SSL VPN vs IPsec dialup user

Might be. I haven’t tested this feature yet.

Their information also says that “Create an IPsec tunnel on both FortiGates via CLI and ensure the IKE version is 2.”

I wonder if that is actually required, or if version 1 is supported in this new TCP feature?

On a side note, I have my IPsec using version 1, as it appears the Android FortiClient app does not seem to support version 2… Has anyone got the Android FortiClient to use version 2?

Do you mind detailing this?

We have never used Fortitoken, that seems like a pain in the ass.

The Azure/Entra integrations have been working wonderfully and we have had zero issues deploying and supporting them. It’s just NPS with an added step; it is also not bound to just push, it just defaults to the users’ preferred “less secure” type.

We also have a number of Duo proxies handling MFA for VPN without issue as well.

Currently labbing the IPSec SSO in 7.4, hoping they iron that out. It will probably become our main deploy type.

Hi, just wondering what is meant by “on the Gate”. I implemented IPsec VPN with FortiTokens and it works relatively well with FortiClients so far for the few clients. Just want to know whether there are any security concerns.

Thank you for this! I’m going to go the SSL VPN route.

I couldn’t get it working on iOS natively with IKEv2, but I’m unsure about FCT on the device.

You can instruct the FortiGate to listen for IPsec traffic on any port other than UDP port 500.

By default, IPsec listens on UDP 500/4500. You can instruct the gate to listen on any TCP port.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-TCP-as-transport-for-IKE-IPsec-traffic/ta-p/300834

https://docs.fortinet.com/document/fortigate/7.0.0/new-features/33578/configurable-ike-port

I have to mention, since your post is about remote access VPN, that I have not tested this with FortiClient myself, but I have multiple boxes installed in countries that block IPsec, with S2S tunnels and a complete SD-WAN setup using ADVPN+BGP running on a custom port.
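As an added example (not the thread’s own configuration and not copied from the linked Fortinet articles), the CLI fragment below shows the two ways the post above refers to: moving IKE off UDP 500 with the `ike-port` setting that the linked 7.0 “configurable IKE port” note covers, and carrying IKE/IPsec over TCP as the linked community tip describes. The `ike-tcp-port` and `transport` lines are the syntax I understand the 7.4 IKE-over-TCP feature uses and should be checked against that tip for your firmware; the interface name, tunnel name, ports and pre-shared key are placeholders.

```fortios
# Move IKE to a non-default UDP port (FortiOS 7.0+, "configurable IKE port").
# Dialup clients and any upstream filtering must be told about the new port;
# the listener's behaviour (authentication, local-in policy, logging) is unchanged.
config system settings
    set ike-port 10500
    # TCP port for IKE over TCP (7.4.x feature from the linked tip; syntax assumed).
    set ike-tcp-port 4443
end

# Dialup phase 1 that uses TCP transport. The tip requires IKEv2 for this,
# which matches the earlier quote in the thread.
config vpn ipsec phase1-interface
    edit "DIALUP_TCP"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set transport tcp
        set peertype any
        set proposal aes256-sha256
        set psksecret <placeholder-psk>
    next
end
```

Changing the port only changes where the listener is reachable; it is a reachability workaround for networks that filter UDP 500/4500, not a hardening step, so the dialup group, authentication and local-in logging still need to be configured as for a tunnel on the default ports.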

Rather than using FortiAuthenticator or some other RADIUS / SAML auth platform, it means installing FortiTokens directly onto the FortiGate for MFA with locally-specified accounts (whether they are local accounts or remote accounts). Currently, using FortiToken directly on the Gate with IPsec does not work. FortiClient doesn’t wait for an MFA prompt and immediately disconnects.

I have my config for SSL VPN here:

https://github.com/wallacebrf/dns

https://github.com/wallacebrf/dns/blob/main/SSL_VPN%20Config%20with%20loopback%20and%20auto-block.txt

It has a loopback, blocks most countries, blocks tons of bad ASNs, and auto-blocks brute-force attacks.

Take a look and let me know if you have any questions.

I used a lot of the information from yurisk.info; his site is great.

Does FortiToken MFA work when using the iOS native client?

This is some nice-to-know info, thanks for this.

I see, thanks for the info! That’s what I deploy though: FortiToken directly on the FortiGate with a local user account and IPsec VPN for the users. But I set those up 2-3 years back; maybe the FortiGate version and FortiClient version were older and okay. So far no user complaints for those VPNs.

Thanks! I started setting it up and I’m not seeing the SSL VPN login page on the loopback, whether accessing internally or externally via DNAT. I wanted to see the page before I disable the page lol. I had to take a break before I pulled my hair out lol. Maybe I’ll get somewhere after lunch! And FortiManager makes it even more fun to set up haha.

I tested with another FortiGate and I can see the SSL VPN login page with the SSL VPN listening on the loopback and a policy to allow me to connect to it internally. The actual firewall I need to get this working on doesn’t seem to actually be listening on the loopback. I decided to ignore the web page issue and just see if I can log in via the FortiClient. I ran a packet capture during this. The FortiClient can never connect, and I see three SYNs from the FortiGate’s point of view and never a SYN-ACK. It’s like the SSL VPN is not running or something. I’ve disabled and re-enabled it via CLI as well…

Not sure, never spent much time on it to get it working.

Never mind. I needed a policy referencing the SSL VPN root interface for it to actually “wake up” and respond. SMH. Didn’t think about that because I wasn’t at the point of worrying about who can talk to who just yet. lol
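As an added example (not the thread’s own configuration and not the linked GitHub file), the fragment below puts together the pieces the last few posts needed: an SSL VPN listener bound to a loopback interface, a policy that lets traffic reach that loopback, and the policy with `ssl.root` as its source interface without which the listener did not answer (the SYNs with no SYN-ACK in the capture). The interface names, addresses, address objects and user group are placeholders.

```fortios
# Loopback interface the SSL VPN will listen on (placeholder address).
config system interface
    edit "SSLVPN_LB"
        set type loopback
        set ip 10.255.255.1 255.255.255.255
        set allowaccess ping
    next
end

# Address object for the loopback, used as the policy destination.
config firewall address
    edit "SSLVPN_LB_ADDR"
        set subnet 10.255.255.1 255.255.255.255
    next
end

# Bind the SSL VPN portal to the loopback instead of the WAN interface.
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-interface "SSLVPN_LB"
    set source-address "all"
    set port 443
end

# Policy that allows clients (external via DNAT, or internal for testing)
# to reach the loopback listener. Narrow srcaddr with geo/ASN objects in production.
config firewall policy
    edit 0
        set name "to-sslvpn-loopback"
        set srcintf "wan1"
        set dstintf "SSLVPN_LB"
        set srcaddr "all"
        set dstaddr "SSLVPN_LB_ADDR"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
end

# The policy the last post found was missing: a policy whose source interface
# is ssl.root. Without one the SSL VPN listener does not respond at all.
config firewall policy
    edit 0
        set name "sslvpn-to-lan"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "LAN_NET"
        set groups "sslvpn_users"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

A quick check after applying this is to connect from an internal host to the loopback address on the SSL VPN port and confirm a SYN-ACK in a packet capture on the FortiGate; if the SYNs go unanswered, the `ssl.root` policy is the first thing to verify.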