Thursday, July 10, 2025

Things to know before migrate from SSLVPN to IPSec for FortiGate


Since FortiOS  going to obsolete SSLVPN from 7.6 onward,

Information

  1. Ditch away the idea user group, it unable support user grouping like SSL VPN did. 
  2. FSSO is a must for user grouping except local database, but FSSO has some restriction 
  3. FSSO deploy with DC agent mode for better performance
  4. Please test with your own mobile data, example I connect my office wifi and the office WAN IP  is use to peer with DC via IPSec, when test this remote access I always matched with the office IPSec profile.
  5. If you have multiple IPSec dailup profile,  it could be matched to other IPsec profile that contain same phase-1 variable, especially the NAT-T option. Example, your Remote Access profile name F, FortiGate will try match the proposed variable from top to bottom (Profile A-F), let say the proposed proposal profile match variable at Profile C, firewall will take the NAT-T value at Profile C and negotiated based on it, but your remote user Profile F is without NAT-T but FortiGate will keep communicate with NAT-T 4500, so configure the propose profile wisely else will keep troubleshoot here and there. 
  6. Pray to god for mobile phone setup, going be a nightmare, wrong pre-sharekey key in by user, wrong proposal selected and more. 
  7. Azure Group object wont work for BYOD.
*note
mobile phone - iOS 

ikev1
  1. If you have mobile user unable set the phase 1 and phase 2, herewith the phase 1 proposed by mobile phone
  2. Phase 2

ikev2
  1. FortiGate Config

 

          Mobile Phone config

 


Local User Database
  1. Grouping user only option is to configure multiple dailup profile with different peer id and different profile has different assigned ip to group the user.

LDAP information

  1. Support ikev1, stick to ikev1 if you have mobile phone user.
  2. I will say partially support ikev2 , you can amended the xml and restore the amended xml file on desktop but mobile phone setup there is no option to select EAP TLS, not sure it support ot not (EAP-TTLS support for IPsec VPN)

Radius

  1. Didn't test lazy to setup, more or less the same

SAML  information

  1. No object group id is allow, else will face EAP error issue (Technical Tip: Error 'EAP failure' with IPsec Dial-Up VPN using remote groups)
  2. Object Group ID wont work for Azure
  3. Even integrated with FSSO DC agent, it need user to lock and relogin to trigger the netlogon update quite troublesome.
  4. Saly
Related document for SAML
Technical Tip: Configuring IPsec VPN client-to-site with Azure SAML authentication


BYOD
  1. Bye, if a domain environment, netlogon details doesn't send to AD so FSSO wont work.

    Other site information
    Forti VM with FortiOS 7.4.8
    diagnose debug application authd -1 when turn on this debug the SAML wont work till disable debug 


    To conclude, migrating from SSL VPN to IPsec VPN is PAIN and takes time for users to adapt. There are many restrictions and challenges along the way. It feels like Fortinet is trying to push users toward SASE, but not everyone can afford it—especially SME business.

    Update 17 July 2025,
    FSSO
    Due to AD behavior, FSSO also has some limitation on user identification, BYOD doesnt work and RDP with domain user,  example IPSEC success with limvuihan (IP 192.168.10.1) but I remote desktop with domain admin pbbadmin to another server  due to AD behavior, the logon event id will be update that pbbadmin IP address as your IPSEC IP which is 192.168.10.1. So all the defined rules based on your grouping wont work and unable access. Alternative is to ignore the pbbadmin user list  at collector agent.

    Update 1st August 2025

    So when there is user connect the FortiClient IPsec, cant change the Split Tunnel Parameter as shown here in use, is not flexible as SSL VPN Tunnel request user to reconnect the VPN to get the new route.