FortiGate
yderek
Staff
Article Id 341338

 

Description

This article describes how to configure a dial-up IPsec VPN with SAML authentication, using FortiClient as the dial-up client and Microsoft Entra ID as the SAML identity provider.

Scope

FortiGate v7.2 and above; FortiClient v7.2.4 and above.

Solution

SAML-based authentication for dial-up IPsec VPN is available on FortiGate v7.2 and above and requires FortiClient v7.2.4 and above.

 

Configuration on Azure:

On the Azure side, follow the Fortinet document Configuring Microsoft Entra ID as SAML IdP and FortiGate as SAML SP. The SAML details below are the values entered in the Entra enterprise application:

 

Picture1.png

 

Note:

Replace the IP shown above with https://<WAN interface IP>:<port configured in step 1>. This interface must be reachable from the internet on that port, because the browser that FortiClient opens for the SAML login is redirected back to it to deliver the assertion. The related FortiGate-side settings are described in the same document.

 

FortiGate configuration:

  1. Set the custom port used for IKE SAML authentication. This is CLI-only for now:

 

config system global

    set auth-ike-saml-port <0-65535, default = 1001>

end

 

This article uses port 1111; any port that is not already in use on the FortiGate can be chosen:

 

Picture2.png

 

  2. Bind the SAML server to the public-facing interface (the interface whose IP appears in the SAML URLs). The necessary configuration is shown below:

Picture3.png

 

User Group:

 

Picture4.png

 

Single Sign-On in GUI:

 

Picture5.png

 

CLI configuration of Single Sign-On:

 

Picture6.png

 

  3. Configuration of the dial-up VPN:

 

Picture7.png

 

Picture8.png

 

Picture9.png

 

Picture10.png

Output from the CLI:

 

Picture11.png

 

For dial-up IPsec with SAML, the following extra commands must be enabled in the IPsec phase 1 settings:

 

HUB # config vpn ipsec phase1-interface
HUB (phase1-interface) # edit FCT_SAML
HUB (FCT_SAML) # set eap enable
HUB (FCT_SAML) # set eap-identity send-request
HUB (FCT_SAML) # set authusrgrp SAML_Dial    <----- the firewall user group whose member is the SAML server
HUB (FCT_SAML) # end

 

Picture12.png

 

Firewall policy:

 

Picture19.png

 

  • The incoming interface is the dial-up IPsec tunnel interface.
  • The outgoing interface is the LAN interface, or whichever interface hosts the resources the VPN users should reach (for example, the DMZ).
  • The source is the client address range assigned in the dial-up phase 1 settings.
  • NAT is enabled or disabled according to the requirement.

 

Note:

Unlike an SSL VPN firewall policy, this policy must not have a source user group: for dial-up VPN the user is already authenticated when the tunnel is established (via authusrgrp in phase 1). If a user group is added as the source of the policy, the VPN still connects, but traffic through the tunnel may be interrupted, and the flow debug shows the traffic not matching the policy.

 

Configuration on the FortiClient side:

 

Basic settings:

Picture13.png

 

Phase 1: a local ID must be specified; any custom value can be used:

 

Picture14.png

Phase 2:

 

Picture15.png

 

The connection should be established as below after authentication with Microsoft successfully:

 

Picture16.png

 

On the FortiGate side, the command 'diagnose vpn ike gateway list' shows the tunnel together with the remotely authenticated user:

 

Picture17.png
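Verification and debug commands for the tunnel above, as an added example that is not part of the article. The tunnel name FCT_SAML is from the article; the client address 10.10.10.5 used in the flow filter is an assumed address from the dial-up pool.

```fortios
# Added example: checking and debugging a SAML-authenticated dial-up tunnel.
# Tunnel state and the authenticated EAP identity, as in the article's screenshot
diagnose vpn ike gateway list name FCT_SAML
diagnose vpn tunnel list name FCT_SAML

# IKE negotiation: use when FortiClient never opens the browser login
diagnose debug application ike -1
# SAML daemon: use when the browser login completes but the FortiGate rejects the assertion
diagnose debug application samld -1
diagnose debug console timestamp enable
diagnose debug enable
# ... reproduce the connection from FortiClient, then stop the debug:
diagnose debug disable
diagnose debug reset

# Tunnel up but no traffic: confirm the firewall policy match (10.10.10.5 = assumed client IP)
diagnose debug flow filter saddr 10.10.10.5
diagnose debug flow trace start 10
diagnose debug enable
```

Run the IKE and SAML debugs one at a time; together they interleave and make the output hard to read. Always finish with diagnose debug reset so the filters do not stay active.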

 

On the FortiGate GUI, go to Dashboard -> Network and open the IPsec widget; it also shows the connected VPN user:

 

Picture18.png