
EMS Administration Guide

IPsec VPN SAML-based authentication


FortiClient IPsec VPN IKEv2 supports SAML authentication with identity providers (IdPs) such as Microsoft Entra ID, Okta, and FortiAuthenticator. This configuration also supports pushing authentication tokens. The result is a similar experience to SAML-based authentication for SSL VPN: the FortiGate acts as the SAML service provider (SP), FortiClient completes the SAML exchange with the FortiGate on a dedicated IKE SAML port, and the IKEv2 tunnel then authenticates the user with EAP.

The following instructions assume that you have already configured your Entra ID environment, that FortiClient EMS and the FortiGate are part of a Fortinet Security Fabric, and that the FortiGate has been configured in Azure as an enterprise application for SAML single sign-on.

This page provides configuration examples for Entra ID, Okta, and FortiAuthenticator. The examples use the following product versions:

Product              Version
FortiClient          7.2.4
FortiClient EMS
FortiGate            7.4.3
FortiAuthenticator   6.5.3

Use case 1: SAML authentication with Entra ID as IdP

To configure SAML authentication with Entra ID as IdP:
  1. The following shows an example enterprise application for SAML single sign-on in Azure. Key to this configuration is that the endpoint can resolve the FortiGate fully qualified domain name (FQDN) (in this example, remote...de01) and that the Identifier (Entity ID) and Reply URL configured in Azure carry the IKE SAML port, which in this example is 10428. These Azure values must match, character for character, the entity-id and single-sign-on-url that you configure in FortiOS in step 2.c. Under SAML Certificates, beside Certificate (Base64), click Download.

  2. Configure FortiOS:
    1. Import the certificate that you downloaded from the Azure portal into FortiOS by going to System > Certificates > Create/Import > Remote Certificate and selecting the downloaded file. This is the IdP signing certificate that FortiOS uses to verify SAML responses; the example refers to it as REMOTE_Cert_2.
    2. Define the IKE SAML authentication port. FortiClient connects to this port on the FortiGate over HTTPS to complete the SAML exchange, so it must be reachable from the endpoint and must be the same port used in the Azure URLs:

      config system global
          set auth-ike-saml-port 10428
      end

    3. Configure SAML user settings. In this example, remote...de01 is the remote gateway and 10428 is the IKE SAML authentication port that you defined in step 2.b. The entity-id, single-sign-on-url, and single-logout-url are the SP identifier and reply URLs that the IdP sees, so they must match the IdP-side configuration exactly. The digest-method setting selects the hash used to sign the SAML request; the example uses sha1, and sha256 is also supported and preferable where the IdP accepts it:
      1. Configure a SAML user:

        config user saml
            edit "IPSec-SAML-FAC"
                set cert "Fortinet_Factory"
                set entity-id "https://remote...de01:10428/remote/saml/metadata"
                set single-sign-on-url "https://remote...de01:10428/remote/saml/login"
                set single-logout-url "https://remote...de01:10428/remote/saml/logout"
                set idp-entity-id "https://sts.windows.net/f1a72219-.../"
                set idp-single-sign-on-url "https://login.microsoftonline.com/f1a72219-.../saml2"
                set idp-single-logout-url "https://login.microsoftonline.com/f1a72219-.../saml2"
                set idp-cert "REMOTE_Cert_2"
                set user-name "username"
                set group-name "saml-group"
                set digest-method sha1
            next
        end

      2. Configure a user group. The example user group is ipsec-saml-group, which includes the SAML user that you configured. You will use this group in a FortiOS firewall policy to control access to protected resources:

        config user group
            edit "ipsec-saml-group"
                set member "IPSec-SAML-FAC"
            next
        end

    4. Configure the IKE SAML server on the FortiOS interface used for the VPN connection. This example uses port1 as the WAN interface, which the configuration uses for the IPsec VPN IKEv2 connection:

      config system interface
          edit "port1"
              set ike-saml-server IPSec-SAML-FAC
          next
      end

    5. Configure the IPsec VPN IKEv2 tunnel:
      1. Configure the IP address range that the tunnel assigns to clients, and an address object for the protected LAN. In this example, there is a file server with IP address 192.168.235.180 on the FortiOS LAN network 192.168.235.0/24. Substitute your own values as needed.

        config firewall address
            edit "IPSec_Tunnel_Addr1"
                set type iprange
                set start-ip 192.168.1.100
                set end-ip 192.168.1.108
            next
        end

        config firewall address
            edit "LAN2-192.168.235.0"
                set subnet 192.168.235.0 255.255.255.0
            next
        end

      2. Create an IPsec VPN IKEv2 tunnel. This example uses a preshared key as the authentication method; 11111111 is a placeholder, and you should use a long random shared secret because the preshared key is what FortiClient uses to authenticate the gateway. Ensure that eap is enabled and that eap-identity is set to send-request, which makes the FortiGate send an EAP identity request to the client so that user authentication can be handed to the SAML server. The phase 1 and phase 2 proposals and the DH group must overlap with what the FortiClient tunnel offers (see the <proposals> and <dhgroup> elements in IPsec VPN tunnel XML configuration), so if you harden them, change both sides:

        config vpn ipsec phase1-interface
            edit "v4-PSK-IKEv2"
                set type dynamic
                set interface "port1"
                set ike-version 2
                set peertype any
                set net-device disable
                set mode-cfg enable
                set ipv4-dns-server1 172.17.60.6
                set ipv4-dns-server2 8.8.8.8
                set proposal aes128-sha1 aes256-sha256
                set dpd on-idle
                set dhgrp 5
                set eap enable
                set eap-identity send-request
                set assign-ip-from name
                set ipv4-split-include "LAN2-192.168.235.0"
                set ipv4-name "IPSec_Tunnel_Addr1"
                set save-password enable
                set client-auto-negotiate enable
                set client-keep-alive enable
                set psksecret 11111111
                set dpd-retryinterval 60
            next
        end

        config vpn ipsec phase2-interface
            edit "v4-PSK-IKEv2"
                set phase1name "v4-PSK-IKEv2"
                set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256
                set dhgrp 5
            next
        end

      3. Add the SAML group to the firewall policy for the VPN tunnel. In this example, ipsec-saml-group is the SAML group name, and port3 is the FortiGate LAN interface. Modify the commands to fit your environment:

        config firewall address
            edit "LAN2_port3 address"
                set type interface-subnet
                set subnet 192.168.235.0 255.255.255.0
                set interface "port3"
            next
        end

        config firewall policy
            edit 117
                set name "v4-PSK-IKEv2 -> LAN"
                set srcintf "v4-PSK-IKEv2"
                set dstintf "port3"
                set action accept
                set srcaddr "IPSec_Tunnel_Addr1"
                set dstaddr "LAN2_port3 address"
                set schedule "always"
                set service "ALL"
                set nat enable
                set groups "ipsec-saml-group"
            next
        end

      4. (Optional) FortiClient validates the server certificate that FortiOS presents. To avoid an invalid server certificate prompt, the certificate common name (CN) should match the VPN remote gateway FQDN (remote...de01 in this example), and the issuing certificate authority (CA) should be installed in the endpoint's trusted root CA store. FortiClient also validates the certificates of IdPs such as FortiAuthenticator, Azure, and Okta, so their certificate chains must be trusted on the endpoint as well.

        config user setting
            set auth-cert "remote...de01-oldca"
        end

  3. Configure a new IPsec VPN IKEv2 tunnel in EMS:
    1. In EMS, go to Endpoint Profiles > Remote Access.
    2. Create a new profile or edit an existing one.
    3. Under VPN Tunnels, click Add Tunnel.
    4. Select Manual.
    5. Configure Basic Settings:
      1. In the Name field, configure the desired tunnel name.
      2. For Type, select IPsec VPN.
      3. In the Remote Gateway field, enter the remote gateway. In this example it is remote...de01.
      4. From the Authentication Method dropdown list, select Pre Shared Key.
      5. In the Pre-Shared Key field, enter the same key that you configured in step 2.e.ii.

    6. Configure Advanced Settings:
      1. Disable Prompt for Certificate.
      2. Toggle on Enable SAML Login.
      3. In the SAML Port field, enter the port that you noted from the Azure portal. In this example, it is 10428.
      4. Enable Show "Remember Password" Option.
      5. Enable Show "Always Up" Option.
      6. Enable Show "Auto Connect" Option.
    7. Leave other fields at their default values, and save. For the XML configuration for the tunnel, see IPsec VPN tunnel XML configuration.
  4. After FortiClient receives the configuration changes from EMS, connect to the tunnel:
    1. In FortiClient, go to the Remote Access tab.
    2. From the VPN Name dropdown list, select the IPsec VPN tunnel.
    3. Click Connect.
    4. An authentication dialog appears. Enter the Entra ID credentials to establish the VPN connection.

  5. After the VPN tunnel is up, attempt access to a resource that a FortiOS firewall policy protects. The following shows diagnose firewall auth list output for such access:
    192.168.1.100, user@example.onmicrosoft.com
            type: fw, id: 0, duration: 74, idled: 74
            server: IPSec-SAML-FAC
            packets: in 0 out 0, bytes: in 0 out 0
            group_id: 6
            group_name: ipsec-saml-group
    
    ----- 1 listed, 0 filtered ------

    To view IKE debug log output for this access, see IKE debug log reference.
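The values in steps 2.b and 2.c are easy to mistype, and the SP URLs, the IdP entity ID and the IdP SSO URL must agree byte for byte with what the IdP publishes. The following script, added here as an example and not Fortinet code, derives the config user saml block from the IdP's SAML metadata and lints an existing block against it. It assumes the gateway FQDN vpn.example.com, IKE SAML port 10428, a hypothetical remote certificate name REMOTE_Cert_2, and a constructed, trimmed metadata document in the shape Entra ID publishes (all-zero tenant ID, placeholder certificate).

```python
"""Derive and lint the FortiOS 'config user saml' block for IKEv2 SAML login.

Added example, not Fortinet code. Assumes FQDN vpn.example.com, IKE SAML port
10428 and a constructed Entra ID-style metadata document with placeholders.
"""
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
TENANT = "00000000-0000-0000-0000-000000000000"   # placeholder tenant ID

# Constructed sample in the shape of Entra ID federation metadata (trimmed).
SAMPLE_IDP_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC...placeholder...</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{HTTP_REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{HTTP_POST}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Pull the IdP entity ID, SSO/SLO endpoints and signing certificate out of metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    def endpoint(tag):
        # FortiOS sends the AuthnRequest with the HTTP-Redirect binding; Entra ID
        # publishes the same URL for both bindings, other IdPs may not.
        by_binding = {s.get("Binding"): s.get("Location") for s in idp.findall(f"md:{tag}", NS)}
        return by_binding.get(HTTP_REDIRECT) or by_binding.get(HTTP_POST)

    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {
        "entity_id": root.get("entityID"),
        "sso_url": endpoint("SingleSignOnService"),
        "slo_url": endpoint("SingleLogoutService"),
        # This base64 blob is what gets imported under System > Certificates > Remote Certificate.
        "signing_cert": "".join(cert.text.split()) if cert is not None else None,
    }


def sp_urls(fqdn, port):
    """SP URLs FortiOS serves on the IKE SAML port; the IdP must be given exactly these."""
    base = f"https://{fqdn}:{port}/remote/saml"
    return {"entity-id": base + "/metadata",
            "single-sign-on-url": base + "/login",
            "single-logout-url": base + "/logout"}


def render_fortios_saml(name, fqdn, port, idp, idp_cert_name,
                        sp_cert="Fortinet_Factory", digest="sha256"):
    """Emit the CLI for steps 2.b and 2.c.i from the values derived above."""
    sp = sp_urls(fqdn, port)
    lines = [
        "config system global",
        f"    set auth-ike-saml-port {port}",
        "end",
        "config user saml",
        f'    edit "{name}"',
        f'        set cert "{sp_cert}"',
        f'        set entity-id "{sp["entity-id"]}"',
        f'        set single-sign-on-url "{sp["single-sign-on-url"]}"',
        f'        set single-logout-url "{sp["single-logout-url"]}"',
        f'        set idp-entity-id "{idp["entity_id"]}"',
        f'        set idp-single-sign-on-url "{idp["sso_url"]}"',
        f'        set idp-single-logout-url "{idp["slo_url"] or idp["sso_url"]}"',
        f'        set idp-cert "{idp_cert_name}"',
        '        set user-name "username"',
        '        set group-name "saml-group"',
        f"        set digest-method {digest}",
        "    next",
        "end",
    ]
    return "\n".join(lines)


SET_RE = re.compile(r'^\s*set\s+(\S+)\s+"?([^"]*)"?\s*$')


def audit_fortios_saml(config_text, fqdn, idp):
    """Lint a block: SP URLs must use the FQDN and the IKE SAML port, IdP values
    must match the metadata exactly, and a SHA-1 request digest is flagged."""
    values = {}
    for line in config_text.splitlines():
        m = SET_RE.match(line)
        if m:
            values[m.group(1)] = m.group(2)
    problems = []
    port = values.get("auth-ike-saml-port")
    if port is None:
        problems.append("auth-ike-saml-port is not set under config system global")
    else:
        for key, want in sp_urls(fqdn, int(port)).items():
            if values.get(key) != want:
                problems.append(f"{key} is {values.get(key)!r}, expected {want!r}")
    for key, want in (("idp-entity-id", idp["entity_id"]),
                      ("idp-single-sign-on-url", idp["sso_url"])):
        if values.get(key) != want:
            problems.append(f"{key} does not match IdP metadata (compare including any trailing slash)")
    if values.get("digest-method") == "sha1":
        problems.append("digest-method sha1 signs the AuthnRequest with RSA-SHA1; use sha256 unless the IdP requires sha1")
    return problems


if __name__ == "__main__":
    idp = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print(render_fortios_saml("IPSec-SAML-Entra", "vpn.example.com", 10428, idp, "REMOTE_Cert_2"))
```

Feed the real federation metadata from the Azure portal to parse_idp_metadata, and paste the running FortiGate block into audit_fortios_saml to catch a changed port, a dropped trailing slash or a stale IdP URL before users report a failed login.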

Use case 2: SAML authentication with Okta as IdP

Configuring IPsec VPN SAML authentication using Okta as the IdP is similar to Use case 1: SAML authentication with Entra ID as IdP. The following shows an example configuring the SAML user for Okta (step 2.c.i). Note that the entity-id, single-sign-on-url, and single-logout-url in this example end with a trailing slash, unlike in Use case 1; whichever form you use, the Okta application's Audience URI (SP Entity ID) and Single sign-on URL must match it character for character:

config user saml
    edit "IPSec-SAML-FAC"
        set cert "Fortinet_Factory"
        set entity-id "https://remote...de01:10428/remote/saml/metadata/"
        set single-sign-on-url "https://remote...de01:10428/remote/saml/login/"
        set single-logout-url "https://remote...de01:10428/remote/saml/logout/"
        set idp-entity-id "http://www.okta.com/exk5v..."
        set idp-single-sign-on-url "https://dev-....okta.com/app/dev-..._samlloginfgt39_1/exk5v.../sso/saml"
        set idp-single-logout-url "https://dev-....okta.com/app/dev-..._samlloginfgt39_1/exk5v.../slo/saml"
        set idp-cert "REMOTE_Cert_4"
        set user-name "username"
        set group-name "saml-group"
        set digest-method sha1
    next
end

To verify the configuration:
  1. After the VPN tunnel is up, attempt access to a resource that a FortiOS firewall policy protects. Run get vpn ipsec tunnel details in the FortiOS CLI. Following is the expected output. Note that it includes the negotiated ESP encryption and authentication keys, so treat it as sensitive:

    gateway
      name: 'v4-PSK-IKEv2_0'
      local-gateway: 10.152.35.161:0 (static)
      remote-gateway: 10.152.35.170:0 (dynamic)
      dpd-link: on
      mode: ike-v2
      interface: 'port1' (3)
      vrf: 0
      rx  packets: 18  bytes: 2259  errors: 13
      tx  packets: 0  bytes: 0  errors: 0
      dpd: on-idle/negotiated  idle: 60000ms  retry: 3  count: 0
      selectors
        name: 'v4-PSK-IKEv2'
        auto-negotiate: disable
        mode: tunnel
        src: 0:0.0.0.0-255.255.255.255:0
        dst: 0:192.168.1.100-192.168.1.100:0
        SA
          lifetime/rekey: 43200/43101
          mtu: 1438
          tx-esp-seq: 1
          replay: enabled
          qat: 0
          inbound
            spi: 758626b4
            enc:     aes-cb  37491f896e23475bcbc98cb98fe6511c
            auth:       sha1  01cfde3affa4edcca94626c9fcc474fe55113e36
          outbound
            spi: 80b1a046
            enc:     aes-cb  88c755eec85f512ca31ce65b687932bb
            auth:       sha1  d2953b6376c145b82e88a05983dfec180e33dbc4
          NPU acceleration: none

  2. Run diagnose sniffer packet <tunnel name> (here v4-PSK-IKEv2) to view the traffic inside the tunnel. Following is the expected output for a client at 192.168.1.100 pinging the file server at 192.168.235.180:

    Using Original Sniffing Mode
    interfaces=[v4-PSK-IKEv2]
    filters=[none]
    pcap_lookupnet: v4-PSK-IKEv2: no IPv4 address assigned
    8.902304 192.168.1.100 -> 192.168.235.180: icmp: echo request
    8.902770 192.168.235.180 -> 192.168.1.100: icmp: echo reply
    9.910247 192.168.1.100 -> 192.168.235.180: icmp: echo request
    9.910518 192.168.235.180 -> 192.168.1.100: icmp: echo reply
    10.925738 192.168.1.100 -> 192.168.235.180: icmp: echo request
    10.926070 192.168.235.180 -> 192.168.1.100: icmp: echo reply
    11.941364 192.168.1.100 -> 192.168.235.180: icmp: echo request
    11.942012 192.168.235.180 -> 192.168.1.100: icmp: echo reply
    49.060511 192.168.1.100 -> 192.168.235.180: icmp: echo request
    49.061039 192.168.235.180 -> 192.168.1.100: icmp: echo reply
    50.066813 192.168.1.100 -> 192.168.235.180: icmp: echo request
    50.067084 192.168.235.180 -> 192.168.1.100: icmp: echo reply
    51.082305 192.168.1.100 -> 192.168.235.180: icmp: echo request
    51.082633 192.168.235.180 -> 192.168.1.100: icmp: echo reply
    52.097539 192.168.1.100 -> 192.168.235.180: icmp: echo request
    52.097898 192.168.235.180 -> 192.168.1.100: icmp: echo reply

  3. Run diagnose firewall auth list. Following is the expected output. The server field shows that the SAML server authenticated the user, and group_name shows the group that the firewall policy references:

    192.168.1.100, example@fortinet.com
            type: fw, id: 0, duration: 664, idled: 458
            server: IPSec-SAML-FAC
            packets: in 8 out 8, bytes: in 480 out 480
            group_id: 6
            group_name: ipsec-saml-group

    ----- 1 listed, 0 filtered ------
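Both use cases end by reading diagnose firewall auth list by eye. The following script, added here as an example and not Fortinet code, parses that output into records and applies the two checks that matter for this setup: the session was authenticated by the SAML server and landed in the group the firewall policy references, and the assigned address sits inside the mode-cfg pool. The sample output is constructed in the format shown on this page; the second entry (a user that authenticated but landed in a different group) is invented to show the check firing.

```python
"""Parse 'diagnose firewall auth list' and check the SAML VPN sessions it reports.

Added example, not Fortinet code. The sample output is constructed in the page's
format; the contractor entry is invented to show a session the policy would not match.
"""
import ipaddress
import re

SAMPLE_AUTH_LIST = """\
192.168.1.100, user@example.onmicrosoft.com
        type: fw, id: 0, duration: 664, idled: 458
        server: IPSec-SAML-FAC
        packets: in 8 out 8, bytes: in 480 out 480
        group_id: 6
        group_name: ipsec-saml-group

192.168.1.101, contractor@example.onmicrosoft.com
        type: fw, id: 0, duration: 12, idled: 12
        server: IPSec-SAML-FAC
        packets: in 0 out 0, bytes: in 0 out 0
        group_id: 7
        group_name: contractors

----- 2 listed, 0 filtered ------
"""

HEADER_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}),\s*(\S+)$")
COUNTERS_RE = re.compile(r"packets: in (\d+) out (\d+), bytes: in (\d+) out (\d+)")


def parse_auth_list(text):
    """Return one dict per authenticated session (IP, user, server, group, counters)."""
    sessions, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-----"):
            continue
        header = HEADER_RE.match(line)
        if header:
            current = {"ip": header.group(1), "user": header.group(2)}
            sessions.append(current)
            continue
        if current is None:
            continue            # stray line before the first session header
        counters = COUNTERS_RE.match(line)
        if counters:
            keys = ("packets_in", "packets_out", "bytes_in", "bytes_out")
            current.update(zip(keys, map(int, counters.groups())))
            continue
        for field in line.split(","):     # "type: fw, id: 0, duration: 74, idled: 74"
            key, _, value = field.partition(":")
            current[key.strip()] = value.strip()
    return sessions


def sessions_outside_group(sessions, server, group):
    """Sessions that `server` authenticated but whose group is not `group`.
    A policy with 'set groups "<group>"' will not match traffic from these users."""
    return [s for s in sessions
            if s.get("server") == server and s.get("group_name") != group]


def sessions_outside_pool(sessions, start_ip, end_ip):
    """Sessions whose address is not in the mode-cfg pool (the ipv4-name iprange)."""
    lo, hi = ipaddress.ip_address(start_ip), ipaddress.ip_address(end_ip)
    return [s for s in sessions if not lo <= ipaddress.ip_address(s["ip"]) <= hi]


if __name__ == "__main__":
    found = parse_auth_list(SAMPLE_AUTH_LIST)
    for s in sessions_outside_group(found, "IPSec-SAML-FAC", "ipsec-saml-group"):
        print(f"{s['user']} at {s['ip']} is in {s['group_name']}, not ipsec-saml-group")
    print(f"{len(sessions_outside_pool(found, '192.168.1.100', '192.168.1.108'))} sessions outside the pool")
```

Run it against the live output (for example, collected over SSH in a monitoring job) to catch a user whose IdP group claim does not map to ipsec-saml-group, which shows up as a tunnel that is up but cannot reach anything behind the policy.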

Use case 3: SAML authentication with FortiAuthenticator as IdP

Configuring IPsec VPN SAML authentication using FortiAuthenticator as the IdP is similar to Use case 1: SAML authentication with Entra ID as IdP. The following shows an example configuring the SAML user for FortiAuthenticator (step 2.c.i). Ensure that the endpoint can resolve both the remote gateway FQDN (in this example remote...de01) and the FortiAuthenticator FQDN (in this example fac.example.fct.local):

config user saml
    edit "IPSec-SAML-FAC"
        set cert "Fortinet_Factory"
        set entity-id "https://remote...de01:10428/remote/saml/metadata/"
        set single-sign-on-url "https://remote...de01:10428/remote/saml/login/"
        set single-logout-url "https://remote...de01:10428/remote/saml/logout/"
        set idp-entity-id "http://fac.example.fct.local/saml-idp/lxat.../metadata/"
        set idp-single-sign-on-url "https://fac.example.fct.local/saml-idp/lxat.../login/"
        set idp-single-logout-url "https://fac.example.fct.local/saml-idp/lxat.../logout/"
        set idp-cert "REMOTE_Cert_3"
        set user-name "username"
        set group-name "saml-group"
        set digest-method sha1
    next
end

IPsec VPN tunnel XML configuration

The following shows the XML configuration for the tunnel configured in Use case 1: SAML authentication with Entra ID as IdP step 3 (the IPSec-V2-EAP-SAML connection, which uses a preshared key; the key is stored in encrypted form). The export also contains a second connection, IPSec-V2-SAML-LM0, which uses certificate authentication with the same SAML settings. In each connection, note the <sso_enabled> and <ike_saml_port> elements under <ike_settings>: <ike_saml_port> must match auth-ike-saml-port on the FortiGate, and <version> must be 2 because SAML login is only supported with IKEv2:

<?xml version="1.0" ?>
<forticlient_configuration>
    <vpn>
        <enabled>1</enabled>
        <sslvpn>
            <options>
                <negative_split_tunnel_metric/>
                <dnscache_service_control>0</dnscache_service_control>
                <warn_invalid_server_certificate>1</warn_invalid_server_certificate>
                <no_dns_registration>0</no_dns_registration>
                <use_gui_saml_auth>0</use_gui_saml_auth>
                <preferred_dtls_tunnel>0</preferred_dtls_tunnel>
                <prefer_sslvpn_dns>1</prefer_sslvpn_dns>
                <disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
                <enabled>1</enabled>
            </options>
            <connections/>
        </sslvpn>
        <ipsecvpn>
            <options>
                <use_win_local_computer_cert>1</use_win_local_computer_cert>
                <disallow_invalid_server_certificate>1</disallow_invalid_server_certificate>
                <usesmcardcert>1</usesmcardcert>
                <show_auth_cert_only>0</show_auth_cert_only>
                <no_dns_registration>0</no_dns_registration>
                <enable_udp_checksum>0</enable_udp_checksum>
                <beep_if_error>0</beep_if_error>
                <disable_default_route>0</disable_default_route>
                <block_ipv6>1</block_ipv6>
                <check_for_cert_private_key>0</check_for_cert_private_key>
                <enhanced_key_usage_mandatory>0</enhanced_key_usage_mandatory>
                <usewincert>1</usewincert>
                <uselocalcert>0</uselocalcert>
                <use_win_current_user_cert>1</use_win_current_user_cert>
                <enabled>1</enabled>
            </options>
            <connections>
                <connection>
                    <name>IPSec-V2-EAP-SAML</name>
                    <uid>BA387F1D-E421-4753-AAA4-657C4C8202AF</uid>
                    <machine>0</machine>
                    <keep_running>0</keep_running>
                    <disclaimer_msg/>
                    <sso_enabled>1</sso_enabled>
                    <single_user_mode>0</single_user_mode>
                    <type>manual</type>
                    <ui>
                        <show_remember_password>1</show_remember_password>
                        <show_alwaysup>1</show_alwaysup>
                        <show_autoconnect>1</show_autoconnect>
                        <show_passcode>0</show_passcode>
                        <save_username>0</save_username>
                    </ui>
                    <redundant_sort_method>0</redundant_sort_method>
                    <tags>
                        <allowed/>
                        <prohibited/>
                    </tags>
                    <host_check_fail_warning/>
                    <ike_settings>
                        <server>remote...de01</server>
                        <authentication_method>Preshared Key</authentication_method>
                        <fgt>1</fgt>
                        <prompt_certificate>0</prompt_certificate>
                        <xauth>
                            <use_otp>0</use_otp>
                            <enabled>1</enabled>
                            <prompt_username>1</prompt_username>
                        </xauth>
                        <version>2</version>
                        <mode>aggressive</mode>
                        <key_life>86400</key_life>
                        <localid/>
                        <implied_SPDO>0</implied_SPDO>
                        <implied_SPDO_timeout>0</implied_SPDO_timeout>
                        <nat_traversal>1</nat_traversal>
                        <nat_alive_freq>5</nat_alive_freq>
                        <enable_local_lan>0</enable_local_lan>
                        <enable_ike_fragmentation>0</enable_ike_fragmentation>
                        <mode_config>1</mode_config>
                        <dpd>1</dpd>
                        <run_fcauth_system>0</run_fcauth_system>
                        <sso_enabled>1</sso_enabled>
                        <ike_saml_port>10428</ike_saml_port>
                        <dpd_retry_count>3</dpd_retry_count>
                        <dpd_retry_interval>5</dpd_retry_interval>
                        <auth_data>
                            <preshared_key>Enc 380ffd71e1570436106bf459ff8fc41e43a7279260bec9b01e7dd3bfc3c8dfc0</preshared_key>
                        </auth_data>
                        <xauth_timeout>120</xauth_timeout>
                        <dhgroup>5</dhgroup>
                        <proposals>
                            <proposal>AES128|SHA1</proposal>
                            <proposal>AES256|SHA256</proposal>
                        </proposals>
                    </ike_settings>
                    <ipsec_settings>
                        <remote_networks>
                            <network>
                                <addr>0.0.0.0</addr>
                                <mask>0.0.0.0</mask>
                            </network>
                            <network>
                                <addr>::/0</addr>
                                <mask>::/0</mask>
                            </network>
                        </remote_networks>
                        <dhgroup>5</dhgroup>
                        <key_life_type>seconds</key_life_type>
                        <key_life_seconds>43200</key_life_seconds>
                        <key_life_Kbytes>5200</key_life_Kbytes>
                        <replay_detection>1</replay_detection>
                        <pfs>1</pfs>
                        <use_vip>1</use_vip>
                        <virtualip>
                            <type>modeconfig</type>
                            <ip>0.0.0.0</ip>
                            <mask>0.0.0.0</mask>
                            <dnsserver>0.0.0.0</dnsserver>
                            <winserver>0.0.0.0</winserver>
                        </virtualip>
                        <proposals>
                            <proposal>AES128|SHA1</proposal>
                            <proposal>AES256|SHA256</proposal>
                        </proposals>
                    </ipsec_settings>
                    <android_cert_path/>
                    <warn_invalid_server_certificate>1</warn_invalid_server_certificate>
                    <on_connect>
                        <script>
                            <os>windows</os>
                            <script/>
                        </script>
                        <script>
                            <os>MacOSX</os>
                            <script/>
                        </script>
                        <script>
                            <os>linux</os>
                            <script/>
                        </script>
                    </on_connect>
                    <on_disconnect>
                        <script>
                            <os>windows</os>
                            <script/>
                        </script>
                        <script>
                            <os>MacOSX</os>
                            <script/>
                        </script>
                        <script>
                            <os>linux</os>
                            <script/>
                        </script>
                    </on_disconnect>
                    <traffic_control>
                        <enabled>0</enabled>
                        <mode>1</mode>
                    </traffic_control>
                </connection>
                <connection>
                    <name>IPSec-V2-SAML-LM0</name>
                    <uid>186A1714-E2EA-44D1-AC8D-60B21922C48A</uid>
                    <machine>0</machine>
                    <keep_running>0</keep_running>
                    <disclaimer_msg/>
                    <sso_enabled>1</sso_enabled>
                    <single_user_mode>0</single_user_mode>
                    <type>manual</type>
                    <ui>
                        <show_remember_password>1</show_remember_password>
                        <show_alwaysup>1</show_alwaysup>
                        <show_autoconnect>1</show_autoconnect>
                        <show_passcode>0</show_passcode>
                        <save_username>0</save_username>
                    </ui>
                    <redundant_sort_method>0</redundant_sort_method>
                    <tags>
                        <allowed/>
                        <prohibited/>
                    </tags>
                    <host_check_fail_warning/>
                    <ike_settings>
                        <server>remote...de01</server>
                        <authentication_method>System Store X509 Certificate</authentication_method>
                        <fgt>1</fgt>
                        <prompt_certificate>1</prompt_certificate>
                        <xauth>
                            <use_otp>0</use_otp>
                            <enabled>1</enabled>
                            <prompt_username>1</prompt_username>
                        </xauth>
                        <version>2</version>
                        <mode>aggressive</mode>
                        <key_life>86400</key_life>
                        <localid/>
                        <implied_SPDO>0</implied_SPDO>
                        <implied_SPDO_timeout>0</implied_SPDO_timeout>
                        <nat_traversal>1</nat_traversal>
                        <nat_alive_freq>5</nat_alive_freq>
                        <enable_local_lan>0</enable_local_lan>
                        <enable_ike_fragmentation>0</enable_ike_fragmentation>
                        <mode_config>1</mode_config>
                        <dpd>1</dpd>
                        <run_fcauth_system>0</run_fcauth_system>
                        <sso_enabled>1</sso_enabled>
                        <ike_saml_port>10428</ike_saml_port>
                        <dpd_retry_count>3</dpd_retry_count>
                        <dpd_retry_interval>5</dpd_retry_interval>
                        <xauth_timeout>120</xauth_timeout>
                        <dhgroup>5</dhgroup>
                        <proposals>
                            <proposal>AES128|SHA1</proposal>
                            <proposal>AES256|SHA256</proposal>
                        </proposals>
                        <auth_data/>
                    </ike_settings>
                    <ipsec_settings>
                        <remote_networks>
                            <network>
                                <addr>0.0.0.0</addr>
                                <mask>0.0.0.0</mask>
                            </network>
                            <network>
                                <addr>::/0</addr>
                                <mask>::/0</mask>
                            </network>
                        </remote_networks>
                        <dhgroup>5</dhgroup>
                        <key_life_type>seconds</key_life_type>
                        <key_life_seconds>43200</key_life_seconds>
                        <key_life_Kbytes>5200</key_life_Kbytes>
                        <replay_detection>1</replay_detection>
                        <pfs>1</pfs>
                        <use_vip>1</use_vip>
                        <virtualip>
                            <type>modeconfig</type>
                            <ip>0.0.0.0</ip>
                            <mask>0.0.0.0</mask>
                            <dnsserver>0.0.0.0</dnsserver>
                            <winserver>0.0.0.0</winserver>
                        </virtualip>
                        <proposals>
                            <proposal>AES128|SHA1</proposal>
                            <proposal>AES256|SHA256</proposal>
                        </proposals>
                    </ipsec_settings>
                    <android_cert_path/>
                    <warn_invalid_server_certificate>1</warn_invalid_server_certificate>
                    <on_connect>
                        <script>
                            <os>windows</os>
                            <script/>
                        </script>
                        <script>
                            <os>MacOSX</os>
                            <script/>
                        </script>
                        <script>
                            <os>linux</os>
                            <script/>
                        </script>
                    </on_connect>
                    <on_disconnect>
                        <script>
                            <os>windows</os>
                            <script/>
                        </script>
                        <script>
                            <os>MacOSX</os>
                            <script/>
                        </script>
                        <script>
                            <os>linux</os>
                            <script/>
                        </script>
                    </on_disconnect>
                    <traffic_control>
                        <enabled>0</enabled>
                        <mode>1</mode>
                    </traffic_control>
                </connection>
            </connections>
        </ipsecvpn>
        <lockdown>
            <exceptions>
                <ips/>
                <apps/>
            </exceptions>
            <max_attempts>3</max_attempts>
            <grace_period>120</grace_period>
            <enabled>0</enabled>
        </lockdown>
        <options>
            <show_vpn_before_logon>1</show_vpn_before_logon>
            <keep_running_max_tries>0</keep_running_max_tries>
            <on_os_start_connect_has_priority>0</on_os_start_connect_has_priority>
            <autoconnect_only_when_offnet>0</autoconnect_only_when_offnet>
            <secure_remote_access>1</secure_remote_access>
            <minimize_window_on_connect>1</minimize_window_on_connect>
            <show_negotiation_wnd>0</show_negotiation_wnd>
            <allow_personal_vpns>1</allow_personal_vpns>
            <on_os_start_connect/>
            <autoconnect_on_install>0</autoconnect_on_install>
            <suppress_vpn_notification>1</suppress_vpn_notification>
            <disable_connect_disconnect>0</disable_connect_disconnect>
            <use_windows_credentials>0</use_windows_credentials>
            <use_legacy_vpn_before_logon>0</use_legacy_vpn_before_logon>
        </options>
    </vpn>
    <endpoint_control>
        <ui>
            <display_vpn>1</display_vpn>
        </ui>
    </endpoint_control>
</forticlient_configuration>
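The profile above is long, and the handful of elements that decide whether SAML login works (sso_enabled, ike_saml_port, version, server, the proposals and DH group that must overlap with the FortiGate phase1-interface, and the strict server-certificate option) are scattered across it. The following script, added here as an example and not Fortinet or FortiClient code, audits every IPsec connection in a profile against the FortiGate-side values. The profile it parses is a constructed, trimmed document in the layout EMS exports; the gateway vpn.example.com and the IKEv1 connection are invented to show findings.

```python
"""Audit the IPsec connections in a FortiClient profile XML for SAML-login readiness.

Added example, not Fortinet or FortiClient code. The profile is a constructed,
trimmed document in the layout EMS exports; vpn.example.com and the IKEv1
connection are invented.
"""
import xml.etree.ElementTree as ET

SAMPLE_PROFILE = """<forticlient_configuration>
  <vpn>
    <ipsecvpn>
      <options>
        <disallow_invalid_server_certificate>1</disallow_invalid_server_certificate>
      </options>
      <connections>
        <connection>
          <name>IPSec-V2-EAP-SAML</name>
          <sso_enabled>1</sso_enabled>
          <ike_settings>
            <server>vpn.example.com</server>
            <authentication_method>Preshared Key</authentication_method>
            <version>2</version>
            <sso_enabled>1</sso_enabled>
            <ike_saml_port>10428</ike_saml_port>
            <dhgroup>5</dhgroup>
            <proposals>
              <proposal>AES128|SHA1</proposal>
              <proposal>AES256|SHA256</proposal>
            </proposals>
          </ike_settings>
        </connection>
        <connection>
          <name>IPSec-V1-Legacy</name>
          <sso_enabled>1</sso_enabled>
          <ike_settings>
            <server>vpn.example.com</server>
            <authentication_method>Preshared Key</authentication_method>
            <version>1</version>
            <sso_enabled>1</sso_enabled>
            <dhgroup>5</dhgroup>
            <proposals>
              <proposal>AES128|SHA1</proposal>
            </proposals>
          </ike_settings>
        </connection>
      </connections>
    </ipsecvpn>
  </vpn>
</forticlient_configuration>
"""


def client_proposals(ike):
    """FortiClient writes 'AES128|SHA1'; FortiOS phase1-interface spells it 'aes128-sha1'."""
    return {p.text.strip().replace("|", "-").lower() for p in ike.iterfind("proposals/proposal")}


def audit_profile(xml_text, gateway_fqdn, ike_saml_port, fortios_proposal, fortios_dhgrp):
    """Return {connection name: [findings]} for every IPsec connection in the profile.

    fortios_proposal and fortios_dhgrp are the 'set proposal' and 'set dhgrp' values
    of the matching phase1-interface, e.g. "aes128-sha1 aes256-sha256" and "5".
    """
    root = ET.fromstring(xml_text)
    fgt_proposals = set(fortios_proposal.split())
    fgt_dhgrps = set(fortios_dhgrp.split())
    strict_cert = root.findtext("vpn/ipsecvpn/options/disallow_invalid_server_certificate")
    findings = {}
    for conn in root.iterfind("vpn/ipsecvpn/connections/connection"):
        name = conn.findtext("name")
        ike = conn.find("ike_settings")
        issues = []
        if conn.findtext("sso_enabled") != "1" or ike.findtext("sso_enabled") != "1":
            issues.append("SAML login is not enabled on this connection")
        if ike.findtext("version") != "2":
            issues.append(f"SAML login requires IKEv2; <version> is {ike.findtext('version')}")
        if ike.findtext("ike_saml_port") != str(ike_saml_port):
            issues.append(f"<ike_saml_port> {ike.findtext('ike_saml_port')} does not match auth-ike-saml-port {ike_saml_port}")
        if ike.findtext("server") != gateway_fqdn:
            issues.append(f"<server> {ike.findtext('server')} is not the FQDN used by the SP URLs and certificate")
        if not client_proposals(ike) & fgt_proposals:
            issues.append("no IKE proposal in common with the FortiGate phase1-interface")
        if ike.findtext("dhgroup") not in fgt_dhgrps:
            issues.append(f"<dhgroup> {ike.findtext('dhgroup')} is not in the FortiGate dhgrp list")
        if strict_cert != "1":
            issues.append("disallow_invalid_server_certificate is not 1: a bad gateway certificate only warns")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_profile(SAMPLE_PROFILE, "vpn.example.com", 10428,
                                      "aes128-sha1 aes256-sha256", "5").items():
        print(name, "OK" if not issues else "")
        for issue in issues:
            print("   -", issue)
```

Point it at the XML exported from EMS and pass the phase1-interface values from the FortiGate; a non-empty finding list explains most "tunnel never prompts for SAML" or "no proposal chosen" reports before anyone opens the IKE debug.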

IKE debug log reference

The following FortiOS IKE and samld debug output, captured while a FortiClient user connected with Entra ID as the IdP, shows the SAML AuthnRequest that the FortiGate builds and the redirect URL it hands to the client. The output is truncated at the end:

VPN-ZTNA-FGT1 # diagnose debug reset
VPN-ZTNA-FGT1 # diagnose debug application ike -1
Debug messages will be on for 30 minutes.
VPN-ZTNA-FGT1 # diagnose debug application samld -1
VPN-ZTNA-FGT1 # diagnose debug enable
VPN-ZTNA-FGT1 # ike :config update start
ike :ike_embryonic_conn_limit = 10000
ike :ikecrypt DH multi-process enabled
ike V=root:0: sync=no FGCP:disabled role:master, FGSP:disabled id:0 slave-add-routes:disabled
ike V=root:0:V4-PSK: local-addr 10.152.35.161
ike V=root:0:V4-PSK: oif 3, vrf 0
ike V=root:0:v4-Cert: local-addr 10.152.35.161
ike V=root:0:v4-Cert: oif 3, vrf 0
ike V=root:0:v4-PSK-IKEv2: local-addr 10.152.35.161
ike V=root:0:v4-PSK-IKEv2: oif 3, vrf 0
ike V=root:0:port3: add addr 192.168.235.0-192.168.235.255
ike V=root:0:ipsec-saml-group:6: update auth group
ike config clean start 10
ike config clean done 10
ike :config update done
samld_process_request [145]: len=453, cmd=0, pid=2293, job_id=563454
samld_process_request [162]: Received 453, 0x1272e30
__samld_sp_create_auth_req [433]: SAML SP algo: 0 -> lasso=1. Binding Method: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
__samld_sp_create_auth_req [453]: **** AuthnRequest URL ****
https://login.microsoftonline.com/f1a72219-.../saml2?SAMLRequest=lZJBb9swDIX%2FiqG7bcl2EkdIAtjxigXoNqNJd9hlkGW6FSBLmSh327%2Bf4nRrd1iBHUW%2BR%2FF74AbFqM%2B8mvyjuYNvE6CPfozaIJ8bWzI5w61AhdyIEZB7yY%2FVh1ueJZSfnfVWWk1eWd52CERwXllDokOzJV9ZUZdlnjf7Zbmu6HpRsTqvbqqGvqsXjNYFiT6Dw6DfkmAPJsQJDga9MD6UaFbENI%2Fp8kRzvljxrPxCoiYwKCP87Hr0%2Fow8TbV9UCYZlXQW7eCt0cpAIu2YDkyssoyt464TeVwMS4jXeVfGEvIuL1i3kkORXsgyEt1YJ2HOaksGoREuG7UBSj3Bn0r7nEqtTK%2FMw9uBdFcR8venUxu3n44nElW%2FQ9pbg9MI7gjuSUm4v7t9AXIwWh8IlHfKoNXCJT1QxhktsvK5O699RSe7zeXB5wDd7v%2BnjOBFL7zYpK%2FnbK7n8zFwHZrWaiV%2FXkIahf83NkvYXFF9PMxSPhk8g1SDgj7Qa22%2F7x0IHyL1bgKS7q6f%2Fn2mu18%3D&RelayState=magic%3D060806859681f2ed&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=RkHlyfm3PThl8ei43dJ%2BERS%2B42ngKeo%2FQGxdcbl7pfcuipF%2B0tt%2FctYzOQYMXmai3zBrmOWL%2FT6UHdySEPB3xy1puf%2BxwPfBYh%2BWnR6S6OQKwkYpsBwUsXWbgrENrQxRFv1RRxm9TFiORyyWJCSCf94THDC0Uu%2BNmG2lyfoDXnmWUfy3hpBdMAKAQL3DJs2l2cKotLmSpPRvK9%2BG%2BYxDcUwDDXyfTzIW7pvo57qmO3L9DRDF1woftJ4Psn4p44LTxvV7bcW4WdhSfji7Z%2F%2FyXzcg7TGnFC1pAw%2FsSXfzp%2FdHSym3TT%2FMIWtpa8JuKrmRWhBMzCP5IIUVxNQr5WiaIA%3D%3D
***********************
__samld_sp_create_auth_req [467]: **** AuthnRequest ****
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_14B8833DC689A095A1B3AFAD0EB510B4" Version="2.0" IssueInstant="2024-03-06T03:57:28Z" Destination="https://login.microsoftonline.com/f1a72219-.../saml2" SignType="0" SignMethod="0" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://remote...de01:10428/remote/saml/login"><saml:Issuer>https://remote...de01:10428/remote/saml/metadata</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/></samlp:AuthnRequest>
***********************
__samld_sp_create_auth_req [472]: **** SP Login Dump ****
<lasso:Login xmlns:lasso="http://www.entrouvert.org/namespaces/lasso/0.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" LoginDumpVersion="2"><lasso:Request><samlp:AuthnRequest ID="_14B8833DC689A095A1B3AFAD0EB510B4" Version="2.0" IssueInstant="2024-03-06T03:57:28Z" Destination="https://login.microsoftonline.com/f1a72219-.../saml2" SignType="0" SignMethod="0" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://remote...de01:10428/remote/saml/login"><saml:Issuer>https://remote...de01:10428/remote/saml/metadata</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/></samlp:AuthnRequest></lasso:Request><lasso:RemoteProviderID>https://sts.windows.net/f1a72219-.../</lasso:RemoteProviderID><lasso:MsgUrl>https://login.microsoftonline.com/f1a72219-.../saml2?SAMLRequest=lZJBb9swDIX%2FiqG7bcl2EkdIAtjxigXoNqNJd9hlkGW6FSBLmSh327%2Bf4nRrd1iBHUW%2BR%2FF74AbFqM%2B8mvyjuYNvE6CPfozaIJ8bWzI5w61AhdyIEZB7yY%2FVh1ueJZSfnfVWWk1eWd52CERwXllDokOzJV9ZUZdlnjf7Zbmu6HpRsTqvbqqGvqsXjNYFiT6Dw6DfkmAPJsQJDga9MD6UaFbENI%2Fp8kRzvljxrPxCoiYwKCP87Hr0%2Fow8TbV9UCYZlXQW7eCt0cpAIu2YDkyssoyt464TeVwMS4jXeVfGEvIuL1i3kkORXsgyEt1YJ2HOaksGoREuG7UBSj3Bn0r7nEqtTK%2FMw9uBdFcR8venUxu3n44nElW%2FQ9pbg9MI7gjuSUm4v7t9AXIwWh8IlHfKoNXCJT1QxhktsvK5O699RSe7zeXB5wDd7v%2BnjOBFL7zYpK%2FnbK7n8zFwHZrWaiV%2FXkIahf83NkvYXFF9PMxSPhk8g1SDgj7Qa22%2F7x0IHyL1bgKS7q6f%2Fn2mu18%3D&amp;RelayState=magic%3D060806859681f2ed&amp;SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&amp;Signature=RkHlyfm3PThl8ei43dJ%2BERS%2B42ngKeo%2FQGxdcbl7pfcuipF%2B0tt%2FctYzOQYMXmai3zBrmOWL%2FT6UHdySEPB3xy1puf%2BxwPfBYh%2BWnR6S6OQKwkYpsBwUsXWbgrENrQxRFv1RRxm9TFiORyyWJCSCf94THDC0Uu%2BNmG2lyfoDXnmWUfy3hpBdMAKAQL3DJs2l2cKotLmSpPRvK9%2BG%2BYxDcUwDDXyfTzIW7pvo57qmO3L9DRDF1woftJ4Psn4p44LTxvV7bcW4WdhSfji7Z%2F%2FyXzcg7TGnFC1pAw%2FsSXfzp%2FdHSym3TT%2FMIWtpa8JuKrmRWhBMzCP5IIUVxNQr5WiaIA%3D%3D</lasso:MsgUrl><lasso:MsgRelayState>magic=060806859681f2ed</lasso:MsgRelayState><lasso:HttpRequestMethod>4</lasso:HttpRequestMethod><lasso:RequestID>_14B8833DC689A095A1B3AFAD0EB510B4</lasso:RequestID></lasso:Login>
***********************
samld_send_common_reply [91]: Code: 0, id: 563454, pid: 2293, len: 3517, data_len 3501
samld_send_common_reply [99]: Attr: 14, 2352, <lasso:Login xmlns:lasso="http://www.entrouvert.org/namespaces/lasso/0.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" LoginDumpVersion="2"><lasso:Request><samlp:AuthnRequest ID="_14B8833DC689A095A1B3AFAD0EB510B4" Version="2.0" IssueInstant="2024-03-06T03:57:28Z" Destination="https://login.microsoftonline.com/f1a72219-.../saml2" SignType="0" SignMethod="0" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://remote...de01:10428/remote/saml/login"><saml:Issuer>https://remote...de01:10428/remote/saml/metadata</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/></samlp:AuthnRequest></lasso:Request><lasso:RemoteProviderID>https://sts.windows.net/f1a72219-.../</lasso:RemoteProviderID><lasso:MsgUrl>https://login.microsoftonline.com/f1a72219-.../saml2?SAMLRequest=lZJBb9swDIX%2FiqG7bcl2EkdIAtjxigXoNqNJd9hlkGW6FSBLmSh327%2Bf4nRrd1iBHUW%2BR%2FF74AbFqM%2B8mvyjuYNvE6CPfozaIJ8bWzI5w61AhdyIEZB7yY%2FVh1ueJZSfnfVWWk1eWd52CERwXllDokOzJV9ZUZdlnjf7Zbmu6HpRsTqvbqqGvqsXjNYFiT6Dw6DfkmAPJsQJDga9MD6UaFbENI%2Fp8kRzvljxrPxCoiYwKCP87Hr0%2Fow8TbV9UCYZlXQW7eCt0cpAIu2YDkyssoyt464TeVwMS4jXeVfGEvIuL1i3kkORXsgyEt1YJ2HOaksGoREuG7UBSj3Bn0r7nEqtTK%2FMw9uBdFcR8venUxu3n44nElW%2FQ9pbg9MI7gjuSUm4v7t9AXIwWh8IlHfKoNXCJT1QxhktsvK5O699RSe7zeXB5wDd7v%2BnjOBFL7zYpK%2FnbK7n8zFwHZrWaiV%2FXkIahf83NkvYXFF9PMxSPhk8g1SDgj7Qa22%2F7x0IHyL1bgKS7q6f%2Fn2mu18%3D&amp;RelayState=magic%3D060806859681f2ed&amp;SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&amp;Signature=RkHlyfm3PThl8ei43dJ%2BERS%2B42ngKeo%2FQGxdcbl7pfcuipF%2B0tt%2FctYzOQYMXmai3zBrmOWL%2FT6UHdySEPB3xy1puf%2BxwPfBYh%2BWnR6S6OQKwkYpsBwUsXWbgrENrQxRFv1RRxm9TFiORyyWJCSCf94THDC0Uu%2BNmG2lyfoDXnmWUfy3hpBdMAKAQL3DJs2l2cKotLmSpPRvK9%2BG%2BYxDcUwDDXyfTzIW7pvo57qmO3L9DRDF1woftJ4Psn4p44LTxvV7bcW4WdhSfji7Z%2F%2FyXzcg7TGnFC1pAw%2FsSXfzp%2FdHSym3TT%2FMIWtpa8JuKrmRWhBMzCP5IIUVxNQr5WiaIA%3D%3D</lasso:MsgUrl><lasso:MsgRelayState>magic=060806859681f2ed</lasso:MsgRelayState><lasso:HttpRequestMethod>4</lasso:HttpRequestMethod><lasso:RequestID>_14B8833DC689A095A1B3AFAD0EB510B4</lasso:RequestID></lasso:Login>
samld_send_common_reply [99]: Attr: 11, 1149, https://login.microsoftonline.com/f1a72219-.../saml2?SAMLRequest=lZJBb9swDIX%2FiqG7bcl2EkdIAtjxigXoNqNJd9hlkGW6FSBLmSh327%2Bf4nRrd1iBHUW%2BR%2FF74AbFqM%2B8mvyjuYNvE6CPfozaIJ8bWzI5w61AhdyIEZB7yY%2FVh1ueJZSfnfVWWk1eWd52CERwXllDokOzJV9ZUZdlnjf7Zbmu6HpRsTqvbqqGvqsXjNYFiT6Dw6DfkmAPJsQJDga9MD6UaFbENI%2Fp8kRzvljxrPxCoiYwKCP87Hr0%2Fow8TbV9UCYZlXQW7eCt0cpAIu2YDkyssoyt464TeVwMS4jXeVfGEvIuL1i3kkORXsgyEt1YJ2HOaksGoREuG7UBSj3Bn0r7nEqtTK%2FMw9uBdFcR8venUxu3n44nElW%2FQ9pbg9MI7gjuSUm4v7t9AXIwWh8IlHfKoNXCJT1QxhktsvK5O699RSe7zeXB5wDd7v%2BnjOBFL7zYpK%2FnbK7n8zFwHZrWaiV%2FXkIahf83NkvYXFF9PMxSPhk8g1SDgj7Qa22%2F7x0IHyL1bgKS7q6f%2Fn2mu18%3D&RelayState=magic%3D060806859681f2ed&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=RkHlyfm3PThl8ei43dJ%2BERS%2B42ngKeo%2FQGxdcbl7pfcuipF%2B0tt%2FctYzOQYMXmai3zBrmOWL%2FT6UHdySEPB3xy1puf%2BxwPfBYh%2BWnR6S6OQKwkYpsBwUsXWbgrENrQxRFv1RRxm9TFiORyyWJCSCf94T
HDC0Uu%2BNmG2lyfoDXnmWUfy3hpBdMAKAQL3DJs2l2cKotLmSpPRvK9%2BG%2BYxDcUwDDXyfTzIW7pvo57qmO3L9DRDF1woftJ4Psn4p44LTxvV7bcW4WdhSfji7Z%2F%2FyXzcg7TGnFC1pAw%2FsSXfzp%2FdHS ym3TT%2FMIWtpa8JuKrmRWhBMzCP5IIUVxNQr5WiaIA%3D%3D samld_send_common_reply [119]: Sent resp: 3517, pid=2293, job_id=563454. samld_process_request [145]: len=10189, cmd=2, pid=2293, job_id=563454 samld_process_request [162]: Received 10189, 0x1272e30 __samld_sp_login_resp [815]: SP Login Response Msg Body (7536) <samlp:Response ID="_d41828f1-07df-448b-af4d-d59b291280eb" Version="2.0" IssueInstant="2024-03-06T03:57:28.827Z" Destination="https://remote...de01:10428 /remote/saml/login" InResponseTo="_14B8833DC689A095A1B3AFAD0EB510B4" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0: assertion">https://sts.windows.net/f1a72219-.../</Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status><Assertion ID="_af843ea7-5620-4f6b-bf20-4fb6db7f1100" IssueInstant="2024-03-06T03:57:28.824Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:ass ertion"><Issuer>https://sts.windows.net/f1a72219-.../</Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><Canonicali zationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><Reference URI="# _af843ea7-5620-4f6b-bf20-4fb6db7f1100"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><Transform Algorithm="http://www.w 3.org/2001/10/xml-exc-c14n#"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><DigestValue>SxoMOgM7+7Chj+VhUVBdW5moKwv+PwCErZyb49+g CSY=</DigestValue></Reference></SignedInfo><SignatureValue>fgdYi3m3yz3ns7pdC3GFNg6Lu4OwvXiw1qh4AR5zXlcq0uQiXMgqQzRKFb1fWuI8zGtOfb451kOlACyD7gLjmdVTcNe4mQJHAKxOWWRi 
VpUw10r2NMXOvxF1hlCxpYdAYljAUt/Omu94QYShzZHQI49JrF9wA49cEPptiH83kYR+xU3u11jCpwovz1y4CRX/g6/png6cqstX2nDvwvYPbnsAsMSYovUAvG/pqGjtwzO771TdYSDDCEPVTvGZMzYgJdLfZB2qVzc 0pU419vIYgoFitgJZG9sP1WOecOBJO2ozaU69QxpRIZsNBntnOm2nzPqEAwpXUmmF6xiDV5R/SQ==</SignatureValue><KeyInfo><X509Data><X509Certificate>MIIC8DCCAdigAwIBAgIQReSC88H5bbBLd kflSF49uzANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0yMzEwMTUwNDQwMDhaFw0yNjEwMTUwNDQwMDhaMDQxMjAwBgNVBAMTKU1p Y3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQgU1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtwvk0AblPyElViGWIIup8qDUBeFoBV469YOUY87DFmQNGyTPbujE6iheWrLtBPwAnIZ 1A75FBaUNXY980vj/Oc6E+kbOy7nCm9GWueI0NvGLnS7HUKi2TrM+EcHhAR+ftV0egq/3MrdBKFKITYYYwO6P0W0JtBjyCMY+XwGoxzREkajSXJnpsscNPwj/XdUBio7I6hnLCRzrTNy9l84nxXIFLZk+O/jzfdaYur blfJJVa8895sMu/Ka5PBow5KJHGnFpjbOJegPBc5kdXjNGisAgpLoZEMNjA8kFSGhlOD6BBs4XGMx7SvM7w/+BPGGbjVyRn94YCoII9KWd7ZHpmQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAs1OVASBqPuz09n0Xqt koSnCgmQufBObUF5FpY990LBEPs/0Uv8LfPUuOukiJJOzbqewgBeIAJLtxfs8ckq40kiL+PjZWvRRVolJGUOiuUO+l+WqdI6O2D3euadlguERdOK3yjs7tFTPhgqtEcQ60QuAWjwEdpjZL0UT2NTdlJz67LRXAjCjB+ bXHQ7SndSQfbMtI+DhGo6n+J5XDWQRvhrKI4f1XqzvhkwlPvxUH1f3xo+KnhCYNPY8Ge0yRHHKzS+pHKv4O16GeG34SmJX0Rv17xr8xXuSY2fDQOK9JnHiLWHYRVuB+Mp5lyY+5EpGd7zErPjU7jycmSJcbWMgNH</X 509Certificate></X509Data></KeyInfo></Signature><Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.onmicrosoft.com</ NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="_14B8833DC689A095A1B3AFAD0EB510B4" NotOnOrAfter=" 2024-03-06T04:57:28.694Z" Recipient="https://remote...de01:10428/remote/saml/login"/></SubjectConfirmation></Subject><Conditions NotBefore="2024-03-06T03 :52:28.694Z" NotOnOrAfter="2024-03-06T04:57:28.694Z"><AudienceRestriction><Audience>https://remote...de01:10428/remote/saml/metadata</Audience></Audience Restriction></Conditions><AttributeStatement><Attribute 
Name="http://schemas.microsoft.com/identity/claims/tenantid"><AttributeValue>f1a72219-...</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier"><AttributeValue>a6de82a6-05c4-4093-8288-65af3624 2d67</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/identity/claims/displayname"><AttributeValue>Yuyue Li</AttributeValue></Attribute><A ttribute Name="http://schemas.microsoft.com/identity/claims/identityprovider"><AttributeValue>https://sts.windows.net/f1a72219-.../</Attrib uteValue></Attribute><Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences"><AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/ authenticationmethod/password</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/wids"><AttributeValue>88d8e3e3-8 f55-4a1e-953a-9b9898b8876b</AttributeValue><AttributeValue>62e90394-69f5-4237-9190-012177145e10</AttributeValue><AttributeValue>b79fbf4d-3ef9-4689-8143-76b194e8550 9</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><AttributeValue>Yuyue</AttributeValue></Attribute>< Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><AttributeValue>Li</AttributeValue></Attribute><Attribute Name="http://schemas.xmlso ap.org/ws/2005/05/identity/claims/name"><AttributeValue>user@example.onmicrosoft.com</AttributeValue></Attribute><Attribute Name="username"><AttributeValue>yyl i@fortinetvan.onmicrosoft.com</AttributeValue></Attribute><Attribute Name="group"><AttributeValue>e6bbee59-c1d8-49e6-916b-2fe6339a3d1e</AttributeValue><AttributeVa lue>1cd4e267-054c-4e6c-b1ed-fc0f62dde5e6</AttributeValue><AttributeValue>3ccdd7c1-b59c-41c3-a985-229ab4ded5a2</AttributeValue></Attribute></AttributeStatement><Aut hnStatement AuthnInstant="2024-03-06T03:51:23.739Z" 
SessionIndex="_af843ea7-5620-4f6b-bf20-4fb6db7f1100"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAM L:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></samlp:Response> __samld_sp_login_resp [836]: **** Assertion Dump **** <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_af843ea7-5620-4f6b-bf20-4fb6db7f1100" IssueInstant ="2024-03-06T03:57:28.824Z" Version="2.0"><Issuer>https://sts.windows.net/f1a72219-.../</Issuer><Signature xmlns="http://www.w3.org/2000/09 /xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-m ore#rsa-sha256"/><Reference URI="#_af843ea7-5620-4f6b-bf20-4fb6db7f1100"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><DigestValue>SxoMOg M7+7Chj+VhUVBdW5moKwv+PwCErZyb49+gCSY=</DigestValue></Reference></SignedInfo><SignatureValue>fgdYi3m3yz3ns7pdC3GFNg6Lu4OwvXiw1qh4AR5zXlcq0uQiXMgqQzRKFb1fWuI8zGtOfb 451kOlACyD7gLjmdVTcNe4mQJHAKxOWWRiVpUw10r2NMXOvxF1hlCxpYdAYljAUt/Omu94QYShzZHQI49JrF9wA49cEPptiH83kYR+xU3u11jCpwovz1y4CRX/g6/png6cqstX2nDvwvYPbnsAsMSYovUAvG/pqGjtw zO771TdYSDDCEPVTvGZMzYgJdLfZB2qVzc0pU419vIYgoFitgJZG9sP1WOecOBJO2ozaU69QxpRIZsNBntnOm2nzPqEAwpXUmmF6xiDV5R/SQ==</SignatureValue><KeyInfo><X509Data><X509Certificate >MIIC8DCCAdigAwIBAgIQReSC88H5bbBLdkflSF49uzANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0yMzEwMTUwNDQwMDhaFw0yNj EwMTUwNDQwMDhaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQgU1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtwvk0AblPyElViGWIIup8qDUBeFoBV469 
YOUY87DFmQNGyTPbujE6iheWrLtBPwAnIZ1A75FBaUNXY980vj/Oc6E+kbOy7nCm9GWueI0NvGLnS7HUKi2TrM+EcHhAR+ftV0egq/3MrdBKFKITYYYwO6P0W0JtBjyCMY+XwGoxzREkajSXJnpsscNPwj/XdUBio7I 6hnLCRzrTNy9l84nxXIFLZk+O/jzfdaYurblfJJVa8895sMu/Ka5PBow5KJHGnFpjbOJegPBc5kdXjNGisAgpLoZEMNjA8kFSGhlOD6BBs4XGMx7SvM7w/+BPGGbjVyRn94YCoII9KWd7ZHpmQIDAQABMA0GCSqGSIb 3DQEBCwUAA4IBAQAs1OVASBqPuz09n0XqtkoSnCgmQufBObUF5FpY990LBEPs/0Uv8LfPUuOukiJJOzbqewgBeIAJLtxfs8ckq40kiL+PjZWvRRVolJGUOiuUO+l+WqdI6O2D3euadlguERdOK3yjs7tFTPhgqtEcQ6 0QuAWjwEdpjZL0UT2NTdlJz67LRXAjCjB+bXHQ7SndSQfbMtI+DhGo6n+J5XDWQRvhrKI4f1XqzvhkwlPvxUH1f3xo+KnhCYNPY8Ge0yRHHKzS+pHKv4O16GeG34SmJX0Rv17xr8xXuSY2fDQOK9JnHiLWHYRVuB+Mp 5lyY+5EpGd7zErPjU7jycmSJcbWMgNH</X509Certificate></X509Data></KeyInfo></Signature><Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"> user@example.onmicrosoft.com</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="_14B8833DC689A0 95A1B3AFAD0EB510B4" NotOnOrAfter="2024-03-06T04:57:28.694Z" Recipient="https://remote...de01:10428/remote/saml/login"/></SubjectConfirmation></Subject><C onditions NotBefore="2024-03-06T03:52:28.694Zike :shrank heap by 172032 bytes ike V=root:0: comes 10.152.35.170:500->10.152.35.161:500,ifindex=3,vrf=0,len=456.... 
ike V=root:0: IKEv2 exchange=SA_INIT id=91d7e3bfd6eb8287/0000000000000000 len=456 ike 0: in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ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: responder received SA_INIT msg ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: VID forticlient connect license 4C53427B6D465D1B337BB755A37A7FEF ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: VID Fortinet Endpoint Control B4F01CA951E9DA8D0BAFBBD34AD3044E ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: VID unknown (16): C1DC4350476B98A429B91781914CA43E ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: received notify type NAT_DETECTION_SOURCE_IP ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: received notify type NAT_DETECTION_DESTINATION_IP ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: incoming proposal: ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: proposal id = 1: ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: protocol = IKEv2: ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: encapsulation = IKEv2/none ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: type=ENCR, val=AES_CBC (key_len = 128) ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: type=INTEGR, val=AUTH_HMAC_SHA_96 ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: type=PRF, val=PRF_HMAC_SHA ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: type=DH_GROUP, val=MODP1536. ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: proposal id = 2: ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: protocol = IKEv2: ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: encapsulation = IKEv2/none ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: type=ENCR, val=AES_CBC (key_len = 256) ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: type=INTEGR, val=AUTH_HMAC_SHA2_256_128 ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: type=PRF, val=PRF_HMAC_SHA2_256 ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: type=DH_GROUP, val=MODP1536. 
ike V=root:0: cache rebuild start ike V=root:0:V4-PSK: cached as dynamic ike V=root:0:v4-Cert: cached as dynamic ike V=root:0:v4-PSK-IKEv2: cached as dynamic ike V=root:0: cache rebuild done ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: matched proposal id 1 ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: proposal id = 1: ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: protocol = IKEv2: ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: encapsulation = IKEv2/none ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: type=ENCR, val=AES_CBC (key_len = 128) ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: type=INTEGR, val=AUTH_HMAC_SHA_96 ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: type=PRF, val=PRF_HMAC_SHA ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: type=DH_GROUP, val=MODP1536. ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: lifetime=86400 ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: SA proposal chosen, matched gateway v4-PSK-IKEv2 ike V=root:0:v4-PSK-IKEv2: created connection: 0xe9bf900 3 10.152.35.161->10.152.35.170:500. 
ike V=root:0:v4-PSK-IKEv2:14: processing notify type NAT_DETECTION_SOURCE_IP ike V=root:0:v4-PSK-IKEv2:14: processing NAT-D payload ike V=root:0:v4-PSK-IKEv2:14: NAT not detected ike V=root:0:v4-PSK-IKEv2:14: process NAT-D ike V=root:0:v4-PSK-IKEv2:14: processing notify type NAT_DETECTION_DESTINATION_IP ike V=root:0:v4-PSK-IKEv2:14: processing NAT-D payload ike V=root:0:v4-PSK-IKEv2:14: NAT not detected ike V=root:0:v4-PSK-IKEv2:14: process NAT-D ike V=root:0:v4-PSK-IKEv2:14: FEC vendor ID received FEC but IP not set ike V=root:0:v4-PSK-IKEv2:14: responder preparing SA_INIT msg ike V=root:0:v4-PSK-IKEv2:14: generate DH public value request queued ike V=root:0:v4-PSK-IKEv2:14: responder preparing SA_INIT msg ike V=root:0:v4-PSK-IKEv2:14: compute DH shared secret request queued ike V=root:0:v4-PSK-IKEv2:14: responder preparing SA_INIT msg ike V=root:0:v4-PSK-IKEv2:14: create NAT-D hash local 10.152.35.161/500 remote 10.152.35.170/500 ike 0:v4-PSK-IKEv2:14: out 91D7E3BFD6EB8287032B6561653DE267212022200000000000000160220000300000002C010100040300000C0100000C800E008003000008020000020300000803000002 0000000804000005280000C80005000065955E1E4681E843C5618C637FE43851C15AD4D34C8E1738B09188C6B3DA57CFFC88346E35095286C904E5751B1722F8FA0455F59AE7489A67180C2A36D65DAC6FA FA4B9DADCE79F8B35851C2A22B8F452110665B6D16342709F5979D43F95CCE0617C40786355FF35D5E458646564356ED08A1A1CF29EA7C046246F09EFD49D3574DCC9D980EAFB1D08685642169ECB1E7081 9DB02E208F0C130FA97F071ADBD53F16E79384BA05CB0B8B18C6A0D125834119877FE45C11E7CDC77FFFA63B8729000014473843BD329EC550DD27667C37BFDA7A2900001C00004004B752F27710DE7BFDF FDDC48461DDFE77FE24B70F0000001C000040054F2308001BB502EDADE2CF75B498CCFD47FCEE4A ike V=root:0:v4-PSK-IKEv2:14: sent IKE msg (SA_INIT_RESPONSE): 10.152.35.161:500->10.152.35.170:500, len=352, vrf=0, id=91d7e3bfd6eb8287/032b6561653de267, oif=3 ike 0:v4-PSK-IKEv2:14: IKE SA 91d7e3bfd6eb8287/032b6561653de267 SK_ei 16:8B1FC416E2A711C0A33BF3074485A78F ike 0:v4-PSK-IKEv2:14: IKE SA 
91d7e3bfd6eb8287/032b6561653de267 SK_er 16:A4BB868B7D8FBB81EDE5C9FD1555365E ike 0:v4-PSK-IKEv2:14: IKE SA 91d7e3bfd6eb8287/032b6561653de267 SK_ai 20:2CB9528C9AE4B625B6F4A931ED07641416A51DCA ike 0:v4-PSK-IKEv2:14: IKE SA 91d7e3bfd6eb8287/032b6561653de267 SK_ar 20:7F182EEB73D4DE03695AF202E620B2C741CF503A ike V=root:0: comes 10.152.35.170:500->10.152.35.161:500,ifindex=3,vrf=0,len=620.... ike V=root:0: IKEv2 exchange=AUTH id=91d7e3bfd6eb8287/032b6561653de267:00000001 len=620 ike 0: in 91D7E3BFD6EB8287032B6561653DE2672E202308000000010000026C230002508DC5174C77E069C310D8A8382293B7125A27239C47932A34F2C27458FC9774DC6FB3E3E179F8777D69A7E54EE CDC0F4291E3B33E953B0761FC06B39882FA1EC00FFCB4CEB559AAD7272918C485A2A125CCD4B35B34CE7244BDD04B5183E43AFF419452A1AE12917BDF31AB2D758983B60ED97A2183EE38A98BCD8FEFA0CD 4DF478699267107DC508EFF092359589355084DAEC722EBF52DD7699B409295987A6648989CF760D2FD44F2EB83B2F897D2653D52FB5A073BAD3687CE0913A55CD36C6D481F362F5133CEBA3D623C64F360 4F2D7187A5130A479A7029EE4291F9A9E54AC3338AC79B151F97CE9900B50FC3C986F348FABDC430B5A5357477AA0B58F4E29C08904A43DDA6938BCE9520D0CE4193B904CED247770B70F62A0BFE41C4396 DB9386B505910AE947DFDC37E8D75C6F71E202CF163EB4B90C5E68FF5F9817D7255EA3C3AB8C8DDAE99B04D619BC1E56CD282EAE3873316290E349578360AC5F8136C69A7C2ABD0E4F2F419AE710899F1AD 6AE8A3A50EDC29574AC4D9F3ED065D6504344E2FA553E620F7D488D19FC4232556CC35EF4A84BE3A865E31AB4C169F0280975271DEDFCD43E53B1E60D75DFACC56801D09E0AE14B3D39161963AB92402263 65F39E975EF85E988A3BD1D2419E2CA7C0A1B354CF920DC0B453B5FCBED5CC48F5617C15869185F0501380F2687B30709328485EE6520AFCB174F49B2292FFAE97F11474672E1AE754A5132CCFB5A0DBEC4 AD9BCF9DEEE1EC905E464F83A8448CEA16FFE33938A96485B283A40732CA6B25AF0870A974239DA5ED7CD8362308A4C438FC7DC4512E4 ike 0:v4-PSK-IKEv2:14: dec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ike V=root:0:v4-PSK-IKEv2:14: responder received AUTH msg ike V=root:0:v4-PSK-IKEv2:14: processing notify type INITIAL_CONTACT ike V=root:0:v4-PSK-IKEv2:14: processing notify type 
FORTICLIENT_CONNECT ike V=root:0:v4-PSK-IKEv2:14: received FCT data len = 304, data = 'VER=1 FCTVER=7.2.4.0972 UID=E69F7AE0D84444F4A1AF8DF09BDE8593 IP=10.152.35.170 MAC=00-15-5d-23-a8-01; HOST=DESKTOP-UPINBRJ USER=E69F7AE0D84444F4A1AF8DF09BDE8593 OSVER=Microsoft Windows 10 Enterprise Edition, 64-bit (build 19045) REG_STATUS=0 EMSSN=FCTEMS1043575532 EMSID=00000000000000000000000000000000 ' ike V=root:0:v4-PSK-IKEv2:14: received FCT-UID : E69F7AE0D84444F4A1AF8DF09BDE8593 ike V=root:0:v4-PSK-IKEv2:14: peer identifier IPV4_ADDR 10.152.35.170 ike V=root:0:v4-PSK-IKEv2:14: re-validate gw ID ike V=root:0:v4-PSK-IKEv2:14: gw validation OK ike V=root:0:v4-PSK-IKEv2:14: responder preparing EAP identity request ike 0:v4-PSK-IKEv2:14: enc 2700000C010000000A9823A13000001C0200000066323F7A3C4C726A3D4D29D163A1D2EE26A29F1600000009018C0005010E0D0C0B0A0908070605040302010E ike 0:v4-PSK-IKEv2:14: out 91D7E3BFD6EB8287032B6561653DE2672E202320000000010000007C2400006019975696D3E610D0A55FCE2141CE07B6CADD98E08E17E48B28D411CC7807751490126226 6AC460CEB8EF355E8DF5E1990674923144292715C8A7FFBE5186369083671645EB6300E98FAEE17C0613A79BBE3934314FCE2BABD0835112 ike V=root:0:v4-PSK-IKEv2:14: sent IKE msg (AUTH_RESPONSE): 10.152.35.161:500->10.152.35.170:500, len=124, vrf=0, id=91d7e3bfd6eb8287/032b6561653de267:00000001, oi f=3 ike V=root:0: comes 10.152.35.170:500->10.152.35.161:500,ifindex=3,vrf=0,len=108.... 
ike V=root:0: IKEv2 exchange=AUTH id=91d7e3bfd6eb8287/032b6561653de267:00000002 len=108 ike 0: in 91D7E3BFD6EB8287032B6561653DE2672E202308000000020000006C30000050D355C65E627AB11AA4880DB9B65E4660D5CE9F3414AD9C4ED0F64CCF1A4A250265D56EE573F5AF208A1E4EA6F BC2CEED73E7EE8AB356C80FEC7B02D78C7CC1E7328CEF9F039CA8F6D3D9175B ike 0:v4-PSK-IKEv2:14: dec 91D7E3BFD6EB8287032B6561653DE2672E20230800000002000000493000000400000029028C002501453639463741453044383434343446344131414638444630394244 4538353933 ike V=root:0:v4-PSK-IKEv2:14: responder received EAP msg ike V=root:0:v4-PSK-IKEv2:14: send EAP message to FNBAM ike V=root:0:v4-PSK-IKEv2:14: initiating EAP authentication ike V=root:0:v4-PSK-IKEv2: EAP user "E69F7AE0D84444F4A1AF8DF09BDE8593" ike V=root:0:v4-PSK-IKEv2: auth candidate group 'ipsec-saml-group' 6 ike V=root:0:v4-PSK-IKEv2: EAP 300162803 pending ike V=root:0:v4-PSK-IKEv2:14 EAP 300162803 result FNBAM_CHALLENGED ike V=root:0:v4-PSK-IKEv2: EAP challenged for user "E69F7AE0D84444F4A1AF8DF09BDE8593" ike V=root:0:v4-PSK-IKEv2:14: responder preparing EAP pass through message ike 0:v4-PSK-IKEv2:14: enc 00000025018D00211A018D001C10127D990A0E60029A5973F7E9DB3C302D686F73746170640A0908070605040302010A ike 0:v4-PSK-IKEv2:14: out 91D7E3BFD6EB8287032B6561653DE2672E202320000000020000006C3000005023BDD3F892B81FF71C36F5A1F8818AAC1B5E266CA932E002099308830C1AD89103AE2A6C BF22418D54EF94C27A081D1BDF9AFC403110DF51F2ACDC00FDCF48A3CB4FAC40AAEC2DA278FD1019 ike V=root:0:v4-PSK-IKEv2:14: sent IKE msg (AUTH_RESPONSE): 10.152.35.161:500->10.152.35.170:500, len=108, vrf=0, id=91d7e3bfd6eb8287/032b6561653de267:00000002, oi f=3 ike V=root:0: comes 10.152.35.170:500->10.152.35.161:500,ifindex=3,vrf=0,len=156.... 
ike V=root:0: IKEv2 exchange=AUTH id=91d7e3bfd6eb8287/032b6561653de267:00000003 len=156 ike 0: in 91D7E3BFD6EB8287032B6561653DE2672E202308000000030000009C30000080C3287818C3211DB53758AFFEA523DCFCA3299F4AFBEBBBE50EC3DB44EA5D914B612529B169CD10D41F0220488 8F1AEEB193BA3640B87DA27AF7772921FC74494B837E26EEA63393ABF21AC2CD3532B128AF2BFBE362DE8A10A4DD97775353B65175262B421E4483DBA79842E0CA09D2C3F52DD7149658445582DC8C1 ike 0:v4-PSK-IKEv2:14: dec 91D7E3BFD6EB8287032B6561653DE2672E202308000000030000007F300000040000005F028D005B1A028D005631C828BD1F5DC09E2EAE44A295D803BD5E000000000000 00000D807F3A068A31FDCDBEA9D6273968C91D3F1F5EB1CFFB7E004536394637414530443834343434463441314146384446303942444538353933 ike V=root:0:v4-PSK-IKEv2:14: responder received EAP msg ike V=root:0:v4-PSK-IKEv2:14: send EAP message to FNBAM ike V=root:0:v4-PSK-IKEv2: EAP 300162803 pending ike V=root:0:v4-PSK-IKEv2:14 EAP 300162803 result FNBAM_CHALLENGED ike V=root:0:v4-PSK-IKEv2: EAP challenged for user "E69F7AE0D84444F4A1AF8DF09BDE8593" ike V=root:0:v4-PSK-IKEv2:14: responder preparing EAP pass through message ike 0:v4-PSK-IKEv2:14: enc 0000003C018E00381A038D0033533D43303737373636354142344433373642363239393634363642454438353036354246413742433338204D3D4F4B03020103 ike 0:v4-PSK-IKEv2:14: out 91D7E3BFD6EB8287032B6561653DE2672E202320000000030000007C3000006062B69000FB6AEE38971A70EACE9897104893B4B65D8E8CB390C129332713613C9F1EE27F B09FDDBCA849ACA0E9852F3BA62AF9472271F3A29BFF603E74E5BF2B45A818A679B93D29F4C24B1A33761B950B654B4EF14D417BF1E40510 ike V=root:0:v4-PSK-IKEv2:14: sent IKE msg (AUTH_RESPONSE): 10.152.35.161:500->10.152.35.170:500, len=124, vrf=0, id=91d7e3bfd6eb8287/032b6561653de267:00000003, oi f=3 ike V=root:0: comes 10.152.35.170:500->10.152.35.161:500,ifindex=3,vrf=0,len=76.... 
ike V=root:0: IKEv2 exchange=AUTH id=91d7e3bfd6eb8287/032b6561653de267:00000004 len=76 ike 0: in 91D7E3BFD6EB8287032B6561653DE2672E202308000000040000004C30000030BC217F9ADF27626EC3E13C22D86598BEC75E9887C9407B868045ED29084660F870974CD011CFAFDEF02D58C5 ike 0:v4-PSK-IKEv2:14: dec 91D7E3BFD6EB8287032B6561653DE2672E202308000000040000002A300000040000000A028E00061A03 ike V=root:0:v4-PSK-IKEv2:14: responder received EAP msg ike V=root:0:v4-PSK-IKEv2:14: send EAP message to FNBAM ike V=root:0:v4-PSK-IKEv2: EAP 300162803 pending ike V=root:0:v4-PSK-IKEv2:14 EAP 300162803 result FNBAM_SUCCESS ike V=root:0:v4-PSK-IKEv2: user 'user@example.onmicrosoft.com' authenticated group 'ipsec-saml-group' 6 ike V=root:0:v4-PSK-IKEv2:14: responder preparing EAP pass through message ike 0:v4-PSK-IKEv2:14: enc 00000008038E00040706050403020107 ike 0:v4-PSK-IKEv2:14: out 91D7E3BFD6EB8287032B6561653DE2672E202320000000040000004C300000309A60CF863B708309D8C1418333CF21EC2A32E00615FDDF53EF5072DE9422A4D280605F88 257E11FED22FF0D5 ike V=root:0:v4-PSK-IKEv2:14: sent IKE msg (AUTH_RESPONSE): 10.152.35.161:500->10.152.35.170:500, len=76, vrf=0, id=91d7e3bfd6eb8287/032b6561653de267:00000004, oif =3 ike V=root:0: comes 10.152.35.170:500->10.152.35.161:500,ifindex=3,vrf=0,len=92.... 
ike V=root:0: IKEv2 exchange=AUTH id=91d7e3bfd6eb8287/032b6561653de267:00000005 len=92 ike 0: in 91D7E3BFD6EB8287032B6561653DE2672E202308000000050000005C270000409F291281AD48EC4CD1DFEF5961D33BE185A04F1810661E66FBC1F5846796CD0A535C063D19A0E930A51130F3D 9413512EF92EC71E582D10991B7FE42 ike 0:v4-PSK-IKEv2:14: dec 91D7E3BFD6EB8287032B6561653DE2672E202308000000050000003C270000040000001C0200000063A2A164BD0FE9F4D29DDA752517ACD373B1567E ike V=root:0:v4-PSK-IKEv2:14: responder received AUTH msg ike V=root:0:v4-PSK-IKEv2:14: auth verify done ike V=root:0:v4-PSK-IKEv2:14: responder AUTH continuation ike V=root:0:v4-PSK-IKEv2:14: authentication succeeded ike V=root:0:v4-PSK-IKEv2:14: responder creating new child ike V=root:0:v4-PSK-IKEv2:14: mode-cfg type 7 request 16:'46435438303031343438313130343930' ike V=root:0:v4-PSK-IKEv2:14: mode-cfg received APPLICATION_VERSION 'FCT8001448110490' ike V=root:0:v4-PSK-IKEv2:14: mode-cfg type 1 request 0:'' ike V=root:0:v4-PSK-IKEv2: mode-cfg allocate 192.168.1.100/0.0.0.0 ike V=root:0:v4-PSK-IKEv2:14: mode-cfg using allocated IPv4 192.168.1.100 ike V=root:0:v4-PSK-IKEv2:14: mode-cfg type 2 request 0:'' ike V=root:0:v4-PSK-IKEv2:14: mode-cfg type 3 request 0:'' ike V=root:0:v4-PSK-IKEv2:14: mode-cfg type 4 request 0:'' ike V=root:0:v4-PSK-IKEv2:14: mode-cfg WINS ignored, no WINS servers configured ike V=root:0:v4-PSK-IKEv2:14: mode-cfg type 13 request 0:'' ike V=root:0:v4-PSK-IKEv2:14: mode-cfg type 25 request 0:'' ike V=root:0:v4-PSK-IKEv2:14: mode-cfg type 8 request 0:'' ike V=root:0:v4-PSK-IKEv2: IPv6 pool is not configured ike V=root:0:v4-PSK-IKEv2:14: mode-cfg could not allocate IPv6 address ike V=root:0:v4-PSK-IKEv2:14: mode-cfg type 15 request 0:'' ike V=root:0:v4-PSK-IKEv2:14: mode-cfg type 10 request 0:'' ike V=root:0:v4-PSK-IKEv2:14: mode-cfg type 11 request 0:'' ike V=root:0:v4-PSK-IKEv2:14: mode-cfg type 11 not supported, ignoring ike V=root:0:v4-PSK-IKEv2:14: mode-cfg type 28673 request 0:'' ike V=root:0:v4-PSK-IKEv2:14: 
mode-cfg UNITY type 28673 requested ike V=root:0:v4-PSK-IKEv2:14: mode-cfg type 21514 request 0:'' ike V=root:0:v4-PSK-IKEv2:14: mode-cfg type 21514 requested ike V=root:0:v4-PSK-IKEv2:14: mode-cfg type 21515 request 0:'' ike V=root:0:v4-PSK-IKEv2:14: mode-cfg type 21515 requested ike V=root:0:v4-PSK-IKEv2:14: mode-cfg type 28672 request 0:'' ike V=root:0:v4-PSK-IKEv2:14: mode-cfg UNITY type 28672 requested ike V=root:0:v4-PSK-IKEv2:14: mode-cfg no banner configured, ignoring ike V=root:0:v4-PSK-IKEv2:14:10: peer proposal: ike V=root:0:v4-PSK-IKEv2:14:10: TSi_0 0:0.0.0.0-255.255.255.255:0 ike V=root:0:v4-PSK-IKEv2:14:10: TSr_0 0:0.0.0.0-255.255.255.255:0 ike V=root:0:v4-PSK-IKEv2:14:v4-PSK-IKEv2:10: comparing selectors ike V=root:0:v4-PSK-IKEv2:14:v4-PSK-IKEv2:10: matched by rfc-rule-2 ike V=root:0:v4-PSK-IKEv2:14:v4-PSK-IKEv2:10: phase2 matched by subset ike V=root:0:v4-PSK-IKEv2:14:v4-PSK-IKEv2:10: using mode-cfg override 0:192.168.1.100-192.168.1.100:0 ike V=root:0:v4-PSK-IKEv2:14:v4-PSK-IKEv2:10: accepted proposal: ike V=root:0:v4-PSK-IKEv2:14:v4-PSK-IKEv2:10: TSi_0 0:192.168.1.100-192.168.1.100:0 ike V=root:0:v4-PSK-IKEv2:14:v4-PSK-IKEv2:10: TSr_0 0:0.0.0.0-255.255.255.255:0 ike V=root:0:v4-PSK-IKEv2:14:v4-PSK-IKEv2:10: dialup ike V=root:0:v4-PSK-IKEv2:14:v4-PSK-IKEv2:10: incoming child SA proposal: ike V=root:0:v4-PSK-IKEv2:14:v4-PSK-IKEv2:10: proposal id = 1: ike V=root:0:v4-PSK-IKEv2:14:v4-PSK-IKEv2:10: protocol = ESP: ike V=root:0:v4-PSK-IKEv2:14:v4-PSK-IKEv2:10: encapsulation = TUNNEL ike V=root:0:v4-PSK-IKEv2:14:v4-PSK-IKEv2:10: type=ENCR, val=AES_CBC (key_len = 128) ike V=root:0:v4-PSK-IKEv2:14:v4-PSK-IKEv2:10: type=INTEGR, val=SHA ike V=root:0:v4-PSK-IKEv2:14:v4-PSK-IKEv2:10: type=ESN, val=NO ike V=root:0:v4-PSK-IKEv2:14:v4-PSK-IKEv2:10: PFS is disabled ike V=root:0:v4-PSK-IKEv2:14:v4-PSK-IKEv2:10: matched proposal id 1 ike V=root:0:v4-PSK-IKEv2:14:v4-PSK-IKEv2:10: proposal id = 1: ike V=root:0:v4-PSK-IKEv2:14:v4-PSK-IKEv2:10: protocol = ESP: ike 

IPsec VPN SAML-based authentication

FortiClient IPsec VPN IKEv2 supports SAML authentication with identity providers (IdPs) such as Microsoft Entra ID, Okta, and FortiAuthenticator. This configuration also supports pushing authentication tokens, which provides an experience similar to SAML-based authentication for SSL VPN.

The following instructions assume that you have already configured your Entra ID environment, that your FortiClient EMS and FortiGate are part of a Fortinet Security Fabric, and that the FortiGate has been configured in Azure as an enterprise application for SAML single sign on.

The following use cases provide configuration examples for Entra ID, Okta, and FortiAuthenticator.

The examples use the following product versions:

Product             Version
FortiClient         7.2.4
FortiClient EMS
FortiGate           7.4.3
FortiAuthenticator  6.5.3

Use case 1: SAML authentication with Entra ID as IdP

To configure SAML authentication with Entra ID as IdP:
  1. The following shows an example enterprise application for SAML single sign on in Azure. Key to this configuration is that the endpoint can resolve the FortiGate fully qualified domain name (FQDN) (in this example, it is remote...de01). Also note the port number, which in this example is 10428. Under SAML Certificates, beside Certificate (Base64), click Download.

  2. Configure FortiOS:
    1. Import the certificate that you downloaded from the Azure portal to FortiOS by going to System > Certificates > Create/Import > Remote Certificate and selecting the desired certificate.
    2. Define the IKE SAML authentication port. Use the port that you noted in the Azure enterprise application (10428 in this example):

      config system global
          set auth-ike-saml-port 10428
      end

    3. Configure SAML user settings. In this example, remote...de01 is the remote gateway. Port 10428 is the IKE SAML authentication port that you defined in step 2a:
      1. Configure a SAML user:

        config user saml
            edit "IPSec-SAML-FAC"
                set cert "Fortinet_Factory"
                set entity-id "https://remote...de01:10428/remote/saml/metadata"
                set single-sign-on-url "https://remote...de01:10428/remote/saml/login"
                set single-logout-url "https://remote...de01:10428/remote/saml/logout"
                set idp-entity-id "https://sts.windows.net/f1a72219-.../"
                set idp-single-sign-on-url "https://login.microsoftonline.com/f1a72219-.../saml2"
                set idp-single-logout-url "https://login.microsoftonline.com/f1a72219-.../saml2"
                set idp-cert "REMOTE_Cert_2"
                set user-name "username"
                set group-name "saml-group"
                set digest-method sha1
            next
        end

      2. Configure a user group. The example user group is ipsec-saml-group, which includes the SAML user that you configured. You will use this group in a FortiOS firewall policy to control access permission to protected resources:

        config user group
            edit "ipsec-saml-group"
                set member "IPSec-SAML-FAC"
            next
        end

    4. Configure the IKE SAML server on the FortiOS interface used for the VPN connection. This example uses port1 as the WAN interface that terminates the IPsec VPN IKEv2 connection:

      config system interface
          edit "port1"
              set ike-saml-server IPSec-SAML-FAC
          next
      end

    5. Configure the IPsec VPN IKEv2 tunnel:
      1. Configure an IP address range for the IPsec VPN tunnel to use. In this example, a file server with IP address 192.168.235.180 is on the FortiOS LAN network 192.168.235.0/24. Substitute your own values as needed.

        config firewall address
            edit "IPSec_Tunnel_Addr1"
                set type iprange
                set start-ip 192.168.1.100
                set end-ip 192.168.1.108
            next
        end

        config firewall address
            edit "LAN2-192.168.235.0"
                set subnet 192.168.235.0 255.255.255.0
            next
        end

      2. Create an IPsec VPN IKEv2 tunnel. This example uses a preshared key as the authentication method. Ensure that eap is enabled and that eap-identity is set to send-request:

        config vpn ipsec phase1-interface
            edit "v4-PSK-IKEv2"
                set type dynamic
                set interface "port1"
                set ike-version 2
                set peertype any
                set net-device disable
                set mode-cfg enable
                set ipv4-dns-server1 172.17.60.6
                set ipv4-dns-server2 8.8.8.8
                set proposal aes128-sha1 aes256-sha256
                set dpd on-idle
                set dhgrp 5
                set eap enable
                set eap-identity send-request
                set assign-ip-from name
                set ipv4-split-include "LAN2-192.168.235.0"
                set ipv4-name "IPSec_Tunnel_Addr1"
                set save-password enable
                set client-auto-negotiate enable
                set client-keep-alive enable
                set psksecret 11111111
                set dpd-retryinterval 60
            next
        end

        config vpn ipsec phase2-interface
            edit "v4-PSK-IKEv2"
                set phase1name "v4-PSK-IKEv2"
                set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256
                set dhgrp 5
            next
        end

      3. Add the SAML group to the firewall policy for the VPN tunnel. In this example, ipsec-saml-group is the SAML group name, and port3 is the FortiGate LAN interface. Modify the commands to fit your environment:

        config firewall address
            edit "LAN2_port3 address"
                set type interface-subnet
                set subnet 192.168.235.0 255.255.255.0
                set interface "port3"
            next
        end

        config firewall policy
            edit 117
                set name "v4-PSK-IKEv2 -> LAN"
                set srcintf "v4-PSK-IKEv2"
                set dstintf "port3"
                set action accept
                set srcaddr "IPSec_Tunnel_Addr1"
                set dstaddr "LAN2_port3 address"
                set schedule "always"
                set service "ALL"
                set nat enable
                set groups "ipsec-saml-group"
            next
        end

      4. (Optional) FortiClient validates the certificate configured in FortiOS. To prevent an invalid server certificate prompt, the certificate common name (CN) should match the VPN remote gateway FQDN (remote...de01 in this example), and the issuing certificate authority (CA) should be imported on the endpoint as a trusted root CA. FortiClient also verifies the certificates of IdPs such as FortiAuthenticator, Azure, and Okta.

        config user setting
            set auth-cert "remote...de01-oldca"
        end

  3. Configure a new IPsec VPN IKEv2 tunnel in EMS:
    1. In EMS, go to Endpoint Profiles > Remote Access.
    2. Create a new profile or edit an existing one.
    3. Under VPN Tunnels, click Add Tunnel.
    4. Select Manual.
    5. Configure Basic Settings:
      1. In the Name field, configure the desired tunnel name.
      2. For Type, select IPsec VPN.
      3. In the Remote Gateway field, enter the remote gateway. In this example it is remote...de01.
      4. From the Authentication Method dropdown list, select Pre Shared Key.
      5. In the Pre-Shared Key field, enter the same key that you configured in step 2.e.ii.

    6. Configure Advanced Settings:
      1. Disable Prompt for Certificate.
      2. Toggle on Enable SAML Login.
      3. In the SAML Port field, enter the port that you noted from the Azure portal. In this example, it is 10428.
      4. Enable Show "Remember Password" Option.
      5. Enable Show "Always Up" Option.
      6. Enable Show "Auto Connect" Option.
    7. Leave other fields at their default values, and save. For the XML configuration for the tunnel, see IPsec VPN tunnel XML configuration.
  4. After FortiClient receives the configuration changes from EMS, connect to the tunnel:
    1. In FortiClient, go to the Remote Access tab.
    2. From the VPN Name dropdown list, select the IPsec VPN tunnel.
    3. Click Connect.
    4. An authentication dialog appears. Enter the Entra ID credentials to establish the VPN connection.

  5. After the VPN tunnel is up, attempt to access a resource that a FortiOS firewall policy protects. The following shows diagnose firewall auth list output for such access:
    192.168.1.100, user@example.onmicrosoft.com
            type: fw, id: 0, duration: 74, idled: 74
            server: IPSec-SAML-FAC
            packets: in 0 out 0, bytes: in 0 out 0
            group_id: 6
            group_name: ipsec-saml-group
    
    ----- 1 listed, 0 filtered ------

    To view IKE debug log output for this access, see IKE debug log reference.

Use case 2: SAML authentication with Okta as IdP

Configuring IPsec VPN SAML authentication using Okta as the IdP is similar to Use case 1: SAML authentication with Entra ID as IdP. The following shows an example of configuring the SAML user for Okta (step 2.c.i):

config user saml
    edit "IPSec-SAML-FAC"
        set cert "Fortinet_Factory"
        set entity-id "https://remote...de01:10428/remote/saml/metadata/"
        set single-sign-on-url "https://remote...de01:10428/remote/saml/login/"
        set single-logout-url "https://remote...de01:10428/remote/saml/logout/"
        set idp-entity-id "http://www.okta.com/exk5v..."
        set idp-single-sign-on-url "https://dev-....okta.com/app/dev-..._samlloginfgt39_1/exk5v.../sso/saml"
        set idp-single-logout-url "https://dev-....okta.com/app/dev-..._samlloginfgt39_1/exk5v.../slo/saml"
        set idp-cert "REMOTE_Cert_4"
        set user-name "username"
        set group-name "saml-group"
        set digest-method sha1
    next
end

To verify the configuration:
  1. After the VPN tunnel is up, attempt to access a resource that a FortiOS firewall policy protects. Run get ipsec vpn tunnel details in the FortiOS CLI. Following is the expected output:

    gateway
      name: 'v4-PSK-IKEv2_0'
      local-gateway: 10.152.35.161:0 (static)
      remote-gateway: 10.152.35.170:0 (dynamic)
      dpd-link: on
      mode: ike-v2
      interface: 'port1' (3)
      vrf:0
      rx  packets: 18  bytes: 2259  errors: 13
      tx  packets: 0  bytes: 0  errors: 0
      dpd: on-idle/negotiated  idle: 60000ms  retry: 3  count: 0
      selectors
        name: 'v4-PSK-IKEv2'
        auto-negotiate: disable
        mode: tunnel
        src: 0:0.0.0.0-255.255.255.255:0
        dst: 0:192.168.1.100-192.168.1.100:0
        SA
          lifetime/rekey: 43200/43101
          mtu: 1438
          tx-esp-seq: 1
          replay: enabled
          qat: 0
          inbound
            spi: 758626b4
            enc: aes-cb 37491f896e23475bcbc98cb98fe6511c
            auth: sha1 01cfde3affa4edcca94626c9fcc474fe55113e36
          outbound
            spi: 80b1a046
            enc: aes-cb 88c755eec85f512ca31ce65b687932bb
            auth: sha1 d2953b6376c145b82e88a05983dfec180e33dbc4
          NPU acceleration: none

  2. Run diagnose sniffer packet <gateway name> to view the packet sniffer information. Following is the expected output:

    Using Original Sniffing Mode
    interfaces=[v4-PSK-IKEv2]
    filters=[none]
    pcap_lookupnet: v4-PSK-IKEv2: no IPv4 address assigned
    8.902304 192.168.1.100 -> 192.168.235.180: icmp: echo request
    8.902770 192.168.235.180 -> 192.168.1.100: icmp: echo reply
    9.910247 192.168.1.100 -> 192.168.235.180: icmp: echo request
    9.910518 192.168.235.180 -> 192.168.1.100: icmp: echo reply
    10.925738 192.168.1.100 -> 192.168.235.180: icmp: echo request
    10.926070 192.168.235.180 -> 192.168.1.100: icmp: echo reply
    11.941364 192.168.1.100 -> 192.168.235.180: icmp: echo request
    11.942012 192.168.235.180 -> 192.168.1.100: icmp: echo reply
    49.060511 192.168.1.100 -> 192.168.235.180: icmp: echo request
    49.061039 192.168.235.180 -> 192.168.1.100: icmp: echo reply
    50.066813 192.168.1.100 -> 192.168.235.180: icmp: echo request
    50.067084 192.168.235.180 -> 192.168.1.100: icmp: echo reply
    51.082305 192.168.1.100 -> 192.168.235.180: icmp: echo request
    51.082633 192.168.235.180 -> 192.168.1.100: icmp: echo reply
    52.097539 192.168.1.100 -> 192.168.235.180: icmp: echo request
    52.097898 192.168.235.180 -> 192.168.1.100: icmp: echo reply

  3. Run diagnose firewall auth list. Following is the expected output:

    192.168.1.100, example@fortinet.com
            type: fw, id: 0, duration: 664, idled: 458
            server: IPSec-SAML-FAC
            packets: in 8 out 8, bytes: in 480 out 480
            group_id: 6
            group_name: ipsec-saml-group

    ----- 1 listed, 0 filtered ------
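
As an added example (not part of this guide), the following Python parser reads diagnose firewall auth list output in the layout shown in use cases 1 and 2 and audits the sessions: every entry that the IKE SAML server (IPSec-SAML-FAC) authenticated must land in the group that the firewall policy expects (ipsec-saml-group). The sample output is constructed; the second record is invented to show a mismatch.

```python
import re

# Constructed sample in the layout of `diagnose firewall auth list` from the guide.
# The first record mirrors the guide's output; the second is invented to show a
# session that the SAML server authenticated but that landed in another group.
AUTH_LIST_OUTPUT = """\
192.168.1.100, user@example.onmicrosoft.com
        type: fw, id: 0, duration: 74, idled: 74
        server: IPSec-SAML-FAC
        packets: in 0 out 0, bytes: in 0 out 0
        group_id: 6
        group_name: ipsec-saml-group
192.168.1.101, contractor@example.onmicrosoft.com
        type: fw, id: 0, duration: 664, idled: 458
        server: IPSec-SAML-FAC
        packets: in 8 out 8, bytes: in 480 out 480
        group_id: 9
        group_name: guest-group

----- 2 listed, 0 filtered ------
"""

_HEADER = re.compile(r"^(\d+\.\d+\.\d+\.\d+), (\S+)$")   # "<assigned IP>, <user>"
_FIELD = re.compile(r"(\w+): ([^,]+)")                    # comma-separated "key: value" pairs


def parse_auth_list(text):
    """Return one dict per authenticated session found in the FortiOS output."""
    sessions, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _HEADER.match(line):
            cur = {"ip": m.group(1), "user": m.group(2)}
            sessions.append(cur)
        elif cur is None or not line or line.startswith("-----"):
            continue                       # blank line or the "N listed" trailer
        elif line.startswith("packets:"):
            # "packets: in A out B, bytes: in C out D" -> four counters
            counters = [int(n) for n in re.findall(r"\d+", line)]
            cur.update(zip(("pkts_in", "pkts_out", "bytes_in", "bytes_out"), counters))
        else:
            for key, val in _FIELD.findall(line):
                cur[key] = int(val) if val.isdigit() else val
    return sessions


def audit_saml_sessions(sessions, saml_server, allowed_groups, max_idle=None):
    """Flag sessions the IKE SAML server authenticated that are outside the expected
    firewall group, or that have been idle longer than max_idle seconds."""
    issues = []
    for s in sessions:
        if s.get("server") != saml_server:
            continue                       # logins via other servers are out of scope
        if s.get("group_name") not in allowed_groups:
            issues.append(f"{s['user']} ({s['ip']}) authenticated via {saml_server} "
                          f"but is in group {s.get('group_name')!r}")
        if max_idle is not None and s.get("idled", 0) > max_idle:
            issues.append(f"{s['user']} ({s['ip']}) idle for {s['idled']}s, exceeds {max_idle}s")
    return issues
```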

Use case 3: SAML authentication with FortiAuthenticator as IdP

Configuring IPsec VPN SAML authentication using FortiAuthenticator as the IdP is similar to Use case 1: SAML authentication with Entra ID as IdP. The following shows an example of configuring the SAML user for FortiAuthenticator (step 2.c.i). Ensure that the endpoint can resolve both the remote gateway FQDN (in this example remote...de01) and the FortiAuthenticator FQDN (in this example fac.example.fct.local):

config user saml
    edit "IPSec-SAML-FAC"
        set cert "Fortinet_Factory"
        set entity-id "https://remote...de01:10428/remote/saml/metadata/"
        set single-sign-on-url "https://remote...de01:10428/remote/saml/login/"
        set single-logout-url "https://remote...de01:10428/remote/saml/logout/"
        set idp-entity-id "http://fac.example.fct.local/saml-idp/lxat.../metadata/"
        set idp-single-sign-on-url "https://fac.example.fct.local/saml-idp/lxat.../login/"
        set idp-single-logout-url "https://fac.example.fct.local/saml-idp/lxat.../logout/"
        set idp-cert "REMOTE_Cert_3"
        set user-name "username"
        set group-name "saml-group"
        set digest-method sha1
    next
end

IPsec VPN tunnel XML configuration

The following shows the XML configuration for the IPsec VPN tunnel configured in step 3 of Use case 1: SAML authentication with Entra ID as IdP. Note the <sso_enabled> and <ike_saml_port> elements:

<?xml version="1.0" ?>
<forticlient_configuration>
    <vpn>
        <enabled>1</enabled>
        <sslvpn>
            <options>
                <negative_split_tunnel_metric/>
                <dnscache_service_control>0</dnscache_service_control>
                <warn_invalid_server_certificate>1</warn_invalid_server_certificate>
                <no_dns_registration>0</no_dns_registration>
                <use_gui_saml_auth>0</use_gui_saml_auth>
                <preferred_dtls_tunnel>0</preferred_dtls_tunnel>
                <prefer_sslvpn_dns>1</prefer_sslvpn_dns>
                <disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
                <enabled>1</enabled>
            </options>
            <connections/>
        </sslvpn>
        <ipsecvpn>
            <options>
                <use_win_local_computer_cert>1</use_win_local_computer_cert>
                <disallow_invalid_server_certificate>1</disallow_invalid_server_certificate>
                <usesmcardcert>1</usesmcardcert>
                <show_auth_cert_only>0</show_auth_cert_only>
                <no_dns_registration>0</no_dns_registration>
                <enable_udp_checksum>0</enable_udp_checksum>
                <beep_if_error>0</beep_if_error>
                <disable_default_route>0</disable_default_route>
                <block_ipv6>1</block_ipv6>
                <check_for_cert_private_key>0</check_for_cert_private_key>
                <enhanced_key_usage_mandatory>0</enhanced_key_usage_mandatory>
                <usewincert>1</usewincert>
                <uselocalcert>0</uselocalcert>
                <use_win_current_user_cert>1</use_win_current_user_cert>
                <enabled>1</enabled>
            </options>
            <connections>
                <connection>
                    <name>IPSec-V2-EAP-SAML</name>
                    <uid>BA387F1D-E421-4753-AAA4-657C4C8202AF</uid>
                    <machine>0</machine>
                    <keep_running>0</keep_running>
                    <disclaimer_msg/>
                    <sso_enabled>1</sso_enabled>
                    <single_user_mode>0</single_user_mode>
                    <type>manual</type>
                    <ui>
                        <show_remember_password>1</show_remember_password>
                        <show_alwaysup>1</show_alwaysup>
                        <show_autoconnect>1</show_autoconnect>
                        <show_passcode>0</show_passcode>
                        <save_username>0</save_username>
                    </ui>
                    <redundant_sort_method>0</redundant_sort_method>
                    <tags>
                        <allowed/>
                        <prohibited/>
                    </tags>
                    <host_check_fail_warning/>
                    <ike_settings>
                        <server>remote...de01</server>
                        <authentication_method>Preshared Key</authentication_method>
                        <fgt>1</fgt>
                        <prompt_certificate>0</prompt_certificate>
                        <xauth>
                            <use_otp>0</use_otp>
                            <enabled>1</enabled>
                            <prompt_username>1</prompt_username>
                        </xauth>
                        <version>2</version>
                        <mode>aggressive</mode>
                        <key_life>86400</key_life>
                        <localid/>
                        <implied_SPDO>0</implied_SPDO>
                        <implied_SPDO_timeout>0</implied_SPDO_timeout>
                        <nat_traversal>1</nat_traversal>
                        <nat_alive_freq>5</nat_alive_freq>
                        <enable_local_lan>0</enable_local_lan>
                        <enable_ike_fragmentation>0</enable_ike_fragmentation>
                        <mode_config>1</mode_config>
                        <dpd>1</dpd>
                        <run_fcauth_system>0</run_fcauth_system>
                        <sso_enabled>1</sso_enabled>
                        <ike_saml_port>10428</ike_saml_port>
                        <dpd_retry_count>3</dpd_retry_count>
                        <dpd_retry_interval>5</dpd_retry_interval>
                        <auth_data>
                            <preshared_key>Enc 380ffd71e1570436106bf459ff8fc41e43a7279260bec9b01e7dd3bfc3c8dfc0</preshared_key>
                        </auth_data>
                        <xauth_timeout>120</xauth_timeout>
                        <dhgroup>5</dhgroup>
                        <proposals>
                            <proposal>AES128|SHA1</proposal>
                            <proposal>AES256|SHA256</proposal>
                        </proposals>
                    </ike_settings>
                    <ipsec_settings>
                        <remote_networks>
                            <network>
                                <addr>0.0.0.0</addr>
                                <mask>0.0.0.0</mask>
                            </network>
                            <network>
                                <addr>::/0</addr>
                                <mask>::/0</mask>
                            </network>
                        </remote_networks>
                        <dhgroup>5</dhgroup>
                        <key_life_type>seconds</key_life_type>
                        <key_life_seconds>43200</key_life_seconds>
                        <key_life_Kbytes>5200</key_life_Kbytes>
                        <replay_detection>1</replay_detection>
                        <pfs>1</pfs>
                        <use_vip>1</use_vip>
                        <virtualip>
                            <type>modeconfig</type>
                            <ip>0.0.0.0</ip>
                            <mask>0.0.0.0</mask>
                            <dnsserver>0.0.0.0</dnsserver>
                            <winserver>0.0.0.0</winserver>
                        </virtualip>
                        <proposals>
                            <proposal>AES128|SHA1</proposal>
                            <proposal>AES256|SHA256</proposal>
                        </proposals>
                    </ipsec_settings>
                    <android_cert_path/>
                    <warn_invalid_server_certificate>1</warn_invalid_server_certificate>
                    <on_connect>
                        <script>
                            <os>windows</os>
                            <script/>
                        </script>
                        <script>
                            <os>MacOSX</os>
                            <script/>
                        </script>
                        <script>
                            <os>linux</os>
                            <script/>
                        </script>
                    </on_connect>
                    <on_disconnect>
                        <script>
                            <os>windows</os>
                            <script/>
                        </script>
                        <script>
                            <os>MacOSX</os>
                            <script/>
                        </script>
                        <script>
                            <os>linux</os>
                            <script/>
                        </script>
                    </on_disconnect>
                    <traffic_control>
                        <enabled>0</enabled>
                        <mode>1</mode>
                    </traffic_control>
                </connection>
                <connection>
                    <name>IPSec-V2-SAML-LM0</name>
                    <uid>186A1714-E2EA-44D1-AC8D-60B21922C48A</uid>
                    <machine>0</machine>
                    <keep_running>0</keep_running>
                    <disclaimer_msg/>
                    <sso_enabled>1</sso_enabled>
                    <single_user_mode>0</single_user_mode>
                    <type>manual</type>
                    <ui>
                        <show_remember_password>1</show_remember_password>
                        <show_alwaysup>1</show_alwaysup>
                        <show_autoconnect>1</show_autoconnect>
                        <show_passcode>0</show_passcode>
                        <save_username>0</save_username>
                    </ui>
                    <redundant_sort_method>0</redundant_sort_method>
                    <tags>
                        <allowed/>
                        <prohibited/>
                    </tags>
                    <host_check_fail_warning/>
                    <ike_settings>
                        <server>remote...de01</server>
                        <authentication_method>System Store X509 Certificate</authentication_method>
                        <fgt>1</fgt>
                        <prompt_certificate>1</prompt_certificate>
                        <xauth>
                            <use_otp>0</use_otp>
                            <enabled>1</enabled>
                            <prompt_username>1</prompt_username>
                        </xauth>
                        <version>2</version>
                        <mode>aggressive</mode>
                        <key_life>86400</key_life>
                        <localid/>
                        <implied_SPDO>0</implied_SPDO>
                        <implied_SPDO_timeout>0</implied_SPDO_timeout>
                        <nat_traversal>1</nat_traversal>
                        <nat_alive_freq>5</nat_alive_freq>
                        <enable_local_lan>0</enable_local_lan>
                        <enable_ike_fragmentation>0</enable_ike_fragmentation>
                        <mode_config>1</mode_config>
                        <dpd>1</dpd>
                        <run_fcauth_system>0</run_fcauth_system>
                        <sso_enabled>1</sso_enabled>
                        <ike_saml_port>10428</ike_saml_port>
                        <dpd_retry_count>3</dpd_retry_count>
                        <dpd_retry_interval>5</dpd_retry_interval>
                        <xauth_timeout>120</xauth_timeout>
                        <dhgroup>5</dhgroup>
                        <proposals>
                            <proposal>AES128|SHA1</proposal>
                            <proposal>AES256|SHA256</proposal>
                        </proposals>
                        <auth_data/>
                    </ike_settings>
                    <ipsec_settings>
                        <remote_networks>
                            <network>
                                <addr>0.0.0.0</addr>
                                <mask>0.0.0.0</mask>
                            </network>
                            <network>
                                <addr>::/0</addr>
                                <mask>::/0</mask>
                            </network>
                        </remote_networks>
                        <dhgroup>5</dhgroup>
                        <key_life_type>seconds</key_life_type>
                        <key_life_seconds>43200</key_life_seconds>
                        <key_life_Kbytes>5200</key_life_Kbytes>
                        <replay_detection>1</replay_detection>
                        <pfs>1</pfs>
                        <use_vip>1</use_vip>
                        <virtualip>
                            <type>modeconfig</type>
                            <ip>0.0.0.0</ip>
                            <mask>0.0.0.0</mask>
                            <dnsserver>0.0.0.0</dnsserver>
                            <winserver>0.0.0.0</winserver>
                        </virtualip>
                        <proposals>
                            <proposal>AES128|SHA1</proposal>
                            <proposal>AES256|SHA256</proposal>
                        </proposals>
                    </ipsec_settings>
                    <android_cert_path/>
                    <warn_invalid_server_certificate>1</warn_invalid_server_certificate>
                    <on_connect>
                        <script>
                            <os>windows</os>
                            <script/>
                        </script>
                        <script>
                            <os>MacOSX</os>
                            <script/>
                        </script>
                        <script>
                            <os>linux</os>
                            <script/>
                        </script>
                    </on_connect>
                    <on_disconnect>
                        <script>
                            <os>windows</os>
                            <script/>
                        </script>
                        <script>
                            <os>MacOSX</os>
                            <script/>
                        </script>
                        <script>
                            <os>linux</os>
                            <script/>
                        </script>
                    </on_disconnect>
                    <traffic_control>
                        <enabled>0</enabled>
                        <mode>1</mode>
                    </traffic_control>
                </connection>
            </connections>
        </ipsecvpn>
        <lockdown>
            <exceptions>
                <ips/>
                <apps/>
            </exceptions>
            <max_attempts>3</max_attempts>
            <grace_period>120</grace_period>
            <enabled>0</enabled>
        </lockdown>
        <options>
            <show_vpn_before_logon>1</show_vpn_before_logon>
            <keep_running_max_tries>0</keep_running_max_tries>
            <on_os_start_connect_has_priority>0</on_os_start_connect_has_priority>
            <autoconnect_only_when_offnet>0</autoconnect_only_when_offnet>
            <secure_remote_access>1</secure_remote_access>
            <minimize_window_on_connect>1</minimize_window_on_connect>
            <show_negotiation_wnd>0</show_negotiation_wnd>
            <allow_personal_vpns>1</allow_personal_vpns>
            <on_os_start_connect/>
            <autoconnect_on_install>0</autoconnect_on_install>
            <suppress_vpn_notification>1</suppress_vpn_notification>
            <disable_connect_disconnect>0</disable_connect_disconnect>
            <use_windows_credentials>0</use_windows_credentials>
            <use_legacy_vpn_before_logon>0</use_legacy_vpn_before_logon>
        </options>
    </vpn>
    <endpoint_control>
        <ui>
            <display_vpn>1</display_vpn>
        </ui>
    </endpoint_control>
</forticlient_configuration>
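
As an added example (not code from this guide or from Fortinet), the following Python script cross-checks the settings that must agree between the FortiOS side of use case 1 and the EMS-pushed tunnel XML above: auth-ike-saml-port, the host and port in the SAML user's SP URLs, the ike-saml-server binding on the WAN interface, the IKEv2/EAP settings of the phase1, and the <server>, <version>, <sso_enabled>, <ike_saml_port> and <disallow_invalid_server_certificate> elements in the XML. The CLI and XML fragments are constructed, and vpn.example.com is a placeholder for the guide's elided gateway FQDN.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed FortiOS fragments mirroring use case 1. vpn.example.com is a
# placeholder for the guide's elided remote gateway FQDN.
FORTIOS_CLI = """
config system global
    set auth-ike-saml-port 10428
end
config user saml
    edit "IPSec-SAML-FAC"
        set entity-id "https://vpn.example.com:10428/remote/saml/metadata"
        set single-sign-on-url "https://vpn.example.com:10428/remote/saml/login"
        set single-logout-url "https://vpn.example.com:10428/remote/saml/logout"
    next
end
config system interface
    edit "port1"
        set ike-saml-server IPSec-SAML-FAC
    next
end
config vpn ipsec phase1-interface
    edit "v4-PSK-IKEv2"
        set interface "port1"
        set ike-version 2
        set eap enable
        set eap-identity send-request
    next
end
"""
# Constructed, trimmed FortiClient tunnel XML holding only the elements checked here.
FORTICLIENT_XML = """<?xml version="1.0" ?>
<forticlient_configuration><vpn><ipsecvpn>
  <options><disallow_invalid_server_certificate>1</disallow_invalid_server_certificate></options>
  <connections><connection>
    <name>IPSec-V2-EAP-SAML</name>
    <ike_settings>
      <server>vpn.example.com</server><version>2</version>
      <sso_enabled>1</sso_enabled><ike_saml_port>10428</ike_saml_port>
    </ike_settings>
  </connection></connections>
</ipsecvpn></vpn></forticlient_configuration>
"""
_CONFIG = re.compile(r"^\s*config\s+(.+?)\s*$")
_EDIT = re.compile(r'^\s*edit\s+"?([^"]*?)"?\s*$')
_SET = re.compile(r"^\s*set\s+(\S+)\s+(.*?)\s*$")


def parse_fortios_cli(text):
    """Parse FortiOS CLI into {table: {entry: {key: value}}}; table-level settings use entry ''."""
    tables, stack, table, entry = {}, [], None, ""
    for line in text.splitlines():
        if m := _CONFIG.match(line):
            stack.append((table, entry))          # remember the enclosing table
            table, entry = m.group(1), ""
            tables.setdefault(table, {}).setdefault("", {})
        elif m := _EDIT.match(line):
            entry = m.group(1)
            tables[table].setdefault(entry, {})
        elif m := _SET.match(line):
            tables[table][entry][m.group(1)] = m.group(2).strip('"')
        elif line.strip() == "next":
            entry = ""
        elif line.strip() == "end":
            table, entry = stack.pop()
    return tables


def check_saml_consistency(cli_text, xml_text, tunnel_name, phase1_name):
    """Cross-check FortiOS and FortiClient settings; return a list of findings (empty = consistent)."""
    cfg, findings = parse_fortios_cli(cli_text), []
    saml_port = cfg.get("system global", {}).get("", {}).get("auth-ike-saml-port")
    p1 = cfg.get("vpn ipsec phase1-interface", {}).get(phase1_name, {})
    wan = cfg.get("system interface", {}).get(p1.get("interface", ""), {})
    saml_user = cfg.get("user saml", {}).get(wan.get("ike-saml-server", ""), {})
    if not saml_user:
        findings.append(f"interface {p1.get('interface')!r} has no ike-saml-server naming a SAML user")
    # Every SP URL must be https on the FortiGate FQDN and carry the IKE SAML port.
    sp_host = None
    for key in ("entity-id", "single-sign-on-url", "single-logout-url"):
        url = urlparse(saml_user.get(key, ""))
        if url.scheme != "https" or str(url.port) != saml_port:
            findings.append(f"{key} must be https on port {saml_port}, got {url.geturl()!r}")
        sp_host = sp_host or url.hostname
    if (p1.get("ike-version"), p1.get("eap"), p1.get("eap-identity")) != ("2", "enable", "send-request"):
        findings.append("phase1 must use ike-version 2 with eap enable and eap-identity send-request")
    # The EMS-pushed tunnel must target the same host and SAML port with SSO on.
    root = ET.fromstring(xml_text)
    conn = next((c for c in root.iter("connection") if c.findtext("name") == tunnel_name), None)
    if conn is None:
        return findings + [f"tunnel {tunnel_name!r} not found in FortiClient XML"]
    ike = conn.find("ike_settings")
    expected = {"sso_enabled": "1", "ike_saml_port": saml_port, "server": sp_host, "version": "2"}
    for tag, want in expected.items():
        if ike.findtext(tag) != want:
            findings.append(f"XML <{tag}> is {ike.findtext(tag)!r}, expected {want!r}")
    if root.findtext("vpn/ipsecvpn/options/disallow_invalid_server_certificate") != "1":
        findings.append("XML disallow_invalid_server_certificate is not 1; a wrong gateway certificate would be tolerated")
    return findings
```

Run it against the real FortiOS configuration (show full-configuration) and the XML exported from EMS to catch a port or FQDN changed on one side only.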

IKE debug log reference

Following is a FortiOS IKE and samld debug log for reference:

VPN-ZTNA-FGT1 # diagnose debug reset
VPN-ZTNA-FGT1 # diagnose debug application ike -1
Debug messages will be on for 30 minutes.
VPN-ZTNA-FGT1 # diagnose debug application samld -1
VPN-ZTNA-FGT1 # diagnose debug enable
VPN-ZTNA-FGT1 # ike :config update start
ike :ike_embryonic_conn_limit = 10000
ike :ikecrypt DH multi-process enabled
ike V=root:0: sync=no FGCP:disabled role:master, FGSP:disabled id:0 slave-add-routes:disabled
ike V=root:0:V4-PSK: local-addr 10.152.35.161
ike V=root:0:V4-PSK: oif 3, vrf 0
ike V=root:0:v4-Cert: local-addr 10.152.35.161
ike V=root:0:v4-Cert: oif 3, vrf 0
ike V=root:0:v4-PSK-IKEv2: local-addr 10.152.35.161
ike V=root:0:v4-PSK-IKEv2: oif 3, vrf 0
ike V=root:0:port3: add addr 192.168.235.0-192.168.235.255
ike V=root:0:ipsec-saml-group:6: update auth group
ike config clean start 10
ike config clean done 10
ike :config update done
samld_process_request [145]: len=453, cmd=0, pid=2293, job_id=563454
samld_process_request [162]: Received 453, 0x1272e30
__samld_sp_create_auth_req [433]: SAML SP algo: 0 -> lasso=1.
Binding Method: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
__samld_sp_create_auth_req [453]: **** AuthnRequest URL ****
https://login.microsoftonline.com/f1a72219-.../saml2?SAMLRequest=lZJBb9swDIX%2FiqG7bcl2EkdIAtjxigXoNqNJd9hlkGW6FSBLmSh327%2Bf4nRrd1iBHUW%2BR%2FF74AbFqM%2B8mvyjuYNvE6CPfozaIJ8bWzI5w61AhdyIEZB7yY%2FVh1ueJZSfnfVWWk1eWd52CERwXllDokOzJV9ZUZdlnjf7Zbmu6HpRsTqvbqqGvqsXjNYFiT6Dw6DfkmAPJsQJDga9MD6UaFbENI%2Fp8kRzvljxrPxCoiYwKCP87Hr0%2Fow8TbV9UCYZlXQW7eCt0cpAIu2YDkyssoyt464TeVwMS4jXeVfGEvIuL1i3kkORXsgyEt1YJ2HOaksGoREuG7UBSj3Bn0r7nEqtTK%2FMw9uBdFcR8venUxu3n44nElW%2FQ9pbg9MI7gjuSUm4v7t9AXIwWh8IlHfKoNXCJT1QxhktsvK5O699RSe7zeXB5wDd7v%2BnjOBFL7zYpK%2FnbK7n8zFwHZrWaiV%2FXkIahf83NkvYXFF9PMxSPhk8g1SDgj7Qa22%2F7x0IHyL1bgKS7q6f%2Fn2mu18%3D&RelayState=magic%3D060806859681f2ed&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=RkHlyfm3PThl8ei43dJ%2BERS%2B42ngKeo%2FQGxdcbl7pfcuipF%2B0tt%2FctYzOQYMXmai3zBrmOWL%2FT6UHdySEPB3xy1puf%2BxwPfBYh%2BWnR6S6OQKwkYpsBwUsXWbgrENrQxRFv1RRxm9TFiORyyWJCSCf94THDC0Uu%2BNmG2lyfoDXnmWUfy3hpBdMAKAQL3DJs2l2cKotLmSpPRvK9%2BG%2BYxDcUwDDXyfTzIW7pvo57qmO3L9DRDF1woftJ4Psn4p44LTxvV7bcW4WdhSfji7Z%2F%2FyXzcg7TGnFC1pAw%2FsSXfzp%2FdHSym3TT%2FMIWtpa8JuKrmRWhBMzCP5IIUVxNQr5WiaIA%3D%3D
***********************
__samld_sp_create_auth_req [467]: **** AuthnRequest ****
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_14B8833DC689A095A1B3AFAD0EB510B4" Version="2.0" IssueInstant="2024-03-06T03:57:28Z" Destination="https://login.microsoftonline.com/f1a72219-.../saml2" SignType="0" SignMethod="0" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://remote...de01:10428/remote/saml/login"><saml:Issuer>https://remote...de01:10428/remote/saml/metadata</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/></samlp:AuthnRequest>
***********************
__samld_sp_create_auth_req [472]: **** SP Login Dump ****
<lasso:Login xmlns:lasso="http://www.entrouvert.org/namespaces/lasso/0.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" LoginDumpVersion="2"><lasso:Request><samlp:AuthnRequest ID="_14B8833DC689A095A1B3AFAD0EB510B4" Version="2.0" IssueInstant="2024-03-06T03:57:28Z" Destination="https://login.microsoftonline.com/f1a72219-.../saml2" SignType="0" SignMethod="0" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://remote...de01:10428/remote/saml/login"><saml:Issuer>https://remote...de01:10428/remote/saml/metadata</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/></samlp:AuthnRequest></lasso:Request><lasso:RemoteProviderID>https://sts.windows.net/f1a72219-.../</lasso:RemoteProviderID><lasso:MsgUrl>https://login.microsoftonline.com/f1a72219-.../saml2?SAMLRequest=lZJBb9swDIX%2FiqG7bcl2EkdIAtjxigXoNqNJd9hlkGW6FSBLmSh327%2Bf4nRrd1iBHUW%2BR%2FF74AbFqM%2B8mvyjuYNvE6CPfozaIJ8bWzI5w61AhdyIEZB7yY%2FVh1ueJZSfnfVWWk1eWd52CERwXllDokOzJV9ZUZdlnjf7Zbmu6HpRsTqvbqqGvqsXjNYFiT6Dw6DfkmAPJsQJDga9MD6UaFbENI%2Fp8kRzvljxrPxCoiYwKCP87Hr0%2Fow8TbV9UCYZlXQW7eCt0cpAIu2YDkyssoyt464TeVwMS4jXeVfGEvIuL1i3kkORXsgyEt1YJ2HOaksGoREuG7UBSj3Bn0r7nEqtTK%2FMw9uBdFcR8venUxu3n44nElW%2FQ9pbg9MI7gjuSUm4v7t9AXIwWh8IlHfKoNXCJT1QxhktsvK5O699RSe7zeXB5wDd7v%2BnjOBFL7zYpK%2FnbK7n8zFwHZrWaiV%2FXkIahf83NkvYXFF9PMxSPhk8g1SDgj7Qa22%2F7x0IHyL1bgKS7q6f%2Fn2mu18%3D&amp;RelayState=magic%3D060806859681f2ed&amp;SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&amp;Signature=RkHlyfm3PThl8ei43dJ%2BERS%2B42ngKeo%2FQGxdcbl7pfcuipF%2B0tt%2FctYzOQYMXmai3zBrmOWL%2FT6UHdySEPB3xy1puf%2BxwPfBYh%2BWnR6S6OQKwkYpsBwUsXWbgrENrQxRFv1RRxm9TFiORyyWJCSCf94THDC0Uu%2BNmG2lyfoDXnmWUfy3hpBdMAKAQL3DJs2l2cKotLmSpPRvK9%2BG%2BYxDcUwDDXyfTzIW7pvo57qmO3L9DRDF1woftJ4Psn4p44LTxvV7bcW4WdhSfji7Z%2F%2FyXzcg7TGnFC1pAw%2FsSXfzp%2FdHSym3TT%2FMIWtpa8JuKrmRWhBMzCP5IIUVxNQr5WiaIA%3D%3D</lasso:MsgUrl><lasso:MsgRelayState>magic=060806859681f2ed</lasso:MsgRelayState><lasso:HttpRequestMethod>4</lasso:HttpRequestMethod><lasso:RequestID>_14B8833DC689A095A1B3AFAD0EB510B4</lasso:RequestID></lasso:Login>
***********************
samld_send_common_reply [91]: Code: 0, id: 563454, pid: 2293, len: 3517, data_len 3501
samld_send_common_reply [99]: Attr: 14, 2352, <lasso:Login xmlns:lasso="http://www.entrouvert.org/namespaces/lasso/0.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" LoginDumpVersion="2"><lasso:Request><samlp:AuthnRequest ID="_14B8833DC689A095A1B3AFAD0EB510B4" Version="2.0" IssueInstant="2024-03-06T03:57:28Z" Destination="https://login.microsoftonline.com/f1a72219-.../saml2" SignType="0" SignMethod="0" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://remote...de01:10428/remote/saml/login"><saml:Issuer>https://remote...de01:10428/remote/saml/metadata</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/></samlp:AuthnRequest></lasso:Request><lasso:RemoteProviderID>https://sts.windows.net/f1a72219-.../</lasso:RemoteProviderID><lasso:MsgUrl>https://login.microsoftonline.com/f1a72219-.../saml2?SAMLRequest=lZJBb9swDIX%2FiqG7bcl2EkdIAtjxigXoNqNJd9hlkGW6FSBLmSh327%2Bf4nRrd1iBHUW%2BR%2FF74AbFqM%2B8mvyjuYNvE6CPfozaIJ8bWzI5w61AhdyIEZB7yY%2FVh1ueJZSfnfVWWk1eWd52CERwXllDokOzJV9ZUZdlnjf7Zbmu6HpRsTqvbqqGvqsXjNYFiT6Dw6DfkmAPJsQJDga9MD6UaFbENI%2Fp8kRzvljxrPxCoiYwKCP87Hr0%2Fow8TbV9UCYZlXQW7eCt0cpAIu2YDkyssoyt464TeVwMS4jXeVfGEvIuL1i3kkORXsgyEt1YJ2HOaksGoREuG7UBSj3Bn0r7nEqtTK%2FMw9uBdFcR8venUxu3n44nElW%2FQ9pbg9MI7gjuSUm4v7t9AXIwWh8IlHfKoNXCJT1QxhktsvK5O699RSe7zeXB5wDd7v%2BnjOBFL7zYpK%2FnbK7n8zFwHZrWaiV%2FXkIahf83NkvYXFF9PMxSPhk8g1SDgj7Qa22%2F7x0IHyL1bgKS7q6f%2Fn2mu18%3D&amp;RelayState=magic%3D060806859681f2ed&amp;SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&amp;Signature=RkHlyfm3PThl8ei43dJ%2BERS%2B42ngKeo%2FQGxdcbl7pfcuipF%2B0tt%2FctYzOQYMXmai3zBrmOWL%2FT6UHdySEPB3xy1puf%2BxwPfBYh%2BWnR6S6OQKwkYpsBwUsXWbgrENrQxRFv1RRxm9TFiORyyWJCSCf94THDC0Uu%2BNmG2lyfoDXnmWUfy3hpBdMAKAQL3DJs2l2cKotLmSpPRvK9%2BG%2BYxDcUwDDXyfTzIW7pvo57qmO3L9DRDF1woftJ4Psn4p44LTxvV7bcW4WdhSfji7Z%2F%2FyXzcg7TGnFC1pAw%2FsSXfzp%2FdHSym3TT%2FMIWtpa8JuKrmRWhBMzCP5IIUVxNQr5WiaIA%3D%3D</lasso:MsgUrl><lasso:MsgRelayState>magic=060806859681f2ed</lasso:MsgRelayState><lasso:HttpRequestMethod>4</lasso:HttpRequestMethod><lasso:RequestID>_14B8833DC689A095A1B3AFAD0EB510B4</lasso:RequestID></lasso:Login>
samld_send_common_reply [99]: Attr: 11, 1149, https://login.microsoftonline.com/f1a72219-.../saml2?SAMLRequest=lZJBb9swDIX%2FiqG7bcl2EkdIAtjxigXoNqNJd9hlkGW6FSBLmSh327%2Bf4nRrd1iBHUW%2BR%2FF74AbFqM%2B8mvyjuYNvE6CPfozaIJ8bWzI5w61AhdyIEZB7yY%2FVh1ueJZSfnfVWWk1eWd52CERwXllDokOzJV9ZUZdlnjf7Zbmu6HpRsTqvbqqGvqsXjNYFiT6Dw6DfkmAPJsQJDga9MD6UaFbENI%2Fp8kRzvljxrPxCoiYwKCP87Hr0%2Fow8TbV9UCYZlXQW7eCt0cpAIu2YDkyssoyt464TeVwMS4jXeVfGEvIuL1i3kkORXsgyEt1YJ2HOaksGoREuG7UBSj3Bn0r7nEqtTK%2FMw9uBdFcR8venUxu3n44nElW%2FQ9pbg9MI7gjuSUm4v7t9AXIwWh8IlHfKoNXCJT1QxhktsvK5O699RSe7zeXB5wDd7v%2BnjOBFL7zYpK%2FnbK7n8zFwHZrWaiV%2FXkIahf83NkvYXFF9PMxSPhk8g1SDgj7Qa22%2F7x0IHyL1bgKS7q6f%2Fn2mu18%3D&RelayState=magic%3D060806859681f2ed&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=RkHlyfm3PThl8ei43dJ%2BERS%2B42ngKeo%2FQGxdcbl7pfcuipF%2B0tt%2FctYzOQYMXmai3zBrmOWL%2FT6UHdySEPB3xy1puf%2BxwPfBYh%2BWnR6S6OQKwkYpsBwUsXWbgrENrQxRFv1RRxm9TFiORyyWJCSCf94THDC0Uu%2BNmG2lyfoDXnmWUfy3hpBdMAKAQL3DJs2l2cKotLmSpPRvK9%2BG%2BYxDcUwDDXyfTzIW7pvo57qmO3L9DRDF1woftJ4Psn4p44LTxvV7bcW4WdhSfji7Z%2F%2FyXzcg7TGnFC1pAw%2FsSXfzp%2FdHSym3TT%2FMIWtpa8JuKrmRWhBMzCP5IIUVxNQr5WiaIA%3D%3D
samld_send_common_reply [119]: Sent resp: 3517, pid=2293, job_id=563454.
samld_process_request [145]: len=10189, cmd=2, pid=2293, job_id=563454
samld_process_request [162]: Received 10189, 0x1272e30
__samld_sp_login_resp [815]: SP Login Response Msg Body (7536)
<samlp:Response ID="_d41828f1-07df-448b-af4d-d59b291280eb" Version="2.0" IssueInstant="2024-03-06T03:57:28.827Z" Destination="https://remote...de01:10428/remote/saml/login" InResponseTo="_14B8833DC689A095A1B3AFAD0EB510B4" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/f1a72219-.../</Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status><Assertion ID="_af843ea7-5620-4f6b-bf20-4fb6db7f1100" IssueInstant="2024-03-06T03:57:28.824Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Issuer>https://sts.windows.net/f1a72219-.../</Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><Reference URI="#_af843ea7-5620-4f6b-bf20-4fb6db7f1100"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><DigestValue>SxoMOgM7+7Chj+VhUVBdW5moKwv+PwCErZyb49+gCSY=</DigestValue></Reference></SignedInfo><SignatureValue>fgdYi3m3yz3ns7pdC3GFNg6Lu4OwvXiw1qh4AR5zXlcq0uQiXMgqQzRKFb1fWuI8zGtOfb451kOlACyD7gLjmdVTcNe4mQJHAKxOWWRiVpUw10r2NMXOvxF1hlCxpYdAYljAUt/Omu94QYShzZHQI49JrF9wA49cEPptiH83kYR+xU3u11jCpwovz1y4CRX/g6/png6cqstX2nDvwvYPbnsAsMSYovUAvG/pqGjtwzO771TdYSDDCEPVTvGZMzYgJdLfZB2qVzc0pU419vIYgoFitgJZG9sP1WOecOBJO2ozaU69QxpRIZsNBntnOm2nzPqEAwpXUmmF6xiDV5R/SQ==</SignatureValue><KeyInfo><X509Data><X509Certificate>MIIC8DCCAdigAwIBAgIQReSC88H5bbBLdkflSF49uzANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0yMzEwMTUwNDQwMDhaFw0yNjEwMTUwNDQwMDhaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQgU1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtwvk0AblPyElViGWIIup8qDUBeFoBV469YOUY87DFmQNGyTPbujE6iheWrLtBPwAnIZ1A75FBaUNXY980vj/Oc6E+kbOy7nCm9GWueI0NvGLnS7HUKi2TrM+EcHhAR+ftV0egq/3MrdBKFKITYYYwO6P0W0JtBjyCMY+XwGoxzREkajSXJnpsscNPwj/XdUBio7I6hnLCRzrTNy9l84nxXIFLZk+O/jzfdaYurblfJJVa8895sMu/Ka5PBow5KJHGnFpjbOJegPBc5kdXjNGisAgpLoZEMNjA8kFSGhlOD6BBs4XGMx7SvM7w/+BPGGbjVyRn94YCoII9KWd7ZHpmQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAs1OVASBqPuz09n0XqtkoSnCgmQufBObUF5FpY990LBEPs/0Uv8LfPUuOukiJJOzbqewgBeIAJLtxfs8ckq40kiL+PjZWvRRVolJGUOiuUO+l+WqdI6O2D3euadlguERdOK3yjs7tFTPhgqtEcQ60QuAWjwEdpjZL0UT2NTdlJz67LRXAjCjB+bXHQ7SndSQfbMtI+DhGo6n+J5XDWQRvhrKI4f1XqzvhkwlPvxUH1f3xo+KnhCYNPY8Ge0yRHHKzS+pHKv4O16GeG34SmJX0Rv17xr8xXuSY2fDQOK9JnHiLWHYRVuB+Mp5lyY+5EpGd7zErPjU7jycmSJcbWMgNH</X509Certificate></X509Data></KeyInfo></Signature><Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.onmicrosoft.com</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="_14B8833DC689A095A1B3AFAD0EB510B4" NotOnOrAfter="2024-03-06T04:57:28.694Z" Recipient="https://remote...de01:10428/remote/saml/login"/></SubjectConfirmation></Subject><Conditions NotBefore="2024-03-06T03:52:28.694Z" NotOnOrAfter="2024-03-06T04:57:28.694Z"><AudienceRestriction><Audience>https://remote...de01:10428/remote/saml/metadata</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid"><AttributeValue>f1a72219-...</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier"><AttributeValue>a6de82a6-05c4-4093-8288-65af36242d67</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/identity/claims/displayname"><AttributeValue>Yuyue Li</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider"><AttributeValue>https://sts.windows.net/f1a72219-.../</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences"><AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue></Attribute><Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/wids"><AttributeValue>88d8e3e3-8f55-4a1e-953a-9b9898b8876b</AttributeValue><AttributeValue>62e90394-69f5-4237-9190-012177145e10</AttributeValue><AttributeValue>b79fbf4d-3ef9-4689-8143-76b194e85509</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><AttributeValue>Yuyue</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><AttributeValue>Li</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><AttributeValue>user@example.onmicrosoft.com</AttributeValue></Attribute><Attribute Name="username"><AttributeValue>yyli@fortinetvan.onmicrosoft.com</AttributeValue></Attribute><Attribute Name="group"><AttributeValue>e6bbee59-c1d8-49e6-916b-2fe6339a3d1e</AttributeValue><AttributeValue>1cd4e267-054c-4e6c-b1ed-fc0f62dde5e6</AttributeValue><AttributeValue>3ccdd7c1-b59c-41c3-a985-229ab4ded5a2</AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant="2024-03-06T03:51:23.739Z" SessionIndex="_af843ea7-5620-4f6b-bf20-4fb6db7f1100"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></samlp:Response>
__samld_sp_login_resp [836]: **** Assertion Dump ****
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_af843ea7-5620-4f6b-bf20-4fb6db7f1100" IssueInstant="2024-03-06T03:57:28.824Z" Version="2.0"><Issuer>https://sts.windows.net/f1a72219-.../</Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><Reference URI="#_af843ea7-5620-4f6b-bf20-4fb6db7f1100"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><DigestValue>SxoMOgM7+7Chj+VhUVBdW5moKwv+PwCErZyb49+gCSY=</DigestValue></Reference></SignedInfo><SignatureValue>fgdYi3m3yz3ns7pdC3GFNg6Lu4OwvXiw1qh4AR5zXlcq0uQiXMgqQzRKFb1fWuI8zGtOfb451kOlACyD7gLjmdVTcNe4mQJHAKxOWWRiVpUw10r2NMXOvxF1hlCxpYdAYljAUt/Omu94QYShzZHQI49JrF9wA49cEPptiH83kYR+xU3u11jCpwovz1y4CRX/g6/png6cqstX2nDvwvYPbnsAsMSYovUAvG/pqGjtwzO771TdYSDDCEPVTvGZMzYgJdLfZB2qVzc0pU419vIYgoFitgJZG9sP1WOecOBJO2ozaU69QxpRIZsNBntnOm2nzPqEAwpXUmmF6xiDV5R/SQ==</SignatureValue><KeyInfo><X509Data><X509Certificate>MIIC8DCCAdigAwIBAgIQReSC88H5bbBLdkflSF49uzANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0yMzEwMTUwNDQwMDhaFw0yNjEwMTUwNDQwMDhaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQgU1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtwvk0AblPyElViGWIIup8qDUBeFoBV469YOUY87DFmQNGyTPbujE6iheWrLtBPwAnIZ1A75FBaUNXY980vj/Oc6E+kbOy7nCm9GWueI0NvGLnS7HUKi2TrM+EcHhAR+ftV0egq/3MrdBKFKITYYYwO6P0W0JtBjyCMY+XwGoxzREkajSXJnpsscNPwj/XdUBio7I6hnLCRzrTNy9l84nxXIFLZk+O/jzfdaYurblfJJVa8895sMu/Ka5PBow5KJHGnFpjbOJegPBc5kdXjNGisAgpLoZEMNjA8kFSGhlOD6BBs4XGMx7SvM7w/+BPGGbjVyRn94YCoII9KWd7ZHpmQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAs1OVASBqPuz09n0XqtkoSnCgmQufBObUF5FpY990LBEPs/0Uv8LfPUuOukiJJOzbqewgBeIAJLtxfs8ckq40kiL+PjZWvRRVolJGUOiuUO+l+WqdI6O2D3euadlguERdOK3yjs7tFTPhgqtEcQ60QuAWjwEdpjZL0UT2NTdlJz67LRXAjCjB+bXHQ7SndSQfbMtI+DhGo6n+J5XDWQRvhrKI4f1XqzvhkwlPvxUH1f3xo+KnhCYNPY8Ge0yRHHKzS+pHKv4O16GeG34SmJX0Rv17xr8xXuSY2fDQOK9JnHiLWHYRVuB+Mp5lyY+5EpGd7zErPjU7jycmSJcbWMgNH</X509Certificate></X509Data></KeyInfo></Signature><Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.onmicrosoft.com</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="_14B8833DC689A095A1B3AFAD0EB510B4" NotOnOrAfter="2024-03-06T04:57:28.694Z" Recipient="https://remote...de01:10428/remote/saml/login"/></SubjectConfirmation></Subject><Conditions NotBefore="2024-03-06T03:52:28.694Z
ike :shrank heap by 172032 bytes
ike V=root:0: comes 10.152.35.170:500->10.152.35.161:500,ifindex=3,vrf=0,len=456....
ike V=root:0: IKEv2 exchange=SA_INIT id=91d7e3bfd6eb8287/0000000000000000 len=456
ike 0: in 91D7E3BFD6EB828700000000000000002120220800000000000001C82200005C0200002C010100040300000C0100000C800E00800300000802000002030000080300000200000008040000050000002C020100040300000C0100000C800E01000300000802000005030000080300000C0000000804000005280000C800050000A5F0F0154C1F23D09D2C498ABD86C9875EFFC0E746A12E55AE182E3FBAFAD9BA91FCAA52E25EB1E78AD3C6BD6A389E119BDBB8D07480F81680DACAF5D162042DF7FDAD3A091A9E0C2A026388A39B658D8913B2376AF01B2F02E2AC22E6FC9309393388CF76676F136DB18B5BCE96EE187E06C3F481C0214A4392641C4F0163F2DA7A8B4F2C7168FE09C7F485C17A02360BA1A3358DEC4992DA2784338ACD23A03ADABB04146732E3D51C4A4F1530F66E5951E668DAD51BB9FA1EF9D9C45F302B2B000014FC1604191670582A2C223ECA5E6FD1862B0000144C53427B6D465D1B337BB755A37A7FEF2B000014B4F01CA951E9DA8D0BAFBBD34AD3044E29000014C1DC4350476B98A429B91781914CA43E2900001C000040049CFF24AC5C389CA04560B76DE2EA4DAD3980D4E90000001C00004005C736780986F56FDCFB69E529BD4EFEB9405FBB47
ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: responder received SA_INIT msg
ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: VID forticlient connect license 4C53427B6D465D1B337BB755A37A7FEF
ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: VID Fortinet Endpoint Control B4F01CA951E9DA8D0BAFBBD34AD3044E
ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: VID unknown (16): C1DC4350476B98A429B91781914CA43E
ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: received notify type NAT_DETECTION_SOURCE_IP
ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: received notify type NAT_DETECTION_DESTINATION_IP
ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: incoming proposal:
ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: proposal id = 1:
ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: protocol = IKEv2:
ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: encapsulation = IKEv2/none
ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: type=ENCR, val=AES_CBC (key_len = 128)
ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: type=INTEGR, val=AUTH_HMAC_SHA_96
ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: type=PRF, val=PRF_HMAC_SHA
ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: type=DH_GROUP, val=MODP1536.
ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: proposal id = 2:
ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: protocol = IKEv2:
ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: encapsulation = IKEv2/none
ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: type=ENCR, val=AES_CBC (key_len = 256)
ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: type=PRF, val=PRF_HMAC_SHA2_256
ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: type=DH_GROUP, val=MODP1536.
ike V=root:0: cache rebuild start
ike V=root:0:V4-PSK: cached as dynamic
ike V=root:0:v4-Cert: cached as dynamic
ike V=root:0:v4-PSK-IKEv2: cached as dynamic
ike V=root:0: cache rebuild done
ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: matched proposal id 1
ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: proposal id = 1:
ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: protocol = IKEv2:
ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: encapsulation = IKEv2/none
ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: type=ENCR, val=AES_CBC (key_len = 128)
ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: type=INTEGR, val=AUTH_HMAC_SHA_96
ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: type=PRF, val=PRF_HMAC_SHA
ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: type=DH_GROUP, val=MODP1536.
ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: lifetime=86400
ike V=root:0:91d7e3bfd6eb8287/0000000000000000:14: SA proposal chosen, matched gateway v4-PSK-IKEv2
ike V=root:0:v4-PSK-IKEv2: created connection: 0xe9bf900 3 10.152.35.161->10.152.35.170:500.
ike V=root:0:v4-PSK-IKEv2:14: processing notify type NAT_DETECTION_SOURCE_IP
ike V=root:0:v4-PSK-IKEv2:14: processing NAT-D payload
ike V=root:0:v4-PSK-IKEv2:14: NAT not detected
ike V=root:0:v4-PSK-IKEv2:14: process NAT-D
ike V=root:0:v4-PSK-IKEv2:14: processing notify type NAT_DETECTION_DESTINATION_IP
ike V=root:0:v4-PSK-IKEv2:14: processing NAT-D payload
ike V=root:0:v4-PSK-IKEv2:14: NAT not detected
ike V=root:0:v4-PSK-IKEv2:14: process NAT-D
ike V=root:0:v4-PSK-IKEv2:14: FEC vendor ID received FEC but IP not set
ike V=root:0:v4-PSK-IKEv2:14: responder preparing SA_INIT msg
ike V=root:0:v4-PSK-IKEv2:14: generate DH public value request queued
ike V=root:0:v4-PSK-IKEv2:14: responder preparing SA_INIT msg
ike V=root:0:v4-PSK-IKEv2:14: compute DH shared secret request queued
ike V=root:0:v4-PSK-IKEv2:14: responder preparing SA_INIT msg
ike V=root:0:v4-PSK-IKEv2:14: create NAT-D hash local 10.152.35.161/500 remote 10.152.35.170/500
ike 0:v4-PSK-IKEv2:14: out
ike V=root:0:v4-PSK-IKEv2:14: sent IKE msg (SA_INIT_RESPONSE): 10.152.35.161:500->10.152.35.170:500, len=352, vrf=0, id=91d7e3bfd6eb8287/032b6561653de267, oif=3
ike 0:v4-PSK-IKEv2:14: IKE SA 91d7e3bfd6eb8287/032b6561653de267 SK_ei 16:8B1FC416E2A711C0A33BF3074485A78F
ike 0:v4-PSK-IKEv2:14: IKE SA 91d7e3bfd6eb8287/032b6561653de267 SK_er 16:A4BB868B7D8FBB81EDE5C9FD1555365E
ike 0:v4-PSK-IKEv2:14: IKE SA 91d7e3bfd6eb8287/032b6561653de267 SK_ai 20:2CB9528C9AE4B625B6F4A931ED07641416A51DCA
ike 0:v4-PSK-IKEv2:14: IKE SA 91d7e3bfd6eb8287/032b6561653de267 SK_ar 20:7F182EEB73D4DE03695AF202E620B2C741CF503A
ike V=root:0: comes 10.152.35.170:500->10.152.35.161:500,ifindex=3,vrf=0,len=620....
ike V=root:0: IKEv2 exchange=AUTH id=91d7e3bfd6eb8287/032b6561653de267:00000001 len=620
ike 0: in
ike 0:v4-PSK-IKEv2:14: dec
ike V=root:0:v4-PSK-IKEv2:14: responder received AUTH msg
ike V=root:0:v4-PSK-IKEv2:14: processing notify type INITIAL_CONTACT
ike V=root:0:v4-PSK-IKEv2:14: processing notify type FORTICLIENT_CONNECT
ike V=root:0:v4-PSK-IKEv2:14: received FCT data len = 304, data = 'VER=1 FCTVER=7.2.4.0972 UID=E69F7AE0D84444F4A1AF8DF09BDE8593 IP=10.152.35.170 MAC=00-15-5d-23-a8-01; HOST=DESKTOP-UPINBRJ USER=E69F7AE0D84444F4A1AF8DF09BDE8593 OSVER=Microsoft Windows 10 Enterprise Edition, 64-bit (build 19045) REG_STATUS=0 EMSSN=FCTEMS1043575532 EMSID=00000000000000000000000000000000 '
ike V=root:0:v4-PSK-IKEv2:14: received FCT-UID : E69F7AE0D84444F4A1AF8DF09BDE8593
ike V=root:0:v4-PSK-IKEv2:14: peer identifier IPV4_ADDR 10.152.35.170
ike V=root:0:v4-PSK-IKEv2:14: re-validate gw ID
ike V=root:0:v4-PSK-IKEv2:14: gw validation OK
ike V=root:0:v4-PSK-IKEv2:14: responder preparing EAP identity request
ike 0:v4-PSK-IKEv2:14: enc 2700000C010000000A9823A13000001C0200000066323F7A3C4C726A3D4D29D163A1D2EE26A29F1600000009018C0005010E0D0C0B0A0908070605040302010E
ike 0:v4-PSK-IKEv2:14: out 91D7E3BFD6EB8287032B6561653DE2672E202320000000010000007C2400006019975696D3E610D0A55FCE2141CE07B6CADD98E08E17E48B28D411CC78077514901262266AC460CEB8EF355E8DF5E1990674923144292715C8A7FFBE5186369083671645EB6300E98FAEE17C0613A79BBE3934314FCE2BABD0835112
ike V=root:0:v4-PSK-IKEv2:14: sent IKE msg (AUTH_RESPONSE): 10.152.35.161:500->10.152.35.170:500, len=124, vrf=0, id=91d7e3bfd6eb8287/032b6561653de267:00000001, oif=3
ike V=root:0: comes 10.152.35.170:500->10.152.35.161:500,ifindex=3,vrf=0,len=108....
ike V=root:0: IKEv2 exchange=AUTH id=91d7e3bfd6eb8287/032b6561653de267:00000002 len=108
ike 0: in 91D7E3BFD6EB8287032B6561653DE2672E202308000000020000006C30000050D355C65E627AB11AA4880DB9B65E4660D5CE9F3414AD9C4ED0F64CCF1A4A250265D56EE573F5AF208A1E4EA6FBC2CEED73E7EE8AB356C80FEC7B02D78C7CC1E7328CEF9F039CA8F6D3D9175B
ike 0:v4-PSK-IKEv2:14: dec 91D7E3BFD6EB8287032B6561653DE2672E20230800000002000000493000000400000029028C0025014536394637414530443834343434463441314146384446303942444538353933
ike V=root:0:v4-PSK-IKEv2:14: responder received EAP msg
ike V=root:0:v4-PSK-IKEv2:14: send EAP message to FNBAM
ike V=root:0:v4-PSK-IKEv2:14: initiating EAP authentication
ike V=root:0:v4-PSK-IKEv2: EAP user "E69F7AE0D84444F4A1AF8DF09BDE8593"
ike V=root:0:v4-PSK-IKEv2: auth candidate group 'ipsec-saml-group' 6
ike V=root:0:v4-PSK-IKEv2: EAP 300162803 pending
ike V=root:0:v4-PSK-IKEv2:14 EAP 300162803 result FNBAM_CHALLENGED
ike V=root:0:v4-PSK-IKEv2: EAP challenged for user "E69F7AE0D84444F4A1AF8DF09BDE8593"
ike V=root:0:v4-PSK-IKEv2:14: responder preparing EAP pass through message
ike 0:v4-PSK-IKEv2:14: enc 00000025018D00211A018D001C10127D990A0E60029A5973F7E9DB3C302D686F73746170640A0908070605040302010A
ike 0:v4-PSK-IKEv2:14: out 91D7E3BFD6EB8287032B6561653DE2672E202320000000020000006C3000005023BDD3F892B81FF71C36F5A1F8818AAC1B5E266CA932E002099308830C1AD89103AE2A6CBF22418D54EF94C27A081D1BDF9AFC403110DF51F2ACDC00FDCF48A3CB4FAC40AAEC2DA278FD1019
ike V=root:0:v4-PSK-IKEv2:14: sent IKE msg (AUTH_RESPONSE): 10.152.35.161:500->10.152.35.170:500, len=108, vrf=0, id=91d7e3bfd6eb8287/032b6561653de267:00000002, oif=3
ike V=root:0: comes 10.152.35.170:500->10.152.35.161:500,ifindex=3,vrf=0,len=156....
ike V=root:0: IKEv2 exchange=AUTH id=91d7e3bfd6eb8287/032b6561653de267:00000003 len=156
ike 0: in 91D7E3BFD6EB8287032B6561653DE2672E202308000000030000009C30000080C3287818C3211DB53758AFFEA523DCFCA3299F4AFBEBBBE50EC3DB44EA5D914B612529B169CD10D41F02204888F1AEEB193BA3640B87DA27AF7772921FC74494B837E26EEA63393ABF21AC2CD3532B128AF2BFBE362DE8A10A4DD97775353B65175262B421E4483DBA79842E0CA09D2C3F52DD7149658445582DC8C1
ike 0:v4-PSK-IKEv2:14: dec 91D7E3BFD6EB8287032B6561653DE2672E202308000000030000007F300000040000005F028D005B1A028D005631C828BD1F5DC09E2EAE44A295D803BD5E00000000000000000D807F3A068A31FDCDBEA9D6273968C91D3F1F5EB1CFFB7E004536394637414530443834343434463441314146384446303942444538353933
ike V=root:0:v4-PSK-IKEv2:14: responder received EAP msg
ike V=root:0:v4-PSK-IKEv2:14: send EAP message to FNBAM
ike V=root:0:v4-PSK-IKEv2: EAP 300162803 pending
ike V=root:0:v4-PSK-IKEv2:14 EAP 300162803 result FNBAM_CHALLENGED
ike V=root:0:v4-PSK-IKEv2: EAP challenged for user "E69F7AE0D84444F4A1AF8DF09BDE8593"
ike V=root:0:v4-PSK-IKEv2:14: responder preparing EAP pass through message
ike 0:v4-PSK-IKEv2:14: enc 0000003C018E00381A038D0033533D43303737373636354142344433373642363239393634363642454438353036354246413742433338204D3D4F4B03020103
ike 0:v4-PSK-IKEv2:14: out 91D7E3BFD6EB8287032B6561653DE2672E202320000000030000007C3000006062B69000FB6AEE38971A70EACE9897104893B4B65D8E8CB390C129332713613C9F1EE27FB09FDDBCA849ACA0E9852F3BA62AF9472271F3A29BFF603E74E5BF2B45A818A679B93D29F4C24B1A33761B950B654B4EF14D417BF1E40510
ike V=root:0:v4-PSK-IKEv2:14: sent IKE msg (AUTH_RESPONSE): 10.152.35.161:500->10.152.35.170:500, len=124, vrf=0, id=91d7e3bfd6eb8287/032b6561653de267:00000003, oif=3
ike V=root:0: comes 10.152.35.170:500->10.152.35.161:500,ifindex=3,vrf=0,len=76....
ike V=root:0: IKEv2 exchange=AUTH id=91d7e3bfd6eb8287/032b6561653de267:00000004 len=76
ike 0: in 91D7E3BFD6EB8287032B6561653DE2672E202308000000040000004C30000030BC217F9ADF27626EC3E13C22D86598BEC75E9887C9407B868045ED29084660F870974CD011CFAFDEF02D58C5
ike 0:v4-PSK-IKEv2:14: dec 91D7E3BFD6EB8287032B6561653DE2672E202308000000040000002A300000040000000A028E00061A03
ike V=root:0:v4-PSK-IKEv2:14: responder received EAP msg
ike V=root:0:v4-PSK-IKEv2:14: send EAP message to FNBAM
ike V=root:0:v4-PSK-IKEv2: EAP 300162803 pending
ike V=root:0:v4-PSK-IKEv2:14 EAP 300162803 result FNBAM_SUCCESS
ike V=root:0:v4-PSK-IKEv2: user 'user@example.onmicrosoft.com' authenticated group 'ipsec-saml-group' 6
ike V=root:0:v4-PSK-IKEv2:14: responder preparing EAP pass through message
ike 0:v4-PSK-IKEv2:14: enc 00000008038E00040706050403020107
ike 0:v4-PSK-IKEv2:14: out 91D7E3BFD6EB8287032B6561653DE2672E202320000000040000004C300000309A60CF863B708309D8C1418333CF21EC2A32E00615FDDF53EF5072DE9422A4D280605F88257E11FED22FF0D5
ike V=root:0:v4-PSK-IKEv2:14: sent IKE msg (AUTH_RESPONSE): 10.152.35.161:500->10.152.35.170:500, len=76, vrf=0, id=91d7e3bfd6eb8287/032b6561653de267:00000004, oif=3
ike V=root:0: comes 10.152.35.170:500->10.152.35.161:500,ifindex=3,vrf=0,len=92....
ike V=root:0: IKEv2 exchange=AUTH id=91d7e3bfd6eb8287/032b6561653de267:00000005 len=92
ike 0: in 91D7E3BFD6EB8287032B6561653DE2672E202308000000050000005C270000409F291281AD48EC4CD1DFEF5961D33BE185A04F1810661E66FBC1F5846796CD0A535C063D19A0E930A51130F3D9413512EF92EC71E582D10991B7FE42
ike 0:v4-PSK-IKEv2:14: dec 91D7E3BFD6EB8287032B6561653DE2672E202308000000050000003C270000040000001C0200000063A2A164BD0FE9F4D29DDA752517ACD373B1567E
ike V=root:0:v4-PSK-IKEv2:14: responder received AUTH msg
ike V=root:0:v4-PSK-IKEv2:14: auth verify done
ike V=root:0:v4-PSK-IKEv2:14: responder AUTH continuation
ike V=root:0:v4-PSK-IKEv2:14: authentication succeeded
ike V=root:0:v4-PSK-IKEv2:14: responder creating new child
ike V=root:0:v4-PSK-IKEv2:14: mode-cfg type 7 request 16:'46435438303031343438313130343930'
ike V=root:0:v4-PSK-IKEv2:14: mode-cfg received APPLICATION_VERSION 'FCT8001448110490'
ike V=root:0:v4-PSK-IKEv2:14: mode-cfg type 1 request 0:''
ike V=root:0:v4-PSK-IKEv2: mode-cfg allocate 192.168.1.100/0.0.0.0
ike V=root:0:v4-PSK-IKEv2:14: mode-cfg using allocated IPv4 192.168.1.100
ike V=root:0:v4-PSK-IKEv2:14: mode-cfg type 2 request 0:''
ike V=root:0:v4-PSK-IKEv2:14: mode-cfg type 3 request 0:''
ike V=root:0:v4-PSK-IKEv2:14: mode-cfg type 4 request 0:''
ike V=root:0:v4-PSK-IKEv2:14: mode-cfg WINS ignored, no WINS servers configured
ike V=root:0:v4-PSK-IKEv2:14: mode-cfg type 13 request 0:''
ike V=root:0:v4-PSK-IKEv2:14: mode-cfg type 25 request 0:''
ike V=root:0:v4-PSK-IKEv2:14: mode-cfg type 8 request 0:''
ike V=root:0:v4-PSK-IKEv2: IPv6 pool is not configured
ike V=root:0:v4-PSK-IKEv2:14: mode-cfg could not allocate IPv6 address
ike V=root:0:v4-PSK-IKEv2:14: mode-cfg type 15 request 0:''
ike V=root:0:v4-PSK-IKEv2:14: mode-cfg type 10 request 0:''
ike V=root:0:v4-PSK-IKEv2:14: mode-cfg type 11 request 0:''
ike V=root:0:v4-PSK-IKEv2:14: mode-cfg type 11 not supported, ignoring
ike V=root:0:v4-PSK-IKEv2:14: mode-cfg type 28673 request 0:''
ike V=root:0:v4-PSK-IKEv2:14: mode-cfg UNITY type 28673 requested
ike V=root:0:v4-PSK-IKEv2:14: mode-cfg type 21514 request 0:''
ike V=root:0:v4-PSK-IKEv2:14: mode-cfg type 21514 requested
ike V=root:0:v4-PSK-IKEv2:14: mode-cfg type 21515 request 0:''
ike V=root:0:v4-PSK-IKEv2:14: mode-cfg type 21515 requested
ike V=root:0:v4-PSK-IKEv2:14: mode-cfg type 28672 request 0:''
ike V=root:0:v4-PSK-IKEv2:14: mode-cfg UNITY type 28672 requested
ike V=root:0:v4-PSK-IKEv2:14: mode-cfg no banner configured, ignoring
ike V=root:0:v4-PSK-IKEv2:14:10: peer proposal:
ike V=root:0:v4-PSK-IKEv2:14:10: TSi_0 0:0.0.0.0-255.255.255.255:0
ike V=root:0:v4-PSK-IKEv2:14:10: TSr_0 0:0.0.0.0-255.255.255.255:0
ike V=root:0:v4-PSK-IKEv2:14:v4-PSK-IKEv2:10: comparing selectors
ike V=root:0:v4-PSK-IKEv2:14:v4-PSK-IKEv2:10: matched by rfc-rule-2
ike V=root:0:v4-PSK-IKEv2:14:v4-PSK-IKEv2:10: phase2 matched by subset
ike V=root:0:v4-PSK-IKEv2:14:v4-PSK-IKEv2:10: using mode-cfg override 0:192.168.1.100-192.168.1.100:0
ike V=root:0:v4-PSK-IKEv2:14:v4-PSK-IKEv2:10: accepted proposal:
ike V=root:0:v4-PSK-IKEv2:14:v4-PSK-IKEv2:10: TSi_0 0:192.168.1.100-192.168.1.100:0
ike V=root:0:v4-PSK-IKEv2:14:v4-PSK-IKEv2:10: TSr_0 0:0.0.0.0-255.255.255.255:0
ike V=root:0:v4-PSK-IKEv2:14:v4-PSK-IKEv2:10: dialup
ike V=root:0:v4-PSK-IKEv2:14:v4-PSK-IKEv2:10: incoming child SA proposal:
ike V=root:0:v4-PSK-IKEv2:14:v4-PSK-IKEv2:10: proposal id = 1:
ike V=root:0:v4-PSK-IKEv2:14:v4-PSK-IKEv2:10: protocol = ESP:
ike V=root:0:v4-PSK-IKEv2:14:v4-PSK-IKEv2:10: encapsulation = TUNNEL
ike V=root:0:v4-PSK-IKEv2:14:v4-PSK-IKEv2:10: type=ENCR, val=AES_CBC (key_len = 128)
ike V=root:0:v4-PSK-IKEv2:14:v4-PSK-IKEv2:10: type=INTEGR, val=SHA
ike V=root:0:v4-PSK-IKEv2:14:v4-PSK-IKEv2:10: type=ESN, val=NO
ike V=root:0:v4-PSK-IKEv2:14:v4-PSK-IKEv2:10: PFS is disabled
ike V=root:0:v4-PSK-IKEv2:14:v4-PSK-IKEv2:10: matched proposal id 1
ike V=root:0:v4-PSK-IKEv2:14:v4-PSK-IKEv2:10: proposal id = 1:
ike V=root:0:v4-PSK-IKEv2:14:v4-PSK-IKEv2:10: protocol = ESP:
ike V=root:0:v4-PSK-IKEv2:14:v4-PSK-IKEv2:10: encapsulation = TUNNEL
ike V=root:0:v4-PSK-IKEv2:14:v4-PSK-IKEv2:10: type=ENCR, val=AES_CBC (key_len = 128)
ike V=root:0:v4-PSK-IKEv2:14:v4-PSK-IKEv2:10: type=INTEGR, val=SHA
ike V=root:0:v4-PSK-IKEv2:14:v4-PSK-IKEv2:10: type=ESN, val=NO
ike V=root:0:v4-PSK-IKEv2:14:v4-PSK-IKEv2:10: PFS is disabled
ike V=root:0:v4-PSK-IKEv2:14:v4-PSK-IKEv2:10: lifetime=43200
ike V=root:0:v4-PSK-IKEv2:14: responder preparing AUTH msg
ike V=root:0:v4-PSK-IKEv2: IPv6 pool is not configured
ike V=root:0:v4-PSK-IKEv2: adding new dynamic tunnel for 10.152.35.170:500
ike V=root:0:v4-PSK-IKEv2_0: tunnel created tun_id 192.168.1.100/::10.0.0.11 remote_location 0.0.0.0
ike V=root:0:v4-PSK-IKEv2_0: added new dynamic tunnel for 10.152.35.170:500
ike V=root:0:v4-PSK-IKEv2_0:14: established IKE SA 91d7e3bfd6eb8287/032b6561653de267
ike V=root:0:v4-PSK-IKEv2_0:14: check peer route: if_addr4_rcvd=0, if_addr6_rcvd=0, mode_cfg=1
ike V=root:0:v4-PSK-IKEv2_0:14: processing INITIAL-CONTACT
ike V=root:0:v4-PSK-IKEv2_0: flushing
ike V=root:0:v4-PSK-IKEv2_0: flushed
ike V=root:0:v4-PSK-IKEv2_0:14: processed INITIAL-CONTACT
ike V=root:0:v4-PSK-IKEv2_0:14: mode-cfg assigned (1) IPv4 address 192.168.1.100
ike V=root:0:v4-PSK-IKEv2_0:14: mode-cfg assigned (2) IPv4 netmask 255.255.255.255
ike V=root:0:v4-PSK-IKEv2_0:14: mode-cfg send (13) 0:192.168.235.0/255.255.255.0:0
ike V=root:0:v4-PSK-IKEv2_0:14: mode-cfg send (3) IPv4 DNS(1) 172.17.60.6
ike V=root:0:v4-PSK-IKEv2_0:14: mode-cfg send (3) IPv4 DNS(2) 8.8.8.8
ike V=root:0:v4-PSK-IKEv2_0:14: mode-cfg send INTERNAL_IP6_SUBNET
ike V=root:0:v4-PSK-IKEv2_0:14: mode-cfg IPv6 DNS ignored, no IPv6 DNS servers found
ike V=root:0:v4-PSK-IKEv2_0:14: mode-cfg send APPLICATION_VERSION 'FortiGate-VM64-HV v7.4.3,build2573,240201 (GA.F)'
ike V=root:0:v4-PSK-IKEv2_0:14: mode-cfg send (28673) UNITY_SAVE_PASSWD
ike V=root:0:v4-PSK-IKEv2_0:14: mode-cfg send (21514) FNT_AUTO_NEGOTIATE
ike V=root:0:v4-PSK-IKEv2_0:14: mode-cfg send (21515)
FNT_KEEP_ALIVE ike V=root:0:v4-PSK-IKEv2_0:14:v4-PSK-IKEv2:10: replay protection enabled ike V=root:0:v4-PSK-IKEv2_0:14:v4-PSK-IKEv2:10: set sa life soft seconds=43189. ike V=root:0:v4-PSK-IKEv2_0:14:v4-PSK-IKEv2:10: set sa life hard seconds=43200. ike V=root:0:v4-PSK-IKEv2_0:14:v4-PSK-IKEv2:10: IPsec SA selectors #src=1 #dst=1 ike V=root:0:v4-PSK-IKEv2_0:14:v4-PSK-IKEv2:10: src 0 7 0:0.0.0.0-255.255.255.255:0 ike V=root:0:v4-PSK-IKEv2_0:14:v4-PSK-IKEv2:10: dst 0 7 0:192.168.1.100-192.168.1.100:0 ike V=root:0:v4-PSK-IKEv2_0:14:v4-PSK-IKEv2:10: add dynamic IPsec SA selectors 682 ike V=root:0:v4-PSK-IKEv2_0:14:v4-PSK-IKEv2:10: added dynamic IPsec SA proxyids new 1 682 ike V=root:0:v4-PSK-IKEv2:10: add route 192.168.1.100/255.255.255.255 gw 192.168.1.100 oif v4-PSK-IKEv2(14) metric 15 priority 1 ike V=root:0:v4-PSK-IKEv2_0:14:v4-PSK-IKEv2:10: tunnel 1 of VDOM limit 0/0 ike V=root:0:v4-PSK-IKEv2_0:14:v4-PSK-IKEv2:10: add IPsec SA: SPIs=758626b2/e03a386c ike 0:v4-PSK-IKEv2_0:14:v4-PSK-IKEv2:10: IPsec SA dec spi 758626b2 key 16:5F6D51E51801CDD3C5DDFFCD55CEBF18 auth 20:4284FFE8D12D3E617DDEEADE9E71ECBEBE07918E ike 0:v4-PSK-IKEv2_0:14:v4-PSK-IKEv2:10: IPsec SA enc spi e03a386c key 16:CF5000829B184D71E97B4839BB221801 auth 20:1C9497F99E0EEFD7091A20EECA7CC95E6672FDFB ike V=root:0:v4-PSK-IKEv2_0:14:v4-PSK-IKEv2:10: added IPsec SA: SPIs=758626b2/e03a386c ike V=root:0:v4-PSK-IKEv2_0:14:v4-PSK-IKEv2:10: sending SNMP tunnel UP trap ike V=root:0:v4-PSK-IKEv2_0: tunnel up event assigned address 192.168.1.100 ike V=root:0:v4-PSK-IKEv2_0: sent tunnel-up message to EMS: (fct-uid=E69F7AE0D84444F4A1AF8DF09BDE8593, intf=v4-PSK-IKEv2_0, addr=192.168.1.100, vdom=root) ike V=root:0:v4-PSK-IKEv2_0: user 'user@example.onmicrosoft.com' 192.168.1.100 groups 1 ike 0:v4-PSK-IKEv2_0:14: enc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ike 0:v4-PSK-IKEv2_0:14: out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ike V=root:0:v4-PSK-IKEv2_0:14: sent IKE msg (AUTH_RESPONSE): 
10.152.35.161:500->10.152.35.170:500, len=348, vrf=0, id=91d7e3bfd6eb8287/032b6561653de267:00000005, oif=3 ike V=root:0:v4-PSK-IKEv2_0: link is idle 3 10.152.35.161->10.152.35.170:0 dpd=1 seqno=1 rr=0 ike V=root:0: comes 10.152.35.170:500->10.152.35.161:500,ifindex=3,vrf=0,len=76.... ike V=root:0: IKEv2 exchange=INFORMATIONAL id=91d7e3bfd6eb8287/032b6561653de267:00000006 len=76 ike 0: in 91D7E3BFD6EB8287032B6561653DE2672E202508000000060000004C000000308313D182BDFE6429ACF9CD754A0CAA19E6997AD0F915E69445D9C1256C6CBF7694582330F8AED0C6F892FD1D ike 0:v4-PSK-IKEv2_0:14: dec 91D7E3BFD6EB8287032B6561653DE2672E202508000000060000002000000004 ike V=root:0:v4-PSK-IKEv2_0:14: received informational request ike 0:v4-PSK-IKEv2_0:14: enc 0F0E0D0C0B0A0908070605040302010F ike 0:v4-PSK-IKEv2_0:14: out 91D7E3BFD6EB8287032B6561653DE2672E202520000000060000004C00000030E74A78C1B6607A4209955C934EBD0486354D124282E51DAEF58CBFB26AAABE8E4E905A 2ED459F3DD076CFD23 ike V=root:0:v4-PSK-IKEv2_0:14: sent IKE msg (INFORMATIONAL_RESPONSE): 10.152.35.161:500->10.152.35.170:500, len=76, vrf=0, id=91d7e3bfd6eb8287/032b6561653de267:00 000006, oif=3 ike :shrank heap by 331776 bytes ike V=root:0: comes 10.152.35.170:500->10.152.35.161:500,ifindex=3,vrf=0,len=76.... 
ike V=root:0: IKEv2 exchange=INFORMATIONAL id=91d7e3bfd6eb8287/032b6561653de267:00000007 len=76 ike 0: in 91D7E3BFD6EB8287032B6561653DE2672E202508000000070000004C00000030B7731C94B7CD08C9325F550EC0EABE733FC5DA5E50A1440AE3FE358726D1DE7EFE61CC3D02674FE0155CE28F ike 0:v4-PSK-IKEv2_0:14: dec 91D7E3BFD6EB8287032B6561653DE2672E202508000000070000002000000004 ike V=root:0:v4-PSK-IKEv2_0:14: received informational request ike 0:v4-PSK-IKEv2_0:14: enc 0F0E0D0C0B0A0908070605040302010F ike 0:v4-PSK-IKEv2_0:14: out 91D7E3BFD6EB8287032B6561653DE2672E202520000000070000004C0000003042E9544F9024C5ED6F72E90A613C99A7EA7AFE3534D71E8FEC8CA3B65DB1708473F80D 5395ABBD30500A38DA ike V=root:0:v4-PSK-IKEv2_0:14: sent IKE msg (INFORMATIONAL_RESPONSE): 10.152.35.161:500->10.152.35.170:500, len=76, vrf=0, id=91d7e3bfd6eb8287/032b6561653de267:00 000007, oif=3 ike V=root:0: comes 10.152.35.170:500->10.152.35.161:500,ifindex=3,vrf=0,len=76.... ike V=root:0: IKEv2 exchange=INFORMATIONAL id=91d7e3bfd6eb8287/032b6561653de267:00000008 len=76 ike 0: in 91D7E3BFD6EB8287032B6561653DE2672E202508000000080000004C00000030D72FA651DD9192B8390213F8D30CF93C1F47EAC9934E09391EBB7F7E55C8DF0574AAFA1CCCBFD5C34F93AFD8 ike 0:v4-PSK-IKEv2_0:14: dec 91D7E3BFD6EB8287032B6561653DE2672E202508000000080000002000000004 ike V=root:0:v4-PSK-IKEv2_0:14: received informational request ike 0:v4-PSK-IKEv2_0:14: enc 0F0E0D0C0B0A0908070605040302010F ike 0:v4-PSK-IKEv2_0:14: out 91D7E3BFD6EB8287032B6561653DE2672E202520000000080000004C00000030494190DE9E0047C7B17F642218C27C46615E9AA717E1BDEFA2B56938BD8990C9B54783 49D4AD0420063AE9B4 ike V=root:0:v4-PSK-IKEv2_0:14: sent IKE msg (INFORMATIONAL_RESPONSE): 10.152.35.161:500->10.152.35.170:500, len=76, vrf=0, id=91d7e3bfd6eb8287/032b6561653de267:00 000008, oif=3
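A small checker, added here as an example and not part of the Fortinet documentation, that pulls the milestones an administrator verifies in the debug output above (authentication, mode-cfg address, IKE and IPsec SA identifiers, the tunnel-up notification to EMS and the SAML identity) and reports where a failed session stalled. The sample records are copied from the output above; the function and milestone names are my own.

```python
import re

# Constructed sample: a handful of records copied from the debug output above
# (the IKE SA id, SPIs and addresses are the page's own example values).
SAMPLE_LOG = """\
ike V=root:0:v4-PSK-IKEv2:14: responder received AUTH msg
ike V=root:0:v4-PSK-IKEv2:14: authentication succeeded
ike V=root:0:v4-PSK-IKEv2:14: mode-cfg using allocated IPv4 192.168.1.100
ike V=root:0:v4-PSK-IKEv2_0:14: established IKE SA 91d7e3bfd6eb8287/032b6561653de267
ike V=root:0:v4-PSK-IKEv2_0:14:v4-PSK-IKEv2:10: added IPsec SA: SPIs=758626b2/e03a386c
ike V=root:0:v4-PSK-IKEv2_0: sent tunnel-up message to EMS: (fct-uid=E69F7AE0D84444F4A1AF8DF09BDE8593, intf=v4-PSK-IKEv2_0, addr=192.168.1.100, vdom=root)
ike V=root:0:v4-PSK-IKEv2_0: user 'user@example.onmicrosoft.com' 192.168.1.100 groups 1
"""

# Milestones of a responder-side dial-up IKEv2 session, in the order the debug
# output emits them, each with a regex (hypothetical names, my own) that recognises it.
MILESTONES = [
    ("auth_ok",      re.compile(r"authentication succeeded")),
    ("assigned_ip",  re.compile(r"mode-cfg using allocated IPv4 (\d+\.\d+\.\d+\.\d+)")),
    ("ike_sa",       re.compile(r"established IKE SA ([0-9a-f]+/[0-9a-f]+)")),
    ("ipsec_sa",     re.compile(r"added IPsec SA: SPIs=([0-9a-f]+/[0-9a-f]+)")),
    ("ems_notified", re.compile(r"sent tunnel-up message to EMS: \(fct-uid=([0-9A-F]+)")),
    ("user",         re.compile(r"user '([^']+)' (\d+\.\d+\.\d+\.\d+) groups")),
]


def summarize_ike_debug(text):
    """Map each milestone to its captured value (True if it carries none, None if absent).
    Searching the whole text also works on captures that were flattened onto one line."""
    summary = {}
    for name, pattern in MILESTONES:
        m = pattern.search(text)
        if m is None:
            summary[name] = None
        elif len(m.groups()) == 1:
            summary[name] = m.group(1)
        else:
            summary[name] = m.groups() or True
    return summary


def missing_milestones(summary):
    """Milestones never reached; the first entry is where a failed session stalled."""
    return [name for name, _ in MILESTONES if summary[name] is None]


def identity_matches_tunnel(summary):
    """The address logged with the SAML identity must be the mode-cfg assigned address."""
    return summary["user"] is not None and summary["user"][1] == summary["assigned_ip"]
```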