WelingtonMatias
Article Id 398009
Description: This article describes how to configure an IKEv2 client-to-site (dial-up) IPsec VPN between a FortiGate and a strongSwan client on Ubuntu Linux, with the VPN user authenticated through RADIUS (NPS).
Scope: FortiGate v6.x, v7.x.
Solution

On the RADIUS (NPS) server:

Follow this KB article: Technical Tip: IKEv2 Dialup IPsec tunnel with RADIUS.

On Linux (Ubuntu):

Install strongSwan. The libcharon-extra-plugins package provides the EAP plugins needed for the user authentication configured below:

sudo apt-get update
sudo apt install strongswan libcharon-extra-plugins -y

Edit the file /etc/ipsec.conf and enter the following configuration:

config setup
    charondebug="ike 2, cfg 2, knl 2, net 2"

conn ikev2-vpn
    auto=start
    keyexchange=ikev2
    type=tunnel
    left=%defaultroute
    leftid=wells@mylab.local
    leftauth=eap
    leftsourceip=%config
    leftsubnet=0.0.0.0/0
    right=172.16.20.104
    rightid=%any
    rightauth=psk
    rightsubnet=192.168.100.0/24
    eap_identity="wells@mylab.local"
    ike=aes256-sha256-modp2048
    esp=aes256-sha256-modp2048
    dpdaction=restart
    dpddelay=30s
    fragmentation=yes
    compress=no

* The left side is the strongSwan VPN client: leftauth=eap with eap_identity is the user that RADIUS authenticates, and leftsourceip=%config asks the FortiGate for a virtual IP (handed out by mode-cfg).

* The right side is the FortiGate firewall:

     right=172.16.20.104 ---- FortiGate WAN interface IP

     rightsubnet=192.168.100.0/24 --- network behind the FortiGate firewall, reachable through the tunnel

Edit the file /etc/ipsec.secrets:

# This file holds shared secrets or RSA private keys for authentication.

# Pre-shared key used to authenticate the FortiGate (rightauth=psk); no selector
# before the colon means the PSK applies to any peer.
: PSK "1234Mudar"

# EAP credentials for the identity sent in eap_identity (verified by RADIUS).
wells@mylab.local : EAP "1234Mudar"

On FortiGate:

User & Authentication -> RADIUS Server -> Create New.

Use Test User Credentials to confirm that the FortiGate can authenticate a user against the NPS server.

Create the RADIUS user on FortiGate:

User & Authentication -> User Definition -> Create New.

On the FortiGate CLI:

IPsec VPN configuration (phase 1 and phase 2):

config vpn ipsec phase1-interface
    edit "radius"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256
        set dpd on-idle
        set dhgrp 14
        set eap enable
        set eap-identity send-request
        # "Radius" is the RADIUS user group name created above
        set authusrgrp "Radius"
        set assign-ip-from name
        set dns-mode auto
        # "LocalNetwork" is the address object for the LAN behind the FortiGate (rightsubnet in ipsec.conf)
        set ipv4-split-include "LocalNetwork"
        # address range handed to clients as their virtual IP (leftsourceip=%config)
        set ipv4-name "SSLVPN_TUNNEL_ADDR1"
        set save-password enable
        # the ENC value is device-specific; enter the same PSK as in ipsec.secrets in clear text instead
        set psksecret ENC wmXqS5qSQSOygTxhHPVEZ7HpNEblsplFWFk9M589dl/OD5rz2sRPUSeCVPw7DLv644qh66xHnZUmOWxN2JVQB3pu75jaUFDnmQ0gUUCsUv42rr9mSqyOiQBTSgrrWc92C0RuTEb14q2/7duJtvwDdK2jBpD0I3wbcQ6q5nb4FxUy8IstumlO2bl+CHPehEG1Cjg51lmMjY3dkVA
        set dpd-retryinterval 60
    next
end

config vpn ipsec phase2-interface
    edit "radius"
        set phase1name "radius"
        set proposal aes256-sha256
        set dhgrp 14
        set keepalive enable
    next
end
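The most common reason an IKEv2 dial-up tunnel like this one fails to come up is a proposal mismatch between the two sides (for example FortiGate dhgrp 14 requires modp2048 in the strongSwan ike=/esp= lines). The following script is an added example, not part of this article or of either vendor's tooling: it parses an ipsec.conf conn section and a FortiGate phase1/phase2 snippet, expands the FortiGate proposal x dhgrp combinations into strongSwan notation, and reports the proposals both peers accept. The DH group mapping and the embedded sample inputs are constructed here to mirror the article's values.

```python
import re

# FortiGate "set dhgrp N" numbers and the strongSwan keyword for the same DH group.
DHGRP_TO_SWAN = {"2": "modp1024", "5": "modp1536", "14": "modp2048", "15": "modp3072",
                 "16": "modp4096", "19": "ecp256", "20": "ecp384", "21": "ecp521"}

def strongswan_proposals(conf, conn, key):
    """Proposals from the ike= or esp= line of one conn; a trailing '!' (strict mode) is dropped."""
    section = re.search(rf"^conn {re.escape(conn)}\s*$(.*?)(?=^(conn|config|ca)\s|\Z)", conf, re.S | re.M)
    line = re.search(rf"^\s*{key}=(.+)$", section.group(1), re.M) if section else None
    if not line:
        return set()
    return {p.strip() for p in line.group(1).strip().rstrip("!").split(",") if p.strip()}

def fortigate_proposals(cli, phase, name):
    """Expand 'set proposal' x 'set dhgrp' of one phaseN-interface entry into strongSwan form."""
    block = re.search(rf'config vpn ipsec {phase}-interface.*?edit "{name}"(.*?)\n\s*next',
                      cli, re.S)
    props = re.search(r"set proposal (.+)", block.group(1)) if block else None
    dhs = re.search(r"set dhgrp (.+)", block.group(1)) if block else None
    if not props or not dhs:
        return set()
    groups = [DHGRP_TO_SWAN.get(d, f"dhgrp{d}") for d in dhs.group(1).split()]
    return {f"{p}-{g}" for p in props.group(1).split() for g in groups}

def matching_proposals(conf, conn, cli, name):
    """Proposals both peers accept for IKE (phase1) and ESP (phase2); an empty set means no agreement."""
    return {k: strongswan_proposals(conf, conn, k) & fortigate_proposals(cli, ph, name)
            for k, ph in (("ike", "phase1"), ("esp", "phase2"))}

# Constructed sample inputs mirroring the article's two snippets.
IPSEC_CONF = """\
conn ikev2-vpn
     ike=aes256-sha256-modp2048
     esp=aes256-sha256-modp2048
"""
FORTI_CLI = """\
config vpn ipsec phase1-interface
    edit "radius"
        set proposal aes256-sha256
        set dhgrp 14
    next
end
config vpn ipsec phase2-interface
    edit "radius"
        set proposal aes256-sha256
        set dhgrp 14
    next
end
"""
```

Run matching_proposals(IPSEC_CONF, "ikev2-vpn", FORTI_CLI, "radius") against your own files (read with open().read()); an empty set for "ike" or "esp" pinpoints which phase will fail before you look at charon or FortiGate IKE debug output.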

Test the connection from the Ubuntu strongSwan client.

Before the IPsec connection is started, the FortiGate shows no active IPsec tunnels.

Start a ping to 192.168.100.2 (the IP of the RADIUS server on the FortiGate LAN).

ipsec up ikev2-vpn starts the VPN connection (auto=start in ipsec.conf also brings it up whenever the strongSwan service starts).

Once the tunnel is established, ipsec statusall on the client shows the ESTABLISHED IKE_SA with the assigned virtual IP, the FortiGate shows the tunnel as up (for example with get vpn ipsec tunnel summary on the CLI), and the ping to 192.168.100.2 starts receiving replies through the tunnel.

Related article:

Technical Tip: FortiGate Site-to-Site VPN with Strongswan on Ubuntu