cpynch

IPSec VPN with SAML and Certificates - Implicit deny on FW groups

Hey all, I recently set up an IPSec VPN to replace our SSL VPN using Entra and SAML. I had an issue with setting an authusrgrp in the phase1-interface and getting it to work with the user groups that are SAML based. Unsetting authusrgrp in Phase-1 fixed the issue, and the FW groups started matching on the traffic, but since I moved away from PSK and onto certificates for IPSec VPN the same behaviour came back, and the authusrgrp knob is gone now due to the certificates.

Can I use SAML based FW groups to segregate traffic while using certs? 

More specifics:
We have departmental groups setup in the Entra application, and we need to make sure their access is restricted as such. I'd prefer to only have a single Phase-1 interface that's a 'catch all' for all SAML users (single IP range for all) and let the FW determine who can access what by the SAML groups, if possible.

Any thoughts on what might be causing the FW groups to not match on traffic? 

1 Solution
cpynch

Ended up creating multiple Phase-1 interfaces for each dept\group with unique DH groups for each. Created PKI groups with unique subjects for each OU\dept, and unique IP pools for each P1 interface - now IPSec with SAML and certificates is working perfectly. FW traffic segregation is done via subnet now with no need to use EAP for FW groups. 

Anthony_E

Hello,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
Anthony_E

Hello,

We are still looking for someone to help you.

We will come back to you ASAP.


Thanks,

Anthony-Fortinet Community Team.
funkylicious

can you please share a sanitized config of your setup that works?

it sounds really interesting and would like to have it as a future reference :)

"jack of all trades, master of none"
cpynch

# show full vpn ipsec phase1-interface
config vpn ipsec phase1-interface
    edit "<P1-1>"
        set type dynamic
        set interface "wan1"
        set ip-version 4
        set ike-version 2
        set local-gw <IP_REDACTED>
        set keylife 86400
        set authmethod psk
        unset authmethod-remote
        set peertype any
        set monitor-min 0
        set net-device disable
        set exchange-ip-addr4 <IP_REDACTED>
        set exchange-ip-addr6 ::
        set packet-redistribution disable
        set mode-cfg disable
        set proposal aes256-sha256
        set add-route disable
        set localid ''
        set localid-type auto
        set negotiate-timeout 30
        set fragmentation enable
        set ip-fragmentation post-encapsulation
        set dpd on-idle
        set comments ''
        set npu-offload enable
        set dhgrp 14
        set suite-b disable
        set eap disable
        set ppk disable
        set wizard-type custom
        set reauth disable
        set group-authentication disable
        set idle-timeout disable
        set ha-sync-esp-seqno enable
        set fgsp-sync disable
        set inbound-dscp-copy disable
        set auto-discovery-sender enable
        set auto-discovery-receiver disable
        set auto-discovery-forwarder disable
        set auto-discovery-crossover allow
        set auto-discovery-offer-interval 5
        set encapsulation none
        set nattraversal enable
        set fragmentation-mtu 1200
        set childless-ike disable
        set azure-ad-autoconnect disable
        set client-resume disable
        set rekey enable
        set enforce-unique-id disable
        set fec-egress disable
        set fec-ingress disable
        set network-overlay enable
        set network-id 3
        set dev-id-notification disable
        set link-cost 0
        set kms ''
        set exchange-fgt-device-id disable
        set ems-sn-check disable
        set qkd disable
        set transport udp
        set remote-gw-match any
        set default-gw <IP_REDACTED>
        set default-gw-priority 0
        set psksecret <SECRET_REDACTED>
        set keepalive 10
        set distance 15
        set priority 100
        set dpd-retrycount 3
        set dpd-retryinterval 10
    next
    edit "<P1-2>"
        set type dynamic
        set interface "wan1"
        set ip-version 4
        set ike-version 2
        set local-gw <IP_REDACTED>
        set keylife 86400
        set authmethod signature
        unset authmethod-remote
        set peertype peer
        set monitor-min 0
        set net-device disable
        set exchange-interface-ip disable
        set aggregate-member disable
        set packet-redistribution disable
        set mode-cfg enable
        set ipv4-wins-server1 <IP_REDACTED>
        set ipv4-wins-server2 <IP_REDACTED>
        set proposal aes256-sha256
        set add-route enable
        set localid "<FQDN_REDACTED>"
        set localid-type fqdn
        set negotiate-timeout 30
        set fragmentation enable
        set ip-fragmentation post-encapsulation
        set dpd on-idle
        set comments ''
        set npu-offload enable
        set send-cert-chain enable
        set dhgrp 20
        set suite-b disable
        set eap disable
        set ppk disable
        set wizard-type custom
        set reauth disable
        set group-authentication disable
        set idle-timeout disable
        set ha-sync-esp-seqno enable
        set fgsp-sync disable
        set inbound-dscp-copy disable
        set auto-discovery-sender disable
        set auto-discovery-receiver disable
        set auto-discovery-forwarder disable
        set encapsulation none
        set nattraversal enable
        set fragmentation-mtu 1200
        set childless-ike disable
        set azure-ad-autoconnect disable
        set client-resume disable
        set rekey enable
        set digital-signature-auth disable
        set rsa-signature-hash-override disable
        set enforce-unique-id disable
        set cert-id-validation enable
        set fec-egress disable
        set fec-ingress disable
        set network-overlay disable
        set dev-id-notification disable
        set link-cost 0
        set kms ''
        set exchange-fgt-device-id disable
        set ems-sn-check disable
        set cert-trust-store local
        set qkd disable
        set transport udp
        set remote-gw-match any
        set certificate "<FQDN_REDACTED>"
        set default-gw <IP_REDACTED>
        set default-gw-priority 0
        set peer "<PEER_REDACTED_1>"
        set assign-ip enable
        set assign-ip-from range
        set ipv4-start-ip <IP_REDACTED>
        set ipv4-end-ip <IP_REDACTED>
        set ipv4-netmask <IP_REDACTED>
        set dns-mode auto
        set ipv4-split-include "<ADDRGRP_REDACTED>"
        set split-include-service ''
        set ipv6-start-ip ::
        set ipv6-end-ip ::
        set ipv6-prefix 128
        set ipv6-split-include ''
        set ip-delay-interval 0
        set ipv4-split-exclude ''
        set save-password enable
        set client-auto-negotiate disable
        set client-keep-alive disable
        set keepalive 5
        set distance 15
        set priority 1
        set dpd-retrycount 3
        set dpd-retryinterval 20
    next
    edit "<P1-3>"
        set type dynamic
        set interface "wan1"
        set ip-version 4
        set ike-version 2
        set local-gw <IP_REDACTED>
        set keylife 86400
        set authmethod signature
        unset authmethod-remote
        set peertype peer
        set monitor-min 0
        set net-device disable
        set exchange-interface-ip disable
        set aggregate-member disable
        set packet-redistribution disable
        set mode-cfg enable
        set ipv4-wins-server1 <IP_REDACTED>
        set ipv4-wins-server2 <IP_REDACTED>
        set proposal aes256-sha256
        set add-route enable
        set localid "<NAME_REDACTED>"
        set localid-type auto
        set negotiate-timeout 30
        set fragmentation enable
        set ip-fragmentation post-encapsulation
        set dpd on-idle
        set comments ''
        set npu-offload enable
        set send-cert-chain enable
        set dhgrp 16
        set suite-b disable
        set eap disable
        set ppk disable
        set wizard-type custom
        set reauth disable
        set group-authentication disable
        set idle-timeout disable
        set ha-sync-esp-seqno enable
        set fgsp-sync disable
        set inbound-dscp-copy disable
        set auto-discovery-sender disable
        set auto-discovery-receiver disable
        set auto-discovery-forwarder disable
        set encapsulation none
        set nattraversal enable
        set fragmentation-mtu 1200
        set childless-ike disable
        set azure-ad-autoconnect disable
        set client-resume disable
        set rekey enable
        set digital-signature-auth disable
        set rsa-signature-hash-override disable
        set enforce-unique-id disable
        set cert-id-validation enable
        set fec-egress disable
        set fec-ingress disable
        set network-overlay disable
        set dev-id-notification disable
        set link-cost 0
        set kms ''
        set exchange-fgt-device-id disable
        set ems-sn-check disable
        set cert-trust-store local
        set qkd disable
        set transport udp
        set remote-gw-match any
        set certificate "<FQDN_REDACTED>"
        set default-gw <IP_REDACTED>
        set default-gw-priority 0
        set peer "<PEER_REDACTED_2>"
        set assign-ip enable
        set assign-ip-from range
        set ipv4-start-ip <IP_REDACTED>
        set ipv4-end-ip <IP_REDACTED>
        set ipv4-netmask <IP_REDACTED>
        set dns-mode auto
        set ipv4-split-include "<ADDRGRP_REDACTED>"
        set split-include-service ''
        set ipv6-start-ip ::
        set ipv6-end-ip ::
        set ipv6-prefix 128
        set ipv6-split-include ''
        set ip-delay-interval 0
        set ipv4-split-exclude ''
        set save-password enable
        set client-auto-negotiate disable
        set client-keep-alive disable
        set keepalive 5
        set distance 15
        set priority 1
        set dpd-retrycount 3
        set dpd-retryinterval 20
    next
    edit "<P1-4>"
        set type dynamic
        set interface "wan1"
        set ip-version 4
        set ike-version 2
        set local-gw <IP_REDACTED>
        set keylife 86400
        set authmethod signature
        unset authmethod-remote
        set peertype peer
        set monitor-min 0
        set net-device disable
        set exchange-interface-ip disable
        set aggregate-member disable
        set packet-redistribution disable
        set mode-cfg enable
        set ipv4-wins-server1 <IP_REDACTED>
        set ipv4-wins-server2 <IP_REDACTED>
        set proposal aes256-sha256
        set add-route enable
        set localid "<FQDN_REDACTED>"
        set localid-type fqdn
        set negotiate-timeout 30
        set fragmentation enable
        set ip-fragmentation post-encapsulation
        set dpd on-idle
        set comments ''
        set npu-offload enable
        set send-cert-chain enable
        set dhgrp 19
        set suite-b disable
        set eap disable
        set ppk disable
        set wizard-type custom
        set reauth disable
        set group-authentication disable
        set idle-timeout disable
        set ha-sync-esp-seqno enable
        set fgsp-sync disable
        set inbound-dscp-copy disable
        set auto-discovery-sender disable
        set auto-discovery-receiver disable
        set auto-discovery-forwarder disable
        set encapsulation none
        set nattraversal enable
        set fragmentation-mtu 1200
        set childless-ike disable
        set azure-ad-autoconnect disable
        set client-resume disable
        set rekey enable
        set digital-signature-auth disable
        set rsa-signature-hash-override disable
        set enforce-unique-id disable
        set cert-id-validation enable
        set fec-egress disable
        set fec-ingress disable
        set network-overlay disable
        set dev-id-notification disable
        set link-cost 0
        set kms ''
        set exchange-fgt-device-id disable
        set ems-sn-check disable
        set cert-trust-store local
        set qkd disable
        set transport udp
        set remote-gw-match any
        set certificate "<FQDN_REDACTED>"
        set default-gw <IP_REDACTED>
        set default-gw-priority 0
        set peer "<PEER_REDACTED_3>"
        set assign-ip enable
        set assign-ip-from range
        set ipv4-start-ip <IP_REDACTED>
        set ipv4-end-ip <IP_REDACTED>
        set ipv4-netmask <IP_REDACTED>
        set dns-mode auto
        set ipv4-split-include "<ADDRGRP_REDACTED>"
        set split-include-service ''
        set ipv6-start-ip ::
        set ipv6-end-ip ::
        set ipv6-prefix 128
        set ipv6-split-include ''
        set ip-delay-interval 0
        set ipv4-split-exclude ''
        set save-password enable
        set client-auto-negotiate disable
        set client-keep-alive disable
        set keepalive 5
        set distance 15
        set priority 1
        set dpd-retrycount 3
        set dpd-retryinterval 20
    next
    edit "<P1-5>"
        set type dynamic
        set interface "wan1"
        set ip-version 4
        set ike-version 2
        set local-gw <IP_REDACTED>
        set keylife 86400
        set authmethod signature
        unset authmethod-remote
        set peertype peer
        set monitor-min 0
        set net-device disable
        set exchange-interface-ip disable
        set aggregate-member disable
        set packet-redistribution disable
        set mode-cfg enable
        set ipv4-wins-server1 <IP_REDACTED>
        set ipv4-wins-server2 <IP_REDACTED>
        set proposal aes256-sha256
        set add-route enable
        set localid "<NAME_REDACTED>"
        set localid-type auto
        set negotiate-timeout 30
        set fragmentation enable
        set ip-fragmentation post-encapsulation
        set dpd on-idle
        set comments ''
        set npu-offload enable
        set send-cert-chain enable
        set dhgrp 17
        set suite-b disable
        set eap disable
        set ppk disable
        set wizard-type custom
        set reauth disable
        set group-authentication disable
        set idle-timeout disable
        set ha-sync-esp-seqno enable
        set fgsp-sync disable
        set inbound-dscp-copy disable
        set auto-discovery-sender disable
        set auto-discovery-receiver disable
        set auto-discovery-forwarder disable
        set encapsulation none
        set nattraversal enable
        set fragmentation-mtu 1200
        set childless-ike disable
        set azure-ad-autoconnect disable
        set client-resume disable
        set rekey enable
        set digital-signature-auth disable
        set rsa-signature-hash-override disable
        set enforce-unique-id disable
        set cert-id-validation enable
        set fec-egress disable
        set fec-ingress disable
        set network-overlay disable
        set dev-id-notification disable
        set link-cost 0
        set kms ''
        set exchange-fgt-device-id disable
        set ems-sn-check disable
        set cert-trust-store local
        set qkd disable
        set transport udp
        set remote-gw-match any
        set certificate "<FQDN_REDACTED>"
        set default-gw <IP_REDACTED>
        set default-gw-priority 0
        set peer "<PEER_REDACTED_4>"
        set assign-ip enable
        set assign-ip-from range
        set ipv4-start-ip <IP_REDACTED>
        set ipv4-end-ip <IP_REDACTED>
        set ipv4-netmask <IP_REDACTED>
        set dns-mode auto
        set ipv4-split-include "<ADDRGRP_REDACTED>"
        set split-include-service ''
        set ipv6-start-ip ::
        set ipv6-end-ip ::
        set ipv6-prefix 128
        set ipv6-split-include ''
        set ip-delay-interval 0
        set ipv4-split-exclude ''
        set save-password enable
        set client-auto-negotiate disable
        set client-keep-alive disable
        set keepalive 5
        set distance 15
        set priority 1
        set dpd-retrycount 3
        set dpd-retryinterval 20
    next
end

# show user saml
name
<ALIAS_1>
<ALIAS_2>

# show full user saml
config user saml
    edit "<SAML_SERVER_ALIAS>"
        set cert "<CERT_ALIAS_REDACTED>"
        set entity-id "https://<FQDN_REDACTED>/remote/saml/metadata"
        set single-sign-on-url "https://<FQDN_REDACTED>/remote/saml/login"
        set single-logout-url "https://<FQDN_REDACTED>/remote/saml/logout"
        set idp-entity-id "https://sts.windows.net/<TENANT_GUID>/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/<TENANT_GUID>/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/<TENANT_GUID>/saml2"
        set idp-cert "<IDP_CERT_ALIAS_REDACTED>"
        set user-name "username"
        set group-name "group"
        set digest-method sha1
        set limit-relaystate disable
        set clock-tolerance 15
        set adfs-claim disable
        set reauth disable
    next
    edit "<SAML_SERVER_ALIAS_2>"
        set cert "<CERT_ALIAS_REDACTED>"
        set entity-id "http://<FQDN_REDACTED>/remote/saml/metadata/"
        set single-sign-on-url "https://<FQDN_REDACTED>/remote/saml/login"
        set single-logout-url "https://<FQDN_REDACTED>/remote/saml/login/logout"
        set idp-entity-id "https://sts.windows.net/<TENANT_GUID>/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/<TENANT_GUID>/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/<TENANT_GUID>/saml2"
        set idp-cert "<IDP_CERT_ALIAS_REDACTED>"
        set user-name "username"
        set group-name "group"
        set digest-method sha1
        set limit-relaystate disable
        set clock-tolerance 15
        set adfs-claim disable
        set reauth disable
    next
end

# show full user peer
config user peer
    edit "<PEER_REDACTED_1>"
        set mandatory-ca-verify enable
        set ca "<CA_ALIAS_REDACTED>"
        set subject "OU=<OU_REDACTED>"
        set cn ''
        set cn-type string
        set mfa-mode none
        set ocsp-override-server ''
        set two-factor disable
    next
    edit "<PEER_REDACTED_2>"
        set mandatory-ca-verify enable
        set ca "<CA_ALIAS_REDACTED>"
        set subject "OU=<OU_REDACTED>"
        set cn ''
        set cn-type string
        set mfa-mode none
        set ocsp-override-server ''
        set two-factor disable
    next
    edit "<PEER_REDACTED_3>"
        set mandatory-ca-verify enable
        set ca "<CA_ALIAS_REDACTED>"
        set subject "OU=<OU_REDACTED>"
        set cn ''
        set cn-type string
        set mfa-mode none
        set ocsp-override-server ''
        set two-factor disable
    next
    edit "<PEER_REDACTED_4>"
        set mandatory-ca-verify enable
        set ca "<CA_ALIAS_REDACTED>"
        set subject "OU=<OU_REDACTED>"
        set cn ''
        set cn-type string
        set mfa-mode none
        set ocsp-override-server ''
        set two-factor disable
    next
    edit "<PEER_REDACTED_5>"
        set mandatory-ca-verify enable
        set ca "<CA_ALIAS_REDACTED>"
        set subject "OU=<OU_REDACTED>"
        set cn ''
        set cn-type string
        set mfa-mode none
        set ocsp-override-server ''
        set two-factor disable
    next
end


Created a custom Fortinet-User-Cert template on Local Windows CA, and obviously had to upload Root CA to Fortigate as Remote CA cert, but it all works perfectly. No PSK, can auto push user certs to Azure\AD PCs with policy, prompts for email\PW then MFA for SAML, then uses the certificate subject field and individual DH groups to identify the PKI group the user belongs to. Each P1 has its own unique subnet, so FW rules are simply done by IP.

FYI we're also using SSL VPN on 7.4.8 right now, so this was to get us clear so we could use 7.6.x

It's about as secure as an IPSec VPN can be... I think. lol
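The design above only segregates departments correctly if three invariants hold across the config: every certificate-authenticated phase1 is pinned to a `user peer` entry that enforces CA verification and a specific subject, no two phase1s share the same subject filter (or DH group, which this setup also relies on), and the mode-cfg IP pools never overlap, since the firewall policies key on those subnets. The script below is an added example, not code from the thread or from Fortinet: it parses a config excerpt in the same `config`/`edit`/`set`/`next`/`end` shape as the CLI output posted above and reports violations of those invariants. The embedded sample config, its interface and peer names, pools and OU values are all constructed for the example; the second phase1 is deliberately misconfigured so each check fires.

```python
"""Audit a FortiOS-style config excerpt for the per-department IPsec design in this thread."""
import ipaddress

# Constructed sample config (names, OUs and pools are invented for this example).
# P1-hr is intentionally wrong: unverified CA, same OU as finance, overlapping pool.
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "P1-finance"
        set authmethod signature
        set peertype peer
        set dhgrp 20
        set peer "peer-finance"
        set assign-ip-from range
        set ipv4-start-ip 10.10.1.1
        set ipv4-end-ip 10.10.1.254
    next
    edit "P1-hr"
        set authmethod signature
        set peertype peer
        set dhgrp 16
        set peer "peer-hr"
        set assign-ip-from range
        set ipv4-start-ip 10.10.1.200
        set ipv4-end-ip 10.10.2.254
    next
end
config user peer
    edit "peer-finance"
        set mandatory-ca-verify enable
        set ca "CA_Cert_1"
        set subject "OU=Finance"
    next
    edit "peer-hr"
        set mandatory-ca-verify disable
        set ca "CA_Cert_1"
        set subject "OU=Finance"
    next
end
"""


def parse_fortios(text):
    """Return {table: {entry: {key: value}}} for flat config/edit/set blocks.

    Lines beginning with '#' (pasted CLI prompts) and blank lines are ignored;
    quoted values have their quotes stripped, so '' becomes an empty string.
    """
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kw, _, rest = line.partition(" ")
        if kw == "config":
            table = tables.setdefault(rest, {})
        elif kw == "edit":
            entry = table.setdefault(rest.strip('"'), {})
        elif kw == "set":
            key, _, value = rest.partition(" ")
            entry[key] = value.strip().strip('"').strip("'")
        elif kw == "unset":
            entry.pop(rest, None)
        elif kw == "next":
            entry = None
        elif kw == "end":
            table = None
    return tables


def audit(tables):
    """Return sorted findings for certificate-authenticated phase1s; [] means all invariants hold."""
    findings = []
    p1s = tables.get("vpn ipsec phase1-interface", {})
    peers = tables.get("user peer", {})
    pools, subjects, dhgrps = {}, {}, {}
    for name, p1 in p1s.items():
        if p1.get("authmethod") != "signature":
            continue  # PSK tunnels are outside this design
        peer_name = p1.get("peer")
        peer = peers.get(peer_name)
        if p1.get("peertype") != "peer" or peer is None:
            findings.append(f"{name}: certificate auth without a usable 'user peer' restriction")
            continue
        if peer.get("mandatory-ca-verify") != "enable":
            findings.append(f"{name}: peer {peer_name} has mandatory-ca-verify disabled")
        subject = peer.get("subject", "")
        if not subject and not peer.get("cn"):
            findings.append(f"{name}: peer {peer_name} accepts any subject issued by the CA")
        elif subject in subjects:
            findings.append(f"{name}: subject '{subject}' is also used by {subjects[subject]}")
        else:
            subjects[subject] = name
        dh = p1.get("dhgrp")
        if dh in dhgrps:
            findings.append(f"{name}: dhgrp {dh} is also used by {dhgrps[dh]}")
        else:
            dhgrps[dh] = name
        if p1.get("assign-ip-from") == "range" and "ipv4-start-ip" in p1:
            start = ipaddress.ip_address(p1["ipv4-start-ip"])
            end = ipaddress.ip_address(p1["ipv4-end-ip"])
            for other, (s2, e2) in pools.items():
                if start <= e2 and s2 <= end:  # closed ranges intersect
                    findings.append(f"{name}: IP pool {start}-{end} overlaps {other}")
            pools[name] = (start, end)
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(parse_fortios(SAMPLE_CONFIG)):
        print(finding)
```

Run it against the output of `show full vpn ipsec phase1-interface` and `show full user peer` concatenated into one file; an empty result means each department tunnel is bound to a CA-verified, unique subject and lands in its own address range, which is what makes the subnet-based firewall policies trustworthy.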
