Score:0

Unable to authenticate with IPsec tunnel on FortiGate via Windows native client

I have setup an IPsec tunnel on our FortiGate 51E (FortiOS v6.2.10 build1263 (GA)) and I am able to connect via my Windows native client, however when I am asked for a username and password, I am getting the error "The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server."

I have tried different combinations of my username from the username on Active Directory, email address, domain\username, [email protected], and the FortiGate user name. None of these seem to want to authenticate. Perhaps I have a configuration issue on the Windows client or on the FortiGate?

Also worth noting that I have the FortiGate SSL-VPN setup and using FortiClient correctly and authenticating via LDAP. So LDAP authentication between the FortiGate and Active Directory is working.

Configurations below:

config vpn l2tp
    set eip 10.0.100.199
    set sip 10.0.100.1
    set status enable
    set usrgrp "FortiClient Users"
end

config user group
    edit "FortiClient Users"
        set member "DC1.domain.tld" "User 1"
        config match
            edit 1
                set server-name "DC1.domain.tld"
                set group-name "CN=FortiClient.Users,OU=Security.Groups,OU=CORP,DC=domain,DC=tld"
            next
        end
    next
end

config vpn ipsec phase1
    edit "WIN-IPsec_p1"
        set type dynamic
        set interface "wan1"
        set peertype any
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set dhgrp 2
        set psksecret ENC base64
        set dpd-retryinterval 60
    next
end

config vpn ipsec phase2
    edit "WIN-IPsec_p2"
        set phase1name "WIN-IPsec_p1"
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set pfs disable
        set encapsulation transport-mode
        set keylifeseconds 3600
    next
end

config firewall policy
    edit 27
        set name "WIN-IPsec to Internet"
        set uuid ac74e9cc-6fed-51ec-7ad2-0df13b167bbe
        set srcintf "vsw.FortiSwitch"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set fsso disable
        set vpntunnel "WIN-IPsec_p1"
    next
    edit 28
        set name "WIN-IPsec to LAN"
        set uuid aea950b0-6fee-51ec-2e71-63ba80754538
        set srcintf "wan1"
        set dstintf "vsw.FortiSwitch"
        set srcaddr "IPsec.VPNRange"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
        set nat enable
    next
end

config firewall address
    edit "IPsec.VPNRange"
        set uuid 34cf43d0-6fee-51ec-5dc2-71b54eac4587
        set type iprange
        set start-ip 10.0.100.1
        set end-ip 10.0.100.199
    next
end

Windows native client:

PowerShell: Get-VpnConnection -Name IPsec

Name : IPsec
ServerAddress : 1.2.3.4
AllUserConnection : False
Guid : {6DF154C4-82FB-4E4C-BE77-2908FBE2E646}
TunnelType : L2tp
AuthenticationMethod : {Eap, MsChapv2}
EncryptionLevel : Optional
L2tpIPsecAuth : Psk
UseWinlogonCredential : False
EapConfigXmlStream :
ConnectionStatus : Disconnected
RememberCredential : True
SplitTunneling : False
DnsSuffix :
IdleDisconnectSeconds : 0

Windows 10 IPsec is set to allow these security methods which are also defined in my phase 1/2 proposal:


I was able to make some headway by changing the Windows native VPN client to use this configuration but it still fails:


After checking the event viewer in Windows I see the following events in this sequence:

CoId={CC3D0ED6-03D3-0002-7493-48CCD303D801}: The user domain\user has started dialing a VPN connection using a per-user connection profile named IPsec. The connection settings are: Dial-in User = VpnStrategy = L2TP DataEncryption = Requested PrerequisiteEntry = AutoLogon = No UseRasCredentials = Yes Authentication Type = PAP Ipv4DefaultGateway = Yes Ipv4AddressAssignment = By Server Ipv4DNSServerAssignment = By Server Ipv6DefaultGateway = Yes Ipv6AddressAssignment = By Server Ipv6DNSServerAssignment = By Server IpDnsFlags = IpNBTEnabled = Yes UseFlags = Private Connection ConnectOnWinlogon = No IPsec authentication for L2TP = Pre-shared key.


CoId={CC3D0ED6-03D3-0002-7493-48CCD303D801}: The user domain\user is trying to establish a link to the Remote Access Server for the connection named IPsec using the following device: Server address/Phone Number = 1.2.3.4 Device = WAN Miniport (L2TP) Port = VPN4-1 MediaType = VPN.


CoId={CC3D0ED6-03D3-0002-7493-48CCD303D801}: The user domain\user has successfully established a link to the Remote Access Server using the following device: Server address/Phone Number = 1.2.3.4 Device = WAN Miniport (L2TP) Port = VPN4-1 MediaType = VPN.


CoId={CC3D0ED6-03D3-0002-7493-48CCD303D801}: The link to the Remote Access Server has been established by user domain\user.


Event ID: 20291, Rasclient IPsec requires attention.


CoId={CC3D0ED6-03D3-0002-7493-48CCD303D801}: The user domain\user dialed a connection named IPsec which has failed. The error code returned on failure is 0.


The connection is failing with Event ID 20291, RasClient - IPsec requires attention.
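As an added example (not code from the question or from Fortinet), a small Python parser for the FortiOS config/edit/set/next/end syntax pasted above, followed by a check that flags what a reviewer would want changed before this tunnel goes into production: a phase2 that is not in transport mode (which the Windows L2TP/IPsec client requires) and the MD5/3DES proposals and DH group 2 from the posted phase1/phase2. The sample config is a constructed excerpt; the function names are my own.

```python
import re

# Constructed excerpt in the shape of the FortiGate CLI above (not the real device config).
SAMPLE = """\
config vpn ipsec phase1
    edit "WIN-IPsec_p1"
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set dhgrp 2
    next
end
config vpn ipsec phase2
    edit "WIN-IPsec_p2"
        set phase1name "WIN-IPsec_p1"
        set encapsulation transport-mode
    next
end
"""

def parse_fortios(text):
    """config/edit open a nested dict, set stores a value list, next/end close the block."""
    root = cur = {}
    stack = []
    for line in filter(str.strip, text.splitlines()):
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        if tok[0] in ("config", "edit"):
            stack.append(cur)
            cur = cur.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "set":
            cur[tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):
            cur = stack.pop()
    return root

def check_ipsec(cfg):
    """Findings: phase2 not in transport mode, deprecated MD5/3DES proposals, DH group 2."""
    out = []
    for name, p2 in cfg.get("vpn ipsec phase2", {}).items():
        if p2.get("encapsulation") != ["transport-mode"]:
            out.append(f"phase2 {name}: Windows L2TP/IPsec needs transport-mode")
    for sect in ("vpn ipsec phase1", "vpn ipsec phase2"):
        for name, e in cfg.get(sect, {}).items():
            bad = [p for p in e.get("proposal", []) if "md5" in p or "3des" in p]
            if bad:
                out.append(f"{sect} {name}: deprecated proposals {' '.join(bad)}")
            if "2" in e.get("dhgrp", []):
                out.append(f"{sect} {name}: DH group 2 (1024-bit MODP) is weak")
    return out
```

Running `check_ipsec(parse_fortios(SAMPLE))` on the excerpt reports the two weak-crypto findings from phase1 and nothing for phase2, since it is already in transport mode.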
