SSL VPN to IPsec VPN Migration

FortiOS 7.4.4
FORTINET DOCUMENT LIBRARY: https://docs.fortinet.com
FORTINET VIDEO LIBRARY: https://video.fortinet.com
FORTINET BLOG: https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT: https://support.fortinet.com
FORTINET TRAINING & CERTIFICATION PROGRAM: https://www.fortinet.com/training-certification
FORTINET TRAINING INSTITUTE: https://training.fortinet.com
FORTIGUARD LABS: https://www.fortiguard.com
END USER LICENSE AGREEMENT: https://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK: Email: techdoc@fortinet.com

July 10, 2024


FortiOS 7.4.4 SSL VPN to IPsec VPN Migration
01-744-1018190-20240710
TABLE OF CONTENTS

Change Log 4
Introduction 5
Migration background 6
Security Comparison 6
IKEv1 or IKEv2? 6
Tunneling protocol and encapsulation 7
Migration basics 8
Design considerations 8
Authentication method 9
Multiple user groups 9
Full tunneling versus split tunneling 10
Client address assignments 10
Policy configurations 10
FortiClient or endpoint configurations 10
Migrate VPNs before or after upgrade? 13
FortiOS SSL VPN to dial-up VPN migration 13
Topology 14
Part 1: Identifying user authentication methods 14
Part 2: Configuring IPsec tunnels using the IPsec wizard 22
FortiClient endpoint configuration migration 31

FortiOS 7.4.4 SSL VPN to IPsec VPN Migration 3


Fortinet Inc.
Change Log

Date        Change Description
2024-06-13  Initial release.
2024-07-10  Updated FortiOS SSL VPN to dial-up VPN migration on page 13.

Introduction

Virtual Private Network (VPN) technology allows users, devices, and sites to connect securely to each other over the
internet, an otherwise insecure medium. SSL VPN and IPsec VPN in particular are widely used technologies that are
easy to configure and deploy.
Each technology has its advantages and common use cases. SSL VPN, for example, is typically tailored towards secure
remote access from individual users and endpoints. It is generally easy to set up, and because connections are secured
over TLS on TCP/443, few ISPs will restrict SSL VPN connections. It also offers two modes (tunnel and web mode) that
can be provisioned in agent and agentless deployments.
On the other hand, IPsec VPN is typically associated with site-to-site connections, and is especially convenient in multi-
site hub and spoke deployments using ADVPN (Auto Discovery VPN). Complex multi-site deployments are simplified, as
ADVPN incorporates automatic tunnel establishment between sites, dynamic routing, and mass provisioning using an
orchestrator such as FortiManager.
On a smaller scale, IPsec VPN is just as capable of supporting remote users using dial-up VPN connections. Protocols,
encryption algorithms, and authentication methods can all be customized to suit a company’s needs.
Finally, as an alternative to VPN—and especially SSL VPN web-based VPN—ZTNA (Zero Trust Network Access) can
also be used to secure remote access. ZTNA offers a seamless connection secured over TLS between the endpoints
and Zero Trust Application Gateway. A Zero Trust approach assumes devices cannot be trusted until they have passed
required security posture checks, such as client certificate verification and vulnerability scans. See the SSL VPN to
ZTNA Migration Guide for more information.
This document explores SSL VPN and IPsec VPN a little deeper, as well as things to consider while migrating from SSL
VPN to IPsec VPN. Additionally, we will review examples of common SSL VPN use cases and demonstrate steps to
migrate these setups to IPsec VPN.

Migration background

To understand how to migrate from SSL VPN to IPsec VPN, we first examine a few aspects of each VPN technology:
- Security Comparison on page 6
- IKEv1 or IKEv2? on page 6
- Tunneling protocol and encapsulation on page 7

Security Comparison

SSL VPN offers security through TLS in the following ways:
- By encrypting the data transmitted between the client and the VPN gateway using cryptographic algorithms to
  ensure data in transit has not been tampered with
- By providing an authentication mechanism for the client and server to verify each other's identity
- By using secure key exchanges such as Diffie-Hellman to establish shared secrets between client and server
- By using X.509 certificates to authenticate servers and optionally clients

IPsec offers security through the ISAKMP (Internet Security Association and Key Management Protocol)
framework:
- By using the IKE (Internet Key Exchange) protocol to negotiate the parameters of secure communication, generate
  and manage keys, and establish SAs (Security Associations) between the communicating parties
- By encrypting data packets using symmetric encryption algorithms, such as AES, 3DES, and CHACHA, that are
  negotiated by IKE with keys that are generated by IKE. See Phase 1 Configurations.
- By using HMAC (Hash-based Message Authentication Code) to verify the integrity of the message and ensure data
  in transit has not been tampered with. See Phase 1 Configurations.
- By specifying key lifetimes and other security settings used in the SAs

IPsec offers flexibility in choosing the encryption and hashing algorithms as well as key lifetime intervals, as opposed to
SSL VPN, which negotiates the cipher suite between the client and server.

IKEv1 or IKEv2?

FortiGate supports IKEv1 and IKEv2, and both are configured similarly. The IKEv2 protocol is more
streamlined, requiring fewer message exchanges to negotiate the SAs than IKEv1. The major difference is that
IKEv1 uses XAuth (Extended Authentication) for user authentication, whereas IKEv2 uses EAP (Extensible Authentication
Protocol). IKEv1 is widely used and well understood, with a more rigid protocol that is simpler to troubleshoot,
whereas IKEv2 offers more flexibility, resulting in more variations to consider when troubleshooting.


Tunneling protocol and encapsulation

SSL VPN uses the TLS protocol for tunneling.

Fortinet's IPsec VPN, by contrast, offers the following options for tunneling and encapsulation:
- Native ESP
- UDP encapsulation
- TCP encapsulation with a Fortinet proprietary extension to allow inline ASIC offloading
- TCP encapsulation using RFC 8229

When ESP is used without encapsulation, it runs directly over IP protocol 50. When ESP is encapsulated within
UDP for NAT traversal, IKE uses UDP/500 and the encapsulated ESP traffic uses UDP/4500; these are the options
available for dial-up IPsec VPN.
In IPsec site-to-site tunnels, the UDP port can be customized. See Configurable IKE port.
In IPsec site-to-site tunnels using IKEv2, the TCP port can also be customized. See Encapsulate ESP packets within
TCP headers.

Migration basics

Once you understand the differences between SSL VPN and IPsec VPN technologies, it is time to plan the migration.
This section describes the following:
- Design considerations on page 8
- FortiOS SSL VPN to dial-up VPN migration on page 13
- FortiClient endpoint configuration migration on page 31

Design considerations

The following example diagram represents a common SSL VPN tunnel-mode topology:

Individual users connect from the internet to the WAN interface of the FortiGate. Each user must authenticate to be
granted access and establish an SSL VPN tunnel. Once connected, traffic is encrypted and secured by TLS between the
endpoint and the FortiGate WAN interface. Users can access internal resources based on the configured firewall policy
for their user group.
In a dial-up IPsec VPN scenario, the topology is generally the same:

Individual users connect to the WAN interface of the VPN gateway and authenticate using the chosen method. Once
the IPsec tunnel is established, traffic between the endpoint and the FortiGate WAN interface is encrypted and secured
by IPsec, using the SAs negotiated through ISAKMP/IKE. Users can access internal resources based on the configured
firewall policy for their user group.
In conclusion, no topology design changes are needed to migrate from SSL VPN to IPsec VPN.


Authentication method

In order to establish an SSL VPN tunnel, users must authenticate to a user group that is associated with SSL VPN in a
user group to portal mapping. Authentication can be any of the following methods supported by the FortiGate:

SSL VPN Authentication Methods     Requirement
PKI, Local, LDAP, RADIUS, SAML     Required to configure at least one of these user authentication methods
Two-factor authentication          Optional

Two-factor authentication using FortiToken is also supported, and can work in combination with Local, LDAP, RADIUS
or SAML authentication.
For IPsec tunnels, users can authenticate using pre-shared keys or certificates or through XAuth (Extended
Authentication) in IKEv1 tunnels and EAP in IKEv2 tunnels. Authentication can be any of the following methods
supported by the FortiGate:

Authentication Methods      IKE Version       Requirement
Pre-shared key              IKEv1 and IKEv2   Required to configure one of these user authentication methods
PKI (Signature)             IKEv1 and IKEv2
LDAP                        IKEv1             Optional user authentication methods (IPsec IKEv1 uses XAUTH,
Local                       IKEv1 and IKEv2   and IPsec IKEv2 uses EAP for user authentication)
RADIUS                      IKEv1 and IKEv2
SAML                        IKEv2
Two-factor authentication   IKEv1 and IKEv2   Optional

Pre-shared key and PKI authentication can be paired with any of the other user authentication methods. Two-factor
authentication using FortiToken is also supported and can work in combination with Local, LDAP, RADIUS, or SAML
authentication.
In conclusion, when migrating from SSL VPN to IPsec VPN, all authentication methods are supported and can be
migrated. Users and user groups can be reused in the new IPsec configurations. Administrators must choose a pre-
shared key or PKI certificate while configuring the IPsec tunnel as it is a required setting.

Multiple user groups

SSL VPN configurations use only one SSL VPN settings page and one SSL VPN interface. Multiple user groups can be
configured and mapped to different portals, and granular access is controlled by the firewall policy.


In IPsec VPN, one dial-up VPN tunnel setting can accommodate one or more user groups by defining the group within
the VPN settings or inheriting the groups from the firewall policy. Unlike SSL VPN, administrators can also create
individual dial-up VPN tunnels for each group.
When using multiple dial-up VPN tunnels, each tunnel with the same settings requires a unique peer ID in order for dial-
up clients to engage the right tunnel when initiating a connection to the VPN gateway. In IKEv1, it is recommended to use
aggressive mode to accommodate the peer ID field within the phase1 tunnel.
When migrating from SSL VPN to IPsec VPN, use one of these methods to define your group settings.

Full tunneling versus split tunneling

Full tunneling forces all remote user traffic through the VPN, whereas split tunneling allows administrators to
specify which traffic destinations go through the VPN.
Both SSL VPN and IPsec VPN support split tunneling. By default, SSL VPN enables split tunneling based on the
destination configured in the firewall policy. By default, IPsec disables split tunneling in custom configurations, but
enables it in wizard configurations. When enabled, you must configure the network(s) to be included or excluded from
routing through the tunnel.

Client address assignments

SSL VPN assigns addresses out of a pre-defined or custom IP range. Dial-up IPsec VPN has many methods of address
assignment. However, it is recommended to use mode config, where the FortiGate acts as the IP addressing server.
The mode config setting has many options for address assignment, ranging from a manual IP address range to
integration with a DHCP server.
Migrating from SSL VPN to IPsec VPN provides added flexibility in IP addressing. Use mode config and one of the
addressing options that it provides.

Policy configurations

SSL VPN uses a single ssl.root tunnel interface as source within a firewall policy to control inbound access from
endpoint clients. User groups must be defined within the policy to control user groups that are allowed access to the
internal resources.
Conversely, IPsec VPN creates a virtual VPN interface using the name of each IPsec tunnel. The virtual tunnel
interface(s) can be chosen as a source within a firewall policy to control inbound access from endpoint clients. User
groups can be defined in the policy and inherited by the VPN tunnel configurations, or they can be defined individually
in each tunnel configuration.
When migrating from SSL VPN to IPsec VPN, consider the changes to the firewall policies needed to accommodate user
group configurations.

FortiClient or endpoint configurations

When connecting to SSL VPN in tunnel mode, endpoints must have FortiClient installed. The same applies to IPsec
tunnels.


FortiClient can be installed individually on endpoints or managed by FortiClient EMS. Using FortiClient EMS is preferred
because it allows administrators to centrally manage their clients and easily scale their deployments. See FortiClient
endpoint configuration migration on page 31 for more information.
A basic FortiClient SSL VPN configuration consists of:

Connection name: Local name to identify the tunnel.

Remote Gateway: The address of the FortiGate SSL VPN interface.

Port: The listening port on the FortiGate. Defaults to TCP/443. Can be customized to another port.

Authentication: Supports manual entry of username/password each time to authenticate or a saved login.
When single sign-on is enabled, users can perform SAML authentication using the embedded browser or through an
external browser.

Client Certificate: When the SSL VPN server requires a client certificate, FortiClient must supply the certificate to be
used.

A basic FortiClient IPsec VPN configuration consists of:

Connection name: Local name to identify the tunnel.

Remote Gateway: The address of the FortiGate IPsec VPN gateway.

Authentication Method: Either a pre-shared key or X.509 client certificate.

Authentication (XAuth or EAP): Supports manual entry of username/password each time to authenticate or a saved
login.

Failover SSL VPN: Relevant only when using SSL VPN for redundancy. Set to None otherwise.

Single Sign On: Enable to use SAML authentication. This feature is available on FortiClient 7.2.4 and later.

Advanced Settings: Additional IPsec VPN settings such as IKE version, Main/Aggressive mode (for IKEv1), addressing
mode, Phase1 options, and Phase2 options.

The Advanced Settings options include granular settings such as:

VPN Settings
- IKE version
- Main/Aggressive mode (for IKEv1)
- Addressing mode
- Phase1 options
- Phase2 options

Phase 1
- IKE proposal – Encryption and Authentication algorithms
- DH Group
- Key Life
- Local ID
- Dead Peer Detection
- NAT Traversal
- Local LAN

Phase 2
- IKE proposal – Encryption and Authentication algorithms
- Key Life
- Replay Detection
- Perfect Forward Secrecy (PFS)
- DH Group

These settings must match the VPN settings configured on the FortiGate. For example, when multiple dial-up tunnels
are configured on the FortiGate with peer ID enabled, the client must configure a local ID to match. On FortiClient,
configure a local ID under Phase 1 options.
VPN settings should be configured and centrally managed by FortiClient EMS and pushed to each endpoint when
possible. From FortiClient EMS, create a new remote access profile for the IPsec tunnel to match the FortiGate tunnel
setting. See FortiClient or endpoint configurations on page 10 for more information about IPsec configuration using
FortiClient EMS.

Migrate VPNs before or after upgrade?

Deciding whether to migrate VPNs before or after an upgrade is a choice that administrators should make based on their
company policies, best practices, and business impact. One consideration is to evaluate the potential downtime for
remote users in either scenario.
Another factor to consider is whether the current firmware impacts security. If a security patch is critical, administrators
may decide to upgrade before migrating their VPN.
Finally, it takes time to carefully assess the design considerations, create a plan, execute and test configurations in a
controlled manner, and then deploy changes to users. Give yourself time to plan accordingly. Schedule your upgrade
and maintenance only after you decide on an approach.

FortiOS SSL VPN to dial-up VPN migration

Once you understand the design considerations, you can migrate the configurations based on your preferences. We
recommend taking a two-part approach:
- First, analyze the user authentication method(s) that are used in your current SSL VPN setup. Understand any
  conditions that may require you to choose between different IPsec VPN implementations.
- Next, configure your IPsec tunnel settings using the IPsec wizard. Further customization may be needed to
  complete the configuration for specific setups.
The following sections will guide you through these steps:


- Topology on page 14
- Part 1: Identifying user authentication methods on page 14
- Part 2: Configuring IPsec tunnels using the IPsec wizard on page 22

Topology

The examples in this migration guide use the following topology:

It is assumed that SSL VPN is preconfigured on the WAN interface of the FortiGate, and the remote users connect to the
WAN interface to access internal resources hosted behind the FortiGate’s LAN interface.
This SSL VPN configuration will be migrated to IPsec using the same basic topology.

Part 1: Identifying user authentication methods

In Part 1, we identify the user authentication methods currently used in your SSL VPN configuration. For each method,
we outline any restrictions and limitations related to using those methods for IPsec.
User authentication methods on FortiGate require configuration of either users or user groups. These user groups make
use of different authentication servers, such as RADIUS, LDAP, and SAML inside their configuration. These
preconfigured objects can generally be used in the IPsec VPN configurations without further modifications.
Follow these steps to identify the user authentication method currently used in your SSL VPN configuration. If you
already know the authentication method, you can skip these steps and go to Next steps after identifying the
authentication method on page 15.

To identify the user authentication method currently used in SSL VPN configurations:

1. Locate the user group(s) used in SSL VPN firewall policies:
   a. Go to Policy & Objects > Firewall Policy.
   b. Edit the firewall policy that has the SSL-VPN tunnel interface (ssl.root) in the Incoming interface field.
   c. Note the user groups used in the Source field inside the firewall policy.
   d. Perform the same step for all SSL VPN firewall policies to get a list of user groups used for SSL VPN user
      authentication.
2. Identify the configured authentication method for SSL VPN:
   a. Go to User & Authentication > User Groups, and edit the group(s).
   b. Use the following statements to help you identify the configured authentication method:


If the configuration shows the following, your authentication method is:

- Local users configured under Member, with no configuration under Remote Groups > Remote Server:
  Local user authentication.
- Remote Groups > Remote Server uses an LDAP Server: LDAP-based user authentication.
- Remote Groups > Remote Server uses a RADIUS Server: RADIUS-based user authentication.
- Remote Groups > Remote Server uses a SAML SSO Server: SAML-based user authentication.
- PKI users are configured under Member, and Remote Groups > Remote Server uses an LDAP or RADIUS Server:
  Certificate-based user authentication.
  - If Remote Groups > Remote Server uses an LDAP Server, then you are using certificate-based user
    authentication with LDAP as two-factor authentication.
  - If Remote Groups > Remote Server uses a RADIUS Server, then you are using certificate-based user
    authentication with RADIUS as two-factor authentication.
  Note: This guide does not demonstrate how to migrate certificate-based user authentication.

Next steps after identifying the authentication method

Based on the identified authentication method, go to the following topics to find more information about migrating the
authentication method to IPsec VPN as well as specific IPsec IKE version support requirements, if any:
- Local user authentication on page 15
- LDAP-based user authentication on page 16
- RADIUS-based user authentication on page 18
- SAML-based user authentication on page 19
After reviewing the authentication method, move to Part 2, which outlines configuring an IPsec tunnel using the IPsec
wizard and makes use of the user groups discussed in Part 1.

Local user authentication

In local user authentication, username and password are configured locally on FortiGate for each user. You can then
configure local user groups to contain multiple local users. See Users to configure a local user, and see User groups to
configure user groups.
This example configuration shows a local user with username johnlocus added to local user group named Local user
group.


To view the configuration in the GUI:

1. Go to User & Authentication > User Groups.
2. Find the user group that you previously identified in the policy configuration, and double-click to see the details.
   In this example, the member johnlocus is displayed.

To view the configuration in the CLI:

config user group
    edit "Local user group"
        set member "johnlocus"
    next
end

Applying the user group

The user group named Local user group can be used inside the IPsec tunnel configuration, if you have a single user
group. If you have multiple user groups, they can be used inside firewall policies, after configuring Inherit from policy on
the IPsec tunnel. See Part 2: Configuring IPsec tunnels using the IPsec wizard on page 22.

LDAP-based user authentication

IPsec IKEv1 uses XAUTH for user authentication, and IPsec IKEv2 uses EAP for user authentication. EAP is not
completely interoperable with LDAP. It requires customization on the LDAP server to store user credentials in plain text,
which is not feasible. Therefore, LDAP-based user authentication only works with XAUTH and only supports IPsec
IKEv1 by design. If you are required to use IKEv2, migrate to use RADIUS-based user authentication instead.


In LDAP-based user authentication, the LDAP server acts as a centralized authentication server. Thus, usernames and
passwords must be managed directly on the LDAP server. To use this authentication method for IPsec (IKEv1),
FortiGate requires a configured LDAP server and a user group that uses the LDAP server. Optionally, to segregate user
groups based on the user's LDAP group membership (group matching), you can configure multiple user groups
and use the Group Name option.
See Configuring an LDAP server to configure an LDAP server. See Tracking users in each Active Directory LDAP group
to configure group matching.
This example configuration shows an LDAP server named LDAP Connector that is used inside a user group named
LDAP user group. The Group Name setting matches only users belonging to the LDAP group called Domain Users on
the LDAP server. Only users belonging to Domain Users are allowed to connect to the IPsec tunnel.

To view the configuration in the GUI:

1. Go to User & Authentication > User Groups.
2. Find the user group that you previously identified in the policy configuration, and double-click to see the details.
   The Remote Group displays an LDAP server connector.

To view the configuration in the CLI:

config user group
    edit "LDAP user group"
        set member "LDAP Connector"
        config match
            edit 1
                set server-name "LDAP Connector"
                set group-name "CN=Domain Users,CN=Users,DC=financial,DC=local"
            next
        end
    next
end

Applying the user group

The user group named LDAP user group can be used inside the IPsec tunnel configuration, if you have a single user
group. If you have multiple user groups, they can be used inside firewall policies, after configuring Inherit from policy on
the IPsec tunnel. Be sure to change IKE version to version 2. See Part 2: Configuring IPsec tunnels using the IPsec
wizard on page 22.

RADIUS-based user authentication

In RADIUS-based user authentication, the RADIUS server is used as a centralized authentication server. Thus,
usernames and passwords must be managed directly on the RADIUS server. To configure a RADIUS server on
FortiGate, see Configuring a RADIUS server.
To use this authentication method for IPsec, FortiGate requires a configured RADIUS server and a user group that
references the RADIUS server.
Optionally, to segregate user groups based on user’s group membership on RADIUS server, you can use the Group
Name option. FortiGate expects the RADIUS server to be configured correctly to return the correct RADIUS attribute
(that is, Fortinet-Group-Name VSA) in RADIUS response packet. See Restricting RADIUS user groups to match
selective users on the RADIUS server.
In this example configuration, FortiGate is configured with RADIUS server named Radius Connector, and a user group
called Radius user group references the RADIUS server. The group name option is configured to only allow the user to
connect to IPsec tunnel, if RADIUS server returns Domain Users in the RADIUS response packet to FortiGate.

To view the configuration in the GUI:

1. Go to User & Authentication > User Groups.
2. Find the user group that you previously identified in the policy configuration, and double-click to see the details.
   The Remote Group displays a RADIUS server connector.

To view the configuration in the CLI:

config user group
    edit "Radius user group"
        set member "Radius Connector"
        config match
            edit 1
                set server-name "Radius Connector"
                set group-name "Domain Users"
            next
        end
    next
end

Applying the user group

The user group named Radius user group can be used inside the IPsec tunnel configuration, if you have a single user
group. If you have multiple user groups, they can be used inside firewall policies, after configuring Inherit from policy on
IPsec tunnel. See Part 2: Configuring IPsec tunnels using the IPsec wizard on page 22.

SAML-based user authentication

IPsec supports SAML-based user authentication on FortiClient version 7.2.4 and later. SAML authentication is only
supported on IPsec IKEv2; IPsec IKEv1 is not supported.
Be sure to upgrade FortiClient to version 7.2.4 or later. See Deployment & Installers to upgrade FortiClient using
FortiClient EMS.


Part 2 of this guide uses the IPsec wizard to configure IPsec. By default, the IPsec wizard configures IKEv1. The
configuration is later customized to use IKEv2 and to enable EAP for user authentication; see Changing from
IKEv1 to IKEv2 on page 30.
For SAML to work with IPsec, additional configuration is needed: the auth-ike-saml-port setting, the SAML server
certificate, and the binding between the interface used by the IPsec VPN gateway and the SAML server. For an
end-to-end configuration example of deploying SAML with IKEv2 using different IdPs, see SAML-based authentication
for FortiClient remote access dialup IPsec VPN clients.
This example configuration demonstrates the additional SAML configurations needed. The configuration is based on
using FortiAuthenticator as the SAML IdP.

To configure and view the auth-ike-saml-port used for authentication in the CLI:

You can only configure and view this setting in the CLI.

config system global
    set auth-ike-saml-port 9443
end

To configure and view the SAML certificate in the GUI:

1. Go to User & Authentication > Authentication Settings.
2. Enable Certificate, and select your SAML server certificate.


To view the SAML User Group in the GUI:

1. Go to User & Authentication > User Groups.
2. Find the user group that you previously identified in the policy configuration, and double-click to see the details.
   The Remote Groups display the SAML SSO server.

To configure and view the SAML configurations in the CLI:

1. Configure the SAML server certificate uploaded as SAML_Server_Certificate.

   config user setting
       set auth-cert "SAML_Server_Certificate"
   end

2. View the SAML user group named SAML User group that uses the SAML SSO server named SAML-FAC.

   config user group
       edit "SAML User group"
           set member "SAML-FAC"
           config match
               edit 1
                   set server-name "SAML-FAC"
                   set group-name "Corporate"
               next
           end
       next
   end


To configure the binding between the SAML server and the interface on which the IPsec gateway is configured:

1. Configure the binding between the SAML server and the interface on which the IPsec gateway is configured. This
   configuration can only be performed and viewed using the CLI.

   config system interface
       edit "WAN"
           set ike-saml-server "SAML-FAC"
       next
   end

Applying the user group

The user group named SAML User group can be used inside the IPsec tunnel configuration, if you have a single user
group. If you have multiple user groups, they can be used inside firewall policies, after configuring Inherit from policy on
IPsec tunnel. See Part 2: Configuring IPsec tunnels using the IPsec wizard on page 22.
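As an added example (not part of this guide or of FortiOS), the following Python script parses the user group and SAML CLI blocks shown in Part 1, applies the identification table and the IKE version rules above to each user group, and checks the three SAML prerequisites (auth-ike-saml-port, auth-cert, ike-saml-server). It assumes a constructed mapping from member and server names to their types (MEMBER_TYPES), which a real deployment would derive from the config user local, ldap, radius, saml and peer tables.

```python
import shlex

# Constructed sample assembled from the CLI blocks shown in this guide.
SAMPLE_CONFIG = """
config system global
    set auth-ike-saml-port 9443
end
config user setting
    set auth-cert "SAML_Server_Certificate"
end
config user group
    edit "Local user group"
        set member "johnlocus"
    next
    edit "LDAP user group"
        set member "LDAP Connector"
    next
    edit "Radius user group"
        set member "Radius Connector"
    next
    edit "SAML User group"
        set member "SAML-FAC"
        config match
            edit 1
                set server-name "SAML-FAC"
                set group-name "Corporate"
            next
        end
    next
end
config system interface
    edit "WAN"
        set ike-saml-server "SAML-FAC"
    next
end
"""

# Assumed: type of each member or remote server (a real config carries this under config user local/ldap/radius/saml/peer).
MEMBER_TYPES = {"johnlocus": "local", "LDAP Connector": "ldap",
                "Radius Connector": "radius", "SAML-FAC": "saml"}

# IKE version support per authentication method, as stated in this guide.
IKE_SUPPORT = {
    "local": "IKEv1 (XAuth) or IKEv2 (EAP)",
    "radius": "IKEv1 (XAuth) or IKEv2 (EAP)",
    "ldap": "IKEv1 (XAuth) only; use RADIUS if IKEv2 is required",
    "saml": "IKEv2 (EAP) only; requires FortiClient 7.2.4 or later",
}


def parse_fortios(text):
    """Parse FortiOS CLI into nested dicts keyed by 'config ...' and edit names."""
    stack = [{}]
    for raw in text.splitlines():
        parts = shlex.split(raw)
        if not parts:
            continue
        cmd, args = parts[0], parts[1:]
        if cmd == "config":          # config <path>: open a table or object
            stack.append(stack[-1].setdefault(" ".join(parts), {}))
        elif cmd == "edit":          # edit <name>: open one table entry
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":           # set <key> <values...>
            stack[-1][args[0]] = args[1:]
        elif cmd in ("next", "end"):
            stack.pop()
    return stack[0]


def classify_group(group, member_types=MEMBER_TYPES):
    """Apply the guide's identification table to one user group entry."""
    names = list(group.get("member", [])) + [
        m["server-name"][0] for m in group.get("config match", {}).values() if "server-name" in m]
    types = {member_types.get(n, "local") for n in names}   # unmapped names: assumed local users
    if "pki" in types:               # PKI users under Member: not migrated by this guide
        return "certificate"
    remote = types & {"ldap", "radius", "saml"}
    if not remote:                   # local users only, no remote server
        return "local"
    return remote.pop() if len(remote) == 1 else "mixed"


def saml_prerequisites(cfg, saml_server):
    """Check the three extra settings SAML over IKEv2 needs, per this guide."""
    ifaces = cfg.get("config system interface", {}).values()
    return {
        "auth-ike-saml-port": "auth-ike-saml-port" in cfg.get("config system global", {}),
        "auth-cert": "auth-cert" in cfg.get("config user setting", {}),
        "ike-saml-server": any(i.get("ike-saml-server") == [saml_server] for i in ifaces),
    }


def migration_plan(text, member_types=MEMBER_TYPES):
    """Return {group name: {method, ike, [prereqs]}} for every user group."""
    cfg = parse_fortios(text)
    plan = {}
    for name, group in cfg.get("config user group", {}).items():
        method = classify_group(group, member_types)
        entry = {"method": method, "ike": IKE_SUPPORT.get(method, "review manually")}
        if method == "saml":
            server = next(m for m in group.get("member", []) if member_types.get(m) == "saml")
            entry["prereqs"] = saml_prerequisites(cfg, server)
        plan[name] = entry
    return plan
```

Run `migration_plan(SAMPLE_CONFIG)` to get one entry per group; a SAML group whose prerequisites are not all True is not ready for the IKEv2 tunnel in Part 2.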

Part 2: Configuring IPsec tunnels using the IPsec wizard

After reviewing user authentication methods used in your current SSL VPN configuration and comparing it with IPsec
authentication methods discussed in Part 1: Identifying user authentication methods on page 14, you can now migrate
SSL VPN to IPsec VPN.
IPsec tunnels can be configured using the IPsec wizard, a custom IPsec configuration, or a combination of both. In this
guide, the IPsec wizard is used to configure IPsec tunnels. When using the IPsec wizard, FortiGate configures IPsec
tunnels using IKEv1 in aggressive mode by default. IPsec tunnel configuration using the IPsec wizard can also be
modified to use the needed IKE version, IKE mode, custom security associations (SAs), and other granular settings.

To use the IPsec wizard:

1. On FortiGate, go to VPN > IPsec Wizard. The VPN Creation Wizard opens to the VPN Setup step.
2. On the VPN Setup page, set the following options, and click Next:

   Name: Enter a name for the VPN tunnel. The name can be a maximum of 15 characters.

   Template type: Remote Access

   Remote device type: Different clients are supported. Since SSL VPN tunnel mode requires FortiClient, leave the
   default as Client-based and FortiClient.

   The wizard proceeds to the Authentication step.
3. On the Authentication page, set the following options, and click Next:


Incoming Interface: This is the same interface as Listen on interface in your SSL VPN settings.

Authentication method: Choose one of the following options:
- Pre-shared Key: create a unique pre-shared key. The key must be shared among all FortiClient endpoints that
  connect to the VPN. Because every endpoint holds the same key, the PSK identifies the client population, not a
  user; per-user identity comes from the user group selected below.
- Signature: use to connect remote users to IPsec with certificate-based VPN authentication.
  - For Certificate Name, select the server certificate used to identify the VPN gateway.
  - For (Optional) User Group, see User Group below.
  - For Peer Certificate CA, select the CA certificate that signed the certificates of the FortiClient endpoints.
  Both the server certificate and the peer CA certificate must be uploaded to FortiGate. For more information about
  the certificates, see Importing the certificates from Dialup IPsec VPN with certificate authentication.

User Group: Depends on the selected authentication method:
- Pre-shared key: select the user group that performs user authentication. Review the different types of user
  authentication methods available for IPsec:
  - Local user authentication on page 15
  - LDAP-based user authentication on page 16
  - RADIUS-based user authentication on page 18
  - SAML-based user authentication on page 19
- Signature: select (Optional) User Group if you want to perform username and password authentication in addition
  to certificate authentication.
Single user group: If your current SSL VPN's Authentication/Portal Mapping uses a single user group for user
authentication, select that user group here.
Multiple user groups: If your current SSL VPN's Authentication/Portal Mapping uses multiple user groups for user
authentication, select any user group temporarily as a placeholder. This configuration will later be modified to use
the Inherit from policy setting, which lets you configure the user groups directly in the firewall policy for user
authentication. See Using multiple user groups on page 28.


The wizard proceeds to the Policy & Routing step.


4. On the Policy & Routing page, set the following options, and click Next:

Local Interface: The internal interface(s) accessed by VPN users. The equivalent SSL VPN configuration is the
destination interface(s) in the ssl.root to <destination> firewall policies.

Local Address: The internal network(s) accessed by VPN users. The equivalent SSL VPN configuration is the destination
address(es) in the ssl.root to <destination> firewall policies.

Client Address Range: Enter the IP address range from which IP addresses are assigned to dialup clients that
successfully connect to the IPsec VPN. (Optional) Use a different address range than your SSL VPN configuration so
that the two pools do not overlap while both VPNs are in service.

Subnet Mask: Enter the subnet mask to be used by the clients. It is recommended to leave it as 255.255.255.255 since
addresses are assigned to single clients.

DNS Server: Select either:
- Use System DNS: the FortiGate's own system DNS servers are pushed to the clients.
- Specify: lets you specify a unique DNS server.
Note: If split tunneling is enabled and the specified DNS server is located behind FortiGate, ensure the DNS server
is reachable through the Local Interface and is part of the Local Address IP scope; otherwise DNS queries from the
clients do not enter the tunnel.

Enable IPv4 Split Tunnel: When enabled, only traffic to the networks in the Local Address field goes through the
tunnel (split tunneling). When disabled, all traffic from remote users goes through the tunnel (full tunneling).

Allow Endpoint Registration: Deprecated. The setting does not affect the VPN configuration.

The wizard proceeds to the Client Options step.


5. On the Client Options page, set the following options, and click Next:

Save Password: Allow the XAuth username and password to be saved on the VPN client. Enabled by default. CLI setting:
set save-password enable. Saved credentials are stored on the endpoint, so disable this where your policy does not
allow cached credentials.

Auto Connect: Allow the client to bring the tunnel up automatically, without the user clicking Connect. Disabled by
default. CLI setting: set client-auto-negotiate disable.


Always Up (Keep Alive): Allow the client to keep the tunnel up when there is no traffic. Disabled by default. CLI
setting: set client-keep-alive disable.

The wizard proceeds to the Review Settings step.


6. On the Review Settings page, review the configurations and objects, and then click Create:

Split Tunnel Group: Address group for the destination address(es) allowed through the tunnel. Used for split
tunneling configurations.

Phase 1 interface: IPsec phase 1 tunnel configuration.

Phase 2 interface: IPsec phase 2 tunnel configuration.

Address: Firewall address for the range defined for the endpoint clients.

Remote to local policies: Inbound firewall policy/policies:
  Source interface: new VPN tunnel interface
  Destination interface: interface of the destination network
  Source address: address range for the endpoint clients
  Destination address: local subnet(s) allowed for the VPN clients
  Service: ALL
  NAT: enabled
The generated policy allows all services; before go-live, narrow Service to what your ssl.root to <destination>
policies permitted and confirm whether NAT is actually required for your internal routing.

Endpoint Registration: Deprecated. The setting does not affect the VPN configuration.

The IPsec wizard generates all the configurations, objects, and policies. Notice the name of the firewall policy is
prefixed with vpn_.


7. Click Show Tunnel List to view the new tunnel on the VPN > IPsec Tunnels page. Locate the tunnel under Dialup –
FortiClient (Windows, Mac OS, Android).
8. Select the new tunnel and click Edit to view the basic settings.
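The Client Address Range and DNS Server fields in step 4 are the two places where a migration most often collides with
the SSL VPN that is still running alongside the new tunnel. The following Python script is an added example, not part
of this guide or of any Fortinet tool: it checks a planned IPsec client range against the SSL VPN range and the Local
Address subnets, and checks that a DNS server behind the FortiGate sits inside the Local Address scope when split
tunneling is enabled. Every address in it is a constructed placeholder standing in for your own values.

```python
"""Added example (not Fortinet code): sanity-check the addressing entered in the IPsec
wizard's Policy & Routing step against the SSL VPN configuration it replaces.
All addresses used here are constructed placeholders."""
import ipaddress


def _interval(first, last):
    """Return (first, last) as address objects; the wizard takes a range, not a prefix."""
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if b < a:
        raise ValueError(f"range end {last} precedes start {first}")
    return a, b


def _overlaps(x, y):
    """Closed-interval overlap test on two (start, end) address pairs."""
    return max(x[0], y[0]) <= min(x[1], y[1])


def check_addressing(ipsec_range, ssl_range, local_subnets, dns_server=None, split_tunnel=True):
    """Return a list of findings; an empty list means the addressing plan is clean.

    ipsec_range / ssl_range: (first, last) tuples as entered in Client Address Range (IPsec
    wizard) and in the SSL VPN settings. local_subnets: the Local Address networks the wizard
    allows through the tunnel. dns_server: the server entered under DNS Server > Specify.
    """
    findings = []
    ipsec, ssl = _interval(*ipsec_range), _interval(*ssl_range)
    locals_ = [ipaddress.ip_network(s, strict=True) for s in local_subnets]

    # Both VPNs stay configured during the migration, so their client pools must not collide.
    if _overlaps(ipsec, ssl):
        findings.append(f"client range {ipsec[0]}-{ipsec[1]} overlaps the SSL VPN range {ssl[0]}-{ssl[1]}")

    # A client pool carved out of a reachable internal subnet breaks routing for that subnet.
    for net in locals_:
        if _overlaps(ipsec, (net[0], net[-1])):
            findings.append(f"client range {ipsec[0]}-{ipsec[1]} overlaps Local Address subnet {net}")

    # With split tunneling only Local Address traffic enters the tunnel, so an internal DNS
    # server outside that scope is unreachable from the client (the DNS Server note above).
    if split_tunnel and dns_server is not None:
        dns = ipaddress.ip_address(dns_server)
        if not any(dns in net for net in locals_):
            findings.append(f"DNS server {dns} is not inside any Local Address subnet; split-tunnel clients cannot reach it")
    return findings


if __name__ == "__main__":
    # Constructed values: the SSL VPN pool reused unchanged for IPsec, plus an internal DNS server.
    for finding in check_addressing(("10.212.134.200", "10.212.134.210"),
                                    ("10.212.134.200", "10.212.134.210"),
                                    ["192.168.1.0/24"], dns_server="192.168.1.53"):
        print("FINDING:", finding)
```

Run it once with the ranges you intend to enter; a clean run returns an empty list, and each finding names the
field in the wizard that needs a different value.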

Next steps

You may need to edit or customize the IPsec tunnel settings created by the IPsec wizard, depending on your
requirements. For further customization, see Customizing IPsec tunnel settings on page 26.

Customizing IPsec tunnel settings

You can edit the IPsec tunnels created by the IPsec wizard, or you can convert them to custom tunnels to access more
options. This section includes the following optional procedures:
- Editing IPsec tunnel settings on page 27
- Converting to custom IPsec tunnel settings on page 27
- Using multiple user groups on page 28
- Changing from IKEv1 to IKEv2 on page 30
- Changing Phase1 and Phase2 proposals on page 31

Editing IPsec tunnel settings

You can edit some settings for the IPsec tunnels created by the IPsec wizard without converting them to custom tunnels.

To edit IPsec tunnel settings:

1. Go to the VPN > IPsec Tunnels page, and locate the IPsec tunnel configuration created by the IPsec Wizard under
Dialup – FortiClient (Windows, Mac OS, Android).
2. Select the tunnel and click Edit to view the settings.

3. Edit the settings, and click OK.

Converting to custom IPsec tunnel settings

You can convert the IPsec tunnels created by the IPsec wizard to custom tunnels to access additional settings for your
requirements.

To convert to custom IPsec tunnel settings:

1. Go to the VPN > IPsec Tunnels page, and locate the IPsec tunnel configuration created by the IPsec wizard under
Dialup – FortiClient (Windows, Mac OS, Android).
2. Select the tunnel and click Edit.
3. Click Convert To Custom Tunnel to access more options.


4. Edit the settings, and click OK.

Using multiple user groups

If multiple user groups are configured in SSL VPN Authentication/Portal Mapping, then you can choose one of the
following design options:
- Option 1: Inherit settings from the policy on page 28
- Option 2: configure an IPsec tunnel for each user group on page 29

Option 1: Inherit settings from the policy

If your current SSL VPN configuration uses multiple user groups under Authentication/Portal mapping, you can achieve
the same on IPsec tunnels by using the Inherit from policy setting, which enables users to configure the user groups
directly on the firewall policy.

To inherit settings from the policy:

1. Edit the XAUTH settings on the IPsec tunnel.


2. Change the temporarily configured user group under User Group to Inherit from policy.

3. Click OK to save.
4. Add the user groups to the auto generated firewall policy:
a. Go to Policy & Objects > Firewall Policy.
b. Locate the respective firewall policy, and open it for editing.
The IPsec wizard uses a prefix of vpn_ for the policies it creates.
c. Set the Source field to the user group.
For example, the user group named LDAP User Group is added to the automatically generated firewall policy
named vpn_Dialup_remote_0.


d. Click OK to save the firewall policy.


e. Repeat this step on all policies created by the IPsec wizard.

Option 2: configure an IPsec tunnel for each user group

Configure a new IPsec tunnel for each individual user group. Because multiple IPsec tunnels are configured on the same
physical (WAN) interface, FortiGate uses the peer ID to distinguish incoming IPsec connection attempts and associate
each connection with the correct IPsec tunnel. As such, a unique peer ID must be configured on each IPsec tunnel, using
the following steps.

To configure an IPsec tunnel for each user group:

1. Under VPN > IPsec Tunnels, edit the respective IPsec tunnel.
2. Under Tunnel Template, click Convert to Custom Tunnel to access more options.
3. Under Authentication > Peer Options, change Accept Types to Specific peer ID.


4. Enter a unique peer ID of your choice.


5. Click OK.

FortiClient must send the same peer ID when it requests the connection to the IPsec tunnel. The peer ID is called Local
ID in FortiClient's VPN configuration, so the Local ID on FortiClient must match the peer ID on FortiGate for the
connection to reach the correct IPsec tunnel. The peer ID only selects the tunnel: it is sent as an identifier during
IKE negotiation, is not a secret, and does not replace the pre-shared key, certificate, or user authentication.

Changing from IKEv1 to IKEv2

IPsec wizard uses IKEv1 to configure the IPsec tunnel. If you want to use IPsec IKEv2 instead, you can change the
configuration.

To configure IKEv2:

1. Go to VPN > IPsec Tunnels, and edit the IPsec tunnel.


2. Under Tunnel Template, click Convert to Custom Tunnel to access more options.

3. Under Authentication > IKE, set Version to 2.

4. Click OK.
5. IPsec IKEv2 uses EAP instead of XAuth for user authentication. You must enable the following settings so that EAP
performs user authentication; they can only be set from the CLI. User authentication is then performed using the
user groups:
config vpn ipsec phase1-interface
edit <tunnel-name>
set eap enable
set eap-identity send-request
next
end


Changing Phase1 and Phase2 proposals

To change the phase 1 and phase 2 proposals (the algorithms negotiated for the IKE and IPsec security associations) of
the IPsec tunnel:

1. Go to VPN > IPsec Tunnels, and edit the IPsec tunnel.


2. Under Tunnel Template, click Convert to Custom Tunnel to access more options.

3. Under Phase 1 Proposal, click Edit, and select required custom configuration.
4. Click the checkmark button to save.
5. Under Phase 2 Selectors, click Edit, and select the required custom configuration.
6. Click the checkmark button to save.
7. Click OK to save the changes on the IPsec tunnel.

FortiClient endpoint configuration migration

Migration from SSL VPN to IPsec on FortiClient EMS must be done in parallel with the FortiGate configuration, since the
IPsec settings have to match on both FortiGate (VPN server) and FortiClient (VPN client). On FortiClient EMS, VPN
configuration is done through the Remote Access endpoint profile, which can set up SSL VPN, IPsec, or both. See the
FortiClient EMS Remote Access documentation.
To get started, add a Remote Access profile under the Endpoint Profiles section of FortiClient EMS. See Creating a new
profile.
Once the new Remote Access profile is added, add a tunnel under the VPN Tunnels section within the same Remote Access
profile.

To migrate using a FortiClient EMS Remote Access endpoint profile:

1. In FortiClient EMS, go to Endpoint Profiles.


2. Select the needed profile type, and click Add.
3. Click Add Profile to create a Windows, macOS, and Linux profile.
4. Click Add Tunnel and complete the options in the Basic Settings section to add a new connection:


Name: Name of the tunnel.

Type: Select IPsec VPN.

Remote Gateway: IP address or FQDN that FortiClient uses to reach FortiGate for the VPN connection. If you used
FortiGate's IPsec wizard, this setting corresponds to the address of the incoming interface configured during the
wizard's Authentication step. Typically, this is the same address used for the SSL VPN remote gateway.

Authentication Method: Available options are Local Certificate, Pre Shared Key, Smart Card Certificate, and Local
Store Certificate. The FortiGate IPsec wizard permits either pre-shared key or signature. When the pre-shared key
option is configured on the FortiGate, use the same value in the Pre Shared Key field in FortiClient EMS. If the
signature authentication method is preferred, select the certificate option suitable for your company requirements.
Ensure that the certificate's CA matches the Peer Certificate CA configured during the Authentication step of the
FortiGate IPsec wizard.

5. Under Basic Settings, go to VPN Settings section, and configure the IKE version, Mode, and Options. These
settings must match the ones configured on FortiGate.


IKE: Select either Version 1 or Version 2. The FortiGate IPsec wizard defaults to Version 1.

Mode: Select Aggressive or Main mode. The default option for the FortiGate VPN Creation Wizard is Aggressive.

Options: The Mode Config option is the default and is recommended. It is also the default configured on FortiGate by
the IPsec wizard.

6. Under Basic Settings, go to the Phase 1 section and configure the options. FortiGate's IPsec wizard automatically
selects the phase 1 parameters. You can check these parameters by running the following CLI command on the
FortiGate:
show full vpn ipsec phase1-interface <tunnel-name>

Ensure that you match phase 1 settings on FortiClient EMS to the phase 1 settings
configured on FortiGate.


IKE Proposal: Select the encryption and authentication algorithms used to protect the negotiation between FortiClient
and FortiGate. At least one of the selected encryption-authentication pairs must match one configured on FortiGate.
FortiGate's IPsec wizard sets the following algorithms automatically:
- AES128 - SHA256
- AES256 - SHA256
- AES128 - SHA1
- AES256 - SHA1

DH Groups: Select a Diffie-Hellman (DH) group. It must match one of the groups selected on FortiGate. The FortiGate
IPsec wizard configures DH groups 14 and 5 automatically.

Key Life: Enter the time (in seconds) that must pass before the IKE encryption key expires. A new key is generated
without interrupting the service. Key life can be configured within the range of 120 to 172,800 seconds. The default
value for the FortiGate IPsec wizard is 86400 seconds.

Local ID: Enter the Local ID. By default the FortiGate IPsec wizard leaves this setting blank; it is only needed if
you distinguish tunnels by peer ID (see Option 2: configure an IPsec tunnel for each user group on page 29).

7. Configure the remaining Phase 1 options as needed by your requirements. Refer to IPsec VPN documentation for
details.


Phase 1 configuration also allows configuring the Dead Peer Detection (DPD) mechanism on both FortiClient and
FortiGate. DPD configuration is not available in the FortiClient EMS GUI but can be set in XML. For more information
about DPD and how to configure it on FortiGate, see Dead peer detection. The IKE Settings section describes the
FortiClient EMS configuration of DPD with XML.
8. Under Basic Settings, go to the Phase 2 section. The same concept applies for phase 2 settings, the settings on
FortiClient EMS and FortiGate must match. As with phase 1, you can confirm what settings were automatically set
by the FortiGate IPsec wizard by running the following command on FortiGate:
show full vpn ipsec phase2-interface <tunnel-name>

IKE Proposal: Select the encryption and authentication algorithms used to protect the data transferred between the
IPsec peers. At least one pair must match on both FortiClient and FortiGate. The FortiGate IPsec wizard configures
the following settings by default:
- AES128-SHA1
- AES256-SHA1
- AES128-SHA256
- AES256-SHA256
- AES128GCM
- AES256GCM

DH groups: Configure the DH groups to match those on FortiGate. The FortiGate IPsec wizard uses 14 and 5 by default.


Key Life: Set the time until the phase 2 key expires. The default unit is seconds; however, you can also configure the
key life in kilobytes (KBytes) or both. If both is selected, whichever limit is reached first triggers the rekey. The
default value is 43200 (seconds), which matches the value set by the FortiGate IPsec wizard.

Replay Detection: When enabled, FortiGate tracks ESP sequence numbers and discards packets that have already been
received or that fall outside the anti-replay window. Enabled by default on both FortiClient EMS and FortiGate.

PFS: Perfect forward secrecy forces a new DH key exchange when the tunnel is established and after each phase 2 key
expiration, so that phase 2 keys are not derived from the phase 1 keying material and compromise of one key does not
expose earlier or later keys. Enabled by default on both FortiClient EMS and FortiGate.

9. Go to the Advanced Settings section to configure multiple options for IPsec connection including Save Password,
Auto-Connect, and Always Up, which then appear on FortiClient GUI. They enable automatic connection to a VPN
tunnel and its recovery from network disruption. If you decide to include these settings in your configuration, ensure
that you also configure them in the Client Options step of FortiGate IPsec wizard. For more information on the
available options, refer to Remote Access IPsec documentation.

10. Click Save to save the changes.


11. Push the profile to FortiClient endpoints.
12. On an endpoint, open FortiClient, and go to the Remote Access tab to confirm the settings have been pushed to
FortiClient.


The user must select Save Password, Auto-Connect, and Always Up to activate them.
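Steps 6 to 8 above, together with the Changing from IKEv1 to IKEv2 and Changing Phase1 and Phase2 proposals sections,
come down to one check: every value entered on the FortiClient EMS side must be able to negotiate with what
show full vpn ipsec phase1-interface and show full vpn ipsec phase2-interface report on the FortiGate. The following
Python script is an added example, not Fortinet code. It parses constructed show full output modelled on the wizard
defaults listed in this guide (the tunnel name Dialup and the group name SAML User group are placeholders), compares
it with a constructed EMS tunnel profile, and separately flags the legacy choices among the wizard defaults (IKEv1
aggressive mode with a PSK, SHA1 proposals, DH group 5). The client profile deliberately keeps IKE version 2 so the
mismatch report has something to show.

```python
"""Added example (not Fortinet code): check that a FortiClient EMS tunnel profile can
negotiate with the phase 1/phase 2 settings the FortiGate IPsec wizard created, and flag
legacy wizard defaults. The `show full` outputs and client profile are constructed."""
import re
import shlex

# Constructed `show full vpn ipsec phase1-interface Dialup` output; names are placeholders.
PHASE1_SHOW = """\
config vpn ipsec phase1-interface
    edit "Dialup"
        set ike-version 1
        set mode aggressive
        set authmethod psk
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dhgrp 14 5
        set keylife 86400
        set authusrgrp "SAML User group"
    next
end
"""
PHASE2_SHOW = """\
config vpn ipsec phase2-interface
    edit "Dialup"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm
        set pfs enable
        set dhgrp 14 5
        set keylifeseconds 43200
    next
end
"""
# Constructed EMS tunnel settings in FortiOS spelling (AES256-SHA256 -> aes256-sha256).
# IKE version stays at 2 on purpose to show a mismatch with the IKEv1 wizard default.
CLIENT_PROFILE = {
    "ike_version": "2", "mode": "aggressive", "pfs": True,
    "phase1_proposals": {"aes256-sha256"}, "phase1_dhgrp": {"14"},
    "phase2_proposals": {"aes256gcm"}, "phase2_dhgrp": {"14"},
}
_EDIT = re.compile(r"^edit\s+(.+)$")
_SET = re.compile(r"^set\s+(\S+)\s+(.*)$")
LEGACY_HASHES = {"md5", "sha1"}
SMALL_DH_GROUPS = {"1", "2", "5"}  # MODP groups with a modulus shorter than 2048 bits


def parse_show(text):
    """Return {tunnel: {setting: [values]}}; shlex keeps "SAML User group" as one token."""
    tunnels, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        edit, setting = _EDIT.match(line), _SET.match(line)
        if edit:
            current = shlex.split(edit.group(1))[0]
            tunnels[current] = {}
        elif line == "next":
            current = None
        elif current is not None and setting:
            tunnels[current][setting.group(1)] = shlex.split(setting.group(2))
    return tunnels


def _values(cfg, key):  # lower-cased set of a multi-value setting, empty if absent
    return {v.lower() for v in cfg.get(key, [])}


def _first(cfg, key, default):  # first value, or the FortiOS default if `show` omitted it
    return cfg.get(key, [default])[0].lower()


def compare_with_client(phase1, phase2, client):
    """Return the mismatches that would stop negotiation; an empty list means compatible."""
    findings = []
    fg_ike = _first(phase1, "ike-version", "1")
    if fg_ike != str(client["ike_version"]):
        findings.append(f"IKE version: FortiGate {fg_ike}, client {client['ike_version']}")
    if fg_ike == "1" and _first(phase1, "mode", "main") != client["mode"]:  # IKEv1 only
        findings.append("IKEv1 mode: main/aggressive differs")
    fg_pfs = _first(phase2, "pfs", "enable") == "enable"
    if fg_pfs != client["pfs"]:
        findings.append("phase 2: PFS setting differs")
    # Phase 2 DH groups only matter when PFS is on; phase 1 always needs a common group.
    for label, cfg, pfx, check_dh in (("phase 1", phase1, "phase1", True), ("phase 2", phase2, "phase2", fg_pfs)):
        if not _values(cfg, "proposal") & {p.lower() for p in client[pfx + "_proposals"]}:
            findings.append(f"{label}: no encryption/authentication pair in common")
        if check_dh and not _values(cfg, "dhgrp") & {str(g) for g in client[pfx + "_dhgrp"]}:
            findings.append(f"{label}: no DH group in common")
    return findings


def audit_legacy_settings(phase1, phase2):
    """Flag wizard defaults worth tightening before go-live."""
    findings = []
    if (_first(phase1, "ike-version", "1") == "1" and _first(phase1, "mode", "main") == "aggressive"
            and _first(phase1, "authmethod", "psk") == "psk"):
        findings.append("IKEv1 aggressive mode with a pre-shared key: the PSK-derived hash is sent "
                        "before encryption, so a captured exchange allows offline guessing of the key")
    for label, cfg in (("phase 1", phase1), ("phase 2", phase2)):
        for prop in sorted(_values(cfg, "proposal")):
            if prop.split("-")[-1] in LEGACY_HASHES:
                findings.append(f"{label}: proposal {prop} relies on {prop.split('-')[-1]}")
        for grp in sorted(_values(cfg, "dhgrp") & SMALL_DH_GROUPS):
            findings.append(f"{label}: DH group {grp} uses a modulus shorter than 2048 bits")
    return findings


if __name__ == "__main__":
    p1, p2 = parse_show(PHASE1_SHOW)["Dialup"], parse_show(PHASE2_SHOW)["Dialup"]
    for line in compare_with_client(p1, p2, CLIENT_PROFILE) + audit_legacy_settings(p1, p2):
        print(line)
```

To use it against a real device, paste the output of the two show full commands into the two strings and transcribe
the EMS profile values; an empty result from compare_with_client means the client can negotiate, and each legacy
finding points at a value to change in the Phase 1 Proposal or Phase 2 Selectors section before the tunnel goes live.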

www.fortinet.com

Copyright© 2024 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were
attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance
results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract,
signed by Fortinet’s Chief Legal Officer, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only
the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change,
modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
