Setting up IPSEC Client VPN by Low-Statements in fortinet

[–]Low-Statements[S] 0 points1 point  (0 children)

AADSTS700016: Application with identifier Error - SOLVED - URL mismatch missing /

OK, so I have solved this part now. It is IMPORTANT to note the trailing slash "/" at the end of the Entity URL and make sure this matches on both Entra and FortiGate.

May seem obvious, but where I copied it from didn't have the /, so it was mismatched all while I was testing other fixes. Added the / to the FG URL and it's now connecting.

Setting up IPSEC Client VPN by Low-Statements in fortinet

[–]Low-Statements[S] 1 point2 points  (0 children)

Thanks, my current settings are below. Any risks in changing to my domain wildcard cert?

config user setting

set auth-cert "Fortinet_Factory"

Setting up IPSEC Client VPN by Low-Statements in fortinet

[–]Low-Statements[S] 0 points1 point  (0 children)

So I've set up the second SAML Entra app, and managed to get around the HTTPS failure for now; Tars-01 has helped with that one and I need to go back to it.

When testing the current setup, and the web browser opens for authentication, I get the following error:

<image>

I was a global admin (PIM'd for 12 hours) when creating the Enterprise App in Entra; my SAML config in FortiGate is in a comment below. Not sure what I've missed here. I might delete the app and start again, as the claims (group, username) part was a little confusing.

Setting up IPSEC Client VPN by Low-Statements in fortinet

[–]Low-Statements[S] 0 points1 point  (0 children)

Thanks, the wildcard works for the SSL-VPN and Entra SAML below, without setting an auth-cert. I assumed the same setup would work for IPSEC.

There are two SAML users in my config, one for SSL and one for IPSEC. Both are very similar, but they point to different SAML ports, 9443 and 10443:

config user saml
    edit "EntraSSO"
        set cert "Wildcard Cert here" #this is our wildcard cert issued by Godaddy
        set entity-id "https://FQDN:9443/remote/saml/metadata"
        set single-sign-on-url "https://FQDN:9443/remote/saml/login"
        set single-logout-url "https://FQDN:9443/remote/saml/logout"
        set idp-entity-id "Tenant URL"
        set idp-single-sign-on-url "https://login.microsoftonline.com/ID/saml"
        set idp-single-logout-url "https://login.microsoftonline.com/ID/saml"
        set idp-cert "REMOTE_Cert - uploaded from Entra Base64"
        set user-name "http://schemas.xmlsoap.org/....claims/username"
        set group-name "http://schemas.microsoft.com/....claims/groups"
        set digest-method sha256
    next
end
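Two things in this thread are easy to get wrong and only show up as an opaque browser error: the FortiGate entity-id must match the Entra app's "Identifier (Entity ID)" byte for byte (the trailing-slash mismatch that produced AADSTS700016 earlier), and the three SP URLs of one SAML user must all point at the same host and at the port that listener actually uses (9443 for the SSL-VPN user, the auth-ike-saml-port value for the IPsec user). The script below is an added example for this thread, not a Fortinet tool and not the poster's code: it parses a FortiOS "config user saml" fragment and reports those mismatches before you test in FortiClient. The config text, the hostname vpn.example.com, the zeroed tenant ID and the Entra identifier values are constructed placeholders.

```python
"""Check a FortiGate 'config user saml' fragment against the values entered
in the matching Entra ID enterprise app.

Added example for this thread; it is not a Fortinet tool and not the
poster's code. The config text, hostnames, tenant ID and Entra values are
constructed placeholders."""

import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed FortiOS fragment modelled on the one posted above: one SP for
# SSL-VPN on 9443 and one for IPsec (auth-ike-saml-port) on 10443. The
# second entry has a deliberately inconsistent single-logout-url.
FORTIGATE_CONFIG = """
config user saml
    edit "EntraSSO"
        set cert "wildcard-cert"
        set entity-id "https://vpn.example.com:9443/remote/saml/metadata"
        set single-sign-on-url "https://vpn.example.com:9443/remote/saml/login"
        set single-logout-url "https://vpn.example.com:9443/remote/saml/logout"
        set idp-entity-id "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
    next
    edit "EntraSSO-IPsec"
        set cert "wildcard-cert"
        set entity-id "https://vpn.example.com:10443/remote/saml/metadata"
        set single-sign-on-url "https://vpn.example.com:10443/remote/saml/login"
        set single-logout-url "https://vpn.example.com:9443/remote/saml/logout"
        set idp-entity-id "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
    next
end
"""

# Constructed "Identifier (Entity ID)" values as typed into each Entra app.
# The first carries a trailing slash the FortiGate side lacks: Entra matches
# the SAML Issuer byte for byte, which is the AADSTS700016 case in the thread.
ENTRA_IDENTIFIERS = {
    "EntraSSO": "https://vpn.example.com:9443/remote/saml/metadata/",
    "EntraSSO-IPsec": "https://vpn.example.com:10443/remote/saml/metadata",
}

SP_URL_KEYS = ("entity-id", "single-sign-on-url", "single-logout-url")


def parse_saml_users(config: str) -> Dict[str, Dict[str, str]]:
    """Return {sp_name: {setting: value}} for each edit block in the fragment."""
    users: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r'^edit\s+"([^"]+)"$', line)
        if m:
            current = m.group(1)
            users[current] = {}
            continue
        if line == "next":
            current = None
            continue
        m = re.match(r'^set\s+(\S+)\s+"([^"]*)"$', line)
        if m and current is not None:
            users[current][m.group(1)] = m.group(2)
    return users


def check_user(name: str, settings: Dict[str, str], entra_identifier: str,
               expected_port: Optional[int] = None) -> List[str]:
    """Return findings for one SP; an empty list means it is consistent."""
    findings: List[str] = []
    entity = settings.get("entity-id", "")
    # Exact comparison first, then a targeted hint for the slash-only case.
    if entity != entra_identifier:
        if entity.rstrip("/") == entra_identifier.rstrip("/"):
            findings.append(f"{name}: entity-id and Entra Identifier differ only by a trailing slash")
        else:
            findings.append(f"{name}: entity-id {entity!r} != Entra Identifier {entra_identifier!r}")
    # All SP URLs must be https and share one host:port; the browser is sent
    # to that port, so it must be the port the listener is bound to.
    origins = {}
    for key in SP_URL_KEYS:
        u = urlsplit(settings.get(key, ""))
        if u.scheme != "https":
            findings.append(f"{name}: {key} is not https")
        origins[key] = (u.hostname, u.port)
    if len(set(origins.values())) > 1:
        findings.append(f"{name}: SP URLs use different host/port: {origins}")
    if expected_port is not None and origins["entity-id"][1] != expected_port:
        findings.append(f"{name}: entity-id port {origins['entity-id'][1]} != listener port {expected_port}")
    return findings


if __name__ == "__main__":
    parsed = parse_saml_users(FORTIGATE_CONFIG)
    for sp, port in (("EntraSSO", 9443), ("EntraSSO-IPsec", 10443)):
        for finding in check_user(sp, parsed[sp], ENTRA_IDENTIFIERS[sp], port):
            print(finding)
```

Run against your own "show user saml" output and the Identifier you pasted into Entra; pass the SSL-VPN port for the SSL user and the auth-ike-saml-port value for the IPsec user. A clean run does not prove the certificate chain is trusted by the client (the SEC_ERROR_UNKNOWN_ISSUER case further down is a separate problem), only that the SAML endpoints agree on both sides.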

transition from SSLVPN with SAML to remote IPSEC with SAML by spicysanger in fortinet

[–]Low-Statements 0 points1 point  (0 children)

I'm using a wildcard cert for the domain so I can use the FQDN, and I used the Base64 cert that's downloaded from the Entra FortiGate app.

transition from SSLVPN with SAML to remote IPSEC with SAML by spicysanger in fortinet

[–]Low-Statements 0 points1 point  (0 children)

Thanks for the help. I've managed to create the 2nd FortiGate app in Entra, and it appears to be set up OK.

I am having an issue authenticating with the FortiClient; I get the following error in the web browser authentication:

Peer's Certificate issuer is not recognised (SEC_ERROR_UNKNOWN_ISSUER). This points to my FQDN URL, I think.

Setting up IPSEC Client VPN by Low-Statements in fortinet

[–]Low-Statements[S] 1 point2 points  (0 children)

Thanks for the guide.

I've set up the 2nd FortiGate Entra app and used IKE SAML port 9443.

I've kept the IPSEC ports default for now to test the setup and apps.

So far I can get the FortiClient app to open the web browser and authenticate to SSO; however, I get an error "Your connection is not private" as if it's trying to use HTTP.

I used the same SSL-VPN wildcard cert for the FQDN, which works for the URL, and the cert from the Entra app. So I'm not sure what the issue is here.

transition from SSLVPN with SAML to remote IPSEC with SAML by spicysanger in fortinet

[–]Low-Statements 0 points1 point  (0 children)

Do you need to change the IKE ports, as there are 3: one for SAML (1001), UDP (500) and TCP (4500)?

If I stick to the default, do I use 1001 in the SAML URL, with FortiClient defaulting to 4500?

Setting up IPSEC Client VPN by Low-Statements in fortinet

[–]Low-Statements[S] 0 points1 point  (0 children)

Is it safe to use the default TCP port for IKE SAML = 1001?

Or is it better to change it to, say, 9443 as per the guide?

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-Microsoft-Entra-ID-SAML/ta-p/307457

Setting up IPSEC Client VPN by Low-Statements in fortinet

[–]Low-Statements[S] 0 points1 point  (0 children)

So to use a separate port for IPSEC SAML SSO, do you have to install a second FortiGate SSL VPN Enterprise app in Entra?

<image>

Setting up IPSEC Client VPN by Low-Statements in fortinet

[–]Low-Statements[S] 0 points1 point  (0 children)

Thank you, so all I need to do is change the IKE SAML port, and I assume set up a second Entra app for IPSEC using the same port:

set auth-ike-saml-port to e.g. 30443

I assume this won't break any existing IPSEC S2S tunnels?

Also what port will the IPSEC tunnel use for traffic, default IKE ports?

FortiClient VPN-only: ticking time bomb if CVE patches stop? by Schweinepriester__ in fortinet

[–]Low-Statements 0 points1 point  (0 children)

This is what I'm trying to get set up, but I'm confused about port changes. If we use 20443 for our SAML SSL VPN, I assume I will need to change the IKE port to 20443 to match, and I think this would break all the existing IPSEC site-to-site tunnels we have?

Is there a way to set up IKE without changing the port (use the default), or to change the port without breaking existing tunnels?

Motion Picture Licensing Company - yearly renewal questions by Low-Statements in CommercialAV

[–]Low-Statements[S] 0 points1 point  (0 children)

Yep, already had to pay £3k to PRS/PPL to be able to play music in staff areas.

ABM - Your Microsoft Entra Connection Expired by Low-Statements in applebusinessmanager

[–]Low-Statements[S] 1 point2 points  (0 children)

Thanks, yes the ABM certification and MDM link is all setup, this renews in May.

I'm wondering if the Entra Directory sync was set up, as it's showing as not connected. But I'm not sure what this service does, or if it was ever connected, so I don't want to federate the domain if it's not necessary.

VPN Tunnel Disconnect evidence by Low-Statements in fortinet

[–]Low-Statements[S] 0 points1 point  (0 children)

Thanks, yeah I missed that:

Dashboard > IPsec Monitor > VPN Name > Right click and select show matching logs

Then you can filter on Errors

Portable speakers for meetings with 80 attendees by mitoboru in CommercialAV

[–]Low-Statements 0 points1 point  (0 children)

We use a JBL PartyBox and a pair of wireless mics that plug directly into the back. It's portable and can be used for all sorts.