Description
This article explains IKEv2 dialup tunnel setup with Radius server and using FortiClient.
Solution
FortiGate dial up IPsec tunnels can be configured as IKEv2 with Radius authentication.
Note that EAP will need to be configured even LDAP is used as IKEv2 requires EAP.
LDAP will be a result of a 'translation' from RADIUS EAP to LDAP if that is possible.
Configuration.
## Defining radius user ##
# config user local
edit "test_user"
set type radius
set radius-server "Radius_server"
next
end
## User group ##
# config user group
edit "VPN_Users"
set member "test_user”
next
end
## IPsec config ##
# config vpn ipsec phase1-interface
edit "Dialup_IKEv2"
set type dynamic
set interface "wan1"
set ike-version 2
set peertype any
set mode-cfg enable
set proposal aes128-sha1 aes256-sha256
set dpd on-idle
set comments "FTG IPsec VPN IKEv2 and Radius user auth"
set dhgrp 5
set eap enable
set eap-identity send-request
set authusrgrp "VPN_Users"
set ipv4-start-ip 192.168.88.10
set ipv4-end-ip 192.168.88.150
set dns-mode auto
set psksecret ENC xx
set dpd-retryinterval 60
next
end
1) For IKEv2, FortiClient will use EAP-MSCHAPv2.
2) For this setup to work, it is important that the remote radius server supports EAP-MSCHAPv2 authentication (EAP-MS-CHAP) (Microsoft NPS for example).
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.