Matt_B
Staff & Editor
Article Id: 411481
Description: This article demonstrates the use of X.509 certificates to authenticate a FortiClient to a remote IPsec gateway, using SAML for user authentication.
Scope: FortiOS v7.2.0 and later, FortiClient v7.2.4 and later.
Solution

Example Topology:

[Image: IKEV2_SIG_SAML.png (example topology)]

Note: X.509 certificates are often referred to as 'SSL certificates', but they are not restricted to use in SSL. If a FortiGate local certificate was in use for SSL VPN before, it can, in many cases, be reused for IPsec VPN.

 

  1. Configure the FortiGate as a SAML SP for IPsec.

See Fortinet documentation SAML-based authentication for FortiClient remote access dialup IPsec VPN clients, or Technical Tip: Recommended basic configuration for SSL VPN to IPsec VPN migration with SAML authenti... for more on this step.

 

Verify SAML authentication is working as expected using a pre-shared key VPN before configuring signature authentication. The remainder of this article assumes a SAML SP for IPsec VPN users is already correctly configured and deployed.

 

  2. Import the private CA certificate to FortiGate.

 

Import the certificate of the CA that signs the VPN client certificates. From the GUI, navigate to System -> Certificate -> Create/Import -> CA Certificate -> Upload File.

After import, the CA certificate will have a name like 'CA_Cert_1'. Optionally, rename the certificate.

 

config vpn certificate ca
    rename CA_Cert_1 to 'Private CA'
end

 

  • If the private PKI has a root CA and one or more intermediate CAs, any CA in the chain can be used with the default certificate settings. If 'check-ca-chain' is enabled in 'config vpn certificate setting', every CA in the chain must be imported.
  • Since the FortiGate will not be signing any certificates with the imported certificate, the certificate should not include the private key.
  • If the FortiGate’s server certificate is signed by a private CA, ensure this private CA is imported to the workstation certificate store. For an example using GPO, see Technical Tip: How to distribute a Fortinet CA SSL certificate on a local domain on a Windows Server.

 

  3. Configure a user peer referencing the imported CA.

This configuration is used to authenticate the client device during IKEv2 phase 1 authentication. Client devices must present certificates signed by the referenced CA.

 

config user peer
    edit "peer_admin-ou"
        set mandatory-ca-verify enable <-- default setting
        set ca "Private CA"  <-- imported CA
    next
end

 

If multiple CAs are used to sign client certificates, multiple peers can be configured and included in a peergrp.

 

config user peergrp
    edit "IKE peers"
        set member "peer1" "peer2"
    next
end

 

  4. Configure an IPsec tunnel using IKEv2.

 

Note the settings that are specific to signature authentication with SAML: ike-version 2, authmethod signature, peertype peer, peer, certificate, eap enable, eap-identity send-request, and eap-cert-auth enable.

config vpn ipsec phase1-interface
    edit "dialup_admin"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set authmethod signature
        set peertype peer
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256
        set dpd on-idle
        set dhgrp 20 14 5
        set eap enable
        set eap-identity send-request
        set eap-cert-auth enable
        set certificate "vpn.sitea.example.com"
        set peer "peer_admin-ou"
        set ipv4-start-ip 10.253.0.100
        set ipv4-end-ip 10.253.0.200
        set dns-mode auto
        set ipv4-split-include "Admin Split Tunnel Addresses"
        set dpd-retryinterval 60
    next
end

 

config vpn ipsec phase2-interface
    edit "dialup_admin"
        set phase1name "dialup_admin"
        set proposal aes256-sha256
        set dhgrp 20 14 5
    next
end

 

  5. Configure one or more user groups referencing the SAML connector.

The SAML server used must be the same one configured on the interface hosting the dial-up IPsec tunnels.

 

config user group
    edit "VPN Admin General Access"
        set member "IKE_SAML" <-- SAML SP configuration in 'config user saml'.
    next
end

 

If users require different access depending on groups returned in the SAML assertion, additionally configure a group match.

 

config user group
    edit "VPN Admin General Access"
        set member "IKE_SAML"
        config match
            edit 1
                set server-name "IKE_SAML"
                set group-name "LAB_org_admin_unpriv"
            next
        end
    next
end

 

  6. Configure a firewall policy referencing the IPsec tunnel and user group.

 

config firewall policy
    edit <index>
        set name "IPsec RA Admin General Access"
        set srcintf "dialup_admin"
        set dstintf "port2"
        set action accept
        set srcaddr "IPsec RA Admin Clients"
        set dstaddr "Admin General Access"
        set schedule "always"
        set service "PING"
        set logtraffic all
        set groups "VPN Admin General Access"
    next
end

 

Note: The user group referencing the SAML SP configuration must be set either on the tunnel's firewall policy or in the phase1-interface configuration, never on both.

 

  7. Provision and import the client certificate to endpoints.

For domain-joined endpoints, this may be done automatically via GPO. For an example of how to manually import a certificate using Windows, see Importing user certificate into Windows 10.

 

  8. Configure the FortiClient VPN connection.

The FortiClient SSO port must match the configured auth-ike-saml-port, and the remote gateway should match the CN or SAN in the FortiGate's server certificate.

 

[Image: 1.png]

 

config system global
    set auth-ike-saml-port 20443
end

 

The IKE version must be 2. If visible, NAT Traversal must be enabled in most deployments.

 

[Image: 2.png]

 

  9. (Optional) Configure cert_subjectcheck in FortiClient XML.

By default, FortiClient accepts any server certificate from FortiGate for authenticating the remote gateway, as long as it is signed by a trusted CA. It is recommended to enable certificate subject checking so that FortiClient also verifies that the FQDN of the remote gateway matches the CN in the certificate's subject or one of its subject alternative names (SANs).

 

This setting is supported by both EMS-managed and VPN-only FortiClients. See 'cert_subjectcheck' in IKE settings.


In future EMS versions, a toggle will be added to allow configuring this setting from the FortiClient EMS GUI for VPN connections using signature authentication.

 

 10. (Optional) Configure multiple dial-up tunnels and remote peers.

When signature authentication is in use, FortiGate re-evaluates which dial-up gateway a connection belongs to after receiving the client certificate, based on the matching user peer. For this reason, the proprietary network-id attribute is usually not required to distinguish between multiple dial-up gateways; instead, user peers can be used to direct the VPN connection attempt to the appropriate gateway.

 

config user peer
    edit "peer_admin-ou"
        set ca "Private CA"
        set subject "OU=IT"
    next
    edit "peer_sales-ou"
        set ca "Private CA"
        set subject "OU=SALES"
    next
end


After configuring each additional peer, configure a matching IPsec tunnel and required firewall policies.

The principal advantage of configuring multiple remote access IPsec gateways is the ability to assign different VPN configurations to different client groups, such as different address pools, split-tunnel routes, and DNS servers.

Alternatively, a single IPsec gateway can be used, and access control applied based on matching groups in the firewall policy.

If PSK authentication is used with IKEv2, network-id is required to support multiple dial-up gateways on the same IP address; see Technical Tip: FortiGate Hub with multiple IPSec Dial-up phase1 using IKEv2 and PSK authentication.
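Two certificate checks carry this whole configuration: the user peer match (CA verification plus the subject constraint used above to steer connections to the right dial-up gateway) and the gateway name check that cert_subjectcheck enables on FortiClient. Both can be rehearsed on a workstation before any certificate is deployed. The script below is an added example, not Fortinet code: it generates a throwaway private CA and test certificates with the openssl CLI (constructed data, named after this article's examples), assumes the peer subject constraint behaves like a case-insensitive substring match of the RFC 2253 subject, and uses openssl's -checkhost as a stand-in for FortiClient's SAN/CN check.

```shell
#!/bin/sh
# Added example (not Fortinet's code): rehearses with the openssl CLI the two
# certificate checks this article relies on.
#   1. 'config user peer': the client certificate must chain to the imported CA
#      (mandatory-ca-verify) and its subject must contain the configured
#      'set subject' string, e.g. "OU=IT". Case-insensitive substring matching
#      is an assumption made for this emulation.
#   2. cert_subjectcheck on FortiClient: the gateway FQDN must match a SAN or the
#      CN of the FortiGate server certificate (openssl -checkhost approximates it).
# Every key and certificate is generated below in a temporary directory as
# constructed test data (Private CA, OU=IT, OU=SALES, vpn.sitea.example.com).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the script does not depend on the system openssl.cnf.
cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
O = Example Lab
CN = Private CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# issue_leaf <name> <subject> <x509v3 extension line or empty string>
# Signs a leaf certificate with the throwaway CA created by make_pki.
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/pki.cnf" -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  if [ -n "$3" ]; then
    printf '%s\n' "$3" > "$WORK/$1.ext"
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
      -CAcreateserial -days 1 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
      -CAcreateserial -days 1 -out "$WORK/$1.crt" 2>/dev/null
  fi
}

# make_pki: a self-signed private CA plus three test certificates.
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/pki.cnf" \
    -extensions ca_ext -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  issue_leaf client-it    "/O=Example Lab/OU=IT/CN=alice"  ""
  issue_leaf client-sales "/O=Example Lab/OU=SALES/CN=bob" ""
  issue_leaf server       "/O=Example Lab/CN=vpn.sitea.example.com" \
    "subjectAltName=DNS:vpn.sitea.example.com"
}

# peer_match <client cert> <ca cert> <subject string>
# Emulates one 'config user peer' entry: returns 0 only when the certificate
# verifies against the CA and its RFC 2253 subject contains the configured string.
peer_match() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || return 1
  pm_subject=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | tr '[:upper:]' '[:lower:]')
  pm_wanted=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')
  case "$pm_subject" in
    *"$pm_wanted"*) return 0 ;;
    *)              return 1 ;;
  esac
}

# gateway_name_check <server cert> <fqdn>
# The check cert_subjectcheck enables on FortiClient: the remote gateway name
# must match a SAN (or, failing that, the CN) of the server certificate.
gateway_name_check() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# report <label> <command...>: prints MATCH / NO MATCH without tripping set -e.
report() {
  label=$1; shift
  if "$@"; then echo "MATCH     $label"; else echo "NO MATCH  $label"; fi
}

make_pki
report "alice (OU=IT) vs peer_admin-ou"        peer_match "$WORK/client-it.crt"    "$WORK/ca.crt"     "OU=IT"
report "bob (OU=SALES) vs peer_admin-ou"       peer_match "$WORK/client-sales.crt" "$WORK/ca.crt"     "OU=IT"
report "bob (OU=SALES) vs peer_sales-ou"       peer_match "$WORK/client-sales.crt" "$WORK/ca.crt"     "OU=SALES"
report "alice vs peer with the wrong CA"       peer_match "$WORK/client-it.crt"    "$WORK/server.crt" "OU=IT"
report "gateway name vpn.sitea.example.com"    gateway_name_check "$WORK/server.crt" vpn.sitea.example.com
report "gateway name vpn.siteb.example.com"    gateway_name_check "$WORK/server.crt" vpn.siteb.example.com
```

Run it as-is; it prints MATCH or NO MATCH per case and removes the temporary directory on exit. The "wrong CA" case is the one that mandatory-ca-verify protects: a certificate with a matching subject but no chain to the imported CA is rejected before the subject is even inspected. Note that in this emulation a bare "OU=IT" constraint would also match "OU=ITSUPPORT", so choose subject strings that are unambiguous in the private PKI.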

 

Expected behavior:

  1. Using the configured SSO port, the FortiClient establishes a connection to the FortiGate acting as SAML SP.
  2. The FortiClient is redirected to the SAML IdP, where the user enters their credentials.

     [Image: 4.PNG]


  3. Using the SSO port, FortiClient presents the SAML response to FortiGate for validation.
  4. FortiClient establishes an IKEv2 connection to FortiGate and performs certificate authentication.
  5. FortiClient and FortiOS use an IKEv2 AUTH exchange to match the IKE connection attempt to the previously received SAML response.
  6. If this is successful, authentication is complete, and the connection proceeds to mode-cfg exchange and phase2 SA negotiation.

 

[Image: 3.png]

 

Related article:
Technical Tip: FortiGate SAML authentication resource list