Set the ike tcp port to 443:
config system settings
set ike-tcp-port 443
end
Set the ike saml port:
config system global
set auth-ike-saml-port 10428 <-- note that this setting is not used; we are changing it to make sure it does not conflict with anything else we are configuring
end
Configure phase 1:
config vpn ipsec phase1-interface
edit "IPSEC_TCP"
set type dynamic
set interface "wan" <-- your internet-facing interface
set ike-version 2
set peertype any
set net-device disable
set mode-cfg enable
set ipv4-dns-server1 8.8.8.8 <-- DNS settings for the VPN client
set ipv4-dns-server2 1.1.1.1
set proposal aes256-sha256
set localid "IPSEC_TCP" <-- ensures the client matches this phase1 and not another phase1
set network-overlay enable
set network-id 0 <-- this will be 0 by default when you are using the free version of FortiClient. If you have EMS, you can set a different value.
set dpd on-idle
set dhgrp 20
set eap enable
set eap-identity send-request
set transport tcp
set ipv4-start-ip 10.10.250.20 <-- choose your own client address pool
set ipv4-end-ip 10.10.250.250
set client-auto-negotiate enable
set client-keep-alive enable
set psksecret yourpskgoeshere <-- replace with a strong pre-shared key
set dpd-retryinterval 60
next
end
Configure phase 2 (note that this example disables PFS and anti-replay; re-enable them if your security policy requires them):
config vpn ipsec phase2-interface
edit "IPSEC_TCP"
set phase1name "IPSEC_TCP"
set proposal aes256-sha256
set pfs disable
set replay disable
next
end
FortiGate uses port 443 by default for the admin GUI. Since we are also using port 443 for the VPN, change the admin GUI port to something other than 443.
Go to System -> Settings and change the HTTPS port to something other than 443. Make a note of the new value, of course.
When your computer initiates a SAML connection to the firewall, the firewall will present a certificate back to the PC. You need to use a certificate issued from a publicly trusted Certification Authority, otherwise the computer won't trust it and you will see an error like ERR_CERT_AUTHORITY_INVALID.
For this demo I am going to use the FortiGate's built in Let's Encrypt certificate enrollment feature.
ADD DETAILS HERE
Now that you have the SP certificate imported into the firewall, go to config user setting and set the auth-cert to the name of the certificate you just imported:
Click "New application" :
Follow the steps below:
Click "Create your own application"
Name the application
Select: "Integrate any other application you don't find in the gallery (Non-gallery)"
Click on the "Get started" link under "Set up single sign on":
Select SAML:
Edit Step 1:
and then enter the following values.
I used vpn.shaunlab.com, but you will need to use your own public DNS A record, and make sure that A record resolves to the public IP address of the WAN interface hosting the IPsec service.
Identifier (Entity ID): https://vpn.shaunlab.com/remote/saml/metadata/
Reply URL (Assertion Consumer Service URL): https://vpn.shaunlab.com/remote/saml/login
Sign on URL: https://vpn.shaunlab.com/remote/saml/login
Relay State: leave this blank
Logout URL: https://vpn.shaunlab.com/remote/saml/logout
Edit Step 2 so we can add some custom claims.
Firstly let's add a group claim:
Select the groups you want to return. In my example I have selected All groups.
In the same area drop down the Advanced options:
and then tick the box "Customize the name of the group claim" and under the Name type in the word: group
Save at the bottom:
Do the same for users. Click Add new claim:
For the name use: username
For the source attribute use: user.userprincipalname
Don't forget to Save.
Now on to step 3, click Edit:
Change the Signing Option to "Sign SAML response and assertion", and ensure Signing Algorithm is set to SHA-256:
Now download the Certificate (Base64):
Keep in mind if you change the SAML settings later on you may need to re-download the certificate and re-install it on FortiGate.
Finally, add
Stay logged in to Azure, and now let's log on to FortiGate. On FortiGate go to User & Authentication -> Single Sign-On -> Create new.
The name will be Entra-ID-SAML-VPN
Address: vpn.shaunlab.com (but you will use your own domain name instead of mine)
Identity Provider Configuration:
Type: Custom
IdP entity ID: copied from Microsoft Entra Identifier
IdP single sign-on URL: copied from Login URL
IdP single logout URL: copied from Logout URL
Certificate -> Create. Choose the certificate you downloaded earlier in this procedure and ensure it is selected. It will appear as REMOTE_Cert_numberhere
At the bottom enter username and group as shown:
Then click OK to save all changes.
Attach the SP certificate to the config. See below how I have selected my certificate vpn.shaunlab.com. This is the certificate I obtained from Let's Encrypt earlier.
Then change the digest-method to sha256:
Now that the SAML configuration is defined, we need to enable the IKE SAML server on the internet-facing interface, the same interface we connect to in order to establish the remote access VPN connection. If you don't do this, the FortiGate won't be listening for SAML connections coming in on port 443.
config system interface
edit "wan" <-- the same interface you used under phase 1
set ike-saml-server "Entra-ID-SAML-VPN"
next
end
Loopback
If you are using a loopback interface to terminate your SAML and VPN connection, you will also need to add the same command to the underlying WAN-facing interface IN ADDITION TO the loopback interface. Depending on how your firewall is set up, that underlying interface could be a physical interface or a VLAN interface, for example WAN1, or VLAN20 under WAN1.
i.e. make sure this command is also present on the WAN-facing interface: set ike-saml-server "Entra-ID-SAML-VPN"
If you don't do this, you will see the following error message later on when you try to connect your FortiClient:
Now we are going to make some fine-tuning adjustments to tidy things up. These are not mandatory changes, but I like to make them:
1. Open a CLI window and rename the certificate:
2. Change the entity-id to https. Copy the existing entity id and make it https.
For example, mine was set to http://vpn.shaunlab.com/remote/saml/metadata/ and I have changed it to https://vpn.shaunlab.com/remote/saml/metadata/
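The entity-id fix above, together with the username and group claim names from Step 2 and the URLs entered into Azure in Step 1, can be checked mechanically before you test a client. The following is an added example, not code from this page, from Fortinet or from Microsoft. It assumes the FortiGate SAML object is represented by its address, entity-id, user-name and group-name values, and the Entra application by its Identifier, Reply URL, Logout URL and the set of claim names it emits; the /remote/saml/ paths are the ones the page enters into Azure.

```python
"""Hypothetical SP/IdP consistency check for the FortiGate + Entra ID SAML
setup described on this page (added example, not Fortinet/Microsoft code)."""
from urllib.parse import urlsplit

# Endpoint paths the page configures on the Azure side (Step 1).
SP_PATHS = {
    "entity_id": "/remote/saml/metadata/",
    "acs_url": "/remote/saml/login",
    "logout_url": "/remote/saml/logout",
}


def expected_sp_urls(address):
    """Derive the SP URLs the FortiGate serves for its public hostname."""
    return {key: f"https://{address}{path}" for key, path in SP_PATHS.items()}


def saml_findings(fortigate, azure_app):
    """Return a list of mismatches between the FortiGate SAML object and the
    Entra enterprise application; an empty list means both sides agree.

    fortigate: dict with keys address, entity-id, user-name, group-name
               (user-name/group-name are assumed attribute names)
    azure_app: dict with keys identifier, reply_url, logout_url, claims (set)
    """
    findings = []
    expected = expected_sp_urls(fortigate["address"])
    entity_id = fortigate["entity-id"]

    if urlsplit(entity_id).scheme != "https":
        findings.append(f"FortiGate entity-id is not https: {entity_id!r}")
    if entity_id != expected["entity_id"]:
        findings.append(
            f"FortiGate entity-id {entity_id!r} != expected {expected['entity_id']!r}")
    # SAML issuer/audience values are compared as exact strings, so a scheme or
    # trailing-slash difference is a real mismatch, not a cosmetic one.
    if azure_app["identifier"] != entity_id:
        findings.append(
            f"Azure Identifier {azure_app['identifier']!r} != FortiGate entity-id {entity_id!r}")
    if azure_app["reply_url"] != expected["acs_url"]:
        findings.append(f"Azure Reply URL should be {expected['acs_url']!r}")
    if azure_app.get("logout_url") != expected["logout_url"]:
        findings.append(f"Azure Logout URL should be {expected['logout_url']!r}")
    # The claim names Azure emits must match what FortiGate reads (username/group).
    for attr in ("user-name", "group-name"):
        claim = fortigate[attr]
        if claim not in azure_app["claims"]:
            findings.append(f"Azure app emits no claim named {claim!r} (FortiGate {attr})")
    return findings


# Constructed sample values mirroring the page's walk-through.
AZURE_APP = {
    "identifier": "https://vpn.shaunlab.com/remote/saml/metadata/",
    "reply_url": "https://vpn.shaunlab.com/remote/saml/login",
    "logout_url": "https://vpn.shaunlab.com/remote/saml/logout",
    "claims": {"username", "group"},
}
# The state before the fine-tuning step: FortiGate's entity-id still uses http.
FORTIGATE_BEFORE = {
    "address": "vpn.shaunlab.com",
    "entity-id": "http://vpn.shaunlab.com/remote/saml/metadata/",
    "user-name": "username",
    "group-name": "group",
}
FORTIGATE_AFTER = dict(FORTIGATE_BEFORE,
                       **{"entity-id": "https://vpn.shaunlab.com/remote/saml/metadata/"})

if __name__ == "__main__":
    for label, fgt in (("before", FORTIGATE_BEFORE), ("after", FORTIGATE_AFTER)):
        print(label, saml_findings(fgt, AZURE_APP) or "OK")
```

Running it reports three findings for the http entity-id (not https, not the expected SP URL, and not equal to the Azure Identifier) and none once the entity-id is switched to https, which is exactly the change made in step 2 above.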
Go to Azure Entra ID and:
Create a new user group (or choose an existing group)
Add all of the users who need VPN access to that group
Copy the Object ID:
On FortiGate go to User & Authentication -> User Groups -> Create New.
Name: VPN_Users (or whatever name you want)
Remote Groups -> Add ->
drop-down for Remote Server -> Choose Entra-ID-SAML-VPN
Groups -> Specify, then paste in the Object ID from Azure which you copied in the previous step
Now it should look something like this:
Go to the Enterprise App in Azure which you created, and add the VPN_Users group under here:
Create a firewall policy. It is best practice to restrict the permitted destinations, ports and protocols to what VPN users actually need.
Configure FortiClient as shown below, using your own domain and psk values of course:
Configure VPN settings:
CHANGE SCREENSHOT TO SHOW MODE CONFIG
It seems you can't have ike-tcp port and ike-saml-server enabled at the same time as ACME
TRY TO USE ACME ON PORT 80 INSTEAD!
Here is the config I have removed temporarily for troubleshooting so far:
config system interface
edit "wan"
set ike-saml-server "Entra-ID-SAML-VPN"
next
end
config system settings
set ike-tcp-port 443
end
FW-01 (global) # show sys glo (THIS HAD TO BE CHANGED TO 443 TO ALLOW ACME TO WORK)
config system global
set admin-sport 8443
end
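Both the admin GUI/443 clash described earlier and the missing ike-saml-server error described under Loopback are configuration-consistency problems that can be caught before any client is tested. The following is an added example, not FortiGate or Fortinet code: it parses FortiOS-style CLI text (config / edit / set / next / end) into nested dicts and applies those two checks. The parser, the assumption that the admin GUI listens on 443 when admin-sport is unset (as the page states), and the assumption that an EAP-enabled phase1 is the one using the SAML server are mine.

```python
"""Hypothetical consistency checker for the FortiOS CLI snippets on this page
(added example, not FortiGate/Fortinet code)."""
import re
import shlex

# Trailing annotations in the page's style, e.g. `<-- your internet-facing interface`.
_ANNOTATION = re.compile(r"<\s*-+")


def parse_fortios(text):
    """Parse FortiOS CLI text into {table: {...}}.

    An `edit` entry becomes a nested dict keyed by its name; a table without
    `edit` (such as `config system global`) holds its settings directly.
    Lines that are not config/edit/set/next/end (prompts, output) are ignored.
    """
    root, stack, current = {}, [], None
    current = root
    for raw in text.splitlines():
        line = _ANNOTATION.split(raw, 1)[0].strip()
        if not line:
            continue
        tokens = shlex.split(line)
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            stack.append(current)
            current = current.setdefault(" ".join(args), {})
        elif cmd == "edit":
            stack.append(current)
            current = current.setdefault(args[0], {})
        elif cmd == "set" and len(args) >= 2:
            current[args[0]] = " ".join(args[1:])
        elif cmd in ("next", "end") and stack:
            current = stack.pop()
    return root


def tcp_listeners(cfg):
    """Map TCP port -> services bound to it, for the settings this page touches.

    Assumption: the admin GUI defaults to 443 when admin-sport is unset; the
    IKE-over-TCP port only counts when some phase1 actually uses `transport tcp`.
    """
    glob = cfg.get("system global", {})
    settings = cfg.get("system settings", {})
    binds = [("admin HTTPS GUI", glob.get("admin-sport", "443")),
             ("IKE SAML auth", glob.get("auth-ike-saml-port"))]
    phase1 = cfg.get("vpn ipsec phase1-interface", {})
    if any(p1.get("transport") == "tcp" for p1 in phase1.values()):
        binds.append(("IKE over TCP", settings.get("ike-tcp-port")))
    listeners = {}
    for name, port in binds:
        if port:
            listeners.setdefault(int(port), []).append(name)
    return listeners


def port_conflicts(cfg):
    """Ports claimed by more than one service."""
    return {port: names for port, names in tcp_listeners(cfg).items() if len(names) > 1}


def missing_ike_saml_server(cfg):
    """Names of EAP-enabled phase1 entries whose interface lacks `set ike-saml-server`.

    Only the interface named in phase1 is inspected; a loopback's underlying
    WAN interface (see Loopback above) must be checked by hand.
    """
    ifaces = cfg.get("system interface", {})
    out = []
    for name, p1 in cfg.get("vpn ipsec phase1-interface", {}).items():
        if p1.get("eap") == "enable":
            if "ike-saml-server" not in ifaces.get(p1.get("interface", ""), {}):
                out.append(name)
    return out


# Constructed sample: the page's settings before the admin port and the
# ike-saml-server line were added.
SAMPLE_BEFORE = """\
config system settings
    set ike-tcp-port 443
end
config system global
    set auth-ike-saml-port 10428
end
config system interface
    edit "wan"
        set vdom "root"
    next
end
config vpn ipsec phase1-interface
    edit "IPSEC_TCP"
        set type dynamic
        set interface "wan" <-- your internet-facing interface
        set eap enable
        set transport tcp
    next
end
"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    "set auth-ike-saml-port 10428",
    "set auth-ike-saml-port 10428\n    set admin-sport 8443",
).replace(
    'set vdom "root"',
    'set vdom "root"\n        set ike-saml-server "Entra-ID-SAML-VPN"',
)

if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        cfg = parse_fortios(text)
        print(label, port_conflicts(cfg), missing_ike_saml_server(cfg))
```

On the "before" sample it reports port 443 shared by the admin GUI and IKE over TCP, and IPSEC_TCP bound to an interface with no ike-saml-server; after moving admin-sport to 8443 and adding the ike-saml-server line, both checks come back clean. The same parser can be pointed at the output of `show` from your own unit.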
forticlient ports used - now using port 500 udp
config vpn ipsec phase1-interface -> set transport (changed from tcp to udp)
FW-01 (phase1-interface) # edit IPSEC_TCP
FW-01 (IPSEC_TCP) # set network-id 0
FW-01 (IPSEC_TCP) # end
FW-01 (root) #
FW-01 # config global
FW-01 (global) # config sys global
FW-01 (globl) # show full | grep saml
set auth-ike-saml-port 10428
FW-01 (global) # set auth-ike-saml-port 443
FW-01 (global) # end
IT WORKED WHEN USING 443 FOR SAML AND 500 FOR IKE
Now, back to trying 443 for everything.
I am going to reverse this:
forticlient ports used - now using port 500 udp -> changed back to 443
config vpn ipsec phase1-interface -> set transport (changed from tcp to udp) -> changed back to TCP now
I decided to keep network 0
FW-01 (phase1-interface) # edit IPSEC_TCP
FW-01 (IPSEC_TCP) # set network-id
network-id Enter an integer value from <0> to <255>.
FW-01 (IPSEC_TCP) # set network-id 0
FW-01 (IPSEC_TCP) # end
FW-01 (root) #
I changed the port back to 10428
FW-01 # config global
FW-01 (global) # config sys global
FW-01 (globl) # show full | grep saml
set auth-ike-saml-port 10428
FW-01 (global) # set auth-ike-saml-port 443
FW-01 (global) # end
Round 2 troubleshooting changes:
config sys glo - set auth ike saml port to 443
set transport to udp
removed network overlay and network id of 0
When you're done, make sure you compare the phase1 and phase2 settings on FortiGate against those at the top of this page.