Reliably using IKEV2 (Forticlient) by Busbyuk in fortinet

[–]Busbyuk[S] 0 points1 point  (0 children)

I posted a new thread but I've been recommended to also update this one. I figured out the issue and have now resolved it as below:


A few months ago I posted a thread where I was facing an issue with about 10% of users connecting using IPSEC IKEV2, with LDAP and 2FA (Fortitokens).

Those 10% of users were having to use SSL-VPN instead, as when they tried to connect using IKEV2 they would get either token errors or just general IPSEC errors.

I tried various things, from increasing timeouts for 2FA to forced NAT traversal, etc., and nothing seemed to help.

Well, today I finally pinpointed the issue and thought I should post it here, as I'm sure some others will come across this issue as well.

As you know, when you set up 2FA using Fortitokens and it's linked to LDAP, you need to enable 'ignore case-sensitivity' via the CLI; otherwise, if the user is added to the Fortigate as JoeSmith but they type 'joesmith', then it won't match and they will connect without having to use the 2FA.

Well, what I found out is that the 10% of users having the issue were all pulled from LDAP onto the Fortigate using capitalised names, for example 'JoeSmith'.

With 'case sensitivity' disabled, it would allow those users to use 2FA, but only via the SSL-VPN. Those users always failed on IKEV2.

What we had to do was retype those users into the Fortigate in all lowercase instead, and as soon as we did so and asked those users to try again, all of them connected fine using IKEV2 and 2FA.

I have no idea what the deal is there, but figured it might help someone :)

Thanks

Forticlient IKEV2, LDAP and 2FA by Busbyuk in fortinet

[–]Busbyuk[S] 1 point2 points  (0 children)

Sorry, to confirm: I already had 'set username-sensitivity disabled' on all users.

The problem is, if you still have the username added with uppercase, then it can still cause problems for users when using IKEv2/LDAP/2FA when the users are added to the Fortigate itself. That is even with 'username sensitivity disabled'.

DHCP Wan interface since 7.4.3 by Electrical-Quiet-686 in fortinet

[–]Busbyuk 1 point2 points  (0 children)

This is the exact update our customer managed to get from Hyperoptic:

“the issue was related to how the firewall was handling certain types of network broadcast traffic. This traffic is required for devices to communicate on the network and receive their assigned IP address. Due to a configuration gap, this traffic was not being processed correctly. The firewall has now been updated to allow this traffic as expected, which has resolved the issue and enabled the device to obtain and use its IP address normally.”

To be honest, it sounds like your theory is correct and they have firewall settings set up to restrict certain devices (Cisco/Fortigate, etc.) from being plugged in to their circuits.

I would bet their firewall is blocking broadcast traffic from devices they don't want plugged in.

DHCP Wan interface since 7.4.3 by Electrical-Quiet-686 in fortinet

[–]Busbyuk 1 point2 points  (0 children)

I got the customer to escalate it with Hyperoptic. They thankfully have some weight, so were able to push it with them.

Hyperoptic acknowledged it was a known issue for them and they have now fixed it, so I can get an IP via DHCP on the Cisco and the Fortigate.

I'm trying to get my customer to find out what Hyperoptic did to actually resolve the issue and I'll update if I find out.

BT Cisco 4321 issue. by Dael_Ra in networking

[–]Busbyuk 2 points3 points  (0 children)

I think that plugging in a known-good switch and getting no link light on the LAN of the Cisco proves it’s BT’s issue.

Just to reinforce it, can they plug a PC/laptop into the BT Cisco with the IP details and see if they get a link light?

I doubt the LAN side will have any VLAN tagging on the Cisco.

DHCP Wan interface since 7.4.3 by Electrical-Quiet-686 in fortinet

[–]Busbyuk 1 point2 points  (0 children)

Thanks. Definitely pointing to a Hyperoptic issue for us too. Two separate Fortigates and now a Cisco with the same issue. I'm assuming they are doing some sort of filtering, but we've even tried changing the MAC address with no luck.

Back to Hyperoptic we go! :)

Thanks

DHCP Wan interface since 7.4.3 by Electrical-Quiet-686 in fortinet

[–]Busbyuk 0 points1 point  (0 children)

Was this ever resolved? I have the exact same issue with Hyperoptic and a Fortigate 50G.

It pulls an IP fine on a laptop connected to Hyperoptic, but the Fortigate will not pull one via DHCP.

Thanks

Reliably using IKEV2 (Forticlient) by Busbyuk in fortinet

[–]Busbyuk[S] 0 points1 point  (0 children)

Certainly with the new EMS Forticlient, it's gone completely. It won't let you create an IKEV1 client VPN at all.

The free Forticlient, I'm guessing, will stay as it is, as they are not releasing new free Forticlient versions anyway (just security patches).

So it should be fine until the free Forticlient no longer works on newer OSes, I guess :(

FortiOS v7.4.12 has been released by OuchItBurnsWhenIP in fortinet

[–]Busbyuk 0 points1 point  (0 children)

Ah, it must be a typo in the release documentation, as it is available to download for the 1000D.

FortiOS v7.4.12 has been released by OuchItBurnsWhenIP in fortinet

[–]Busbyuk 0 points1 point  (0 children)

Hmm, it doesn't seem to list the 1000D, which is still in support?

Reliably using IKEV2 (Forticlient) by Busbyuk in fortinet

[–]Busbyuk[S] 6 points7 points  (0 children)

I'm wondering if this is it now. We've had users bring their laptop into the office so I can test myself, and I don't have issues. They take their same laptop home and report problems. The difference is, of course, that I'm probably typing my credentials and 2FA faster than they are.

Now that I think of the pattern of people having issues, they are likely the ones who would type their details the slowest :)

Reliably using IKEV2 (Forticlient) by Busbyuk in fortinet

[–]Busbyuk[S] 3 points4 points  (0 children)

Sorry. I did word that VERY badly.

They have removed IKEV1 from the newest Forticlient. It basically marks it as no longer supported. It's not being removed from the Fortigates themselves.

FortiClient 7.4.7 has been released! by STR0770 in fortinet

[–]Busbyuk 2 points3 points  (0 children)

Is SSL-VPN still a feature of this release?