Technical Tip: Using the same TCP port for IPsec SAML authentication and IKE TCP encapsulation in FortiOS v7.6.1

In FortiOS v7.6.1 and later, it is possible to host a SAML SP server for IPsec user authentication on the same port as the one used for IKE TCP encapsulation. This can be necessary to support locked-down environments where the only certain outgoing ports are allowed for clients.

IPsec dial-up VPN over TCP also requires FortiClient v7.4.1 or later; see the FortiClient 7.4.0 New Features Guide for details on IPsec VPN over TCP support on Windows, macOS, and Linux.

Multiple resources exist demonstrating how to configure a SAML server for IKE. It is recommended to review the following documents and configure a test deployment using UDP transport for IPsec before integrating TCP transport.

• SAML-based authentication for FortiClient remote access dialup IPsec VPN clients
• Technical Tip: Recommended basic configuration for SSL VPN to IPsec VPN migration with SAML authentication

Example 1: FortiOS configuration using TCP port 20443.

This example demonstrates some important settings for transitioning an existing working dial-up tunnel to IKE TCP transport, but is not comprehensive.

config system setting

    set ike-tcp-port 20443 <----- Changing ike-tcp-port flushes all existing IPsec tunnels on the VDOM.

end

config system global

    set auth-ike-saml-port 1001 <----- Any port except ike-tcp-port.

end

Warning:

Changing the ike-tcp-port flushes all existing IPsec tunnels, including site-to-site tunnels and those using UDP transport mode. This will cause some disruption for existing traffic traversing IPsec VPN tunnels.

When IPsec SAML authentication and IKE TCP encapsulation use the same port, the 'auth-ike-saml-port' setting is not used. The 'ike-tcp-port' should be configured to match the single TCP port that will handle both SAML authentication and IPsec traffic.

config user setting

    set auth-cert <certificate for FortiGate FQDN> <----- Certificate used for client connection to FortiGate as SAML SP.

end

Ensure the SAML SP information includes the intended TCP port in the URL.

config user saml

    edit "IKE_SAML"

        set entity-id "http://<FortiGate FQDN>:20443/remote/saml/metadata/"

        set single-sign-on-url "https://<FortiGate FQDN>:20443/remote/saml/login"

        set single-logout-url "https://<FortiGate FQDN>:20443/remote/saml/logout"

        set idp-entity-id <IDP identifier URL>
        set idp-single-sign-on-url <IDP sign-on URL>
        set idp-single-logout-url <IDP logout URL>
        set idp-cert <Remote IDP certificate imported to FortiGate>

    next

end

Note: entity-id, single-sign-on-url, and single-logout-url including port must mirror the Enterprise Application or SAML Service Provider settings configured on the SAML IDP (Entra ID, Google Workspaces, FortiIdentity Cloud etc.)

config system interface

    edit "port1"

        set ike-saml-server "IKE_SAML"

    next

end

config vpn ipsec phase1-interface

    edit "dialup_psk"

        set type dynamic

        set interface "port1"

        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256
        set dpd on-idle
        set dhgrp 14 5 20
        set eap enable
        set eap-identity send-request

        set transport auto

        set fortinet-esp disable <----- Default setting. fortinet-esp is a legacy protocol used only for FortiGate-FortiGate tunnels.

        set ipv4-start-ip 10.253.0.100
        set ipv4-end-ip 10.253.0.200
        set dns-mode auto
        set ipv4-split-include "Admin Split Tunnel Addresses"

        set psksecret <psk>

        set dpd-retryinterval 60

    next

end

config user group

    edit "IKE SAML user group"

        set member "IKE_SAML"

    next

end

config firewall policy

    edit <index>

        set name "RA VPN test"

        set srcintf "dialup_psk"

        set dstintf "port2"

        set action accept

        set srcaddr "IPsec VPN Admin Clients"

        set dstaddr "Test Address"

        set schedule "always"

        set service "PING" <-- test policy only allowing ICMP ECHO Request. Can be expanded to include additional services.

        set groups "IKE SAML user group"

    next

end

On FortiClient, enable single-sign-on and configure the single-sign-on port as 20443. Enable IPsec over TCP and configure TCP port as 20443.

FortiClient v7.4.3 configuration using TCP port 20443:

Example 2: FortiOS configuration using TCP port 443.

This is a repeat of example 1, but with the following differences:

config system setting

    set ike-tcp-port 443 <----- Default value on FortiOS v7.6.1 and later. If the firewall was upgraded from a previous version, the ike-tcp-port may still be configured as the old default value 4500.

end

config user saml

    edit "IKE_SAML"

        set entity-id "http://<FortiGate FQDN>/remote/saml/metadata/"

        set single-sign-on-url "https://<FortiGate FQDN>/remote/saml/login"

        set single-logout-url "https://<FortiGate FQDN>/remote/saml/logout"

        set idp-entity-id <IDP identifier URL>
        set idp-single-sign-on-url <IDP sign-on URL>
        set idp-single-logout-url <IDP logout URL>
        set idp-cert <Remote IDP certificate imported to FortiGate>

    next

end

Notes:

• changing the ike-tcp-port flushes all existing IPsec tunnels and can cause tunnel traffic disruption.
• The default HTTPS management port is TCP 443. Updating the ike-tcp-port to 443 may prevent GUI management access if an IPsec tunnel is configured on the same interface(s) used for firewall management.
• Firewall 'config user saml' settings must mirror the Enterprise Application or SAML Service Provider settings configured on the SAML IDP (Entra ID, Google Workspace, FortiIdentity Cloud etc.)

FortiClient v7.4.3 configuration using TCP port 443:

Potential port conflicts:

• ike-tcp-port and auth-ike-saml-port: since the same port is used for both SAML authentication and IPsec transport, this relies on the iked process initially receiving both the SAML and IPsec traffic. The single FortiOS setting controlling this is 'ike-tcp-port'. The 'auth-ike-saml-port' should remain different since this setting is not used. Configuring the same value for 'ike-tcp-port' and 'auth-ike-saml-port' will cause the iked process to miss TCP IPsec traffic, preventing tunnel establishment over TCP.
• TCP 11443 and admin-sport: When setting ike-tcp-port, FortiGate reserves TCP port 11443 internally for IKE traffic. If admin-sport is already configured as 11443, a port conflict exists, and either the admin GUI or IKE TCP encapsulation will not run correctly. See the article Technical Tip: Dial-up IPsec VPN connection fails when a non-default IKE TCP port is configured on FortiGate.
• ike-tcp-port and admin-sport: forbidden by configuration check.
• ike-tcp-port and external virtual IP: TCP port should not overlap with an existing Virtual IP. For example, if the FortiGate is configured to allow remote HTTPS traffic on TCP port 443 as forward traffic to a local web server, TCP port 443 is not available to host IPsec/SAML.
• ike-tcp-port and SSL VPN port: While SSL VPN tunnel mode is removed in v7.6.3 and later, SSL VPN web mode remains as 'Agentless VPN'. To prevent a port conflict, disable Agentless VPN or use a different port, see the article: Technical Tip: How to disable SSL VPN functionality on FortiGate.
  

Verification:

1. On a test VPN client, configure FortiClient to use 'IPSec over TCP' encapsulation to force the client to use TCP only:
   
   
   

Note: In most environments, it is recommended to configure FortiClient IPsec Encapsulation as 'Auto(UDP fallback TCP)'.

2. Connect to the IPsec VPN and attempt to access a resource behind the firewall.
   
   
3. Verify the TCP packets are reaching the FortiGate in a packet sniffer, and check the expected 'NOT IKETCP(), assign to AUTH' messages are visible in IKE diagnostics as shown below:

diagnose debug application ike -1

diagnose debug application authd 7

diagnose debug enable

If 'NOT IKETCP(), assign to AUTH' messages are seen and CPU usage is normal for the iked and authd processes, it is unlikely to be an issue specific to IPsec over TCP. In this case, see Troubleshooting IPsec VPN IKEv2 with SAML authentication for further troubleshooting steps.

Notes:

• IPsec over TCP does not support NPU offloading of ESP (data) packets; see the FortiOS Administration Guide: Encapsulate ESP packets within TCP headers. The IPsec VPN Throughput Specification recorded in the product datasheet assumes the use of NPU offloading, so a lower maximum throughput is expected when TCP encapsulation is in use.
• Starting from FortiOS 7.6.5, IPsec VPN supports configuring UDP port 443 as a custom UDP IKE port. If the UDP IKE port is changed, this takes effect for all IPsec tunnels, not just remote access dialup tunnels. For additional details, refer to Allow UDP port 443 for dialup IPsec VPN.

Related documents:

• Technical Tip: FortiGate Hub with multiple IPsec Dial-up phase1 using IKEv2 and PSK authentication
• TCP encapsulation of IKE and IPsec packets across multiple vendors
• Dialup IPsec VPN using custom TCP port