I tried to use strongSwan on a Linux host to bring up an IPsec VPN with a FortiGate.
On the Windows FortiClient, no problem.
My FortiGate configuration is:
FortiGate VPN: IKEv1, aggressive mode, NAT-T
Phase 1:
    edit "vpn-IPSEC"
        set type dynamic
        set interface "INET"
        set local-gw PublicIP
        set mode aggressive
        set peertype any
        set mode-cfg enable
        set ipv4-dns-server1 x.x.x.31
        set proposal aes256-sha512 aes256-sha384
        set dpd on-idle
        set dhgrp 14
        set xauthtype auto
        set authusrgrp "SI_admin"
        set ipv4-start-ip x.x.x.1
        set ipv4-end-ip x.x.x.10
        set ipv4-netmask x.x.x.0
        set ipv4-split-include "group-VPN"
        set psksecret ENC *****************************************==
        set dpd-retryinterval 60
    next
Phase 2:
    edit "vpn-IPSEC"
        set phase1name "vpn-IPSEC"
        set proposal aes256-sha512 aes256-sha384
        set dhgrp 14
    next
My strongSwan configuration is:
    # /etc/ipsec.d/forti.conf
    config setup
        charondebug = "dmn 1, mgr 1, ike 1, ike 2, chd 1, job 1, cfg 3, knl 2, net 2, lib 1"
        nat_traversal = yes
Also, I would get the ipsec log and the diag debug application ike -1 output from the Linux client and the FortiGate, respectively.
Lastly, you need to do some packet captures on Linux (e.g. tcpdump -nnvvv -i eth0 host x.x.x.x and port 500 or 4500) or on the FortiGate CLI (diag sniffer packet any "host y.y.y.y").
In your cfg I would also simplify the following lines and ensure you have this:
    conn vpn-dialup1
        left=%any
        leftsourceip=%config
        email@example.com
        right=vpnserverfgt100D.example.com    # the dns or ipv4 address of the fortigate interface that matches the address in phase1-interface interface
        rightsubnet=0.0.0.0/0    # optional, probably not needed
        leftsubnet=0.0.0.0/0
        firstname.lastname@example.org    # I would set a matching IKE-ID on the fortigate and then populate that here in your cfg
        auto=add

ipsec up your "fortinet" profile, grab your logs, grab a packet capture at the Linux host and/or FortiGate, and then do the proper analysis based on your findings.

Tip: if you have iptables or firewalld, you need proper rules to allow traffic.

YMMV, but the above examples, link and tips should get you pointed in the right direction.

Ken Felix
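A common reason a FortiClient dialup works while strongSwan fails is a phase 1/phase 2 proposal mismatch, which shows up in the logs above as NO_PROPOSAL_CHOSEN. The following Python is an added example (not part of this thread nor of either vendor's tooling) that turns the question's FortiGate proposal and dhgrp settings into the strongSwan ike=/esp= lines a conn block needs; the DH-group name mapping, the parse_forti/forti_to_strongswan/common_proposals helpers and the trimmed sample blocks are assumptions of mine.

```python
# Added example, not from the thread: derive strongSwan ike=/esp= proposal
# strings from the flattened FortiGate phase1/phase2 blocks quoted above, so
# the two peers offer the same cipher, integrity algorithm and DH group.
import re

# FortiGate dhgrp number -> strongSwan group keyword (assumed mapping)
DH_GROUPS = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048",
             15: "modp3072", 19: "ecp256", 20: "ecp384", 21: "ecp521"}

# Constructed input: the question's phase blocks, reduced to the proposal settings
FORTI_PHASE1 = ('edit "vpn-IPSEC" set type dynamic set mode aggressive '
                'set proposal aes256-sha512 aes256-sha384 set dhgrp 14 next')
FORTI_PHASE2 = ('edit "vpn-IPSEC" set phase1name "vpn-IPSEC" '
                'set proposal aes256-sha512 aes256-sha384 set dhgrp 14 next')

def parse_forti(block):
    """Split a one-line 'set key v1 v2 ...' FortiGate block into {key: [values]}."""
    settings = {}
    for m in re.finditer(r"\bset (\S+)((?: (?!set |next\b)\S+)*)", block):
        settings[m.group(1)] = m.group(2).split()
    return settings

def forti_to_strongswan(block):
    """Strict ('!') strongSwan proposal list equivalent to the FortiGate block."""
    s = parse_forti(block)
    groups = [DH_GROUPS[int(g)] for g in s.get("dhgrp", [])] or [""]
    props = []
    for p in s["proposal"]:               # e.g. "aes256-sha512"
        for g in groups:                  # one entry per (proposal, DH group) pair
            props.append("-".join(t for t in (p, g) if t))
    return ",".join(props) + "!"

def common_proposals(ours, theirs):
    """Proposals both sides accept; an empty list means the peers can never agree."""
    theirs_set = set(theirs.rstrip("!").split(","))
    return [p for p in ours.rstrip("!").split(",") if p in theirs_set]

def render_conn(name, phase1, phase2):
    """ipsec.conf conn fragment for an IKEv1 aggressive-mode dialup to this gateway."""
    return "\n".join([f"conn {name}", "    keyexchange=ikev1", "    aggressive=yes",
                      f"    ike={forti_to_strongswan(phase1)}",
                      f"    esp={forti_to_strongswan(phase2)}"])

if __name__ == "__main__":
    print(render_conn("vpn-dialup1", FORTI_PHASE1, FORTI_PHASE2))
    # A client offering only aes128-sha1-modp1024 shares nothing with this gateway:
    print(common_proposals("aes128-sha1-modp1024!", forti_to_strongswan(FORTI_PHASE1)))
```

Paste the printed ike=/esp= lines into the conn block; with the strict "!" suffix strongSwan will refuse anything the FortiGate is not configured to offer, so a mismatch is visible immediately rather than after a silent fallback.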