briansmith3615
New Contributor

Dual WAN remote access IPSec VPN with SAML

I'm attempting to setup remote access VPN using IPSec and authentication with SAML using Entra ID. There are a couple of tricky parts about this setup:

1. Dual WAN for failover/redundancy

2. Different groups need to be configured for different VPN access
I have been able to successfully configure and test the connection individually to a single WAN, but am having issues connecting individually to the 2nd WAN. The connection to the 2nd WAN gives a WAN1 cert error. I have verified that the WAN2 Entra enterprise app and the WAN2 IPSec VPN configs do not reference the WAN1 cert.

I also have not figured out how to separate the different VPN access groups without building a bunch of enterprise apps in Entra that reference specific access groups. My hope is to have a single app for each WAN connection with different groups for access, then limit network access by the group membership in the policy.
I can find plenty of documentation on how to do this with SSL-VPN, but I'm trying to stay away from SSL-VPN if possible.
FortiGate 7.4.1

sahmed_FTNT
Staff

Hello, I think this KB will help with your configuration:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Dual-WAN-SSL-VPN-with-Azure-SAML-SSO/ta-p/...

Security all we want
hbac
Staff

Hi @briansmith3615,
On the FortiGate, did you create 2 separate Single Sign-On configurations, one for each WAN IP address? You can create multiple SAML user groups and multiple Dialup tunnels for each group. You will also need to configure peer IDs: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-Peer-IDs-to-select-an-IPSec-dia...
Regards,
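The layout hbac describes, written out as a constructed FortiOS CLI example for the WAN2 side (this is not configuration from the thread or from Fortinet; mirror it for WAN1 with that interface's own certificate, SAML object and address pool). It assumes a per-WAN SAML server object named "saml-wan2" and a server certificate "wan2-server-cert" already exist, and uses placeholders for the Entra group object IDs.

```fortios
# Constructed example: one FortiGate group per Entra group, all bound to the
# WAN2 SAML object (assumed to exist as "saml-wan2"), matched on the group
# object ID carried in the SAML assertion. Object IDs are placeholders.
config user group
    edit "vpn-admins-wan2"
        set member "saml-wan2"
        config match
            edit 1
                set server-name "saml-wan2"
                set group-name "ADMINS-GROUP-OBJECT-ID-PLACEHOLDER"
            next
        end
    next
    edit "vpn-staff-wan2"
        set member "saml-wan2"
        config match
            edit 1
                set server-name "saml-wan2"
                set group-name "STAFF-GROUP-OBJECT-ID-PLACEHOLDER"
            next
        end
    next
end
# One dialup tunnel per group on the WAN2 interface. The peer ID the client
# sends selects the tunnel, and each tunnel only accepts its own user group,
# so a firewall policy per tunnel interface limits what that group can reach.
config vpn ipsec phase1-interface
    edit "ra-wan2-admins"
        set type dynamic
        set interface "wan2"
        set ike-version 2
        set peertype one
        set peerid "admins"
        set authmethod signature
        set certificate "wan2-server-cert"
        set eap enable
        set eap-identity send-request
        set authusrgrp "vpn-admins-wan2"
        set mode-cfg enable
        set assign-ip-from range
        set ipv4-start-ip 10.20.1.1
        set ipv4-end-ip 10.20.1.254
    next
    # Repeat as "ra-wan2-staff" with peerid "staff", authusrgrp "vpn-staff-wan2"
    # and a separate address pool, then add a policy for that tunnel interface.
end
```

Because every object here references only the WAN2 certificate and interface, a certificate error naming WAN1 on this side should be checked against the SAML object, the phase1 certificate and the client profile for that gateway.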
