Dual WAN remote access IPSec VPN with SAML

briansmith3615 · ‎05-17-2024

I'm attempting to setup remote access VPN using IPSec and authentication with SAML using Entra ID. There are a couple of tricky parts about this setup:

1. Dual WAN for failover/redundancy

2. Different groups need be configured for different VPN access

I have been able to successfully configure and test the connection individually to a single WAN but having issues connecting individually to the 2nd WAN. The connection to the 2nd WAN gives a WAN1 cert error. I have verified that the WAN2 Entra enterprise app and the WAN2 IPSec VPN configs do not reference the WAN1 cert.

I also have not figured out how to sperate the different VPN access groups without building a bunch of enterprise apps in Entra the reference specific access groups. My hope is to have a single app for each WAN connection with different groups for access, then limit network access by the group membership in the policy.

I can find plenty of documentation on how to do this with SSL-VPN, but I'm trying to stay away from SSL-VPN if possible.

FortiGate 7.4.1

sahmed_FTNT · ‎05-18-2024

Hello, i think this kb will help in your configuration:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Dual-WAN-SSL-VPN-with-Azure-SAML-SSO/ta-p/...

Security all we want

hbac · ‎05-18-2024

Hi @briansmith3615,

On the FortiGate, did you create 2 separate Single Sign-On for each wan IP addresses? You can create multiple SAML user groups and multiple Dialup tunnels for each group. You will also need to configure peer ID https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-Peer-IDs-to-select-an-IPSec-dia...

Regards,

Dual WAN remote access IPSec VPN with SAML

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website