SSL VPN to IPsec VPN Migration

FortiOS 7.6.0
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO LIBRARY

https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT

https://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM

https://www.fortinet.com/training-certification

FORTINET TRAINING INSTITUTE

https://training.fortinet.com

FORTIGUARD LABS
https://www.fortiguard.com

END USER LICENSE AGREEMENT

https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: [email protected]

February 13, 2025

FortiOS 7.6.0 SSL VPN to IPsec VPN Migration
01-760-1018190-20250213
 TABLE OF CONTENTS

Change Log 4
Introduction 5
Migration background 6
Security Comparison 6
IKEv1 or IKEv2? 6
Tunneling protocol and encapsulation 7
Migration basics 8
Design considerations 8
Authentication method 9
Multiple user groups 9
Full tunneling versus split tunneling 10
Client address assignments 10
Split DNS and DNS suffix 10
Policy configurations 10
FortiClient or endpoint configurations 11
Migrate VPNs before or after upgrade? 14
FortiOS SSL VPN to dial-up VPN migration 14
Topology 14
Part 1: Identifying user authentication methods 15
Part 2: Configuring IPsec tunnels using the VPN wizard 23
FortiClient endpoint configuration migration 32

FortiOS 7.6.0 SSL VPN to IPsec VPN Migration 3

Fortinet Inc.
Change Log

Date Change Description

2024-07-25 Initial release.

2025-02-12 Updated for FOS 7.6.1.

2025-02-13 Added Split DNS and DNS suffix on page 10.

FortiOS 7.6.0 SSL VPN to IPsec VPN Migration 4

Fortinet Inc.
Introduction

Virtual Private Network (VPN) technology allows users, devices, and sites to securely connect to each other over the
internet in an otherwise insecure medium. SSL VPN and IPsec VPN in particular are well used technologies that are
easy to configure and deploy.
Each technology has its advantages and common use cases. SSL VPN, for example, is typically tailored towards secure
remote access from individual users and endpoints. It is generally easy to set up, and because connections are secured
over TLS on TCP/443, few ISPs will restrict SSL VPN connections. It also offers two modes (tunnel and web mode) that
can be provisioned in agent and agentless deployments.
On the other hand, IPsec VPN is typically associated with site-to-site connections, and is especially convenient in multi-
site hub and spoke deployments using ADVPN (Auto Discovery VPN). Complex multi-site deployments are simplified, as
ADVPN incorporates automatic tunnel establishment between sites, dynamic routing, and mass provisioning using an
orchestrator such as FortiManager.
On a smaller scale, IPsec VPN is just as capable of supporting remote users using dial-up VPN connections. Protocols,
encryption algorithms, and authentication methods can all be customized to suit a company’s needs.
Finally, as an alternative to VPN—and especially SSL VPN web-based VPN—ZTNA (Zero Trust Network Access) can
also be used to secure remote access. ZTNA offers a seamless connection secured over TLS between the endpoints
and Zero Trust Application Gateway. A Zero Trust approach assumes devices cannot be trusted until they have passed
required security posture checks, such as client certificate verification and vulnerability scans. See the SSL VPN to
ZTNA Migration Guide for more information.
This document explores SSL VPN and IPsec VPN a little deeper, as well as things to consider while migrating from SSL
VPN to IPsec VPN. Additionally, we will review examples of common SSL VPN use cases and demonstrate steps to
migrate these setups to IPsec VPN.

FortiOS 7.6.0 SSL VPN to IPsec VPN Migration 5

Fortinet Inc.
Migration background

To understand how to migrate from SSL VPN to IPsec VPN, we first examine a few aspects of each VPN technology:
l Security Comparison on page 6
l IKEv1 or IKEv2? on page 6
l Tunneling protocol and encapsulation on page 7

Security Comparison

SSL VPN offers security through TLS in the following ways:

l By encrypting the data transmitted between the client and the VPN gateway using cryptographic algorithms to
ensure data in transit has not been tampered
l By providing an authentication mechanism for client and server to verify the identify of each other
l By using secure key exchanges such as Diffie-Hellman to establish shared secrets between client and server
l By using X.509 certificates to authenticate servers and optionally clients
IPsec offers security through the ISAKMP (Internet Security Association and Key Exchange Management Protocol)
framework:
l By using the IKE (Internet Key Exchange) protocol to negotiate the parameters of secure communication, generate
and manage keys, and establish SAs (Security Associations) between the communicating parties
l By encrypting data packets using symmetric encryption algorithms, such as AES, 3DES, CHACHA, that are
negotiated by IKE with keys that are generated by IKE. See Phase 1 Configurations.
l By using HMAC (Hash-based Message Authentication Code) to verify the integrity of the message and ensure data
in transit has not been tempered. See Phase 1 Configurations.
l By specifying key lifetimes and other security settings used in the SAs
IPsec offers flexibility in choosing the encryption and hashing algorithm as well as key lifetime intervals as opposed to
SSL VPN, which negotiates the cipher suite between the client and server.

IKEv1 or IKEv2?

FortiGate supports IKEv1 and IKEv2, and both are configured similarly. The underlying protocol for IKEv2 is more
streamlined, requiring fewer message exchanges to negotiate the SAs compared to IKEv1. The major difference is
IKEv1 uses XAuth (Extended Authentication) for user authentication, and IKEv2 uses EAP (Extensible Authentication
Protocol). IKEv1 is generally well used and well understood, with a more rigid protocol that is simpler to troubleshoot.
Whereas IKEv2 offers more flexibility, resulting in more variations when troubleshooting.

FortiOS 7.6.0 SSL VPN to IPsec VPN Migration 6

Fortinet Inc.
Migration background

Tunneling protocol and encapsulation

SSL VPN uses the TLS protocol for tunneling.

However, Fortinet’s IPsec VPN offers the following options for tunneling and encapsulation:
l Native ESP
l UDP encapsulation
l TCP encapsulation with Fortinet proprietary extension to allow inline ASIC offloading
l TCP encapsulation using RFC 8229
When ESP is used without encapsulation, it connects directly over IP Protocol 50. When ESP is encapsulated within
UDP, it uses UDP/500 and UDP/4500 for NAT traversal, which are the options for dialup IPsec VPN.
In IPsec site-to-site tunnels, the UDP port can be customized. See Configurable IKE port.
In IPsec site-to-site tunnels using IKEv2, the TCP port can also be customized. See Encapsulate ESP packets within
TCP headers
For Remote access VPN tunnels where FortiGate acts as a dialup IPsec server for FortiClient endpoints, a custom TCP
port is configurable to encapsulate IPsec traffic, allowing VPN traffic from FortiClient to traverse restrictive firewalls that
only permit TCP-based traffic. This feature is only supported on IKE version 2, see Dialup IPsec VPN using custom TCP
port. On the FortiClient side, this feature requires FortiClient 7.4.1 or later. For information on configuring custom TCP
port on FortiClient, see IPsec VPN over TCP.

FortiOS 7.6.0 SSL VPN to IPsec VPN Migration 7

Fortinet Inc.
Migration basics

Once you understand the differences between SSL VPN and IPsec VPN technologies, it is time to plan the migration.
This section describes the following:
l Design considerations on page 8
l FortiOS SSL VPN to dial-up VPN migration on page 14
l FortiClient endpoint configuration migration on page 32

Design considerations

The following example diagram represents a common SSL VPN tunnel-mode topology:

Individual users connect from the internet to the WAN interface of the FortiGate. Each user must authenticate to be
granted access and establish an SSL VPN tunnel. Once connected, traffic is encrypted and secured by TLS between the
endpoint and the FortiGate WAN interface. Users can access internal resources based on the configured firewall policy
for their user group.
In a dial-up IPsec VPN scenario, the topology will be generally the same.

Individual users connect to the WAN interface of the VPN gateway and will authenticate using the chosen method. Once
the IPsec tunnel is established, traffic is encrypted and secured by the ISAKMP protocol between the endpoint and the
FortiGate WAN interface. Users can access internal resources based on the configured firewall policy for their user
group.
In conclusion, no topology design changes are needed to migrate from SSL VPN to IPsec VPN.

FortiOS 7.6.0 SSL VPN to IPsec VPN Migration 8

Fortinet Inc.
 Migration basics

Authentication method

In order to establish an SSL VPN tunnel, users must authenticate to a user group that is associated with SSL VPN in a
user group to portal mapping. Authentication can be any of the following methods supported by the FortiGate:

SSL VPN Authentication Methods Requirement

l PKI Required to configure at least one of these user
l Local authentication methods
l LDAP
l RADIUS
l SAML
l Two-factor authentication Optional

Two-factor authentication using FortiToken is also supported, and can work in combination with Local, LDAP, RADIUS
or SAML authentication.
For IPsec tunnels, users can authenticate using pre-shared keys or certificates or through XAuth (Extended
Authentication) in IKEv1 tunnels and EAP in IKEv2 tunnels. Authentication can be any of the following methods
supported by the FortiGate:

Authentication Methods IKE Version Requirement

l Pre-shared key IKEv1 and IKEv2 Required to configure one of these
l PKI (Signature) user authentication methods

l LDAP IKEv1 Optional user authentication

methods.
l Local IKEv1 and IKEv2 (IPsec IKEv1 uses XAUTH, and
l RADIUS IPsec IKEv2 uses EAP for user
authentication.)
l SAML IKEv2

l Two-factor authentication IKEv1 and IKEv2 Optional

Pre-shared key and PKI authentication can be paired with any of the other user authentication methods. Two-factor
authentication using FortiToken is also supported and can work in combination with Local, LDAP, RADIUS, or SAML
authentication.
In conclusion, when migrating from SSL VPN to IPsec VPN, all authentication methods are supported and can be
migrated. Users and user groups can be reused in the new IPsec configurations. Administrators must choose a pre-
shared key or PKI certificate while configuring the IPsec tunnel as it is a required setting.

Multiple user groups

SSL VPN configurations use only one SSL VPN settings page and one SSL VPN interface. Multiple user groups can be
configured and mapped to different portals, and granular access is controlled by the firewall policy.

FortiOS 7.6.0 SSL VPN to IPsec VPN Migration 9

Fortinet Inc.
 Migration basics

In IPsec VPN, one dial-up VPN tunnel setting can accommodate one or more user groups by defining the group within
the VPN settings or inheriting the groups from the firewall policy. Unlike SSL VPN, administrators can also create
individual dial-up VPN tunnels for each group.
When using multiple dial-up VPN tunnels, each tunnel with the same settings requires a unique peer ID in order for dial-
up clients to engage the right tunnel when initiating a connection to the VPN gateway. In IKEv1, it is recommended to use
aggressive mode to accommodate the peer ID field within the phase1 tunnel.
When migrating from SSL VPN to IPsec VPN, use one of these methods to define your group settings.

Full tunneling versus split tunneling

Full tunneling forces all remote user traffic to go through the VPN; whereas, split tunneling allows administrators to
specify the traffic destinations that go through VPN.
Both SSL VPN and IPsec VPN support split tunneling. By default, SSL VPN enables split tunneling based on the
destination configured in the firewall policy. By default, IPsec disables split tunneling in custom configurations, but
enables it in wizard configurations. When enabled, you must configure the network(s) to be included or excluded from
routing through the tunnel.

Client address assignments

SSL VPN assigns addresses out of a pre-defined or custom IP range. Dialup IPsec VPN has many methods of address
assignments. However, it is recommended to use mode config where the FortiGate acts as the IP addressing server.
The mode config setting has many options for address assignments, ranging from manual IP address range to
integration with a DHCP server.
Migrating from SSL VPN to IPsec VPN provides added flexibility in IP addressing. Use mode config and one of the
addressing options that it provides.

Split DNS and DNS suffix

SSL VPN in tunnel mode supports the configuration of both split DNS and DNS suffix. For dial-up IPsec tunnels, the
availability of these features depends on the IKE version in use.
l IKE version 1: Supports DNS suffix configuration but requires enabling unity-support in the Phase 1 configuration.
See IPsec DNS Suffix.
l IKE version 2: Supports split DNS. See IPsec Split DNS.
When configuring your environment, consider reviewing the existing SSL VPN settings to determine the most suitable
IKE version for your requirements.

Policy configurations

SSL VPN uses a single ssl.root tunnel interface as source within a firewall policy to control inbound access from
endpoint clients. User groups must be defined within the policy to control user groups that are allowed access to the
internal resources.

FortiOS 7.6.0 SSL VPN to IPsec VPN Migration 10

Fortinet Inc.
 Migration basics

Conversely, IPsec VPN creates a virtual VPN interface using the name of each IPsec tunnel. The virtual tunnel interface
(s) can be chosen as a source within a firewall policy to control inbound access from endpoint clients. User groups can
be defined in the policy and inherited by the VPN tunnel configurations, or they can be defined individually in each tunnel
configuration.
When migrating from SSL VPN to IPsec VPN, consider the changes to the firewall policies needed to accommodate user
group configurations.

FortiClient or endpoint configurations

When connecting to SSL VPN in tunnel mode, endpoints must have FortiClient installed. Same is the case for IPsec
tunnels.
FortiClient can be installed individually on endpoints or managed by FortiClient EMS. Using FortiClient EMS is preferred
because it allows administrators to centrally manage their clients and easily scale their deployments. See FortiClient
endpoint configuration migration on page 32 for more information.
A basic FortiClient SSL VPN configuration consists of:

Connection name Local name to identify the tunnel.

Remote Gateway The address of the FortiGate SSL VPN interface.

Port The listening port on the FortiGate. Defaults to TCP/443. Can be customized to
another port.

Authentication Supports manual entry of username/password each time to authenticate or a

saved login.
When single sign-on is enabled, users can perform SAML authentication using
the embedded browser or through an external browser.

Client Certificate When SSL VPN server requires a client certificate, FortiClient must supply the
certificate to be used.

FortiOS 7.6.0 SSL VPN to IPsec VPN Migration 11

Fortinet Inc.
Migration basics

A basic FortiClient IPsec VPN configuration consists of:

Connection name Local name to identify the tunnel.

Remote Gateway The address of the FortiGate IPsec VPN gateway.

Authentication Method Either a pre-shared key or X.509 client certificate.

Authentication (XAuth or EAP) Supports manual entry of username/password each time to authenticate or a
saved login.

Failover SSL VPN Relevant only when using SSL VPN for redundancy. Set to None otherwise.

Single Sign On Enable to use SAML authentication.

This feature is available on FortiClient 7.2.4 and later.

Advanced Settings Additional IPsec VPN settings such as:

l IKE version

l Main/Aggressive mode (for IKEv1)

l Addressing mode
l Phase1 options
l Phase2 options

FortiOS 7.6.0 SSL VPN to IPsec VPN Migration 12

Fortinet Inc.
Migration basics

The Advanced Settings options include granular settings such as:

VPN Settings l IKE version

l Main/Aggressive mode (for IKEv1)
l Addressing mode
l Phase1 options
l Phase2 options

Phase 1 l IKE proposal – Encryption and Authentication algorithms

l DH Group
l Key Life
l Local ID
l Dead Peer Detection
l NAT Traversal
l Local LAN

Phase 2 l IKE proposal – Encryption and Authentication algorithms

l Key Life
l Replay Detection
l Perfect Forward Secrecy (PFS)
l DH Group

FortiOS 7.6.0 SSL VPN to IPsec VPN Migration 13

Fortinet Inc.
 Migration basics

These settings must match the VPN settings configured on the FortiGate. For example, when multiple dial-up tunnels
are configured on the FortiGate with peer ID enabled, the client must configure a local ID to match. On FortiClient,
configure a local ID under Phase 1 options.
VPN settings should be configured and centrally managed by FortiClient EMS and pushed to each endpoint when
possible. From FortiClient EMS, create a new remote access profile for the IPsec tunnel to match the FortiGate tunnel
setting. See FortiClient or endpoint configurations on page 11 for more information about IPsec configuration using
FortiClient EMS.

Migrate VPNs before or after upgrade?

Deciding whether to migrate VPNs before or after an upgrade is a choice that administrators should make based on their
company policies, best practices, and business impact. One consideration is to evaluate the potential downtime for
remote users in either scenario.
Another factor to consider is whether the current firmware impacts security. If a security patch is critical, administrators
may decide to upgrade before migrating their VPN.
Finally, it takes time to carefully assess the design considerations, create a plan, execute and test configurations in a
controlled manner, and then deploy changes to users. Give yourself time to plan accordingly. Schedule your upgrade
and maintenance only after you decide on an approach.

FortiOS SSL VPN to dial-up VPN migration

Once you understand the design considerations, you can migrate the configurations based on your preferences. We
recommend taking a two-part approach:
l First, analyze the user authentication method(s) that are used in your current SSL VPN setup. Understand any
conditions that may require you to choose between different IPsec VPN implementations.
l Next, configure your IPsec tunnel settings using the VPN wizard. Further customization may be needed to complete
the configuration for specific setups.
The following sections will guide you through these steps:
l Topology on page 14
l Part 1: Identifying user authentication methods on page 15
l Part 2: Configuring IPsec tunnels using the VPN wizard on page 23

Topology

The examples in this migration guide use the following topology:

FortiOS 7.6.0 SSL VPN to IPsec VPN Migration 14

Fortinet Inc.
 Migration basics

It is assumed that SSL VPN is preconfigured on the WAN interface of the FortiGate, and the remote users connect to the
WAN interface to access internal resources hosted behind the FortiGate’s LAN interface.
This SSL VPN configuration will be migrated to IPsec using the same basic topology.

Part 1: Identifying user authentication methods

In Part 1, we identify the user authentication methods currently used in your SSL VPN configuration. For each method,
we outline any restrictions and limitations related to using those methods for IPsec.
User authentication methods on FortiGate require configuration of either users or user groups. These user groups make
use of different authentication servers, such as RADIUS, LDAP, and SAML inside their configuration. These
preconfigured objects can generally be used in the IPsec VPN configurations without further modifications.
Follow these steps to identify the user authentication method currently used in your SSL VPN configuration. If you
already know the authentication method, you can skip these steps and go to Next steps after identifying the
authentication method on page 16.

To identify the user authentication method currently used in SSL VPN configurations:

1. Locate the user group(s) used in SSL VPN firewall policies:

a. Go to Policy & Object > Firewall Policy.
b. Edit the firewall policy that has SSL-VPN tunnel interface (ssl.root) in the Incoming interface field.
c. Note the user groups used in the Source field inside the firewall policy.
d. Perform the same step for all SSL VPN firewall policies to get a list of user groups used for SSL VPN user
authentication.
2. Identify the configured authentication method for SSL VPN:
a. Go to User & Authentication > User Groups, and edit the group(s).
b. Use the following statements to help you identify the configured authentication method:

If the configuration shows Your authentication method is

Local users configured under Member with no Local user authentication

configuration under Remote Groups > Remote
Server

Remote Groups > Remote Server, uses LDAP LDAP-based user authentication
Server

Remote Groups > Remote Server, uses RADIUS RADIUS-based user authentication
Server

FortiOS 7.6.0 SSL VPN to IPsec VPN Migration 15

Fortinet Inc.
Migration basics

If the configuration shows Your authentication method is

Remote Groups > Remote Server, uses SAML SSO SAML-based user authentication
Server

PKI users are configured under Member, and if Certificate-based user authentication
Remote Groups > Remote Server uses LDAP Server Note: This guide does not demonstrate how to
l If Remote Group > Remote Server uses LDAP
migrate certificate-based user authentication.
Server, then you are using Certificate-based
user authentication with LDAP as two-factor
authentication.
l If Remote Group > Remote Server uses
RADIUS Server, then you are using Certificate-
based user authentication with RADIUS as two-
factor authentication.

Next steps after identifying the authentication method

Based on the identified authentication method, go to the following topics to find more information about migrating the
authentication method to IPsec VPN as well as specific IPsec IKE version support requirements, if any:
l Local user authentication on page 16
l LDAP-based user authentication on page 17
l RADIUS-based user authentication on page 19
l SAML-based user authentication on page 20
After reviewing the authentication method, move to Part 2, which outlines configuring IPsec tunnel using VPN wizard and
makes use of user groups discussed in Part 1.

Local user authentication

In local user authentication, username and password are configured locally on FortiGate for each user. You can then
configure local user groups to contain multiple local users. See Users to configure a local user, and see User groups to
configure user groups.
This example configuration shows a local user with username johnlocus added to local user group named Local user
group.

To view the configuration in the GUI:

1. Go to User & Authentication > User Groups.

2. Find the user group that you previously identified in the policy configuration, and double-click to see the details.

FortiOS 7.6.0 SSL VPN to IPsec VPN Migration 16

Fortinet Inc.
Migration basics

In this example, the member johnlocus is displayed.

To view the configuration in the CLI:

config user group

edit "Local user group"
set member "johnlocus"
next
end

Applying the user group

The user group named Local user group can be used inside the IPsec tunnel configuration, if you have a single user
group. If you have multiple user groups, they can be used inside firewall policies, after configuring Inherit from policy on
the IPsec tunnel. See Part 2: Configuring IPsec tunnels using the VPN wizard on page 23.

LDAP-based user authentication

IPsec IKEv1 uses XAUTH for user authentication, and IPsec IKEv2 uses EAP for user authentication. EAP is not
completely interoperable with LDAP. It requires customization on the LDAP server to store user credentials in plain text,
which is not feasible. Therefore, LDAP-based user authentication only works with XAUTH and only supports IPsec
IKEv1 by design. If you are required to use IKEv2, migrate to use RADIUS-based user authentication instead.
In LDAP-based user authentication, LDAP server acts as a centralized authentication server. Thus, usernames and
passwords must be directly managed on the LDAP server. To use this authentication method for IPsec (IKEv1),
FortiGate requires a configured LDAP server and user group that uses LDAP server. Optionally, to segregate user
groups based on user’s LDAP group membership to perform group matching, you can configure multiple user groups
and use group name option.

FortiOS 7.6.0 SSL VPN to IPsec VPN Migration 17

Fortinet Inc.
Migration basics

See Configuring an LDAP server to configure an LDAP server. See Tracking users in each Active Directory LDAP group
to configure group matching.
This example configuration shows an LDAP server named LDAP Connector that is used inside a user group named
LDAP user group. The Group Name setting matches only users belonging to the LDAP group called Domain Users on
the LDAP server. Only users belonging to Domain Users are allowed to connect to the IPsec tunnel.

To view the configuration in the GUI:

1. Go to User & Authentication > User Groups.

2. Find the user group that you previously identified in the policy configuration, and double-click to see the details.
The Remote Group displays an LDAP server connector.

To view the configuration in the CLI:

config user group

edit "LDAP user group"
set member "LDAP Connector"
config match
edit 1
set server-name "LDAP Connector"
set group-name "CN=Domain Users,CN=Users,DC=financial,DC=local"
next
end
next
end

FortiOS 7.6.0 SSL VPN to IPsec VPN Migration 18

Fortinet Inc.
Migration basics

Applying the user group

The user group named LDAP user group can be used inside the IPsec tunnel configuration, if you have a single user
group. If you have multiple user groups, they can be used inside firewall policies, after configuring Inherit from policy on
the IPsec tunnel. Be sure to change IKE version to version 2. See Part 2: Configuring IPsec tunnels using the VPN
wizard on page 23.

RADIUS-based user authentication

In RADIUS-based user authentication, the RADIUS server is used as a centralized authentication server. Thus,
usernames and passwords must directly be managed on the RADIUS server. To configure a RADIUS server on
FortiGate, see Configuring a RADIUS server.
To use this authentication method for IPsec, FortiGate requires a configured RADIUS server and a user group that
references the RADIUS server.
Optionally, to segregate user groups based on user’s group membership on RADIUS server, you can use the Group
Name option. FortiGate expects the RADIUS server to be configured correctly to return the correct RADIUS attribute
(that is, Fortinet-Group-Name VSA) in RADIUS response packet. See Restricting RADIUS user groups to match
selective users on the RADIUS server.
In this example configuration, FortiGate is configured with RADIUS server named Radius Connector, and a user group
called Radius user group references the RADIUS server. The group name option is configured to only allow the user to
connect to IPsec tunnel, if RADIUS server returns Domain Users in the RADIUS response packet to FortiGate.

To view the configuration in the GUI:

1. Go to User & Authentication > User Groups.

2. Find the user group that you previously identified in the policy configuration, and double-click to see the details.

FortiOS 7.6.0 SSL VPN to IPsec VPN Migration 19

Fortinet Inc.
Migration basics

The Remote Group displays a RADIUS server connector.

To view the configuration in the CLI:

config user group

edit "Radius user group"
set member "Radius Connector"
config match
edit 1
set server-name "Radius Connector"
set group-name "Domain Users"
next
end
next
end

Applying the user group

The user group named Radius user group can be used inside the IPsec tunnel configuration, if you have a single user
group. If you have multiple user groups, they can be used inside firewall policies, after configuring Inherit from policy on
IPsec tunnel. See Part 2: Configuring IPsec tunnels using the VPN wizard on page 23.

SAML-based user authentication

IPsec supports SAML-based user authentication on FortiClient version 7.2.4 and later. SAML authentication is only
supported on IPsec IKEv2. IPsec IKEv1 is not supported.
Ensure to upgrade FortiClient to version 7.2.4 or later. See Deployment & Installers to upgrade FortiClient using
FortiClient EMS.

FortiOS 7.6.0 SSL VPN to IPsec VPN Migration 20

Fortinet Inc.
Migration basics

Part 2 of this guide uses the VPN wizard to configure IPsec. By default, the VPN wizard configures IKE version 1. The
configuration is then later customized to use IKE version 2 along with enabling EAP for user authentication.
For SAML to work with IPsec, it needs additional configuration of auth-ike SAML port, SAML sever certificate, and
interface binding between interface used by IPsec VPN gateway and SAML server. For end-to-end configuration
example on deploying SAML with IKEv2 using different IdPs, review SAML-based authentication for FortiClient remote
access dialup IPsec VPN clients.
This example configuration demonstrates the additional SAML configurations needed. The configuration is based on
using FortiAuthenticator as the SAML IdP.

To configure and view the auth-ike-saml-port used for authentication in the CLI:

You can only configure and view this setting in the CLI.
config system global
set auth-ike-saml-port 9443
end

To configure and view the SAML certificate in the GUI:

1. View the SAML server certificated configured for use with SAML.
a. Go to User & Authentication > Authentication Settings.
b. Enable Certificate, and select your SAML server certificate.

To view the SAML User Group in the GUI:

1. Go to User & Authentication > User Groups.

2. Find the user group that you previously identified in the policy configuration, double-click to see the details.

FortiOS 7.6.0 SSL VPN to IPsec VPN Migration 21

Fortinet Inc.
Migration basics

The Remote Groups display the SAML SSO server.

To configure and view the SAML configurations in the CLI:

1. View SAML server certificate uploaded as SAML_Server_Certificate.

config user setting
set auth-cert "SAML_Server_Certificate"
end

2. View the SAML user group named SAML User group that uses the SAML SSO server named SAML-FAC.
config user group
edit "SAML User group"
set member "SAML-FAC"
config match
edit 1
set server-name "SAML-FAC"
set group-name "Corporate"
next
end
next
end

To configure the binding between the SAML server and the interface on which IPsec gateway is
configured:

1. Configure the binding between the SAML server and interface on which IPsec gateway is configured. This
configuration can only be performed and viewed using the CLI.

FortiOS 7.6.0 SSL VPN to IPsec VPN Migration 22

Fortinet Inc.
 Migration basics

config system interface

edit "WAN"
set ike-saml-server "SAML-FAC"
next
end

Applying the user group

The user group named SAML User group can be used inside the IPsec tunnel configuration, if you have a single user
group. If you have multiple user groups, they can be used inside firewall policies, after configuring Inherit from policy on
IPsec tunnel. See Part 2: Configuring IPsec tunnels using the VPN wizard on page 23.

Part 2: Configuring IPsec tunnels using the VPN wizard

After reviewing user authentication methods used in your current SSL VPN configuration and comparing it with IPsec
authentication methods discussed in Part 1: Identifying user authentication methods on page 15, you can now migrate
SSL VPN to IPsec VPN.
IPsec tunnels can be configured using either the VPN wizard in the GUI, or a custom IPsec configuration in the GUI or
CLI. In this guide, the VPN Wizard is used to configure IPsec tunnels. The settings specified in the VPN wizard for
configuring the IPsec tunnel can also be customized later to modify the IKE version, the IKE mode, or to specify custom
security associations (SAs) and other granular settings.

To configure IPsec using the VPN wizard:

1. On FortiGate, go to VPN > VPN Wizard. The VPN Wizard opens.

2. Set the following options, and click Begin:

Tunnel name Enter a name for the VPN tunnel.

The name can be a maximum of 15 characters.

Select a template Select Remote Access.

FortiOS 7.6.0 SSL VPN to IPsec VPN Migration 23

Fortinet Inc.
Migration basics

3. In the VPN tunnel section, set the following options, and click Next:

VPN client type Select FortiClient.

If you have other VPN clients installed on endpoints choose from: iOS,
Android/Windows, and Cisco.

Authentication method Choose between the following options:

l Pre-shared key: create a unique pre-shared key. The key must be shared

among all FortiClient endpoints to connect to VPN.

l Signature: Used to authenticate remote users to IPsec gateway using
their user certificates.
l Set Certificate Name to the server certificate used to identify the VPN
Gateway.
l Set Peer Certificate CA to the CA certificate that signed certificates
for FortiClient endpoints.
Both the server certificate (Certificate name) and peer CA (Peer
Certificate CA) certificates must be uploaded to FortiGate.
For more information about the certificates, see Importing the certificates from
Dialup IPsec VPN with certificate authentication.

IKE Select IKE version 2 or 1 based on your requirements.

Note that the supported user authentication methods vary based on the IKE
version, see Authentication method on page 9.

Transport Select from the following:

l UDP: Use UDP transport for IKE.

l Auto: Use UDP transport for IKE, with fallback to TCP transport.
l TCP encapsulation: Use TCP transport for IKE.
This option is only available when using IKE version 2.

FortiOS 7.6.0 SSL VPN to IPsec VPN Migration 24

Fortinet Inc.
Migration basics
Use Fortinet encapsulation
NAT traversal
Keepalive frequency
EAP peer identification
User authentication method
DNS Server
FortiOS 7.6.0 SSL VPN to IPsec VPN Migration
Fortinet Inc.
For more information on using custom TCP ports when TCP is used as
transport, see Using TCP as transport method on page 30.
l Enabled: Enables Fortinet TCP encapsulation that is an alternative to and
compliant with RFC 8229, allowing NP8 inline offload of IPsec traffic.
l Disabled: Uses TCP encapsulation based on RFC 8229 as per configured
transport setting.
This option is only available when using IKE version 2 and Transport is set to
Auto or TCP encapsulation.
l Enable: This option is used when there is a NAT device between
FortiGate and VPN clients. It enables NAT-T Discovery and Traversal if
NAT device is detected.
l Disable: Disables NAT-T Discovery.
l Forced: Enables NAT-T and forces to use UDP port 500 for ESP
encapsulation. This option is only available when using IKE version 1.
Keepalives keep the IPsec tunnel active by sending probes regularly per the
configured frequency, but only if the IPsec tunnel is idle and no traffic is flowing
through it. These probes prevent the NAT port session mappings on the
intermediate NAT devices in the ISP network from timing out. It is set to 10 by
default.
This option is only available when NAT traversal is set to Enabled or Forced.
To perform user authentication using EAP, select EAP identity request.
This option is only available when using IKE version 2.
When Authentication is set to Pre-shared key, select the user group to perform
user authentication. Review the different types of user authentication methods
available for IPsec:
l Local user authentication on page 16
l LDAP-based user authentication on page 17
l RADIUS-based user authentication on page 19
l SAML-based user authentication on page 20
When using IKE version 1 and Authentication method is set to Signature, the
User authentication method setting is optional. Select a user group if you want
to perform username and password authentication along with certificate
authentication.
Single User groups: If your current SSL VPN Authentication/Portal Mapping
uses a single user group for user authentication, select Phase 1 interface then
select the user group from the drop-down.
Multiple User groups: If your current SSL VPN Authentication/Portal Mapping
uses multiple user groups for user authentication, select Inherit from policy
setting then select the user groups. The specified user groups are
automatically added under User/group fields in the respective IPsec firewall
policies configured by the VPN Wizard.
Select either:
l Use System DNS: enables FortiClient to use its own DNS server.
25
Migration basics
Enable IPv4 Split Tunnel
4. In the Remote Endpoint section, set the following options, and click Next:
Addresses to assign to
connected endpoints
Subnet for connected
endpoints
FortiOS 7.6.0 SSL VPN to IPsec VPN Migration
Fortinet Inc.
l Specify: lets you specify a unique DNS server.
Note: If split tunneling is enabled, and the specified DNS server is located
behind FortiGate, ensure the DNS server is reachable through the Local
interface and is part of Local Address field IP scope.
When enabled, only traffic configured in the Local address field will go through
the tunnel (that is, split tunneling).
When disabled, all traffic from remote users will go through the tunnel (that is,
full tunneling).
Enter the IP address range that you need to assign IP addresses from to the
dialup clients that successfully connect to IPsec VPN.
The VPN wizard only configures tunnels using mode-config and address
range. To use other methods, you can customize the settings after the IPsec
tunnel is configured by the VPN Wizard. See IKE Mode Config clients.
(Optional) You can use different address ranges from your current SSL VPN
configurations to avoid IP overlap.
255.255.255.255
Enter the subnet mask to be used by the clients.
It is recommended to configure it as 255.255.255.255 since addresses are
assigned to single clients.
26
Migration basics

FortiClient settings

Security posture gateway Enable and select the required Security posture tags. See Augmenting VPN
matching security with ZTNA for more information.

Save Password Enable saving XAuth username and password on the VPN clients. Enabled by
default. CLI setting is set save-password enable.

Auto Connect Allow the client to bring the tunnel up when there is no traffic. Disabled by
default. CLI setting is set client-auto-negotiate disable.

Always up (keep alive) Allow the client to keep the tunnel up when there is no traffic. Disabled by
default. CLI setting is set client-keep-alive disable.

5. In the Local FortiGate section, set the following options, and click Next:

Incoming interface that binds This interface is the same Listen on interface as defined in your SSL VPN
to tunnel settings.

Create and add interface to Enable if the requirement is to segregate incoming interfaces into different
zone zones. See Zones.
If not, disable.

Local interface This is the internal interface(s) that will be accessed by VPN users.
The equivalent SSL VPN configurations are the destination interface(s) in the
ssl.root to <destination> firewall policies.

Local address These are internal network(s) that are allowed to be accessed by VPN users.
The equivalent SSL VPN configurations are the destination address(es) in the
ssl.root to <destination> firewall policies.

FortiOS 7.6.0 SSL VPN to IPsec VPN Migration 27

Fortinet Inc.
Migration basics

The subnet specified in the Local Address field is used for split tunneling if the
setting Enable IPv4 Split Tunnel is enabled in the VPN tunnel section of the
VPN Wizard.

6. In the Review section, review the configurations and objects, and then click Submit:

Addresses

Split address group Address group for the destination address(es) allowed by the tunnel. Used for
split tunneling configurations.

Address Firewall address for the range defined for VPN clients.

Interfaces

VPN IPsec phase 1 interface IPsec Phase 1 tunnel name and configuration.

VPN IPsec phase 2 interface IPsec Phase 2 tunnel name and configuration.

Zone Name of the zone created for IPsec tunnel, if Zone creation was enabled.

Policies

Remote to local policies Name of inbound firewall policy or policies.

Peer Name of PKI user configured, if selected authentication method is Signature.

FortiOS 7.6.0 SSL VPN to IPsec VPN Migration 28

Fortinet Inc.
Migration basics

The VPN wizard generates all required configurations, objects, and policies. Go to VPN > IPsec tunnels to view the
newly created IPsec tunnels.

Next steps

You may need to edit the IPsec tunnel settings created by the VPN wizard, depending on your requirements. For further
customization, see Customizing IPsec tunnel settings on page 29.

Customizing IPsec tunnel settings

You may need to edit the IPsec tunnel settings created by the VPN wizard, depending on your requirements. This
section includes the following optional procedures:
l Using peer ID on page 29
l Using TCP as transport method on page 30
l Changing Phase1 and Phase2 proposals on page 32

Using peer ID

If multiple dialup IPsec tunnels are configured on same physical (WAN) interface, FortiGate uses a peer ID to
differentiate between incoming IPsec connection attempts and to associate the connection to the correct IPsec tunnel.
As such, it is important to configure a unique peer ID for each IPsec tunnel.
The peer ID can be used to differentiate between multiple dialup IPsec tunnels when using IKE version 1 in Aggressive
mode. However, this functionality is limited with IKE version 2 because the peer ID is not included in the initial IKE

FortiOS 7.6.0 SSL VPN to IPsec VPN Migration 29

Fortinet Inc.
Migration basics

message. As a result, FortiGate as IPsec dialup server is unable to accurately match the correct phase 1 configuration
among multiple dialup IPsec tunnel configurations.

During the IPsec negotiation process, FortiClient transmits its configured local ID, which
FortiGate matches against the defined peer IDs to identify the appropriate tunnel. Therefore,
local ID configured on FortiClient must align with the corresponding peer ID set on FortiGate to
successfully establish an IPsec tunnel.

A unique peer ID must be configured on different IPsec tunnels.

To configure an IPsec tunnel for each user group:

1. Go to VPN > IPsec Tunnels and edit the respective IPsec tunnel.
2. Confirm that IKE is set to Version 1 and Mode is set to Aggressive.
3. Under Authentication, change Accept Peer ID to Specific peer ID:

1. Set Peer ID to a unique peer ID of your choice.

2. Click OK.

Using TCP as transport method

Dialup IPsec VPN, traditionally reliant on UDP, can now operate over TCP. This enhancement enables VPN traffic from
FortiClient to traverse restrictive firewalls that permit only TCP-based traffic. This feature is only available if the IPsec
tunnel is configured to use IKE version 2. FortiClient must be also configured to use TCP as its transport. The supported
FortiClient version for this feature is FortiClient version 7.4.1 or later. For more information on configuring custom TCP
port on FortiClient, see IPsec VPN over TCP.

FortiOS 7.6.0 SSL VPN to IPsec VPN Migration 30

Fortinet Inc.
Migration basics

To configure TCP as transport in the GUI:

1. Go to VPN > IPsec Tunnels and edit the respective IPsec tunnel.
2. Confirm that IKE is set to Version 2.
3. Set Transport to TCP encapsulation.
4. Click OK.

To configure TCP as transport in the CLI:

See Connecting to the CLI for information about connecting to the CLI.
config vpn ipsec phase1-interface
edit <tunnel-name>
set transport tcp
next
end

To view and modify TCP port used by IKEv2 in the CLI:

1. Check the default TCP IKE port used by FortiGate:

# show full-configuration system settings | grep ike-tcp
set ike-tcp-port 4500

2. Change the default TCP port to use a custom port, such as 5500:
config system settings
set ike-tcp-port 5500
end

Variable Description
ike-tcp-port <port> Set the TCP port for IKE/IPsec traffic (1 - 65535, default = 4500).

When using TCP port 443 for IKE/IPsec traffic, GUI access can be affected for interfaces that
are bound to an IPsec tunnel when the GUI admin port is also using port 443. To ensure
continued functionality, change either the IKE/IPsec port or the administrative access port.

To change the administrative access port:

config system global

set admin-sport <port>
end

For port conflicts with ZTNA and SSL VPN, ZTNA and SSL VPN will take precedence. To
avoid any port conflicts with other services, review the FortiOS Ports guide for other incoming
ports used on the FortiGate.

FortiOS 7.6.0 SSL VPN to IPsec VPN Migration 31

Fortinet Inc.
Migration basics

Changing Phase1 and Phase2 proposals

To change Security Associations in Phase 1 and Phase 2 of IPsec tunnel:

1. Go to VPN > VPN Tunnels, and edit the IPsec tunnel.

2. Under Phase 1 proposal, select required custom configuration.
3. Under Phase 2 Selectors, select the phase 2 tunnel, and click Edit.
4. Select the required custom configuration, and click OK to save the changes to the phase 2 selectors.
5. Click OK to save the changes on the IPsec tunnel.

FortiClient endpoint configuration migration

Migration from SSL VPN to IPsec on FortiClient EMS must be done in parallel with FortiGate configuration since IPsec
settings have to be matched on both FortiGate (VPN server) and FortiClient (VPN client). On FortiClient EMS, VPN
configuration is accomplished through the Remote Access endpoint profile, which enables setting up either SSL VPN or
IPsec or both. See FortiClient EMS Remote Access documentation.
To get started, add a remote access profile under the Endpoint Profiles section on FortiClient EMS. See Creating a new
profile.
Once new Remote Access profile is added, add tunnel under the VPN Tunnels section within the same Remote Access
profile context.

To migrate using a FortiClient EMS Remote Access endpoint profile:

1. In FortiClient EMS, go to Endpoint Profiles.

2. Select the needed profile type, and click Add.
3. Click Add Profile to create a Windows, macOS, and Linux profile.
4. Click Add Tunnel and complete the options in the Basic Settings section to add a new connection:

FortiOS 7.6.0 SSL VPN to IPsec VPN Migration 32

Fortinet Inc.
Migration basics

Name Name of the tunnel

Type Select IPsec VPN.

Remote Gateway IP address or FQDN that FortiClient uses to reach FortiGate for VPN
connection.
If you used FortiGate’s VPN wizard, this setting corresponds to the address of
the incoming interface configured during the wizard's Authentication step.
Typically, this is the same address used for the SSL VPN remote gateway.

Authentication Method
Available options are Local Certificate, Pre Shared Key, Smart Card
Certificate, and Local Store Certificate.
The FortiGate VPN wizard permits either pre-shared key or signature. When
the pre-shared key option is configured on the FortiGate, use the same value
in the Pre Shared Key field in FortiClient EMS.
If signature authentication method is preferred, select the certificate option
suitable for your company requirements. Ensure that the certificate’s CA
matches the Peer Certificate CA configured during the Authentication step of
the FortiGate VPN wizard.

5. Under Basic Settings, go to VPN Settings section, and configure the IKE version, Mode, and Options. These
settings must match the ones configured on FortiGate.

FortiOS 7.6.0 SSL VPN to IPsec VPN Migration 33

Fortinet Inc.
Migration basics

IKE Select either Version 1 or Version 2.

The FortiGate VPN wizard defaults to Version 1.

Mode Select Aggressive or Main mode. Default option for the FortiGate
VPN Creation Wizard is Aggressive.

Options The Mode Config option is the default option and recommended. It's also the
default mode configured on FortiGate with the VPN wizard.

6. Under Basic Settings, go to the Phase 1 section and configure the option. FortiGate’s VPN wizard automatically
selects phase 1 parameters. You can check these parameters by running the following CLI commands on the
FortiGate:
show full vpn ipsec phase1-interface <tunnel-name>

Ensure that you match phase 1 settings on FortiClient EMS to the phase 1 settings
configured on FortiGate.

FortiOS 7.6.0 SSL VPN to IPsec VPN Migration 34

Fortinet Inc.
Migration basics

IKE Proposal Select Encryption and Authentication algorithms used for generating keys to
protect FortiClient and FortiGate negotiations. At least one of the selected
encryption-authentication pairs must match to any of the ones configured on
FortiGate. FortiGate’s VPN wizard sets the following algorithms automatically:
l AES128 - SHA256

l AES256 - SHA256
l AES128 - SHA1
l AES256 - SHA1

DH Groups Select a Diffie-Hellman (DH) group. It must match to one of the groups
selected on FortiGate.
The FortiGate VPN wizard configures DH groups 14 and 5 automatically.

Key Life Enter the time (in seconds) that must pass before IKE encryption key expires.
New key gets generated in real-time without interrupting the service. Key life
can be configured within the range of 120 and 172,800 seconds.
The default value for the FortiGate VPN wizard is 86400 seconds.

Local ID Enter the Local ID.

By default the FortiGate VPN wizard leaves this setting blank.

7. Configure the remaining Phase 1 options as needed by your requirements. Refer to IPsec VPN documentation for
details.

FortiOS 7.6.0 SSL VPN to IPsec VPN Migration 35

Fortinet Inc.
Migration basics

Phase 1 configuration also allows configuring Dead Peer Detection (DPD) mechanism on both FortiClient and
FortiGate. DPD configuration is not available in the GUI but is available in XML on FortiClient EMS. For more
information regarding DPD and how to configure it on FortiGate, see Dead peer detection. The IKE Settings section
describes FortiClient\EMS configuration of DPD with XML.
8. Under Basic Settings, go to the Phase 2 section. The same concept applies for phase 2 settings, the settings on
FortiClient EMS and FortiGate must match. As with phase 1, you can confirm what settings were automatically set
by the FortiGate VPN wizard by running the following command on FortiGate:
show full vpn ipsec phase2-interface <tunnel-name>

IKE Proposal Select Encryption and Authentication algorithms used to protect the data
transferred between the IPsec peers. At least a single pair must match on both
FortiClient and FortiGate. The FortiGate VPN wizard configures the following
settings by default:
l AES128-SHA1

l AES256-SHA1
l AES128-SHA256
l AES256-SHA256
l AES128GCM
l AES256GCM

DH groups Configure the DH groups to match on FortiGate. The FortiGate VPN wizard
uses 14, 5 by default.

FortiOS 7.6.0 SSL VPN to IPsec VPN Migration 36

Fortinet Inc.
Migration basics

Key Life Set the time until the phase 2 key expires. The default option is in seconds;
however, you can also configure the key life in kilobytes (KBytes) or both. If
both is selected, whichever limit gets exceeded first takes precedence. Default
value is 43200 (seconds), which matches the value set by the FortiGate VPN
wizard.

Replay Detection When enabled, FortiGate checks for already- received packets and discards
the ones that arrive out of order. Enabled by default on both FortiClient EMS
and FortiGate.

PFS PFS forces a new DH key exchange upon tunnel establishment and after
phase 2 key expiration, causing a new key to be generated each time. Enabled
by default on both FortiClient EMS and FortiGate.

9. Go to the Advanced Settings section to configure multiple options for IPsec connection including Save Password,
Auto-Connect, and Always Up, which then appear on FortiClient GUI. They enable automatic connection to a VPN
tunnel and its recovery from network disruption. If you decide to include these settings in your configuration, ensure
that you also configure them in the Client Options step of FortiGate VPN wizard. For more information on the
available options, refer to Remote Access IPsec documentation.

10. Click Save to save the changes.

11. Push the profile to FortiClient endpoints.
12. On an endpoint, open FortiClient, and go to the Remote Access tab to confirm the settings have been pushed to
FortiClient.

FortiOS 7.6.0 SSL VPN to IPsec VPN Migration 37

Fortinet Inc.
Migration basics

The user must select Save Password, Auto-Connect, and Always Up to activate them.

FortiOS 7.6.0 SSL VPN to IPsec VPN Migration 38

Fortinet Inc.
 www.fortinet.com

Copyright© 2025 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were
attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance
results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract,
signed by Fortinet’s Chief Legal Officer, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only
the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change,
modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.