Support Forum
SulyIT
New Contributor

IPsec VPN on Linux?

Hi,

I would like to know if it's possible to connect to the Remote Access IPsec VPN (not the site-to-site one) from Linux?

I know that for the SSL VPN I can use openFortinet or something like that on Linux, but apparently the IPsec VPN is not supported.

Another question: is there a way to start and stop the IPsec VPN from the command prompt or with an API?

emnoc
Esteemed Contributor III

Review strongSwan. It's suitable for IPsec VPN and for dialup applications.

PCNSE NSE StrongSwan
HancieC
New Contributor

Has anyone tried to connect a StrongSwan tunnel (route-based IPsec mode) to a Cisco router (ISR), or does someone have instructions on how to do it?

I need to connect a Linux instance in the cloud to a Cisco ISR router.

hendri_tobing
New Contributor

Hi,

I wonder about this as well. Is there any solution, or at least a workaround, for Linux users to connect to an IPsec VPN?

Thank you.

SulyIT

Update: I was able to use the Shrew Soft VPN client to make it work. At first I tried to match the config by guessing, but I recently found a tool, ike-scan, that can scan an IP address and find most of the settings. You can also use Openswan or strongSwan, but you need a version that allows IKEv1. Side note: I planned to "NAT" the VPN so I could share the route on my network, creating a sort of site-to-site. Since the protocol uses IPsec, the NAT rules I used with most SSL VPNs didn't work. I was never able to make it work, so I downloaded VirtualBox, used the NAT network interface in VirtualBox and another interface on the LAN network, activated routing on the VM and created a NAT. To my surprise it works incredibly well for my needs. (Basically the NATing is handled by a nested Linux VM and the VPN is connected on the host. The traffic enters via the nested VM, is routed to the NAT network created by VirtualBox and is finally transferred to the VPN interface on the host.)
SulyIT

For the Shrew Soft client, the package is called "ike".
dstromberg

I really want to connect to a FortiGate IPsec VPN from Linux as well.

I tried Shrew Soft first, but it wasn't compiling, and while I was searching for a fix I heard that the Shrew Soft VPN client is moribund.

I've moved on to vpnc, but I'm not having much luck with that either. My redacted config file is below, along with the error I'm getting.

It bothers me more than a little that ike-scan thinks my gateway isn't handshaking. Also, my IT guy says there are no failed login attempts on the FortiGate side.

My vpnc config looks like:

IPSec gateway host.example.com
IPSec ID redacted
IPSec secret redacted
#IKE Authmode hybrid
IKE Authmode psk
Xauth username redacted
#Xauth password redacted

The error I get is:

$ vpnc-connect
Enter password for user@host.example.com:
vpnc-connect: no response from target

If I strace vpnc, I can see it timing out trying to reach udp/500 on host.example.com.

I see something similar if I try to ike-scan host.example.com:

Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
Ending ike-scan 1.9.4: 1 hosts scanned in 3.311 seconds (0.30 hosts/sec). 0 returned handshake; 0 returned notify

It's like I have the wrong server or something, but the hostname does resolve, and I can see the UDP/500 port as open|filtered in the output from:

nmap -P0 -sU -p 500 host.example.com

I've got some special characters in my PSK, including a comment character, but I don't think that's supposed to matter.

I'm on Debian 10.10 and I'm using vpnc 0.5.3r550-3.

Any suggestions?

Thanks!

emnoc
Esteemed Contributor III

Sounds like you have filters up, maybe on the Linux host. Are you running iptables or firewalld? If yes, can you temporarily stop it or place rules to allow outbound traffic to that destination?

If you manage the remote VPN gateway, I would also do a capture on that end to ensure you are indeed reaching the host.

e.g.

diag sniffer packet any "host x.x.x.x and port 500 or 4500"

x.x.x.x would be your Linux host's public address, which you can acquire through

  curl ifconfig.me

 

Ken Felix

PCNSE NSE StrongSwan
sw2090
Honored Contributor

Yeah, Shrew Soft is still good on Windows, but since development was shut down in 2014 it will not work on current Linuxes. I managed to compile it on an Ubuntu 20.04 with some cheating, but it didn't really work at all afterwards.

I then used Openswan/strongSwan to do it, since that's in the standard repos of almost every distro. However, there still is no suitable GUI for it on Linux. But it does work fine on the CLI.

I only need to execute "ipsec up <connectionname>" to bring it up, and it uses iptables instead of routing entries here. The only issue I have is that it doesn't support multiple subnets when you use IKEv1, but that one is on me for still not using IKEv2 xD

--

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
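The two posts above move from a vpnc config to a strongSwan connection driven from the CLI. As an added example (not code from the thread or from either project), the script below parses a vpnc-style config and emits the equivalent strongSwan IKEv1 PSK+XAuth dialup settings; the cipher proposals, aggressive mode and the ID type are assumptions that must be matched to the FortiGate phase1/phase2 configuration.

```python
# Added example (not from the thread): convert a vpnc-style config such as
# the one posted above into strongSwan IKEv1 PSK+XAuth dialup settings.
VPNC_KEYS = ("IPSec gateway", "IPSec ID", "IPSec secret",
             "IKE Authmode", "Xauth username", "Xauth password")
SAMPLE = """IPSec gateway host.example.com
IPSec ID vpngroup
IPSec secret pa#ss word
#IKE Authmode hybrid
IKE Authmode psk
Xauth username alice
"""  # constructed sample; note the '#' inside the PSK

def parse_vpnc(text):
    """Map known vpnc keys to values. Only a line that *starts* with '#'
    is a comment, so a '#' inside the PSK is kept verbatim."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for key in VPNC_KEYS:
            if line.startswith(key + " "):
                conf[key] = line[len(key):].strip()
    return conf

def to_ipsec_conf(conf, name="fortigate"):
    """ipsec.conf conn section; cipher lines, aggressive mode and the
    FQDN-type ID are assumptions to match against the FortiGate."""
    return "\n".join([
        f"conn {name}",
        "    keyexchange=ikev1",
        "    aggressive=yes",
        "    left=%defaultroute",
        "    leftsourceip=%config",      # take the virtual IP from the gateway
        f"    leftid=@{conf.get('IPSec ID', '')}",
        "    leftauth=psk",
        "    leftauth2=xauth",           # second round: XAuth user/password
        f"    xauth_identity={conf.get('Xauth username', '')}",
        f"    right={conf['IPSec gateway']}",
        "    rightauth=psk",
        "    rightsubnet=0.0.0.0/0",     # full tunnel; narrow for split tunnel
        "    ike=aes256-sha256-modp2048!",
        "    esp=aes256-sha256!",
        "    auto=add",                   # load, then `ipsec up fortigate`
    ])

def to_ipsec_secrets(conf):
    """ipsec.secrets PSK line; double quotes keep '#' and spaces literal."""
    psk = conf["IPSec secret"].replace("\\", "\\\\").replace('"', '\\"')
    return f'{conf["IPSec gateway"]} : PSK "{psk}"\n'
```

The XAuth password is deliberately not written out; strongSwan accepts it from an `alice : XAUTH "pw"` line in ipsec.secrets if you choose to store it.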
emnoc
Esteemed Contributor III

There is a manager named "StrongMan", but I never used it. You typically do not need it, but it interacts with strongSwan for monitoring and, I believe, configuration.

 

Ken Felix

PCNSE NSE StrongSwan
dstromberg

I've mostly given up on vpnc, and have been working instead on getting Libreswan working with FortiGate. If people could look at https://superuser.com/questions/1661309/libreswan-fortigate-ipsec-only-no-ssl-gives-60-second-timeou... that'd be fantastic.

It's mostly based on https://kb.fortinet.com/kb/documentLink.do?externalID=11835, which might be a little out of date or something? Anyway, I tried to follow the directions there, but no joy.

Thanks.

 
