FortiClient
MZBZ
Staff
Article Id 366682
Description This article provides solutions to increase the resiliency of road warrior and dial-up VPN connections against disconnection, without the need to save usernames and passwords or re-enter 2FA/MFA tokens.
Scope FortiClient SSL and IKEv2 dialup VPN with FortiGate as VPN gateway.
Solution
  1. IPsec VPN.
  • Software requirements:
    • FortiClient EMS v7.4.1+.
    • FortiClient (endpoints): v7.4.2+.
    • FortiGate FortiOS: v7.4.4+ or v7.6.0+.

 

  • Configuration guides: this is achieved through Fortinet's implementation of RFC 5723 IKEv2 session resumption.

 

  • Configuration requirements:
    • IPsec: IKEv2 only (based on RFC 5723, https://datatracker.ietf.org/doc/html/rfc5723). IKEv1 has no session resumption mechanism.
    • Save username: Not required.
    • Save password: Not required.
    • Keep running (always up): Not required.
    • RADIUS MFA: compatible; the token is requested only once, during the first connection establishment.
    • SAML Authentication: compatible; the login is requested only once, during the first connection establishment.
    • Session timer: configurable on FortiOS with client-resume-interval under config vpn ipsec phase1-interface (in seconds; the resumption ticket is valid for this long).
    • Client (source) IP address changes: Supported (LAN interface changes or ISP switch).
    • Transport layer: tested and confirmed with IKEv2 over UDP and over TCP (FortiGate and FortiClient can establish IKEv2 tunnels over TCP; see "IPsec VPN over TCP", FortiOS 7.4.1 / FortiClient 7.4.0, in the Fortinet Document Library).

 

  • Sample FortiGate configuration:

 

config system settings
    set ike-session-resume enable
end

 

config vpn ipsec phase1-interface
    edit "MyTunnelName"
        set type dynamic
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set dpd on-idle
        set eap enable
        set eap-identity send-request
        set reauth enable
        set authusrgrp "VPN_RA_Group"
        set client-resume enable
        set client-resume-interval 7200
        set client-auto-negotiate enable
        set client-keep-alive enable
        set dpd-retryinterval 60
    next
end

 

config vpn ipsec phase2-interface
    edit "MyTunnelName"
        set phase1name "MyTunnelName"
        set keepalive enable
    next
end

 

  2. SSL VPN.
  • Software requirements:
    • FortiClient EMS v7.2.x or v7.4.x.
    • FortiClient (endpoints): v7.2.x or v7.4.x.
    • FortiGate FortiOS: v7.2.10, v7.4.x or v7.6.x.

 

 

  • Configuration requirements:
    • Save username: Not required.
    • Save password: Not required.
    • Keep running (always up): Not required.
    • RADIUS MFA: compatible and will be asked just once during the first connection establishment.
    • SAML Authentication: compatible and will be asked just once during the first connection establishment.
    • Session timer: configurable on FortiOS with tunnel-user-session-timeout under config vpn ssl settings (in seconds; a disconnected client can resume its session without re-authentication within this window).
    • Client (source) IP address changes: supported by set auth-session-check-source-ip disable under config vpn ssl settings. Disabling this check means the SSL VPN session is no longer bound to the client IP address that established it, which is what allows a roaming client to resume; keep it enabled if clients never change address.
    • Transport layer: tested and confirmed with TCP and UDP (DTLS).

 

  • Sample FortiGate configuration:

 

config vpn ssl settings
    set dtls-tunnel enable
    set auth-session-check-source-ip disable
    set tunnel-connect-without-reauth enable
    set tunnel-user-session-timeout 86400
end

tunnel-user-session-timeout is limited to a maximum of 255 seconds on old FortiOS versions; the value of 86400 above requires a version that accepts the larger range.

 

  3. 2FA/MFA/SAML implementation.

 

To allow enough time for the remote authentication process to complete, the default value of the remote authentication timeout (5 seconds in FortiOS) must be increased. This is mandatory for any kind of authentication that involves a 2FA/MFA token prompt and for SAML. The recommended minimum value is 60 seconds; adjust it to the requirements of the environment, since 60 seconds may not be enough in some environments and higher values may be needed.

 

config system global
    set remoteauthtimeout 60
end
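The settings in sections 1 to 3 are spread over four configuration scopes, and it is easy to get them partly right (for example client-resume set on the phase1 while the ike-session-resume setting under config system settings is forgotten). The following is an added example, not Fortinet code and not part of the original article: a small Python script that parses a FortiGate CLI backup (the plain config/edit/set/next/end syntax) and reports which of the recommended settings are missing. The two sample configurations embedded in it are constructed for the demonstration; the script assumes only the FortiOS CLI syntax and the FortiOS default remoteauthtimeout of 5 seconds.

```python
"""Audit a FortiOS CLI configuration dump for the VPN resiliency settings
discussed above (IKEv2 session resumption, SSL VPN reconnect without
re-authentication, remote authentication timeout for MFA/SAML).

Added example, not Fortinet code. Assumes only the config/edit/set/next/end
syntax of a FortiGate backup; the sample configs below are constructed.
"""
import shlex


def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts: 'config a b' and 'edit "x"'
    open a nested dict keyed "a b" / "x", 'set k v...' stores one string,
    'next'/'end' close the current block."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # e.g. '#config-version=' header
            continue
        words = shlex.split(line)
        verb, args = words[0], words[1:]
        if verb == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif verb == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif verb == "set":
            stack[-1][args[0]] = " ".join(args[1:])
        elif verb == "unset":
            stack[-1].pop(args[0], None)
        elif verb in ("next", "end"):
            if len(stack) == 1:
                raise ValueError("unbalanced block close: %r" % line)
            stack.pop()
    if len(stack) != 1:
        raise ValueError("unterminated config/edit block")
    return root


def audit(tree, min_remoteauth=60):
    """Return a list of findings; empty means the config matches the article."""
    findings = []
    if tree.get("system settings", {}).get("ike-session-resume") != "enable":
        findings.append("system settings: ike-session-resume is not enabled")

    for name, p1 in tree.get("vpn ipsec phase1-interface", {}).items():
        if p1.get("type") != "dynamic":
            continue  # only dialup (road warrior) tunnels are in scope
        if p1.get("ike-version") != "2":
            findings.append(f"phase1 {name}: IKEv1, session resumption (RFC 5723) needs IKEv2")
            continue
        if p1.get("client-resume") != "enable":
            findings.append(f"phase1 {name}: client-resume is not enabled")
        if "client-resume-interval" not in p1:
            findings.append(f"phase1 {name}: client-resume-interval not set")

    ssl = tree.get("vpn ssl settings", {})
    if ssl:  # SSL VPN is only audited when it is configured at all
        if ssl.get("tunnel-connect-without-reauth") != "enable":
            findings.append("vpn ssl settings: tunnel-connect-without-reauth is not enabled")
        if "tunnel-user-session-timeout" not in ssl:
            findings.append("vpn ssl settings: tunnel-user-session-timeout not set")
        if ssl.get("auth-session-check-source-ip", "enable") != "disable":
            findings.append("vpn ssl settings: auth-session-check-source-ip is enabled, "
                            "a client whose source IP changes loses its session")

    # FortiOS default for remoteauthtimeout is 5 seconds (assumed when unset).
    rat = int(tree.get("system global", {}).get("remoteauthtimeout", "5"))
    if rat < min_remoteauth:
        findings.append(f"system global: remoteauthtimeout {rat}s is below "
                        f"{min_remoteauth}s, MFA/SAML prompts may time out")
    return findings


# Constructed sample: IKEv1 dialup, defaults everywhere else.
WEAK_CONFIG = """
config vpn ipsec phase1-interface
    edit "RA_IKEv1"
        set type dynamic
        set ike-version 1
        set mode-cfg enable
    next
end
config vpn ssl settings
    set auth-session-check-source-ip enable
end
"""

# Constructed sample following the article's recommendations.
HARDENED_CONFIG = """
config system settings
    set ike-session-resume enable
end
config system global
    set remoteauthtimeout 60
end
config vpn ipsec phase1-interface
    edit "MyTunnelName"
        set type dynamic
        set ike-version 2
        set client-resume enable
        set client-resume-interval 7200
    next
end
config vpn ssl settings
    set auth-session-check-source-ip disable
    set tunnel-connect-without-reauth enable
    set tunnel-user-session-timeout 86400
end
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(parse_fortios(cfg)) or ["OK"])
```

Run it against a real backup with `audit(parse_fortios(open("fgt.conf").read()))`; the weak sample yields six findings and the hardened sample none.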

 
