Fortinet Forum
alix
New Contributor

VPN IPSEC - StrongSwan with FortiGate

Hi,

I tried to use strongSwan on a Linux host to bring up an IPsec VPN with a FortiGate. With the Windows FortiClient, there is no problem.

My FortiGate configuration is:

  • FortiGate VPN: IKEv1, aggressive mode, NAT-T

  • Phase 1:

        edit "vpn-IPSEC"
            set type dynamic
            set interface "INET"
            set local-gw PublicIP
            set mode aggressive
            set peertype any
            set mode-cfg enable
            set ipv4-dns-server1 x.x.x.31
            set proposal aes256-sha512 aes256-sha384
            set dpd on-idle
            set dhgrp 14
            set xauthtype auto
            set authusrgrp "SI_admin"
            set ipv4-start-ip x.x.x.1
            set ipv4-end-ip x.x.x.10
            set ipv4-netmask x.x.x.0
            set ipv4-split-include "group-VPN"
            set psksecret ENC *****************************************==
            set dpd-retryinterval 60
        next

  • Phase 2:

        edit "vpn-IPSEC"
            set phase1name "vpn-IPSEC"
            set proposal aes256-sha512 aes256-sha384
            set dhgrp 14
        next

My strongSwan configuration is:

    #/etc/ipsec.d/forti.conf
    config setup
        charondebug = "dmn 1, mgr 1, ike 1, ike 2, chd 1, job 1, cfg 3, knl 2, net 2, lib 1"
        nat_traversal = yes

    conn fortinet
        type = tunnel
        reauth = yes
        authby = xauthpsk
        left = %defaultroute
        leftsourceip = %config
        leftsubnet = %dynamic,192.168.1.0/24
        leftauth = psk
        leftauth2 = xauth
        right = PeerIP
        rightaddresspool = x.x.x.1-x.x.x.10
        rightauth = psk
        rightmodecfgserver = yes
        keyexchange = ikev1
        aggressive = yes
        ikelifetime = 86400s
        pfs = yes
        ike = aes256-sha512;modp2048
        phase2 = esp
        phase2alg = aes256-sha512;modp2048
        keylife = 43200s
        xauth_identity = USERNAME
        auto=add

    #/etc/ipsec.secrets
    PeerIP : PSK "PSK"
    @USERNAME : XAUTH "PASSWORD"

Could someone help me?

Thanks

Alix

1 REPLY
    emnoc
    Esteemed Contributor III

You need to do some diagnostics, but I would read the following post since 99% of what you're doing is covered in this previous post:

https://forum.fortinet.com/tm.aspx?m=179755

Also, I would get the ipsec log and the diag debug application ike -1 output from the Linux client and the FortiGate respectively.

Lastly, you need to do some packet captures on Linux (e.g. tcpdump -nnvvv -i eth0 host x.x.x.x and port 500 or 4500) or on the FortiGate CLI (diag sniffer packet any "host y.y.y.y").

In your cfg I would also simplify the following lines and ensure you have this, e.g.:

     

conn vpn-dialup1
   left=%any
   leftsourceip=%config
   leftid=@user1.example.com
   right=vpnserverfgt100D.example.com.  # the DNS name or IPv4 address of the FortiGate interface that matches the address set in the phase1-interface "interface"
   rightsubnet=0.0.0.0/0 # optional, probably not needed
   leftsubnet=0.0.0.0/0
   rightid=@vpn.my.net.  # I would set a matching IKE-ID on the FortiGate and then populate that here in your cfg
   auto=add


ipsec up your "fortinet" profile, grab your logs, grab a packet capture at the Linux host and/or FortiGate, and then do the proper analysis based on your findings.

Tip: if you have iptables or firewalld, you need proper rules to allow traffic.

YMMV, but the above examples, link and tips should get you pointed in the right direction.

Ken Felix

PCNSE
NSE
StrongSwan
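One check worth running before the log and capture analysis the reply describes, added here as an example and not code from the thread, strongSwan or Fortinet: expand the FortiGate "set proposal" x "set dhgrp" lines and the strongSwan ike= value into comparable (encryption, integrity, DH group) tuples and confirm the two sides share at least one. It uses the phase 1 block from the question above; the DH group table is a subset of the standard IKE group numbers, and the parser accepts both the dash separator strongSwan documents and the ";" form the question used. The same functions compare the phase 2 block against the strongSwan esp= value.

```python
import re

# FortiGate "set dhgrp N" numbers to the group names strongSwan uses in ike=/esp=
# (subset of the standard IKE DH group registry; unknown numbers are kept as dhgrpN).
DHGRP = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048",
         "15": "modp3072", "16": "modp4096", "19": "ecp256", "20": "ecp384",
         "21": "ecp521"}

# Phase 1 block from the question above (only the proposal/dhgrp lines matter here).
PHASE1 = """
    edit "vpn-IPSEC"
        set mode aggressive
        set proposal aes256-sha512 aes256-sha384
        set dhgrp 14
    next
"""

def fortigate_proposals(block):
    """Expand 'set proposal' x 'set dhgrp' from one FortiGate phase block into
    (enc, integ, dh) tuples: every listed proposal is offered with every group.
    A phase 2 block without 'set dhgrp' (PFS disabled) yields dh=None."""
    props, groups = [], []
    for line in block.splitlines():
        m = re.match(r"\s*set (proposal|dhgrp) (.+)", line)
        if m:
            (props if m.group(1) == "proposal" else groups).extend(m.group(2).split())
    return {tuple(p.split("-")) + (DHGRP.get(g, "dhgrp" + g) if g else None,)
            for p in props for g in (groups or [None])}

def strongswan_proposals(value):
    """Expand a strongSwan ike=/esp= value into the same tuples. Accepts the dash
    form 'aes256-sha512-modp2048' and the ';' separator the question used, drops a
    trailing '!' (strict flag), and uses dh=None for a proposal without a group."""
    out = set()
    for prop in value.rstrip("!").replace(";", "-").split(","):
        parts = prop.strip().split("-")
        dh = parts.pop() if re.match(r"modp|ecp|curve", parts[-1]) else None
        out.add(tuple(parts) + (dh,))
    return out

def common_proposals(fgt_block, ss_value):
    """Proposals both peers can agree on. An empty set means the negotiation
    fails on the proposal exchange before the PSK or XAuth credentials matter."""
    return fortigate_proposals(fgt_block) & strongswan_proposals(ss_value)

if __name__ == "__main__":
    print(sorted(common_proposals(PHASE1, "aes256-sha512;modp2048")))
```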