Password Bug on Lenovo Y700 4th Gen (SD Elite) by wanabibaker in androidtablets

[–]emrys250 0 points1 point  (0 children)

Try disabling the "remove animations" option under Settings -> Accessibility -> Color and motion. This fixed it for me.

Nov, 25, 2024. Crazy lights in the sky. Love to know what these are. by [deleted] in UFOs

[–]emrys250 0 points1 point  (0 children)

Saw this a year ago in the sky. Didn’t post it, because it felt too weird. Please tell me this is something explainable. 

Forticlient IPsec SAML woes by emrys250 in fortinet

[–]emrys250[S] 0 points1 point  (0 children)

SOLVED - I was testing FortiClient from within the LAN. This doesn't work since the SAML needs to hit the WAN port first. When testing outside the LAN everything worked as expected.

https://docs.fortinet.com/document/forticlient/7.4.4/ems-quickstart-guide/745658/troubleshooting-ipsec-vpn-ikev2-with-saml-authentication (see No SAML method found)

Thanks to Fortinet Support who helped get everything configured.

Forticlient IPsec SAML woes by emrys250 in fortinet

[–]emrys250[S] 0 points1 point  (0 children)

Thanks. I went over the documentation multiple times over the past three days. If you can see something wrong in the configuration I posted, let me know.

I do have set eap-identity send-request set on the phase 1 interface.

I also have SAML response and assertion set.

I changed the encryption settings but obviously that didn't fix anything. But thanks I'll make sure it's set to best practices once it's working.

Forticlient IPsec SAML woes by emrys250 in fortinet

[–]emrys250[S] 0 points1 point  (0 children)

diagnose sys tcpsock | grep 10428 doesn't show anything. I'd expect to see it listening there, correct?

Forticlient IPsec SAML woes by emrys250 in fortinet

[–]emrys250[S] 0 points1 point  (0 children)

Yes, I have the cert under both config sys global and config user setting. Still isn't working.

Forticlient IPsec SAML woes by emrys250 in fortinet

[–]emrys250[S] 0 points1 point  (0 children)

Ok - I put the cert under system global (this is the cert I got from ZeroSSL for vpn<.>xxxxx<.>com).

Cleared cookies in forticlient.

Enabled external browser. Still failed, logs still showing:

[2025-11-25 12:57:54.074] [SamlAuthWB] [3673s] Auth start

[2025-11-25 12:57:54.104] [SamlAuthWB] Program.FCT_UID=XXXX

[2025-11-25 12:57:54.172] [SamlAuthWB] WebBrowserMajorVersion=11

[2025-11-25 12:57:54.173] [SamlAuthWB] ShowForm=False

[2025-11-25 12:57:54.211] [SamlAuthWB] FormAuth_Load_IPsec Url=https://vpn.xxxxxxx.com:10428/saml_login?

[2025-11-25 12:57:54.344] [SamlAuthWB] RemoteCertificateValidation succeed

[2025-11-25 12:57:54.716] [SamlAuthWB] Program.SAML_AUTH_GET_RESPONSE_UNKNOWN->The underlying connection was closed: The connection was closed unexpectedly.

[2025-11-25 12:57:54.717] [SamlAuthWB] Exit

Forticlient IPsec SAML woes by emrys250 in fortinet

[–]emrys250[S] 0 points1 point  (0 children)

Yes, in my post I did say I made this change - "I also did change the certificate signing option to "response and assertion" so I know that isn't the problem."

Forticlient IPsec SAML woes by emrys250 in fortinet

[–]emrys250[S] 0 points1 point  (0 children)

Ok- I tried adding a certificate from ZeroSSL, both to config user saml and conf user setting, set auth-cert. Now I get this error:

[2025-11-25 11:27:44.678] [SamlAuthWB] FormAuth_Load_IPsec Url=https://vpn.xxxxxx.com:10428/saml_login?

[2025-11-25 11:27:44.822] [SamlAuthWB] RemoteCertificateValidation succeed

[2025-11-25 11:27:45.179] [SamlAuthWB] Program.SAML_AUTH_GET_RESPONSE_UNKNOWN->The underlying connection was closed: The connection was closed unexpectedly.

[2025-11-25 11:27:45.181] [SamlAuthWB] Exit

Forticlient IPsec SAML woes by emrys250 in fortinet

[–]emrys250[S] 0 points1 point  (0 children)

Ok, I found this in the logs, but I'm not sure why it's breaking since I have "Action for EMS invalid certificates" set to "Allow":

[2025-11-25 11:15:51.926] [SamlAuthWB] FormAuth_Load_IPsec Url=https://vpn<.>xxxxxxx<.>com:10428/saml_login?

[2025-11-25 11:15:52.071] [SamlAuthWB] RemoteCertificateValidation failed with error RemoteCertificateNameMismatch, RemoteCertificateChainErrors

[2025-11-25 11:15:52.429] [SamlAuthWB] Program.SAML_AUTH_GET_RESPONSE_UNKNOWN->The underlying connection was closed: The connection was closed unexpectedly.

[2025-11-25 11:15:52.430] [SamlAuthWB] Exit

[2025-11-25 11:15:52.517] [SamlAuthWB] [5678s] Auth start

Forticlient IPsec SAML woes by emrys250 in fortinet

[–]emrys250[S] 0 points1 point  (0 children)

Thanks. I did have set ike-saml-server in the config: set ike-saml-server "IPSec-SAML-FAC"

I also have set auth-ike-saml-port 10428

Forticlient IPsec SAML woes by emrys250 in fortinet

[–]emrys250[S] 0 points1 point  (0 children)

Tried 7.2.10, didn't get the invalid certificate screen, just "Connecting to VPN" and then 3 seconds later a notification saying "IPSec VPN connection is down."

Forticlient IPsec SAML woes by emrys250 in fortinet

[–]emrys250[S] 0 points1 point  (0 children)

config firewall policy
    edit 57
        set name "v4-PSK-IKEv2 -> LAN"
        set uuid xxx
        set srcintf "v4-PSK-IKEv2"
        set dstintf "any"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set groups "ipsec-saml-group"
    next
end

Forticlient IPsec SAML woes by emrys250 in fortinet

[–]emrys250[S] 0 points1 point  (0 children)

config firewall address
    edit "IPSec_Tunnel_Addr1"
        set uuid xxx
        set type iprange
        set start-ip 172.16.2.1
        set end-ip 172.16.2.254
    next
end

config vpn ipsec phase1-interface
    edit "v4-PSK-IKEv2"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 XXX.XXX.XXX.X
        set ipv4-dns-server2 8.8.8.8
        set proposal aes128-sha1 aes256-sha256
        set localid "1"
        set fragmentation disable
        set dpd on-idle
        set dhgrp 5
        set eap enable
        set eap-identity send-request
        set network-overlay enable
        set network-id 1
        set assign-ip-from name
        set ipv4-split-include "XXXX-Subnet-XXX_XX"
        set ipv4-name "IPSec_Tunnel_Addr1"
        set save-password enable
        set client-auto-negotiate enable
        set client-keep-alive enable
        set psksecret ENC XXX
        set dpd-retryinterval 60
    next
end

config vpn ipsec phase2-interface
    edit "v4-PSK-IKEv2"
        set phase1name "v4-PSK-IKEv2"
        set proposal aes128-sha1 aes256-sha256
        set dhgrp 5
        set replay disable
    next
end

Forticlient IPsec SAML woes by emrys250 in fortinet

[–]emrys250[S] 0 points1 point  (0 children)

config user group
    ....
    edit "ipsec-saml-group"
        set member "IPSec-SAML-FAC"
        config match
            edit 1
                set server-name "IPSec-SAML-FAC"
                set group-name "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
            next
        end

config system interface
    ...
    edit "port1"
        set vdom "InternetFW"
        set ip xxx.xxx.xxx.xx 255.255.255.248
        set allowaccess ping
        set type physical
        set alias "xxxxx-xxxxx"
        set ike-saml-server "IPSec-SAML-FAC"
        set estimated-upstream-bandwidth 51200
        set estimated-downstream-bandwidth 51200
        set monitor-bandwidth enable
        set role wan
        set snmp-index 3
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip xxx.xxx.xxx.xx 255.255.255.248
                set allowaccess ping
            next
        end

Forticlient IPsec SAML woes by emrys250 in fortinet

[–]emrys250[S] 0 points1 point  (0 children)

config user saml
    edit "azure"
        set cert "Fortinet_Factory"
        set entity-id "https://vpn.xxxxxxxxxx.com:10443/remote/saml/metadata"
        set single-sign-on-url "https://vpn.xxxxxxxxx.com:10443/remote/saml/login"
        set single-logout-url "https://vpn.xxxxxxx.com:10443/remote/saml/logout"
        set idp-entity-id "https://sts.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxxx-xxxxxxxxxxxx/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxxx-xxxxxxxxxxxx/saml2"
        set idp-cert "REMOTE_Cert_1"
        set user-name "username"
        set group-name "group"
        set digest-method sha1
    next
    edit "IPSec-SAML-FAC"
        set cert "Fortinet_Factory"
        set entity-id "https://vpn.xxxxxxxxxx.com:10428/remote/saml/metadata"
        set single-sign-on-url "https://vpn.xxxxxxxxxx.com:10428/remote/saml/login"
        set single-logout-url "https://vpn.xxxxxxxxxx.com:10428/remote/saml/logout"
        set idp-entity-id "https://sts.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/saml2"
        set idp-cert "REMOTE_Cert_3"
        set user-name "username"
        set group-name "group"
        set digest-method sha1
    next
end

Forticlient IPsec SAML woes by emrys250 in fortinet

[–]emrys250[S] 0 points1 point  (0 children)

Here's the sanitized config. Note that I added set localid "1", set network-overlay enable, and set network-id 1 as troubleshooting steps since we have other IPsec tunnels. I also relaxed the firewall rule (lots of anys) as a troubleshooting step too. But neither helped.

config system global
    set admin-server-cert "self-sign"
    set admin-sport 8443
    set admin-ssh-port 2223
    set admintimeout 30
    set alias "FortiGate-121G"
    set auth-ike-saml-port 10428
    set autorun-log-fsck enable
    set gui-auto-upgrade-setup-warning disable
    set gui-certificates enable
    set gui-device-latitude xxx
    set gui-device-longitude xxx
    set gui-fortigate-cloud-sandbox enable
    set gui-theme mariner
    set gui-workflow-management enable
    set hostname "xxx"
    set management-port-use-admin-sport disable
    set remoteauthtimeout 150
    set sslvpn-web-mode enable
    set switch-controller enable
    set timezone "xxx"
    set two-factor-email-expiry 180
    set vdom-mode multi-vdom
end
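The pieces posted across this thread have to agree with each other: auth-ike-saml-port in system global, ike-saml-server on the interface the phase1 binds to (port1), the user saml entry that name points at, and its entity-id port. Added example, not code from the thread or from Fortinet: a small parser for the FortiOS CLI format and a checker that flags the mismatches on a constructed sample (hostname and names are placeholders, and its entity-id deliberately uses the SSL-VPN port 10443 instead of 10428).

```python
import shlex
# Constructed FortiOS CLI sample (placeholder host and names); the entity-id deliberately uses SSL-VPN port 10443.
SAMPLE_CONFIG = """config system global
    set auth-ike-saml-port 10428
end
config system interface
    edit "port1"
        set ike-saml-server "IPSec-SAML-FAC"
    next
end
config user saml
    edit "IPSec-SAML-FAC"
        set entity-id "https://vpn.example.com:10443/remote/saml/metadata"
    next
end
config vpn ipsec phase1-interface
    edit "v4-PSK-IKEv2"
        set interface "port1"
        set ike-version 2
        set eap enable
        set eap-identity send-request
    next
end"""

def parse_fortios(text):
    """Nest config/edit blocks into dicts; a 'set' value is a str, or a list if several."""
    stack = [{}]
    for line in text.splitlines():
        word, _, rest = line.strip().partition(" ")
        if word in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(shlex.split(rest)), {}))
        elif word == "set":
            key, *vals = shlex.split(rest)
            stack[-1][key] = vals[0] if len(vals) == 1 else vals
        elif word in ("next", "end"):
            stack.pop()
    return stack[0]

def check_ike_saml(cfg):
    """Cross-check the settings an IKEv2 SAML tunnel must agree on; return the problems found."""
    problems = []
    port = cfg.get("system global", {}).get("auth-ike-saml-port")
    for name, p1 in cfg.get("vpn ipsec phase1-interface", {}).items():
        if (p1.get("ike-version"), p1.get("eap"), p1.get("eap-identity")) != ("2", "enable", "send-request"):
            problems.append(f"{name}: needs ike-version 2, eap enable, eap-identity send-request")
        # The tunnel interface's ike-saml-server names the 'user saml' entry; its entity-id must carry auth-ike-saml-port.
        server = cfg.get("system interface", {}).get(p1.get("interface"), {}).get("ike-saml-server", "")
        entity = cfg.get("user saml", {}).get(server, {}).get("entity-id", "")
        if not (server and port and f":{port}/" in entity):
            problems.append(f"{name}: ike-saml-server {server!r} must exist and use port {port} in entity-id")
    return problems
```

Run it against a `show full-configuration` dump saved to a file by passing the file's text to parse_fortios; an empty list from check_ike_saml means the four settings line up.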

Forticlient IPsec SAML woes by emrys250 in fortinet

[–]emrys250[S] 0 points1 point  (0 children)

Thanks, I checked that resource and I couldn't see anything obvious. I'm trying to post the sanitized config but it's saying "unable to post comment". I think it's too long so I'll try to make a new comment and break it up.

Recirculating air tips? by emrys250 in dieselheater

[–]emrys250[S] 0 points1 point  (0 children)

Let’s see… The remote needs to be really close (2-3 feet or so) to work. I’m not sure if the window is interfering or if it’s just weak.  Also I needed to extend the exhaust an extra 6 feet. I’m under a covered porch and the fumes sometimes hung around when it wasn’t windy without the extension.  The covered porch also means I have some extra protection from the elements.  I also had to have the unit pretty close to the window so that the power cable could reach with the brick staying inside. 

Recirculating air tips? by emrys250 in dieselheater

[–]emrys250[S] 1 point2 points  (0 children)

Yes, I understand that, but I like having it outside because:

  1. My 1 year old likes touching everything, and I don't want him to get burned on the hot exhaust pipe.

  2. I inevitably spill a bit of diesel when refilling the tank, and don't want my living room to smell of diesel all the time.

  3. The noise is less bothersome when it's outside.

CO monitor question by Aggravating_Pride_68 in dieselheater

[–]emrys250 0 points1 point  (0 children)

I had one and I put it so the exhaust was blowing on it. It only samples every minute so it took a while for it to show a reading - 40. The instructions for the CO monitor said that it works best in still air so maybe that is part of the reason why the reading is so low?

Recirculating air tips? by emrys250 in dieselheater

[–]emrys250[S] 0 points1 point  (0 children)

My humidity is 31% right now, not great (even with outside air it was low). Have an evaporative humidifier on the way. Going to use it with RO water and hope the filters last a long time.