Technical Tip: FortiGate IKEv1 VPN Setup with StrongSwan on Linux
Description
This article describes how to configure an IKEv1 site-to-site VPN tunnel between a FortiGate and a StrongSwan VPN gateway on a Linux system.
Scope
FortiGate.
Solution
On Linux:
- Install StrongSwan:
sudo apt-get update
sudo apt-get install strongswan
- To allow Ubuntu to function as a router in this setup, kernel IP packet forwarding must be enabled:
nano /etc/sysctl.conf
Uncomment these 4 lines:
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
- Make sure the Strongswan service is enabled:
systemctl is-enabled strongswan-starter.service
- Configure StrongSwan:
sudo nano /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup
    charondebug = "all"
    # strictcrlpolicy=yes
    uniqueids = yes

# Add connections here.

# Sample VPN connections
conn strongswan-to-fortigate
    type=tunnel
    auto=start
    keyexchange=ikev1
    authby=secret
    left=172.16.24.133
    leftsubnet=10.1.0.0/16
    right=172.16.24.16
    rightsubnet=10.2.0.0/16
    # rightcert=peerCert.der
    # auto=start
    ike = aes256-sha256-modp2048
    esp = aes256-sha256
    aggressive = no
    keyingtries = %forever
    ikelifetime = 28800s
    lifetime = 3600s
    dpddelay = 20s
    dpdtimeout = 120s
    dpdaction = restart
- Edit the secrets file to configure the pre-shared key for authentication:
nano /etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
172.16.24.133 172.16.24.16 : PSK "fortinet"
- Restart StrongSwan:
sudo systemctl restart strongswan
Configure the IPsec VPN (IKEv1) on the FortiGate:
erbium-kvm56 # show vpn ipsec phase1-interface
config vpn ipsec phase1-interface
edit "FGT_to-strong"
set interface "port3"
set peertype any
set net-device disable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set dhgrp 14
set remote-gw 172.16.24.133
set psksecret ENC 8GbtvmwzU6TMIH8vyeYSf9pfF1NusGtY7sClP/iMQtvH74tu7NlfG/rL5URglviwSBLWehuOBoRKGRXHqBiXLmtXjXFpwQ23I/gwID8HEP2rQOxQ1WkI1l2YveB9PmWJJcU6k3pzvbnmFAfShnyTQyf3TxC+U2HDVsNVbEe8Bgi1Z26VUcZqhubBzhSsRALAnZGBUllmMjY3dkVA
next
end
erbium-kvm56 # show vpn ipsec phase2-interface
config vpn ipsec phase2-interface
edit "FGT_to-strong"
set phase1name "FGT_to-strong"
set proposal aes256-sha256
set pfs disable
set auto-negotiate enable
set src-subnet 10.2.0.0 255.255.0.0
set dst-subnet 10.1.0.0 255.255.0.0
next
end
Make sure a firewall policy is in place for the tunnel interface.
After that, the VPN will come up:
erbium-kvm56 # diagnose vpn ike gateway list
vd: root/0
name: FGT_to-strong
version: 1
interface: port3 5
addr: 172.16.24.16:500 -> 172.16.24.133:500
tun_id: 172.16.24.133/::172.16.24.133
remote_location: 0.0.0.0
network-id: 0
transport: UDP
created: 1422s ago
peer-id: 172.16.24.133
peer-id-auth: no
pending-queue: 0
IKE SA: created 1/2 established 1/1 time 10/10/10 ms
IPsec SA: created 1/2 established 1/1 time 10/10/10 ms
id/spi: 59 c5cfba11aa98e4fc/4a6449e7b7970a03
direction: responder
status: established 1400-1400s ago = 10ms
proposal: aes256-sha256
key: 1e033f2ce9730933-ce1d15199a7b5336-2f1023ed50db2467-b856267a19b7574c
QKD: no
lifetime/rekey: 28800/27129
DPD sent/recv: 00000000/7ca56d8a
peer-id: 172.16.24.133
Troubleshooting:
- Logs: Review StrongSwan logs in /var/log/syslog or /var/log/daemon.log for errors or connection issues.
- Firewall: Make sure both firewalls permit UDP traffic on ports 500 and 4500.
- Routing: Confirm that proper routing is configured on both VPN endpoints to allow traffic between networks.
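As an added sanity check (example code written for this tip, not Fortinet's or strongSwan's own tooling), the script below parses the conn section and the ipsec.secrets line from this article and verifies that the PSK selectors really name both gateway addresses (a one-digit typo in a selector means charon finds no matching secret and IKEv1 authentication fails), then derives the FortiGate phase1/phase2 settings that match the strongSwan ike/esp proposals. The sample inputs are constructed inline; the secrets line deliberately carries a typo so the check has something to catch.

```python
# Constructed sample input: the conn section from this article's ipsec.conf.
IPSEC_CONF = """\
conn strongswan-to-fortigate
    keyexchange=ikev1
    authby=secret
    left=172.16.24.133
    leftsubnet=10.1.0.0/16
    right=172.16.24.16
    rightsubnet=10.2.0.0/16
    ike = aes256-sha256-modp2048
    esp = aes256-sha256
"""
# Constructed: a secrets line whose first selector has a one-digit typo (17. instead of 172.).
IPSEC_SECRETS = '17.16.24.133 172.16.24.16 : PSK "fortinet"\n'

# strongSwan DH group names -> FortiGate "set dhgrp" numbers (IANA group numbers).
DH_GROUPS = {"modp1024": 2, "modp1536": 5, "modp2048": 14, "modp3072": 15, "modp4096": 16}


def parse_conn(text, name):
    """Return the key=value settings of one conn section; spaces around '=' are allowed."""
    settings, inside = {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith(("conn ", "config ")):
            inside = stripped.startswith("conn ") and stripped.split()[1] == name
        elif inside and "=" in stripped and not stripped.startswith("#"):
            key, value = stripped.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def secrets_selectors(text):
    """Return the ID selector list of every PSK entry in ipsec.secrets."""
    return [line.split(":", 1)[0].split() for line in text.splitlines() if ": PSK" in line]


def psk_selector_ok(conn, selectors):
    """True if some PSK entry applies to both gateways: empty selector, %any, or both addresses."""
    both = {conn["left"], conn["right"]}
    return any(not sel or "%any" in sel or both <= set(sel) for sel in selectors)


def fortigate_equivalent(conn):
    """Derive the FortiGate phase1/phase2 settings that match the ike/esp proposals."""
    enc, integ, dh = conn["ike"].split("-")  # e.g. aes256-sha256-modp2048
    esp = conn["esp"].split("-")             # a third element would request PFS
    return {"phase1_proposal": f"{enc}-{integ}", "dhgrp": DH_GROUPS[dh],
            "phase2_proposal": f"{esp[0]}-{esp[1]}", "pfs": "enable" if len(esp) > 2 else "disable"}


if __name__ == "__main__":
    conn = parse_conn(IPSEC_CONF, "strongswan-to-fortigate")
    print("PSK selectors cover both gateways:", psk_selector_ok(conn, secrets_selectors(IPSEC_SECRETS)))
    print("FortiGate side should use:", fortigate_equivalent(conn))
```

Run it against the real /etc/ipsec.conf and /etc/ipsec.secrets by reading those files into the two constants; the derived settings should match the proposal, dhgrp and pfs lines shown in the FortiGate configuration above.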
Related articles:
Technical Tip: IPsec connection between FortiGate and Ubuntu via Dialup