Skip to main content
Dhruvin_patel
Staff
Staff
February 3, 2025

Technical Tip: Implementing IPsec VPN SAML-based authentication using loopback Interface

  • February 3, 2025
  • 0 replies
  • 7892 views

Description

This article indicates the options that must be enabled while configuring IPsec VPN SAML-based authentication using loopback Interface.

Scope

FortiGate v7.2.4 and later.

Solution

The configuration of IPsec VPN SAML-based authentication is based on the document IPsec VPN SAML-based authentication.

 

The configuration with a loopback interface only works if 'set ike-saml-server' is also enabled on the ingress interface. 

 

The following tunnel has been configured with a lookback interface:

config vpn ipsec phase1-interface
    edit "v4-PSK-IKEv2"
        set type dynamic
        set interface "Loopback"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 172.17.60.6
        set ipv4-dns-server2 8.8.8.8
        set proposal aes128-sha1 aes256-sha256
        set dpd on-idle
        set dhgrp 5
        set eap enable
        set eap-identity send-request
        set assign-ip-from name
        set ipv4-split-include "LAN2-192.168.235.0"
        set ipv4-name "IPSec_Tunnel_Addr1" 
        set save-password enable
        set client-auto-negotiate enable
        set client-keep-alive enable
        set psksecret 11111111
        set dpd-retryinterval 60
   next
end

 

The Loopback interface configuration is as follows, where it requires a set 'set ike-saml-server'.


Important note:


Using virtual IP for loopback interface is not supported in IPsec remote access.

config system interface
    edit "Loopback"
        set ike-saml-server "IPsec-SAML"
    next
end


Additionally, the option also needed to be set on the ingress interface. Otherwise, the connection will terminate at the TLS handshake with an 'Encrypted Alert', and there will be no SAML debug output. 

In this case, assume the traffic is ingress on the interface wan2, where the option 'set ike-saml-server' needs to be set.

config system interface 
    edit "wan2"
        set ike-saml-server "IPsec-SAML"
    next
end

 

Debug logs to be taken if any issue occurs:

diagnose vpn ike log filter clear
diagnose vpn ike log filter rem-addr4 <remote_public_IP>
diagnose debug application ike -1
diagnose debug application samld -1
diagnose debug application fnbamd -1
diagnose debug application eap_proxy -1
diagnose debug console timestamp enable
diagnose debug enable

 

To disable: 

diagnose debug disable
diagnose vpn ike log filter clear

 

IKE Debug commands reference: Troubleshooting Tip: IPsec Tunnel (debugging IKE).

 

Note:
IKE with SAML authentication does not support multiple SAML servers on the same interface, as the SAML server is directly bound to the interface and allows only one instance to be configured.

Dial-up IPsec with SAML using an external browser for authentication is supported starting from v7.4.9 and v7.6.1, FortiClient v7.2.5 and v7.4.1 for Mac and Windows, and FortiClient v7.4.3 for Linux: Technical Tip: FortiClient SAML Authentication Configuration Demystified.

Starting from FortiGate v7.2.12, v7.4.9, and v7.6.4, the device verifies the signature of SAML response messages.

This enhancement is detailed in the SAML certificate verification section of the Release Notes: SAML certificate verification.


This enhancement also applies to FIPS-CC CVE-Patched builds for v7.2 (for example, builds beginning with FIPS-CC-72-5 and later).

 

After upgrading, SAML authentication may fail when FortiGate is configured as the Service Provider, such as in IPsec/SSL VPN, administrator SSO login, or SAML captive portal scenarios.

 

To comply with the updated verification requirement, both the SAML assertion and the SAML response must be signed.

 

For detailed troubleshooting steps and configuration guidance, refer to the following article: Troubleshooting Tip: SAML Authentication fails after firmware upgrade to v7.2.12, v7.4.9 or v7.6.4.

 

Related documents: