FortiGate IPsec VPN Config Sheet

FortiGate IPsec VPN with SAML — Andrew Travis

https://www.reddit.com/r/fortinet/comments/1rrsdmv/ipsec_saml_works_at_home_but_not_on_hotspots/

SAML IPSEC ERR_EMPTY_RESPONSE

This happens when your carrier uses CGNAT (changing public IPs, e.g. on 4G) or when users are inside the internal network; see the Fortinet community Technical Tip "Getting ERR_EMPTY_RESPONSE when connecting to IPSec SAML and users are inside the internal network".

Fortinet Guide

https://community.fortinet.com/fortigate-3/technical-tip-how-to-configure-microsoft-entra-id-saml-authentication-for-dial-up-ipsec-vpn-164015

Registry key to back up IPsec tunnels (don't do this: it won't bring over the right PSK)

HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiClient\IPSec

Website with Existing Config

https://docs.google.com/spreadsheets/d/1QgMkKxQQINvPLsXQyRRb3QqWmRizXpt-xOLvMxfw9F8/edit?gid=0#gid=0

PowerShell to add the config to an existing install

https://pastebin.com/vwZHHCHs

"IPSEC-Split" needs to be an address group containing all local subnets

config vpn ipsec phase1-interface
    edit "IPsec-SAML"
        set ipv4-split-include "IPSEC-Split"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 10.1.1.4
        set ipv4-dns-server2 10.1.1.5
        set proposal aes256-sha256
        set dpd on-idle
        set dhgrp 20
        set eap enable
        set eap-identity send-request
        set ipv4-start-ip 10.212.134.150
        set ipv4-end-ip 10.212.134.250
        set client-auto-negotiate enable
        set client-keep-alive enable
        set psksecret XXXXXXXXX
        set dpd-retryinterval 60
    next
end


config vpn ipsec phase2-interface
    edit "IPsec-SAML"
        set phase1name "IPsec-SAML"
        set proposal aes256-sha256
        set dhgrp 20
        set replay disable
    next
end
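The address group that `set ipv4-split-include "IPSEC-Split"` references, plus the policy that lets the dial-up clients reach it, as an added example that is not part of the original sheet or of Fortinet's guide. The mode-cfg pool range (10.212.134.150-250) is taken from the phase1 above; the two LAN subnets (10.1.1.0/24, which holds the DNS servers listed above, and 10.1.2.0/24) and the LAN interface name "port2" are assumptions, so substitute your own local subnets and interface.

```fortios
# Address objects for each local subnet the VPN clients should reach.
# Subnets are constructed for this example; replace with your own.
config firewall address
    edit "LAN-10.1.1.0"
        set subnet 10.1.1.0 255.255.255.0
    next
    edit "LAN-10.1.2.0"
        set subnet 10.1.2.0 255.255.255.0
    next
    # The mode-cfg pool handed to clients (values from the phase1 above),
    # used so the policy only matches tunnel clients rather than "all".
    edit "IPsec-SAML-Pool"
        set type iprange
        set start-ip 10.212.134.150
        set end-ip 10.212.134.250
    next
end

# The group named in "set ipv4-split-include": only these subnets are
# pushed to the client as split-tunnel routes.
config firewall addrgrp
    edit "IPSEC-Split"
        set member "LAN-10.1.1.0" "LAN-10.1.2.0"
    next
end

# Policy from the tunnel interface to the LAN; "port2" is an assumed LAN
# interface name. "edit 0" lets FortiOS assign the next free policy ID.
config firewall policy
    edit 0
        set name "IPsec-SAML-to-LAN"
        set srcintf "IPsec-SAML"
        set dstintf "port2"
        set srcaddr "IPsec-SAML-Pool"
        set dstaddr "IPSEC-Split"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Once a client has connected, `diagnose vpn ike gateway list` shows the IKE SA and `diagnose vpn tunnel list` shows the phase2 selectors, which should match the members of IPSEC-Split.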

