|
SSL VPN tunnel mode is not supported in v7.6.3 and later. If this is in use, it is strongly recommended to migrate to another remote VPN method, such as dial-up IPsec, before upgrading.
Refer to SSL VPN to IPsec VPN Migration for general migration considerations and SAML-based authentication for FortiClient remote access dialup IPsec VPN clients, for configuration example.
Note:
- While the migration documentation assumes use of the IPsec Wizard, this article uses CLI to make the required settings clear and minimize required FortiClient configuration.
Assumptions:
- SSL VPN tunnel mode using SAML authentication was already correctly configured and in use on the same firewall/VDOM.
- No changes to SSL VPN configuration or function are permitted during IPsec remote access testing.
If one or both of these assumptions do not apply:
Treat the migration as a new VPN deployment and consider re-using previously configured SAML connector and firewall user groups for IPsec remote access VPN. Take a backup of the current configuration and refer to the SAML-based authentication for FortiClient remote access dialup IPsec VPN clients.
If no previous SAML connector exists, additional troubleshooting may be required to correct common SAML connector misconfigurations. See Troubleshooting Tip: Companion for troubleshooting SSL VPN with SAML Authentication.
SSL VPN to IPsec migration:
- If the firewall was upgraded to v7.6.3 or later and users lost remote VPN access after the upgrade, consider booting to the previous firmware and configuration following Technical Tip: Selecting an alternate firmware for the next reboot to restore access before migration.
- To simplify recovery in case of a misconfiguration, take a backup of the current configuration, see Configuration backups and reset.
- Configure the migrated SAML service in FortiOS.
Existing SSL VPN configuration:
config user saml
edit "SSL VPN SAML"
set entity-id "http://vpn.fgt-a.example.com:10443/remote/saml/metadata/"
set single-sign-on-url "https://vpn.fgt-a.example.com:10443/remote/saml/login"
set single-logout-url "https://vpn.fgt-a.example.com:10443/remote/saml/logout"
set idp-entity-id "https://sts.windows.net/xxxxx-xxxxx-xxxxx-xxxxx-xxxxx/"
set idp-single-sign-on-url "https://login.microsoftonline.com/xxxxx-xxxxx-xxxxx-xxxxx-xxxxx/saml2"
set idp-single-logout-url "https://login.microsoftonline.com/xxxxx-xxxxx-xxxxx-xxxxx-xxxxx/saml2"
set idp-cert "Entra IDP 1"
set user-name "username"
set group-name "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
set digest-method sha1
next
end
config vpn ssl settings
set servercert "fgt-a.example.com"
set source-interface "wan1"
set port 10443
end
Migrated IPsec configuration:
Configure a second SAML connector, updating the port number to the one that will be used by the IPsec SAML SP.
config user saml
edit "IPsec VPN SAML"
set entity-id "http://vpn.fgt-a.example.com:11443/remote/saml/metadata/"
set single-sign-on-url "https://vpn.fgt-a.example.com:11443/remote/saml/login"
set single-logout-url "https://vpn.fgt-a.example.com:11443/remote/saml/logout"
set idp-entity-id "https://sts.windows.net/xxxxx-xxxxx-xxxxx-xxxxx-xxxxx/"
set idp-single-sign-on-url "https://login.microsoftonline.com/xxxxx-xxxxx-xxxxx-xxxxx-xxxxx/saml2"
set idp-single-logout-url "https://login.microsoftonline.com/xxxxx-xxxxx-xxxxx-xxxxx-xxxxx/saml2"
set idp-cert "Entra IDP 1" <----- Bolded IDP settings are placeholders and will be updated in Step 5.
set user-name "username"
set group-name "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
set digest-method sha1
next
end
Configure a certificate to be used by the IKE SAML SP. In most cases, the existing SSL VPN certificate can be used. Note that the 'auth-cert' setting is shared between the FortiGate captive portal and the IKE SAML SP.
config user setting
set auth-cert "fgt-a.example.com"
end
Define a SAML port for IKE and apply the second SAML connector to the interface that will host the IPsec VPN. IKE with SAML authentication does not support multiple SAML servers on the same external interface.
config system global
set auth-ike-saml-port 11443
end
config system interface
edit "wan1"
set ike-saml-server "IPsec VPN SAML"
next
end
Note:
- IDP configuration applied to the migrated SAML service is a placeholder and will be updated in step 5.
- If SSL VPN will remain in use during testing, the auth-ike-saml-port should be different from both the FortiOS GUI admin-sport (default 443) and SSL VPN port (default 10443).
- If the services are hosted on the same domain and IP address, the local SSL certificate used by the FortiGate as SAML SP for IPsec authentication may be the same as the one used for SSL VPN.
- Configure a new SSO custom application on the remote IDP.
This is done on the IDP. The exact configuration required varies depending on the provider, but in most cases, the existing SSO application can be used as a template, only changing the following:
- Service provider entity ID.
- Service provider assertion consumer service URL.
- Service provider single logout URL.
See Configuring Microsoft Entra ID as SAML IdP and FortiGate as SAML SP for an example which uses Entra ID as the SAML IdP.
- Import the new IdP certificate to FortiGate as a remote certificate and update the migrated SAML connector configuration. This step may not be necessary for all IDP's. For example, most migrations using Entra as an IDP would reuse the same Entra tenant, so the IDP entity information would be the same.
IPsec configuration:
Update the placeholder settings to match the new certificate and other settings given in Step 4.
config user saml
edit "IPsec VPN SAML"
set idp-entity-id "https://sts.windows.net/yyyyy-yyyyy-yyyyy-yyyyy-yyyyy/"
set idp-single-sign-on-url "https://login.microsoftonline.com/yyyyy-yyyyy-yyyyy-yyyyy-yyyyy/saml2"
set idp-single-logout-url "https://login.microsoftonline.com/yyyyy-yyyyy-yyyyy-yyyyy-yyyyy/saml2"
set idp-cert "Entra IDP 2"
next
end
- Configure IPsec phase1-interface and phase2-interface in the CLI.
IPsec configuration:
config vpn ipsec phase1-interface
edit "IPsec RA - SAML"
set type dynamic
set interface "wan1"
set ike-version 2
set peertype any
set net-device disable
set proposal aes256-sha256
set dpd on-idle
set dhgrp 20
set psksecret <cleartext preshared key>
set eap enable
set eap-identity send-request
set transport udp
set authusergrp '' <----- authusrgrp should be blank.
next
end
config vpn ipsec phase2-interface
edit "IPsec RA - SAML"
set phase1name "IPsec RA - SAML"
set proposal aes256-sha256
set dhgrp 20
next
end
If the IKEv2 dial-up gateway is already in use on this device for another function, such as ADVPN, the administrator must specify a network-id on FortiGate and FortiClient so FortiGate can assign incoming dial-up requests to the correct IPsec gateway based on the first initiator message. This is similar to the use of Peer ID and Local ID for IKEv1.
config vpn ipsec phase1-interface
edit "IPsec RA - SAML"
set network-overlay enable
set network-id [0-255]
next
end
Network ID is configurable on FortiClient using EMS or by editing the XML configuration. See 'Network ID' in FortiClient 7.4.4 EMS Administration Guide and FortiClient 7.4.4 XML Reference Guide.
- Configure mode-cfg to assign connecting clients a similar network configuration to the existing SSL VPN.
Existing SSL VPN configuration:
config vpn ssl settings
set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
set dns-suffix "internal.example.com"
set dns-server1 10.0.0.11
set dns-server2 10.0.0.12
end
config firewall address
edit "SSLVPN_TUNNEL_ADDR1"
set type iprange
set start-ip 10.212.134.200
set end-ip 10.212.134.210
next
end
Migrated IPsec configuration:
Most SSL VPN network settings have analogues in ipsec phase1-interface configuration.
config vpn ipsec phase1-interface
edit "IPsec RA - SAML"
set mode-cfg enable
set ipv4-dns-server1 10.0.0.11
set ipv4-dns-server2 10.0.0.12
set internal-domain-list "internal.example.com"
set ipv4-start-ip 10.212.134.100
set ipv4-end-ip 10.212.134.199
set ipv4-split-include "Internal Networks"
next
end
Note:
ipv4-split-include should be a firewall address or address group that includes all local networks reachable over the tunnel. Unlike SSL VPN, IPsec does not support dynamic split-tunnel routing based on firewall policy destination.
- Create a migrated user group referencing the new SAML connector.
Existing SSL VPN configuration:
config user group
edit "Previous VPN User Group"
set member "SSL VPN SAML"
config match
edit 1
set server-name "SSL VPN SAML"
set group-name <IDP group identifier>
next
end
next
end
Migrated IPsec configuration:
Configure a second user group and reference the IPsec SAML connector created in Steps 4 and 5. In most cases, the IDP group identifier can be reused.
config user group
edit "Migrated VPN User Group"
set member "IPsec VPN SAML"
config match
edit 1
set server-name "IPsec VPN SAML"
set group-name <IDP group identifier>
next
end
next
end
Note:
If using the same group-name on both the existing and migrated user group, each IdP connector must be configured to return the same set of groups to FortiGate.
- Clone an existing SSL VPN firewall policy and modify the copy with an IPsec tunnel as the source interface and the migrated user group as the source user. Cloning the SSL VPN policy can be done in GUI or CLI, following Technical Tip: How to configure clone policy from the CLI and GUI of the FortiGate.
Edit the new policy to reference the IPsec tunnel and enable the policy.
- Configure FortiClient on a test endpoint to match the new IPsec tunnel. FortiClient configuration is kept as close to default settings as possible to assist in testing.
SAML and Remote Gateway configuration:
Advanced Settings configuration:
If a Peer ID was entered in Step 6, enter the same value as LocalID under FortiClient Phase1 configuration.
Note:
- IKE Version 2 is required for SAML authentication.
- If FortiGate has v7.4 firmware, FortiClient must use the internal browser for SAML authentication. External SAML browser support is added in v7.6.1
- Make sure the user group is added either in the IPsec tunnel phase 1 configuration or in the firewall policy. If added in both, the user will authenticate, but the IPsec tunnel will not connect.
- Test connecting to the IPsec tunnel and troubleshoot if there are any issues.
For troubleshooting authentication issues, see Troubleshooting Tip: Companion for troubleshooting SSL VPN with SAML Authentication and Technical Tip: Troubleshoot IPsec SAML Dial UP tunnel.
For general IPsec VPN troubleshooting, see Troubleshooting Tip: IPsec VPN tunnels.
- Configure any additional requirements for the IPsec tunnel. When ready, users can be migrated to the new tunnel by updating the FortiClient configuration on their endpoint.
- Once all users have been migrated and testing is complete, disable SSL VPN.
get vpn ssl monitor
SSL-VPN Login Users:
|Index|User|Group|Auth Type|Idle-Timeout|Auth-Timeout|From|HTTP in/out|HTTPS in/out|Two-factor Auth|
SSL-VPN sessions:
|Index|User|Group|Source IP|Duration|I/O Bytes|Tunnel/Dest IP| <----- no users are currently connected.
config vpn ssl setting
set status disable
end
Note:
In case of issues persisting, the following troubleshooting commands can be run to gather more information while reproducing the issue.
IPsec-related debugs:
diagnose vpn ike log-filter dst-addr4 <Remote_GW_IP>
diagnose debug application ike -1
diagnose debug console timestamp enable
diagnose debug enable
Starting from FortiOS v7.4.1, the 'diagnose vpn ike log-filter dst-addr4' command has been changed to 'diagnose vpn ike log filter rem-addr4'.
Authentication-related debugs:
diagnose debug app fnbamd -1
diagnose debug app samld -1
diagnose debug console timestamp enable
diagnose debug enable
To disable the debugs:
diagnose debug disable
diagnose debug reset
Related documents:
|
