CyberInsurance is requiring MFA on all remote connections.
We are currently using IPSec VPN for all remote connections.
Aside from FortiToken, what other MFA options might I have with IPsec VPN connections? Ideally I would like to configure SAML to Entra ID and let that handle the MFA, but all the documentation and posts I find are related to configuring that for SSL VPN… which we are not using and do not want to use.
Is SAML an option for IPSec VPN and if so, is there a straight-forward guide for configuring it?
Hello, SAML with IPsec is not supported on FortiGate. For MFA I would suggest, like the other comments, delegating to a RADIUS server.
Yes, our insurance company required this last year for us - we used Duo - https://duo.com/docs/fortinet
As others mentioned, a RADIUS server that is tied into your identity platform.
We mainly use Windows NPS with the Azure extension.
Are these user based VPNs?
If so, look at Azure VPN conditional access.
Users get issued a just-in-time short lived certificate from MS at connect time and you can use PKI authentication. MS will grant the certificate only if the user and device meet CA conditions.
You can use a RADIUS proxy like Duo or Okta; both platforms support MFA. Yes, I said Okta lol, you might avoid them with all the talk of Okta compromises.
SAML for IPsec is not yet ready. SSL-VPN is fully functional.
Take a look at FortiAuthenticator; it will really make it simple and add a brick to your ZTNA roadmap that you can later easily leverage.
Do you know if that will work with IPSec also?
No one’s mentioned FortiAuthenticator? Great multiuse platform!
By user-based, you mean client VPN vs. site-to-site? Yes, client VPN, in that a user initiates the VPN connection to HQ.
HQ has on-prem AD and all devices are AD joined, not AAD joined… and I don’t want to go that route currently.
Unless I misunderstood what you are suggesting?
I do love FortiAuthenticator. But in most of our environments it’s easiest and most cost-effective to throw an NPS server in and call it a day.
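The RADIUS delegation that several replies recommend (NPS with the Azure MFA extension, or a Duo/Okta RADIUS proxy) looks roughly like the following on the FortiGate side. This is an added example, not configuration posted by anyone in this thread or taken from Fortinet or Microsoft documentation; the server address 10.0.0.10, the object names, the interface name and the secrets are constructed placeholders. The one setting that catches most first deployments is the remote authentication timeout: the NPS extension holds the RADIUS reply until the user approves the push, so the FortiGate default of 5 seconds fails the login before the phone is even unlocked.

```fortios
# Added example (not from this thread): FortiGate IPsec dial-up VPN delegating
# user authentication to an NPS RADIUS server that runs the Azure MFA extension.
# Names, the 10.0.0.10 address and both secrets are constructed placeholders.
config system global
    # Give the RADIUS server time to wait for the push approval; the
    # default of 5 seconds is too short for any interactive second factor
    set remoteauthtimeout 60
end
config user radius
    edit "NPS-MFA"
        set server "10.0.0.10"
        set secret "REPLACE-WITH-SHARED-SECRET"
        # PAP so the extension receives the credential it can forward to MFA
        set auth-type pap
    next
end
config user group
    edit "VPN-MFA-Users"
        # Members of this group are whatever NPS accepts (its policies decide)
        set member "NPS-MFA"
    next
end
config vpn ipsec phase1-interface
    edit "ClientVPN"
        # IKEv1 dial-up with XAuth: the PSK authenticates the tunnel,
        # the RADIUS group authenticates (and MFA-challenges) the user
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype any
        set xauthtype auto
        set authusrgrp "VPN-MFA-Users"
        set psksecret "REPLACE-WITH-PSK"
    next
end
```

Before touching the tunnel, validate the RADIUS leg on its own with `diagnose test authserver radius NPS-MFA pap <username> <password>` from the FortiGate CLI; if the push arrives on the phone but the command still reports a failure, the timeout, not the credentials, is what to revisit. Phase 2 selectors, firewall policies and the client-side IKE proposals are unchanged by adding MFA and are left out here.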
Well I meant, not a device tunnel.
Outbound firewall authentication with Azure AD as a SAML IdP | FortiGate / FortiOS 7.4.1 | Fortinet Document Library
I’ve been reading the docs and stumbled across this the other day. My plan is to use this to authenticate firewall users and then base policy off of this.
Correct - not a device tunnel
Then check out the Azure VPN conditional access docs. It may be what you’re looking for.