actunderdc
New Contributor II

IPsec connection in Linux Mint with strongSwan

Hi all,

I am able to connect to a Fortinet VPN server from Windows 10 using Fortinet Client v6.0.9.0277. My configuration is displayed in the following 2 pictures:

(screenshots attached: forti_1.png and forti_2.png)

But, from Linux Mint, using strongSwan I am unable to connect. Here is my configuration:

# ipsec.conf - strongSwan IPsec configuration file
conn FortinetVPN
    keyexchange=ikev1
    aggressive=yes
    authby=secret
    left=%defaultroute
    leftauth=psk
    leftid=My_User_name
    right=VPN_IP_HERE
    rightauth=psk
    rightid=%any
    rightsubnet=0.0.0.0/0
    ike=aes256-sha256-modp1536,aes128-sha1-modp1536!
    esp=aes256-sha1-modp1536,aes128-sha1-modp1536!
    dpdaction=clear
    dpddelay=30s
    dpdtimeout=150s
    ikelifetime=86400s
    lifetime=43200s
    keylife=43200s
    rekeymargin=3m
    keyingtries=1
    auto=add
    type=tunnel
    replay_window=32
    mobike=no
    forceencaps=yes

#ipsec.secrets

My_User_name : PSK "My_Preshared_key"
My_User_name : XAUTH "My_Password"

The output I am getting is:

sudo ipsec up FortinetVPN 
initiating Aggressive Mode IKE_SA FortinetVPN[1] to VPN_IP_HERE
generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
sending packet: from 10.0.2.15[500] to VPN_IP_HERE[500] (475 bytes)
received packet: from VPN_IP_HERE[500] to 10.0.2.15[500] (540 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V NAT-D NAT-D V V V V V ]
received NAT-T (RFC 3947) vendor ID
received DPD vendor ID
received XAuth vendor ID
received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00
received FRAGMENTATION vendor ID
received FRAGMENTATION vendor ID
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
local host is behind NAT, sending keep alives
IKE_SA FortinetVPN[1] established between 10.0.2.15[My_User_name]...VPN_IP_HERE[VPN_IP_HERE]
scheduling reauthentication in 86166s
maximum IKE_SA lifetime 86346s
generating AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
sending packet: from 10.0.2.15[4500] to VPN_IP_HERE[4500] (140 bytes)
generating QUICK_MODE request 1993355718 [ HASH SA No KE ID ID ]
sending packet: from 10.0.2.15[4500] to VPN_IP_HERE[4500] (428 bytes)
received packet: from VPN_IP_HERE[4500] to 10.0.2.15[4500] (92 bytes)
queueing TRANSACTION request as tasks still active
received packet: from VPN_IP_HERE[4500] to 10.0.2.15[4500] (108 bytes)
parsed INFORMATIONAL_V1 request 1651800496 [ HASH D ]
received DELETE for IKE_SA FortinetVPN[1]
deleting IKE_SA FortinetVPN[1] between 10.0.2.15[My_User_name]...VPN_IP_HERE[VPN_IP_HERE]
establishing connection 'FortinetVPN' failed

I suppose that I am doing something wrong in the config file, but I am unable to figure out what.

Any help would be highly appreciated. Thank you very much!

1 Solution
strongX509

Have you tried rightsubnet=172.28.2.0/24, or whatever the subnet mask is?

AEK

If you confirm that 172.28.2.111 is the right DNS, what do you have when you type this command:

dig  something.internal.company.com  @172.28.2.111

In case it doesn't resolve, check the client routing table (it should route 172.28.2.111 through the tunnel) and check that you have the right firewall policy allowing this DNS traffic through the tunnel.

strongX509

Since you have removed rightsubnet=0.0.0.0/0, which tunneled all traffic, the default is now rightsubnet=VPN_IP_HERE/32, which tunnels only traffic going to the VPN server but not to the internal network behind the VPN gateway:

CHILD_SA FortinetVPN{1} established with SPIs cc656926_i acf98b6c_o and TS 192.168.166.4/32 === VPN_IP_HERE/32

In order to reach any internal hosts you have to set rightsubnet to this internal network.

actunderdc

This is strange as on Fortinet client from Win10 I am not setting any subnet anywhere, the client does everything. By looking at the virtual adapter it creates, I can see there:

IPv4 Address. . . . . . . . . . . : 192.168.166.4(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
...
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : 192.168.166.46

I tried adding rightsubnet=192.168.166.0/24 to my ipsec.conf file, but it doesn't seem to have an effect. Connection log:

CHILD_SA FortinetVPN{1} established with SPIs c2268279_i acf9910a_o and TS 192.168.166.4/32 === 192.168.166.0/24

However, typing ip addr :

2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
...
inet 192.168.166.4/32 scope global enp0s3
   valid_lft forever preferred_lft forever

Am I setting it wrong in the config file?

Please remember that the internal websites that I want to access are like 172.28.2.123, the DNS server is 172.28.2.111, etc. (none of them are pingable). Maybe I am missing some DHCP plugin? I use IKEv1, as stated at the beginning.

Thank you very much for the help provided!

actunderdc
New Contributor II

@AEK, yes 172.28.2.111 is the DNS server, I checked on the Windows 10 machine.

user@Machine:~$ sudo ufw status
Status: inactive
user@Machine:~$ dig something.internal.company.com @172.28.2.111
;; communications error to 172.28.2.111#53: timed out
;; communications error to 172.28.2.111#53: timed out

It seems that it cannot access the DNS server on port 53, although the firewall is disabled (I ran sudo ufw disable previously). Any other thoughts? The OS is Linux Mint, freshly installed in a VirtualBox machine. As I previously said, other external websites are being resolved properly, so it doesn't seem that port 53 would be blocked somehow.

user@Machine:~$ telnet 8.8.8.8 53
Trying 8.8.8.8...
Connected to 8.8.8.8.
Escape character is '^]'.
^CConnection closed by foreign host.
user@Machine:~$ telnet 172.28.2.111 53
Trying 172.28.2.111...
telnet: Unable to connect to remote host: Connection timed out

user@Machine:~$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    100    0        0 enp0s3
10.0.2.0        0.0.0.0         255.255.255.0   U     100    0        0 enp0s3
link-local      0.0.0.0         255.255.0.0     U     1000   0        0 enp0s3

AEK

I mean you should check if you have the right firewall policy on the remote FortiGate.

That policy should allow DNS queries through the tunnel to local DNS server 172.28.2.111.

On the other hand I don't see any route through the tunnel on your "Machine". Without this route you can't access any resource through the tunnel.

actunderdc
New Contributor II

@AEK, I don't have access to the remote FortiGate, but with the same credentials and using the FortiClient from Windows 10 it is working properly.

One difference between the 2 OSes that I noticed is that in Windows 10 a new virtual adapter is created, which obtains an IPv4 address and a DHCP server (see my ipconfig /all output from the previous forum page).

In Linux Mint I don't have any other adapter created, even when the FortinetVPN connection is up (the ifconfig command shows one wireless adapter and lo). Without a virtual interface I also don't have the routes set up, as you suggested (they are present in Windows 10; the route print -4 command shows lots of entries with the Fortinet virtual adapter).

So, going back to the ipsec.conf, maybe I am missing something there that prevents the creation of a virtual adapter? Or a linux package? Or is it strongswan in Linux somehow working differently than Fortinet Client in Windows 10?

Thank you all for the help provided so far!

strongX509

strongSwan doesn't install a separate virtual network interface but installs a source routing rule in table 220, which should look something like:

ip route list table 220
172.28.2.0/24 via 10.2.0.1 dev enp0s3 proto static src 192.168.166.4

 dest. subnet        nexthop        interface                         assigned virtual IP
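
Added diagnostic for the two points made in this thread (the negotiated traffic selector above, and the table 220 route here); this is an example script, not code from the thread or from strongSwan. It reads the CHILD_SA line that charon prints and the output of `ip route list table 220`, and reports whether a destination such as the internal DNS server is inside the remote traffic selector of a policy-based tunnel and whether table 220 carries a route to it with the assigned virtual IP as source. The sample lines are constructed after those quoted in the thread; the gateway address 203.0.113.10 and the next hop 10.0.2.2 are placeholders.

```python
"""Check whether a destination is actually carried by a policy-based
strongSwan tunnel. Two conditions must hold: the address falls inside a
negotiated remote traffic selector (TS), and table 220 has a route to it
whose source is the virtual IP assigned by the gateway.
Added example, not code from the thread or from strongSwan."""
import ipaddress
import re

# Constructed sample data, modelled on the charon log lines and the
# `ip route list table 220` output quoted in the thread.
# 203.0.113.10 stands in for the VPN gateway, 10.0.2.2 for the LAN router.
LOG_DEFAULT_RIGHTSUBNET = (
    "CHILD_SA FortinetVPN{1} established with SPIs cc656926_i acf98b6c_o "
    "and TS 192.168.166.4/32 === 203.0.113.10/32"
)
LOG_INTERNAL_RIGHTSUBNET = (
    "CHILD_SA FortinetVPN{1} established with SPIs c2268279_i acf9910a_o "
    "and TS 192.168.166.4/32 === 172.28.2.0/24"
)
ROUTE_TABLE_220 = (
    "172.28.2.0/24 via 10.0.2.2 dev enp0s3 proto static src 192.168.166.4\n"
)

# "TS <local selectors> === <remote selectors>" at the end of the log line;
# charon lists several selectors separated by spaces.
TS_RE = re.compile(r"\bTS (.+?) === (.+)$")
# "<prefix> via <nexthop> dev <iface> ... src <virtual ip>"
ROUTE_RE = re.compile(r"^(\S+) via \S+ dev (\S+) .*\bsrc (\S+)")


def parse_traffic_selectors(log_line):
    """Return (local, remote) lists of ip_network from a CHILD_SA log line."""
    match = TS_RE.search(log_line)
    if not match:
        raise ValueError("no traffic selectors found in line")
    local = [ipaddress.ip_network(n, strict=False) for n in match.group(1).split()]
    remote = [ipaddress.ip_network(n, strict=False) for n in match.group(2).split()]
    return local, remote


def tunnel_covers(log_line, dst):
    """True if dst is inside at least one negotiated remote selector."""
    _, remote = parse_traffic_selectors(log_line)
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in remote)


def route_covers(table_220, dst, virtual_ip):
    """True if table 220 routes dst with the virtual IP as source address."""
    addr = ipaddress.ip_address(dst)
    for line in table_220.splitlines():
        match = ROUTE_RE.match(line.strip())
        if not match:
            continue
        prefix = ipaddress.ip_network(match.group(1), strict=False)
        if addr in prefix and match.group(3) == virtual_ip:
            return True
    return False


def diagnose(log_line, table_220, dst, virtual_ip):
    """Explain why dst is (or is not) reachable through the tunnel."""
    if not tunnel_covers(log_line, dst):
        return "not-in-traffic-selector"   # fix: widen rightsubnet
    if not route_covers(table_220, dst, virtual_ip):
        return "no-route-in-table-220"     # tunnel up, but no source route
    return "ok"


if __name__ == "__main__":
    for label, line in (("default /32", LOG_DEFAULT_RIGHTSUBNET),
                        ("172.28.2.0/24", LOG_INTERNAL_RIGHTSUBNET)):
        verdict = diagnose(line, ROUTE_TABLE_220, "172.28.2.111", "192.168.166.4")
        print(f"rightsubnet {label}: DNS server 172.28.2.111 -> {verdict}")
```

On a live system, feed it the matching CHILD_SA line from the `ipsec up` output and the text of `ip route list table 220`; a "not-in-traffic-selector" verdict is the situation the thread describes, where the tunnel is established but only covers the gateway's own /32.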

actunderdc
New Contributor II

@AEK, thank you so much!

Setting, as you suggested

rightsubnet=172.28.2.0/24

proved to be the working solution! Now I can ping and access internal websites, also using dns names!

When I check the route as you suggested it looks like in your example:

user@Machine:~$ ip route list table 220
172.28.2.0/24 via MY_ROUTER_IP dev enp0s3 proto static src 192.168.166.4

It still remains a mystery to me how the Fortinet Windows 10 client knows how to route properly without specifying this network and mask, but now I have a working client on my Linux machine!

THANK YOU ALL!

strongX509

The reason that you don't have to specify a destination subnet with the Fortinet Windows client is that Fortinet by default uses interface- or route-based IPsec tunnels, whereas strongSwan uses policy-based ones.
