Dial-Up with FortiClient and IKEv2 - EAP Problem

Author
Fortiuser
New Member
  • Total Posts : 7
  • Scores: 0
  • Reward points: 0
  • Joined: 2015/03/02 01:37:21
  • Status: offline
2021/10/12 07:12:50 (permalink)
0

Dial-Up with FortiClient and IKEv2 - EAP Problem

Hi all,
 
We want to switch our FortiClient dial-up connections from IKEv1 to IKEv2, but we are having problems with this. I have created a new IKEv2 test VPN on the FortiGate and a test user that is authenticated via RADIUS. Everything in the setup works fine with IKEv1, but as soon as I change the parameters to IKEv2, the login fails. The device is a FortiGate 300E cluster with OS 6.0.10; I tested with different FortiClient VPN versions from v6.4 to 7.0.
 
Here is what an IKE debug shows me:
ike 0: comes 178.2.99.151:64916->20.30.40.50:4500,ifindex=11....
ike 0: IKEv2 exchange=AUTH id=xxxx/xx len=80
ike 0: in xxx
ike 0:IKE-v2:31239: dec xxxA65
ike 0:IKE-v2:31239: responder received EAP msg
ike 0:IKE-v2:31239: send EAP message to FNBAM
ike 0:IKE-v2:31239: initiating EAP authentication
ike 0:IKE-v2: EAP user "testuser"
ike 0:IKE-v2: auth group IKEv2-Users
ike 0:IKE-v2: EAP 1195273714 pending
ike 0:IKE-v2:31239 EAP 1195273714 result 2
ike 0:IKE-v2: EAP challenged for user "testuser"
ike 0:IKE-v2:31239: responder preparing EAP pass through message
ike 0:IKE-v2:31239: enc xxxx
ike 0:IKE-v2:31239: out xxxx
ike 0:IKE-v2:31239: sent IKE msg (AUTH_RESPONSE): 20.30.40.50:4500->178.2.99.151:64916
ike 0: comes 178.2.99.151:64916->20.30.40.50:4500,ifindex=11....
ike 0: IKEv2 exchange=AUTH id=xxx

ike 0:IKE-v2:31239: responder received EAP msg
ike 0:IKE-v2:31239: send EAP message to FNBAM
ike 0:IKE-v2: EAP 1195273714 pending
ike 0:IKE-v2:31239 EAP 1195273714 result 1
ike 0:IKE-v2: EAP failed for user "testuser"
ike 0:IKE-v2:31239: responder preparing EAP pass through message
ike 0:IKE-v2:31239: enc xxx
ike 0:IKE-v2:31239: out xxx
ike 0:IKE-v2:31239: sent IKE msg (AUTH_RESPONSE): 20.30.40.50:4500->178.2.99.151:64916
ike 0:IKE-v2: connection expiring due to EAP failure
ike 0:IKE-v2: deleting
ike 0:IKE-v2: reset NAT-T
ike 0:IKE-v2: deleted



Apparently the EAP request goes through first without a problem, but then gets repeated, which I don't understand.
 
Here's the config from FortiGate VPN:
 
config vpn ipsec phase1-interface
    edit "IKE-v2"
        set type dynamic
        set interface "port3"
        set ike-version 2
        set peertype any
        set mode-cfg enable
        set ipv4-dns-server1 10.1.1.10
        set proposal aes256-sha256
        set dpd on-idle
        set dhgrp 20
        set eap enable
        set eap-identity send-request
        set authusrgrp "IKEv2-Users"
        set ipv4-start-ip 10.1.30.2
        set ipv4-end-ip 10.1.30.10
        set ipv4-netmask 255.255.224.0
        set ipv4-split-include "VPN-CFS-FG-Splitting"
        set client-auto-negotiate enable
        set client-keep-alive enable
        set psksecret ENC xxxx
        set dpd-retryinterval 60
    next
end

 
Does anyone have an idea where the problem could be? Many thanks already!
 
post edited by Fortiuser - 2021/10/12 07:14:59
#1
emnoc
Expert Member
  • Total Posts : 6224
  • Scores: 435
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: Dial-Up with FortiClient and IKEv2 - EAP Problem 2021/10/12 14:01:17 (permalink), marked helpful by Fortiuser 2021/10/13 05:38:22
0
Does the NAS support EAP? I would start at that point and then continue your diagnostics, but before you go down that rabbit hole, test with a local account; if that works, you know to focus on the NAS.
 
YMMV 
 
Ken Felix
 

PCNSE 
NSE 
StrongSwan  
#2
Fortiuser
New Member
  • Total Posts : 7
  • Scores: 0
  • Reward points: 0
  • Joined: 2015/03/02 01:37:21
  • Status: offline
Re: Dial-Up with FortiClient and IKEv2 - EAP Problem 2021/10/13 03:08:07 (permalink)
0
Hi Ken,
Thanks for your reply, the test with a local user was a good idea! It worked right away.


So I took another look at the NPS and found that only PEAP was enabled there, not EAP-MSCHAP-v2.
After I turned it on, it now works. Thanks a lot for your hints!
#3
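As an added example that is not part of the thread, here is the FortiOS CLI for the two steps discussed above: the local-account test that emnoc suggested, and the RADIUS group that hands the EAP exchange through to the NPS, which (as found in the post above) must have EAP-MSCHAP v2 enabled in its network policy. Only the phase1 name "IKE-v2", the group name "IKEv2-Users" and the tunnel address 20.30.40.50 come from the thread; the local user, the test group, the RADIUS object name, the NPS address 10.1.1.20 and all secrets are assumed placeholders.

```fortios
# Step 1: local user and group, used only to prove the IKEv2/EAP path
# on the FortiGate itself without any RADIUS dependency
config user local
    edit "eap-localtest"
        set type password
        set passwd "<strong-test-password>"
    next
end
config user group
    edit "IKEv2-LocalTest"
        set member "eap-localtest"
    next
end
# Temporarily point the dial-up phase1 at the local group
config vpn ipsec phase1-interface
    edit "IKE-v2"
        set authusrgrp "IKEv2-LocalTest"
    next
end

# Step 2: RADIUS server object (assumed name/address) and the production group.
# With "set eap enable" on the phase1, the FortiGate forwards the EAP messages
# inside RADIUS to this server, so the NPS policy must accept EAP-MSCHAP v2,
# not only PEAP.
config user radius
    edit "NPS-RADIUS"
        set server "10.1.1.20"
        set secret "<shared-secret>"
        set auth-type ms_chap_v2
        set nas-ip 20.30.40.50
    next
end
config user group
    edit "IKEv2-Users"
        set member "NPS-RADIUS"
    next
end
# Switch the phase1 back to the RADIUS-backed group once the local test passes
config vpn ipsec phase1-interface
    edit "IKE-v2"
        set authusrgrp "IKEv2-Users"
    next
end

# Step 3: diagnostics. The first command tests plain MS-CHAPv2 against the
# RADIUS server; the debug commands show the IKE and the RADIUS side of a
# real FortiClient login.
diagnose test authserver radius NPS-RADIUS mschap2 testuser <password>
diagnose debug application ike -1
diagnose debug application fnbamd -1
diagnose debug enable
```

Note that `diagnose test authserver` exercises ordinary MS-CHAPv2 over RADIUS, not EAP passthrough, so a pass there while the IKEv2 dial-up still fails points at the EAP types enabled on the NPS rather than at reachability or the shared secret, which matches what happened in this thread. The `nas-ip` value must match the RADIUS client entry configured on the NPS, and the local test group should not be left on the production phase1 afterwards.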
Fortiuser
New Member
  • Total Posts : 7
  • Scores: 0
  • Reward points: 0
  • Joined: 2015/03/02 01:37:21
  • Status: offline
Re: Dial-Up with FortiClient and IKEv2 - EAP Problem 2021/10/14 01:43:14 (permalink)
0
Unfortunately, I now have another problem: the IKEv2 connection only works if the user does not have two-factor authentication enabled (via FortiToken).

Does anyone know if this is possible with a later FortiOS version? I have seen hints that this is only possible with OS 6.2 or 6.4. Can anyone confirm this?
#4