Technical Tip: How to configure and troubleshoot a IPsec client to site VPN using an opensource client

Here is a sample of a standard configuration on the FortiGate :

config vpn ipsec phase1-interface
    edit "strongSwan"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set ipv4-start-ip 10.10.10.10
        set ipv4-end-ip 10.10.10.100
        set ipv4-netmask 255.255.255.0
        set ipv4-split-include "strongSwan_split"
        set proposal aes256-sha256
        set psksecret "YourPresharedKeyHere"
    next
end

config vpn ipsec phase2-interface
    edit "strongSwan"
        set phase1name "strongSwan"
        set src-subnet 10.10.10.0 255.255.255.0
        set dst-subnet 192.168.2.0 255.255.255.0
        set proposal aes256-sha256
        set auto-negotiate enable
    next
end

config firewall address
    edit "strongSwan_split"
        set subnet 192.168.2.0 255.255.255.0
    next
end

config firewall policy
    edit 0
        set name "VPN_to_LAN"
        set srcintf "strongSwan"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
end

Install StrongSwan:

sudo apt update
sudo apt install strongswan

Configure the StrongSwan client (Linux)

Here is a sample of a standard configuration of the Linux IPsec client:

/etc/ipsec.conf

config setup
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2"

conn fortigate-vpn
    keyexchange=ikev2
    auto=start
    type=tunnel
    ikelifetime=28800s
    lifetime=3600s
    dpdaction=restart
    dpddelay=30s
    dpdtimeout=120s

    authby=secret
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!

    leftsourceip=%config
    leftauth=psk
    leftsubnet=10.10.10.0/24
    right=YourFortiGatePublicIP
    rightsubnet=192.168.2.0/24
    rightauth=psk

/etc/ipsec.secrets

: PSK "YourPresharedKeyHere"

Diagnosis could be performed on both sides.

Linux side.

Ensure the tunnel is up:

sudo ipsec statusall

Check routing:

ip route

Verify that traffic is routed over IPsec.

On FortiGate, ensure Phase 2 proxy IDs are installed:

diagnose vpn tunnel list name strongSwan

Expected:

proxyid_num=1
  local: 10.10.10.0/255.255.255.0
  remote: 192.168.2.0/255.255.255.0

Use debug flow to confirm packet path:

diagnose debug reset
diagnose debug flow filter addr 10.10.10.10
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug console timestamp enable
diagnose debug enable
diagnose debug flow trace start 20

Then, a ping from the client:

ping 192.168.2.1

Expected: Allowed by Policy and return traffic via the VPN.

Diagnose missing routes or dropped responses on Linux:

Use tcpdump to check if replies are arriving:

sudo tcpdump -i any icmp

Check Linux firewall (for example, ufw, iptables) is not dropping responses.

Conclusion.

This article describes how to configure a remote user IPsec VPN tunnel using IKEv2 between a FortiGate firewall and a Linux client running StrongSwan. It covers both configuration steps and troubleshooting techniques to ensure successful connectivity and traffic flow. Ensure Phase 2 selectors are defined, NAT is disabled, routes are clean, IPsec policies are installed, and firewall policies allow traffic from the VPN to internal networks.