Matt_B
Staff & Editor
Article Id 414263
Description

This article demonstrates the required settings for hosting a SAML authentication server on the same TCP port as IKE.
Scope

FortiOS v7.6.1 and later, FortiClient v7.4.1 and later.

Solution

In v7.6.1 and later, the SAML SP server used for IPsec user authentication can be hosted on the same port as the one used for IKE TCP encapsulation. This can be necessary in locked-down environments where the only outgoing port allowed for clients is TCP 443.

IPsec dial-up VPN over TCP also requires FortiClient v7.4.1 or later; see the FortiClient 7.4.0 New Features Guide for details on IPsec VPN over TCP support on Windows, macOS, and Linux.

Multiple resources exist demonstrating how to configure a SAML server for IKE. It is recommended to review the documents listed under 'Related documents' at the end of this article and to configure a test deployment using UDP transport for IPsec before introducing TCP transport.

Sample Configuration:

This example shows the important settings for transitioning an existing, working dial-up tunnel to IKE TCP transport; it is not comprehensive. It uses TCP port 20443, but any desired TCP port can be substituted.

Warning:

Changing ike-tcp-port flushes all existing IPsec tunnels, including site-to-site tunnels and tunnels using UDP transport mode. Expect disruption to existing traffic traversing the IPsec VPN.

When IPsec SAML authentication and IKE TCP encapsulation share a port, the 'auth-ike-saml-port' setting is not used. Configure 'ike-tcp-port' to the single TCP port that will carry both SAML authentication and IPsec traffic.

config system setting
    set ike-tcp-port 20443 <----- Changing ike-tcp-port flushes all IPsec tunnels, including UDP.
end

config system global
    set auth-ike-saml-port 1001 <----- Unchanged. Must not match ike-tcp-port.
end

config user setting
    set auth-cert <certificate for FortiGate FQDN> <----- Certificate presented to clients connecting to the FortiGate as SAML SP.
end

Ensure the SAML SP URLs include the intended TCP port, except when the port is 443 (in which case the port is omitted).

config user saml
    edit "IKE_SAML"
        set entity-id "http://<FortiGate FQDN>:20443/remote/saml/metadata/"
        set single-sign-on-url "https://<FortiGate FQDN>:20443/remote/saml/login"
        set single-logout-url "https://<FortiGate FQDN>:20443/remote/saml/logout"
        set idp-entity-id <IDP identifier URL>
        set idp-single-sign-on-url <IDP sign-on URL>
        set idp-single-logout-url <IDP logout URL>
        set idp-cert <Remote IDP certificate imported to FortiGate>
    next
end

If 'set ike-tcp-port 443' is configured, the port is omitted from the URLs:

config user saml
    edit "IKE_SAML"
        set entity-id "http://<FortiGate FQDN>/remote/saml/metadata/"
        set single-sign-on-url "https://<FortiGate FQDN>/remote/saml/login"
        set single-logout-url "https://<FortiGate FQDN>/remote/saml/logout"
    next
end

config system interface
    edit "port1"
        set ike-saml-server "IKE_SAML"
    next
end

config vpn ipsec phase1-interface
    edit "dialup_psk"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256
        set dpd on-idle
        set dhgrp 14 5 20
        set eap enable
        set eap-identity send-request
        set transport tcp
        set fortinet-esp disable <----- Default setting. fortinet-esp is used only for FortiGate-to-FortiGate site-to-site tunnels.
        set ipv4-start-ip 10.253.0.100
        set ipv4-end-ip 10.253.0.200
        set dns-mode auto
        set ipv4-split-include "Admin Split Tunnel Addresses"
        set psksecret <psk>
        set dpd-retryinterval 60
    next
end

config user group
    edit "IKE SAML user group"
        set member "IKE_SAML"
    next
end

config firewall policy
    edit <index>
        set name "RA VPN test"
        set srcintf "dialup_psk"
        set dstintf "port2"
        set action accept
        set srcaddr "IPsec VPN Admin Clients"
        set dstaddr "Test Address"
        set schedule "always"
        set service "PING"
        set groups "IKE SAML user group"
    next
end

Potential port conflicts:

  • ike-tcp-port and auth-ike-saml-port: because one port carries both SAML authentication and IPsec transport, the iked process must initially receive both the SAML and the IPsec traffic. The single FortiOS setting controlling this is 'ike-tcp-port'. Leave 'auth-ike-saml-port' at a different value, since it is not used in this mode. Setting 'ike-tcp-port' and 'auth-ike-saml-port' to the same value causes the iked process to miss TCP IPsec traffic, preventing tunnel establishment.
  • TCP 11443 and admin-sport: when ike-tcp-port is set, FortiGate reserves TCP port 11443 internally for IKE traffic. If admin-sport is already configured as 11443, a port conflict exists and either the admin GUI or IKE TCP encapsulation will not work correctly. See the article Technical Tip: Dial-up IPsec VPN connection fails when a non-default IKE TCP port is configured on F....
  • ike-tcp-port and admin-sport: the configuration check rejects the same value for both settings.
  • ike-tcp-port and external virtual IP: the TCP port must not overlap with an existing virtual IP. For example, if the FortiGate forwards remote HTTPS traffic on TCP port 443 to a local web server, TCP port 443 is not available for hosting IPsec/SAML.
  • ike-tcp-port and SSL VPN port: although SSL VPN tunnel mode is removed in v7.6.3 and later, SSL VPN web mode remains as 'Agentless VPN'. Disable Agentless VPN or use a different port; see the article Technical Tip: How to disable SSL VPN functionality on FortiGate.
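As an added example (not Fortinet's code and not part of this article), the following Python script parses a FortiOS-style CLI snippet and checks it against the port rules above: 'auth-ike-saml-port' equal to 'ike-tcp-port', 'admin-sport' equal to 'ike-tcp-port' or to the reserved TCP 11443, overlap with a virtual IP's external port, and the earlier rule that the SAML SP URLs must carry the ike-tcp-port unless it is 443. The two configuration snippets (hostname vpn.example.com, VIP name web_server_vip) are constructed for the demonstration; the parser handles only the 'config / edit / set / next / end' forms shown on this page, and it assumes the FortiOS factory default of 443 for admin-sport when that setting is absent.

```python
"""Added example (not Fortinet code): check a FortiOS CLI snippet against the IKE-over-TCP port rules."""
from urllib.parse import urlparse

RESERVED_IKE_TCP_PORT = 11443  # reserved internally once ike-tcp-port is set
DEFAULT_ADMIN_SPORT = 443      # FortiOS factory default, assumed when admin-sport is not set


def parse_fortios(text):
    """Flatten 'config / edit / set / next / end' into {scope: {key: value}}, scope e.g. 'user saml/IKE_SAML'."""
    stack, result = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[7:].strip())
        elif line.startswith("edit "):
            stack.append(line[5:].strip().strip('"'))
        elif line in ("next", "end"):
            if stack:
                stack.pop()
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            result.setdefault("/".join(stack), {})[key] = value.strip().strip('"')
    return result


def _port_range(spec):  # '443' -> (443, 443); '8000-8080' -> (8000, 8080)
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def check_ports(cfg):
    """Return human-readable findings; an empty list means no conflict was found."""
    findings = []
    sysset = cfg.get("system setting", {})
    if "ike-tcp-port" not in sysset:
        return ["ike-tcp-port is not set: IKE TCP transport is not in use"]
    ike_tcp = int(sysset["ike-tcp-port"])
    glob = cfg.get("system global", {})
    # auth-ike-saml-port is unused in this mode but must still differ from ike-tcp-port
    if "auth-ike-saml-port" in glob and int(glob["auth-ike-saml-port"]) == ike_tcp:
        findings.append(f"auth-ike-saml-port equals ike-tcp-port {ike_tcp}: iked will miss TCP IPsec traffic")
    admin_sport = int(glob.get("admin-sport", DEFAULT_ADMIN_SPORT))
    if admin_sport == ike_tcp:
        findings.append(f"admin-sport equals ike-tcp-port {ike_tcp}: rejected by the configuration check")
    if admin_sport == RESERVED_IKE_TCP_PORT:
        findings.append(f"admin-sport is TCP {RESERVED_IKE_TCP_PORT}, reserved for IKE once ike-tcp-port is set")
    for scope, settings in cfg.items():
        # a VIP whose external port covers ike-tcp-port takes that port away from IPsec/SAML
        if scope.startswith("firewall vip/") and "extport" in settings:
            lo, hi = _port_range(settings["extport"])
            if lo <= ike_tcp <= hi:
                findings.append(f"VIP {scope.split('/', 1)[1]} extport {settings['extport']} overlaps ike-tcp-port {ike_tcp}")
        # SP URLs must carry ike-tcp-port explicitly, except for 443 where the port is omitted
        if scope.startswith("user saml/"):
            for key in ("entity-id", "single-sign-on-url", "single-logout-url"):
                if key not in settings:
                    continue
                explicit = urlparse(settings[key]).port
                if explicit is None and ike_tcp != 443:
                    findings.append(f"{scope} {key} omits the port but ike-tcp-port is {ike_tcp}")
                elif explicit is not None and explicit != ike_tcp:
                    findings.append(f"{scope} {key} uses port {explicit}, expected ike-tcp-port {ike_tcp}")
    return findings


# Constructed samples: GOOD_CFG mirrors the article's values, BAD_CFG triggers four findings.
GOOD_CFG = """\
config system setting
    set ike-tcp-port 20443
end
config system global
    set auth-ike-saml-port 1001
end
config user saml
    edit "IKE_SAML"
        set entity-id "http://vpn.example.com:20443/remote/saml/metadata/"
        set single-sign-on-url "https://vpn.example.com:20443/remote/saml/login"
    next
end
"""
BAD_CFG = """\
config system setting
    set ike-tcp-port 443
end
config system global
    set auth-ike-saml-port 443
    set admin-sport 11443
end
config firewall vip
    edit "web_server_vip"
        set portforward enable
        set extport 443
    next
end
config user saml
    edit "IKE_SAML"
        set entity-id "http://vpn.example.com:20443/remote/saml/metadata/"
        set single-sign-on-url "https://vpn.example.com/remote/saml/login"
    next
end
"""
```

Running `check_ports(parse_fortios(GOOD_CFG))` returns an empty list, while the BAD_CFG sample reports the SAML port collision, the reserved 11443 used as admin-sport, the VIP on 443 and the entity-id that still carries :20443 after ike-tcp-port was moved to 443. The script only reads text, so it can be run against a backup of the configuration before the change is applied on the FortiGate.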

 

Verification:

On FortiClient, enable single sign-on and set the single sign-on port to 20443. Enable IPsec over TCP and set the TCP port to 20443.

FortiClient v7.4.3:

[Image: FortiClient port configuration (FortiClient_port_configuration.png)]

Connect to the IPsec VPN and attempt to access a resource behind the firewall.

If it is not possible to connect to the VPN, verify in a packet sniffer that the TCP packets are reaching the FortiGate, and check that the expected 'NOT IKETCP(), assign to AUTH' messages appear in the IKE diagnostics, as shown below:

diagnose debug application ike -1
diagnose debug application authd 7
diagnose debug enable

ike V=root:accepts ike tcp-transport(vd=0, vrf=0, intf=0:3, 10.250.255.27:20443->10.250.101.89:55059 sock=44 refcnt=2 ph1=(nil)) (2).
ike V=root:NOT IKETCP(), assign to AUTH
authd_http: change state from 0 to 1
authd_http: change state from 1 to 2

To stop the debug:

diagnose debug reset
diagnose debug disable

If the 'NOT IKETCP(), assign to AUTH' messages are seen and CPU usage is normal for the iked and authd processes, the problem is unlikely to be specific to IPsec over TCP. In that case, see the article Troubleshooting IPsec VPN IKEv2 with SAML authentication for further troubleshooting steps.
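As an added example (not Fortinet's code and not part of this article), the following Python snippet summarizes IKE/authd debug output of the kind shown above: it extracts each accepted TCP connection with its local port, counts the 'NOT IKETCP(), assign to AUTH' hand-offs to authd and the authd_http state changes, and returns a verdict that follows the reasoning in this section. The sample input is the set of debug lines shown above; the message formats are assumed to be exactly as printed here, and the function name summarize_ike_tcp_debug is my own.

```python
"""Added example (not Fortinet code): summarize 'diagnose debug application ike/authd' output for IPsec over TCP."""
import re

# Message formats are assumed to match the lines shown in this article.
ACCEPT_RE = re.compile(
    r"accepts ike tcp-transport\(.*?(\d+\.\d+\.\d+\.\d+):(\d+)->(\d+\.\d+\.\d+\.\d+):(\d+) sock=(\d+)"
)
AUTH_HANDOFF = "NOT IKETCP(), assign to AUTH"  # iked passed the connection to authd (SAML/HTTP)
AUTHD_STATE_RE = re.compile(r"authd_http: change state from (\d+) to (\d+)")


def summarize_ike_tcp_debug(lines, expected_port):
    """Parse debug lines and return counters plus a verdict following the article's reasoning."""
    summary = {"accepts": [], "wrong_port": [], "auth_handoffs": 0, "authd_transitions": 0}
    for line in lines:
        m = ACCEPT_RE.search(line)
        if m:
            local_ip, local_port, peer_ip, peer_port, sock = m.groups()
            conn = {"local": f"{local_ip}:{local_port}", "peer": f"{peer_ip}:{peer_port}", "sock": int(sock)}
            summary["accepts"].append(conn)
            if int(local_port) != expected_port:
                summary["wrong_port"].append(conn)
        elif AUTH_HANDOFF in line:
            summary["auth_handoffs"] += 1
        elif AUTHD_STATE_RE.search(line):
            summary["authd_transitions"] += 1
    summary["verdict"] = _verdict(summary)
    return summary


def _verdict(s):
    if not s["accepts"]:
        return "no-tcp-connections"  # nothing reached iked on TCP: confirm with a packet sniffer first
    if s["wrong_port"]:
        return "port-mismatch"       # client connected to a port other than the configured ike-tcp-port
    if s["auth_handoffs"] == 0:
        return "no-saml-handoff"     # TCP accepted, but nothing was handed to authd as SAML/HTTP
    return "saml-handoff-ok"         # not an IPsec-over-TCP problem: continue with SAML troubleshooting


# Sample input: the debug lines shown in this article, unchanged.
ARTICLE_LINES = [
    "ike V=root:accepts ike tcp-transport(vd=0, vrf=0, intf=0:3, 10.250.255.27:20443->10.250.101.89:55059 sock=44 refcnt=2 ph1=(nil)) (2).",
    "ike V=root:NOT IKETCP(), assign to AUTH",
    "authd_http: change state from 0 to 1",
    "authd_http: change state from 1 to 2",
]

if __name__ == "__main__":
    print(summarize_ike_tcp_debug(ARTICLE_LINES, 20443))
```

Paste the captured debug output into the list (or read it from a file) and pass the configured ike-tcp-port; a 'saml-handoff-ok' verdict means the TCP path and the hand-off to authd are working and the SAML troubleshooting article is the next step, while 'port-mismatch' points at a client whose SSO or IPsec-over-TCP port does not match the FortiGate.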

 

Note:

IPsec over TCP does not support NPU offloading; see the FortiOS Administration Guide: Encapsulate ESP packets within TCP headers. The IPsec VPN throughput specification in the product datasheet assumes NPU offloading, so a lower maximum throughput is expected when TCP encapsulation is in use.

Related documents:

Technical Tip: FortiGate Hub with multiple IPsec Dial-up phase1 using IKEv2 and PSK authentication

TCP encapsulation of IKE and IPsec packets across multiple vendors

Dialup IPsec VPN using custom TCP port