Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

IPSec Fortigate <> Strongswan

Hello Guys, i am facing a challenge that i can only solve with your help. Please support me. I want to establish a VPN connection between my Fortigate 50E and a (Linux) Hosted root server. I've tested it with several instructions but can't get any further. In Fortigate the connection is UP but in the logs it says " negotiate failure progress IPsec phase 2". Strongswan displays the following message: Routed Connections:    FortiGate{1}: ROUTED, TUNNEL, reqid 1    FortiGate{1}: 85.XXX.XX.XXX/32 === Security Associations (1 up, 0 connecting):    FortiGate[1]: ESTABLISHED 9 minutes ago, 85.XXX.XX.XXX[85.XXX.XX.XXX]...88.XX.XXX.XX[88.XX.XXX.XX] The hosted root server has no subnet but only a public IP address. The ipsec.conf looks like this: config setup         # strictcrlpolicy=yes         # uniqueids = no conn FortiGate   authby=secret   type=tunnel   auto=route   compress=no   left=85.XXX.XX.XXX   leftsubnet=85.XXX.XX.XXX/32   right=88.XXX.XXX.XX   rightsubnet=   leftfirewall=no   keyexchange=ikev1   ike=aes256-sha256-ecp521   esp=aes256-sha256-ecp521 The /etc/sysctl.conf looks like this: net.ipv4.ip_forward=1 net.ipv4.conf.all.accept_redirects = 0 net.ipv6.conf.all.accept_redirects = 0 If you need more data, just write ;-) Thanks for your help!

Esteemed Contributor III



I seen you Pm here's my  200B and what I have 



conn FGT200B type=tunnel keyexchange=ikev1 auto=start ike=aes128-sha1;modp1024 # left = local left="x.x.x.x" leftsubnet= # right = remote right=y.y.y.y. rightsubnet= esp=aes128-sha1 keyingtries=%forever



The fortigate configurations looks like this;


config vpn ipsec phase1-interface edit strongvpn set interface " wan1" set dhgrp 2 set proposal aes128-sha1 set dpd disable set remote-gw x.x.x.x set psksecret m@ster0lock next end config vpn ipsec phase2-interface edit " strongvpn-p2-1" set auto-negotiate enable set keepalive enable set pfs disable set phase1name strongvpn set proposal aes128-sha1 set replay disable set dst-subnet set src-subnet set keylifeseconds 3600 next end


I have not done a ECP tunnel so that could be a issue. I would also use DHGRP 14 or higher btw


Ken Felix