FortiGate
auppal
Staff
Article Id 317244
Description

This article describes how to configure a dialup IPsec IKEv2 tunnel on FortiGate with Okta as the SAML IdP.

Scope

FortiGate v7.2.0 or later, v7.4.0 or later, Okta, FortiClient v7.2.4 or later, FortiClient EMS.

Topology:

(topology diagram)

Solution

Step 1: Define a user-specified IKE SAML authentication port:

config system global
    set auth-ike-saml-port 2002
end

Step 2: Configure SAML authentication on Okta:

  1. Go to Applications -> Applications, select Create App Integration, and select SAML 2.0.
  2. Provide the App Name as required and select 'Next'.
  3. Configure the SAML Settings. Make sure the URLs used here match the configuration done on the FortiGate in later steps.
  4. On the Feedback step, select 'I'm an Okta customer adding an internal app'.
  5. Create the users and user groups to be used for authentication.

User:
Go to Directory -> People, add a Person, enter the details, and Save.

Group:
Go to Directory -> Groups, add a Group, give it a name, and Save.

Open the newly created group and assign people to it.

  6. Assign the user group to the application:
Go to Applications, open the created application -> Assignments -> Assign -> Assign to Groups.

  7. Obtain the SAML setup instructions from Okta to be used in the FortiGate configuration:
Go to Applications, open the created application -> Sign On, and select 'View SAML setup instructions'.

Note down the Identity Provider Single Sign-On URL, Identity Provider Single Logout URL, and Identity Provider Issuer values, and download the Okta certificate, as it will be uploaded to the FortiGate.

Step 3: SAML configuration on FortiGate:

  1. Upload the Okta certificate to the FortiGate:
  • In FortiOS, go to System -> Certificates.
  • From the Create/Import dropdown list, select Remote Certificate.
  • Select Upload and upload the downloaded Okta certificate.

  2. Configure the FortiGate as the SAML SP:

config user saml
    edit "SAML-Dialup-IPsec"
        set entity-id "http://172.17.97.169:2002/remote/saml/metadata/"
        set single-sign-on-url "https://172.17.97.169:2002/remote/saml/login"  <----- The port must match auth-ike-saml-port from Step 1.
        set single-logout-url "https://172.17.97.169:2002/remote/saml/logout"
        set idp-entity-id "http://www.okta.com/xxxxxxxxxx"
        set idp-single-sign-on-url "https://trial-xxxx.okta.com/app/trial-xxxxx_fgtdialupipsec_1/xxxxxx/sso/saml"
        set idp-single-logout-url "https://trial-xxxxx.okta.com"
        set idp-cert "Okta_certificate"
        set user-name "username"  <----- Must be the same as configured in Step 2 -> Configure the SAML Settings.
        set group-name "group"  <----- Must be the same as configured in Step 2 -> Configure the SAML Settings.
        set digest-method sha1
    next
end

Make sure the SP and IdP URLs match on both the FortiGate and Okta portals.

  3. Configure the user group on the FortiGate. The group attribute value received from Okta must be matched locally against the group-name value:

config user group
    edit "OKTA-SAML-IPsec"
        set member "SAML-Dialup-IPsec"
        config match
            edit 1
                set server-name "SAML-Dialup-IPsec"
                set group-name "Lab--Dialup-IPsec"  <----- This must exactly match the group name on Okta.
            next
        end
    next
end

  4. Create the dialup IPsec VPN IKEv2 tunnel. Ensure that 'set eap enable' and 'set eap-identity send-request' are configured:

config vpn ipsec phase1-interface
    edit "SAML-IPsec"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 8.8.8.8
        set ipv4-dns-server2 1.1.1.1
        set proposal aes256-sha256
        set dpd on-idle
        set dhgrp 5
        set eap enable  <----- Must be enabled.
        set eap-identity send-request  <----- Must be enabled.
        set authusrgrp "OKTA-SAML-IPsec"  <----- Select the user group created above.
        set assign-ip-from name
        set ipv4-split-include "10.0.0.201"  <----- Configure the address group/object according to the internal network.
        set ipv4-name "Test-Dialup_range"  <----- Configure the IP range to assign to the dialup clients.
        set save-password enable
        set client-auto-negotiate enable
        set client-keep-alive enable
        set psksecret ENC xyaghjbjhfghr485885
        set dpd-retryinterval 60
    next
end

config vpn ipsec phase2-interface
    edit "SAML-IPsec"
        set phase1name "SAML-IPsec"
        set proposal aes256-sha256
        set dhgrp 5
    next
end

  5. Configure the firewall policy with the user group as required:

config firewall policy
    edit 54
        set name "SAML-IPSEC"
        set uuid dc0e83ea-1483-51ef-8b0d-7a401c211b21
        set srcintf "SAML-IPsec"
        set dstintf "internal2"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
end

  6. Configure the IKE SAML server on the FortiOS interface used for the VPN connection:

config system interface
    edit "wan1"
        set ike-saml-server "SAML-Dialup-IPsec"
    next
end
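A consistency check for the FortiGate-side configuration from Steps 1 to 3, added here as an example that is not the article's or Fortinet's code: it parses the 'config system global', 'config user saml' and 'config user group' blocks from a CLI export and compares them with the values noted down from Okta. The FGT and OKTA values are constructed from this article's placeholders; the Okta attribute statement names ('username', 'group') and group name ('Lab--Dialup-IPsec') are assumed to be the ones used on this page.

```python
import re
# Added example, not Fortinet's code: all values below are constructed from the article's placeholders.
FGT = '''config system global
    set auth-ike-saml-port 2002
end
config user saml
    edit "SAML-Dialup-IPsec"
        set entity-id "http://172.17.97.169:2002/remote/saml/metadata/"
        set single-sign-on-url "https://172.17.97.169:2002/remote/saml/login"
        set idp-entity-id "http://www.okta.com/xxxxxxxxxx"
        set idp-single-sign-on-url "https://trial-xxxx.okta.com/app/xxxxxx/sso/saml"
        set user-name "username"
        set group-name "group"
    next
end
config user group
    edit "OKTA-SAML-IPsec"
        set member "SAML-Dialup-IPsec"
        config match
            edit 1
                set server-name "SAML-Dialup-IPsec"
                set group-name "Lab--Dialup-IPsec"
            next
        end
    next
end
'''
# Okta side, keyed by the FortiOS setting each value must equal (noted from "View SAML setup instructions"
# and from the app's SAML Settings in Step 2).
OKTA = {"idp-entity-id": "http://www.okta.com/xxxxxxxxxx",                        # Identity Provider Issuer
        "idp-single-sign-on-url": "https://trial-xxxx.okta.com/app/xxxxxx/sso/saml",  # IdP Single Sign-On URL
        "single-sign-on-url": "https://172.17.97.169:2002/remote/saml/login",         # app "Single sign-on URL"
        "entity-id": "http://172.17.97.169:2002/remote/saml/metadata/"}               # app "Audience URI"
OKTA_ATTRIBUTES, OKTA_GROUPS = {"username", "group"}, {"Lab--Dialup-IPsec"}  # attribute statements, group name
def parse(text, name):
    # Flatten the top-level 'config <name> ... end' block into {setting: value}; nested 'end's are indented.
    m = re.search(rf"^config {name}\n(.*?)^end", text, re.S | re.M)
    return dict(re.findall(r'^\s*set (\S+) "?([^"\n]*?)"?\s*$', m.group(1), re.M)) if m else {}
def check(fgt=FGT, okta=OKTA, attributes=OKTA_ATTRIBUTES, groups=OKTA_GROUPS):
    # Return the mismatches that would make the IKE SAML login fail; an empty list means consistent.
    port = parse(fgt, "system global").get("auth-ike-saml-port")
    sp, grp = parse(fgt, "user saml"), parse(fgt, "user group")
    f = [f"{k} is not on auth-ike-saml-port {port}" for k in ("entity-id", "single-sign-on-url")
         if f":{port}/" not in sp.get(k, "")]
    f += [f"{k} differs from the Okta value" for k, v in okta.items() if sp.get(k) != v]
    f += [f"{k} {sp.get(k)!r} is not an Okta attribute statement name"
          for k in ("user-name", "group-name") if sp.get(k) not in attributes]
    if grp.get("group-name") not in groups:
        f.append(f"match group-name {grp.get('group-name')!r} does not exactly match an Okta group")
    return f
```

Run check() against a 'show full-configuration' export and the values copied from the Okta app; each finding names the FortiOS setting that has to be corrected.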

 

 

Step 4: Configure the new dialup IPsec IKEv2 tunnel on FortiClient:

1. Make sure the SSO port is set to the value configured in Step 1.
2. Make sure 'Authentication (EAP)' is enabled; without it, the authentication may fail.
3. Configure the Phase 1 and Phase 2 settings as required.

Step 5: Connect to the VPN to test the connection.

To troubleshoot, collect the following debug output on the FortiGate and analyze it:

diagnose debug reset
diagnose debug application samld -1
diagnose debug console timestamp enable
diagnose debug application ike -1
diagnose debug application fnbamd -1
diagnose debug enable