FortiGate
amalsky
Staff
Article Id 397656
Description

This article describes how to configure a remote user IPsec VPN using IKEv2 with StrongSwan on a Linux system (Ubuntu 24.04). It also outlines the necessary steps to troubleshoot standard connectivity and traffic flow issues that may arise during the setup.

Scope

FortiGate v7.4.x.
Solution

Here is a sample of a standard configuration on the FortiGate:

 

config vpn ipsec phase1-interface
    edit "strongSwan"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set ipv4-start-ip 10.10.10.10
        set ipv4-end-ip 10.10.10.100
        set ipv4-netmask 255.255.255.0
        set ipv4-split-include "strongSwan_split"
        set proposal aes256-sha256
        set psksecret "YourPresharedKeyHere"
    next
end

config vpn ipsec phase2-interface
    edit "strongSwan"
        set phase1name "strongSwan"
        set src-subnet 10.10.10.0 255.255.255.0
        set dst-subnet 192.168.2.0 255.255.255.0
        set proposal aes256-sha256
        set auto-negotiate enable
    next
end

config firewall address
    edit "strongSwan_split"
        set subnet 192.168.2.0 255.255.255.0
    next
end

config firewall policy
    edit 0
        set name "VPN_to_LAN"
        set srcintf "strongSwan"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
end

 

Install StrongSwan:

 

sudo apt update
sudo apt install strongswan

 

Configure the StrongSwan client (Linux)

 

Here is a sample of a standard configuration of the Linux IPsec client:

 

/etc/ipsec.conf

config setup
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2"

conn fortigate-vpn
    keyexchange=ikev2
    auto=start
    type=tunnel
    ikelifetime=28800s
    lifetime=3600s
    dpdaction=restart
    dpddelay=30s
    dpdtimeout=120s

    authby=secret
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!

    leftsourceip=%config
    leftauth=psk
    leftsubnet=10.10.10.0/24
    right=YourFortiGatePublicIP
    rightsubnet=192.168.2.0/24
    rightauth=psk

/etc/ipsec.secrets

: PSK "YourPresharedKeyHere"

 

Diagnostics can be performed on both sides.

 

Linux side.

Ensure the tunnel is up:

 

sudo ipsec statusall

 

Check routing:

 

ip route

 

Verify that traffic is routed over IPsec.

 

On FortiGate, ensure Phase 2 proxy IDs are installed:

 

diagnose vpn tunnel list name strongSwan

 

Expected:

 

proxyid_num=1
  local: 10.10.10.0/255.255.255.0
  remote: 192.168.2.0/255.255.255.0

 

Use debug flow to confirm packet path:

 

diagnose debug reset
diagnose debug flow filter addr 10.10.10.10
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug console timestamp enable
diagnose debug enable
diagnose debug flow trace start 20

 

Then, a ping from the client:

 

ping 192.168.2.1

 

Expected: the flow is allowed by the firewall policy, and the return traffic is sent back through the VPN.

 

Diagnose missing routes or dropped responses on Linux:

Use tcpdump to check whether replies are arriving:

 

sudo tcpdump -i any icmp

 

Check that the Linux firewall (for example, ufw or iptables) is not dropping the responses.
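The Linux-side checks above (tunnel up, route present, traffic on the IPsec path) can be scripted. The following is an added example and not part of the Fortinet article: each function takes captured command output as its last argument, so it can be tested against the constructed sample output embedded below or pointed at the live commands. It assumes the connection name fortigate-vpn and the selectors from the configuration above; the peer addresses in the samples are documentation-range placeholders. Note that charon installs its routes in routing table 220 by default, so a plain ip route does not list the tunnel route.

```sh
#!/bin/sh
# Added example (not from the Fortinet article): offline-testable checks for the
# strongSwan side of the tunnel. Each check takes command output as its last argument.

# Constructed sample output; values match the article's configuration, peer
# addresses 203.0.113.5 (client) and 198.51.100.1 (FortiGate) are placeholders.
SAMPLE_STATUS='Security Associations (1 up, 0 connecting):
fortigate-vpn[1]: ESTABLISHED 5 minutes ago, 203.0.113.5[203.0.113.5]...198.51.100.1[198.51.100.1]
fortigate-vpn{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c1a2b3c4_i d5e6f7a8_o
fortigate-vpn{1}:   10.10.10.0/24 === 192.168.2.0/24'
SAMPLE_ROUTE='192.168.2.0/24 via 203.0.113.1 dev eth0 proto static src 10.10.10.10'
SAMPLE_XFRM='src 10.10.10.0/24 dst 192.168.2.0/24
    dir out priority 375423 ptype main
    tmpl src 203.0.113.5 dst 198.51.100.1
        proto esp reqid 1 mode tunnel'

# ike_established CONN STATUS: the IKE_SA for CONN is ESTABLISHED ("ipsec statusall").
ike_established() {
    printf '%s\n' "$2" | grep -q "^$1\[[0-9]*\]: ESTABLISHED"
}

# child_installed CONN LOCAL REMOTE STATUS: a CHILD_SA for CONN is INSTALLED with
# selectors LOCAL === REMOTE (the "." in the prefixes is a regex wildcard here, harmless).
child_installed() {
    printf '%s\n' "$4" | grep -q "^$1{[0-9]*}: *INSTALLED" &&
    printf '%s\n' "$4" | grep -q "^$1{[0-9]*}: *$2 === $3\$"
}

# vpn_route_present REMOTE TABLE220: "ip route show table 220" holds a route to REMOTE.
vpn_route_present() {
    printf '%s\n' "$2" | grep -q "^$1 "
}

# xfrm_out_policy LOCAL REMOTE POLICY: "ip xfrm policy" has an outbound policy LOCAL -> REMOTE,
# i.e. packets to REMOTE are actually steered into the IPsec path.
xfrm_out_policy() {
    printf '%s\n' "$3" | awk -v s="$1" -v d="$2" '
        $1=="src" && $2==s && $3=="dst" && $4==d { hit=1; next }
        hit && $1=="dir" { if ($2=="out") ok=1; hit=0 }
        END { exit !ok }'
}

# Live run on the client: CHECK_LIVE=1 sh check_vpn.sh
if [ "${CHECK_LIVE:-0}" = 1 ]; then
    st=$(sudo ipsec statusall); rt=$(ip route show table 220); pol=$(ip xfrm policy)
    ike_established fortigate-vpn "$st" && echo "IKE_SA: up" || echo "IKE_SA: DOWN"
    child_installed fortigate-vpn 10.10.10.0/24 192.168.2.0/24 "$st" && echo "CHILD_SA: ok" || echo "CHILD_SA: MISSING"
    vpn_route_present 192.168.2.0/24 "$rt" && echo "route (table 220): ok" || echo "route (table 220): MISSING"
    xfrm_out_policy 10.10.10.0/24 192.168.2.0/24 "$pol" && echo "xfrm out policy: ok" || echo "xfrm out policy: MISSING"
fi
```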

 

Conclusion.

This article describes how to configure a remote user IPsec VPN tunnel using IKEv2 between a FortiGate firewall and a Linux client running StrongSwan. It covers both configuration steps and troubleshooting techniques to ensure successful connectivity and traffic flow. Ensure Phase 2 selectors are defined, NAT is disabled, routes are clean, IPsec policies are installed, and firewall policies allow traffic from the VPN to internal networks.