Hi all,
We want to use an IPsec VPN, and we have some Debian users. We have tried to use the package "strongswan" but we haven't succeeded in connecting with it. We want to use verification with LDAP to authenticate and accept it.
In our FortiGate we have this configuration:
For the 1st phase:
For the 2nd phase:
In our Debian machine, we have tried this configuration:
In the ipsec.conf:
In the IPSec.secrets:
In the updown.sh:
Here, it's the test of our configuration:
Do you have any idea about it?
Ali
Does this doc help: https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPsec-connection-between-FortiGate-and-Ubu...
Hey AliE,
One thing that confuses me a bit is the peertype/peerid setting on FortiGate; with that in place, FortiGate would only accept connections from a client that provides that particular peerid during the tunnel setup, and the snippets from your Debian environment do not include anything like that ID, as far as I can see.
Maybe remove that, set peertype 'any', and try again?
Please note that peertype 'any' can cause conflict if you have other VPNs listening on the same interface, in that case, do NOT try this!
Cheers,
Debbie
Hi,
Thank you for your response. I have rewritten the file "ipsec.conf" and now it's working!
conn hq
    # IKEv1 aggressive mode with XAuth, as used by the FortiGate dial-up VPN
    keyexchange = ikev1
    aggressive = yes
    # Phase 1 proposal: must match the FortiGate phase 1 settings
    ike = aes256-sha256-modp3072
    # Phase 2 proposal: no PFS group, must match the FortiGate phase 2 settings
    #esp = aes256-sha256-modp3072
    esp = aes256-sha256
    # FortiGate side (public IP masked) and the network behind it
    right = 85.158.*.*
    rightsubnet = 10.*.5.0/24
    rightauth = psk
    # Client side: virtual IP requested via mode-config
    left = %defaultroute
    leftsourceip = %config
    # PSK for phase 1, then XAuth username/password as second authentication
    leftauth = psk
    leftauth2 = xauth
    xauth_identity = test.vpn
    # Load the connection but only bring it up on request (ipsec up hq)
    auto = add
    leftupdown = /usr/lib/ipsec/updown.sh
But now I have another problem...
When I'm connected, the different routes don't propagate, but in Windows with FortiClient I can receive these routes. I have enabled IPv4 split tunnel and created a book of addresses for "accessible networks".
Do you have an idea?
Ali
AFAIR strongSwan/Openswan do not support split tunneling in IKEv1. You might have to either switch your IPsec to IKEv2 or set your routes manually.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Copyright 2024 Fortinet, Inc. All Rights Reserved.