Description
This article describes how to connect an Ubuntu PC to a FortiGate via an IPsec dialup connection.
Scope
FortiClient for Linux does not support dialup IPsec, so the connection can be configured with the strongSwan package on Linux instead.
The configuration below was done on Ubuntu 20.04.
Solution
Configuration on Fortigate:
To configure the VPN on the FortiGate, open the IPsec Wizard in the GUI -> Template Type: Remote Access -> Remote Device Type: Client-Based, Cisco.
Select the incoming interface, the pre-shared key and the user group.
Select the appropriate LAN interface, the local subnet and the IP range to be assigned to VPN clients.
FortiClient for Linux does not support IPsec dialup connections at the moment.
To connect from Ubuntu over IPsec, the native VPN package 'strongswan' can be installed instead.
Configuration on Ubuntu 20.04:
Install strongSwan on Ubuntu with the apt package manager.
$ sudo apt install strongswan
Also install the package below, which provides the systemd-managed charon daemon.
$ sudo apt install charon-systemd
To enable packet forwarding in the kernel, edit /etc/sysctl.conf, uncomment the lines below and apply them with 'sudo sysctl -p'. Forwarding is only required if the Ubuntu host has to route traffic for other hosts through the tunnel; a single client does not need it. The two redirect settings disable ICMP redirects and are a recommended hardening step on any IPsec host.
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
To check the status of the strongSwan service, run the command below.
# systemctl status strongswan.service
The output below appears if the process is running. The 'no connections found' lines from swanctl are expected at this point, because no connection has been configured yet.
● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using swanctl
Loaded: loaded (/lib/systemd/system/strongswan.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2022-03-19 08:19:10 CET; 46s ago
Process: 6903 ExecStartPost=/usr/sbin/swanctl --load-all --noprompt (code=exited, status=0/SUCCESS)
Main PID: 6886 (charon-systemd)
Status: "charon-systemd running, strongSwan 5.8.2, Linux 5.4.0-104-generic, x86_64"
Tasks: 17 (limit: 2268)
Memory: 2.5M
CGroup: /system.slice/strongswan.service
└─6886 /usr/sbin/charon-systemd
Mar 19 08:19:10 xenon-kvm33 charon-systemd[6886]: loaded IKE secret for 10.5.21.252
Mar 19 08:19:10 xenon-kvm33 charon-systemd[6886]: loaded EAP secret for ubuntu_VPN
Mar 19 08:19:10 xenon-kvm33 charon-systemd[6886]: loaded plugins: charon-systemd aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 p>
Mar 19 08:19:10 xenon-kvm33 charon-systemd[6886]: dropped capabilities, running as uid 0, gid 0
Mar 19 08:19:10 xenon-kvm33 charon-systemd[6886]: spawning 16 worker threads
Mar 19 08:19:10 xenon-kvm33 swanctl[6903]: no files found matching '/etc/swanctl/conf.d/*.conf'
Mar 19 08:19:10 xenon-kvm33 swanctl[6903]: no authorities found, 0 unloaded
Mar 19 08:19:10 xenon-kvm33 swanctl[6903]: no pools found, 0 unloaded
Mar 19 08:19:10 xenon-kvm33 swanctl[6903]: no connections found, 0 unloaded
Mar 19 08:19:10 xenon-kvm33 systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.
strongSwan reads the connection definition from two files, /etc/ipsec.conf and /etc/ipsec.secrets. These belong to the legacy 'ipsec' command (the stroke interface) and are separate from the swanctl configuration under /etc/swanctl/, which is why the service log above reports no swanctl connections.
In this case the following settings have to be configured:
FortiGate gateway IP: 10.5.21.252
Tunnel type: IKEv1 main mode
FortiGate LAN subnet: 10.140.0.0/20
Authentication type: pre-shared key and XAuth
Pre-shared key: abcd1234
XAuth username: ubuntu_VPN
XAuth password: ubuntu
The first file to edit is /etc/ipsec.conf.
Open it with a text editor such as vi and add the lines below for the connection. The parameter lines must be indented under the conn line, otherwise the parser does not assign them to the connection.
conn "FGT"
    keyexchange=ikev1
    ikelifetime=1440m
    keylife=60m
    aggressive=no
    ike=aes256-sha256-modp1024
    esp=aes256-sha256
    xauth=client
    left=%defaultroute
    leftsourceip=%config
    leftauth=psk
    rightauth=psk
    leftauth2=xauth
    right=10.5.21.252
    rightsubnet=10.140.0.0/20
    xauth_identity=ubuntu_VPN
    auto=add
Setting "rightsubnet=0.0.0.0/0" instead results in a full tunnel; in that case a firewall policy from the VPN tunnel interface to the WAN interface is also needed on the FortiGate.
Another option is "auto=start", which brings the tunnel up automatically every time the strongSwan service starts, for example after a reboot of the Ubuntu client.
The ike= proposal above uses modp1024 (DH group 2), which is considered weak today. If the FortiGate phase 1 proposal offers it, use modp2048 (DH group 14) or higher on both sides; the proposals in ipsec.conf must match what the FortiGate offers, or phase 1 fails with no proposal chosen.
The second file to edit is /etc/ipsec.secrets, with the lines below. It holds the pre-shared key and the XAuth password in clear text, so it must be readable by root only (chmod 600 /etc/ipsec.secrets).
10.5.21.252 : PSK "abcd1234"
ubuntu_VPN : XAUTH "ubuntu"
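The two files above can also be generated from the connection parameters rather than typed by hand, which keeps the secrets file permissions correct and lets a weak proposal be caught before the files go live. The script below is an added example and not part of the Fortinet article or of strongSwan; it uses the article's gateway, subnet, user and pre-shared key as sample values, and the function names, the IKE_PROPOSAL/ESP_PROPOSAL variables and the staging directory are assumptions made for this example. Its default ike= proposal raises the DH group to modp2048 (group 14), which the FortiGate phase 1 proposal must also offer.

```sh
#!/bin/sh
# Added example, not part of the Fortinet article: render the legacy
# strongSwan files (/etc/ipsec.conf, /etc/ipsec.secrets) for a FortiGate
# dialup connection into a staging directory, keep the secrets file root-only
# and lint the proposals for weak algorithms before the files are installed.
# Function names, the IKE_PROPOSAL/ESP_PROPOSAL variables and the staging
# directory are assumptions made for this example.
set -eu

# Render both files for one connection.
# $1 = output directory, $2 = connection name, $3 = FortiGate gateway IP,
# $4 = remote subnet, $5 = XAuth user, $6 = pre-shared key, $7 = XAuth password
# IKE_PROPOSAL / ESP_PROPOSAL may be set in the environment to override the
# defaults (the default DH group is modp2048, i.e. DH group 14).
render_fortigate_conn() {
    outdir=$1; name=$2; gw=$3; subnet=$4; user=$5; psk=$6; xpw=$7
    mkdir -p "$outdir"
    cat > "$outdir/ipsec.conf" <<EOF
conn $name
    keyexchange=ikev1
    ikelifetime=1440m
    keylife=60m
    aggressive=no
    ike=${IKE_PROPOSAL:-aes256-sha256-modp2048}
    esp=${ESP_PROPOSAL:-aes256-sha256}
    xauth=client
    left=%defaultroute
    leftsourceip=%config
    leftauth=psk
    rightauth=psk
    leftauth2=xauth
    right=$gw
    rightsubnet=$subnet
    xauth_identity=$user
    auto=add
EOF
    # The secrets file is created inside a subshell with a restrictive umask,
    # so it is mode 0600 from the moment it exists (never world-readable).
    (
        umask 077
        rm -f "$outdir/ipsec.secrets"
        cat > "$outdir/ipsec.secrets" <<EOF
$gw : PSK "$psk"
$user : XAUTH "$xpw"
EOF
    )
}

# Return 1 (and print the offending lines on stderr) if an ike= or esp= line
# names a DH group or algorithm that should not be used for a new deployment.
lint_proposals() {
    hits=$(grep -E '^[[:space:]]*(ike|esp)=' "$1" \
        | grep -E 'modp768|modp1024|modp1536|md5|sha1|3des|null' || true)
    if [ -n "$hits" ]; then
        printf 'weak proposal in %s:\n%s\n' "$1" "$hits" >&2
        return 1
    fi
    return 0
}

# Stand-alone demo: "sh render_fgt.sh demo" renders into a temporary
# directory and lints the result; copy the files to /etc when satisfied.
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    render_fortigate_conn "$dir" FGT 10.5.21.252 10.140.0.0/20 ubuntu_VPN abcd1234 ubuntu
    cat "$dir/ipsec.conf"
    lint_proposals "$dir/ipsec.conf" && echo "proposals OK"
fi
```

Rendering into a temporary directory first and copying to /etc only after the lint passes keeps a bad proposal from ever reaching the daemon; setting IKE_PROPOSAL=aes256-sha256-modp1024 reproduces the article's proposal and makes the lint fail.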
Once completed, restart the strongSwan service and reload the connection definitions with the commands below as root. After a later change to ipsec.secrets alone, 'ipsec rereadsecrets' reloads the secrets without a restart.
# systemctl restart strongswan
# ipsec update
# ipsec reload
To bring up the tunnel, run 'ipsec up FGT' as root, where FGT is the connection name configured in /etc/ipsec.conf. Bringing up the tunnel shows the information below.
# ipsec up FGT
initiating Main Mode IKE_SA FGT[1] to 10.5.21.252
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 10.5.21.133[500] to 10.5.21.252[500] (252 bytes)
received packet: from 10.5.21.252[500] to 10.5.21.133[500] (204 bytes)
parsed ID_PROT response 0 [ SA V V V V V V ]
received NAT-T (RFC 3947) vendor ID
received DPD vendor ID
received XAuth vendor ID
received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00
received FRAGMENTATION vendor ID
received FRAGMENTATION vendor ID
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 10.5.21.133[500] to 10.5.21.252[500] (268 bytes)
received packet: from 10.5.21.252[500] to 10.5.21.133[500] (252 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 10.5.21.133[500] to 10.5.21.252[500] (108 bytes)
received packet: from 10.5.21.252[500] to 10.5.21.133[500] (92 bytes)
queueing TRANSACTION request as tasks still active
received packet: from 10.5.21.252[500] to 10.5.21.133[500] (92 bytes)
parsed ID_PROT response 0 [ ID HASH ]
parsed TRANSACTION request 3840560674 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
generating TRANSACTION response 3840560674 [ HASH CPRP(X_USER X_PWD) ]
sending packet: from 10.5.21.133[500] to 10.5.21.252[500] (108 bytes)
received packet: from 10.5.21.252[500] to 10.5.21.133[500] (92 bytes)
parsed TRANSACTION request 21457498 [ HASH CPS(X_STATUS) ]
XAuth authentication of 'ubuntu_VPN' (myself) successful
IKE_SA FGT[1] established between 10.5.21.133[10.5.21.133]...10.5.21.252[10.5.21.252]
scheduling reauthentication in 85803s
maximum IKE_SA lifetime 86343s
generating TRANSACTION response 21457498 [ HASH CPA(X_STATUS) ]
sending packet: from 10.5.21.133[500] to 10.5.21.252[500] (92 bytes)
generating TRANSACTION request 2585688889 [ HASH CPRQ(ADDR DNS) ]
sending packet: from 10.5.21.133[500] to 10.5.21.252[500] (92 bytes)
received packet: from 10.5.21.252[500] to 10.5.21.133[500] (108 bytes)
parsed TRANSACTION response 2585688889 [ HASH CPRP(ADDR DNS DNS) ]
installing DNS server 10.5.31.253 to /etc/resolv.conf
installing DNS server 96.45.46.46 to /etc/resolv.conf
installing new virtual IP 192.168.50.10
generating QUICK_MODE request 3030603905 [ HASH SA No ID ID ]
sending packet: from 10.5.21.133[500] to 10.5.21.252[500] (220 bytes)
received packet: from 10.5.21.252[500] to 10.5.21.133[500] (172 bytes)
parsed QUICK_MODE response 3030603905 [ HASH SA No ID ID ]
selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
CHILD_SA FGT{1} established with SPIs c72cb7eb_i 32618946_o and TS 192.168.50.10/32 === 10.140.0.0/20
generating QUICK_MODE request 3030603905 [ HASH ]
connection 'FGT' established successfully
Here the Ubuntu PC has received the virtual IP address 192.168.50.10 from the range defined on the FortiGate, the XAuth login of 'ubuntu_VPN' succeeded, and the selected proposals (AES-256/HMAC-SHA-256/MODP-1024 for IKE, AES-256/HMAC-SHA-256 for ESP) match the ike= and esp= lines in ipsec.conf.
The status of the tunnel can be checked with the command below.
# ipsec status
Security Associations (1 up, 0 connecting):
FGT[1]: ESTABLISHED 10 minutes ago, 10.5.21.133[10.5.21.133]...10.5.21.252[10.5.21.252]
FGT{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c72cb7eb_i 32618946_o
FGT{1}: 192.168.50.10/32 === 10.140.0.0/20
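For a monitoring job or login script it is useful to turn the 'ipsec status' output above into a decision: the IKE_SA can be ESTABLISHED while no CHILD_SA is INSTALLED (phase 2 failed or not yet negotiated), which is a different failure from the connection being down. The script below is an added example and not part of the Fortinet article or of strongSwan; the three sample outputs are constructed from the article's session and the function names are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not part of the Fortinet article: classify a named strongSwan
# connection from the text output of "ipsec status", distinguishing "up"
# (IKE_SA and CHILD_SA) from "ike-only" (phase 1 only) and "down".
# Function names are assumptions; the samples are constructed from the article.
set -eu

# Read "ipsec status" output on stdin, print one word and set the exit status:
#   up        IKE_SA ESTABLISHED and a CHILD_SA INSTALLED   (exit 0)
#   ike-only  IKE_SA ESTABLISHED but no CHILD_SA            (exit 1)
#   down      no established IKE_SA for this connection     (exit 1)
tunnel_state() {
    name=$1
    status=$(cat)
    if printf '%s\n' "$status" | grep -Eq "^[[:space:]]*${name}\[[0-9]+\]: ESTABLISHED"; then
        if printf '%s\n' "$status" | grep -Eq "^[[:space:]]*${name}\{[0-9]+\}:[[:space:]]+INSTALLED"; then
            echo up
            return 0
        fi
        echo ike-only
        return 1
    fi
    echo down
    return 1
}

# Print "<virtual IP> <remote subnet>" from the traffic selector line of the
# first CHILD_SA of the named connection; prints nothing if there is none.
tunnel_selectors() {
    name=$1
    sed -n -E "s|^[[:space:]]*${name}\{[0-9]+\}:[[:space:]]+([0-9./]+) === ([0-9./]+).*|\1 \2|p" | head -n 1
}

# Constructed sample outputs (shape taken from the article's "ipsec status").
SAMPLE_UP='Security Associations (1 up, 0 connecting):
         FGT[1]: ESTABLISHED 10 minutes ago, 10.5.21.133[10.5.21.133]...10.5.21.252[10.5.21.252]
         FGT{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c72cb7eb_i 32618946_o
         FGT{1}:   192.168.50.10/32 === 10.140.0.0/20'

SAMPLE_IKE_ONLY='Security Associations (1 up, 0 connecting):
         FGT[1]: ESTABLISHED 10 minutes ago, 10.5.21.133[10.5.21.133]...10.5.21.252[10.5.21.252]'

SAMPLE_DOWN='Security Associations (0 up, 1 connecting):
         FGT[2]: CONNECTING, 10.5.21.133[%any]...10.5.21.252[%any]'

# Stand-alone demo: "sh tunnel_check.sh demo" classifies the three samples.
# On a live host use:  ipsec status | tunnel_state FGT
if [ "${1:-}" = "demo" ]; then
    for s in "$SAMPLE_UP" "$SAMPLE_IKE_ONLY" "$SAMPLE_DOWN"; do
        printf '%s\n' "$s" | tunnel_state FGT || true
    done
    printf '%s\n' "$SAMPLE_UP" | tunnel_selectors FGT
fi
```

The check keys on the connection name in both the IKE_SA line (FGT[n]) and the CHILD_SA line (FGT{n}), so a different connection that happens to be up on the same host does not produce a false "up".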
Test connectivity with ping from the Ubuntu CLI to a host in the remote subnet.
# ping 10.140.5.252
PING 10.140.5.252 (10.140.5.252) 56(84) bytes of data.
64 bytes from 10.140.5.252: icmp_seq=1 ttl=255 time=0.839 ms
64 bytes from 10.140.5.252: icmp_seq=2 ttl=255 time=0.432 ms
64 bytes from 10.140.5.252: icmp_seq=3 ttl=255 time=0.493 ms
To bring the tunnel down, use the command below.
# ipsec down FGT
For more options in ipsec.conf and ipsec.secrets, refer to the man pages on Ubuntu.
# man ipsec.conf
# man ipsec.secrets
Note:
For issues related to strongSwan installation or configuration, or any other strongSwan issue, post them in the strongSwan or Ubuntu forums.
For more information on strongSwan, the documentation can be found at the link below.
https://docs.strongswan.org/strongswan-docs/
Copyright 2024 Fortinet, Inc. All Rights Reserved.