Description
This article demonstrates the required settings for hosting a SAML authentication server on the same TCP port as IKE.
Scope
FortiOS v7.6.1 and later. FortiClient v7.4.1 and later.
Solution
In FortiOS v7.6.1 and later, it is possible to host a SAML server for IPsec user authentication on the same port as the one used for IKE TCP encapsulation. This can be necessary in locked-down environments where the only outbound port allowed for clients is TCP 443.
IPsec dialup VPN over TCP also requires FortiClient v7.4.1 or later; see FortiClient 7.4.0 New Features Guide | IPsec VPN over TCP on Windows, macOS, and Linux.
Multiple resources exist demonstrating how to configure a SAML server for IKE. It is recommended to review the following and configure a test deployment using UDP transport for IPsec before integrating TCP transport.
Sample Configuration:
This example highlights the settings needed to transition an existing, working dialup tunnel to IKE TCP transport; it is not a complete configuration.
Warning: changing ike-tcp-port flushes all existing IPsec tunnels, including site-to-site tunnels and those using UDP transport mode. This will cause some disruption for existing traffic traversing IPsec VPN.
config system settings
    set ike-tcp-port 20443    <-- will flush all IPsec tunnels
end
When setting ike-tcp-port, FortiGate reserves TCP port 11443 internally for IKE traffic. If admin-sport is already configured as 11443, a port conflict exists and either admin GUI or IKE TCP encapsulation will not run correctly. See the article Technical Tip: Dial-up IPsec VPN connection fails when a non-default IKE TCP port is configured on F....
config system global
    set auth-ike-saml-port 1001    <----- There is no requirement to match ike-tcp-port.
end

config user setting
    set auth-cert <certificate for FortiGate FQDN>    <----- Certificate used for client connection to FortiGate as SAML SP.
end

config user saml
    edit "IKE_SAML"
        set entity-id "http://<FortiGate FQDN>:20443/remote/saml/metadata/"
        set single-sign-on-url "https://<FortiGate FQDN>:20443/remote/saml/login"
        set single-logout-url "https://<FortiGate FQDN>:20443/remote/saml/logout"
    next
end

config system interface
    edit "port1"
        set ike-saml-server "IKE_SAML"
    next
end

config vpn ipsec phase1-interface
    edit "dialup_psk"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set transport tcp
        set fortinet-esp disable    <-- default setting. fortinet-esp is used only for FortiGate-FortiGate site-to-site tunnels.
    next
end

config user group
    edit "IKE SAML user group"
        set member "IKE_SAML"
    next
end

config firewall policy
    edit <index>
        set name "RA VPN test"
        set srcintf "dialup_psk"
        set dstintf "port2"
        set action accept
        set srcaddr "IPsec VPN Admin Clients"
        set dstaddr "Test Address"
        set schedule "always"
        set service "PING"
        set groups "IKE SAML user group"
    next
end
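As an added pre-change check (example code written for this article, not Fortinet's own tooling), the following Python lints a FortiOS CLI fragment for the two pitfalls described above: admin-sport occupying the internally reserved port 11443, and SAML SP URLs whose port does not match ike-tcp-port. The fragment and the hostname vpn.example.com are constructed for the demonstration.

```python
from urllib.parse import urlparse

RESERVED_IKE_TCP_PORT = 11443  # reserved internally by FortiGate once ike-tcp-port is set
# Constructed sample: admin-sport on the reserved port, logout URL on the wrong port.
SAMPLE_CONFIG = """
config system settings
    set ike-tcp-port 20443
end
config system global
    set admin-sport 11443
end
config user saml
    edit "IKE_SAML"
        set entity-id "http://vpn.example.com:20443/remote/saml/metadata/"
        set single-sign-on-url "https://vpn.example.com:20443/remote/saml/login"
        set single-logout-url "https://vpn.example.com:443/remote/saml/logout"
    next
end
"""

def parse_settings(text):
    """Flatten config/edit/set/next/end nesting into {'<path>/<key>': value}."""
    path, settings = [], {}
    for raw in text.splitlines():
        tokens = raw.split("<--")[0].split()  # drop inline '<--' annotations
        if not tokens:
            continue
        if tokens[0] == "config":
            path.append(" ".join(tokens[1:]))
        elif tokens[0] == "edit":
            path.append(tokens[1].strip('"'))
        elif tokens[0] in ("next", "end"):
            path.pop()
        elif tokens[0] == "set":
            settings["/".join(path + [tokens[1]])] = " ".join(tokens[2:]).strip('"')
    return settings

def lint(settings):
    """Return findings for the two checks the article calls out; [] means clean."""
    ike_tcp = settings.get("system settings/ike-tcp-port")
    if ike_tcp is None:
        return ["ike-tcp-port is not set; IKE over TCP is not enabled"]
    findings = []
    if int(settings.get("system global/admin-sport", 443)) == RESERVED_IKE_TCP_PORT:
        findings.append(f"admin-sport {RESERVED_IKE_TCP_PORT} clashes with the reserved IKE TCP port")
    for key, value in settings.items():
        # SAML SP URLs must carry the port FortiClient is pointed at, i.e. ike-tcp-port
        if key.startswith("user saml/") and value.startswith("http") and urlparse(value).port != int(ike_tcp):
            findings.append(f"{key} does not use ike-tcp-port {ike_tcp}")
    return findings
```

Run `lint(parse_settings(SAMPLE_CONFIG))` to see both findings; a fragment that passes returns an empty list.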
Verification:
On FortiClient, enable single-sign-on and configure single-sign-on port as 20443. Enable IPsec over TCP and configure TCP port as 20443.
FortiClient v7.4.3:
Connect to the IPsec VPN and attempt to access a resource behind the firewall.
If it is not possible to connect to the VPN, verify with a packet sniffer that the TCP packets are reaching the FortiGate, and check that the expected 'NOT IKETCP(), assign to AUTH' messages are visible in the IKE diagnostics as shown below:
diagnose debug application ike -1
diagnose debug application authd 7
diagnose debug enable

ike V=root:accepts ike tcp-transport(vd=0, vrf=0, intf=0:3, 10.250.255.27:20443->10.250.101.89:55059 sock=44 refcnt=2 ph1=(nil)) (2).
ike V=root:NOT IKETCP(), assign to AUTH
authd_http: change state from 0 to 1
authd_http: change state from 1 to 2
To stop the debug:
diagnose debug reset
diagnose debug disable
If 'NOT IKETCP(), assign to AUTH' messages are seen and CPU usage is normal for the iked and authd processes, it is unlikely to be an issue specific to IPsec over TCP. In this case see FortiClient v7.4.3 EMS Administration Guide | Troubleshooting IPsec VPN IKEv2 with SAML authenticati... for further troubleshooting steps.
Note: IPsec over TCP does not support NPU offloading, see FortiOS Administration Guide | Encapsulate ESP packets within TCP headers. The IPsec VPN Throughput Specification recorded in the product datasheet assumes the use of NPU offloading, so a lower maximum throughput is expected when TCP encapsulation is in use.
Related articles:
Technical Tip: FortiGate Hub with multiple IPsec Dial-up phase1 using IKEv2 and PSK authentication
FortiOS v7.6.1 Administration Guide | Dialup IPsec VPN using custom TCP port
Copyright 2025 Fortinet, Inc. All Rights Reserved.