
SSL to IPsec VPN Migration Guide

The document provides guidance on migrating from SSL VPN to IPsec VPN in FortiOS 7.6.0, detailing the differences between the two technologies, including security comparisons, tunneling protocols, and authentication methods. It outlines design considerations, migration basics, and specific steps for configuring IPsec tunnels, addressing assignments, and policy configurations. Additionally, it emphasizes the flexibility and advantages of IPsec VPN for both remote users and site-to-site connections.

SSL VPN to IPsec VPN Migration

FortiOS 7.6.0
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO LIBRARY
https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM
https://www.fortinet.com/training-certification

FORTINET TRAINING INSTITUTE
https://training.fortinet.com

FORTIGUARD LABS
https://www.fortiguard.com

END USER LICENSE AGREEMENT
https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: [email protected]

July 25, 2024


FortiOS 7.6.0 SSL VPN to IPsec VPN Migration
01-760-1018190-20240725
TABLE OF CONTENTS

Change Log 4
Introduction 5
Migration background 6
Security Comparison 6
IKEv1 or IKEv2? 6
Tunneling protocol and encapsulation 7
Migration basics 8
Design considerations 8
Authentication method 9
Multiple user groups 9
Full tunneling versus split tunneling 10
Client address assignments 10
Policy configurations 10
FortiClient or endpoint configurations 10
Migrate VPNs before or after upgrade? 13
FortiOS SSL VPN to dial-up VPN migration 13
Topology 14
Part 1: Identifying user authentication methods 14
Part 2: Configuring IPsec tunnels using the VPN wizard 22
FortiClient endpoint configuration migration 33

Change Log

Date Change Description

2024-07-25 Initial release.

Introduction

Virtual Private Network (VPN) technology allows users, devices, and sites to securely connect to each other over the
internet, an otherwise insecure medium. SSL VPN and IPsec VPN in particular are widely used technologies that are
easy to configure and deploy.
Each technology has its advantages and common use cases. SSL VPN, for example, is typically tailored towards secure
remote access from individual users and endpoints. It is generally easy to set up, and because connections are secured
over TLS on TCP/443, few ISPs will restrict SSL VPN connections. It also offers two modes (tunnel and web mode) that
can be provisioned in agent and agentless deployments.
On the other hand, IPsec VPN is typically associated with site-to-site connections, and is especially convenient in multi-
site hub and spoke deployments using ADVPN (Auto Discovery VPN). Complex multi-site deployments are simplified, as
ADVPN incorporates automatic tunnel establishment between sites, dynamic routing, and mass provisioning using an
orchestrator such as FortiManager.
On a smaller scale, IPsec VPN is just as capable of supporting remote users using dial-up VPN connections. Protocols,
encryption algorithms, and authentication methods can all be customized to suit a company’s needs.
Finally, as an alternative to VPN—and especially SSL VPN web-based VPN—ZTNA (Zero Trust Network Access) can
also be used to secure remote access. ZTNA offers a seamless connection secured over TLS between the endpoints
and Zero Trust Application Gateway. A Zero Trust approach assumes devices cannot be trusted until they have passed
required security posture checks, such as client certificate verification and vulnerability scans. See the SSL VPN to
ZTNA Migration Guide for more information.
This document explores SSL VPN and IPsec VPN a little deeper, as well as things to consider while migrating from SSL
VPN to IPsec VPN. Additionally, we will review examples of common SSL VPN use cases and demonstrate steps to
migrate these setups to IPsec VPN.

Migration background

To understand how to migrate from SSL VPN to IPsec VPN, we first examine a few aspects of each VPN technology:
• Security Comparison on page 6
• IKEv1 or IKEv2? on page 6
• Tunneling protocol and encapsulation on page 7

Security Comparison

SSL VPN offers security through TLS in the following ways:

• By encrypting the data transmitted between the client and the VPN gateway using cryptographic algorithms to
ensure data in transit has not been tampered with
• By providing an authentication mechanism for client and server to verify the identity of each other
• By using secure key exchanges such as Diffie-Hellman to establish shared secrets between client and server
• By using X.509 certificates to authenticate servers and optionally clients

IPsec offers security through the ISAKMP (Internet Security Association and Key Management Protocol)
framework:
• By using the IKE (Internet Key Exchange) protocol to negotiate the parameters of secure communication, generate
and manage keys, and establish SAs (Security Associations) between the communicating parties
• By encrypting data packets using symmetric encryption algorithms, such as AES, 3DES, and ChaCha20, that are
negotiated by IKE with keys that are generated by IKE. See Phase 1 Configurations.
• By using HMAC (Hash-based Message Authentication Code) to verify the integrity of the message and ensure data
in transit has not been tampered with. See Phase 1 Configurations.
• By specifying key lifetimes and other security settings used in the SAs

IPsec gives the administrator explicit control over the encryption and hashing algorithms and the key lifetime intervals,
whereas SSL VPN negotiates the cipher suite between the client and server.

IKEv1 or IKEv2?

FortiGate supports IKEv1 and IKEv2, and both are configured similarly. The underlying protocol for IKEv2 is more
streamlined, requiring fewer message exchanges to negotiate the SAs compared to IKEv1. The major difference is that
IKEv1 uses XAuth (Extended Authentication) for user authentication, and IKEv2 uses EAP (Extensible Authentication
Protocol). IKEv1 is widely used and well understood, with a more rigid protocol that is simpler to troubleshoot,
whereas IKEv2 offers more flexibility, resulting in more variations to consider when troubleshooting.


Tunneling protocol and encapsulation

SSL VPN uses the TLS protocol for tunneling.

Fortinet's IPsec VPN, by contrast, offers the following options for tunneling and encapsulation:
• Native ESP
• UDP encapsulation
• TCP encapsulation with a Fortinet proprietary extension to allow inline ASIC offloading
• TCP encapsulation using RFC 8229

When ESP is used without encapsulation, it runs directly over IP protocol 50. When ESP is encapsulated within UDP,
IKE negotiation starts on UDP/500 and NAT traversal (NAT-T) uses UDP/4500; these are the options available for dial-up
IPsec VPN.
In IPsec site-to-site tunnels, the UDP port can be customized. See Configurable IKE port.
In IPsec site-to-site tunnels using IKEv2, the TCP port can also be customized. See Encapsulate ESP packets within
TCP headers.

Migration basics

Once you understand the differences between SSL VPN and IPsec VPN technologies, it is time to plan the migration.
This section describes the following:
• Design considerations on page 8
• FortiOS SSL VPN to dial-up VPN migration on page 13
• FortiClient endpoint configuration migration on page 33

Design considerations

The following example diagram represents a common SSL VPN tunnel-mode topology:

Individual users connect from the internet to the WAN interface of the FortiGate. Each user must authenticate to be
granted access and establish an SSL VPN tunnel. Once connected, traffic is encrypted and secured by TLS between the
endpoint and the FortiGate WAN interface. Users can access internal resources based on the configured firewall policy
for their user group.
In a dial-up IPsec VPN scenario, the topology will be generally the same.

Individual users connect to the WAN interface of the VPN gateway and will authenticate using the chosen method. Once
the IPsec tunnel is established, traffic is encrypted and secured by the ISAKMP protocol between the endpoint and the
FortiGate WAN interface. Users can access internal resources based on the configured firewall policy for their user
group.
In conclusion, no topology design changes are needed to migrate from SSL VPN to IPsec VPN.


Authentication method

In order to establish an SSL VPN tunnel, users must authenticate to a user group that is associated with SSL VPN in a
user group to portal mapping. Authentication can be any of the following methods supported by the FortiGate:

SSL VPN Authentication Methods | Requirement
PKI, Local, LDAP, RADIUS, SAML | Required to configure at least one of these user authentication methods
Two-factor authentication | Optional

Two-factor authentication using FortiToken is also supported, and can work in combination with Local, LDAP, RADIUS,
or SAML authentication.
For IPsec tunnels, users can authenticate using pre-shared keys or certificates, or through XAuth (Extended
Authentication) in IKEv1 tunnels and EAP in IKEv2 tunnels. Authentication can be any of the following methods
supported by the FortiGate:

Authentication Methods | IKE Version | Requirement
Pre-shared key | IKEv1 and IKEv2 | Required to configure one of these user authentication methods
PKI (Signature) | IKEv1 and IKEv2 | Required to configure one of these user authentication methods
LDAP | IKEv1 | Optional user authentication methods (IPsec IKEv1 uses XAUTH, and IPsec IKEv2 uses EAP for user authentication)
Local | IKEv1 and IKEv2 | Optional user authentication methods
RADIUS | IKEv1 and IKEv2 | Optional user authentication methods
SAML | IKEv2 | Optional user authentication methods
Two-factor authentication | IKEv1 and IKEv2 | Optional

Pre-shared key and PKI authentication can be paired with any of the other user authentication methods. Two-factor
authentication using FortiToken is also supported and can work in combination with Local, LDAP, RADIUS, or SAML
authentication.
In conclusion, when migrating from SSL VPN to IPsec VPN, all authentication methods are supported and can be
migrated. Users and user groups can be reused in the new IPsec configurations. Administrators must choose a
pre-shared key or PKI certificate while configuring the IPsec tunnel, as it is a required setting.

Multiple user groups

SSL VPN configurations use only one SSL VPN settings page and one SSL VPN interface. Multiple user groups can be
configured and mapped to different portals, and granular access is controlled by the firewall policy.


In IPsec VPN, one dial-up VPN tunnel setting can accommodate one or more user groups by defining the group within
the VPN settings or inheriting the groups from the firewall policy. Unlike SSL VPN, administrators can also create
individual dial-up VPN tunnels for each group.
When using multiple dial-up VPN tunnels, each tunnel with the same settings requires a unique peer ID so that dial-up
clients engage the right tunnel when initiating a connection to the VPN gateway. In IKEv1, it is recommended to use
aggressive mode so that the peer ID field is carried within the phase 1 exchange.
When migrating from SSL VPN to IPsec VPN, use one of these methods to define your group settings.

Full tunneling versus split tunneling

Full tunneling forces all remote user traffic through the VPN, whereas split tunneling lets administrators specify
which traffic destinations go through the VPN.
Both SSL VPN and IPsec VPN support split tunneling. By default, SSL VPN enables split tunneling based on the
destination configured in the firewall policy. By default, IPsec disables split tunneling in custom configurations, but
enables it in wizard configurations. When enabled, you must configure the network(s) to be included or excluded from
routing through the tunnel.

Client address assignments

SSL VPN assigns addresses out of a pre-defined or custom IP range. Dial-up IPsec VPN has many methods of address
assignment. However, it is recommended to use mode config, where the FortiGate acts as the IP addressing server.
The mode config setting has many options for address assignment, ranging from a manual IP address range to
integration with a DHCP server.
Migrating from SSL VPN to IPsec VPN provides added flexibility in IP addressing. Use mode config and one of the
addressing options that it provides.

Policy configurations

SSL VPN uses a single ssl.root tunnel interface as source within a firewall policy to control inbound access from
endpoint clients. User groups must be defined within the policy to control user groups that are allowed access to the
internal resources.
Conversely, IPsec VPN creates a virtual VPN interface using the name of each IPsec tunnel. The virtual tunnel
interface(s) can be chosen as a source within a firewall policy to control inbound access from endpoint clients. User
groups can be defined in the policy and inherited by the VPN tunnel configurations, or they can be defined individually
in each tunnel configuration.
When migrating from SSL VPN to IPsec VPN, consider the changes to the firewall policies needed to accommodate user
group configurations.

FortiClient or endpoint configurations

When connecting to SSL VPN in tunnel mode, endpoints must have FortiClient installed. The same applies to IPsec
tunnels.


FortiClient can be installed individually on endpoints or managed by FortiClient EMS. Using FortiClient EMS is preferred
because it allows administrators to centrally manage their clients and easily scale their deployments. See FortiClient
endpoint configuration migration on page 33 for more information.
A basic FortiClient SSL VPN configuration consists of:

Connection name: Local name to identify the tunnel.
Remote Gateway: The address of the FortiGate SSL VPN interface.
Port: The listening port on the FortiGate. Defaults to TCP/443, and can be customized to another port.
Authentication: Supports manual entry of username/password each time to authenticate, or a saved login. When single
sign-on is enabled, users can perform SAML authentication using the embedded browser or through an external browser.
Client Certificate: When the SSL VPN server requires a client certificate, FortiClient must supply the certificate to
be used.

A basic FortiClient IPsec VPN configuration consists of:

Connection name: Local name to identify the tunnel.
Remote Gateway: The address of the FortiGate IPsec VPN gateway.

Authentication Method: Either a pre-shared key or X.509 client certificate.
Authentication (XAuth or EAP): Supports manual entry of username/password each time to authenticate, or a saved login.
Failover SSL VPN: Relevant only when using SSL VPN for redundancy. Set to None otherwise.
Single Sign On: Enable to use SAML authentication. This feature is available on FortiClient 7.2.4 and later.
Advanced Settings: Additional IPsec VPN settings such as:
    • IKE version
    • Main/Aggressive mode (for IKEv1)
    • Addressing mode
    • Phase1 options
    • Phase2 options

The Advanced Settings options include granular settings such as:

VPN Settings:
    • IKE version
    • Main/Aggressive mode (for IKEv1)
    • Addressing mode
    • Phase1 options
    • Phase2 options


Phase 1:
    • IKE proposal – Encryption and Authentication algorithms
    • DH Group
    • Key Life
    • Local ID
    • Dead Peer Detection
    • NAT Traversal
    • Local LAN

Phase 2:
    • IKE proposal – Encryption and Authentication algorithms
    • Key Life
    • Replay Detection
    • Perfect Forward Secrecy (PFS)
    • DH Group

These settings must match the VPN settings configured on the FortiGate. For example, when multiple dial-up tunnels
are configured on the FortiGate with peer ID enabled, the client must configure a local ID to match. On FortiClient,
configure a local ID under Phase 1 options.
VPN settings should be configured and centrally managed by FortiClient EMS and pushed to each endpoint when
possible. From FortiClient EMS, create a new remote access profile for the IPsec tunnel to match the FortiGate tunnel
setting. See FortiClient or endpoint configurations on page 10 for more information about IPsec configuration using
FortiClient EMS.
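The design rules collected in this section (unique peer IDs for dial-up tunnels that share the same settings, aggressive mode for IKEv1 when a peer ID is used, the IKE version each user authentication method supports, no overlap with the old SSL VPN address pool, and a FortiClient local ID that matches the FortiGate peer ID) can be checked before anything is configured. The Python pre-check below is an added example, not code from the Fortinet guide or FortiClient EMS; its tunnel names, user groups, FortiClient versions and address pools are constructed sample data, while the 15-character tunnel name limit and the FortiClient 7.2.4 requirement for SAML come from this guide.

```python
"""Pre-migration checks for a dial-up IPsec tunnel plan.

Added example, not part of the Fortinet guide. It turns the design rules
from the Migration basics section into checks over a planned set of
dial-up tunnels and the FortiClient profiles that will dial them, so the
plan is validated before anything is configured. Tunnel names, groups,
client versions and address ranges are constructed sample data.
"""
import ipaddress

FORTICLIENT_SAML_MIN = (7, 2, 4)  # SAML over IKEv2 needs FortiClient 7.2.4 or later
IKE_FOR_METHOD = {"local": {1, 2}, "radius": {1, 2}, "ldap": {1}, "saml": {2}}

# Constructed plan: three dial-up tunnels terminating on the same WAN interface.
TUNNELS = [
    {"name": "Dialup-Eng", "interface": "wan1", "ike_version": 1, "mode": "aggressive",
     "peer_id": "eng", "auth": "psk", "group_method": "ldap", "client_pool": "10.10.20.0/24"},
    {"name": "Dialup-Finance", "interface": "wan1", "ike_version": 1, "mode": "aggressive",
     "peer_id": "finance", "auth": "psk", "group_method": "local", "client_pool": "10.10.21.0/24"},
    {"name": "Dialup-SAML", "interface": "wan1", "ike_version": 2, "mode": None,
     "peer_id": None, "auth": "certificate", "group_method": "saml", "client_pool": "10.10.22.0/24"},
]
# Constructed FortiClient profiles; local_id must match the tunnel's peer ID.
CLIENTS = [
    {"tunnel": "Dialup-Eng", "local_id": "eng", "forticlient": (7, 2, 4)},
    {"tunnel": "Dialup-Finance", "local_id": "finance", "forticlient": (7, 2, 4)},
    {"tunnel": "Dialup-SAML", "local_id": None, "forticlient": (7, 2, 4)},
]


def check_plan(tunnels, clients, ssl_vpn_pool):
    """Return (tunnel, problem) pairs; an empty list means the plan passes."""
    problems = []
    old_pool = ipaddress.ip_network(ssl_vpn_pool)
    same_settings = {}
    for t in tunnels:
        name, ike = t["name"], t["ike_version"]
        if len(name) > 15:  # VPN wizard limit on tunnel names
            problems.append((name, "tunnel name is longer than 15 characters"))
        if t.get("auth") not in ("psk", "certificate"):
            problems.append((name, "a pre-shared key or PKI certificate is required"))
        if ike not in IKE_FOR_METHOD.get(t["group_method"], set()):
            problems.append((name, f"{t['group_method']} user authentication is not supported on IKEv{ike}"))
        if t.get("peer_id") and ike == 1 and t.get("mode") != "aggressive":
            problems.append((name, "IKEv1 with a peer ID should use aggressive mode"))
        if ipaddress.ip_network(t["client_pool"]).overlaps(old_pool):
            problems.append((name, f"client pool {t['client_pool']} overlaps the SSL VPN pool {old_pool}"))
        if t.get("split_tunnel") and not t.get("split_include"):
            problems.append((name, "split tunneling is enabled but no networks are listed"))
        # tunnels sharing interface, IKE version and mode are told apart only by peer ID
        same_settings.setdefault((t["interface"], ike, t.get("mode")), []).append(t)
    for group in same_settings.values():
        ids = [t.get("peer_id") for t in group]
        if len(group) > 1 and (None in ids or len(set(ids)) != len(ids)):
            names = ", ".join(t["name"] for t in group)
            problems.append((names, "tunnels with identical settings need unique peer IDs"))
    for c in clients:
        tunnel = next((t for t in tunnels if t["name"] == c["tunnel"]), None)
        if tunnel is None:
            problems.append((c["tunnel"], "FortiClient profile refers to an unknown tunnel"))
            continue
        if tunnel.get("peer_id") and c.get("local_id") != tunnel["peer_id"]:
            problems.append((tunnel["name"], f"client local ID {c.get('local_id')!r} does not match peer ID {tunnel['peer_id']!r}"))
        if tunnel["group_method"] == "saml" and tuple(c["forticlient"]) < FORTICLIENT_SAML_MIN:
            problems.append((tunnel["name"], "SAML requires FortiClient 7.2.4 or later"))
    return problems


if __name__ == "__main__":
    for tunnel, problem in check_plan(TUNNELS, CLIENTS, "10.212.134.0/24") or [("all", "plan passes")]:
        print(f"{tunnel}: {problem}")
```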

Migrate VPNs before or after upgrade?

Deciding whether to migrate VPNs before or after an upgrade is a choice that administrators should make based on their
company policies, best practices, and business impact. One consideration is to evaluate the potential downtime for
remote users in either scenario.
Another factor to consider is whether the current firmware impacts security. If a security patch is critical, administrators
may decide to upgrade before migrating their VPN.
Finally, it takes time to carefully assess the design considerations, create a plan, execute and test configurations in a
controlled manner, and then deploy changes to users. Give yourself time to plan accordingly. Schedule your upgrade
and maintenance only after you decide on an approach.

FortiOS SSL VPN to dial-up VPN migration

Once you understand the design considerations, you can migrate the configurations based on your preferences. We
recommend taking a two-part approach:
• First, analyze the user authentication method(s) that are used in your current SSL VPN setup. Understand any
conditions that may require you to choose between different IPsec VPN implementations.
• Next, configure your IPsec tunnel settings using the VPN wizard. Further customization may be needed to complete
the configuration for specific setups.
The following sections will guide you through these steps:


• Topology on page 14
• Part 1: Identifying user authentication methods on page 14
• Part 2: Configuring IPsec tunnels using the VPN wizard on page 22

Topology

The examples in this migration guide use the following topology:

It is assumed that SSL VPN is preconfigured on the WAN interface of the FortiGate, and the remote users connect to the
WAN interface to access internal resources hosted behind the FortiGate’s LAN interface.
This SSL VPN configuration will be migrated to IPsec using the same basic topology.

Part 1: Identifying user authentication methods

In Part 1, we identify the user authentication methods currently used in your SSL VPN configuration. For each method,
we outline any restrictions and limitations related to using those methods for IPsec.
User authentication methods on FortiGate require configuration of either users or user groups. These user groups make
use of different authentication servers, such as RADIUS, LDAP, and SAML inside their configuration. These
preconfigured objects can generally be used in the IPsec VPN configurations without further modifications.
Follow these steps to identify the user authentication method currently used in your SSL VPN configuration. If you
already know the authentication method, you can skip these steps and go to Next steps after identifying the
authentication method on page 15.

To identify the user authentication method currently used in SSL VPN configurations:

1. Locate the user group(s) used in SSL VPN firewall policies:
   a. Go to Policy & Object > Firewall Policy.
   b. Edit the firewall policy that has the SSL VPN tunnel interface (ssl.root) in the Incoming interface field.
   c. Note the user groups used in the Source field inside the firewall policy.
   d. Repeat for all SSL VPN firewall policies to get a list of the user groups used for SSL VPN user
      authentication.
2. Identify the configured authentication method for SSL VPN:
   a. Go to User & Authentication > User Groups, and edit the group(s).
   b. Use the following statements to help you identify the configured authentication method:


If the configuration shows | Your authentication method is
Local users configured under Member, with no configuration under Remote Groups > Remote Server | Local user authentication
Remote Groups > Remote Server uses LDAP Server | LDAP-based user authentication
Remote Groups > Remote Server uses RADIUS Server | RADIUS-based user authentication
Remote Groups > Remote Server uses SAML SSO Server | SAML-based user authentication
PKI users are configured under Member, and Remote Groups > Remote Server uses LDAP Server or RADIUS Server | Certificate-based user authentication (Note: This guide does not demonstrate how to migrate certificate-based user authentication.)
    • If Remote Groups > Remote Server uses LDAP Server, then you are using certificate-based user authentication
      with LDAP as two-factor authentication.
    • If Remote Groups > Remote Server uses RADIUS Server, then you are using certificate-based user authentication
      with RADIUS as two-factor authentication.

Next steps after identifying the authentication method

Based on the identified authentication method, go to the following topics to find more information about migrating the
authentication method to IPsec VPN as well as specific IPsec IKE version support requirements, if any:
• Local user authentication on page 15
• LDAP-based user authentication on page 16
• RADIUS-based user authentication on page 18
• SAML-based user authentication on page 19
After reviewing the authentication method, move to Part 2, which outlines configuring IPsec tunnel using VPN wizard and
makes use of user groups discussed in Part 1.
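As an added example (not from the Fortinet guide), the following Python script automates Part 1: it parses a FortiOS CLI dump, finds the user groups on firewall policies whose incoming interface is ssl.root, classifies each group with the identification table above, and records the IKE versions each method supports for dial-up IPsec as stated in the per-method topics that follow (LDAP only on IKEv1, SAML only on IKEv2). The dump it parses is constructed from this guide's own snippets; the pki-user object, the Cert users group and the policy IDs are made up.

```python
"""Identify SSL VPN user groups and their authentication method (Part 1, automated).

Added example, not part of the Fortinet guide. From a FortiOS CLI dump it finds the
user groups used by policies whose incoming interface is ssl.root, classifies each
with the identification table above, and reports the IKE versions each supports.
"""
import shlex

# Constructed dump based on the guide's snippets; "pki-user" and "Cert users" are made up.
SAMPLE_CONFIG = """
config user local
    edit "johnlocus"
    next
end
config user ldap
    edit "LDAP Connector"
    next
end
config user radius
    edit "Radius Connector"
    next
end
config user saml
    edit "SAML-FAC"
    next
end
config user peer
    edit "pki-user"
    next
end
config user group
    edit "Local user group"
        set member "johnlocus"
    next
    edit "LDAP user group"
        set member "LDAP Connector"
    next
    edit "Radius user group"
        set member "Radius Connector"
    next
    edit "SAML User group"
        set member "SAML-FAC"
    next
    edit "Cert users"
        set member "pki-user" "LDAP Connector"
    next
end
config firewall policy
    edit 1
        set srcintf "ssl.root"
        set groups "Local user group" "LDAP user group"
    next
    edit 2
        set srcintf "ssl.root"
        set groups "SAML User group" "Cert users"
    next
end
"""
# FortiOS table that defines each member kind, and the IKE versions each method supports.
MEMBER_KIND = {"user local": "local", "user ldap": "ldap", "user radius": "radius",
               "user saml": "saml", "user peer": "pki"}
IKE_SUPPORT = {"local": ("IKEv1", "IKEv2"), "ldap": ("IKEv1",),
               "radius": ("IKEv1", "IKEv2"), "saml": ("IKEv2",)}

def parse_fortios(text):
    """Parse nested config/edit/set/next/end blocks into dicts keyed by name."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("config ", "edit ")):
            name = line.split(" ", 1)[1].strip('"')
            stack.append(stack[-1].setdefault(name, {}))
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            stack[-1][key] = shlex.split(value)  # keeps quoted values with spaces intact
        elif line in ("next", "end"):
            stack.pop()
    return stack[0]

def ssl_vpn_groups(cfg):
    """Step 1: user groups on policies whose incoming interface is ssl.root."""
    found = []
    for policy in cfg.get("firewall policy", {}).values():
        if "ssl.root" in policy.get("srcintf", []):
            found += [g for g in policy.get("groups", []) if g not in found]
    return found

def classify_group(cfg, name):
    """Step 2: apply the identification table to one user group."""
    kinds = {kind for member in cfg["user group"][name].get("member", [])
             for table, kind in MEMBER_KIND.items() if member in cfg.get(table, {})}
    remote = sorted(kinds & {"ldap", "radius", "saml"})
    if "pki" in kinds:  # certificate auth; LDAP/RADIUS act as the second factor
        return {"group": name, "method": "certificate", "second_factor": remote, "ike": ()}
    method = remote[0] if remote else "local" if "local" in kinds else "unknown"
    return {"group": name, "method": method, "ike": IKE_SUPPORT.get(method, ())}

def migration_report(cfg_text):
    cfg = parse_fortios(cfg_text)
    return [classify_group(cfg, g) for g in ssl_vpn_groups(cfg)]
```

Running `migration_report` on the output of `show` from your own FortiGate yields one row per SSL VPN user group, which is the list Part 2 expects as its input.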

Local user authentication

In local user authentication, username and password are configured locally on FortiGate for each user. You can then
configure local user groups to contain multiple local users. See Users to configure a local user, and see User groups to
configure user groups.
This example configuration shows a local user with username johnlocus added to local user group named Local user
group.


To view the configuration in the GUI:

1. Go to User & Authentication > User Groups.
2. Find the user group that you previously identified in the policy configuration, and double-click to see the details.
   In this example, the member johnlocus is displayed.

To view the configuration in the CLI:

    config user group
        edit "Local user group"
            set member "johnlocus"
        next
    end

Applying the user group

The user group named Local user group can be used inside the IPsec tunnel configuration, if you have a single user
group. If you have multiple user groups, they can be used inside firewall policies, after configuring Inherit from policy on
the IPsec tunnel. See Part 2: Configuring IPsec tunnels using the VPN wizard on page 22.

LDAP-based user authentication

IPsec IKEv1 uses XAUTH for user authentication, and IPsec IKEv2 uses EAP for user authentication. EAP is not
completely interoperable with LDAP. It requires customization on the LDAP server to store user credentials in plain text,
which is not feasible. Therefore, LDAP-based user authentication only works with XAUTH and only supports IPsec
IKEv1 by design. If you are required to use IKEv2, migrate to use RADIUS-based user authentication instead.


In LDAP-based user authentication, LDAP server acts as a centralized authentication server. Thus, usernames and
passwords must be directly managed on the LDAP server. To use this authentication method for IPsec (IKEv1),
FortiGate requires a configured LDAP server and user group that uses LDAP server. Optionally, to segregate user
groups based on user’s LDAP group membership to perform group matching, you can configure multiple user groups
and use group name option.
See Configuring an LDAP server to configure an LDAP server. See Tracking users in each Active Directory LDAP group
to configure group matching.
This example configuration shows an LDAP server named LDAP Connector that is used inside a user group named
LDAP user group. The Group Name setting matches only users belonging to the LDAP group called Domain Users on
the LDAP server. Only users belonging to Domain Users are allowed to connect to the IPsec tunnel.

To view the configuration in the GUI:

1. Go to User & Authentication > User Groups.
2. Find the user group that you previously identified in the policy configuration, and double-click to see the details.
   The Remote Group displays an LDAP server connector.

To view the configuration in the CLI:

    config user group
        edit "LDAP user group"
            set member "LDAP Connector"
            config match
                edit 1
                    set server-name "LDAP Connector"
                    set group-name "CN=Domain Users,CN=Users,DC=financial,DC=local"
                next
            end
        next
    end

Applying the user group

The user group named LDAP user group can be used inside the IPsec tunnel configuration, if you have a single user
group. If you have multiple user groups, they can be used inside firewall policies, after configuring Inherit from policy on
the IPsec tunnel. Be sure to change IKE version to version 2. See Part 2: Configuring IPsec tunnels using the VPN
wizard on page 22.

RADIUS-based user authentication

In RADIUS-based user authentication, the RADIUS server is used as a centralized authentication server. Thus,
usernames and passwords must directly be managed on the RADIUS server. To configure a RADIUS server on
FortiGate, see Configuring a RADIUS server.
To use this authentication method for IPsec, FortiGate requires a configured RADIUS server and a user group that
references the RADIUS server.
Optionally, to segregate user groups based on user’s group membership on RADIUS server, you can use the Group
Name option. FortiGate expects the RADIUS server to be configured correctly to return the correct RADIUS attribute
(that is, Fortinet-Group-Name VSA) in RADIUS response packet. See Restricting RADIUS user groups to match
selective users on the RADIUS server.
In this example configuration, FortiGate is configured with RADIUS server named Radius Connector, and a user group
called Radius user group references the RADIUS server. The group name option is configured to only allow the user to
connect to IPsec tunnel, if RADIUS server returns Domain Users in the RADIUS response packet to FortiGate.

To view the configuration in the GUI:

1. Go to User & Authentication > User Groups.
2. Find the user group that you previously identified in the policy configuration, and double-click to see the details.
   The Remote Group displays a RADIUS server connector.

To view the configuration in the CLI:

    config user group
        edit "Radius user group"
            set member "Radius Connector"
            config match
                edit 1
                    set server-name "Radius Connector"
                    set group-name "Domain Users"
                next
            end
        next
    end

Applying the user group

The user group named Radius user group can be used inside the IPsec tunnel configuration, if you have a single user
group. If you have multiple user groups, they can be used inside firewall policies, after configuring Inherit from policy on
IPsec tunnel. See Part 2: Configuring IPsec tunnels using the VPN wizard on page 22.

SAML-based user authentication

IPsec supports SAML-based user authentication on FortiClient version 7.2.4 and later. SAML authentication is only
supported on IPsec IKEv2; IPsec IKEv1 is not supported.
Be sure to upgrade FortiClient to version 7.2.4 or later. See Deployment & Installers to upgrade FortiClient using
FortiClient EMS.


Part 2 of this guide uses the VPN wizard to configure IPsec. By default, the VPN wizard configures IKEv1. The
configuration is then later customized to use IKEv2 along with enabling EAP for user authentication; see Changing from
IKEv1 to IKEv2 on page 31.
For SAML to work with IPsec, it needs additional configuration of the auth-ike SAML port, the SAML server certificate,
and the interface binding between the interface used by the IPsec VPN gateway and the SAML server. For an end-to-end
configuration example on deploying SAML with IKEv2 using different IdPs, review SAML-based authentication for
FortiClient remote access dialup IPsec VPN clients.
This example configuration demonstrates the additional SAML configurations needed. The configuration is based on
using FortiAuthenticator as the SAML IdP.

To configure and view the auth-ike-saml-port used for authentication in the CLI:

You can only configure and view this setting in the CLI.

    config system global
        set auth-ike-saml-port 9443
    end

To configure and view the SAML certificate in the GUI:

1. View the SAML server certificate configured for use with SAML.
   a. Go to User & Authentication > Authentication Settings.
   b. Enable Certificate, and select your SAML server certificate.


To view the SAML User Group in the GUI:

1. Go to User & Authentication > User Groups.
2. Find the user group that you previously identified in the policy configuration, and double-click to see the details.
   The Remote Groups display the SAML SSO server.

To configure and view the SAML configurations in the CLI:

1. View the SAML server certificate uploaded as SAML_Server_Certificate.

    config user setting
        set auth-cert "SAML_Server_Certificate"
    end

2. View the SAML user group named SAML User group that uses the SAML SSO server named SAML-FAC.

    config user group
        edit "SAML User group"
            set member "SAML-FAC"
            config match
                edit 1
                    set server-name "SAML-FAC"
                    set group-name "Corporate"
                next
            end
        next
    end


To configure the binding between the SAML server and the interface on which the IPsec gateway is configured:

1. Configure the binding between the SAML server and the interface on which the IPsec gateway is configured. This
   configuration can only be performed and viewed using the CLI.

    config system interface
        edit "WAN"
            set ike-saml-server "SAML-FAC"
        next
    end

Applying the user group

The user group named SAML User group can be used inside the IPsec tunnel configuration if you have a single user group. If you have multiple user groups, they can be used inside firewall policies after configuring Inherit from policy on the IPsec tunnel. See Part 2: Configuring IPsec tunnels using the VPN wizard on page 22.

Part 2: Configuring IPsec tunnels using the VPN wizard

After reviewing user authentication methods used in your current SSL VPN configuration and comparing it with IPsec
authentication methods discussed in Part 1: Identifying user authentication methods on page 14, you can now migrate
SSL VPN to IPsec VPN.
IPsec tunnels can be configured using the VPN wizard, a custom IPsec configuration, or a combination of both. In this
guide, the VPN wizard is used to configure IPsec tunnels. When using the VPN wizard, FortiGate configures IPsec
tunnels using IKEv1 in aggressive mode by default. IPsec tunnel configuration using the VPN wizard can also be
modified to use the needed IKE version, IKE mode, custom security associations (SAs), and other granular settings.

To configure IPsec using the VPN wizard:

1. On FortiGate, go to VPN > VPN Wizard. The VPN Wizard opens.
2. Set the following options, and click Begin:

Tunnel name
    Enter a name for the VPN tunnel. The name can be a maximum of 15 characters.

Select a template
    Select Remote Access.


The wizard proceeds to the Remote Endpoint step.

3. In the Remote Endpoint section, set the following options, and click Next:

VPN client type
    FortiClient (default option). Different clients are supported. Since SSL VPN tunnel mode required FortiClient, leave the default as FortiClient.

IP range for connected endpoints
    Enter the IP address range from which you want to assign IP addresses to the dialup clients that successfully connect to IPsec VPN.
    The VPN wizard only configures tunnels using mode-config and an address range. To use other methods, you can customize the settings. See IP address assignment.
    (Optional) You can use different address ranges from your current SSL VPN configurations to avoid IP overlap.

Subnet for connected endpoints
    255.255.255.255. Enter the subnet mask to be used by the clients. It is recommended to configure it as 255.255.255.255 since addresses are assigned to single clients.

FortiClient settings

(Optional) Security posture tags
    Select the desired ZTNA tag(s). See Augmenting VPN security with ZTNA for more information.

Save Password
    Enable saving the XAuth username and password on the VPN clients. Enabled by default. CLI setting: set save-password enable.

Auto Connect
    Allow the client to bring the tunnel up when there is no traffic. Disabled by default. CLI setting: set client-auto-negotiate disable.


Always up (keep alive)
    Allow the client to keep the tunnel up when there is no traffic. Disabled by default. CLI setting: set client-keep-alive disable.

The wizard proceeds to the VPN tunnel step.

4. In the VPN tunnel section, set the following options, and click Next:

Authentication method
    Choose between the following options:
    - Pre-shared key: create a unique pre-shared key. The key must be shared among all FortiClient endpoints to connect to VPN.
    - Signature: use to connect remote users to IPsec with certificate-based VPN authentication.
      - For Certificate Name, select the server certificate used to identify the VPN gateway.
      - For (Optional) User Group, see Signature.
      - For Peer Certificate CA, select the CA certificate that signed the certificates for FortiClient endpoints.
      Both the server certificate (Certificate Name) and the peer CA certificate (Peer Certificate CA) must be uploaded to FortiGate.
      For more information about the certificates, see Importing the certificates from Dialup IPsec VPN with certificate authentication.

User group
    Relates to the Authentication setting.
    When Authentication is set to Pre-shared key, select the user group to perform user authentication. Review the different types of user authentication methods available for IPsec:


    - Local user authentication on page 15
    - LDAP-based user authentication on page 16
    - RADIUS-based user authentication on page 18
    - SAML-based user authentication on page 19
    When Authentication is set to Signature, the User group setting is optional. Select a user group if you want to perform username and password authentication along with certificate authentication.
    Single user group: if your current SSL VPN's Authentication/Portal Mapping uses a single user group for user authentication, select that user group here.
    Multiple user groups: if your current SSL VPN's Authentication/Portal Mapping uses multiple user groups for user authentication, select any user group temporarily as a placeholder. This configuration will later be modified to use the Inherit from policy setting, which enables configuring the user groups directly in the firewall policy for user authentication. See Using multiple user groups on page 28.

DNS Server
    Select either:
    - Use System DNS: enables FortiClient to use its own DNS server.
    - Specify: lets you specify a unique DNS server.
    Note: if split tunneling is enabled and the specified DNS server is located behind FortiGate, ensure the DNS server is reachable through the Local interface and is part of the Local Address field IP scope.

Enable IPv4 Split Tunnel
    When enabled, only traffic destined for the networks configured in the Local address field goes through the tunnel (split tunneling). When disabled, all traffic from remote users goes through the tunnel (full tunneling).

Allow Endpoint Registration
    Deprecated. This setting does not affect the VPN configuration.


The wizard proceeds to the Local FortiGate step.

5. In the Local FortiGate section, set the following options, and click Next:

Incoming interface that binds to tunnel
    This interface is the same as the Listen on interface defined in your SSL VPN settings.

Create and add interface to zone
    Enable if the requirement is to segregate incoming interfaces into different zones. See Zones. Otherwise, disable.

Local interface
    The internal interface(s) that will be accessed by VPN users. The equivalent SSL VPN configuration is the destination interface(s) in the ssl.root to <destination> firewall policies.

Local address
    The internal network(s) that will be accessed by VPN users. The equivalent SSL VPN configuration is the destination address(es) in the ssl.root to <destination> firewall policies.


The wizard proceeds to the Review step.

6. In the Review section, review the configurations and objects, and then click Submit:

Addresses

Split address group
    Address group for the destination address(es) allowed by the tunnel. Used for split tunneling configurations.

Address
    Firewall address for the range defined for VPN clients.

Interfaces

VPN IPsec phase 1 interface
    IPsec phase 1 tunnel name and configuration.

VPN IPsec phase 2 interface
    IPsec phase 2 tunnel name and configuration.

Zone
    Name of the zone created for the IPsec tunnel, if zone creation was enabled.

Policies

Remote to local policies
    Name of the inbound firewall policy or policies.

Peer
    Name of the PKI user configured, if the selected authentication method is Signature.


The VPN wizard generates all required configurations, objects, and policies. Go to VPN > IPsec tunnels to view the
newly created IPsec tunnels.

Next steps

You may need to edit the IPsec tunnel settings created by the VPN wizard, depending on your requirements. For further
customization, see Customizing IPsec tunnel settings on page 28.

Customizing IPsec tunnel settings

You may need to edit the IPsec tunnel settings created by the VPN wizard, depending on your requirements. This
section includes the following optional procedures:
- Using multiple user groups on page 28
- Changing from IKEv1 to IKEv2 on page 31
- Changing Phase1 and Phase2 proposals on page 32

Using multiple user groups

If multiple user groups are configured in SSL VPN Authentication/Portal Mapping, then you can choose one of the
following design options:
- Option 1: Inherit settings from the policy on page 29
- Option 2: configure an IPsec tunnel for each user group on page 30


Option 1: Inherit settings from the policy

If your current SSL VPN configuration uses multiple user groups under Authentication/Portal mapping, you can achieve
the same on IPsec tunnels by using the Inherit from policy setting, which enables users to configure the user groups
directly on the firewall policy.

To inherit settings from the policy:

1. Go to VPN > IPsec Tunnels, and open the tunnel configuration for editing.
2. Under Authentication, set User Group to Inherit from policy.
3. Click OK to save.
4. Add the user groups to the auto-generated firewall policy:
   a. Go to Policy & Objects > Firewall Policy.
   b. Locate the respective firewall policy, and open it for editing.
      The VPN wizard uses a prefix of vpn_ for the policies it creates.
   c. Set the User/group field to the user group.
      For example, the user group named LDAP User Group is added to the automatically generated firewall policy named vpn_Dialup_remote_0.


   d. Click OK to save the firewall policy.
   e. Repeat this step on all policies created by the VPN wizard.

Option 2: configure an IPsec tunnel for each user group

Configure a new IPsec tunnel for each individual user group. Because multiple IPsec tunnels are configured on the same physical (WAN) interface, FortiGate uses a peer ID to differentiate between incoming IPsec connection attempts and associate each connection with the correct IPsec tunnel. As such, it is important to configure a unique peer ID for each IPsec tunnel, using the following steps.

To configure an IPsec tunnel for each user group:

1. Under VPN > IPsec Tunnels, edit the respective IPsec tunnel.
2. Under Authentication, change Accept Peer ID to Specific peer ID.


3. Enter a unique peer ID of your choice.
4. Click OK.

FortiClient must use the same peer ID when it sends the request to connect to the IPsec tunnel. The peer ID is called Local ID in FortiClient's VPN configuration. Thus, the Local ID on FortiClient must match the peer ID on FortiGate to connect to the correct IPsec tunnel.

Changing from IKEv1 to IKEv2

The VPN wizard uses IKEv1 to configure the IPsec tunnel. If you want to use IPsec IKEv2 instead, you can change the
configuration.

To configure IKEv2:

1. Go to VPN > IPsec Tunnels, and edit the IPsec tunnel.
2. Under Authentication, set IKE to Version 2.


3. Click OK.
4. IPsec IKEv2 uses EAP for user authentication. You must enable the following CLI settings for EAP to perform user authentication. These settings can only be enabled using the CLI. User authentication is then performed using user groups.
    config vpn ipsec phase1-interface
        edit <tunnel-name>
            set eap enable
            set eap-identity send-request
        next
    end

Changing Phase1 and Phase2 proposals

To change the security associations in phase 1 and phase 2 of the IPsec tunnel:

1. Go to VPN > IPsec Tunnels, and edit the IPsec tunnel.
2. Under Phase 1 Proposal, select the required custom configuration.
3. Under Phase 2 Selectors, select the phase 2 tunnel, and click Edit.
4. Select the required custom configuration, and click OK to save the changes to the phase 2 selectors.
5. Click OK to save the changes on the IPsec tunnel.


FortiClient endpoint configuration migration

Migration from SSL VPN to IPsec on FortiClient EMS must be done in parallel with the FortiGate configuration, since the IPsec settings have to match on both FortiGate (VPN server) and FortiClient (VPN client). On FortiClient EMS, VPN configuration is done through the Remote Access endpoint profile, which enables setting up SSL VPN, IPsec, or both. See the FortiClient EMS Remote Access documentation.
To get started, add a remote access profile under the Endpoint Profiles section on FortiClient EMS. See Creating a new profile.
Once the new Remote Access profile is added, add a tunnel under the VPN Tunnels section within the same Remote Access profile context.

To migrate using a FortiClient EMS Remote Access endpoint profile:

1. In FortiClient EMS, go to Endpoint Profiles.
2. Select the needed profile type, and click Add.
3. Click Add Profile to create a Windows, macOS, and Linux profile.
4. Click Add Tunnel and complete the options in the Basic Settings section to add a new connection:

Name
    Name of the tunnel.

Type
    Select IPsec VPN.

Remote Gateway
    IP address or FQDN that FortiClient uses to reach FortiGate for the VPN connection. If you used FortiGate's VPN wizard, this setting corresponds to the address of the incoming interface configured during the wizard's Authentication step. Typically, this is the same address used for the SSL VPN remote gateway.


Authentication Method
    Available options are Local Certificate, Pre Shared Key, Smart Card Certificate, and Local Store Certificate.
    The FortiGate VPN wizard permits either pre-shared key or signature. When the pre-shared key option is configured on the FortiGate, use the same value in the Pre Shared Key field in FortiClient EMS.
    If the signature authentication method is preferred, select the certificate option suitable for your company requirements. Ensure that the certificate's CA matches the Peer Certificate CA configured during the Authentication step of the FortiGate VPN wizard.

5. Under Basic Settings, go to the VPN Settings section, and configure the IKE version, Mode, and Options. These settings must match the ones configured on FortiGate.

IKE
    Select either Version 1 or Version 2. The FortiGate VPN wizard defaults to Version 1.

Mode
    Select Aggressive or Main mode. The default option for the FortiGate VPN wizard is Aggressive.

Options
    The Mode Config option is the default and is recommended. It is also the default mode configured on FortiGate by the VPN wizard.

6. Under Basic Settings, go to the Phase 1 section and configure the options. FortiGate's VPN wizard automatically selects phase 1 parameters. You can check these parameters by running the following CLI command on the FortiGate:
    show full vpn ipsec phase1-interface <tunnel-name>

Ensure that you match the phase 1 settings on FortiClient EMS to the phase 1 settings configured on FortiGate.


IKE Proposal
    Select the encryption and authentication algorithms used for generating keys to protect FortiClient and FortiGate negotiations. At least one of the selected encryption-authentication pairs must match one of the pairs configured on FortiGate. FortiGate's VPN wizard sets the following algorithms automatically:
    - AES128 - SHA256
    - AES256 - SHA256
    - AES128 - SHA1
    - AES256 - SHA1

DH Groups
    Select a Diffie-Hellman (DH) group. It must match one of the groups selected on FortiGate. The FortiGate VPN wizard configures DH groups 14 and 5 automatically.

Key Life
    Enter the time (in seconds) that must pass before the IKE encryption key expires. A new key is generated in real time without interrupting the service. Key life can be configured within the range of 120 to 172,800 seconds. The default value for the FortiGate VPN wizard is 86400 seconds.

Local ID
    Enter the Local ID. By default, the FortiGate VPN wizard leaves this setting blank.

7. Configure the remaining Phase 1 options as needed by your requirements. Refer to IPsec VPN documentation for
details.


Phase 1 configuration also allows configuring the Dead Peer Detection (DPD) mechanism on both FortiClient and FortiGate. DPD configuration is not available in the GUI but is available in XML on FortiClient EMS. For more information regarding DPD and how to configure it on FortiGate, see Dead peer detection. The IKE Settings section describes the FortiClient/EMS configuration of DPD with XML.
8. Under Basic Settings, go to the Phase 2 section. The same concept applies to the phase 2 settings: the settings on FortiClient EMS and FortiGate must match. As with phase 1, you can confirm what settings were automatically set by the FortiGate VPN wizard by running the following command on FortiGate:
    show full vpn ipsec phase2-interface <tunnel-name>

IKE Proposal
    Select the encryption and authentication algorithms used to protect the data transferred between the IPsec peers. At least one pair must match on both FortiClient and FortiGate. The FortiGate VPN wizard configures the following settings by default:
    - AES128-SHA1
    - AES256-SHA1
    - AES128-SHA256
    - AES256-SHA256
    - AES128GCM
    - AES256GCM

DH groups
    Configure the DH groups to match those on FortiGate. The FortiGate VPN wizard uses 14 and 5 by default.


Key Life
    Set the time until the phase 2 key expires. The default unit is seconds; however, you can also configure the key life in kilobytes (KBytes) or both. If both is selected, whichever limit is exceeded first takes precedence. The default value is 43200 seconds, which matches the value set by the FortiGate VPN wizard.

Replay Detection
    When enabled, FortiGate checks for already-received packets and discards the ones that arrive out of order. Enabled by default on both FortiClient EMS and FortiGate.

PFS
    PFS forces a new DH key exchange upon tunnel establishment and after phase 2 key expiration, causing a new key to be generated each time. Enabled by default on both FortiClient EMS and FortiGate.

9. Go to the Advanced Settings section to configure multiple options for the IPsec connection, including Save Password, Auto-Connect, and Always Up, which then appear in the FortiClient GUI. They enable automatic connection to a VPN tunnel and its recovery from network disruption. If you decide to include these settings in your configuration, ensure that you also configure them in the Client Options step of the FortiGate VPN wizard. For more information on the available options, refer to the Remote Access IPsec documentation.
10. Click Save to save the changes.
11. Push the profile to FortiClient endpoints.
12. On an endpoint, open FortiClient, and go to the Remote Access tab to confirm the settings have been pushed to FortiClient.


The user must select Save Password, Auto-Connect, and Always Up to activate them.
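Two rules in this section are easy to get wrong by hand: each dialup tunnel on the same interface needs its own peer ID (Option 2 above), and the EMS profile's phase 1 and phase 2 proposals, DH groups and key life must line up with what the FortiGate prints for show full vpn ipsec phase1-interface and phase2-interface (steps 6 and 8). The following Python script is an added example for this guide, not Fortinet code: it parses constructed sample output from those two commands, reports tunnels that share a peer ID on one interface, and lists any proposal, DH group or key-life mismatch against a constructed EMS profile. The tunnel names, interface name, peer ID and EMS values are placeholders; the setting keywords it reads (interface, peerid, proposal, dhgrp) are the ones FortiOS prints for these objects.

```python
"""Consistency checks for a FortiGate dialup IPsec tunnel against a FortiClient EMS
profile. Added example for this guide, not Fortinet code; sample data is constructed."""
import re
from typing import Dict, List, Set

# Constructed samples of `show full vpn ipsec phase1-interface` / `phase2-interface`
# output, trimmed to the settings these checks read. Tunnel, interface and peer ID
# names are placeholders; both tunnels deliberately share "WAN" and peer ID "sales".
PHASE1_SHOW = """
config vpn ipsec phase1-interface
    edit "Dialup_Sales"
        set interface "WAN"
        set peerid "sales"
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dhgrp 14 5
    next
    edit "Dialup_Eng"
        set interface "WAN"
        set peerid "sales"
    next
end
"""
PHASE2_SHOW = """
config vpn ipsec phase2-interface
    edit "Dialup_Sales"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm
        set dhgrp 14 5
    next
end
"""

# Constructed EMS profile values, spelled the way the EMS GUI labels them.
EMS_PROFILE = {
    "phase1_proposals": ["AES256 - SHA256", "AES256 - SHA512"],
    "phase1_dh": [14],
    "phase1_keylife": 86400,
    "phase2_proposals": ["AES128GCM"],
    "phase2_dh": [5],
}

EDIT_RE = re.compile(r'^\s*edit\s+"?([^"]+?)"?\s*$')
SET_RE = re.compile(r'^\s*set\s+(\S+)\s+(.*\S)\s*$')

def parse_show(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Turn FortiOS `show` output into {tunnel: {setting: [values]}}."""
    tunnels: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for line in text.splitlines():
        m = EDIT_RE.match(line)
        if m:
            current = m.group(1)
            tunnels[current] = {}
        elif current is not None and (m := SET_RE.match(line)):
            tunnels[current][m.group(1)] = [v.strip('"') for v in m.group(2).split()]
    return tunnels

def norm(proposal: str) -> str:
    """'AES128 - SHA256' (EMS label) -> 'aes128-sha256' (FortiOS keyword)."""
    return proposal.lower().replace(" ", "").replace("_", "-")

def proposal_overlap(fgt: List[str], ems: List[str]) -> Set[str]:
    """Encryption/authentication pairs offered by both sides; IKE needs at least one."""
    return {norm(p) for p in fgt} & {norm(p) for p in ems}

def dh_overlap(fgt: List[str], ems: List[int]) -> Set[int]:
    return {int(g) for g in fgt} & set(ems)

def keylife_in_range(seconds: int) -> bool:
    """EMS accepts a phase 1 key life of 120 to 172,800 seconds."""
    return 120 <= seconds <= 172800

def duplicate_peer_ids(p1: Dict[str, Dict[str, List[str]]]) -> Dict[tuple, List[str]]:
    """Tunnels on one interface sharing a peer ID (or all lacking one) cannot be told apart."""
    groups: Dict[tuple, List[str]] = {}
    for name, cfg in p1.items():
        key = (cfg.get("interface", [""])[0], cfg.get("peerid", [""])[0])
        groups.setdefault(key, []).append(name)
    return {k: v for k, v in groups.items() if len(v) > 1}

def check_profile(p1: Dict, p2: Dict, tunnel: str, ems: Dict) -> List[str]:
    """Mismatches between one tunnel and the EMS profile; an empty list means consistent."""
    c1, c2 = p1[tunnel], p2[tunnel]
    findings: List[str] = []
    if not proposal_overlap(c1.get("proposal", []), ems["phase1_proposals"]):
        findings.append("phase 1: no common IKE proposal")
    if not dh_overlap(c1.get("dhgrp", []), ems["phase1_dh"]):
        findings.append("phase 1: no common DH group")
    if not keylife_in_range(ems["phase1_keylife"]):
        findings.append("phase 1: EMS key life outside 120..172800 s")
    if not proposal_overlap(c2.get("proposal", []), ems["phase2_proposals"]):
        findings.append("phase 2: no common proposal")
    if not dh_overlap(c2.get("dhgrp", []), ems["phase2_dh"]):
        findings.append("phase 2: no common DH group")
    return findings

if __name__ == "__main__":
    p1, p2 = parse_show(PHASE1_SHOW), parse_show(PHASE2_SHOW)
    print("shared peer IDs:", duplicate_peer_ids(p1))
    print("profile mismatches:", check_profile(p1, p2, "Dialup_Sales", EMS_PROFILE))
```

To use it against a real FortiGate, paste the output of the two show commands in place of the constructed strings and enter the EMS values as they appear in the profile; the overlap checks deliberately pass as long as one proposal pair and one DH group are shared, because that is all IKE negotiation requires, while the peer ID check flags any two tunnels on one interface that a client could not be routed between.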


Copyright© 2024 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were
attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance
results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract,
signed by Fortinet’s Chief Legal Officer, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only
the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change,
modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
