refrainblue
New Member
October 9, 2025
Question

Strongswan with /etc/swanctl.conf settings

  • October 9, 2025
  • 3 replies
  • 3003 views

Hello, I couldn't find any examples on the forums of Debian Linux strongSwan using swanctl.conf; the only examples I've found are for ipsec.conf.

Here is what I know we are using:

1. FortiClient VPN -> IPsec VPN

2. Pre-Shared Key

3. XAuth

(Two screenshots attached: Screenshot from 2025-10-08 21-41-45.png, Screenshot from 2025-10-08 21-40-31.png)

Here is my non-working strongSwan swanctl.conf:

connections {
    thecompanyvpn {
        remote_addrs = sa.company.com
        version = 1
        aggressive = yes
        proposals = aes256-sha256-modp1536
        local {
            auth = psk
            id = "Tunnel-A"
        }
        remote {
            auth = psk
        }
        local-xauth {
            auth = xauth
            eap_id = worker1
        }
        children {
            child_1 {
                start_action = start
                esp_proposals = aes256-sha256-modp1536
            }
        }
    }
}

secrets {
    ike-company {
        secret = "our preshared key"
    }
    eap-employee {
        id = worker1
        secret = "my secret password"
    }
}

These are the logs:

Oct 08 21:22:04 nova charon-systemd[116776]: parsed TRANSACTION request 853593004 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
Oct 08 21:22:04 nova charon-systemd[116776]: no XAuth password found for 'Tunnel-A' - '12.27.149.2'
Oct 08 21:22:04 nova charon-systemd[116776]: generating TRANSACTION response 853593004 [ HASH CP ]
Oct 08 21:22:04 nova charon-systemd[116776]: sending packet: from 192.168.5.110[4500] to 12.27.149.2[4500] (76 bytes)
Oct 08 21:22:24 nova charon-systemd[116776]: sending keep alive to 15.27.149.2[4500]
Oct 08 21:22:34 nova charon-systemd[116776]: peer did not initiate expected exchange, reestablishing IKE_SA
Oct 08 21:22:34 nova charon-systemd[116776]: reinitiating IKE_SA thecompanyvpn[1]
Oct 08 21:22:34 nova charon-systemd[116776]: initiating Aggressive Mode IKE_SA thecompanyvpn[1] to 15.27.149.2
Oct 08 21:22:34 nova charon-systemd[116776]: generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
Oct 08 21:22:34 nova charon-systemd[116776]: sending packet: from 192.168.5.110[4500] to 15.27.149.2[4500] (428 bytes)

I would really appreciate some help fixing my configuration so that I can connect to the VPN. Thanks to anyone reading out there!

3 replies

Stephen_G
Moderator
October 12, 2025

Hi refrainblue,

Thanks for using our forum! We'll try to get you an answer as soon as we can.

If anybody seeing this has any ideas, feel free to contribute!

Stephen_G - Fortinet Community Team
Stephen_G
Moderator
October 15, 2025

Hi refrainblue,

We're still trying to get you an answer or help. We'll respond to your post as soon as we have one.

Thanks,

Stephen_G - Fortinet Community Team
xshkurti
Staff
October 16, 2025

@refrainblue 

It seems like XAuth is not working in your case.

The error message states that no XAuth password was found for Tunnel-A: "no XAuth password found for 'Tunnel-A' - '12.27.149.2'"

This means that the XAuth secret is not defined. You have to define the XAuth secret in order for that step to complete.

In this case it seems like you have mixed XAuth with EAP.
I would suggest you try the config below:

connections {
    thecompanyvpn {
        remote_addrs = sa.company.com
        version = 1
        aggressive = yes

        proposals = aes128-sha1-modp1536, aes256-sha256-modp1536

        local {
            auth = psk
            id = "Tunnel-A"
        }
        remote {
            auth = psk
        }
        children {
            child_1 {
                start_action = start
                esp_proposals = aes128-sha1, aes256-sha256
            }
        }
    }
}

secrets {
    ike-company {
        secret = "our preshared key"
    }

    xauth-worker1 {
        # This 'id' must match the username sent by FortiClient ('worker1' in your old config)
        id = worker1
        secret = "my secret password"
    }
}

The 'local-xauth' block is NOT needed for XAuth to work because strongSwan will automatically handle the XAuth request once the IKE SA is up.
Also DH Group 5 (PFS) in the child section is removed because it is handled implicitly for IKEv1.

Try this, or at least change the secrets section from eap to xauth for this to work.
To help others with the same issue, please mark this as the solution if it was helpful.

Regards
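The mix-up discussed in this thread (an `eap_id` key and an `eap-` secret used with an `auth = xauth` round, and the resulting "no XAuth password found for 'Tunnel-A'" log line) is easy to catch mechanically. The script below is an added example, not strongSwan code and not either poster's configuration: it parses swanctl.conf syntax and, for every `local*` round with `auth = xauth`, checks that the XAuth username has a matching `id` in the `secrets` section. The username key documented for such a round in the strongSwan swanctl.conf reference is `xauth_id`; the fallback to the IKE identity (`local.id`) when it is absent is inferred from the log line quoted above, not from the documentation, and is marked as such in the code. Both `xauth-` and `eap-` prefixed secret sections are accepted as candidates, so only the identity mismatch is flagged. The embedded configuration is constructed from the one posted, with placeholder secrets; `FIXED_CONF` is the same connection with `xauth_id` in place of `eap_id`.

```python
"""Lint swanctl.conf XAuth rounds against the secrets section (added example, not strongSwan code)."""

def _tokenize(text):
    """Yield '{', '}' or one statement ('name' or 'key = value'), honouring quotes and # comments."""
    buf, in_quote, in_comment = [], False, False
    for ch in text + "\n":  # the extra newline flushes the final statement
        if in_comment and ch != "\n":
            continue
        in_comment = False
        if ch == '"':
            in_quote = not in_quote
            buf.append(ch)
        elif not in_quote and ch == "#":
            in_comment = True
        elif not in_quote and ch in "{}\n":
            stmt = "".join(buf).strip()
            if stmt:
                yield stmt
            buf = []
            if ch != "\n":
                yield ch
        else:
            buf.append(ch)

def parse_swanctl(text):
    """Parse strongswan.conf-style syntax into nested dicts; values lose surrounding quotes."""
    root, pending = {}, None  # pending: section name waiting for its opening brace
    stack = [root]
    for tok in _tokenize(text):
        if tok == "{":
            if pending is None:
                raise ValueError("'{' without a preceding section name")
            stack.append(stack[-1].setdefault(pending, {}))
            pending = None
        elif tok == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif "=" in tok:
            key, _, value = tok.partition("=")
            stack[-1][key.strip()] = value.strip().strip('"')
        else:
            pending = tok
    if len(stack) != 1:
        raise ValueError("unterminated section")
    return root

def lint_xauth(conf):
    """Return one finding per problem in local rounds that use auth = xauth."""
    findings = []
    # Candidate XAuth credentials: the id of every xauth-* or eap-* secret section.
    secret_ids = {name: sec.get("id") for name, sec in conf.get("secrets", {}).items()
                  if isinstance(sec, dict) and name.startswith(("xauth", "eap"))}
    for cname, conn in conf.get("connections", {}).items():
        ike_id = conn.get("local", {}).get("id")
        for rname, rnd in conn.items():
            if not (isinstance(rnd, dict) and rname.startswith("local") and rnd.get("auth") == "xauth"):
                continue
            where = f"{cname}.{rname}"
            if "eap_id" in rnd and "xauth_id" not in rnd:
                findings.append(f"{where}: eap_id is set in an auth = xauth round; the XAuth username key is xauth_id")
            # Fallback to the IKE identity when xauth_id is absent: inferred from the thread's
            # "no XAuth password found for 'Tunnel-A'" log line, not taken from the documentation.
            source = "xauth_id" if "xauth_id" in rnd else "local.id"
            username = rnd.get("xauth_id", ike_id)
            if username not in secret_ids.values():
                known = ", ".join(sorted(str(s) for s in secret_ids.values())) or "none"
                findings.append(f"{where}: XAuth username '{username}' (from {source}) matches no "
                                f"xauth-/eap- secret id (defined ids: {known})")
    return findings

# Constructed from the configuration posted in this thread; secrets are placeholders.
THREAD_CONF = """\
connections {
    thecompanyvpn {
        version = 1
        local {
            auth = psk
            id = "Tunnel-A"
        }
        local-xauth {
            auth = xauth
            eap_id = worker1   # eap_id belongs to EAP rounds; XAuth rounds read xauth_id
        }
    }
}
secrets {
    ike-company {
        secret = "PLACEHOLDER-PSK"
    }
    eap-employee {
        id = worker1
        secret = "PLACEHOLDER-PASSWORD"
    }
}
"""
FIXED_CONF = THREAD_CONF.replace("eap_id = worker1", "xauth_id = worker1")

if __name__ == "__main__":
    for finding in lint_xauth(parse_swanctl(THREAD_CONF)) or ["no findings"]:
        print(finding)
```

Run as a script it reports two findings for the posted layout: the `eap_id` key in an XAuth round, and the username `Tunnel-A` (taken from `local.id`) having no matching secret id while only `worker1` is defined. With `xauth_id = worker1` the lookup resolves and the list is empty. Pointing `parse_swanctl` at a real `/etc/swanctl/swanctl.conf` works unchanged, since the parser handles sections, quoted values and `#` comments; `include` directives are not followed.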

refrainblue
New Member
October 18, 2025

Hello,

I tried using your suggested configuration, but I still could not connect to servers within the VPN network. Additionally, I did not get the Duo Mobile MFA notification either. If there is any further information I could provide, please let me know.

Here are the logs from trying:

sudo swanctl --initiate --child child_1
[IKE] initiating Aggressive Mode IKE_SA thecompanyvpn[902] to 12.34.56.7
[ENC] generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
[NET] sending packet: from 192.168.0.110[500] to 12.34.56.7[500] (464 bytes)
[NET] received packet: from 12.34.56.7[500] to 192.168.0.110[500] (536 bytes)
[ENC] parsed AGGRESSIVE response 0 [ SA KE No ID HASH V NAT-D NAT-D V V V V V ]
[IKE] received NAT-T (RFC 3947) vendor ID
[IKE] received DPD vendor ID
[IKE] received XAuth vendor ID
[ENC] received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00
[IKE] received FRAGMENTATION vendor ID
[IKE] received FRAGMENTATION vendor ID
[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
[IKE] local host is behind NAT, sending keep alives
[IKE] IKE_SA lambsivy[902] established between 192.168.0.110[Tunnel-A]...12.34.56.7[12.34.56.7]
[IKE] scheduling rekeying in 13068s
[IKE] maximum IKE_SA lifetime 14508s
[ENC] generating AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
[NET] sending packet: from 192.168.0.110[4500] to 12.34.56.7[4500] (140 bytes)
[ENC] generating QUICK_MODE request 848870923 [ HASH SA No ID ID ]
[NET] sending packet: from 192.168.0.110[4500] to 12.34.56.7[4500] (220 bytes)
[IKE] sending retransmit 1 of request message ID 848870923, seq 3
[NET] sending packet: from 192.168.0.110[4500] to 12.34.56.7[4500] (220 bytes)
[IKE] sending retransmit 2 of request message ID 848870923, seq 3
[NET] sending packet: from 192.168.0.110[4500] to 12.34.56.7[4500] (220 bytes)
[IKE] sending retransmit 3 of request message ID 848870923, seq 3
[NET] sending packet: from 192.168.0.110[4500] to 12.34.56.7[4500] (220 bytes)
[IKE] sending keep alive to 12.34.56.7[4500]
[IKE] sending retransmit 4 of request message ID 848870923, seq 3
[NET] sending packet: from 192.168.0.110[4500] to 12.34.56.7[4500] (220 bytes)
[IKE] sending keep alive to 12.34.56.7[4500]
[IKE] sending keep alive to 12.34.56.7[4500]
[IKE] sending retransmit 5 of request message ID 848870923, seq 3
[NET] sending packet: from 192.168.0.110[4500] to 12.34.56.7[4500] (220 bytes)
[IKE] sending keep alive to 12.34.56.7[4500]
[IKE] sending keep alive to 12.34.56.7[4500]
[IKE] sending keep alive to 12.34.56.7[4500]

sudo swanctl --list-conn
thecompanyvpn: IKEv1, reauthentication every 14400s
  local:  %any
  remote: sa.company.com
  local pre-shared key authentication:
    id: Tunnel-A
  remote pre-shared key authentication:
  child_1: TUNNEL, rekeying every 3600s
    local:  dynamic
    remote: dynamic

ii  libstrongswan                   6.0.2-1  amd64  strongSwan utility and crypto library
ii  libstrongswan-extra-plugins     6.0.2-1  amd64  strongSwan utility and crypto library (extra plugins)
ii  libstrongswan-standard-plugins  6.0.2-1  amd64  strongSwan utility and crypto library (standard plugins)
ii  strongswan                      6.0.2-1  all    IPsec VPN solution metapackage
ii  strongswan-libcharon            6.0.2-1  amd64  strongSwan charon library
ii  strongswan-pki                  6.0.2-1  amd64  strongSwan IPsec client, pki command
ii  strongswan-swanctl              6.0.2-1  amd64  strongSwan IPsec client, swanctl command
Alf007
New Member
December 19, 2025

Are you using a smartcard?
I'm also stuck using strongSwan to mount an IPsec tunnel with FortiGate (IKEv2 tunnel with double authentication: smartcard + EAP).
I will open another thread to explain my concern.