IPSEC Tunnel doesn't match user in incoming traffic.

fortimaster · ‎03-12-2024

Hi all,

I have create an IPSEC dial up tunnel with Ike v2 and NAT-T. I use Forticlient to connect to it and it works well.

I have observed that some traffic are denyed cause when I send traffic across the tunnel, the user with witch Im logged (using forticlient) is not associated with the incoming traffic. I can see the IP from the private tunnel network but not the username. That causes the incoming traffic matches a deny policy, cause I use an user group in the incoming rule that permits traffic from the IPSEC interface. For example, I can see traffic from 192.168.106.x but the incoming traffic has not an user associated.

Why the username with witch Im connected to the tunnel are not matched in incoming traffic?

I attach you the tunnel configuration:

Thanks ¡¡¡

hbac · ‎03-22-2024

@fortimaster,

Yes, it is a limitation because "inherit from policy" doesn't exist when using IKEv2. You can submit a new feature request for it if you want.

Regards,

View solution in original post

dbhavsar · ‎03-13-2024

Hello @fortimaster ,

- Can you please share the full-config of the policy you are using and also if the group you are using is remote-server or local group on FortiGate?

DNB

fortimaster · ‎03-13-2024

Off course Dbhavsar.

The group I'm using is local. The users belongs to the Fortigate and there are no active directory users. I attach you the required configuration:

As you can see, the policy is the same for 2 IPsec Tunnels. One is working well (it matches correctly group and IP address) but is not equal (it uses ikev1). The group is the same from both tunnels.

Thanks

dbhavsar · ‎03-13-2024

Hi @fortimaster ,

- Thanks for sharing the details, I would recommend to try creating the separate policy for both tunnels and give it a try.

DNB

hbac · ‎03-13-2024

Hi @fortimaster,

Group specified under IPsec phase1 is XAUTH group, it is not the same as group specified in firewall policy and it will not match. If you specify group under phase1, you don't need to specify the same group in the firewall policy.

Alternatively, you can set group under phase1 to 'Inherit from policy' and specify the group in the firewall policy. https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-group-based-firewall-policy-for-Dial...

Regards,

fortimaster · ‎03-14-2024

Thanks hbac,

I can't find the XAUTH option to configure it in the CLI or in the GUI. The phase 1 doesn't accepts the set xauthtype command and the GUI does not display XAHTH option.

Who can I configure it? On the other hand, by default group specified under Phase1 is XAUTH?

# set xauthtype
command parse error before 'xauthtype'

hbac · ‎03-14-2024

@fortimaster,

Sorry for the confusion, XAUTH will not work with IKEv2. Based on your current configuration, you don't have to specify the group in the firewall policy.

Regards,

fortimaster · ‎03-14-2024

Thanks for your reply. I need to specify the group cause, each user group, has different permissions in the tunnel.
I have a less permissive policy for current users group an another one for network administrators. And both group users use the same tunnel. That is why I have user group in the policy.

hbac · ‎03-15-2024

@fortimaster,

If you want to specify groups in the firewall policy, you can use IKEv1 and follow this article: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-group-based-firewall-policy-for-Dial...

Regards,

fortimaster · ‎03-15-2024

Thanks hbac.

This tunnel was Ikev1 and it has worked fine with users. But I would like to upgrade it to v2 to do it more strong and secure. I tought that ikev2 was better than v1. You cannot filter by groups using v2?

Thanks ¡¡¡