Dual WAN remote access IPSec VPN with SAML
I'm attempting to set up remote access VPN using IPsec and authentication with SAML using Entra ID. There are a couple of tricky parts about this setup:
1. Dual WAN for failover/redundancy
2. Different groups need to be configured for different VPN access
I have been able to successfully configure and test the connection individually to a single WAN but am having issues connecting individually to the 2nd WAN. The connection to the 2nd WAN gives a WAN1 cert error. I have verified that the WAN2 Entra enterprise app and the WAN2 IPsec VPN configs do not reference the WAN1 cert.
I also have not figured out how to separate the different VPN access groups without building a bunch of enterprise apps in Entra that reference specific access groups. My hope is to have a single app for each WAN connection with different groups for access, then limit network access by the group membership in the policy.
I can find plenty of documentation on how to do this with SSL-VPN, but I'm trying to stay away from SSL-VPN if possible.
FortiGate 7.4.1
Labels: FortiClient, FortiGate, IPsec, SAML
Hello, I think this KB will help in your configuration:
Hi @briansmith3615,
On the FortiGate, did you create 2 separate Single Sign-On entries, one for each WAN IP address? You can create multiple SAML user groups and multiple dialup tunnels for each group. You will also need to configure peer IDs: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-Peer-IDs-to-select-an-IPSec-dia...
Regards,

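To make the reply above concrete, here is an added FortiOS CLI sketch (not part of this thread, and not configuration posted by either participant) of the "one SAML server per WAN, one SAML user group per Entra group, one dialup tunnel per group selected by peer ID" layout. All object names, the IP addresses, the tenant and group values and the pre-shared key are placeholders I chose for illustration; the attribute names `username`/`group` must match whatever claims the Entra enterprise app is configured to send, and the FortiClient profile for each tunnel must send the matching Local ID for the peer ID selection to work.

```text
# Added example, not from the original post. Placeholders are in <ANGLE-BRACKETS>.
# Repeat the three blocks with wan2 / the WAN2 public IP / a second Entra app for the other WAN,
# and add one "user group" + one "phase1-interface" per access group on each WAN.

# 1. One SAML server object per WAN (its entity ID / SSO URLs use that WAN's public IP).
config user saml
    edit "saml-wan1"
        set entity-id "http://<WAN1-PUBLIC-IP>/remote/saml/metadata/"
        set single-sign-on-url "https://<WAN1-PUBLIC-IP>/remote/saml/login/"
        set single-logout-url "https://<WAN1-PUBLIC-IP>/remote/saml/logout/"
        set idp-entity-id "<ENTRA-APP-IDENTIFIER-FOR-WAN1>"
        set idp-single-sign-on-url "<ENTRA-LOGIN-URL-FOR-WAN1>"
        set idp-single-logout-url "<ENTRA-LOGOUT-URL-FOR-WAN1>"
        set idp-cert "<IMPORTED-ENTRA-SIGNING-CERT>"
        set user-name "username"
        set group-name "group"
    next
end

# 2. One FortiGate user group per Entra group; the match uses the group value
#    (for Entra this is normally the group object ID) carried in the SAML assertion.
config user group
    edit "vpn-wan1-admins"
        set member "saml-wan1"
        config match
            edit 1
                set server-name "saml-wan1"
                set group-name "<ENTRA-GROUP-OBJECT-ID-ADMINS>"
            next
        end
    next
end

# 3. One IKEv2 dialup tunnel per group on that WAN. "peertype one" + "peerid" is what
#    lets several dialup tunnels share the same WAN interface; FortiClient must send
#    the same string as its Local ID. EAP hands authentication to the SAML user group.
config vpn ipsec phase1-interface
    edit "wan1-admins"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype one
        set peerid "wan1-admins"
        set mode-cfg enable
        set eap enable
        set eap-identity send-request
        set authusrgrp "vpn-wan1-admins"
        set ipv4-start-ip 10.10.1.1
        set ipv4-end-ip 10.10.1.254
        set ipv4-netmask 255.255.255.0
        set psksecret <PRE-SHARED-KEY-PLACEHOLDER>
    next
end
```

Network access is then limited per group by writing firewall policies whose source interface is the per-group tunnel interface (`wan1-admins` above) and whose source user group is that group, so a user who is not in the Entra group never gets a tunnel that reaches the restricted subnets.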