FortiGate
Matt_B
Staff & Editor
Article Id 391192
Description

This article provides some recommended configuration changes for migrating from an existing SSL VPN with SAML authentication to dialup IPsec, where a working IPsec configuration with SAML authentication must be achieved quickly for testing with minimal FortiClient changes.

 

This article does not seek to replicate the function of all possible SSL VPN configurations in IPsec, but to provide a base for migration testing, to which additional configuration can be added if required.

Scope
FortiGate v7.4 and v7.6, FortiClient v7.4.3 and later.
Solution

SSL VPN tunnel mode is not supported in v7.6.3 and later. If this is in use, it is strongly recommended to migrate to another remote VPN method, such as dial-up IPsec, before upgrading.

 

Refer to SSL VPN to IPsec VPN Migration for general migration considerations and to SAML-based authentication for FortiClient remote access dialup IPsec VPN clients for a configuration example.

 

Note: 

  • While the migration documentation assumes use of the IPsec Wizard, this article uses CLI to make the required settings clear and minimize required FortiClient configuration.

 

Assumptions:

  • SSL VPN tunnel mode using SAML authentication was already correctly configured and in use on the same firewall/VDOM.
  • No changes to SSL VPN configuration or function are permitted during IPsec remote access testing.
     

If one or both of these assumptions do not apply:

Treat the migration as a new VPN deployment and consider reusing the previously configured SAML connector and firewall user groups for the IPsec remote access VPN. Take a backup of the current configuration and refer to SAML-based authentication for FortiClient remote access dialup IPsec VPN clients.

If no previous SAML connector exists, additional troubleshooting may be required to correct common SAML connector misconfigurations. See Troubleshooting Tip: Companion for troubleshooting SSL VPN with SAML Authentication.

 

SSL VPN to IPsec migration:

  1. If the firewall was upgraded to v7.6.3 or later and users lost remote VPN access after the upgrade, consider booting to the previous firmware and configuration following Technical Tip: Selecting an alternate firmware for the next reboot to restore access before migration.

  2. To simplify recovery in case of a misconfiguration, take a backup of the current configuration; see Configuration backups and reset.

     

  3. Configure the migrated SAML service in FortiOS.

 

Existing SSL VPN configuration:

 

config user saml

    edit "SSL VPN SAML"

        set entity-id "http://vpn.fgt-a.example.com:10443/remote/saml/metadata/"
        set single-sign-on-url "https://vpn.fgt-a.example.com:10443/remote/saml/login"
        set single-logout-url "https://vpn.fgt-a.example.com:10443/remote/saml/logout"

        set idp-entity-id "https://sts.windows.net/xxxxx-xxxxx-xxxxx-xxxxx-xxxxx/"

        set idp-single-sign-on-url "https://login.microsoftonline.com/xxxxx-xxxxx-xxxxx-xxxxx-xxxxx/saml2"

        set idp-single-logout-url "https://login.microsoftonline.com/xxxxx-xxxxx-xxxxx-xxxxx-xxxxx/saml2"

        set idp-cert "Entra IDP 1"

        set user-name "username"
        set group-name "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

        set digest-method sha1

    next

end

 

config vpn ssl settings

    set servercert "fgt-a.example.com"
    set source-interface "wan1"

    set port 10443

end


Migrated IPsec configuration:
Configure a second SAML connector, updating the port number to the one that will be used by the IPsec SAML SP.

config user saml

    edit "IPsec VPN SAML"

        set entity-id "http://vpn.fgt-a.example.com:11443/remote/saml/metadata/"
        set single-sign-on-url "https://vpn.fgt-a.example.com:11443/remote/saml/login"
        set single-logout-url "https://vpn.fgt-a.example.com:11443/remote/saml/logout"

        set idp-entity-id "https://sts.windows.net/xxxxx-xxxxx-xxxxx-xxxxx-xxxxx/"

        set idp-single-sign-on-url "https://login.microsoftonline.com/xxxxx-xxxxx-xxxxx-xxxxx-xxxxx/saml2"

        set idp-single-logout-url "https://login.microsoftonline.com/xxxxx-xxxxx-xxxxx-xxxxx-xxxxx/saml2"

        set idp-cert "Entra IDP 1"  <----- The idp-entity-id, idp-single-sign-on-url, idp-single-logout-url and idp-cert values are placeholders copied from the SSL VPN connector and will be updated in Step 5.

        set user-name "username"

        set group-name "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

        set digest-method sha1

    next

end


Configure a certificate to be used by the IKE SAML SP. In most cases, the existing SSL VPN certificate can be used. Note that the 'auth-cert' setting is shared between the FortiGate captive portal and the IKE SAML SP.

config user setting

    set auth-cert "fgt-a.example.com"

end

Define a SAML port for IKE and apply the second SAML connector to the interface that will host the IPsec VPN. IKE with SAML authentication does not support multiple SAML servers on the same external interface.

 

config system global

    set auth-ike-saml-port 11443

end

config system interface

    edit "wan1"

        set ike-saml-server "IPsec VPN SAML"

    next

end


Note:

  • The IdP configuration applied to the migrated SAML connector is a placeholder and will be updated in Step 5.
  • If SSL VPN will remain in use during testing, the auth-ike-saml-port must be different from both the FortiOS GUI admin-sport (default 443) and the SSL VPN port (default 10443).
  • If both services are hosted on the same domain name and IP address, the local certificate used by the FortiGate as SAML SP for IPsec authentication can be the same one used for SSL VPN.
  • digest-method must match the signing algorithm of the IdP application the connector points to. The sample keeps sha1 because the existing SSL VPN application uses it; if the application created in Step 4 signs with SHA-256 (the default for a newly created Entra ID application), set digest-method sha256 on the migrated connector, otherwise the assertion signature check fails.
     
  4. Configure a new SSO custom application on the remote IdP.
    The exact configuration required varies by provider, but in most cases the existing SSO application can be used as a template, changing only the following:
  • Service provider entity ID.
  • Service provider assertion consumer service URL.
  • Service provider single logout URL.


See Configuring Microsoft Entra ID as SAML IdP and FortiGate as SAML SP for an example which uses Entra ID as the SAML IdP.
 

  5. Import the new IdP certificate to FortiGate as a remote certificate and update the migrated SAML connector configuration. This step may not be necessary for every IdP. For example, most migrations using Entra ID as the IdP reuse the same Entra tenant, so the IdP entity ID and sign-on/logout URLs stay the same; in that case only idp-cert changes, since each Entra ID application has its own signing certificate.

 

Migrated IPsec configuration:
Update the placeholder IdP settings to match the new IdP certificate and the other values from the application created in Step 4.

 

config user saml

    edit "IPsec VPN SAML"

        set idp-entity-id "https://sts.windows.net/yyyyy-yyyyy-yyyyy-yyyyy-yyyyy/"

        set idp-single-sign-on-url "https://login.microsoftonline.com/yyyyy-yyyyy-yyyyy-yyyyy-yyyyy/saml2"

        set idp-single-logout-url "https://login.microsoftonline.com/yyyyy-yyyyy-yyyyy-yyyyy-yyyyy/saml2"

        set idp-cert "Entra IDP 2"

    next

end
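The SP-side changes in Steps 3 to 5 are mechanical: the three SP URLs differ from the SSL VPN connector only in the port, the IdP settings are carried over as placeholders, and the port must not collide with admin-sport or the SSL VPN port. The following script is an added example (not part of the original article and not Fortinet code) that derives the migrated connector from the SSL VPN connector text shown above, checks the port, renders the FortiOS CLI stanza, and prints the three SP values to enter in the IdP application in Step 4. The host name, ports and connector names are the article's sample values; the function names are the example's own.

```python
"""Derive the IPsec (IKE) SAML connector from the existing SSL VPN connector.

Added example; it is not part of the original article and not Fortinet code.
It operates on FortiOS CLI text in the form shown in the article: the three
SP-side URLs change only in their port (auth-ike-saml-port), the IdP-side
settings are carried over unchanged as placeholders for Step 5, and the port
is checked against the admin GUI and SSL VPN ports. Host name, ports and
connector names are the article's sample values.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# SSL VPN connector as printed in the article (IdP tenant ID redacted there).
SSL_VPN_CONNECTOR = '''
config user saml
    edit "SSL VPN SAML"
        set entity-id "http://vpn.fgt-a.example.com:10443/remote/saml/metadata/"
        set single-sign-on-url "https://vpn.fgt-a.example.com:10443/remote/saml/login"
        set single-logout-url "https://vpn.fgt-a.example.com:10443/remote/saml/logout"
        set idp-entity-id "https://sts.windows.net/xxxxx-xxxxx-xxxxx-xxxxx-xxxxx/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/xxxxx-xxxxx-xxxxx-xxxxx-xxxxx/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/xxxxx-xxxxx-xxxxx-xxxxx-xxxxx/saml2"
        set idp-cert "Entra IDP 1"
        set user-name "username"
        set group-name "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
        set digest-method sha1
    next
end
'''

# SP-side URLs: FortiOS serves these on auth-ike-saml-port for IKE SAML.
SP_URL_KEYS = ("entity-id", "single-sign-on-url", "single-logout-url")


def parse_saml_connector(cli_text: str) -> dict:
    """Collect the 'set <key> <value>' lines of one 'config user saml' entry."""
    settings = {}
    for m in re.finditer(r"^\s*set\s+(\S+)\s+(.+?)\s*$", cli_text, re.M):
        settings[m.group(1)] = m.group(2).strip('"')
    return settings


def with_port(url: str, port: int) -> str:
    """Return url with its port replaced; scheme and path stay untouched."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, f"{p.hostname}:{port}", p.path, p.query, p.fragment))


def derive_ipsec_connector(ssl_cli: str, ike_saml_port: int) -> dict:
    """SSL VPN connector settings rewritten for the IKE SAML SP port.
    IdP settings are copied as-is and must be replaced in Step 5."""
    src = parse_saml_connector(ssl_cli)
    new = dict(src)
    for key in SP_URL_KEYS:
        new[key] = with_port(src[key], ike_saml_port)
    return new


def check_ike_saml_port(ike_saml_port: int, admin_sport: int = 443,
                        ssl_vpn_port: int = 10443) -> list:
    """Port collisions the article warns about; an empty list means OK."""
    problems = []
    if ike_saml_port == admin_sport:
        problems.append("auth-ike-saml-port collides with admin-sport")
    if ike_saml_port == ssl_vpn_port:
        problems.append("auth-ike-saml-port collides with the SSL VPN port")
    return problems


def render_connector(name: str, settings: dict) -> str:
    """Emit the 'config user saml' stanza in FortiOS CLI form."""
    lines = ["config user saml", f'    edit "{name}"']
    for key, value in settings.items():
        # Quote anything that is not a bare option keyword such as sha1.
        value = value if re.fullmatch(r"[A-Za-z0-9_-]+", value) else f'"{value}"'
        lines.append(f"        set {key} {value}")
    lines += ["    next", "end"]
    return "\n".join(lines)


def idp_app_values(settings: dict) -> dict:
    """The SP values to enter in the new IdP application (Step 4)."""
    return {
        "Service provider entity ID": settings["entity-id"],
        "Service provider assertion consumer service URL": settings["single-sign-on-url"],
        "Service provider single logout URL": settings["single-logout-url"],
    }


if __name__ == "__main__":
    port = 11443
    for problem in check_ike_saml_port(port):
        raise SystemExit(problem)
    ipsec = derive_ipsec_connector(SSL_VPN_CONNECTOR, port)
    print(render_connector("IPsec VPN SAML", ipsec))
    for field, value in idp_app_values(ipsec).items():
        print(f"{field}: {value}")
```

Paste the rendered stanza into the CLI before Step 4, then replace the idp-* lines once the new application exists. The port check is deliberately strict: an auth-ike-saml-port equal to the SSL VPN port cannot be applied while SSL VPN is still listening on the same interface.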
 

  6. Configure the IPsec phase1-interface and phase2-interface in the CLI.

IPsec configuration:

config vpn ipsec phase1-interface

    edit "IPsec RA - SAML"

        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dpd on-idle
        set dhgrp 20
        set psksecret <cleartext preshared key>

        set eap enable
        set eap-identity send-request
        set transport udp

        set authusergrp '' <----- authusergrp must be left blank; the user group is applied in the firewall policy instead (Step 9).

    next

end

 

config vpn ipsec phase2-interface

    edit "IPsec RA - SAML"

        set phase1name "IPsec RA - SAML"
        set proposal aes256-sha256
        set dhgrp 20

    next

end


If an IKEv2 dial-up gateway is already in use on this device for another function, such as ADVPN, specify a network-id on both FortiGate and FortiClient so that FortiGate can assign incoming dial-up requests to the correct IPsec gateway based on the first initiator message. This is similar to the use of Peer ID and Local ID with IKEv1.

config vpn ipsec phase1-interface

    edit "IPsec RA - SAML"

        set network-overlay enable
        set network-id [0-255]

    next

end

 

Network ID is configurable on FortiClient using EMS or by editing the XML configuration. See 'Network ID' in FortiClient 7.4.4 EMS Administration Guide and FortiClient 7.4.4 XML Reference Guide.
 

  7. Configure mode-cfg to assign connecting clients a network configuration similar to the existing SSL VPN.

Existing SSL VPN configuration:
     

config vpn ssl settings

    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set dns-suffix "internal.example.com"
    set dns-server1 10.0.0.11
    set dns-server2 10.0.0.12

end

 

config firewall address

    edit "SSLVPN_TUNNEL_ADDR1"

        set type iprange
        set start-ip 10.212.134.200
        set end-ip 10.212.134.210

    next

end

 
Migrated IPsec configuration:
Most SSL VPN network settings have analogues in ipsec phase1-interface configuration.

config vpn ipsec phase1-interface

    edit "IPsec RA - SAML"

        set mode-cfg enable
        set ipv4-dns-server1 10.0.0.11
        set ipv4-dns-server2 10.0.0.12
        set internal-domain-list "internal.example.com"
        set ipv4-start-ip 10.212.134.100
        set ipv4-end-ip 10.212.134.199

        set ipv4-split-include "Internal Networks"

    next

end

 
Note:

ipv4-split-include should be a firewall address or address group that includes all local networks reachable over the tunnel. Unlike SSL VPN, IPsec does not derive split-tunnel routes from firewall policy destinations; the networks must be listed explicitly here.
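The network settings above are the one part of the migration where the SSL VPN and IPsec values should not be identical: while both VPNs run on the same firewall during testing, their client pools must not overlap (overlapping pools give two clients the same address and produce conflicting return routes), and the IPsec pool should be at least as large as the SSL VPN pool it replaces. The following script is an added example (not part of the original article and not Fortinet code) that performs those two checks on the article's sample ranges and emits the equivalent phase1-interface mode-cfg lines from the SSL VPN DNS settings; the Pool class and function names are the example's own.

```python
"""Translate SSL VPN tunnel settings into IPsec mode-cfg and check the client pools.

Added example; not part of the original article and not Fortinet code. It
uses the article's sample addresses. While SSL VPN and the new IPsec tunnel
run side by side on the same firewall, their client pools must not overlap,
and the IPsec pool should be at least as large as the SSL VPN pool it replaces.
"""
import ipaddress
from dataclasses import dataclass

# 'config vpn ssl settings' values from the article.
SSL_VPN_SETTINGS = {
    "dns-suffix": "internal.example.com",
    "dns-server1": "10.0.0.11",
    "dns-server2": "10.0.0.12",
}


@dataclass(frozen=True)
class Pool:
    """An inclusive IPv4 address range, like a FortiOS iprange address."""
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address

    @classmethod
    def parse(cls, start: str, end: str) -> "Pool":
        s, e = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        if e < s:
            raise ValueError(f"pool end {e} is before start {s}")
        return cls(s, e)

    def size(self) -> int:
        return int(self.end) - int(self.start) + 1

    def overlaps(self, other: "Pool") -> bool:
        return self.start <= other.end and other.start <= self.end


def check_pools(ssl_pool: Pool, ipsec_pool: Pool) -> list:
    """Problems with running both pools on the same firewall; empty means OK."""
    problems = []
    if ssl_pool.overlaps(ipsec_pool):
        problems.append("IPsec pool overlaps the SSL VPN pool")
    if ipsec_pool.size() < ssl_pool.size():
        problems.append("IPsec pool is smaller than the SSL VPN pool it replaces")
    return problems


def mode_cfg_lines(ssl: dict, ipsec_pool: Pool, split_include: str) -> list:
    """phase1-interface settings equivalent to the SSL VPN tunnel settings."""
    return [
        "set mode-cfg enable",
        f"set ipv4-dns-server1 {ssl['dns-server1']}",
        f"set ipv4-dns-server2 {ssl['dns-server2']}",
        f"set internal-domain-list \"{ssl['dns-suffix']}\"",
        f"set ipv4-start-ip {ipsec_pool.start}",
        f"set ipv4-end-ip {ipsec_pool.end}",
        f"set ipv4-split-include \"{split_include}\"",
    ]


if __name__ == "__main__":
    ssl_pool = Pool.parse("10.212.134.200", "10.212.134.210")    # SSLVPN_TUNNEL_ADDR1
    ipsec_pool = Pool.parse("10.212.134.100", "10.212.134.199")  # article's IPsec range
    for problem in check_pools(ssl_pool, ipsec_pool):
        raise SystemExit(problem)
    print('config vpn ipsec phase1-interface\n    edit "IPsec RA - SAML"')
    for line in mode_cfg_lines(SSL_VPN_SETTINGS, ipsec_pool, "Internal Networks"):
        print(f"        {line}")
    print("    next\nend")
```

The split-include address group is passed through by name only: the script cannot know which internal networks exist, so build "Internal Networks" on the FortiGate from the destinations of the existing SSL VPN policies before applying the output.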
 

  8. Create a migrated user group referencing the new SAML connector.

Existing SSL VPN configuration:
 

config user group

    edit "Previous VPN User Group"

        set member "SSL VPN SAML"

            config match

                edit 1

                    set server-name "SSL VPN SAML"
                    set group-name <IDP group identifier>

                next

            end

    next

end

 
Migrated IPsec configuration:
Configure a second user group that references the IPsec SAML connector configured in Steps 3 to 5. In most cases, the IdP group identifier can be reused.

config user group

    edit "Migrated VPN User Group"

        set member "IPsec VPN SAML"

            config match

                edit 1

                    set server-name "IPsec VPN SAML"
                    set group-name <IDP group identifier>

                next

            end

    next

end

 
Note: 

If using the same group-name on both the existing and migrated user group, each IdP connector must be configured to return the same set of groups to FortiGate.
 

  9. Clone an existing SSL VPN firewall policy and modify the copy so that the IPsec tunnel is the source interface and the migrated user group is the source user. Cloning the SSL VPN policy can be done in the GUI or CLI, following Technical Tip: How to configure clone policy from the CLI and GUI of the FortiGate.

(Screenshot: Edit-policy_1_mod.png)

Edit the new policy to reference the IPsec tunnel and enable the policy.

(Screenshot: Edit policy_2_mod.png)

  10. Configure FortiClient on a test endpoint to match the new IPsec tunnel. FortiClient configuration is kept as close to the default settings as possible to assist in testing.

 

SAML and Remote Gateway configuration:
 
(Screenshot: sec4_crop.png)
Advanced Settings configuration:
 
(Screenshot: sec5_crop.png)
If a network ID was configured in Step 6, enter the same value as the Local ID under the FortiClient Phase 1 configuration.

(Screenshot: localid_mod.png)
Note:

  • IKE Version 2 is required for SAML authentication.
  • If FortiGate runs v7.4 firmware, FortiClient must use the internal browser for SAML authentication. External SAML browser support is added in v7.6.1.
  • Make sure the user group is added either in the IPsec tunnel phase 1 configuration or in the firewall policy. If added in both, the user will authenticate, but the IPsec tunnel will not connect. 

 

  11. Test connecting to the IPsec tunnel and troubleshoot any issues.

(Screenshot: FCT verification.PNG)

For troubleshooting authentication issues, see Troubleshooting Tip: Companion for troubleshooting SSL VPN with SAML Authentication and Technical Tip: Troubleshoot IPsec SAML Dial UP tunnel.

For general IPsec VPN troubleshooting, see Troubleshooting Tip: IPsec VPN tunnels.
 

  12. Configure any additional requirements for the IPsec tunnel. When ready, migrate users to the new tunnel by updating the FortiClient configuration on their endpoints.
  13. Once all users have been migrated and testing is complete, confirm that no SSL VPN users remain connected and disable SSL VPN.

get vpn ssl monitor
SSL-VPN Login Users:
|Index|User|Group|Auth Type|Idle-Timeout|Auth-Timeout|From|HTTP in/out|HTTPS in/out|Two-factor Auth|

 

SSL-VPN sessions:
|Index|User|Group|Source IP|Duration|I/O Bytes|Tunnel/Dest IP| <----- no users are currently connected.

 

config vpn ssl settings

    set status disable

end

 

Note:
If issues persist, run the following troubleshooting commands to gather more information while reproducing the issue.

 

IPsec-related debugs:


diagnose vpn ike log filter rem-addr4 <Client_public_IP>
diagnose debug application ike -1
diagnose debug console timestamp enable
diagnose debug enable

 

For a dial-up tunnel the remote peer is the client, so filter on the public IP address of the test endpoint rather than a remote gateway. On FortiOS versions before v7.4.1, the filter command is 'diagnose vpn ike log-filter dst-addr4 <Client_public_IP>' instead of 'diagnose vpn ike log filter rem-addr4'.

Authentication-related debugs:

diagnose debug app fnbamd -1

diagnose debug app samld -1
diagnose debug console timestamp enable
diagnose debug enable

 

To disable the debugs:

 

diagnose debug disable

diagnose debug reset

 

Related documents: