- IPsec VPN.
- Software requirements:
- FortiClient EMS v7.4.1+.
- FortiClient (endpoints): v7.4.2+.
- FortiGate FortiOS: v7.4.4+ or v7.6.0+.
- Configuration guides: this is achieved by the Fortinet implementation of RFC 5723 IKEv2 session resumption. See: IKEv2 session resumption 7.4.1; Resuming sessions for IPsec tunnel IKE version 2 7.4.4; IKE settings.
- Configuration requirements:
- IPsec: IKEv2 only (based on RFC 5723, https://datatracker.ietf.org/doc/html/rfc5723).
- Save username: Not required.
- Save password: Not required.
- Keep running (always up): Not required.
- RADIUS MFA: compatible; the user is prompted just once, during the first connection establishment.
- SAML Authentication: compatible; the user is prompted just once, during the first connection establishment.
- Session timer: configurable on FortiOS with client-resume-interval under config vpn ipsec phase1-interface.
- Client (source) IP address changes: Supported (LAN interface changes or ISP switch).
- Transport layer: tested and confirmed with IKEv2 over UDP and over TCP (FortiGate and FortiClient can establish IKEv2 tunnels over TCP; see IPsec VPN over TCP 7.4.1 | FortiClient 7.4.0 | Fortinet Document Library).
- Sample FortiGate configuration:

```
config system settings
    set ike-session-resume enable   <----- Per-VDOM CLI option that affects all STATIC IKEv2 phase1s in the VDOM.
end
config vpn ipsec phase1-interface
    edit "MyTunnelName"
        set type dynamic
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set dpd on-idle
        set eap enable
        set eap-identity send-request
        set reauth enable
        set authusrgrp "VPN_RA_Group"
        set client-resume enable
        set client-resume-interval 7200
        set client-auto-negotiate enable
        set client-keep-alive enable
        set dpd-retryinterval 60
    next
end
config vpn ipsec phase2-interface
    edit "MyTunnelName"
        set phase1name "MyTunnelName"
        set keepalive enable
    next
end
```

- SSL VPN.
- Software requirements:
- FortiClient EMS v7.2.x or v7.4.x.
- FortiClient (endpoints): v7.2.x or v7.4.x.
- FortiGate: v7.2.10 or v7.4 or v7.6.
- Configuration guides: this is achieved by 'set tunnel-connect-without-reauth enable' under 'config vpn ssl settings'. See: Technical Tip: Configuring SSL-VPN to allow tunnel reconnection without requiring reauthentication.
- Configuration requirements:
- Save username: Not required.
- Save password: Not required.
- Keep running (always up): Not required.
- RADIUS MFA: compatible; the user is prompted just once, during the first connection establishment.
- SAML Authentication: compatible; the user is prompted just once, during the first connection establishment.
- Session timer: configurable on FortiOS with tunnel-user-session-timeout under config vpn ssl settings.
- Client (source) IP address changes: supported by set auth-session-check-source-ip disable under config vpn ssl settings.
- Transport layer: tested and confirmed with TCP and UDP (DTLS).
- Sample FortiGate configuration:

```
config vpn ssl settings
    set dtls-tunnel enable
    set auth-session-check-source-ip disable
    set tunnel-connect-without-reauth enable
    set tunnel-user-session-timeout 86400   <- This value has a limit of 255 seconds on old FortiOS versions.
end
```

- 2FA/MFA/SAML implementation:
To allow enough time for the remote authentication process to complete, the default remote authentication timeout must be increased. This is mandatory for any kind of authentication that involves 2FA/MFA/Token, and for SAML. The recommended minimum value is 60 seconds. The remote authentication timeout should be adjusted to the requirements of the environment: 60 seconds may not be enough in some environments, and higher values may be needed.

```
config system global
    set remoteauthtimeout 60
end
```

Note: Starting with v7.6.3, SSL VPN tunnel mode is no longer supported, and SSL VPN web mode is called 'Agentless VPN'.

Related documents:
- Save password, auto connect, and always up | FortiClient 7.4.2 | Fortinet Document Library
- Configuring autoconnect with username and password authentication | FortiClient 7.4.2 | Fortinet Document Library
- Enabling VPN always up | FortiClient 7.4.2 | Fortinet Document Library
- Enabling VPN autoconnect | FortiClient 7.4.2 | Fortinet Document Library
- IKE settings | FortiClient 7.4.2 | Fortinet Document Library
- IKEv2 session resumption 7.4.1 | FortiClient 7.4.0 | Fortinet Document Library
- Resuming sessions for IPsec tunnel IKE version 2 | FortiGate / FortiOS 7.6.1 | Fortinet Document Library
- Troubleshooting Tip: IKEv2 IPSec VPN on v7.4.1 and v7.4.2 has NAT-T disabled with default settings
- Increasing remote authentication timeout using FortiGate CLI | FortiAuthenticator 6.6.0 | Fortinet Document Library
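The three CLI snippets in this article (IKEv2 session resumption, SSL VPN reconnection without reauthentication, and the remote authentication timeout) are easy to get partially right, and a tunnel that silently falls back to full reauthentication is hard to spot from the client side. The script below is an added example, not Fortinet code: it parses the config / edit / set / next / end subset of the FortiOS CLI into nested dicts and reports which of the settings above are missing or set to an unexpected value. The expected values are taken from the sample configurations in this article, the embedded sample is a trimmed copy of those snippets with the inline annotations removed, and the function and parameter names are the example's own. A finding with level "warn" is advisory (the 255-second ceiling of older FortiOS releases); "error" means the setting the article calls for is absent.

```python
"""Audit FortiOS CLI snippets for the VPN session-resumption settings in this
article.  Added example, not Fortinet code; expected values come from the
article's sample configurations and should be adjusted to your environment."""
import shlex


def parse_fortios(text):
    """Parse the config/edit/set/next/end subset of the FortiOS CLI into nested
    dicts: tables keyed by config path, entries by edit name, settings by
    keyword (one value -> str, several -> list).  Lines starting '#' are ignored."""
    root = {}
    stack = [root]                        # innermost block being filled is stack[-1]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        verb, *args = shlex.split(line)   # honours quoted names such as "VPN_RA_Group"
        if verb == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif verb == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif verb == "set":
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif verb in ("next", "end") and len(stack) > 1:
            stack.pop()
        else:
            raise ValueError(f"unrecognised or unbalanced line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unterminated config/edit block")
    return root


def _expect(table, where, expected, findings):
    # Record an 'error' finding for every key whose value differs from `expected`.
    for key, want in expected.items():
        if table.get(key) != want:
            findings.append(("error", f"{where}: {key} is {table.get(key)!r}, expected {want!r}"))


def audit_ikev2_resume(cfg, tunnel):
    """Check the per-VDOM setting and the dial-up phase1 `tunnel` for IKEv2 session resumption."""
    findings = []
    _expect(cfg.get("system settings", {}), "system settings",
            {"ike-session-resume": "enable"}, findings)
    p1 = cfg.get("vpn ipsec phase1-interface", {}).get(tunnel)
    if p1 is None:
        return findings + [("error", f"phase1-interface {tunnel!r} not found")]
    _expect(p1, f"phase1 {tunnel}", {
        "ike-version": "2",               # RFC 5723 session resumption is IKEv2 only
        "client-resume": "enable",
        "client-auto-negotiate": "enable",
        "client-keep-alive": "enable",
    }, findings)
    if not str(p1.get("client-resume-interval", "")).isdigit():
        findings.append(("error", f"phase1 {tunnel}: client-resume-interval not set"))
    return findings


def audit_sslvpn_reconnect(cfg, roaming_clients=True):
    """Check vpn ssl settings; roaming_clients=True also requires the source-IP check to be off."""
    s = cfg.get("vpn ssl settings")
    if s is None:
        return [("error", "vpn ssl settings block not found")]
    findings = []
    want = {"tunnel-connect-without-reauth": "enable"}
    if roaming_clients:
        want["auth-session-check-source-ip"] = "disable"
    _expect(s, "vpn ssl settings", want, findings)
    timeout = str(s.get("tunnel-user-session-timeout", ""))
    if not timeout.isdigit():
        findings.append(("error", "vpn ssl settings: tunnel-user-session-timeout not set"))
    elif int(timeout) > 255:              # older FortiOS releases cap this value at 255 s
        findings.append(("warn", f"tunnel-user-session-timeout {timeout} exceeds the 255 s "
                                 "limit of old FortiOS versions; confirm the running release accepts it"))
    return findings


def audit_remoteauth_timeout(cfg, minimum=60):
    """2FA/MFA/SAML needs remoteauthtimeout raised; the article's recommended floor is 60 s."""
    value = str(cfg.get("system global", {}).get("remoteauthtimeout", ""))
    if value.isdigit() and int(value) >= minimum:
        return []
    return [("error", f"system global: remoteauthtimeout is {value or 'unset'}, expected >= {minimum}")]


# Constructed input: the article's sample snippets, annotations removed and
# phase1 settings not relevant to resumption omitted.
ARTICLE_SAMPLE = """
config system settings
    set ike-session-resume enable
end
config vpn ipsec phase1-interface
    edit "MyTunnelName"
        set type dynamic
        set ike-version 2
        set mode-cfg enable
        set authusrgrp "VPN_RA_Group"
        set client-resume enable
        set client-resume-interval 7200
        set client-auto-negotiate enable
        set client-keep-alive enable
    next
end
config vpn ssl settings
    set dtls-tunnel enable
    set auth-session-check-source-ip disable
    set tunnel-connect-without-reauth enable
    set tunnel-user-session-timeout 86400
end
config system global
    set remoteauthtimeout 60
end
"""
```

Run the three audits over `parse_fortios(ARTICLE_SAMPLE)` and the only finding is the advisory about the 86400-second session timeout; feed in a `show full-configuration` dump from a real unit (after removing the header lines) to compare a live firewall against the same expectations.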