Created on 05-11-2025 11:43 PM, edited on 05-15-2025 06:26 AM, by Jean-Philippe_P
This article describes how to set up and maintain an IKEv2 Site-to-Site IPsec VPN between a FortiGate and StrongSwan on Ubuntu Linux.
Scope: FortiGate.
Once the configuration is complete, the VPN tunnel may not establish as expected due to various underlying issues. Effective troubleshooting is essential to identify the root cause and ensure stable VPN connectivity.
Topology:
Troubleshooting on FortiGate:
Verify whether the StrongSwan VPN peer IP (e.g., 172.16.24.133) is reachable by sending ICMP echo requests (ping). This helps confirm basic network connectivity between the VPN endpoints before further IPsec negotiation is attempted.
Verify that routes are present on the FortiGate, then check the IKE gateway and tunnel status:
erbium-kvm56 # diagnose vpn ike gateway list
vd: root/0
name: FGT_to-strong
version: 2
interface: port3 5
addr: 172.16.24.16:500 -> 172.16.24.133:500
tun_id: 172.16.24.133/::172.16.24.133
remote_location: 0.0.0.0
network-id: 0
transport: UDP
created: 4s ago
pending-queue: 0
PPK: no
IKE SA: created 1/1
IPsec SA: created 1/1
id/spi: 36 b5d29ca1204e948b/0000000000000000
direction: initiator
status: connecting, state 3, started 4s ago --> phase1 itself is down.
erbium-kvm56 # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=FGT_to-strong ver=2 serial=3 172.16.24.16:0->172.16.24.133:0 nexthop=0.0.0.0 tun_id=172.16.24.133 tun_id6=::172.16.24.133 status=down dst_mtu=0 weight=1
bound_if=5 real_if=5 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=0 role=primary accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=3 ilast=42950434 olast=42950434 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=0 status=fail idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
fec: egress=0 ingress=0
proxyid=FGT_to-strong proto=0 sa=0 ref=2 serial=1 auto-negotiate
src: 0:10.2.0.0-10.2.255.255:0
dst: 0:10.1.0.0-10.1.255.255:0
erbium-kvm56 # diagnose debug application ike -1
erbium-kvm56 # diagnose debug enable
erbium-kvm56 # ike 0:FGT_to-strong:39: out ...
ike V=root:0:FGT_to-strong:39: sent IKE msg (RETRANSMIT_SA_INIT): 172.16.24.16:500->172.16.24.133:500, len=440, vrf=0, id=ed9cb672c5b34f4c/0000000000000000, oif=5
ike V=root:0:FGT_to-strong:FGT_to-strong: IPsec SA connect 5 172.16.24.16->172.16.24.133:0
ike V=root:0:FGT_to-strong:FGT_to-strong: using existing connection
ike V=root:0:FGT_to-strong:FGT_to-strong: config found
ike V=root:0:FGT_to-strong: request is on the queue
ike V=root:0:FGT_to-strong:FGT_to-strong: IPsec SA connect 5 172.16.24.16->172.16.24.133:0
ike V=root:0:FGT_to-strong:FGT_to-strong: using existing connection
ike V=root:0:FGT_to-strong:FGT_to-strong: config found
ike V=root:0:FGT_to-strong: request is on the queue
ike :shrank heap by 159744 bytes
ike V=root:0:FGT_to-strong:FGT_to-strong: IPsec SA connect 5 172.16.24.16->172.16.24.133:0
ike V=root:0:FGT_to-strong:FGT_to-strong: using existing connection
ike V=root:0:FGT_to-strong:FGT_to-strong: config found
ike V=root:0:FGT_to-strong: request is on the queue
Here, the IKE_SA_INIT packet is being sent out and retransmitted (RETRANSMIT_SA_INIT).
To stop debugging:
diagnose debug disable
Packet sniffer output on port3:
2025-05-11 12:48:11.317402 port3 out 172.16.24.16.500 -> 172.16.24.133.500: udp 440
2025-05-11 12:48:11.322456 port3 out 172.16.24.16.500 -> 172.16.24.133.500: udp 440
Here it can be seen that the FortiGate is sending UDP 500 packets out but does not receive any response.
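The "sent but never answered" pattern above is easy to miss in a long sniffer capture. The following Python script is an added example (not part of the Fortinet article) that parses FortiGate sniffer lines of the format shown above, counts IKE packets (UDP 500/4500) per peer in each direction, and flags peers that only ever see outbound traffic. The two sample captures are constructed: the first mirrors the article's output, the second shows what a healthy exchange looks like.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the article's sniffer output:
# two outbound IKE_SA_INIT retransmits to the peer, nothing coming back.
SAMPLE_SNIFFER = """\
2025-05-11 12:48:11.317402 port3 out 172.16.24.16.500 -> 172.16.24.133.500: udp 440
2025-05-11 12:48:11.322456 port3 out 172.16.24.16.500 -> 172.16.24.133.500: udp 440
"""

# Constructed "healthy" sample for comparison: the peer answers on UDP 500.
SAMPLE_HEALTHY = """\
2025-05-11 12:50:01.100000 port3 out 172.16.24.16.500 -> 172.16.24.133.500: udp 440
2025-05-11 12:50:01.104000 port3 in 172.16.24.133.500 -> 172.16.24.16.500: udp 456
"""

# One sniffer line: "<date> <time> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: <proto> <len>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<proto>\w+) (?P<len>\d+)$"
)
IKE_PORTS = {"500", "4500"}  # IKE and IKE over NAT-T


def parse_sniffer(text):
    """Yield one dict per parsable sniffer line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def ike_direction_summary(text):
    """Count IKE (UDP 500/4500) packets per remote peer, split by direction."""
    counts = defaultdict(lambda: {"out": 0, "in": 0})
    for pkt in parse_sniffer(text):
        if pkt["proto"] != "udp" or not ({pkt["sport"], pkt["dport"]} & IKE_PORTS):
            continue
        # The remote peer is the destination of outbound and the source of inbound packets.
        peer = pkt["dst"] if pkt["dir"] == "out" else pkt["src"]
        counts[peer][pkt["dir"]] += 1
    return dict(counts)


def diagnose(text):
    """Return (peer, verdict) pairs; 'no-reply' means IKE was sent but nothing came back."""
    verdicts = []
    for peer, c in sorted(ike_direction_summary(text).items()):
        if c["out"] and not c["in"]:
            verdicts.append((peer, "no-reply"))
        elif c["in"] and not c["out"]:
            verdicts.append((peer, "inbound-only"))
        else:
            verdicts.append((peer, "bidirectional"))
    return verdicts


if __name__ == "__main__":
    for label, sample in (("article capture", SAMPLE_SNIFFER), ("healthy capture", SAMPLE_HEALTHY)):
        print(label, ike_direction_summary(sample), diagnose(sample))
```

A "no-reply" verdict points at the path between the peers (host firewall on the Linux side, ISP filtering, or a wrong peer address) rather than at IKE proposal settings, since the peer never gets far enough to answer at all.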
Note:
Verify that UDP 500 (and UDP 4500 when NAT-T is in use) is allowed inbound and outbound on the Linux machine's firewall, and that nothing is blocked on the ISP side. Once the required protocols are allowed, the tunnel will come up.
On a Linux machine:
fortinet@tau-kvm168:~$ systemctl status strongswan-starter.service
strongswan-starter.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.>
Loaded: loaded (/usr/lib/systemd/system/strongswan-starter.service; enable>
Active: active (running) since Sun 2025-05-11 09:19:07 CEST; 7min ago
Main PID: 2889 (starter)
Tasks: 18 (limit: 2270)
Memory: 5.1M (peak: 7.3M)
CPU: 87ms
CGroup: /system.slice/strongswan-starter.service
├─2889 /usr/lib/ipsec/starter --daemon charon --nofork
└─2896 /usr/lib/ipsec/charon
root@tau-kvm168:/home/fortinet# ipsec status
Security Associations (1 up, 0 connecting):
strongswan-to-fortigate[2]: ESTABLISHED 8 minutes ago, 172.16.24.133[172.16.24.133]...172.16.24.16[172.16.24.16]
strongswan-to-fortigate{2}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ca4cffbb_i d2456641_o
strongswan-to-fortigate{2}: 10.1.0.0/16 === 10.2.0.0/16
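The FortiGate prints its phase 2 selectors as address ranges (src: 0:10.2.0.0-10.2.255.255:0) while strongSwan prints CIDRs (10.1.0.0/16 === 10.2.0.0/16), which makes a selector mismatch easy to overlook when comparing the two outputs by eye. The script below is an added example (not from the Fortinet article) that parses both formats, converts the FortiGate ranges to CIDR with the standard-library ipaddress module, and checks that each side's local selector equals the other side's remote selector. The excerpts are constructed copies of the two outputs shown in the article, plus one deliberately mismatched strongSwan line.

```python
import ipaddress
import re

# Constructed excerpt in the shape of "diagnose vpn tunnel list" proxyid output.
FORTIGATE_TUNNEL_LIST = """\
proxyid=FGT_to-strong proto=0 sa=0 ref=2 serial=1 auto-negotiate
src: 0:10.2.0.0-10.2.255.255:0
dst: 0:10.1.0.0-10.1.255.255:0
"""

# Constructed excerpt in the shape of "ipsec status" output on the strongSwan side.
STRONGSWAN_STATUS = """\
strongswan-to-fortigate{2}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ca4cffbb_i d2456641_o
strongswan-to-fortigate{2}: 10.1.0.0/16 === 10.2.0.0/16
"""

# Constructed mismatch: the remote selector on the strongSwan side is narrower than the FortiGate's.
STRONGSWAN_MISMATCH = "strongswan-to-fortigate{2}: 10.1.0.0/16 === 10.2.0.0/24\n"

FGT_SEL_RE = re.compile(r"^(src|dst): \d+:(\S+?)-(\S+?):\d+$")  # "src: <proto>:<first>-<last>:<port>"
SWAN_TS_RE = re.compile(r"^\S+\{\d+\}: (.+?) === (.+?)$")        # "<conn>{n}: <local> === <remote>"


def range_to_networks(first, last):
    """Turn a FortiGate first-last address range into the set of CIDR blocks covering it."""
    nets = ipaddress.summarize_address_range(ipaddress.ip_address(first), ipaddress.ip_address(last))
    return frozenset(str(n) for n in nets)


def parse_fortigate_selectors(text):
    """Return {'src': cidrs, 'dst': cidrs} from a FortiGate proxyid block."""
    sel = {}
    for line in text.splitlines():
        m = FGT_SEL_RE.match(line.strip())
        if m:
            sel[m.group(1)] = range_to_networks(m.group(2), m.group(3))
    return sel


def parse_strongswan_selectors(text):
    """Return {'local': cidrs, 'remote': cidrs} from the first 'a === b' line found."""
    for line in text.splitlines():
        m = SWAN_TS_RE.match(line.strip())
        if m:
            return {
                "local": frozenset(m.group(1).split()),
                "remote": frozenset(m.group(2).split()),
            }
    return {}


def selectors_match(fgt_text, swan_text):
    """True when FortiGate src == strongSwan remote and FortiGate dst == strongSwan local."""
    fgt = parse_fortigate_selectors(fgt_text)
    swan = parse_strongswan_selectors(swan_text)
    if not fgt or not swan:
        return False
    return fgt["src"] == swan["remote"] and fgt["dst"] == swan["local"]


if __name__ == "__main__":
    print("article outputs match:", selectors_match(FORTIGATE_TUNNEL_LIST, STRONGSWAN_STATUS))
    print("mismatched sample:", selectors_match(FORTIGATE_TUNNEL_LIST, STRONGSWAN_MISMATCH))
```

If the check fails while phase 1 is up, the tunnel may still show proxyid lines with sa=0 on the FortiGate and no {n} INSTALLED entry on strongSwan, since IKEv2 child SA negotiation requires the traffic selectors to agree.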
Capture the IKE traffic on the Linux side (interface enp4s0 in this example):
sudo tcpdump -nnvvv -i enp4s0 'host 172.16.24.16 and (port 500 or port 4500)' -w ikev2-capture.pcap
Open the capture in Wireshark from the terminal:
wireshark ikev2-capture.pcap
To see detailed SA status and to bring up a connection manually:
sudo ipsec statusall
sudo ipsec up <connection-name>
To view a list of connections:
swanctl --list-connections
For the configuration, the KB article below can be followed: Technical Tip: FortiGate Site-to-Site VPN with Strongswan on Ubuntu.
Copyright 2025 Fortinet, Inc. All Rights Reserved.