Palamar
New Member
October 4, 2017
Question

fortiwifi 80c connect to strongswan server


Hi,

I need to connect to a strongSwan server from my FortiGate.

Help me please. It did not work in the CLI.

my ipsec.conf:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup
    # strictcrlpolicy=yes
    uniqueids = yes

include /var/lib/strongswan/ipsec.conf.inc

conn %default
    dpdaction=clear
    dpddelay=35s
    dpdtimeout=300s
    fragmentation=yes
    rekey=no
    ike=aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
    esp=aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,aes128-aes256-sha1-sha256,aes128-sha1,3des-sha1!
    # left - local (server) side
    left=%any
    leftauth=pubkey
    leftcert=194.87.147.234.crt
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    # right - remote (client) side
    right=%any
    rightauth=pubkey
    rightsourceip=192.168.103.0/24
    rightdns=8.8.8.8

conn ikev2-pubkey
    keyexchange=ikev2
    auto=add

conn ikev2-pubkey-osx
    also="ikev2-pubkey"
    leftid=194.87.147.234

conn ikev1-fakexauth
    keyexchange=ikev1
    rightauth2=xauth-noauth
    auto=add

conn ikev2-eap-tls
    also="ikev2-pubkey"
    rightauth=eap-tls
    eap_identity=%identity

    1 reply

    Palamar (Author)
    New Member
    October 5, 2017

    I want traffic from my local network to be redirected through the strongSwan VPN.

    emnoc
    New Member
    October 5, 2017

    Okay, do a search, but numerous examples exist for strongSwan/openswan.

    http://socpuppet.blogspot.com/2015/07/openswan-cmds-you-should-get-use-to.html

    https://forum.fortinet.com/tm.aspx?m=152615

    Your config does not look too bad, but here are some quick suggestions:

    1: I would drop all of those enc-algos and just pick one, e.g.

    ( example of a basic ipsec.conf )

        rightauth=pubkey-sha1
        ike=aes128-sha1-modp1024    ( aes128 enc-algo, sha1 auth-algo, DiffieHellMan group1 )
        esp=aes128-sha1-modp1024
        keyingtries=%forever
        leftsubnet=10.10.10.0/24
        rightsubnet=10.10.11.0/24

    2: define the left/right subnets with anything that's not 0.0.0.0/0:0. If your goal is to send ALL traffic thru the tunnel, then you can change that later, but on the FGT and strongSwan-linux, just set a src/dst subnet for the encrypted data.

    3: ensure the IPsec key is correct in your ipsec.secrets key file, and don't use a certificate for the 1st trial run ( and yes, certificates do work, and work very well between FGT and strongSwan ) :)

    ken
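    As an added example (not from this thread or from either vendor's documentation), here is how the three suggestions above map onto both ends of a PSK site-to-site tunnel: a single matching proposal, explicit left/right subnets, and a pre-shared key before any certificates. The strongSwan public IP 93.95.97.67 and the 10.10.10.0/24 and 10.10.11.0/24 subnets come from the thread; `FGT_PUBLIC_IP`, the `wan1` interface name and the secret are placeholders.

    ```conf
    # --- strongSwan side: /etc/ipsec.conf (10.10.10.0/24 behind 93.95.97.67) ---
    config setup
        uniqueids = yes

    conn fortigate
        keyexchange=ikev2
        # one proposal per side; the FortiGate phase1/phase2 below must match it exactly
        # (aes128 enc, sha1 integrity, DH group 2 = modp1024); "!" makes it strict
        ike=aes128-sha1-modp1024!
        esp=aes128-sha1-modp1024!
        left=93.95.97.67
        leftid=93.95.97.67
        leftsubnet=10.10.10.0/24
        # placeholder: the FortiGate WAN address
        right=FGT_PUBLIC_IP
        rightid=FGT_PUBLIC_IP
        rightsubnet=10.10.11.0/24
        authby=secret
        keyingtries=%forever
        dpdaction=restart
        auto=start

    # --- strongSwan side: /etc/ipsec.secrets (owned by root, mode 0600) ---
    93.95.97.67 FGT_PUBLIC_IP : PSK "REPLACE_WITH_LONG_RANDOM_SECRET"

    # --- FortiGate side (FortiOS CLI; 10.10.11.0/24 behind wan1) ---
    config vpn ipsec phase1-interface
        edit "to-strongswan"
            set interface "wan1"
            set ike-version 2
            set remote-gw 93.95.97.67
            set peertype any
            set proposal aes128-sha1
            set dhgrp 2
            set dpd on-idle
            set psksecret "REPLACE_WITH_LONG_RANDOM_SECRET"
        next
    end
    config vpn ipsec phase2-interface
        edit "to-strongswan-p2"
            set phase1name "to-strongswan"
            set proposal aes128-sha1
            set dhgrp 2
            set src-subnet 10.10.11.0 255.255.255.0
            set dst-subnet 10.10.10.0 255.255.255.0
            set auto-negotiate enable
        next
    end
    ```

    The FortiGate still needs a static route for 10.10.10.0/24 via the "to-strongswan" tunnel interface and firewall policies in both directions before traffic flows; once the tunnel is up, modp2048 / dhgrp 14 and sha256 are a drop-in replacement for the weaker group and hash used here for the first trial.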


    Palamar (Author)
    New Member
    October 6, 2017

    On the strongSwan side there is only the public address (93.95.97.67); how do I configure the FortiGate?