Hello,
We have been trying to set up a Dial-up IPsec connection for our remote user base (30-40 users), seeing as SSL-VPN is being/has been removed from FortiOS 7.4 and newer (we are currently on 7.2.11). I can get a single machine to connect and work as intended, but when I connect another user device, it connects but there is no traffic that returns to the user. It seems like only one connection works; all subsequent ones are denied.
I've "set add-route disabled" from the CLI on the interface, but that didn't help. So far none of my searches have turned up anything more than that.
If it matters, our working SSL-VPN uses SAML and I have a similarly configured SAML for the Dial-Up IPsec.
Sorry in advance, I am very green when it comes to these FGTs.
Phase1 (config vpn ipsec phase1-interface):

config vpn ipsec phase1-interface
    edit "vpn_Dial-Up"
        set type dynamic
        set interface "port35"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 #.#.#.#
        set ipv4-dns-server2 #.#.#.#
        set proposal aes256-sha256 aes256-sha256
        set add-route disable
        set dpd on-idle
        set comments "Scripted from FMG"
        set dhgrp ##
        set eap enable
        set eap-identity send-request
        set authusrgrp "Azure"
        set ipv4-start-ip 192.168.70.1
        set ipv4-end-ip 192.168.70.126
        set ipv4-split-include "Local_Subnets"
        set psksecret ***********
        set dpd-retryinterval 60
    next
end
Regards,
Matt
Hi,
I would suggest going through these guides if you haven't already:
https://www.andrewtravis.com/blog/ipsec-vpn-with-saml
https://docs.fortinet.com/document/fortigate/7.4.7/administration-guide/951346
Since you are doing split-tunnel, are the networks from Local_Subnets (these need to be subnets and not ranges) visible in the routing table of your computer after connecting? E.g. if you have Windows you could check with `route print -4` in cmd.
Also, in the firewall rules you only need the 192.168.70.1-.126 object as source address, without the group, and I would leave add-route enabled.
After you connect, try doing a `diagnose firewall iprope flush` and see if traffic works.
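To make the reply's three suggestions concrete, here is an added FortiOS CLI fragment (not part of the original thread, and not Matt's or the replier's configuration) showing the pool address object used on its own as the policy source, and add-route left at its default of enabled. The object name "vpn_DialUp_pool", the policy name, and the LAN-side interface "port1" are assumptions; "vpn_Dial-Up" and "Local_Subnets" are the names from the posted phase1. A phase2-interface with the matching dynamic selectors is still required and is not shown.

```fortios
# Address object covering exactly the mode-cfg pool from the phase1
# (assumed name "vpn_DialUp_pool").
config firewall address
    edit "vpn_DialUp_pool"
        set type iprange
        set start-ip 192.168.70.1
        set end-ip 192.168.70.126
    next
end

# Policy from the tunnel interface to the LAN. Source is only the pool
# object; the split-tunnel group "Local_Subnets" is used as destination.
# "port1" as the LAN interface is an assumption for this example.
config firewall policy
    edit 0
        set name "DialUp-to-LAN"
        set srcintf "vpn_Dial-Up"
        set dstintf "port1"
        set srcaddr "vpn_DialUp_pool"
        set dstaddr "Local_Subnets"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# Leave add-route enabled (the default) so each connected client's
# assigned pool address gets a route back through the tunnel interface.
config vpn ipsec phase1-interface
    edit "vpn_Dial-Up"
        set add-route enable
    next
end
```

After a client connects, the replier's check sequence is: confirm the Local_Subnets prefixes appear in `route print -4` on the client, then run `diagnose firewall iprope flush` on the FortiGate and retest traffic.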
Hello,
Local_Subnets is a subnet, not a range of IP's.
The route table on laptop 1 and laptop 2 both have the subnets in there, but I noticed something. On Laptop 1 the gateway (G:) and interface (I:) for the internal subnets are G: 192.168.70.2 and I: 192.168.70.1. On Laptop 2, however, they are G: 192.168.70.3 and I: 192.168.70.2.
So, the second laptop is trying to use the first laptop as an interface, and pick the next available IP as the gateway? That doesn't seem to make sense.
As for the SAML config, that all works. I am able to authenticate both laptops... just the second one I connect with (via hotspot so that it's not on the same internet connection) connects but has no traffic.
Thanks,
Matt
Copyright 2025 Fortinet, Inc. All Rights Reserved.