FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
auppal
Staff
Article Id 317244
Description

 

This article describes how to configure a dial-up IPsec IKEv2 tunnel on FortiGate with Okta as the SAML IdP.

 

Scope

 

FortiGate v7.2.0 or later, v7.4.0 or later, OKTA, FortiClient v7.2.4 or later, FortiClient EMS.

 

Topology:

 

topo.png

 

Solution

 

Step 1: Define a user IKE SAML authentication port:

 

config system global

    set auth-ike-saml-port 2002

end

 

Step 2: Configure SAML authentication on OKTA:

  1. Go to Applications -> Applications, create an App Integration, and select SAML 2.0.


2.png

 

  2. Provide the App Name as required and select 'Next'.

 

3.png

 

  3. Configure SAML Settings. Make sure the URLs used below match the configuration done on the FortiGate in later steps.

 

4.png

 

5.png

 

  4. On the Feedback step, select 'I'm an Okta customer adding an internal app'.

 

6.png

 

  5. Create Users and User groups to be used for authentication.

 

User:

Go to Directory -> People, add a Person, enter Details, and Save.

 

7.png

 

8.png

 

Group:
Go to Directory -> Groups, add a Group, give a name, and save.

 

9.png

 

group-name.png

 

Open the newly created group and assign people.

 

10.png

 

 

  6. Assign the user group to the application: Go to Applications, open the created application -> Assignments -> Assign -> Assign to Groups.

 

11.png

 

  7. Obtain the SAML setup instructions from Okta to be used in the FortiGate configuration: Go to Applications, open the created application, select Sign On, and view the SAML setup instructions.

 

12.png

 

Note down the Identity Provider Single Sign-On URL, Identity Provider Single Logout URL, and Identity Provider Issuer values, and download the Okta certificate, as it will be uploaded on the FortiGate.

 

Step 3: SAML Configuration on FortiGate:

 

Note:

IPsec and SSL VPN can't share the SAML configuration, so please create a new SAML SP for IPsec.

 

  1. Upload the OKTA certificate on the FortiGate:
  • In FortiOS, go to System -> Certificates.
  • From the Create/Import dropdown list, select Remote Certificate.
  • Select Upload and upload the downloaded Okta certificate.

 

  2. Configure the FortiGate as SAML SP:

 

config user saml
    edit "SAML-Dialup-IPsec"
        set entity-id "http://172.17.97.169:2002/remote/saml/metadata/"
        set single-sign-on-url "https://172.17.97.169:2002/remote/saml/login"
        set single-logout-url "https://172.17.97.169:2002/remote/saml/logout"
        set idp-entity-id "http://www.okta.com/xxxxxxxxxx"
        set idp-single-sign-on-url "https://trial-xxxx.okta.com/app/trial-xxxxx_fgtdialupipsec_1/xxxxxx/sso/saml"
        set idp-single-logout-url "https://trial-xxxxx.okta.com"
        set idp-cert "Okta_certificate"
        set user-name "username"  <----- Must be the same attribute name as configured in Step 2 -> Configure SAML Settings.
        set group-name "group"  <----- Must be the same attribute name as configured in Step 2 -> Configure SAML Settings.
        set digest-method sha1
    next
end

 

Make sure the SP and IdP URLs match on both the FortiGate and Okta portals.

 

  3. Configure the user group on the FortiGate: the group attribute value received from Okta must match the group-name value configured locally.

 

config user group
    edit "OKTA-SAML-IPsec"
        set member "SAML-Dialup-IPsec"
        config match
            edit 1
                set server-name "SAML-Dialup-IPsec"
                set group-name "Lab--Dialup-IPsec"  <----- This must exactly match the group name on Okta.
            next
        end
    next
end
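When the tunnel authenticates but the user lands in no group, the usual cause is a mismatch between the attribute names in the Okta SAML settings and `set user-name` / `set group-name`, or between the group value Okta sends and the `config match` group-name above. The following script is an added example (not Fortinet's or Okta's code) that parses a SAML assertion captured from a browser SAML tracer and reports exactly those mismatches. It does not verify the assertion signature (the FortiGate does that with `idp-cert`); the sample assertion and the issuer value are constructed placeholders, and the expected attribute names and group value are taken from the configuration in this article.

```python
"""Check a SAML assertion against the attribute names and group value the FortiGate SP expects.

Added example, not Fortinet's or Okta's code. Signature verification is deliberately
out of scope; this is a troubleshooting aid, not an authentication decision.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Values taken from the article's FortiGate configuration:
#   config user saml  -> set user-name "username" / set group-name "group"
#   config user group -> config match -> set group-name "Lab--Dialup-IPsec"
# EXPECTED_ISSUER is a placeholder: use the Identity Provider Issuer shown in the
# Okta SAML setup instructions (the value configured as idp-entity-id).
EXPECTED_USER_ATTR = "username"
EXPECTED_GROUP_ATTR = "group"
EXPECTED_GROUP_VALUE = "Lab--Dialup-IPsec"
EXPECTED_ISSUER = "http://www.okta.com/EXAMPLE-ISSUER-PLACEHOLDER"

# Constructed sample: an unsigned assertion in the shape Okta emits for a SAML 2.0
# app with two attribute statements. Not a real capture.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="id-constructed-sample" Version="2.0">
  <saml:Issuer>http://www.okta.com/EXAMPLE-ISSUER-PLACEHOLDER</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="username">
      <saml:AttributeValue>alice@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="group">
      <saml:AttributeValue>Everyone</saml:AttributeValue>
      <saml:AttributeValue>Lab--Dialup-IPsec</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} from every AttributeStatement in the assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def check_assertion(assertion_xml, user_attr=EXPECTED_USER_ATTR, group_attr=EXPECTED_GROUP_ATTR,
                    group_value=EXPECTED_GROUP_VALUE, issuer=EXPECTED_ISSUER):
    """Return a list of mismatches; an empty list means the FortiGate would find what it needs."""
    problems = []
    root = ET.fromstring(assertion_xml)
    got_issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    if got_issuer != issuer:
        problems.append(f"Issuer {got_issuer!r} does not equal idp-entity-id {issuer!r}")
    attrs = extract_attributes(assertion_xml)
    # Attribute names are compared exactly, as the FortiGate does.
    if not attrs.get(user_attr):
        problems.append(f"user-name attribute {user_attr!r} missing or empty; "
                        "'set user-name' must equal the Okta attribute name")
    if group_attr not in attrs:
        problems.append(f"group-name attribute {group_attr!r} missing; "
                        "'set group-name' must equal the Okta group attribute statement name")
    elif group_value not in attrs[group_attr]:
        problems.append(f"group values {attrs[group_attr]} do not contain {group_value!r}; "
                        "the 'config match' group-name will not match")
    return problems


if __name__ == "__main__":
    for line in check_assertion(SAMPLE_ASSERTION) or ["assertion matches the FortiGate configuration"]:
        print(line)
```

Run it against the assertion pasted from the tracer; each reported line names the FortiGate setting (`idp-entity-id`, `user-name`, `group-name`, or the `config match` group-name) that needs to be reconciled with Okta.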

 

  4. Create a dial-up IPsec VPN IKEv2 tunnel. Ensure that 'set eap enable' and 'set eap-identity send-request' are configured:

 

config vpn ipsec phase1-interface
    edit "SAML-IPsec"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 8.8.8.8
        set ipv4-dns-server2 1.1.1.1
        set proposal aes256-sha256
        set dpd on-idle
        set dhgrp 5
        set eap enable <-
        set eap-identity send-request  <-
        set authusrgrp "OKTA-SAML-IPsec" <----- Select the user group created above.
        set assign-ip-from name
        set ipv4-split-include "10.0.0.201" <----- Configure the address group/object according to the internal network.
        set ipv4-name "Test-Dialup_range" <----- Configure the IP range to give to the dial-up clients.
        set save-password enable
        set client-auto-negotiate enable
        set client-keep-alive enable
        set psksecret ENC xyaghjbjhfghr485885
        set dpd-retryinterval 60
    next
end

config vpn ipsec phase2-interface
    edit "SAML-IPsec"
        set phase1name "SAML-IPsec"
        set proposal aes256-sha256
        set dhgrp 5
    next
end

 

Note:

If required, instead of applying the user group in the VPN settings 'set authusrgrp', it is also possible to apply it to a firewall policy.

 

To unset the group from the IPsec VPN settings:

 

config vpn ipsec phase1-interface
    edit SAML-IPsec
        unset authusrgrp
    next
end

 

  5. Configure the firewall policy as required:

 

config firewall policy
    edit 54
        set name "SAML-IPSEC"
        set uuid dc0e83ea-1483-51ef-8b0d-7a401c211b21
        set srcintf "SAML-IPsec"
        set dstintf "internal2"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set groups "OKTA-SAML-IPsec" <----- Set the user group here only if the group is not defined in the VPN settings.
    next
end

 

  6. Configure the IKE SAML server on the FortiOS interface used for the VPN connection:

    config system interface

        edit "wan1"

            set ike-saml-server "SAML-Dialup-IPsec"

        next

    end

     

  7. Configure the remote authentication timeout value as needed:

    config system global
        set remoteauthtimeout 120
    end

 

  8. Configure the VPN certificate under user settings:

 

config user setting
    set auth-cert "Fortinet_Factory"
end
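Steps 1 and 3 spread the same values across several configuration objects: the IKE SAML port must appear in every SP URL, the user group must reference the SAML server, the phase1 must reference the user group with EAP enabled, and the interface must carry `ike-saml-server`. The following script is an added example (not Fortinet's code) that parses FortiOS CLI text into nested dictionaries and checks those cross-references before the tunnel is tested. The embedded configuration is constructed from the blocks in this article (with the `config` headers the article omits); the parser handles only the `config`/`edit`/`set`/`unset`/`next`/`end` grammar shown on this page, and the sha1 warning reflects the general weakness of SHA-1 digests, not a Fortinet recommendation.

```python
"""Cross-reference checks for a FortiGate dial-up IPsec + SAML configuration.

Added example, not Fortinet's code. Parses the CLI grammar used on this page
(config / edit / set / unset / next / end) and checks Step 1 and Step 3 objects
against each other.
"""
import shlex
from urllib.parse import urlparse

# Constructed sample assembled from the article's configuration blocks; the
# 'config' headers omitted in the article are added here.
SAMPLE_CONFIG = """
config system global
    set auth-ike-saml-port 2002
end
config user saml
    edit "SAML-Dialup-IPsec"
        set entity-id "http://172.17.97.169:2002/remote/saml/metadata/"
        set single-sign-on-url "https://172.17.97.169:2002/remote/saml/login"
        set single-logout-url "https://172.17.97.169:2002/remote/saml/logout"
        set idp-entity-id "http://www.okta.com/xxxxxxxxxx"
        set idp-cert "Okta_certificate"
        set user-name "username"
        set group-name "group"
        set digest-method sha1
    next
end
config user group
    edit "OKTA-SAML-IPsec"
        set member "SAML-Dialup-IPsec"
        config match
            edit 1
                set server-name "SAML-Dialup-IPsec"
                set group-name "Lab--Dialup-IPsec"
            next
        end
    next
end
config vpn ipsec phase1-interface
    edit "SAML-IPsec"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set eap enable <-
        set eap-identity send-request  <-
        set authusrgrp "OKTA-SAML-IPsec"
    next
end
config system interface
    edit "wan1"
        set ike-saml-server "SAML-Dialup-IPsec"
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS CLI into nested dicts; 'set' values are stored as token lists."""
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.split("<-", 1)[0].strip()  # drop '<----- note' annotations
        if not line:
            continue
        cmd, *args = shlex.split(line)
        if cmd in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]
        elif cmd == "unset":
            stack[-1].pop(args[0], None)
        elif cmd in ("next", "end"):
            stack.pop()
    return root


def first(node, key, default=None):
    vals = node.get(key)
    return vals[0] if vals else default


def check_config(cfg):
    """Return a list of findings; empty means the Step 1 / Step 3 objects agree."""
    findings = []
    port = first(cfg.get("system global", {}), "auth-ike-saml-port")
    saml_sps = cfg.get("user saml", {})
    groups = cfg.get("user group", {})
    for sp_name, sp in saml_sps.items():
        # Every SP URL must carry the IKE SAML port from Step 1.
        for key in ("entity-id", "single-sign-on-url", "single-logout-url"):
            if str(urlparse(first(sp, key, "")).port) != str(port):
                findings.append(f"{sp_name}: {key} port differs from auth-ike-saml-port {port}")
        if first(sp, "digest-method") == "sha1":
            findings.append(f"{sp_name}: digest-method sha1 is a weak digest; prefer sha256 where the IdP supports it")
    for g_name, g in groups.items():
        for idx, m in g.get("match", {}).items():
            if first(m, "server-name") not in saml_sps:
                findings.append(f"{g_name}: match {idx} references an unknown server-name")
    for p1_name, p1 in cfg.get("vpn ipsec phase1-interface", {}).items():
        if first(p1, "ike-version") != "2":
            findings.append(f"{p1_name}: ike-version must be 2")
        if first(p1, "eap") != "enable":
            findings.append(f"{p1_name}: 'set eap enable' is required for SAML/EAP authentication")
        if first(p1, "eap-identity") != "send-request":
            findings.append(f"{p1_name}: 'set eap-identity send-request' is required")
        grp = first(p1, "authusrgrp")
        if grp is not None and grp not in groups:
            findings.append(f"{p1_name}: authusrgrp {grp!r} is not a configured user group")
        iface = cfg.get("system interface", {}).get(first(p1, "interface", ""), {})
        if first(iface, "ike-saml-server") not in saml_sps:
            findings.append(f"{p1_name}: interface has no ike-saml-server pointing at a configured SAML SP")
    return findings


if __name__ == "__main__":
    for line in check_config(parse_fortios(SAMPLE_CONFIG)) or ["configuration is consistent"]:
        print(line)
```

On the article's values the only finding is the sha1 digest warning; changing the port in Step 1 without updating the SP URLs, or disabling EAP on the phase1, produces a specific finding naming the object to fix.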

Step 4: Configure a new Dialup IPsec IKEv2 tunnel on FortiClient:

1. Make sure to configure the SSO port accurately as configured in Step 1:

 

13.png

 

2. Make sure Authentication (EAP) is enabled; without it, the authentication may fail.

3. Configure the Phase1 and Phase2 configuration as required.

 

Step 5: Connect to the VPN to test the connection.

 

To troubleshoot, collect the following debug output on the FortiGate and analyze it:

 

diagnose debug reset
diagnose debug application samld -1
diagnose debug console timestamp enable
diagnose debug application ike -1
diagnose debug application eap_proxy -1
diagnose debug application fnbamd -1
diagnose debug enable

 

To stop the debug processes at the end, press 'Ctrl+C' and enter 'diagnose debug disable'.

Note:

Dial-up IPsec with SAML using an external browser for authentication is supported starting from v7.6.1, FortiClient v7.2.5 and v7.4.1 for Mac and Windows, and FortiClient v7.4.3 for Linux.