Skip to main content
lucasomoura
New Member
December 5, 2022
Question

Fortclient VPN Client Linux - IPSEC

  • December 5, 2022
  • 4 replies
  • 45533 views

Hello,

In Forticlient VPN for Linux (Ubuntu 22.04), the IPsec VPN tab does not appear.

How can I connect Forticlient VPN IPSEC on Linux?

4 replies

distillednetwork
Explorer II
December 5, 2022

Currently, the FortiClient for Linux does not support IPSEC in the client, you would need to set it up natively on the Linux computer.  Here is a tech article that talks about this:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPsec-connection-between-FortiGate-and-Ubuntu-via/ta-p/207149

syulv
Explorer
April 5, 2024

It's a shocker to me that this is the case (is it still a case in April 2024?).

 

Juat is trying to configure FortiClient Version 7.2.4.0809 on Ubuntu 22, and it seems that the only option is SSL VPN if you want to use the CLI.

 

Is there a reason as to why this functionality is not available?

 

Why would I need to use strongswan for that (I was so sure that it would be a slick experience from Fortinet and then I bumped into this....)?

dorianhernandez
New Member
September 10, 2024

Yeah, I also learned about this the hard way.  I am thinking of setting a PFSense VM or appliance and configure a gateway-to-gateway IPSec tunnel and then I can use whatever OS I want; PFSense to the rescue once again.

selfs
New Member
April 7, 2025

What command line are you talking about? Could you help me?
Thanks!

toto_tata
New Member
October 22, 2025

After a bit of research I managed to find a way to connect to my IPSEC fortigate with fortitoken, this is how I do it:
First, install libreswan

then edit /etc/ipsec.conf and adapt this config with your info:

config setup     uniqueids=no     ikev1-policy=accept  conn fortigate     ikev2=no     ike=aes256-sha256;modp1536     esp=aes256-sha1;modp1536     authby=secret     pfs=yes     auto=add     left=%defaultroute     leftid=LOCAL_REMOTE_IP     leftxauthusername=FORTINET_USERNAME     rightsubnet=0.0.0.0/0     right=FORTIGATE_PUBLIC_IP     rightid=FORTIGATE_LOCAL_IP     rightxauthserver=yes     leftxauthclient=yes     rightmodecfgserver=yes     leftmodecfgclient=yes     modecfgpull=yes     nm-configured=yes     aggrmode=yes     ikelifetime=86400s     salifetime=43200s     dpddelay=20s     dpdtimeout=60s     nat-ikev1-method=rfc     esn=either     nopmtudisc=yes     remote-peer-type=cisco     nat-keepalive=no


If you don't know your FORTIGATE_LOCAL_IP, comment out the line, the ip will be shown in the log (the rightid has to be the same on both sides).
If you don't know your LOCAL_REMOTE_IP, don't specify it and then use `ip xfrm state` to find it.


Then you have to edit the /etc/ipsec.secrets file like this :

%any : PSK "YOUR_PSK" @VPN_USERNAME : XAUTH "YOUR_PASSWORD_FORTITOKEN"


So if your password is toto_123 and the fortitoken is currently 234789, then the password is toto_123234789
You will have to modify it each time you want to connect to your VPN since the fortitoken is dynamic.

Then run `sudo systemctl restart ipsec`
if there are errors, check journalctl -xeu ipsec.service, logs are pretty clear.

then run `sudo ipsec up fortigate` since the conn is named as fortigate in our conf.

heisenbug
New Member
November 18, 2025

It seems that Fortinet--currently--does NOT support any way of using Multi-Factor Authentication (MFA or 2FA) to establish an IPsec VPN connection between a Linux client and FortiGate firewall.


On Windows, Fortinet does support this, via the IPsec tab in FortiClient VPN. This tab however, is NOT shown on Linux clients.

 

Though one can use strongSwan to establish a VPN connection with FortiGate firewall, it's more difficult if one wishes to use SAML. To sidestep that issue, one might use other forms of authentication for network administrators which use Linux, like using a certificate. But if one has strict MFA/2FA security requirements (which might be provided via SAML), it's more difficult to satisfy this requirement for network administrators who use strongSwan on Linux to establish the VPN connection.

 

Possible solution to use MFA/2FA with IPsec VPN on Linux:


One could use a hardware authentication device (like YubiKey) to store a certificate, and use it to supply the client certificate during VPN authentication, for example using strongSwan with the pkcs11 plugin.

 

But strictly speaking, it's not MFA/2FA, as it's still just one factor (a certificate on the hardware device).

 

But this can be solved:

 

To make this strict MFA/2FA, we can protect the certificate with a passphrase. You can set the passphrase in FortiGate when adding a PKI user. Also, when using strongSwan on Linux, you can configure the daemon to prompt for a passphrase. This passphrase is used by strongSwan to decrypt the RSA private key from the hardware device (like YubiKey). The RSA private key is then used to establish the VPN connection. (This also works for ECDSA private keys.)

 

Then we can truly say that we are adhering to strict MFA/2FA requirements, meaning we authenticate using both 'something we know' (password) and 'something we have' (client certificate on the hardware security device).

 

Screenshot:

 

Here's where we can enable 2FA (two-factor authentication) for a PKI user (which authenticates using a client certificate that was signed by the chosen CA certificate).

 

IPsec-VPN-MFA-via-PKI-passphrase-20251119.png