Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- IPSec VPN to Linux StrongSwan
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IPSec VPN to Linux StrongSwan
I'm beating my head against a brick wall with an IPSec VPN configuration. Here's the basic topology:
192.168.x.x (my lan) --> [FortiGate 20c] --> 10.1.10.x (wan) --> [Cisco/Comcast Router] --> 50.1.1.1 (my public IP) --> [*Internet*] --> 50.2.2.2 (peer's public IP) --> [Linux StrongSwan] --> 172.16.x.x (peer's lan)
I have put my FG (10.1.10.10) in the DMZ on the Comcast router to try and eliminate problems there.
My FG has a functioning tunnel-mode VPN already configured and working. I'm adding a second, but interface mode.
So, I've read a LOT of the manuals and forum posts, etc, but can't seem to make this go.
I have:
ThisVPN Phase 1
IP Address: 50.2.2.2 (peer's public IP)
Local Interface: wan
Authentication method: Preshared Key
Pre-shared Key: xxxxxxxxxxxx (matches with peer)
Enable IPsec Interface Mode: enabled
IKE Version: 1
Local Gateway IP: Main Interface IP (can I / should I put my public Internet IP here instead?)
P1 Proposal: AES128 / SHA512 (matches peer)
DH Group: 2, 5 (unknown if matches peer)
Keylife 86400 seconds (matches peer)
Local ID: 50.1.1.1 (my public IP, seems to be what peer expects)
XAuth: Disabled
Nat Traversal: Enabled
DPD: Enabled
ThisVPN_P2 Phase 2
P2 Proposal: AES128 / SHA512 (matches peer)
Replay detection: enabled
PFS: disabled (matches peer)
Keylife: 86400 seconds (matches peer)
Keep alive: enabled
Auto-negotiate: enabled
Selectors: all zeroes (allow everything)
Static route:
172.16.x.x --> ThisVPN
Policies:
lan --> ThisVPN
Source: MySubnet
Dest: PeerSubnet
Sched: always
Service: all
Action: allow
ThisVPN --> lan
Source: PeerSubnet
Dest: MySubnet
Sched: always
Service: all
Action: allow
When I look at some of the debug output from the CLI, I see:
IPsec SA connect 4 10.1.10.10 -> 50.2.2.2:500
If the peer has NAT-T as I do, they will be getting an IKE request from 10.1.10.10, no? How do I fix this?
Thanks in advance for any and all help!
-Terry
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Terry,
Your IKE traffic should be source natted with 50.1.1.1 (your public IP)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here's a vpn t-shoot guide
http://socpuppet.blogspot.com/2013/10/site-2-site-routed-vpn-trouble-shooting.html
Here's swan guide
http://socpuppet.blogspot.com/2015/07/openswan-cmds-you-should-get-use-to.html
Quick observation:
qaud 0s is probably not going to work ( aka 0.0.0.0:0 ) for phase2 and a open/strongswan
the linux host has tcpdump, run it from the bash shell on the FGT_peer-ID
dun the diagnostic commands for ike/ipsec on the fortigate
That should lead you in the right direction.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One of the docs I read said quad 0's was the way to allow everything. Not so?
I'll try it with my Public IP and his Private Subnet as the selectors.
-T
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Again here's working openswan example
http://socpuppet.blogspot.com/2014/05/openswan-to-fortigate-route-based-vpn.html
Follow that above reference and change the lef/right to match your networks and define the PSK and enable NAT-T on the fortigate . Ensure porks 500/4500 is open on the linux side of things and ESP protocols.
1 > tcpdump on the linux side, 2> run diag cmd 3> review logs
e.g
tcpdump -i em0 "udp port 500 or 4500"
tcpdump -i em0 "proto 50"
It's really that easy.
Ken
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks everyone for your help!
What ended up being the critical issues were these:
- On the Strongswan side, he had to set "rightid=%any" in ipsec.conf
- On my FG side, I had to set the P2 Quick Mode Selector Source address to my internal subnet, rather than my public IP, and the Destination address to the peer's internal subnet.
Working like a charm now!
-Terry
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Terry C wrote:Hi Terry, Could you share your complete config file along with FG configuration? I'm having currently same issue and can't force it to work :( ThanksThanks everyone for your help!
What ended up being the critical issues were these:
- On the Strongswan side, he had to set "rightid=%any" in ipsec.conf
- On my FG side, I had to set the P2 Quick Mode Selector Source address to my internal subnet, rather than my public IP, and the Destination address to the peer's internal subnet.
Working like a charm now!
-Terry
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Shouldn't the "Local Gateway IP" setting take care of this? It's currently set to the WAN IP, but I could set it to the Public IP instead.
The reasons I wonder about this are two:
1 There is a functioning IPsec tunnel-mode VPN on this FortiGate already, to a different vendor, with no special natting.
2 Per ALL the docs and examples, I have my Phase 1 set with NAT-T enabled. Wouldn't that defeat this?
Thanks!
-Terry
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,718 -
FortiClient
1,767 -
5.2
801 -
FortiManager
732 -
5.4
639 -
FortiAnalyzer
560 -
FortiSwitch
476 -
FortiAP
473 -
FortiClient EMS
435 -
6.0
416 -
5.6
362 -
FortiMail
319 -
6.2
251 -
SSL-VPN
246 -
FortiAuthenticator v5.5
234 -
IPsec
210 -
FortiWeb
205 -
5.0
196 -
FortiNAC
190 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiAuthenticator
104 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
97 -
FortiToken
92 -
Firewall policy
83 -
Customer Service
80 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
52 -
vlan
51 -
ZTNA
49 -
Routing
47 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
41 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
Certificate
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
SSO
33 -
Interface
31 -
FortiConnect
30 -
VDOM
30 -
FortiLink
29 -
FortiWAN
27 -
Web profile
27 -
Application control
26 -
FortiConverter
25 -
Logging
25 -
Virtual IP
25 -
FortiGate v5.2
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
FortiGate-VM
16 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSoar
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
API
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1714 | |
| 1093 | |
| 752 | |
| 447 | |
| 232 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.