ike 0:MFVPN_0:24:MFVPN:300: proposal id = 1:
ike 0:MFVPN_0:24:MFVPN:300: protocol id = IPSEC_ESP:
ike 0:MFVPN_0:24:MFVPN:300: PFS DH group = 5
ike 0:MFVPN_0:24:MFVPN:300: trans_id = ESP_AES_CBC (key_len = 128)
ike 0:MFVPN_0:24:MFVPN:300: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:MFVPN_0:24:MFVPN:300: type = AUTH_ALG, val=SHA1
ike 0:MFVPN_0:24:MFVPN:300: set pfs=MODP1536
ike 0:MFVPN_0:24:MFVPN:300: using udp tunnel mode.
ike 0:MFVPN_0:24:MFVPN:300: replay protection enabled
ike 0:MFVPN_0:24:MFVPN:300: SA life soft seconds=43185.
ike 0:MFVPN_0:24:MFVPN:300: SA life hard seconds=43200.
ike 0:MFVPN_0:24:MFVPN:300: IPsec SA selectors #src=1 #dst=1
ike 0:MFVPN_0:24:MFVPN:300: src 0 7 0:0.0.0.0-255.255.255.255:0
ike 0:MFVPN_0:24:MFVPN:300: dst 0 7 0:192.168.100.102-192.168.100.102:0
ike 0:MFVPN_0:24:MFVPN:300: add dynamic IPsec SA selectors
ike 0:MFVPN_0:300: add route 192.168.100.102/255.255.255.255 gw 10.5.22.160 oif MFVPN_0(32) metric 15 priority 0
ike 0:MFVPN_0:24:MFVPN:300: tunnel 1 of VDOM limit 0/0
ike 0:MFVPN_0:24:MFVPN:300: add IPsec SA: SPIs=90051760/eacc05b8
ike 0:MFVPN_0:24:MFVPN:300: IPsec SA dec spi 90051760 key 16:BA23372514E0DC97AB5E8F6C9AE1EEB4 auth 20:0562E1DB428CC368B4BDCA6D63C8A18701FEBF05
ike 0:MFVPN_0:24:MFVPN:300: IPsec SA enc spi eacc05b8 key 16:1876C006E4FB7CEFB9081D486C52A218 auth 20:FD542EA0AAAB8A75DF8E0E82F50A5F12FE6B89EA
ike 0:MFVPN_0:24:MFVPN:300: added IPsec SA: SPIs=90051760/eacc05b8
ike 0:MFVPN_0:24:MFVPN:300: sending SNMP tunnel UP trapAuthentication logs:
handle_req-Rcvd auth req 286808401 for sslvpn1 in windows opt=00000020 prot=0
[397] __compose_group_list_from_req-Group 'windows'
[614] fnbamd_pop3_start-sslvpn1
[607] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'fac-radius' for usergroup 'windows' (2)
[305] fnbamd_create_radius_socket-Opened radius socket 15
[305] fnbamd_create_radius_socket-Opened radius socket 16
[1338] fnbamd_radius_auth_send-Compose RADIUS request
[1305] fnbamd_rad_dns_cb-10.40.6.105->10.40.6.105
[1280] __fnbamd_rad_send-Sent radius req to server 'fac-radius': fd=15, IP=10.40.6.105(10.40.6.105:1812) code=1 id=15 len=116 user="sslvpn1" using PAP
[282] radius_server_auth-Timer of rad 'fac-radius' is added
[718] auth_tac_plus_start-Didn't find tac_plus servers (0)
[439] ldap_start-Didn't find ldap servers (0)
[556] create_auth_session-Total 1 server(s) to try
[2503] fnbamd_auth_handle_radius_result-Timer of rad 'fac-radius' is deleted
[1746] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[305] extract_success_vsas-FORTINET attr, type 1, val windows
[2529] fnbamd_auth_handle_radius_result-->Result for radius svr 'fac-radius' 10.40.6.105(1) is 0
[2453] fnbamd_radius_group_match-Passed group matching
[331] fnbamd_framed_ip_add_ip-Added IP 192.168.100.102
[1029] find_matched_usr_grps-Group 'windows' passed group matching
[1030] find_matched_usr_grps-Add matched group 'windows'(2)
[182] fnbamd_comm_send_result-Sending result 0 (error 0, nid 0) for req 286808401
[710] destroy_auth_session-delete session 286808401
[2607] handle_req-Rcvd abort req for 286808401
[2630] handle_req-Can't abort, no active req 286808401
[2685] handle_req-Rcvd 7 req
[300] fnbamd_acct_start_START-Error getting radius server
[1436] create_acct_session-Error start acct type 7
[2699] handle_req-Error creating acct session 7
Related Article:
