This article describes how to configure an IKEv1 site-to-site VPN tunnel between a FortiGate and a StrongSwan VPN gateway on a Linux system.
Scope: FortiGate.

On Linux:
sudo apt-get update
sudo apt-get install strongswan
sudo nano /etc/sysctl.conf

Uncomment these 4 lines:

    net.ipv4.ip_forward = 1
    net.ipv6.conf.all.forwarding = 1
    net.ipv4.conf.all.accept_redirects = 0
    net.ipv4.conf.all.send_redirects = 0
systemctl is-enabled strongswan-starter.service
sudo nano /etc/ipsec.conf
    # ipsec.conf - strongSwan IPsec configuration file

    # basic configuration

    config setup
        charondebug="all"
        # strictcrlpolicy=yes
        uniqueids=yes

    # Add connections here.

    # Sample VPN connections

    conn strongswan-to-fortigate
        type=tunnel
        auto=start
        keyexchange=ikev1
        authby=secret
        left=172.16.24.133
        leftsubnet=10.1.0.0/16
        right=172.16.24.16
        rightsubnet=10.2.0.0/16
        # rightcert=peerCert.der
        # auto=start
        ike=aes256-sha256-modp2048
        esp=aes256-sha256
        aggressive=no
        keyingtries=%forever
        ikelifetime=28800s
        lifetime=3600s
        dpddelay=20s
        dpdtimeout=120s
        dpdaction=restart
sudo nano /etc/ipsec.secrets

    172.16.24.133 172.16.24.16 : PSK "fortinet"

The two addresses before the colon must be the local (left) and remote (right) gateway addresses from ipsec.conf; otherwise charon cannot find the shared key for this peer pair.

sudo systemctl restart strongswan
Configure the IPsec VPN (IKEv1) on the FortiGate:
    erbium-kvm56 # show vpn ipsec phase1-interface
    config vpn ipsec phase1-interface
        edit "FGT_to-strong"
            set interface "port3"
            set peertype any
            set net-device disable
            set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
            set dhgrp 14
            set remote-gw 172.16.24.133
            set psksecret ENC 8GbtvmwzU6TMIH8vyeYSf9pfF1NusGtY7sClP/iMQtvH74tu7NlfG/rL5URglviwSBLWehuOBoRKGRXHqBiXLmtXjXFpwQ23I/gwID8HEP2rQOxQ1WkI1l2YveB9PmWJJcU6k3pzvbnmFAfShnyTQyf3TxC+U2HDVsNVbEe8Bgi1Z26VUcZqhubBzhSsRALAnZGBUllmMjY3dkVA
        next
    end

    erbium-kvm56 # show vpn ipsec phase2-interface
    config vpn ipsec phase2-interface
        edit "FGT_to-strong"
            set phase1name "FGT_to-strong"
            set proposal aes256-sha256
            set pfs disable
            set auto-negotiate enable
            set src-subnet 10.2.0.0 255.255.0.0
            set dst-subnet 10.1.0.0 255.255.0.0
        next
    end
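Most IKEv1 tunnels that refuse to come up fail on a parameter that differs between the two ends: peer address, traffic selectors, phase 1 or phase 2 proposal, DH group, PFS, or an ipsec.secrets selector that does not match the gateway addresses. The following Python checker is an added example and is not code from the Fortinet article or the strongSwan project. Its inputs are constructed from the values shown above (strongSwan conn section, FortiGate phase1/phase2 settings) plus a deliberately mistyped ipsec.secrets line (17.16.24.133 instead of 172.16.24.133) so that one finding is reported; the MODP-to-dhgrp table uses the IANA DH group numbers.

```python
"""Cross-check a strongSwan conn section against the FortiGate phase1/phase2
configuration and the ipsec.secrets entry that should serve it.

Added example, not code from the Fortinet article or the strongSwan project.
Sample inputs are constructed from the values in the article; one
ipsec.secrets line is deliberately mistyped (17.16.24.133) to show a finding.
"""

# Constructed sample: the strongSwan conn section from the article.
STRONGSWAN_CONN = """
conn strongswan-to-fortigate
    type=tunnel
    auto=start
    keyexchange=ikev1
    authby=secret
    left=172.16.24.133
    leftsubnet=10.1.0.0/16
    right=172.16.24.16
    rightsubnet=10.2.0.0/16
    ike=aes256-sha256-modp2048
    esp=aes256-sha256
"""

# Constructed samples: ipsec.secrets selector lines, one mistyped, one correct.
SECRETS_LINE_BAD = '17.16.24.133 172.16.24.16 : PSK "fortinet"'
SECRETS_LINE_GOOD = '172.16.24.133 172.16.24.16 : PSK "fortinet"'

# Constructed sample: FortiGate phase1/phase2 settings as shown in the article.
FORTIGATE_PHASE1 = {
    "remote-gw": "172.16.24.133",
    "proposal": "aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1",
    "dhgrp": "14",
}
FORTIGATE_PHASE2 = {
    "proposal": "aes256-sha256",
    "pfs": "disable",
    "src-subnet": "10.2.0.0 255.255.0.0",
    "dst-subnet": "10.1.0.0 255.255.0.0",
}

# strongSwan MODP keywords mapped to IANA DH group numbers (FortiGate 'set dhgrp').
MODP_TO_DHGRP = {"modp1024": "2", "modp1536": "5", "modp2048": "14",
                 "modp3072": "15", "modp4096": "16"}


def parse_conn(text):
    """Parse the key=value lines of a strongSwan conn section into a dict."""
    conn = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("conn "):
            continue
        key, _, value = line.partition("=")
        conn[key.strip()] = value.strip()
    return conn


def fortigate_subnet_to_cidr(subnet):
    """'10.2.0.0 255.255.0.0' -> '10.2.0.0/16' (count the set bits of the mask)."""
    addr, mask = subnet.split()
    prefix = sum(bin(int(octet)).count("1") for octet in mask.split("."))
    return f"{addr}/{prefix}"


def check_tunnel(conn, secrets_line, p1, p2):
    """Return a list of mismatches between the two ends; empty means consistent."""
    problems = []

    # Peer address: FortiGate remote-gw must be the strongSwan 'left' address.
    if p1["remote-gw"] != conn["left"]:
        problems.append(f"remote-gw {p1['remote-gw']} != left {conn['left']}")

    # Traffic selectors must mirror each other (src on one end is dst on the other).
    if fortigate_subnet_to_cidr(p2["src-subnet"]) != conn["rightsubnet"]:
        problems.append("FortiGate src-subnet does not match rightsubnet")
    if fortigate_subnet_to_cidr(p2["dst-subnet"]) != conn["leftsubnet"]:
        problems.append("FortiGate dst-subnet does not match leftsubnet")

    # Phase 1: the strongSwan ike= proposal must appear in the FortiGate list and
    # its MODP group must equal the configured dhgrp.
    cipher, integrity, group = conn["ike"].split("-")
    if f"{cipher}-{integrity}" not in p1["proposal"].split():
        problems.append(f"phase1 proposal {cipher}-{integrity} not offered by FortiGate")
    if MODP_TO_DHGRP.get(group) != p1["dhgrp"]:
        problems.append(f"ike group {group} does not match dhgrp {p1['dhgrp']}")

    # Phase 2: esp= must be in the FortiGate phase2 list; a DH group suffix in
    # esp= means PFS, which must agree with 'set pfs' on the FortiGate.
    esp_parts = conn["esp"].split("-")
    esp_alg, esp_pfs = "-".join(esp_parts[:2]), len(esp_parts) > 2
    if esp_alg not in p2["proposal"].split():
        problems.append(f"phase2 proposal {esp_alg} not offered by FortiGate")
    if esp_pfs != (p2["pfs"] == "enable"):
        problems.append("PFS is enabled on one end only")

    # ipsec.secrets: the selectors before ':' must cover both gateway addresses,
    # otherwise charon reports that no shared key was found for this pair.
    selectors = secrets_line.split(":")[0].split()
    for addr in (conn["left"], conn["right"]):
        if addr not in selectors:
            problems.append(f"ipsec.secrets selectors {selectors} do not include {addr}")
    return problems


if __name__ == "__main__":
    conn = parse_conn(STRONGSWAN_CONN)
    for label, secrets in (("mistyped", SECRETS_LINE_BAD), ("corrected", SECRETS_LINE_GOOD)):
        print(label, check_tunnel(conn, secrets, FORTIGATE_PHASE1, FORTIGATE_PHASE2) or "OK")
```

Run it before bringing the tunnel up; a non-empty list tells which side to correct. Flip `pfs` to `enable` on the FortiGate side of the sample without adding a DH group to `esp=` and the checker reports the PFS mismatch, which on a live system only shows up as a phase 2 proposal failure in the logs.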
Make sure a firewall policy is in place for the tunnel interface. After that, the VPN will come up:
    erbium-kvm56 # diagnose vpn ike gateway list

    vd: root/0
    name: FGT_to-strong
    version: 1
    interface: port3 5
    addr: 172.16.24.16:500 -> 172.16.24.133:500
    tun_id: 172.16.24.133/::172.16.24.133
    remote_location: 0.0.0.0
    network-id: 0
    transport: UDP
    created: 1422s ago
    peer-id: 172.16.24.133
    peer-id-auth: no
    pending-queue: 0
    IKE SA: created 1/2  established 1/1  time 10/10/10 ms
    IPsec SA: created 1/2  established 1/1  time 10/10/10 ms

      id/spi: 59 c5cfba11aa98e4fc/4a6449e7b7970a03
      direction: responder
      status: established 1400-1400s ago = 10ms
      proposal: aes256-sha256
      key: 1e033f2ce9730933-ce1d15199a7b5336-2f1023ed50db2467-b856267a19b7574c
      QKD: no
      lifetime/rekey: 28800/27129
      DPD sent/recv: 00000000/7ca56d8a
      peer-id: 172.16.24.133
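Reading that output by eye works once; for a scheduled check it helps to parse it. The following Python is an added example, not code from the Fortinet article or FortiOS. SAMPLE is a constructed copy of the gateway listing above, the field names are those FortiOS prints, and the expected proposal and peer address are taken from the configuration in this article. Note that `peer-id-auth: no` reflects `set peertype any` in the phase1-interface above, so the example reports it as an informational finding.

```python
"""Turn 'diagnose vpn ike gateway list' output into a dict and judge tunnel health.

Added example, not from the Fortinet article or FortiOS. SAMPLE is a
constructed copy of the output shown in the article.
"""

SAMPLE = """\
vd: root/0
name: FGT_to-strong
version: 1
interface: port3 5
addr: 172.16.24.16:500 -> 172.16.24.133:500
tun_id: 172.16.24.133/::172.16.24.133
remote_location: 0.0.0.0
network-id: 0
transport: UDP
created: 1422s ago
peer-id: 172.16.24.133
peer-id-auth: no
pending-queue: 0
IKE SA: created 1/2  established 1/1  time 10/10/10 ms
IPsec SA: created 1/2  established 1/1  time 10/10/10 ms
  id/spi: 59 c5cfba11aa98e4fc/4a6449e7b7970a03
  direction: responder
  status: established 1400-1400s ago = 10ms
  proposal: aes256-sha256
  lifetime/rekey: 28800/27129
  DPD sent/recv: 00000000/7ca56d8a
  peer-id: 172.16.24.133
"""


def parse_gateway(text):
    """Split each 'key: value' line on the first colon; first occurrence of a
    repeated key (peer-id appears twice) wins."""
    gw = {}
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if sep and key not in gw:
            gw[key] = value.strip()
    return gw


def assess(gw, expected_proposal, expected_peer):
    """Return a list of findings; an empty list means the gateway looks healthy."""
    findings = []
    if not gw.get("status", "").startswith("established"):
        findings.append("IKE SA is not established")
    if gw.get("proposal") != expected_proposal:
        findings.append(f"negotiated proposal {gw.get('proposal')} != expected {expected_proposal}")
    if gw.get("peer-id") != expected_peer:
        findings.append(f"unexpected peer-id {gw.get('peer-id')}")
    # lifetime/rekey is 'total/remaining'; remaining must sit inside the lifetime.
    lifetime, rekey = (int(x) for x in gw["lifetime/rekey"].split("/"))
    if not 0 < rekey < lifetime:
        findings.append(f"rekey time {rekey} is outside the lifetime {lifetime}")
    # Informational: 'peer-id-auth: no' means the phase1 uses peertype any, so the
    # peer's IKE ID is not checked; the PSK alone authenticates the peer.
    if gw.get("peer-id-auth") == "no":
        findings.append("peer-id-auth is no (peertype any): peer IKE ID is not verified")
    return findings


if __name__ == "__main__":
    gateway = parse_gateway(SAMPLE)
    print(gateway["name"], "IKEv" + gateway["version"], gateway["addr"])
    for finding in assess(gateway, "aes256-sha256", "172.16.24.133") or ["OK"]:
        print(" -", finding)
```

On a live FortiGate the text fed to `parse_gateway` would come from the same `diagnose vpn ike gateway list` command; the parser is deliberately tolerant of indentation so the nested SA lines are picked up without a second pass.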
Troubleshooting:
Related articles:
Technical Tip: IPsec connection between FortiGate and Ubuntu via Dialup
Copyright 2025 Fortinet, Inc. All Rights Reserved.