Configuring authentication of remote IPsec VPN users
An IPsec VPN on a FortiGate unit can authenticate remote users through a dialup group. The user account name is the peer ID and the password is the pre-shared key.
Authentication through user groups is supported for groups containing only local users. To authenticate users using a RADIUS or LDAP server, you must configure XAUTH settings. See “Configuring XAuth authentication”.
To configure user group authentication for dialup IPsec - web-based manager
1. Configure the dialup users who are permitted to use this VPN. Create a user group with Type: Firewall and add the users to it.
For more information, see “Users and user groups”.
2. Go to VPN > IPsec > Auto Key (IKE), select Create Phase 1 and enter the following information.
   Name: Name for group of dialup users using the VPN for authentication.
   Remote Gateway: List of the types of remote gateways for VPN. Select Dialup User.
   Authentication Method: List of authentication methods available for users. Select Preshared Key and enter the preshared key.
   Peer Options: Select Accept peer ID in dialup group. Select the user group that is to be allowed access to the VPN. The listed user groups contain only users with passwords on the FortiGate unit.
3. Select Advanced to reveal additional parameters and configure other VPN gateway parameters as needed.
4. Select OK.
To configure user group authentication for dialup IPsec - CLI example
The peertype and usrgrp options configure user group-based authentication.
config vpn ipsec phase1
    edit office_vpn
        set interface port1
        set type dynamic
        set psksecret yORRAzltNGhzgtV32jend
        set proposal 3des-sha1 aes128-sha1
        set peertype dialup
        set usrgrp Group1
end
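
To check an exported configuration for the settings above, the following added example (not Fortinet code) parses config vpn ipsec phase1 blocks and lists dialup gateways that lack peertype dialup together with a usrgrp. The sample configuration is constructed, branch_vpn is a hypothetical entry name, and XAuth settings are not examined.

```python
import shlex

# Constructed sample configuration; "branch_vpn" is a hypothetical second entry.
SAMPLE_CONFIG = """\
config vpn ipsec phase1
    edit office_vpn
        set interface port1
        set type dynamic
        set proposal 3des-sha1 aes128-sha1
        set peertype dialup
        set usrgrp Group1
    next
    edit branch_vpn
        set type dynamic
    next
end
"""


def parse_phase1(text):
    """Return {entry_name: {option: [values]}} for 'config vpn ipsec phase1' blocks."""
    entries, current, in_block = {}, None, False
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # also handles quoted entry names
        if not tokens:
            continue
        if tokens[:4] == ["config", "vpn", "ipsec", "phase1"]:
            in_block = True
        elif in_block and tokens[0] == "edit" and len(tokens) > 1:
            current = entries.setdefault(tokens[1], {})
        elif in_block and tokens[0] == "set" and current is not None and len(tokens) > 1:
            current[tokens[1]] = tokens[2:]
        elif in_block and tokens[0] == "end":
            in_block, current = False, None
    return entries


def dialup_without_group_auth(text):
    """List dialup (type dynamic) entries lacking 'peertype dialup' plus a usrgrp."""
    findings = []
    for name, opts in parse_phase1(text).items():
        if opts.get("type") != ["dynamic"]:
            continue  # static gateways are outside this procedure
        if opts.get("peertype") != ["dialup"] or not opts.get("usrgrp"):
            findings.append(name)
    return findings


if __name__ == "__main__":
    for name in dialup_without_group_auth(SAMPLE_CONFIG):
        print(f"{name}: dialup gateway without user group authentication")
```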