Hi all,
I am able to connect to a Fortinet VPN server from Windows 10 using Fortinet Client v6.0.9.0277. My configuration is displayed in the following 2 pictures:
But, from linux mint, using strongswan I am unable to connect. Here is my configuration:
# ipsec.conf - strongSwan IPsec configuration file
conn FortinetVPN
keyexchange=ikev1
aggressive=yes
authby=secret
left=%defaultroute
leftauth=psk
leftid=My_User_name
right=VPN_IP_HERE
rightauth=psk
rightid=%any
rightsubnet=0.0.0.0/0
ike=aes256-sha256-modp1536,aes128-sha1-modp1536!
esp=aes256-sha1-modp1536,aes128-sha1-modp1536!
dpdaction=clear
dpddelay=30s
dpdtimeout=150s
ikelifetime=86400s
lifetime=43200s
keylife=43200s
rekeymargin=3m
keyingtries=1
auto=add
type=tunnel
replay_window=32
mobike=no
forceencaps=yes
#ipsec.secrets
My_User_name : PSK "My_Preshared_key"
My_User_name : XAUTH "My_Password"
The output I am getting is:
sudo ipsec up FortinetVPN
initiating Aggressive Mode IKE_SA FortinetVPN[1] to VPN_IP_HERE
generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
sending packet: from 10.0.2.15[500] to VPN_IP_HERE[500] (475 bytes)
received packet: from VPN_IP_HERE[500] to 10.0.2.15[500] (540 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V NAT-D NAT-D V V V V V ]
received NAT-T (RFC 3947) vendor ID
received DPD vendor ID
received XAuth vendor ID
received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00
received FRAGMENTATION vendor ID
received FRAGMENTATION vendor ID
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
local host is behind NAT, sending keep alives
IKE_SA FortinetVPN[1] established between 10.0.2.15[My_User_name]...VPN_IP_HERE[VPN_IP_HERE]
scheduling reauthentication in 86166s
maximum IKE_SA lifetime 86346s
generating AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
sending packet: from 10.0.2.15[4500] to VPN_IP_HERE[4500] (140 bytes)
generating QUICK_MODE request 1993355718 [ HASH SA No KE ID ID ]
sending packet: from 10.0.2.15[4500] to VPN_IP_HERE[4500] (428 bytes)
received packet: from VPN_IP_HERE[4500] to 10.0.2.15[4500] (92 bytes)
queueing TRANSACTION request as tasks still active
received packet: from VPN_IP_HERE[4500] to 10.0.2.15[4500] (108 bytes)
parsed INFORMATIONAL_V1 request 1651800496 [ HASH D ]
received DELETE for IKE_SA FortinetVPN[1]
deleting IKE_SA FortinetVPN[1] between 10.0.2.15[My_User_name]...VPN_IP_HERE[VPN_IP_HERE]
establishing connection 'FortinetVPN' failed
I suppose that I am doing something wrong in the config file, but I am unable to figure out what.
Any help would be highly appreciated. Thank you very much!
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Have you tried rightsubnet=172.28.2.0/24 or whatever the subnet mask is.
If you confirm that 172.28.2.111 is the right DNS, what do you have when you type this command:
dig something.internal.company.com @172.28.2.111
In case it doesn't resolve, check the client routing table (should route 172.28.2.111 through the tunnel) and check if you have the right firewall policy allowing this DNS traffic trough tunnel.
Since you have removed rightsubnet=0.0.0.0/0 which tunneled all traffic, the default is now rightsubnet=VPN_IP_HERE/32: which tunnels only traffic going to the VPN Server but not to the internal network behind the VPN gateway:
CHILD_SA FortinetVPN{1} established with SPIs cc656926_i acf98b6c_o and TS 192.168.166.4/32 === VPN_IP_HERE/32
In order to reach any internal hosts you have to set rightsubnet to this internal network
This is strange as on Fortinet client from Win10 I am not setting any subnet anywhere, the client does everything. By looking at the virtual adapter it creates, I can see there:
IPv4 Address. . . . . . . . . . . : 192.168.166.4(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
...
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : 192.168.166.46
I tried adding rightsubnet=192.168.166.0/24 to my ipsec.conf file, but it doesn't seem to have an effect. Connection log:
CHILD_SA FortinetVPN{1} established with SPIs c2268279_i acf9910a_o and TS 192.168.166.4/32 === 192.168.166.0/24
However, typing ip addr :
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
...
inet 192.168.166.4/32 scope global enp0s3
valid_lft forever preferred_lft forever
Am I setting it wrong in the config file?
Please remember that the internal websites that I want to access are like 172.28.2.123, DNS server is 172.28.2.111 etc (none of them are pingable). Maybe am I missing some DHCP plugin? I use IKEv1 as stated at the beginning.
Thank you very much for the help provided!
Have you tried rightsubnet=172.28.2.0/24 or whatever the subnet mask is.
@AEK, yes 172.28.2.111 is the DNS server, I checked on the Windows 10 machine.
user@Machine:~$ sudo ufw status
Status: inactive
user@Machine:~$ dig something.internal.company.com @172.28.2.111
;; communications error to 172.28.2.111#53: timed out
;; communications error to 172.28.2.111#53: timed out
It seems that it cannot access the DNS server on the 53 port, although the firewall is disabled (I ran sudo ufw disable previously). Any other thoughts? The OS is Linux Mint freshly installed in a Virtual Box machine. As I previously said, other external websites are being resolved properly, so it doesn't seem that port 53 would be blocked somehow.
user@Machine:~$ telnet 8.8.8.8 53
Trying 8.8.8.8...
Connected to 8.8.8.8.
Escape character is '^]'.
^CConnection closed by foreign host.
user@Machine:~$ telnet 172.28.2.111 53
Trying 172.28.2.111...
telnet: Unable to connect to remote host: Connection timed out
user@Machine:~$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default _gateway 0.0.0.0 UG 100 0 0 enp0s3
10.0.2.0 0.0.0.0 255.255.255.0 U 100 0 0 enp0s3
link-local 0.0.0.0 255.255.0.0 U 1000 0 0 enp0s3
Created on 02-27-2024 07:34 AM Edited on 02-27-2024 08:38 AM
I mean you should check if you have the right firewall policy on the remote FortiGate.
That policy should allow DNS queries through the tunnel to local DNS server 172.28.2.111.
On the other hand I don't see any route through the tunnel on your "Machine". Without this route you can't access any resource through the tunnel.
@AEK, I don't have access on the remote FortiGate, but with the same credentials and using the FortiClient from Windows 10 it is properly working.
One difference between the 2 OS that I noticed is that in Windows 10 a new virtual adapter is created, which obtains a IPv4 address and a DHCP server (see my ipconfig /all command from the previous forum page).
In linux mint I don't have any other adapter created, even when the FortinetVPN connection is up (ifconfig command shows one wireless adapter and lo). Without a virtual interface I also don't have the routes set up, as you suggested (They are present in Windows 10, route print -4 command shows lots of entries with the fortinet virtual adapter)
So, going back to the ipsec.conf, maybe I am missing something there that prevents the creation of a virtual adapter? Or a linux package? Or is it strongswan in Linux somehow working differently than Fortinet Client in Windows 10?
Thank you all for the help provided so far!
strongSwan doesn´t install a separate virtual network interface but installs a source routing rule in table 220 which should look something like:
ip route list table 220
172.28.2.0/24 via 10.2.0.1 dev enp0s3 proto static src 192.168.166.4
dest. subnet nexthop interface assigned virtual IP
@AEK, thank you so much!
Setting, as you suggested
rightsubnet=172.28.2.0/24
proved to be the working solution! Now I can ping and access internal websites, also using dns names!
When I check the route as you suggested it looks like in your example:
user@Machine:~$ ip route list table 220
172.28.2.0/24 via MY_ROUTER_IP dev enp0s3 proto static src 192.168.166.4
It still remains a mystery for me how Fortinet Windows 10 client knows how to properly without specifying this network and mask, but now I have a working client on my linux machine!
THANK YOU ALL!
They reason that you don't have to specify a destination subnet with the Fortinet Windows client is that Fortinet by default uses interface-or route-based IPsec tunnels whereas strongSwan uses policy-based oned.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1665 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.