Since FortiOS going to obsolete SSLVPN from 7.6 onward,
Information
- Ditch away the idea user group, it unable support user grouping like SSL VPN did.
- FSSO is a must for user grouping except local database!!!
- FSSO deploy with DC agent mode
- Please test with your own mobile data, example I connect my office wifi and the office WAN IP is use to peer with DC via IPSec, when test this remote access I always matched with the office IPSec profile.
- If you have multiple IPSec dailup profile, it could be matched to other IPsec profile that contain same phase-1 variable, especially the NAT-T option. Example, your Remote Access profile name F, FortiGate will try match the proposed variable from top to bottom (Profile A-F), let say the proposed proposal profile match variable at Profile C, firewall will take the NAT-T value at Profile C and negotiated based on it, but your remote user Profile F is without NAT-T but FortiGate will keep communicate with NAT-T 4500, so configure the propose profile wisely else will keep troubleshoot here and there.
- Pray to god for mobile phone setup, going be a nightmare, wrong pre-sharekey key in, wrong proposal selected and more.
mobile phone - iOS
ikev1
- If you have mobile user unable set the phase 1 and phase 2, herewith the phase 1 proposed by mobile phone
- Phase 2
ikev2
- GCM unable support by phone, example FortiGate only allow to configure but it not support by phone
FortiGate Config
Mobile Phone config
- Grouping user only option is to configure multiple dailup profile with different peer id and different profile has different assigned ip to group the user.
LDAP information
- Support ikev1, stick to ikev1 if you have mobile phone user.
- I will say partially support ikev2 , you can amended the xml and restore the amended xml file on desktop but mobile phone setup there is no option to select EAP TLS(EAP-TTLS support for IPsec VPN)
Radius
- Didn't test lazy to setup, more or less the same
SAML information
- No object group id is allow, else will face EAP error issue (Technical Tip: Error 'EAP failure' with IPsec Dial-Up VPN using remote groups)
- Object Group ID wont work for Azure
Technical Tip: Configuring IPsec VPN client-to-site with Azure SAML authentication
BYOD
- Bye, if a domain environment, netlogon details doesn't send to AD so FSSO wont work.
To conclude, migrating from SSL VPN to IPsec VPN is PAIN and takes time for users to adapt. There are many restrictions and challenges along the way. It feels like Fortinet is trying to push users toward SASE, but not everyone can afford it—especially SME business.
Other site information
Forti VM with FortiOS 7.4.8
diagnose debug application authd -1 when turn on this debug the SAML wont work till disable debug