Thursday, July 10, 2025

Things to know before migrating from SSL VPN to IPsec on FortiGate


Since FortiOS is going to make SSL VPN obsolete from 7.6 onward, here is what to know before moving to IPsec.

Information

  1. Forget about user groups: an IPsec dial-up tunnel does not support user grouping the way SSL VPN did.
  2. FSSO is a must for user grouping, unless you use the local user database!!!
  3. Deploy FSSO in DC agent mode.
  4. Please test with your own mobile data. For example, I connected to my office Wi-Fi, and the office WAN IP is used to peer with the DC via IPsec, so when testing this remote access I always matched the office IPsec profile.
  5. If you have multiple IPsec dial-up profiles, a client can be matched to a different profile that shares the same phase-1 parameters, the NAT-T option in particular. Example: your remote access profile is named F. FortiGate tries to match the client's proposal against the profiles from top to bottom (A to F). If the proposal already matches profile C, the firewall takes the NAT-T value from profile C and negotiates with it, so even though profile F has NAT-T disabled, FortiGate keeps talking to your remote user over NAT-T on UDP 4500. Configure the proposals carefully, or you will be troubleshooting here and there forever.
  6. Pray for the mobile phone setup, it is going to be a nightmare: wrong pre-shared key typed in, wrong proposal selected, and more.
*note: "mobile phone" in this post means iOS.

ikev1
  1. If your mobile users cannot set phase 1 and phase 2 themselves, here is the phase 1 proposal sent by the mobile phone:
  2. Phase 2:

ikev2
  1. GCM ciphers are not supported by the phone. For example, FortiGate lets you configure them, but the phone will not negotiate them.
[FortiGate config screenshot]

[Mobile phone config screenshot]

Local User Database
  1. The only way to group users is to configure multiple dial-up profiles, each with a different peer ID and a different assigned IP range, and treat each profile as one group.
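The following is an added example (not from the original post and not Fortinet documentation) that puts point 5 of the Information list and the local-user-database note above together: two IKEv1 dial-up profiles acting as two user "groups". Both phase1s deliberately carry identical proposals, so the peer ID the client sends (the "Group Name" field of an iOS Cisco IPsec profile) is what selects the profile, instead of the top-to-bottom proposal match that lets a client land on the wrong profile and inherit its NAT-T setting. Profile names, interfaces, IP ranges, proposals, PSKs, the destination address object and the user groups RA-Finance / RA-Support (assumed to already exist with local members) are all assumptions.

```fortios
# Added example, not from the original post or Fortinet docs.
# Two dial-up "groups" for local-database users, told apart by peer ID.
# proposal / dhgrp are placeholders: match them to what the phone offers.

config vpn ipsec phase1-interface
    edit "RA-Finance"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode aggressive              # IKEv1 peer-ID matching with a PSK needs aggressive mode
        set peertype one
        set peerid "finance"             # must equal the group name typed on the phone
        set proposal aes256-sha256
        set dhgrp 14
        set nattraversal enable          # set it explicitly on every dial-up profile
        set xauthtype auto               # XAUTH against the local database
        set authusrgrp "RA-Finance"      # only members of this local group may connect
        set mode-cfg enable
        set ipv4-start-ip 10.10.1.1      # this pool is what the policies key on
        set ipv4-end-ip 10.10.1.100
        set psksecret "change-me-finance"
    next
    edit "RA-Support"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set peertype one
        set peerid "support"             # different peer ID, so no ambiguity with RA-Finance
        set proposal aes256-sha256       # same proposals as RA-Finance on purpose
        set dhgrp 14
        set nattraversal enable
        set xauthtype auto
        set authusrgrp "RA-Support"
        set mode-cfg enable
        set ipv4-start-ip 10.10.2.1
        set ipv4-end-ip 10.10.2.100
        set psksecret "change-me-support"
    next
end

config vpn ipsec phase2-interface
    edit "RA-Finance"
        set phase1name "RA-Finance"
        set proposal aes256-sha256
    next
    edit "RA-Support"
        set phase1name "RA-Support"
        set proposal aes256-sha256
    next
end

# One address object per pool: the assigned range is what enforces the grouping.
config firewall address
    edit "RA-Finance-pool"
        set type iprange
        set start-ip 10.10.1.1
        set end-ip 10.10.1.100
    next
    edit "RA-Support-pool"
        set type iprange
        set start-ip 10.10.2.1
        set end-ip 10.10.2.100
    next
end

# Per-group policy: tunnel interface + pool as source. RA-Support gets its
# own policy on srcintf "RA-Support" / srcaddr "RA-Support-pool" the same way.
config firewall policy
    edit 0
        set name "RA-Finance-to-ERP"
        set srcintf "RA-Finance"
        set dstintf "port2"
        set srcaddr "RA-Finance-pool"
        set dstaddr "ERP-servers"        # existing address object (assumed)
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
end

# Verify which phase1 a dialling client actually landed on (FortiOS 7.4 syntax):
#   diagnose vpn ike gateway list
#   diagnose vpn ike log filter rem-addr4 203.0.113.10
#   diagnose debug application ike -1
#   diagnose debug enable
```

With `peertype one` on both profiles, a client that sends group name "support" can never be answered by RA-Finance, so the NAT-T and proposal values it negotiates are always the ones from its own profile. Leave either profile on `peertype any` and you are back to the first-proposal-match behaviour from point 5; the gateway list above shows the phase1 name the client matched, which is the quickest way to tell the two cases apart.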

LDAP information

  1. LDAP supports IKEv1; stick with IKEv1 if you have mobile phone users.
  2. I would say IKEv2 is only partially supported: you can amend the XML and restore the amended XML file on the desktop client, but in the mobile phone setup there is no option to select EAP-TLS (EAP-TTLS is the one supported for IPsec VPN).

RADIUS

  1. Didn't test, too lazy to set it up; more or less the same.

SAML information

  1. No object group ID is allowed, otherwise you will hit an EAP error (see Technical Tip: Error 'EAP failure' with IPsec Dial-Up VPN using remote groups).
  2. Object group ID won't work with Azure.
Related document for SAML:
Technical Tip: Configuring IPsec VPN client-to-site with Azure SAML authentication


BYOD
  1. Forget it: in a domain environment, BYOD devices do not send netlogon details to AD, so FSSO won't work.

To conclude, migrating from SSL VPN to IPsec VPN is painful and takes time for users to adapt. There are many restrictions and challenges along the way. It feels like Fortinet is trying to push users toward SASE, but not everyone can afford it, especially SME businesses.


Other site information
FortiGate VM with FortiOS 7.4.8
diagnose debug application authd -1: while this debug is turned on, SAML won't work until the debug is disabled.