Fortinet Forum
Palamar
New Contributor

fortiwifi 80c connect to strongswan server

hi,

I need to connect to a strongSwan server from my FortiGate.

Help me please. I did not work in the CLI.

my ipsec.conf:

 

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup
    # strictcrlpolicy=yes
    uniqueids = yes

include /var/lib/strongswan/ipsec.conf.inc

conn %default
    dpdaction=clear
    dpddelay=35s
    dpdtimeout=300s
    fragmentation=yes
    rekey=no
    ike=aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
    esp=aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,aes128-aes256-sha1-sha256,aes128-sha1,3des-sha1!
    # left - local (server) side
    left=%any
    leftauth=pubkey
    leftcert=194.87.147.234.crt
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    # right - remote (client) side
    right=%any
    rightauth=pubkey
    rightsourceip=192.168.103.0/24
    rightdns=8.8.8.8

conn ikev2-pubkey
    keyexchange=ikev2
    auto=add

conn ikev2-pubkey-osx
    also="ikev2-pubkey"
    leftid=194.87.147.234

conn ikev1-fakexauth
    keyexchange=ikev1
    rightauth2=xauth-noauth
    auto=add

conn ikev2-eap-tls
    also="ikev2-pubkey"
    rightauth=eap-tls
    eap_identity=%identity

Palamar
New Contributor

I want traffic from my local network to be redirected through the strongSwan VPN.

emnoc
Esteemed Contributor III

Okay, do a search; numerous examples exist for strong/openswan.

http://socpuppet.blogspot.com/2015/07/openswan-cmds-you-should-get-use-to.html

https://forum.fortinet.com/tm.aspx?m=152615

Your config does not look too bad, but here are some quick suggestions:

1: I would drop all of those enc-algos and just pick one, e.g.

( example of a basic ipsec.conf )

    rightauth=pubkey-sha1
    ike=aes128-sha1-modp1024    # aes128 enc-algo, sha1 auth-algo, Diffie-Hellman group1
    esp=aes128-sha1-modp1024
    keyingtries=%forever
    leftsubnet=10.10.10.0/24
    rightsubnet=10.10.11.0/24

2: Define the left/right subnets with anything that's not 0.0.0.0/0:0. If your goal is to send ALL traffic through the tunnel, you can change that later, but on the FGT and strongSwan/Linux just set a src/dst subnet for the encrypted data.

3: Ensure the IPsec key is correct in your ipsec.secrets key file, and don't use a certificate for the 1st trial run (and yes, certificates do work, and work very well between FGT and StrongSwan) :)

ken

PCNSE
NSE
StrongSwan
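A way to check suggestions 1 to 3 above on paper before bringing the tunnel up, as an added example that is not code from emnoc's post, from strongSwan or from Fortinet: it parses a strongSwan conn and a FortiGate phase1/phase2 pair and reports where the two ends disagree (no common proposal, phase 2 selectors that do not mirror leftsubnet/rightsubnet, a 0.0.0.0/0 selector on the first run, no PSK). Both configs are constructed samples; the FortiOS phase1-interface/phase2-interface syntax, the addresses 203.0.113.10 and 198.51.100.5, and the names fgt-site, strongswan and strongswan-p2 are assumptions, not values from this thread.

```python
from ipaddress import ip_network
# Constructed strongSwan side, in the shape suggested above: one IKE and one
# ESP proposal, a PSK, and explicit mirrored subnets. Addresses are made up.
STRONGSWAN_CONF = """\
conn fgt-site
    authby=secret
    ike=aes128-sha1-modp1024!
    esp=aes128-sha1-modp1024!
    leftsubnet=10.10.10.0/24
    right=203.0.113.10
    rightsubnet=10.10.11.0/24
"""

# Constructed FortiGate side. The phase1-interface/phase2-interface syntax is
# assumed from FortiOS; check it against your firmware before pasting.
FORTIGATE_CONF = """\
config vpn ipsec phase1-interface
    edit "strongswan"
        set remote-gw 198.51.100.5
        set proposal aes128-sha1
        set dhgrp 2
        set psksecret PSK_PLACEHOLDER
    next
end
config vpn ipsec phase2-interface
    edit "strongswan-p2"
        set phase1name "strongswan"
        set proposal aes128-sha1
        set dhgrp 2
        set src-subnet 10.10.11.0 255.255.255.0
        set dst-subnet 10.10.10.0 255.255.255.0
    next
end
"""

# strongSwan MODP names -> IKE DH group numbers (RFC 2409 and RFC 3526).
MODP_TO_DHGRP = {"modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14,
                 "modp3072": 15, "modp4096": 16, "modp6144": 17, "modp8192": 18}

def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for the conn sections of an ipsec.conf."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip trailing comments
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns

def parse_fortigate(text):
    """Return {edit_name: {key: value}} from a FortiOS config dump (names assumed unique)."""
    entries, entry = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            entry = line[len("edit "):].strip('"')
            entries[entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[len("set "):].partition(" ")
            entries[entry][key] = value.strip().strip('"')
    return entries

def proposals(spec):
    """Split ike=/esp= into (algorithms, dhgrp) pairs; aes128-aes256-sha1 stays one token."""
    pairs = []
    for prop in spec.rstrip("!").split(","):
        parts = prop.split("-")
        groups = [MODP_TO_DHGRP[p] for p in parts if p in MODP_TO_DHGRP]
        algs = "-".join(p for p in parts if p not in MODP_TO_DHGRP)
        pairs.append((algs, groups[0] if groups else None))
    return pairs

def fgt_matches(phase, spec):
    """True if any FortiGate proposal/dhgrp combination is offered by strongSwan."""
    grps = [int(g) for g in phase.get("dhgrp", "").split()] or [None]
    return any((p, g) in proposals(spec) for p in phase["proposal"].split() for g in grps)

def check_pair(ss_text, fgt_text, conn, p1, p2):
    """Return the mismatches between a strongSwan conn and a FortiGate phase1/phase2 pair."""
    ss, fgt = parse_ipsec_conf(ss_text)[conn], parse_fortigate(fgt_text)
    ph1, ph2 = fgt[p1], fgt[p2]
    problems = []
    if not fgt_matches(ph1, ss["ike"]):  # suggestion 1: one proposal, agreed on both ends
        problems.append("no common IKE (phase 1) proposal")
    if not fgt_matches(ph2, ss["esp"]):
        problems.append("no common ESP (phase 2) proposal")
    left, right = ip_network(ss["leftsubnet"]), ip_network(ss["rightsubnet"])
    src = ip_network(ph2["src-subnet"].replace(" ", "/"), strict=False)
    dst = ip_network(ph2["dst-subnet"].replace(" ", "/"), strict=False)
    if src != right or dst != left:  # suggestion 2: selectors must mirror each other
        problems.append("phase 2 selectors do not mirror leftsubnet/rightsubnet")
    if left.prefixlen == 0 or right.prefixlen == 0:
        problems.append("0.0.0.0/0 selector: start with specific subnets")
    if ss.get("authby") != "secret":  # suggestion 3: PSK from ipsec.secrets for the first run
        problems.append("conn does not use authby=secret")
    return problems
```

With the two constructed configs the check returns an empty list; swap modp1024 for modp2048 on the strongSwan side only and both the phase 1 and phase 2 proposals are reported as mismatched, which is the kind of silent disagreement that otherwise only shows up as NO_PROPOSAL_CHOSEN in the logs.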

Palamar
New Contributor

On the strongSwan side there is only the public address (93.95.97.67); how do I configure the FortiGate?