1. IPsec VPN.

• Software requirements:
  • FortiClient EMS v7.4.1+.
  • FortiClient (endpoints): v7.4.2+.
  • FortiGate FortiOS: v7.4.4+ or v7.6.0+.

• Configuration guides: This is achieved by Fortinet implementation of RFC5723 IKEv2 session resumption:

• • IKEv2 session resumption 7.4.1
  • Resuming sessions for IPsec tunnel IKE version 2 7.4.4
  • IKE settings

• Configuration requirements:
  • IPsec: Just IKEv2 (based on RFC5723 https://datatracker.ietf.org/doc/html/rfc5723) 
  • Save username: Not required.
  • Save password: Not required.
  • Keep running (always up): Not required.
  • RADIUS MFA: compatible and will be asked just once during the first connection establishment
  • SAML Authentication: compatible and will be asked just once during the first connection establishment
  • Session timer: configurable on FortiOS with client-resume-interval under config vpn ipsec phase1-interface
  • Client (source) IP address changes: Supported (LAN interface changes or ISP switch).
  • Transport layer: tested and confirmed with IKEv2 UDP and TCP (FortiGate and FortiClient can establish IKEv2 tunnels over TCP IPsec VPN over TCP 7.4.1 | FortiClient 7.4.0 | Fortinet Document Library ).

• Sample FortiGate configuration:

config system settings
    set ike-session-resume enable
end

config vpn ipsec phase1-interface
    edit "MyTunnelName"
        set type dynamic
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set dpd on-idle
        set eap enable
        set eap-identity send-request
        set reauth enable
        set authusrgrp "VPN_RA_Group"
        set client-resume enable
        set client-resume-interval 7200
        set client-auto-negotiate enable
        set client-keep-alive enable
        set dpd-retryinterval 60
    next
end

config vpn ipsec phase2-interface
    edit "MyTunnelName"
        set phase1name "MyTunnelName"
        set keepalive enable
    next
end

2. SSL VPN.

• Software requirements:
  • FortiClient EMS v7.2.x or v7.4.x.
  • FortiClient (endpoints): v7.2.x or v7.4.x.
  • FortiGate: v7.2.10 or v7.4 or v7.6.

• Configuration guides: This is achieved by set tunnel-connect-without-reauth enable under config vpn ssl settings.
  • config vpn ssl settings
  • Technical Tip: Configuring SSL-VPN to allow tunnel reconnection without requiring reauthentication

• Configuration requirements:
  
  • Save username: Not required.
  • Save password: Not required.
  • Keep running (always up): Not required.
  • RADIUS MFA: compatible and will be asked just once during the first connection establishment.
  • SAML Authentication: compatible and will be asked just once during the first connection establishment.
  • Session timer: configurable on FortiOS with tunnel-user-session-timeout under config vpn ssl settings
  • Client (source) IP address changes: supported by set auth-session-check-source-ip disable under config vpn ssl settings
  • Transport layer: tested and confirmed with TCP and UDP (DTLS).

• Sample FortiGate configuration:

config vpn ssl settings
    set dtls-tunnel enable
    set auth-session-check-source-ip disable
    set tunnel-connect-without-reauth enable
    set tunnel-user-session-timeout 86400 <- This value has a limit of 255 seconds on old FortiOS versions.
end

3. 2FA/MFA/SAML implementation: `

To allow enough time for the remote authentication process to take place, the default value of the remote authentication timeout must be increased. This is mandatory for any kind of authentication that involves 2FA/MFA/Token or for SAML. Recommended minimum value is 60 seconds. Remote authentication timeout value should be adjusted according to the requirements of the environment. The value (60 seconds) may not work in some environments and higher values may be needed.

config system global

set remoteauthtimeout 60

end

Related documents:

• Save password, auto connect, and always up | FortiClient 7.4.2 | Fortinet Document Library
• Configuring autoconnect with username and password authentication | FortiClient 7.4.2 | Fortinet Doc...
• Enabling VPN always up | FortiClient 7.4.2 | Fortinet Document Library
• Enabling VPN autoconnect | FortiClient 7.4.2 | Fortinet Document Library
• IKE settings | FortiClient 7.4.2 | Fortinet Document Library
• IKEv2 session resumption 7.4.1 | FortiClient 7.4.0 | Fortinet Document Library
• Resuming sessions for IPsec tunnel IKE version 2 | FortiGate / FortiOS 7.6.1 | Fortinet Document Lib...
• Troubleshooting Tip: IKEv2 IPSec VPN on v7.4.1 and v7.4.2 has NAT-T disabled with default settings
• Increasing remote authentication timeout using FortiGate CLI | FortiAuthenticator 6.6.0 | Fortinet D...