Situation
Use FortiClient to connect to the dial-up IPsec VPN (IKEv2) and authenticate with your local username and password.
Solution
[1]
# Create a user
Log in to the FortiGate WebUI > User & Authentication > User Definition
[2]
Create New > Local User > "Username/Password"
[3]
# Create a user group
FortiGate WebUI > User & Authentication > User Groups
[4]
Create New > "Name" > Members
[5]
# Enter the commands that enable authenticating users by username and password (EAP)
Open the FortiGate CLI > config vpn ipsec phase1-interface > edit "tunnel_phase1"
[6]
set eap enable
set eap-identity send-request
set authusrgrp "User_Group_Name"
[7]
# Enter the commands that enable the idle timeout and set the timeout interval (in minutes)
set idle-timeout enable
set idle-timeoutinterval 20
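The whole setup as one CLI script, added here as an example; it is not part of the original notes and not Fortinet's own text. It assumes a user "alice", a group "VPN_Users", the WAN interface "wan1", a client address pool 10.10.10.1-10.10.10.50 and placeholder secrets, creates the user and group in the CLI instead of the WebUI, and adds the phase 1 and phase 2 settings that the steps above leave to the existing tunnel (IKEv2 dial-up, mode-config pool, pre-shared key) so the tunnel is complete.

```fortios
# Step 1: local user (assumed name and placeholder password)
config user local
    edit "alice"
        set type password
        set passwd "CHANGE-ME-user-password"
    next
end

# Step 2: user group referenced by authusrgrp
config user group
    edit "VPN_Users"
        set member "alice"
    next
end

# Steps 3 and 4: dial-up IKEv2 phase 1 with EAP user authentication
config vpn ipsec phase1-interface
    edit "tunnel_phase1"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set mode-cfg enable
        set proposal aes256-sha256
        set dhgrp 14
        # username/password authentication against the local group
        set eap enable
        set eap-identity send-request
        set authusrgrp "VPN_Users"
        # addresses handed to FortiClient (assumed pool)
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.50
        set ipv4-netmask 255.255.255.0
        # drop tunnels idle for 20 minutes
        set idle-timeout enable
        set idle-timeoutinterval 20
        set psksecret "CHANGE-ME-pre-shared-key"
    next
end

# Phase 2 bound to the phase 1 above
config vpn ipsec phase2-interface
    edit "tunnel_phase2"
        set phase1name "tunnel_phase1"
        set proposal aes256-sha256
    next
end
```

A firewall policy from the tunnel interface to the internal network is still required before traffic passes.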
Troubleshooting
[1]
# Check the parameters
get vpn ike gateway
[2]
# Check whether phase 1 is up
diagnose vpn ike gateway list name "Your_Tunnel_Name"
> status: Established (phase 1 succeeded)
> status: Connecting (phase 1 failed)
[3]
# Clear any previous debug settings
diagnose debug reset
# Add timestamps to the debug output
diagnose debug console timestamp enable
# Enable debug for the IKE module (all messages)
diagnose debug application ike -1
# Turn on debug output
diagnose debug enable
# Clear the debug settings once you are done
diagnose debug reset
# Turn off debug output
diagnose debug disable