My organization currently has an SSL VPN that all of our end users connect to. I would like to switch to IPSec to help eliminate the security issues associated with the SSL VPN.
My goal is to use certificate-based authentication instead of a PSK and also use SAML SSO with Entra.
Does anyone have this setup working successfully in production?
Can we use the certificates our machines get from our on-premises ADCS?
Are there any good guides out there I can follow for this setup?
Why do you want to do certificates and SAML? Use one or the other.
Yes.
Basically this, but there is enough documentation out there on certificate authentication: https://community.fortinet.com/t5/FortiClient/Technical-Tip-Dial-up-IPsec-VPN-users-with-security-certificates/ta-p/197921
We set up SSL VPN via a loopback interface. We use FAC for MFA. After setting policies to geoblock and service block, the login attempts from sites such as Stark Industries stopped cold. So much easier to manage this via interface policies. You may find that quite a few users are not able to connect using IPsec based on how other sites are configured. Loopback is super easy to configure. If you aren’t willing to do that, I’d configure IPsec in parallel and pilot with a few users to see if they run into issues or not. The one undeniable benefit of IPsec is speed due to greater packet efficiency, as it operates at the network rather than the transport layer, so that would definitely be a win.
I tried this a while back when it was released. I have IPsec working using certificates and wanted to see if we could use SAML-based authentication, as that was the auth being used for our SSL VPN. It required the 7.2.4 client, and that was buggy enough for me to drop it.
Where would you get the PSK on the client? Dial-up IPsec doesn’t utilize a PSK.
I did a POC for a client using IPsec with SAML auth using Entra as the IdP. During the (limited amount of) testing, it worked great.
Mainly I didn’t want to use a PSK that can be copied from our machines. It will also ensure they have to be using one of our approved organization machines.
The way I understand it, the cert auth would require them to be logging in from a trusted machine, and SAML authenticates the user.
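As an added illustration of the machine-certificate half of that design (not taken from the thread or from Fortinet's documentation), here is a FortiOS CLI fragment for a dial-up IPsec phase 1 that accepts only peers presenting a certificate chained to an imported CA, which in this scenario would be the on-premises ADCS root. The `config user peer`, `config user peergrp` and `config vpn ipsec phase1-interface` keywords are standard FortiOS CLI; every object name (`ADCS-Root-CA`, `corp-machines`, `corp-machine-grp`, `fgt-vpn-cert`, `wan1`, the CN value) is an assumption for the example, and lines beginning with `#` are explanatory notes rather than CLI.

```text
# Constructed FortiOS example; object names are assumptions.
# 1. Define which client certificates are trusted: anything chained to the
#    ADCS root CA imported into the FortiGate CA store, optionally narrowed
#    by a subject CN value that the machine-certificate template issues.
config user peer
    edit "corp-machines"
        set ca "ADCS-Root-CA"
        set cn "corp.example"
        set cn-type string
    next
end

# 2. Group the peer definition so phase 1 can reference it.
config user peergrp
    edit "corp-machine-grp"
        set member "corp-machines"
    next
end

# 3. Dial-up IKEv2 phase 1 using signature (certificate) authentication.
#    There is no pre-shared key in this configuration, so there is nothing
#    to copy off an enrolled laptop; a client without a certificate issued
#    by the trusted CA cannot complete IKE authentication.
config vpn ipsec phase1-interface
    edit "dialup-cert"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype peergrp
        set peergrp "corp-machine-grp"
        set authmethod signature
        set certificate "fgt-vpn-cert"
        set mode-cfg enable
        set proposal aes256-sha256
        set dhgrp 14
    next
end
```

On the client, the ADCS-issued machine certificate has to be present in the local machine store and selected in the FortiClient tunnel settings; the user-identity half (SAML) is not shown here, and the thread itself leaves open whether it co-exists with certificate authentication in the same tunnel.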
We are currently replacing our VPN with FortiGate VPN using 7.2.4 with SAML and find it very stable.
We did find 7.2.4 issues with the documented SAML bug for SSL VPN but IPSec appears unaffected.
I don’t think it supports SAML and certs currently.
Was there a PSK or certificate needed on the client machine, or did it just use SAML?
SAML for IPsec is a relatively new feature and a bit buggy in general, so a combination of the two is probably a bit untested. You can test it and it might work, but it might not either. I don’t know if those two configurations can co-exist in the same VPN configuration.