FortiGate
Author: xshkurti (Staff)
Article Id 275092
Description: This article describes how to set up an IKEv2 site-to-site (S2S) IPsec VPN between a FortiGate and Strongswan installed on Ubuntu Linux.
Scope: FortiGate v6.x, v7.x.
Solution

Logical Topology for Site-to-Site VPN between FortiGate and Strongswan in Ubuntu Server 20.04:

[Screenshot: xshkurti_0-1695304167263.png]

Ubuntu 20.04

Public IP ens9: 10.191.20.247/20
Private IP ens10: 192.168.100.1/24

After installing the Ubuntu server, set up its IP addresses.

Set up an IP address on Ubuntu Server

[Screenshot: xshkurti_1-1695304167265.png]


This setup will depend on the Ubuntu version and account level. This article assumes root access is available.

 

For any changes using the 'nano' editor, save the config with Ctrl+O and exit with Ctrl+X:

nano /etc/netplan/00-installer-config.yaml

Set up the configuration as below:

[Screenshot: xshkurti_2-1695304167267.png]


# This is the network config written by 'subiquity'
network:
  ethernets:
    # Internet-facing interface (the interface name must match 'ip link'; ens9 in the topology above)
    ens9:
      dhcp4: false
      addresses: [10.191.20.247/20]
      gateway4: 10.191.31.254
      nameservers:
        addresses: [8.8.8.8, 8.8.4.4]
    # LAN-facing interface
    ens10:
      dhcp4: false
      addresses: [192.168.100.1/24]
  version: 2
  # Ubuntu Server installs use networkd by default; keep the renderer that is installed on the system
  renderer: NetworkManager
#########################################


Then save the config with Ctrl+O and exit with Ctrl+X.


Apply the network changes using the following:

netplan apply

[Screenshot: xshkurti_3-1695304167268.png]

 

In order for Ubuntu to serve as a router in the setup, it is necessary to enable Kernel Packet Forwarding:

nano /etc/sysctl.conf

Uncomment these 4 lines:

net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

[Screenshot: xshkurti_4-1695304167271.png]

Next, apply this change with the following:

sysctl -p

[Screenshot: xshkurti_5-1695304167271.png]

 

Note that this guide does not focus on how to harden Ubuntu Linux, so all firewall settings have been disabled on this machine and the root account is used, which is not recommended in production environments.

ufw status
Status: inactive


After completing the Ubuntu preparation, install Strongswan:

apt update
apt install strongswan -y

Enable the Strongswan service and confirm that it is enabled ('is-enabled' only reports the state; 'enable' sets it):

systemctl enable strongswan-starter.service
systemctl is-enabled strongswan-starter.service

Check the Strongswan service status; it should be active (running):

systemctl status strongswan-starter.service

[Screenshot: xshkurti_6-1695304167275.png]

 

Now, create the IPsec VPN.

Create a backup of the config file with the following:

cp /etc/ipsec.conf /etc/ipsec.conf.bakfile

Then edit the original file with the desired settings:

nano /etc/ipsec.conf

[Screenshot: xshkurti_7-1695304167279.png]

###################################################
# ipsec.conf - strongSwan IPsec configuration file

config setup
    # "all" is very verbose; lower it once the tunnel is stable
    charondebug = "all"
    uniqueids = yes

conn strongswan-to-fortigate
    type = tunnel
    auto = start
    keyexchange = ikev2
    authby = secret
    # Ubuntu public IP (ens9) and the LAN behind it, written as the network address
    left = 10.191.20.247
    leftsubnet = 192.168.100.0/24
    # FortiGate WAN IP (port1) and the LAN behind it (port2)
    right = 10.191.21.15
    rightsubnet = 172.16.1.0/24
    # must match the FortiGate phase1 proposal; modp2048 is DH group 14
    ike = aes256-sha256-modp2048
    # must match the FortiGate phase2 proposal; add a DH group (for example
    # aes256-sha256-modp2048) if PFS stays enabled on the FortiGate phase2, which is the default
    esp = aes256-sha256
    # IKEv1-only setting; harmless under IKEv2
    aggressive = no
    keyingtries = %forever
    # equals the FortiGate phase1 keylife
    ikelifetime = 28800s
    # equals the FortiGate phase2 keylifeseconds
    lifetime = 3600s
    dpddelay = 20s
    dpdtimeout = 120s
    dpdaction = restart
###########################################

 

Note: if there are multiple subnets on the remote end (FortiGate), specify each one as its own conn that inherits the base settings with 'also':

###########################################

conn net-192.168.198.0
    also=strongswan-to-fortigate
    rightsubnet=192.168.198.0/23
    auto=start

conn net-192.168.208.0
    also=strongswan-to-fortigate
    rightsubnet=192.168.208.0/23
    auto=start

conn net-192.168.170.0
    also=strongswan-to-fortigate
    rightsubnet=192.168.170.0/23
    auto=start

conn net-192.168.234.0
    also=strongswan-to-fortigate
    rightsubnet=192.168.234.0/23
    auto=start

conn net-192.168.69.0
    also=strongswan-to-fortigate
    rightsubnet=192.168.69.0/24
    auto=start

###########################################

 

Now, it is necessary to specify the pre-shared key. There are multiple methods, from generating it automatically to setting it manually.

This guide demonstrates with a simple key, Str0ntsW@n-F0rt1gAt3; use a strong key in a real deployment.

nano /etc/ipsec.secrets

[Screenshot: xshkurti_8-1695304167280.png]
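For reference, this is the form of the line that goes into /etc/ipsec.secrets, written here as an added example (the article shows the file only in the screenshot above) using the article's two gateway addresses and the demonstration key:

```text
# /etc/ipsec.secrets - local gateway, remote gateway, then the PSK shared with the FortiGate
10.191.20.247 10.191.21.15 : PSK "Str0ntsW@n-F0rt1gAt3"
```

The same string is entered as the Pre-shared Key on the FortiGate side of the tunnel; the file is readable by root only, so keep its permissions as installed.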

 

Restart Strongswan and check its status:

ipsec restart
ipsec status

[Screenshot: xshkurti_9-1695304167281.png]

Strongswan will try to connect but will not succeed because the FortiGate has not been configured yet. Configure the FortiGate next:

 

  1. Start the IPsec Wizard and create a Custom VPN:

[Screenshot: xshkurti_10-1695304167282.png]

  2. Configure Remote Peer, Interface, and DPD settings:

[Screenshot: xshkurti_11-1695304167284.png]

  3. Set up the Pre-shared Key and IKE Version:

[Screenshot: xshkurti_12-1695304167285.png]

  4. Set up the Phase 1 settings:

[Screenshot: xshkurti_13-1695304167286.png]

  5. Set up the Phase 2 settings:

[Screenshot: xshkurti_14-1695304167288.png]

 

The same results can be accomplished using the CLI:

config vpn ipsec phase1-interface
    edit "FGT-to-STRWAN"
        set interface "port1"
        set ike-version 2
        set keylife 28800
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set remote-gw 10.191.20.247
        set psksecret ENC *********
    next
end

config vpn ipsec phase2-interface
    edit "FGT-to-STRWAN"
        set phase1name "FGT-to-STRWAN"
        set proposal aes256-sha256
        set keylifeseconds 3600
        set src-subnet 172.16.1.0 255.255.255.0
        set dst-subnet 192.168.100.0 255.255.255.0
    next
end
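Most tunnels that negotiate but never come up fail on a parameter that differs between the two ends: IKE version, lifetimes, proposals or the traffic selectors, which are mirrored (Strongswan's leftsubnet is the FortiGate's dst-subnet). The script below is an added example, not part of the article or of either product; it parses a Strongswan conn block and the FortiGate phase1/phase2 CLI and reports every mismatch. The two embedded configs are constructed from the article's values, including the host-style subnets 192.168.100.1/24 and 172.16.1.1/24, which the check normalizes to their network addresses before comparing.

```python
"""Cross-check a strongSwan conn block against the FortiGate phase1/phase2 CLI.
Added example; sample configs are constructed from the article's values."""
import ipaddress
import re

STRONGSWAN_CONF = """\
conn strongswan-to-fortigate
    type = tunnel
    auto = start
    keyexchange = ikev2
    authby = secret
    left = 10.191.20.247
    leftsubnet = 192.168.100.1/24
    right = 10.191.21.15
    rightsubnet = 172.16.1.1/24
    ike = aes256-sha256-modp2048
    esp = aes256-sha256
    ikelifetime = 28800s
    lifetime = 3600s
"""

FORTIGATE_CLI = """\
config vpn ipsec phase1-interface
    edit "FGT-to-STRWAN"
        set interface "port1"
        set ike-version 2
        set keylife 28800
        set proposal aes256-sha256
        set remote-gw 10.191.20.247
    next
end
config vpn ipsec phase2-interface
    edit "FGT-to-STRWAN"
        set phase1name "FGT-to-STRWAN"
        set proposal aes256-sha256
        set keylifeseconds 3600
        set src-subnet 172.16.1.0 255.255.255.0
        set dst-subnet 192.168.100.0 255.255.255.0
    next
end
"""

def parse_strongswan_conn(text, name):
    """Return the key = value pairs of the 'conn <name>' block."""
    params, inside = {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("conn "):
            inside = stripped.split(None, 1)[1] == name
        elif inside and "=" in stripped:
            key, value = (part.strip() for part in stripped.split("=", 1))
            params[key] = value
    return params

def parse_fortigate_cli(text):
    """Return {section: {setting: value}} for each 'config ...' block."""
    sections, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("config "):
            current = stripped.split(None, 1)[1]
            sections[current] = {}
        elif stripped.startswith("set ") and current is not None:
            key, value = stripped[4:].split(None, 1)
            sections[current][key] = value.strip('"')
    return sections

def fgt_subnet(value):
    """'172.16.1.0 255.255.255.0' -> IPv4Network('172.16.1.0/24')."""
    addr, mask = value.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def cipher_hash(proposal):
    """Strip strongSwan's DH-group suffix: aes256-sha256-modp2048 -> aes256-sha256."""
    return "-".join(p for p in proposal.split("-") if not re.match(r"modp|ecp|curve", p))

def compare(conn, fgt):
    """Return a list of mismatches between the two sides; empty means they agree."""
    p1 = fgt["vpn ipsec phase1-interface"]
    p2 = fgt["vpn ipsec phase2-interface"]
    problems = []
    if conn.get("keyexchange") != "ikev2" or p1.get("ike-version") != "2":
        problems.append("IKE version: both sides must use IKEv2")
    if conn.get("ikelifetime", "").rstrip("s") != p1.get("keylife"):
        problems.append(f"IKE lifetime {conn.get('ikelifetime')} vs keylife {p1.get('keylife')}")
    if conn.get("lifetime", "").rstrip("s") != p2.get("keylifeseconds"):
        problems.append(f"ESP lifetime {conn.get('lifetime')} vs keylifeseconds {p2.get('keylifeseconds')}")
    if conn.get("left") != p1.get("remote-gw"):
        problems.append(f"peer address: left={conn.get('left')} vs remote-gw={p1.get('remote-gw')}")
    if cipher_hash(conn.get("ike", "")) != p1.get("proposal"):
        problems.append(f"phase1 proposal: ike={conn.get('ike')} vs {p1.get('proposal')}")
    if cipher_hash(conn.get("esp", "")) != p2.get("proposal"):
        problems.append(f"phase2 proposal: esp={conn.get('esp')} vs {p2.get('proposal')}")
    # Selectors are mirrored; strict=False makes 192.168.100.1/24 equal 192.168.100.0/24.
    if ipaddress.ip_network(conn["leftsubnet"], strict=False) != fgt_subnet(p2["dst-subnet"]):
        problems.append(f"local selector: leftsubnet={conn['leftsubnet']} vs dst-subnet={p2['dst-subnet']}")
    if ipaddress.ip_network(conn["rightsubnet"], strict=False) != fgt_subnet(p2["src-subnet"]):
        problems.append(f"remote selector: rightsubnet={conn['rightsubnet']} vs src-subnet={p2['src-subnet']}")
    return problems

def check_article_configs():
    """Run the comparison on the sample configs above (returns [] when they agree)."""
    return compare(parse_strongswan_conn(STRONGSWAN_CONF, "strongswan-to-fortigate"),
                   parse_fortigate_cli(FORTIGATE_CLI))

if __name__ == "__main__":
    for line in check_article_configs() or ["strongSwan and FortiGate settings agree"]:
        print(line)
```

The DH group is compared only on the Strongswan side because the article's phase1 CLI leaves the FortiGate dhgrp at its default; if you set dhgrp explicitly, extend cipher_hash to keep the group and map it to the FortiGate group number.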

When creating a normal VPN using the Wizard, the static route and firewall policies are created automatically. Since CUSTOM is selected in this case, it is necessary to create them manually.

 

Create firewall policies for both directions:

config firewall policy
    edit 1
        set name "FromStrongsWan"
        set srcintf "FGT-to-STRWAN"
        set dstintf "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set comments " (Reverse of To-StrongsWAN)"
    next
    edit 2
        set name "To-StrongsWAN"
        set srcintf "port2"
        set dstintf "FGT-to-STRWAN"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
end

The policies should look similar to the following in the GUI:

[Screenshot: xshkurti_15-1695304167289.png]

 

Create a static route to reach 192.168.100.0/24:

[Screenshot: xshkurti_16-1695304167290.png]

Do not forget a blackhole route with a high administrative distance:

[Screenshot: xshkurti_17-1695304167292.png]
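The same two routes in CLI form, added here as an example rather than taken from the article (which shows them only as GUI screenshots). The destination network and the tunnel interface name come from the article; the blackhole distance of 254 is an assumed value standing in for "high administrative distance":

```text
config router static
    edit 0
        set dst 192.168.100.0 255.255.255.0
        set device "FGT-to-STRWAN"
    next
    edit 0
        set dst 192.168.100.0 255.255.255.0
        set blackhole enable
        set distance 254
    next
end
```

The blackhole route only becomes active when the tunnel interface is down, so traffic for the remote LAN is dropped instead of following the default route out of port1 in clear text.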

 

The tunnel will be visible as 'up' on both ends:

 

From FortiGate:

diag vpn tunnel list name FGT-to-STRWAN

list ipsec tunnel by names in vd 0
------------------------------------------------------
name=FGT-to-STRWAN ver=2 serial=2 10.191.21.15:0->10.191.20.247:4500 tun_id=10.191.20.247 tun_id6=::10.191.20.247 dst_mtu=1500 dpd-link=on weight=1
bound_if=3 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc  run_state=0 role=primary accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=5 ilast=42951483 olast=42951483 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
fec: egress=0 ingress=0
proxyid=FGT-to-STRWAN proto=0 sa=1 ref=2 serial=2
  src: 0:172.16.1.0-172.16.1.255:0
  dst: 0:192.168.100.0-192.168.100.255:0
  SA:  ref=3 options=30202 type=00 soft=0 mtu=1438 expire=2259/0B replaywin=2048
       seqno=1 esn=0 replaywin_lastseq=00000000 qat=0 rekey=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=3330/3600
  dec: spi=3c05a919 esp=aes key=32 580ee95869af3bcee5edf6d015b1b6518be45daf7a357839a25c79283cd92e8c
       ah=sha256 key=32 d66fa3a2cfaf82a4c77e5b03b44a9dd63231d2dc4e55cdc5778cdfcb1d589613
  enc: spi=c4597b72 esp=aes key=32 a6da7ccce70f1813edc0c60b122cc982a8328edab3fd9f7f1921d10e398e8f4d
       ah=sha256 key=32 6486ffaef4e0ecad33bb0f93001643bd182846ed04cff885a3cd5aabd0c061df
  dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
  npu_flag=00 npu_rgwy=10.191.20.247 npu_lgwy=10.191.21.15 npu_selid=2 dec_npuid=0 enc_npuid=0
run_tally=0

From Ubuntu:

ipsec status

Security Associations (1 up, 0 connecting):
strongswan-to-fortigate[1]: ESTABLISHED 18 minutes ago, 10.191.20.247[10.191.20.247]...10.191.21.15[10.191.21.15]
strongswan-to-fortigate{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c4597b72_i 3c05a919_o
strongswan-to-fortigate{1}:   192.168.100.0/24 === 172.16.1.0/24
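The two outputs describe the same child SA from opposite sides: the SPI Strongswan lists as inbound (c4597b72_i) is the one the FortiGate encrypts with (enc: spi=c4597b72), the outbound SPI is the FortiGate's dec SPI, and the selectors are mirrored. The script below is an added example, not part of the article or of either product; it parses both outputs and reports any disagreement, which is the quickest way to tell a tunnel that is up on both ends from one that is merely up on one. The embedded samples are taken from the article's own output above, with the session keys omitted.

```python
"""Confirm both ends report the same IPsec SA: parse strongSwan 'ipsec status' and
FortiGate 'diag vpn tunnel list' output and cross-check state, SPIs and selectors.
Added example; sample outputs are the article's, with key material omitted."""
import ipaddress
import re

STRONGSWAN_STATUS = """\
Security Associations (1 up, 0 connecting):
strongswan-to-fortigate[1]: ESTABLISHED 18 minutes ago, 10.191.20.247[10.191.20.247]...10.191.21.15[10.191.21.15]
strongswan-to-fortigate{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c4597b72_i 3c05a919_o
strongswan-to-fortigate{1}:   192.168.100.0/24 === 172.16.1.0/24
"""

FORTIGATE_DIAG = """\
name=FGT-to-STRWAN ver=2 serial=2 10.191.21.15:0->10.191.20.247:4500 tun_id=10.191.20.247 dpd-link=on
proxyid=FGT-to-STRWAN proto=0 sa=1 ref=2 serial=2
  src: 0:172.16.1.0-172.16.1.255:0
  dst: 0:192.168.100.0-192.168.100.255:0
  dec: spi=3c05a919 esp=aes key=32 <omitted>
  enc: spi=c4597b72 esp=aes key=32 <omitted>
"""

def parse_strongswan_status(text):
    """Extract IKE_SA state, CHILD_SA state, ESP SPIs and traffic selectors."""
    info = {}
    m = re.search(r"^\S+\[\d+\]: (\w+)", text, re.M)
    info["ike_state"] = m.group(1) if m else None
    m = re.search(r"\{\d+\}:\s+(\w+), TUNNEL.*ESP SPIs: ([0-9a-f]+)_i ([0-9a-f]+)_o", text)
    if m:
        info["child_state"], info["spi_in"], info["spi_out"] = m.group(1), m.group(2), m.group(3)
    m = re.search(r"\{\d+\}:\s+(\S+) === (\S+)", text)
    if m:
        info["local_ts"] = ipaddress.ip_network(m.group(1))
        info["remote_ts"] = ipaddress.ip_network(m.group(2))
    return info

def range_to_network(first, last):
    """FortiGate prints selectors as address ranges; fold a range back into one prefix."""
    nets = list(ipaddress.summarize_address_range(ipaddress.ip_address(first),
                                                  ipaddress.ip_address(last)))
    return nets[0] if len(nets) == 1 else None

def parse_fortigate_diag(text):
    """Extract IKE version, installed-SA count, dec/enc SPIs and src/dst selectors."""
    info = {}
    m = re.search(r"\bver=(\d+)", text)
    info["ike_version"] = m.group(1) if m else None
    m = re.search(r"\bsa=(\d+)", text)
    info["sa_count"] = int(m.group(1)) if m else 0
    for key in ("dec", "enc"):
        m = re.search(rf"^\s*{key}: spi=([0-9a-f]+)", text, re.M)
        info[f"spi_{key}"] = m.group(1) if m else None
    for key in ("src", "dst"):
        m = re.search(rf"^\s*{key}: \d+:(\S+)-(\S+):\d+", text, re.M)
        info[key] = range_to_network(m.group(1), m.group(2)) if m else None
    return info

def verify(sw, fgt):
    """Return a list of discrepancies; empty means both ends agree on the SA."""
    issues = []
    if sw.get("ike_state") != "ESTABLISHED":
        issues.append(f"strongSwan IKE_SA state is {sw.get('ike_state')}")
    if sw.get("child_state") != "INSTALLED":
        issues.append(f"strongSwan CHILD_SA state is {sw.get('child_state')}")
    if fgt["ike_version"] != "2":
        issues.append(f"FortiGate negotiated IKE version {fgt['ike_version']}")
    if fgt["sa_count"] < 1:
        issues.append("FortiGate reports no installed SA (sa=0)")
    # What strongSwan receives on (_i) is what the FortiGate encrypts with (enc), and vice versa.
    if sw.get("spi_in") != fgt["spi_enc"]:
        issues.append(f"inbound SPI {sw.get('spi_in')} != FortiGate enc SPI {fgt['spi_enc']}")
    if sw.get("spi_out") != fgt["spi_dec"]:
        issues.append(f"outbound SPI {sw.get('spi_out')} != FortiGate dec SPI {fgt['spi_dec']}")
    # Selectors are mirrored: strongSwan's local network is the FortiGate's dst.
    if sw.get("local_ts") != fgt["dst"]:
        issues.append(f"local selector {sw.get('local_ts')} != FortiGate dst {fgt['dst']}")
    if sw.get("remote_ts") != fgt["src"]:
        issues.append(f"remote selector {sw.get('remote_ts')} != FortiGate src {fgt['src']}")
    return issues

def check_article_outputs():
    """Cross-check the two sample outputs above (returns [] when they agree)."""
    return verify(parse_strongswan_status(STRONGSWAN_STATUS), parse_fortigate_diag(FORTIGATE_DIAG))

if __name__ == "__main__":
    for line in check_article_outputs() or ["both ends agree on the installed SA"]:
        print(line)
```

Note that the FortiGate counters in the article read rxp=0 txp=0 and dec:pkts/bytes=0/0, so an agreeing SA only proves negotiation succeeded; send traffic from one LAN to the other and re-run the diag command to see the counters move before declaring the tunnel working.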