aamin
Staff
March 19, 2022

Technical Tip: IPsec connection between FortiGate and Ubuntu via dial-up

Description

This article describes how to connect an Ubuntu PC to a FortiGate via an IPsec dial-up connection.

Scope

FortiClient for Linux does not support dial-up IPsec on its own: it connects to an IPsec VPN only when it is registered to EMS. Otherwise, FortiClient cannot connect to the IPsec VPN tunnel, especially on v7.4.0: Configuring an IPsec VPN connection.

In this case, the IPsec connection can be configured using the strongSwan package on Linux.

The reference configuration below was done on Ubuntu 22.04.

Solution

Configuration on FortiGate:

To configure the VPN on FortiGate, go to VPN -> IPsec Wizard -> Template Type: Remote Access -> Remote Device Type: Client-Based -> FortiClient or Cisco (either option can be selected for this setup).

Select the incoming interface, the pre-shared key, and the user group.

Select the appropriate LAN interface, subnet, and IP range for the VPN (the address pool from which dial-up clients receive their virtual IP).

To enable split tunnel, so that only traffic for the selected local subnets is sent through the VPN, tick the split tunnel option in the wizard.

IKEv1 aggressive/main mode with XAuth and IKEv2 with EAP can both be used; the Linux configuration and the FortiGate tunnel settings need to be adjusted to match each other and the network requirements. For that, select 'Convert To Custom Tunnel' on the created tunnel and proceed with the adjustments. Mode (main/aggressive), phase 1 and phase 2 proposals and DH groups must be identical on both ends, otherwise negotiation fails.

Because FortiClient Linux does not support IPsec dial-up connections at the moment, the open-source IPsec package 'strongswan' is installed on Ubuntu and used to connect to the VPN.

Configuration on Ubuntu 22.04:

Install strongSwan on Ubuntu using the apt package manager:

sudo apt install strongswan

Also install the package below, which provides the charon-systemd daemon and the strongswan.service unit:

sudo apt install charon-systemd

To let the kernel forward packets, edit /etc/sysctl.conf (sudo nano /etc/sysctl.conf) and uncomment the lines below. Forwarding is only needed if the Ubuntu host routes traffic for other devices; a single road-warrior client can leave net.ipv4.ip_forward at 0, which keeps its attack surface smaller. Leaving ICMP redirects disabled is good hygiene either way.

net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

Apply the change without rebooting with: sudo sysctl -p

To check the status of the strongSwan service, run the command below:

sudo systemctl status strongswan.service

Output similar to the below appears if the daemon is running (the strongSwan and kernel version strings depend on the installed release):

strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using swanctl
Loaded: loaded (/lib/systemd/system/strongswan.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2022-03-19 08:19:10 CET; 46s ago
Process: 6903 ExecStartPost=/usr/sbin/swanctl --load-all --noprompt (code=exited, status=0/SUCCESS)
Main PID: 6886 (charon-systemd)
Status: "charon-systemd running, strongSwan 5.8.2, Linux 5.4.0-104-generic, x86_64"
Tasks: 17 (limit: 2268)
Memory: 2.5M
CGroup: /system.slice/strongswan.service
└─6886 /usr/sbin/charon-systemd

Mar 19 08:19:10 xenon-kvm33 charon-systemd[6886]: loaded IKE secret for 10.5.21.252
Mar 19 08:19:10 xenon-kvm33 charon-systemd[6886]: loaded EAP secret for ubuntu_VPN
Mar 19 08:19:10 xenon-kvm33 charon-systemd[6886]: loaded plugins: charon-systemd aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 p>
Mar 19 08:19:10 xenon-kvm33 charon-systemd[6886]: dropped capabilities, running as uid 0, gid 0
Mar 19 08:19:10 xenon-kvm33 charon-systemd[6886]: spawning 16 worker threads
Mar 19 08:19:10 xenon-kvm33 swanctl[6903]: no files found matching '/etc/swanctl/conf.d/*.conf'
Mar 19 08:19:10 xenon-kvm33 swanctl[6903]: no authorities found, 0 unloaded
Mar 19 08:19:10 xenon-kvm33 swanctl[6903]: no pools found, 0 unloaded
Mar 19 08:19:10 xenon-kvm33 swanctl[6903]: no connections found, 0 unloaded
Mar 19 08:19:10 xenon-kvm33 systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.

The swanctl messages 'no connections found' and 'no pools found' are expected here: the tunnel in this article is defined in /etc/ipsec.conf and /etc/ipsec.secrets, which are read through the legacy 'ipsec' (stroke) interface rather than from /etc/swanctl/conf.d/. The two 'loaded ... secret' lines appear once /etc/ipsec.secrets has been populated as described below.

strongSwan's legacy configuration lives in two files: /etc/ipsec.conf (connection definitions) and /etc/ipsec.secrets (pre-shared keys and XAuth credentials). Both are read by the 'ipsec' command used below; the newer swanctl interface uses /etc/swanctl/swanctl.conf instead and is not used in this article.

In this example, the following settings are used (sample values; replace the pre-shared key and the password with strong values of your own):

FortiGate gateway (WAN) IP: 10.5.21.252

Tunnel type: IKEv1 main mode

FortiGate LAN subnet: 10.140.0.0/20

Authentication type: pre-shared key and XAuth

Pre-shared key: abcd1234

XAuth username: ubuntu_VPN

XAuth password: ubuntu

The first file to edit is /etc/ipsec.conf (for example with sudo vi /etc/ipsec.conf). Add the connection below:

conn "FGT"
    keyexchange=ikev1
    ikelifetime=1440m
    keylife=60m
    aggressive=no <----- Main mode; set to yes for aggressive mode.
    ike=aes256-sha256-modp1024 <----- Phase 1 proposal; must match the FortiGate phase 1 proposal and DH group.
    esp=aes256-sha256-modp1024 <----- Phase 2 proposal; the DH group here enables PFS and must match the FortiGate phase 2 PFS setting.
    xauth=client
    left=%defaultroute
    leftsourceip=%config <----- Request a virtual IP from the FortiGate address pool (mode config).
    leftauth=psk
    rightauth=psk
    leftauth2=xauth
    right=10.5.21.252 <----- FortiGate WAN IP.
    rightid=10.5.21.252 <----- Specify the private WAN IP as rightid (peer ID) when the FortiGate is behind NAT.
    rightsubnet=0.0.0.0/0 <----- Remote subnets. In this example the resulting traffic selector was narrowed to the FortiGate split-tunnel subnet (see the CHILD_SA line in the output below); to restrict it on the client side as well, set rightsubnet=10.140.0.0/20.
    xauth_identity=ubuntu_VPN <----- VPN username (no space around '=').
    auto=add

modp1024 (DH group 2) is used in this example; it is considered too weak for new deployments, so prefer modp2048 (DH group 14) or stronger in the ike= and esp= lines and set the same group on the FortiGate phase 1 and phase 2.

The lines after conn "FGT" must be indented, otherwise the connection is not recognised and 'ipsec up FGT' fails with the error 'no config named 'FGT''.

Another option is to set 'auto=start', which brings the tunnel up automatically whenever the strongSwan service starts, including after a reboot of the Ubuntu client.

The second file to edit is /etc/ipsec.secrets, with the two lines below. The file holds cleartext credentials, so keep it owned by root with mode 600.

10.5.21.252 : PSK "abcd1234"
ubuntu_VPN : XAUTH "ubuntu"

Once completed, restart the strongSwan service and reload the configuration with the following commands (as root):

sudo systemctl restart strongswan

sudo ipsec update

sudo ipsec reload

After later edits to the two files, 'sudo ipsec reload' (connections) and 'sudo ipsec rereadsecrets' (secrets) are enough; a full service restart tears down any established tunnel.

To connect the tunnel, run the following command as root:

sudo ipsec up FGT

Here 'FGT' is the tunnel name configured in /etc/ipsec.conf (the quotes around the name in the file are not part of the name).
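The whole client-side procedure above (write /etc/ipsec.conf and /etc/ipsec.secrets, lock down the secrets file, catch the unindented-conn mistake and a lingering modp1024 proposal, then reload the daemon and connect) as one shell script. This is an added example, not code from the original article or from the strongSwan project: the variable defaults are the article's sample values, CONF_DIR defaults to /etc but can be pointed at a scratch directory to check the rendered files without touching the system, and the DH group is switched to modp2048, which then also has to be set on the FortiGate phase 1 and phase 2 proposals.

```shell
#!/bin/sh
# Added example (not from the original article): render the legacy strongSwan
# files for the FortiGate dial-up tunnel described above, lock down the secrets,
# sanity-check the result and (with "apply") reload the daemon and connect.
# Assumptions: stroke-style /etc/ipsec.conf + /etc/ipsec.secrets layout, the
# article's sample values as defaults, modp2048 (DH group 14) instead of the
# article's modp1024 (configure the same group on the FortiGate proposals).

CONF_DIR="${CONF_DIR:-/etc}"          # override to a scratch dir for a dry run
CONN_NAME="${CONN_NAME:-FGT}"
GATEWAY="${GATEWAY:-10.5.21.252}"     # FortiGate WAN IP (also used as rightid)
REMOTE_SUBNET="${REMOTE_SUBNET:-10.140.0.0/20}"
XAUTH_USER="${XAUTH_USER:-ubuntu_VPN}"
PSK="${PSK:-abcd1234}"                # sample value from the article: replace it
XAUTH_PASS="${XAUTH_PASS:-ubuntu}"    # sample value from the article: replace it
DH_GROUP="${DH_GROUP:-modp2048}"

# Print the conn block. Every line after the "conn" header is indented; an
# unindented line makes starter report "no config named 'FGT'".
render_ipsec_conf() {
    cat <<EOF
conn $CONN_NAME
    keyexchange=ikev1
    aggressive=no
    ikelifetime=1440m
    keylife=60m
    ike=aes256-sha256-$DH_GROUP
    esp=aes256-sha256-$DH_GROUP
    xauth=client
    left=%defaultroute
    leftsourceip=%config
    leftauth=psk
    rightauth=psk
    leftauth2=xauth
    xauth_identity=$XAUTH_USER
    right=$GATEWAY
    rightid=$GATEWAY
    rightsubnet=$REMOTE_SUBNET
    auto=add
EOF
}

# Print the two secrets lines: PSK keyed by the gateway, XAUTH keyed by the user.
render_ipsec_secrets() {
    printf '%s : PSK "%s"\n' "$GATEWAY" "$PSK"
    printf '%s : XAUTH "%s"\n' "$XAUTH_USER" "$XAUTH_PASS"
}

# check_conf FILE: exit non-zero (and print why) if a conn body line is not
# indented or a modp1024 (DH group 2) proposal is still present.
check_conf() {
    awk '
        /^conn /                  { inconn = 1; next }
        /^config /                { inconn = 0; next }
        /^[[:space:]]*$/          { next }
        inconn && !/^[[:space:]]/ { print "unindented line in conn block: " $0; bad = 1 }
        /modp1024/                { print "weak DH group on: " $0; bad = 1 }
        END                       { exit bad }
    ' "$1"
}

# write_config: write both files with a restrictive umask, then make ipsec.conf
# world-readable again (ipsec.secrets stays 0600, root only) and validate it.
write_config() {
    ( umask 077
      render_ipsec_conf    > "$CONF_DIR/ipsec.conf"
      render_ipsec_secrets > "$CONF_DIR/ipsec.secrets" ) || return 1
    chmod 644 "$CONF_DIR/ipsec.conf"
    check_conf "$CONF_DIR/ipsec.conf"
}

# Run as root with the service already running:  sh this_script.sh apply
if [ "${1:-}" = "apply" ]; then
    write_config || exit 1
    ipsec reload && ipsec rereadsecrets && ipsec up "$CONN_NAME"
fi
```

A dry run is CONF_DIR=/tmp/swan sh this_script.sh followed by write_config from an interactive shell that has sourced the file; the validation step is deliberately strict so that a copy-pasted conn block with lost indentation is caught before the daemon is asked to load it.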

 

Bringing up the tunnel will show the below information.

 

ipsec up FGT
initiating Main Mode IKE_SA FGT[1] to 10.5.21.252
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 10.5.21.133[500] to 10.5.21.252[500] (252 bytes)
received packet: from 10.5.21.252[500] to 10.5.21.133[500] (204 bytes)
parsed ID_PROT response 0 [ SA V V V V V V ]
received NAT-T (RFC 3947) vendor ID
received DPD vendor ID
received XAuth vendor ID
received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00
received FRAGMENTATION vendor ID
received FRAGMENTATION vendor ID
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 10.5.21.133[500] to 10.5.21.252[500] (268 bytes)
received packet: from 10.5.21.252[500] to 10.5.21.133[500] (252 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 10.5.21.133[500] to 10.5.21.252[500] (108 bytes)
received packet: from 10.5.21.252[500] to 10.5.21.133[500] (92 bytes)
queueing TRANSACTION request as tasks still active
received packet: from 10.5.21.252[500] to 10.5.21.133[500] (92 bytes)
parsed ID_PROT response 0 [ ID HASH ]
parsed TRANSACTION request 3840560674 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
generating TRANSACTION response 3840560674 [ HASH CPRP(X_USER X_PWD) ]
sending packet: from 10.5.21.133[500] to 10.5.21.252[500] (108 bytes)
received packet: from 10.5.21.252[500] to 10.5.21.133[500] (92 bytes)
parsed TRANSACTION request 21457498 [ HASH CPS(X_STATUS) ]
XAuth authentication of 'ubuntu_VPN' (myself) successful
IKE_SA FGT[1] established between 10.5.21.133[10.5.21.133]...10.5.21.252[10.5.21.252]
scheduling reauthentication in 85803s
maximum IKE_SA lifetime 86343s
generating TRANSACTION response 21457498 [ HASH CPA(X_STATUS) ]
sending packet: from 10.5.21.133[500] to 10.5.21.252[500] (92 bytes)
generating TRANSACTION request 2585688889 [ HASH CPRQ(ADDR DNS) ]
sending packet: from 10.5.21.133[500] to 10.5.21.252[500] (92 bytes)
received packet: from 10.5.21.252[500] to 10.5.21.133[500] (108 bytes)
parsed TRANSACTION response 2585688889 [ HASH CPRP(ADDR DNS DNS) ]
installing DNS server 10.5.31.253 to /etc/resolv.conf
installing DNS server 96.45.46.46 to /etc/resolv.conf
installing new virtual IP 192.168.50.10
generating QUICK_MODE request 3030603905 [ HASH SA No ID ID ]
sending packet: from 10.5.21.133[500] to 10.5.21.252[500] (220 bytes)
received packet: from 10.5.21.252[500] to 10.5.21.133[500] (172 bytes)
parsed QUICK_MODE response 3030603905 [ HASH SA No ID ID ]
selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
CHILD_SA FGT{1} established with SPIs c72cb7eb_i 32618946_o and TS 192.168.50.10/32 === 10.140.0.0/20
generating QUICK_MODE request 3030603905 [ HASH ]
connection 'FGT' established successfully

 

Here the Ubuntu PC has received an IP address of 192.168.50.10 from the range defined on FortiGate.

 

It is possible to check the tunnel status using the command below:

 

sudo ipsec status
Security Associations (1 up, 0 connecting):
FGT[1]: ESTABLISHED 10 minutes ago, 10.5.21.133[10.5.21.133]...10.5.21.252[10.5.21.252]
FGT{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c72cb7eb_i 32618946_o
FGT{1}: 192.168.50.10/32 === 10.140.0.0/20
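A small check that turns the status output above into a go/no-go answer, usable from a login script or a monitoring job: it parses 'ipsec status' text, requires both an ESTABLISHED IKE_SA and an INSTALLED CHILD_SA for the named connection, and prints the negotiated traffic selectors. This is an added example, not part of the original article. The sample text it is exercised against is the article's own 'ipsec status' output copied verbatim; the function names are this example's, and the polling helper assumes the 'ipsec' command from the strongswan package is on the PATH.

```shell
#!/bin/sh
# Added example (not from the original article): decide from `ipsec status`
# output whether tunnel NAME is usable. Both conditions must hold:
#   1. an IKE_SA line   "NAME[n]: ESTABLISHED ..."
#   2. a CHILD_SA line  "NAME{n}: INSTALLED, ..." plus its selector line
#      "NAME{n}: <local_ts> === <remote_ts>"
# Prints "UP <local_ts> <remote_ts>" and exits 0, or "DOWN" and exits 1.

# tunnel_state NAME   (status text on stdin; NAME is used as a regex fragment,
# so keep to plain names like the article's "FGT")
tunnel_state() {
    awk -v name="$1" '
        BEGIN {
            # "\\[" in the awk string is \[ in the dynamic regex: a literal bracket;
            # braces are wrapped in bracket expressions for the same reason.
            ike   = "^" name "\\[[0-9]+\\]:$"
            child = "^" name "[{][0-9]+[}]:$"
        }
        $1 ~ ike   && $2 == "ESTABLISHED" { established = 1 }
        $1 ~ child && $2 == "INSTALLED,"  { installed = 1 }
        $1 ~ child && $3 == "==="         { lts = $2; rts = $4 }
        END {
            if (established && installed && rts != "") {
                print "UP " lts " " rts
                exit 0
            }
            print "DOWN"
            exit 1
        }'
}

# wait_for_tunnel NAME [SECONDS]: poll the live daemon (needs the strongswan
# `ipsec` command) until tunnel_state reports UP, or give up after SECONDS.
wait_for_tunnel() {
    tries="${2:-30}"
    while [ "$tries" -gt 0 ]; do
        if state=$(ipsec status | tunnel_state "$1"); then
            echo "$state"
            return 0
        fi
        sleep 1
        tries=$((tries - 1))
    done
    return 1
}

# sample_status: the article's `ipsec status` output, embedded so the parser
# can be exercised without a running daemon.
sample_status() {
    cat <<'EOF'
Security Associations (1 up, 0 connecting):
         FGT[1]: ESTABLISHED 10 minutes ago, 10.5.21.133[10.5.21.133]...10.5.21.252[10.5.21.252]
         FGT{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c72cb7eb_i 32618946_o
         FGT{1}: 192.168.50.10/32 === 10.140.0.0/20
EOF
}

# Stand-alone demo against the embedded sample:  sh tunnel_check.sh demo
if [ "${1:-}" = "demo" ]; then
    sample_status | tunnel_state FGT
fi
```

Against the live daemon the call is ipsec status | tunnel_state FGT, or wait_for_tunnel FGT 20 right after ipsec up FGT; an IKE_SA that is ESTABLISHED but has no installed CHILD_SA (for example after a phase 2 proposal mismatch) is reported as DOWN, which is the case a plain grep for ESTABLISHED would miss.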

 

Testing connectivity using a ping from the Ubuntu CLI:

 

ping 10.140.5.252
PING 10.140.5.252 (10.140.5.252) 56(84) bytes of data.
64 bytes from 10.140.5.252: icmp_seq=1 ttl=255 time=0.839 ms
64 bytes from 10.140.5.252: icmp_seq=2 ttl=255 time=0.432 ms
64 bytes from 10.140.5.252: icmp_seq=3 ttl=255 time=0.493 ms

 


 

To bring down the tunnel, use the command below (as root, like the other ipsec commands):

sudo ipsec down FGT

 

To see more options for ipsec.conf and ipsec.secrets refer to the man pages in Ubuntu.

 

man ipsec.conf

man ipsec.secrets

 

To review the XAuth user identity (the xauth_identity value) and the rest of the tunnel parameters, open the connection file:

sudo vi /etc/ipsec.conf

 

Note:

For issues related to strongSwan installation and configuration, or any other strongSwan issue, post them in the strongSwan or Ubuntu forums.

If the Linux environment is Fedora, note that the 'ipsec' command is replaced with the command 'strongswan' (for example 'strongswan up FGT').

For more information on strongSwan, see the strongSwan Documentation.