systemgeek
Visitor III
June 13, 2025
Solved

Setting up dialup IPsec using multiple SAML groups


I have the following dialup IPsec config working for one of my SAML user groups, and now I am trying to expand it to cover other SAML groups.

config firewall address
edit "OpsVPN-US2_range"
set type iprange
set start-ip 10.254.128.1
set end-ip 10.254.128.254
next
end

config firewall addrgrp
edit "OpsVPN-US2_split"
set member "Internal_10.0.0.0/8" "Internal_172.16.0.0/12" "Internal_192.168.0.0/16"
next
end

config vpn ipsec phase1-interface
edit "OpsVPN-US2"
set type dynamic
set interface "port1"
set ike-version 2
set peertype any
set net-device disable
set mode-cfg enable
set proposal aes256-sha512
set dhgrp 20
set eap enable
set eap-identity send-request
set wizard-type dialup-forticlient
set transport auto
set fortinet-esp enable
set assign-ip-from name
set dns-mode auto
set ipv4-split-include "OpsVPN-US2_split"
set ipv4-name "OpsVPN-US2_range"
set save-password enable
set psksecret ENC *******
next
end

config vpn ipsec phase2-interface
edit "OpsVPN-US2"
set phase1name "OpsVPN-US2"
set proposal aes256-sha512
set dhgrp 20
set keylife-type both
next
end

config system zone
edit "OpsVPN-US2_zone"
set interface "OpsVPN-US2"
next
end

config firewall policy
edit 0
set name "OpsVPN-US2_remote"
set srcintf "OpsVPN-US2_zone"
set dstintf "port2"
set action accept
set srcaddr "OpsVPN-US2_range"
set dstaddr "OpsVPN-US2_split"
set schedule "always"
set service "ALL"
set logtraffic all
set groups "FWSSO_IPsec_Operations"
set tcp-mss-sender 1300
set tcp-mss-receiver 1300
next
end


To make this work with a new SAML group, do I need to create a whole new VPN tunnel and a new FSSO object with a new port to log in to my ADFS, or can I just add the other groups to the above config and let the FW figure out which group SAML is returning from ADFS?

Best answer by rbraha (Staff), June 13, 2025

Hi @systemgeek 

If it's the same IdP (ADFS in this case) and the users have the same access to a destination, there is no need for another VPN tunnel; you can map those multiple groups to the same SAML server and add them to the same firewall policy. Just make sure the attributes returned from the IdP are correct for these user groups. If they have different access levels, then you will need different firewall policies.


systemgeek
Visitor III
June 13, 2025

Summarizing so I understand.

Yes, same IdP ADFS. In this case, same access level.

So Phase 1 and Phase 2 are unchanged.  System Zone unchanged.  I just add the extra groups to the Firewall Policy.


Since I might need this part: if the IdP ADFS is the same but the groups and access levels are different, then I need a new VPN tunnel. But do I need a different SAML IdP config, or can I still use the one in the example above?

rbraha
Staff
June 13, 2025

Hi @systemgeek 

No, you can use the same VPN tunnel but put the different user groups in different firewall policies. Please check the guide below; it will help.


https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-multiple-groups-with-EAP-for-IKEv2-SAML/ta-p/334453
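The FortiOS CLI fragment below is an added example, not code from the original post or from rbraha's replies, showing what the accepted answer and the final reply describe: one SAML server object for the single ADFS IdP, one FortiGate user group per ADFS group, the posted phase1/phase2 tunnel left untouched, and the groups distributed across firewall policies. The names ADFS-SAML, FWSSO_IPsec_Engineering, Eng_Subnets, REMOTE_Cert_1, the hostnames fw.example.com and adfs.example.com, and the ADFS group values "Operations" and "Engineering" are placeholders; the group-name attribute and the IdP URLs must match what the ADFS relying-party trust actually issues.

```fortios
# Added example: one SAML IdP, several ADFS groups, one dialup tunnel.
# Placeholders (assumptions): ADFS-SAML, fw.example.com, adfs.example.com,
# REMOTE_Cert_1, Eng_Subnets, and the ADFS group values Operations/Engineering.

# 1. A single SAML SP definition pointing at the one ADFS IdP.
#    group-name is the SAML attribute that carries the user's AD groups and
#    must equal the outgoing claim name configured on the ADFS relying-party trust.
config user saml
    edit "ADFS-SAML"
        set cert "Fortinet_Factory"
        set entity-id "https://fw.example.com/remote/saml/metadata/"
        set single-sign-on-url "https://fw.example.com/remote/saml/login/"
        set single-logout-url "https://fw.example.com/remote/saml/logout/"
        set idp-entity-id "http://adfs.example.com/adfs/services/trust"
        set idp-single-sign-on-url "https://adfs.example.com/adfs/ls/"
        set idp-single-logout-url "https://adfs.example.com/adfs/ls/?wa=wsignout1.0"
        set idp-cert "REMOTE_Cert_1"
        set user-name "username"
        set group-name "group"
    next
end

# 2. One FortiGate user group per ADFS group. Both reference the same SAML
#    server; the match block ties each local group to one value of the group
#    attribute in the assertion, so membership is decided by what ADFS returns.
config user group
    edit "FWSSO_IPsec_Operations"
        set member "ADFS-SAML"
        config match
            edit 1
                set server-name "ADFS-SAML"
                set group-name "Operations"
            next
        end
    next
    edit "FWSSO_IPsec_Engineering"
        set member "ADFS-SAML"
        config match
            edit 1
                set server-name "ADFS-SAML"
                set group-name "Engineering"
            next
        end
    next
end

# 3. The phase1-interface / phase2-interface "OpsVPN-US2" and the zone from
#    the question are unchanged. Authorization happens in the firewall policy,
#    not in phase1 (authusrgrp stays unset, as in the posted config).

# 4a. Same access level for both groups: list both on the existing policy.
#     (On a live box, edit the existing policy by its ID; "edit 0" creates a new one.)
config firewall policy
    edit 0
        set name "OpsVPN-US2_remote"
        set srcintf "OpsVPN-US2_zone"
        set dstintf "port2"
        set action accept
        set srcaddr "OpsVPN-US2_range"
        set dstaddr "OpsVPN-US2_split"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set groups "FWSSO_IPsec_Operations" "FWSSO_IPsec_Engineering"
        set tcp-mss-sender 1300
        set tcp-mss-receiver 1300
    next
end

# 4b. Different access level: instead of 4a, keep the Operations policy with
#     only FWSSO_IPsec_Operations in "set groups" and add a second policy for
#     Engineering that reaches a narrower destination. Same tunnel, same zone,
#     same address pool; only the group-to-destination mapping differs.
config firewall policy
    edit 0
        set name "OpsVPN-US2_engineering"
        set srcintf "OpsVPN-US2_zone"
        set dstintf "port2"
        set action accept
        set srcaddr "OpsVPN-US2_range"
        set dstaddr "Eng_Subnets"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set groups "FWSSO_IPsec_Engineering"
        set tcp-mss-sender 1300
        set tcp-mss-receiver 1300
    next
end
```

Use 4a or 4b, not both: if Engineering is already listed on the policy that reaches the whole split-tunnel group, the narrower policy adds nothing. Before relying on the group match, confirm that the assertion from ADFS actually carries the group attribute under the configured name; `diagnose debug application samld -1` on the FortiGate prints the attributes it parses from the response, which is the quickest way to see whether a user lands in the intended group. Because both groups share one address pool and one zone, the policy lookup is what separates them, so keep `set groups` on every VPN policy and avoid a catch-all policy without a group.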