Created on 05-12-2025 09:54 PM Edited on 09-17-2025 10:55 AM
Description:
This article provides some recommended configuration changes for migrating from an existing SSL VPN with SAML authentication to dialup IPsec, where a working IPsec configuration with SAML authentication must be achieved quickly for testing with minimal FortiClient changes.
This article does not seek to replicate the function of all possible SSL VPN configurations in IPsec, but to provide a base for migration testing, to which additional configuration can be added if required.
Scope: FortiGate v7.4 and v7.6, FortiClient v7.4.3 and later.
Solution:
SSL VPN tunnel mode is not supported in v7.6.3 and later. If this is in use, it is strongly recommended to migrate to another remote VPN method, such as dial-up IPsec, before upgrading.
Refer to SSL VPN to IPsec VPN Migration for general migration considerations and to SAML-based authentication for FortiClient remote access dialup IPsec VPN clients for a configuration example.
Note:
Assumptions:
If one or both of these assumptions do not apply: treat the migration as a new VPN deployment and consider re-using the previously configured SAML connector and firewall user groups for the IPsec remote access VPN. Take a backup of the current configuration and refer to SAML-based authentication for FortiClient remote access dialup IPsec VPN clients.
SSL VPN to IPsec migration:
Existing SSL VPN configuration:
    config user saml
        edit "SSL VPN SAML"
            set entity-id "http://vpn.fgt-a.example.com:10443/remote/saml/metadata/"
            set idp-entity-id "https://sts.windows.net/xxxxx-xxxxx-xxxxx-xxxxx-xxxxx/"
            set idp-single-sign-on-url "https://login.microsoftonline.com/xxxxx-xxxxx-xxxxx-xxxxx-xxxxx/saml2"
            set idp-single-logout-url "https://login.microsoftonline.com/xxxxx-xxxxx-xxxxx-xxxxx-xxxxx/saml2"
            set idp-cert "Entra IDP 1"
            set user-name "username"
            set digest-method sha1
        next
    end

    config vpn ssl settings
        set servercert "fgt-a.example.com"
        set port 10443
    end
    config user saml
        edit "IPsec VPN SAML"
            set entity-id "http://vpn.fgt-a.example.com:11443/remote/saml/metadata/"
            set idp-entity-id "https://sts.windows.net/xxxxx-xxxxx-xxxxx-xxxxx-xxxxx/"
            set idp-single-sign-on-url "https://login.microsoftonline.com/xxxxx-xxxxx-xxxxx-xxxxx-xxxxx/saml2"
            set idp-single-logout-url "https://login.microsoftonline.com/xxxxx-xxxxx-xxxxx-xxxxx-xxxxx/saml2"
            set idp-cert "Entra IDP 1"
            set user-name "username"
            set group-name "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
            set digest-method sha1
        next
    end
The IdP settings copied from the SSL VPN connector (idp-entity-id, idp-single-sign-on-url, idp-single-logout-url and idp-cert) are placeholders and will be updated in Step 5.
    config user setting
        set auth-cert "fgt-a.example.com"
    end
Define a SAML port for IKE and apply the second SAML connector to the interface that will host the IPsec VPN. IKE with SAML authentication does not support multiple SAML servers on the same external interface.
    config system global
        set auth-ike-saml-port 11443
    end

    config system interface
        edit "wan1"
            set ike-saml-server "IPsec VPN SAML"
        next
    end
IPsec configuration:
    config user saml
        edit "IPsec VPN SAML"
            set idp-entity-id "https://sts.windows.net/yyyyy-yyyyy-yyyyy-yyyyy-yyyyy/"
            set idp-single-sign-on-url "https://login.microsoftonline.com/yyyyy-yyyyy-yyyyy-yyyyy-yyyyy/saml2"
            set idp-single-logout-url "https://login.microsoftonline.com/yyyyy-yyyyy-yyyyy-yyyyy-yyyyy/saml2"
            set idp-cert "Entra IDP 2"
        next
    end
IPsec configuration:
    config vpn ipsec phase1-interface
        edit "IPsec RA - SAML"
            set type dynamic
            set eap enable
        next
    end

    config vpn ipsec phase2-interface
        edit "IPsec RA - SAML"
            set phase1name "IPsec RA - SAML"
        next
    end

    config vpn ipsec phase1-interface
        edit "IPsec RA - SAML"
            set network-overlay enable
            set network-id [0-255]
        next
    end
Network ID is configurable on FortiClient using EMS or by editing the XML configuration. See 'Network ID' in FortiClient 7.4.4 EMS Administration Guide and FortiClient 7.4.4 XML Reference Guide.
    config vpn ssl settings
        set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    end

    config firewall address
        edit "SSLVPN_TUNNEL_ADDR1"
            set type iprange
        next
    end

    config vpn ipsec phase1-interface
        edit "IPsec RA - SAML"
            set mode-cfg enable
            set ipv4-split-include "Internal Networks"
        next
    end
ipv4-split-include should be a firewall address or address group that includes all local networks reachable over the tunnel. Unlike SSL VPN, IPsec does not support dynamic split-tunnel routing based on firewall policy destination.
Existing SSL VPN configuration:
    config user group
        edit "Previous VPN User Group"
            set member "SSL VPN SAML"
            config match
                edit 1
                    set server-name "SSL VPN SAML"
                next
            end
        next
    end

    config user group
        edit "Migrated VPN User Group"
            set member "IPsec VPN SAML"
            config match
                edit 1
                    set server-name "IPsec VPN SAML"
                next
            end
        next
    end
If using the same group-name on both the existing and migrated user group, each IdP connector must be configured to return the same set of groups to the FortiGate.
Edit the new policy to reference the IPsec tunnel and enable the policy.
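The steps above leave several settings that must agree with each other before the first FortiClient test: the IPsec SAML connector's entity-id port must equal auth-ike-saml-port, the external interface must apply that connector via ike-saml-server, the phase1 must be dynamic with EAP, mode-cfg and a static ipv4-split-include, and the migrated user group must reference the IPsec connector rather than the SSL VPN one. The following script is an added example, not Fortinet code: it parses FortiOS CLI text in the config/edit/set/next/end form shown in this article and reports any of those invariants that do not hold. The embedded configuration is a constructed sample that reuses the article's placeholder names (IPsec VPN SAML, IPsec RA - SAML, wan1, Migrated VPN User Group); point it at a real backup by passing the file contents to lint_migration().

```python
"""Pre-migration lint for the SSL VPN -> dialup IPsec (SAML) steps above.
Added example, not Fortinet code. Names default to the article's placeholders."""
import shlex
from urllib.parse import urlparse


def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts.
    'config a b' -> key 'a b', 'edit X' -> key 'X',
    'set k v' -> k: 'v', 'set k v1 v2' -> k: ['v1', 'v2']."""
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, *args = shlex.split(line)          # honours quoted names/URLs
        if cmd == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif cmd in ("next", "end"):
            stack.pop()
    return root


def lint_migration(text, saml="IPsec VPN SAML", phase1="IPsec RA - SAML",
                   group="Migrated VPN User Group", interface="wan1"):
    """Return a list of findings; an empty list means the invariants hold."""
    cfg = parse_fortios(text)
    findings = []
    conn = cfg.get("user saml", {}).get(saml)
    if conn is None:
        return [f"SAML connector '{saml}' is missing"]
    # 1. The SP entity-id port must be the port IKE listens on for SAML.
    ike_port = cfg.get("system global", {}).get("auth-ike-saml-port")
    entity_port = urlparse(conn.get("entity-id", "")).port
    if ike_port is None or str(entity_port) != ike_port:
        findings.append(f"entity-id port {entity_port} != auth-ike-saml-port {ike_port}")
    # 2. The hosting interface must apply this connector (one SAML server per interface).
    iface = cfg.get("system interface", {}).get(interface, {})
    if iface.get("ike-saml-server") != saml:
        findings.append(f"interface {interface} does not set ike-saml-server '{saml}'")
    # 3. Dialup phase1: dynamic, EAP, mode-cfg, and a static split-include address.
    p1 = cfg.get("vpn ipsec phase1-interface", {}).get(phase1, {})
    for key, want in (("type", "dynamic"), ("eap", "enable"), ("mode-cfg", "enable")):
        if p1.get(key) != want:
            findings.append(f"phase1 '{phase1}': expected 'set {key} {want}'")
    if not p1.get("ipv4-split-include"):
        findings.append(f"phase1 '{phase1}': ipv4-split-include not set "
                        "(IPsec has no policy-based dynamic split tunnel)")
    # 4. The migrated group must point at the IPsec connector in member and match.
    grp = cfg.get("user group", {}).get(group, {})
    members = grp.get("member", [])
    members = [members] if isinstance(members, str) else members
    if saml not in members:
        findings.append(f"group '{group}' does not list '{saml}' as member")
    servers = {m.get("server-name") for m in grp.get("match", {}).values()}
    if saml not in servers:
        findings.append(f"group '{group}' has no match entry with server-name '{saml}'")
    return findings


# Constructed sample mirroring the article's IPsec-side blocks (not a real backup).
SAMPLE_OK = '''
config system global
    set auth-ike-saml-port 11443
end
config user saml
    edit "IPsec VPN SAML"
        set entity-id "http://vpn.fgt-a.example.com:11443/remote/saml/metadata/"
        set idp-cert "Entra IDP 2"
        set user-name "username"
        set group-name "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
    next
end
config system interface
    edit "wan1"
        set ike-saml-server "IPsec VPN SAML"
    next
end
config vpn ipsec phase1-interface
    edit "IPsec RA - SAML"
        set type dynamic
        set eap enable
        set mode-cfg enable
        set ipv4-split-include "Internal Networks"
    next
end
config user group
    edit "Migrated VPN User Group"
        set member "IPsec VPN SAML"
        config match
            edit 1
                set server-name "IPsec VPN SAML"
            next
        end
    next
end
'''
# Same sample with the SSL VPN port left in entity-id and no split-include.
SAMPLE_BAD = SAMPLE_OK.replace(":11443/", ":10443/").replace(
    '        set ipv4-split-include "Internal Networks"\n', "")

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, lint_migration(sample) or "no findings")
```

Run it against the output of a configuration backup to get the same findings for a real migration; the parser ignores settings it does not check, so the full backup can be passed as-is.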
SAML and Remote Gateway configuration:
For troubleshooting authentication issues, see Troubleshooting Tip: Companion for troubleshooting SSL VPN with SAML Authentication and Technical Tip: Troubleshoot IPsec SAML Dial UP tunnel.
    get vpn ssl monitor
    SSL-VPN sessions:

    config vpn ssl settings
        set status disable
    end
Note:
IPsec-related debugs:
Starting from FortiOS v7.4.1, the 'diagnose vpn ike log-filter dst-addr4' command has been changed to 'diagnose vpn ike log filter rem-addr4'.
Authentication-related debugs:
    diagnose debug app fnbamd -1
    diagnose debug app samld -1
To disable the debugs:
    diagnose debug disable
    diagnose debug reset
Related documents:
Copyright 2025 Fortinet, Inc. All Rights Reserved.