dydy77

SSLVPN to IPSEC with multi realms

Hello everybody,

In order to anticipate the future end of life of the SSL VPN function, I am trying to get VPN access working over IPsec.

 

Currently:

1 FortiGate 100F

1 WAN fiber link

2 SSO connections, for 2 different Microsoft tenants

2 SSL VPN realms

2 SSL portals in tunnel mode

In SSL settings, I use SSL portal mapping

 


 

In FortiClient, 2 configurations, one per realm, both pointing to the same WAN IP/port; only the realm is different.

 

I would like to make the same configuration, but with IPsec.

 

 

Nowadays I have IPsec with SAML working, but only for 1 tenant, following this guide: https://docs.fortinet.com/document/fortigate/7.4.7/administration-guide/951346/saml-based-authentica...

 

I don't know how to do this, as my WAN link is configured to listen and forward to a single SSO configuration (SAML server):

config system global
    set auth-ike-saml-port <integer>
end

config system interface
    edit <name>
        set ike-saml-server <saml_server>
    next
end

 

Thanks for your future help.

 

Stephen_G
Moderator

Hello,

 

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

 

If anyone viewing this topic has any knowledge on this, I encourage you to reply.

 

Thanks,

Stephen - Fortinet Community Team
Stephen_G
Moderator

Hello,

 

We are still looking for an answer to your question.

 

We will come back to you ASAP.

Once more, if anyone has any advice, please feel free to share it.

 

Thanks,

Stephen - Fortinet Community Team
Toshi_Esumi

As far as I know SSL VPN wouldn't go away any time soon if your FGT is 100F, a rack-mountable model with 7.6GB memory. Two of our customers are using 100F for their HQ with SSL VPN, and we're assuring them they can keep using it.

First I have to tell you I never made, or even tried, implementing Entra ID groups with dialup IPsec VPN on any FGTs. So this is just based on my online research.

You already made Entra ID work for dialup IPsec over SAML, so you already cleared this part. But this is what I could find in FTNT's KBs:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-Microsoft-Entra-ID-SAML/t...

For the multiple groups on the Entra ID side, it's a question to Microsoft and I couldn't find any FTNT KB about that. So you have to figure it out by yourself. Or you might be able to ask MS Azure support for how to.

But I found a third-party article on how to incorporate groups over SAML on the FGT side via policies:
https://www.andrewtravis.com/blog/ipsec-vpn-with-saml
This guy uses FortiAuthenticator (FAC) as the IdP, not Entra ID, and sets the groups there. But I'm assuming the FGT side should be similar, if not identical.

So try combining those and let the rest of us know how it went. If you could figure this out, this thread would become one of those KB-equivalent articles helping all other FGT users, and I'm sure I would give you kudos.

Good luck.

Toshi

dydy77

Thanks for your help.

 

The main problem is with 2 realms (2 tenants).

With just one, like in your article, it works fine, and I validated that groups in policies can be used to filter user access.

This point is good and replaces the SSL solution well.

 

In the initial SSL case:

  1. The user connects with FortiClient by selecting the realm.
  2. FortiGate is listening on the SSL port.
  3. FortiGate redirects the connection to the correct SAML (Microsoft tenant) using the realm association and validates the connection.
  4. Groups in the policy handle end-user access validation.
  5. All is OK.

 

In the new IPsec case:

  1. The user connects with FortiClient (no realm possibility, as far as I know).
  2. FortiGate is listening on auth-ike-saml-port.
  3. FortiGate's WAN link is tied to a single SAML connection (ike-saml-server), so FortiGate doesn't check which tenant needs to be contacted... With 2 WAN links, I think (not tried) it's possible (one per tenant, each WAN link configured with a different ike-saml-server).

 

I don't know if my request (problem) is clear, or if I'm misunderstanding something... but with all the information I have, I don't see how to make this work in my case.

 

Toshi_Esumi

I would suggest just opening a ticket with TAC and calling in, so that a TAC person who has expertise in this operation can take a look inside the FGT to troubleshoot.

 

One of those two 100F customers I mentioned uses Entra ID groups to separate two user groups for their SSL VPN WITHOUT using realms. We just configured two different user groups with the group ID information the customer provided from Entra ID, but both groups refer to the same SAML server. And they're working as expected to separate them via policies.
So I naturally assume the same way would work for dialup IPsec.

Toshi

Toshi_Esumi

Probably I should have shown, for other readers of this post (I know you already know this), how the group is configured:

config user group
    edit "first_group/second_group"      <-- one entry per group, both configured the same way
        set member "azure-saml"          <-- this is the same SAML server for both groups
        config match
            edit 1
                set server-name "azure-saml"
                set group-name "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"   <-- this is the unique group ID
            next
        end
    next
end

Toshi
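To tie the pieces of this thread together for other readers, here is an added example configuration. It is written for this edit; it was not posted by anyone in the thread and is not Fortinet's own text. It covers the case dydy77 confirms works: one FortiGate, one WAN interface, ONE Entra ID tenant, with two Entra groups kept apart by firewall policy rather than by realm. "azure-saml" is the SAML server object built by following the guide linked in the first post; its group attribute must carry the Entra group object IDs. The interface name "wan1", port 1001, the 10.212.134.0/24 address pool, the address objects and pre-shared key in <...>, and the two group object IDs are placeholders/assumptions.

```text
# Added example, not from the thread. One tenant, one WAN interface,
# two Entra groups separated by firewall policy. Everything in <...>,
# "wan1", 1001, the pool and the group object IDs are placeholders.

config user group
    edit "grp-vpn-all"
        set member "azure-saml"
        config match
            edit 1
                set server-name "azure-saml"
                set group-name "11111111-1111-1111-1111-111111111111"
            next
            edit 2
                set server-name "azure-saml"
                set group-name "22222222-2222-2222-2222-222222222222"
            next
        end
    next
    edit "grp-tenant-admins"
        set member "azure-saml"
        config match
            edit 1
                set server-name "azure-saml"
                set group-name "11111111-1111-1111-1111-111111111111"
            next
        end
    next
    edit "grp-tenant-users"
        set member "azure-saml"
        config match
            edit 1
                set server-name "azure-saml"
                set group-name "22222222-2222-2222-2222-222222222222"
            next
        end
    next
end

# the two settings quoted in the first post: the SAML listener port and
# the single SAML server bound to the WAN interface
config system global
    set auth-ike-saml-port 1001
end

config system interface
    edit "wan1"
        set ike-saml-server "azure-saml"
    next
end

config vpn ipsec phase1-interface
    edit "Dialup-SAML"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set mode-cfg enable
        set eap enable
        set eap-identity send-request
        set authusrgrp "grp-vpn-all"
        set ipv4-start-ip 10.212.134.1
        set ipv4-end-ip 10.212.134.100
        set ipv4-netmask 255.255.255.0
        set psksecret <pre-shared-key>
    next
end

config vpn ipsec phase2-interface
    edit "Dialup-SAML"
        set phase1name "Dialup-SAML"
    next
end

config firewall policy
    edit 0
        set name "vpn-admins-to-servers"
        set srcintf "Dialup-SAML"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "<net-servers>"
        set groups "grp-tenant-admins"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "vpn-users-to-apps"
        set srcintf "Dialup-SAML"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "<net-apps>"
        set groups "grp-tenant-users"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

`authusrgrp` on the phase1 takes a single group name, so "grp-vpn-all" (which matches either object ID) only decides who may bring the tunnel up; the two narrower groups in the policies decide what each user may reach. Note the per-interface binding that the thread is stuck on: `ike-saml-server` is set once on wan1, so this remains a one-tenant setup and does not answer the two-realm question. To see which group a user ended up in, run `diagnose debug application samld -1` and `diagnose debug application ike -1` with `diagnose debug enable` while a client connects.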

mritchey

Similar setup, and the issue is not with the hardware; it's when 7.4.x is finally forced as the supported version.

I have a client with 4 realms, each going to a separate Azure tenant.
A > Azure 1 
B > Azure 2 
C > Azure 3
D > Azure 4 

Right now it's controlled by adding /A, /B, /C or /D to the URL to select the correct tenant. How can we do the same with IKE DU?

Some customers have multiple IPs, but others only have a single WAN IP.

Is it possible to have multiple listening ports for SAML IKE?

Toshi_Esumi

The last comment of this thread describes how the "peer ID" (FGT side) and "local ID" (FortiClient side) work to have multiple dialup configs on the FGT with separate user groups on the FortiClient side.
https://community.spiceworks.com/t/second-dialup-ipsec-forticlient-tunnel-does-not-work/653924/8

Toshi
