Weird IPSec VPN thing - Forticlient VPN 7.4.2

In case anyone else wastes their Saturday like I just did. I was setting up a new Fortigate 30G (7.2.8) and then switched to a 40F (7.4.6/7) for troubleshooting. Anyways, after fighting to get IPSec SAML with Entra ID to connect, then I wasn’t passing traffic. Doing all of this on Windows Forticlient VPN (free version) 7.4.2. After doing hours of troubleshooting, found that Forticlient 7.4.2 doesn’t seem to respect “set nattraversal force” in ipsec phase1-interface. And the check box is missing from Forticlient VPN 7.4.2.

So I was able to connect but wasn’t passing traffic. Both sides just sending traffic with no receipt. So finally saw this was a NAT Traversal issue. Had to manually edit the .conf file to set nat_traversal to 1 and then reimport it to Forticlient… lo and behold… traffic starts passing.

I hated today.
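The workaround the post describes (export the profile, set nat_traversal to 1, reimport) is easy to get wrong by hand, so here is a small script for it. This is an added example, not code from the thread or from Fortinet. It assumes the exported FortiClient .conf is XML and that the flag is carried in a `<nat_traversal>` element (the element name comes from the post; its exact position in the tree is an assumption, so the script patches every occurrence and reports how many it changed). The embedded sample profile is constructed for the example and is not a real export.

```python
"""Force nat_traversal=1 in an exported FortiClient IPsec VPN profile.

Added example (not from the thread). Assumes the profile is XML and carries
the NAT-T flag as a <nat_traversal> element; where that element sits in the
tree is an assumption, so every occurrence is patched.
"""
import xml.etree.ElementTree as ET

# Constructed sample profile for demonstration; the element layout is a guess,
# only the <nat_traversal> element name is taken from the thread.
SAMPLE_CONF = """<?xml version="1.0" encoding="UTF-8"?>
<forticlient_configuration>
  <vpn>
    <ipsecvpn>
      <connections>
        <connection>
          <name>hq-saml</name>
          <ike_settings>
            <nat_traversal>0</nat_traversal>
          </ike_settings>
        </connection>
      </connections>
    </ipsecvpn>
  </vpn>
</forticlient_configuration>
"""


def force_nat_traversal(xml_text: str) -> tuple[str, int]:
    """Return (patched XML, number of elements changed).

    Every <nat_traversal> element whose text is not already "1" is set to "1".
    Elements already at "1" are left alone, so running twice changes nothing.
    """
    root = ET.fromstring(xml_text)
    changed = 0
    for elem in root.iter("nat_traversal"):
        if (elem.text or "").strip() != "1":
            elem.text = "1"
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed


def nat_traversal_values(xml_text: str) -> list[str]:
    """List the current value of every <nat_traversal> element (for checking
    a profile before and after the edit)."""
    root = ET.fromstring(xml_text)
    return [(e.text or "").strip() for e in root.iter("nat_traversal")]


def patch_profile(in_path: str, out_path: str) -> int:
    """Patch a profile on disk, writing a new file (the original is kept so
    the change can be reverted). Returns the number of elements changed."""
    with open(in_path, encoding="utf-8") as f:
        patched, changed = force_nat_traversal(f.read())
    # Re-parse to emit an XML declaration like the original export.
    ET.ElementTree(ET.fromstring(patched)).write(
        out_path, encoding="utf-8", xml_declaration=True
    )
    return changed


if __name__ == "__main__":
    import sys

    if len(sys.argv) == 3:
        print(f"changed {patch_profile(sys.argv[1], sys.argv[2])} element(s)")
    else:
        before = nat_traversal_values(SAMPLE_CONF)
        patched, n = force_nat_traversal(SAMPLE_CONF)
        print(f"before: {before}, changed: {n}, after: {nat_traversal_values(patched)}")
```

Usage: `python patch_nat_t.py exported.conf patched.conf`, then import `patched.conf` in FortiClient. Check `nat_traversal_values()` on the file you are about to import rather than trusting the GUI, since the post notes the checkbox is absent in 7.4.2.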

Same for me, spent like 4 hours troubleshooting it. Experimentally found out that NAT traversal works with this Auto option enabled. Also opened a ticket with TAC, they told me that IKEv2 has built-in NAT traversal so the NAT traversal option is not needed.

https://preview.redd.it/u3sfuxa66oge1.jpeg?width=587&format=pjpg&auto=webp&s=2ac6584c3268ee822f8b288d3a3d3a022eb5e8a0

There’s a KB about this at https://community.fortinet.com/t5/FortiClient/Troubleshooting-Tip-IKEv2-IPSec-VPN-on-FortiClient-v7-4-1-and-v7/ta-p/369599

Try 7.0.14. Worked for us.

Actually IKEv2 (only possible option for SAML) has NAT detection built in. So this is a bug in FortiClient and not a config mistake from your end, but good catch.

I had exactly the same experience with my recent new IPsec RA project. Even when you give FortiClient the profile via EMS, it does the same thing regarding NAT-T.
Must be a bug with 7.4 only because of the new addition of TCP Encap.

Overall IPsec with SAML isn’t fully fleshed out yet, so because of DS-Lite IPv4 problems for example, I will have to deploy an IPsec + SSL VPN dual tech setup for the customer…

You’re my hero - this worked perfectly and I never would have thought to try it on my own. Thanks!

7.2.8 is the only version currently available on 30G, but also I thought SAML IPSec was introduced in 7.2.4

I meant Forticlient version 7.0.14