Created on 12-16-2025 10:29 AM. Edited on 12-18-2025 09:39 PM. By Anthony_E.
| Description | This article describes how to enable SAML authentication for a dial-up IPsec VPN that is configured on a loopback interface on a FortiGate with dual ISP connections. |
| Scope | FortiGate v7.2+ |
| Solution |

There may be a situation where a FortiGate is configured with dual-homed ISP connections and BGP peers, and a dial-up IPsec VPN tunnel with SAML-based authentication must be configured on a loopback interface.

As described in 'SAML-based authentication for FortiClient remote access dialup IPsec VPN clients', enabling SAML-based authentication on the FortiGate requires the 'ike-saml-server' setting to be configured on the interface that is the first point of contact for FortiClient traffic.

In the example below, wan1 and wan2 are the two external interfaces that are the first point of contact for FortiClient traffic, while the dial-up IPsec VPN tunnel is bound to the loopback interface Lo-IPsecVPN.

config system interface
    edit "Lo-IPsecVPN"
    end

To make SAML-based authentication work for dial-up IPsec VPN clients, the 'ike-saml-server' setting must be configured on both external interfaces, wan1 and wan2, as well as on the loopback interface Lo-IPsecVPN, which is where the IP address of the dial-up IPsec VPN tunnel is configured.

config system interface
    edit "Lo-IPsecVPN"
        set ike-saml-server <saml_server>
    next
end

If the 'ike-saml-server' setting shown above is missing on any of these interfaces, the following error message may appear on the FortiClient endpoint while trying to connect.

Note: It is important to follow the KB article 'Technical Tip: Best practice when IPSec VPN is bound to loopback interface' when implementing the loopback interface.
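The following is an added example, not configuration from the original article, that puts the three 'ike-saml-server' settings together with the phase1 binding to the loopback. The SAML server object name "saml-ipsec", the user group "saml-grp", the phase1 name "dialup-saml" and all IP addresses are assumed/constructed values; the SAML server object itself, phase1 proposals and peer authentication (PSK or certificate) are configured separately and are not shown.

```text
# Constructed example: the SAML server object "saml-ipsec" and the
# user group "saml-grp" are assumed to exist already.
config system interface
    edit "Lo-IPsecVPN"
        set vdom "root"
        set type loopback
        set ip 10.255.255.1 255.255.255.255
        set allowaccess ping
        # loopback that the dial-up tunnel terminates on
        set ike-saml-server "saml-ipsec"
    next
    edit "wan1"
        # first ISP-facing interface FortiClient reaches
        set ike-saml-server "saml-ipsec"
    next
    edit "wan2"
        # second ISP-facing interface FortiClient reaches
        set ike-saml-server "saml-ipsec"
    next
end

config vpn ipsec phase1-interface
    edit "dialup-saml"
        set type dynamic
        # tunnel is bound to the loopback, not to wan1/wan2
        set interface "Lo-IPsecVPN"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.254
        set ipv4-netmask 255.255.255.0
        set eap enable
        set eap-identity send-request
        set authusrgrp "saml-grp"
    next
end
```

If a client connects successfully through one ISP but fails through the other, check that 'ike-saml-server' is present on both wan interfaces, not just the one that was tested first.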
Copyright 2025 Fortinet, Inc. All Rights Reserved.