Hi all,
We want to use IPsec VPN, and we have some Debian users. We have tried to use the package "strongswan" but we haven't succeeded to connect it. We want to use verification with ldap to authenticate and accept it.
In our FortiGate we have this configuration:
For the 1st phase:â
â
For the 2nd phase:
â
In our Debian machine, we have tried this configuration:
In the ipsec.conf:
â
In the âIPSec.secrets:
â
In the updown.sh:â
Here, it's the test of our configuration:
â
Do you have any idea about it?
Ali
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Does this doc help: https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPsec-connection-between-FortiGate-and-Ubu...
Hey AliE,
one thing that confuses me a bit is the peertype/peerid setting on FortiGate; with that in place, FortiGate would only accept connections from a client that provides that particular peerid during the tunnel setup, and the snippets from your debian environment do not include anything like that ID, as far as I can see.
Maybe remove that, set peertype 'any', and try again?
Please note that peertype 'any' can cause conflict if you have other VPNs listening on the same interface, in that case, do NOT try this!
Cheers,
Debbie
Hi,
Thank you for your response. I have rewrite the file "ipsec.conf" and now it's working!
conn hq
keyexchange = ikev1
ike = aes256-sha256-modp3072
#esp = aes256-sha256-modp3072
esp = aes256-sha256
aggressive = yes
right = 85.158.*.*
rightsubnet = 10.*.5.0/24
rightauth = psk
left = %defaultroute
leftsourceip=%config
leftauth = psk
leftauth2 = xauth
xauth_identity = test.vpn
auto = add
leftupdown = /usr/lib/ipsec/updown.sh
But now I have another problem...
When I'm connected, the different routes don't propagate but in windows with fortclient, I can receive these routes. I have enabled ipv4 split tunnel and create a book of addresses for "accesible networks".
Do you have an idea?
Ali
afair strongswan/openswan do not support split tunneling in ike v1. You might have to either switch your ipsec to ike v2 or set your routes manually.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Select Forum Responses to become Knowledge Articles!
Select the âNominate to Knowledge Baseâ button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1712 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.