Support Forum
germafab
New Contributor

IPsec dialup VPN - user groups in firewall rules

For a while now I have been successfully using the IPsec VPN with FortiClient (and the native client on Mac). However, as soon as I assign user groups to firewall rules (the user groups contain the users which successfully connected to the IPsec VPN), the traffic is blocked.

According to the documentation, I understood that I need to have XAuth activated for the VPNs, which I have - still no luck.

I currently have two types of IPsec VPNs, a PSK+XAuth based one and a Cert+XAuth based one.

Below you will find the config snippets of the respective VPN configurations:

config vpn ipsec phase1-interface
    edit "RemoteAccess"
        set type dynamic
        set interface "wan1"
        set authmethod signature
        set mode aggressive
        set peertype peergrp
        set mode-cfg enable
        set comments "VPN: with cert and xauth"
        set xauthtype pap
        set authusrgrp "IPsec-users"
        set certificate "forti_Intra"
        set peergrp "intra_peers"
        set ipv4-start-ip 192.168.134.100
        set ipv4-end-ip 192.168.134.110
        set dns-mode auto
        set ipv4-split-include "RemoteAccess_split"
        set unity-support disable
    next
end

and:

config vpn ipsec phase1-interface
    edit "mVPN"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype any
        set mode-cfg enable
        set comments "VPN: psk and xauth"
        set xauthtype pap
        set authusrgrp "mVPN-users"
        set ipv4-start-ip 192.168.134.150
        set ipv4-end-ip 192.168.134.160
        set dns-mode auto
        set save-password enable
        set client-auto-negotiate enable
        set client-keep-alive enable
        set psksecret ENC <hidden>
    next
end

1 Solution
ede_pfau
Esteemed Contributor III

User groups on policies trigger 'firewall authentication'. That is, the user has to use an interactive protocol like HTTP(S), ftp or telnet, and needs to enter his credentials. Then he's authenticated and traffic is allowed through.

This has nothing to do with VPN authentication. XAuth is already the way to go.


Ede

"Kernel panic: Aiee, killing interrupt handler!"

germafab

Thanks for the clarification. This means that if I have an IPv4 policy like the following:

srcintf[RemoteAccess]
dstintf[internal]
srcaddr[RemoteAccess_range]
dstaddr[HTTP_Test_Host]
action[accept]
schedule[always]
service[HTTP]
users[aquila]

I should get a "FortiGate Login" window (or similar) to authenticate? Because currently this does not happen / the policy is ignored.
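The point ede_pfau makes (a users/groups match on a policy is a separate, interactive firewall authentication, not tied to the tunnel's XAuth group) can be checked against a config dump. The following is an added example, not code from this thread or from Fortinet: a small parser for FortiOS-style `config`/`edit`/`set`/`next`/`end` blocks and a check that lists every policy whose source interface is an XAuth dialup phase1 and that also matches users or groups. The sample config text, the policy ids 10 and 11, and the two function names are constructed for illustration; the last field of each result only records whether the policy's identity list is exactly the tunnel's XAuth group, which is what a policy like users[aquila] above is not.

```python
import shlex

# Constructed sample: the thread's "RemoteAccess" phase1 (trimmed) plus two hypothetical policies.
SAMPLE_CONFIG = """config vpn ipsec phase1-interface
    edit "RemoteAccess"
        set authusrgrp "IPsec-users"
    next
end
config firewall policy
    edit 10
        set srcintf "RemoteAccess"
        set users "aquila"
    next
    edit 11
        set srcintf "RemoteAccess"
        set groups "IPsec-users"
    next
end"""

def parse_fortios(text):
    """Parse config/edit/set/next/end into {section: {entry: {key: [values]}}}."""
    cfg, stack, sect, ent = {}, [], None, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("config "):
            stack.append((sect, ent))            # remember the enclosing block
            sect, ent = line[7:], None
            cfg.setdefault(sect, {})
        elif line.startswith("edit "):
            ent = line[5:].strip('"')
            cfg[sect].setdefault(ent, {})
        elif line.startswith("set "):
            key, *vals = shlex.split(line[4:])    # shlex drops the quotes
            cfg[sect][ent][key] = vals
        elif line == "next":
            ent = None
        elif line == "end":
            sect, ent = stack.pop()
    return cfg

def identity_policies_on_xauth_tunnels(cfg):
    """Policies whose srcintf is an XAuth dialup phase1 and that also match users/groups."""
    phase1 = cfg.get("vpn ipsec phase1-interface", {})
    found = []
    for pid, pol in cfg.get("firewall policy", {}).items():
        identity = pol.get("groups", []) + pol.get("users", [])
        for intf in pol.get("srcintf", []):
            xauth = phase1.get(intf, {}).get("authusrgrp")   # XAuth group, if any
            if identity and xauth:
                # (policy id, interface, identity list, XAuth group, identity == XAuth group)
                found.append((pid, intf, identity, xauth[0], identity == xauth))
    return found
```

Run against a real `show full-configuration` dump, every row returned is a policy that triggers firewall authentication for VPN users, so the list is where to look when traffic through a dialup tunnel is unexpectedly dropped.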

Philippe_ASTIER

ede_pfau wrote:

User groups on policies trigger 'firewall authentication'. That is, the user has to use an interactive protocol like HTTP(S), ftp or telnet, and needs to enter his credentials. Then he's authenticated and traffic is allowed through.

This has nothing to do with VPN authentication. XAuth is already the way to go.

Good... but would it be possible to get the XAUTH user in the firewall group?

I don't want the banner....
