Description
This article describes how to configure Dialup IPsec IKEv2 tunnel on FortiGate with OKTA as SAML IdP.
Scope
FortiGate v7.2.0 or later, v7.4.0 or later, OKTA, FortiClient v7.2.4 or later, FortiClient EMS.
Topology:
Solution
Step 1: Define a user IKE SAML authentication port:
config system global
set auth-ike-saml-port 2002
end
Step 2: Configure SAML authentication on OKTA:
- Go to Applications -> Applications, create App Integration, and Select SAML 2.0.
- Provide the App Name as required and select 'Next'.
- Configure SAML Settings. Make sure the URLs used below match the configuration done on the FortiGate in later steps.
- On the Feedback step, select 'I'm an Okta customer adding an internal app'.
- Create Users and User groups to be used for authentication.
User:
Go to Directory -> People, add a Person, enter Details, and Save.
Group:
Go to Directory -> Groups, add a Group, give a name, and save.
Open the newly created group and assign people.
- Assign the user group to the application: Go to Applications, open 'Created Application' -> Assignments -> Assign -> Assign to Groups.
- Obtain SAML setup Instructions from Okta to be used in the FortiGate configuration: Go to Applications, open Created Application, sign on, and view SAML setup Instructions.
Note down the Identity Provider Single Sign-On URL, Identity Provider Single Logout URL, and Identity Provider Issuer values and download the Okta certificate, as that will be uploaded on the FortiGate.
Step 3: SAML Configuration on FortiGate:
Note:
IPsec and SSL VPN can't share the SAML configuration, so please create a new SAML SP for IPsec.
- Upload the OKTA certificate on the FortiGate:
- In FortiOS, go to System -> Certificates.
- From the Create/Import dropdown list, select Remote Certificate.
- Select Upload and upload the downloaded Okta certificate.
- Configure the FortiGate as SAML SP:
edit "SAML-Dialup-IPsec"
set entity-id "http://172.17.97.169:2002/remote/saml/metadata/"
set single-sign-on-url "https://172.17.97.169:2002/remote/saml/login"
set single-logout-url "https://172.17.97.169:2002/remote/saml/logout"
set idp-entity-id "http://www.okta.com/xxxxxxxxxx"
set idp-single-sign-on-url "https://trial-xxxx.okta.com/app/trial-xxxxx_fgtdialupipsec_1/xxxxxx/sso/saml"
set idp-single-logout-url "https://trial-xxxxx.okta.com"
set idp-cert "Okta_certificate"
set user-name "username" <----- Should be same as configured in Step 2 -> Configure SAML setting.
set group-name "group" <----- Should be same as configured in Step 2 -> Configure SAML setting.
set digest-method sha1
next
end
Make sure the SP and IdP URL matches on both the FortiGate and OKTA portals.
- Configure User Group on the FortiGate: The group attribute value received must be locally matched with the group-name value.
edit "OKTA-SAML-IPsec"
set member "SAML-Dialup-IPsec"
config match
edit 1
set server-name "SAML-Dialup-IPsec"
set group-name "Lab--Dialup-IPsec" <----- This should exactly match the group name on OKTA.
next
end
next
end
- Create a dial-up IPsec VPN IKEv2 tunnel: Ensure that set eap enable and eap-identity send-request are correctly enabled:
config vpn ipsec phase1-interface
edit "SAML-IPsec"
set type dynamic
set interface "wan1"
set ike-version 2
set peertype any
set net-device disable
set mode-cfg enable
set ipv4-dns-server1 8.8.8.8
set ipv4-dns-server2 1.1.1.1
set proposal aes256-sha256
set dpd on-idle
set dhgrp 5
set eap enable <-
set eap-identity send-request <-
set authusrgrp "OKTA-SAML-IPsec" <----- Select the user group created above
set assign-ip-from name
set ipv4-split-include "10.0.0.201" <----- Configure the address group/object according to the internal network.
set ipv4-name "Test-Dialup_range"<----- Configure the IP range to give to the Dialup Clients.
set save-password enable
set client-auto-negotiate enable
set client-keep-alive enable
set psksecret ENC xyaghjbjhfghr485885
set dpd-retryinterval 60
next
end
config vpn ipsec phase2-interface
edit "SAML-IPsec"
set phase1name "SAML-IPsec"
set proposal aes256-sha256
set dhgrp 5
next
end
Note:
If required, instead of applying the user group in the VPN settings 'set authusrgrp', it is also possible to apply it to a firewall policy.
To unset the group from the IPsec VPN settings:
config vpn ipsec phase1-interface
edit SAML-IPsec
unset authusrgrp
end
- Configure the firewall policy as required:
config firewall policy
edit 54
set name "SAML-IPSEC"
set uuid dc0e83ea-1483-51ef-8b0d-7a401c211b21
set srcintf "SAML-IPsec"
set dstintf "internal2"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set groups "OKTA-SAML-IPsec" <----- Set the user group only if the group is not defined in the VPN settings.
next
end
- Configure the IKE SAML server for the FortiOS interface used for the VPN connection:
config system interfaceedit "wan1"
set ike-saml-server "SAML-Dialup-IPsec"
next
end
- Configure the remote authentication timeout value as needed:
config system global
set remoteauthtimeout 120
end
- Configure the VPN certificate under user settings:
config user setting
set auth-cert "Fortinet_Factory"
end
Step 4: Configure a new Dialup IPsec IKEv2 tunnel on FortiClient:
1. Make sure to configure the SSO port accurately as configured in Step 1:
2. Make sure Authentication (EAP) is set because without that the authentication may fail.
3. Configure the Phase1 and Phase2 configuration as required.
Step 5: Connect to the VPN to test the connection.
To troubleshoot, collect the below debugs on FortiGate and analyze them:
diagnose debug reset
diagnose debug application samld -1
diagnose debug console timestamp enable
diagnose debug application ike -1
diagnose debug application eap_proxy -1
diagnose debug application fnbamd -1
diagnose debug enable
To stop the debug processes in the end, press 'Ctrl+C' and enter 'diagnose debug disable'.
Note:
Dial-up IPsec with SAML using an external browser for authentication is supported starting from v7.6.1, FortiClient v7.2.5 and v7.4.1 for Mac and Windows, and FortiClient v7.4.3 for Linux.
