Hi all,
I am able to connect to a Fortinet VPN server from Windows 10 using Fortinet Client v6.0.9.0277. My configuration is displayed in the following 2 pictures:
But from Linux Mint, using strongSwan, I am unable to connect. Here is my configuration:
# ipsec.conf - strongSwan IPsec configuration file
conn FortinetVPN
keyexchange=ikev1
aggressive=yes
authby=secret
left=%defaultroute
leftauth=psk
leftid=My_User_name
right=VPN_IP_HERE
rightauth=psk
rightid=%any
rightsubnet=0.0.0.0/0
ike=aes256-sha256-modp1536,aes128-sha1-modp1536!
esp=aes256-sha1-modp1536,aes128-sha1-modp1536!
dpdaction=clear
dpddelay=30s
dpdtimeout=150s
ikelifetime=86400s
lifetime=43200s
keylife=43200s
rekeymargin=3m
keyingtries=1
auto=add
type=tunnel
replay_window=32
mobike=no
forceencaps=yes
#ipsec.secrets
My_User_name : PSK "My_Preshared_key"
My_User_name : XAUTH "My_Password"
The output I am getting is:
sudo ipsec up FortinetVPN
initiating Aggressive Mode IKE_SA FortinetVPN[1] to VPN_IP_HERE
generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
sending packet: from 10.0.2.15[500] to VPN_IP_HERE[500] (475 bytes)
received packet: from VPN_IP_HERE[500] to 10.0.2.15[500] (540 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V NAT-D NAT-D V V V V V ]
received NAT-T (RFC 3947) vendor ID
received DPD vendor ID
received XAuth vendor ID
received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00
received FRAGMENTATION vendor ID
received FRAGMENTATION vendor ID
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
local host is behind NAT, sending keep alives
IKE_SA FortinetVPN[1] established between 10.0.2.15[My_User_name]...VPN_IP_HERE[VPN_IP_HERE]
scheduling reauthentication in 86166s
maximum IKE_SA lifetime 86346s
generating AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
sending packet: from 10.0.2.15[4500] to VPN_IP_HERE[4500] (140 bytes)
generating QUICK_MODE request 1993355718 [ HASH SA No KE ID ID ]
sending packet: from 10.0.2.15[4500] to VPN_IP_HERE[4500] (428 bytes)
received packet: from VPN_IP_HERE[4500] to 10.0.2.15[4500] (92 bytes)
queueing TRANSACTION request as tasks still active
received packet: from VPN_IP_HERE[4500] to 10.0.2.15[4500] (108 bytes)
parsed INFORMATIONAL_V1 request 1651800496 [ HASH D ]
received DELETE for IKE_SA FortinetVPN[1]
deleting IKE_SA FortinetVPN[1] between 10.0.2.15[My_User_name]...VPN_IP_HERE[VPN_IP_HERE]
establishing connection 'FortinetVPN' failed
I suppose that I am doing something wrong in the config file, but I am unable to figure out what.
Any help would be highly appreciated. Thank you very much!
Have you tried rightsubnet=172.28.2.0/24, or whatever the subnet mask is?
Hi
Try debug from FG side.
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPsec-VPNs-tunnels/ta-p/195955
Add leftauth2=xauth to ipsec.conf.
@AEK, unfortunately I don't have access to the server side :(
@strongX509, thank you! I made some progress with your suggestion!
Now, Microsoft Authenticator is providing me a pop up to approve the connection. However, although I approve it, the connection fails (and blocks my account due to repeated logins). Here is the new log:
initiating Aggressive Mode IKE_SA FortinetVPN[1] to VPN_IP_HERE
generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
sending packet: from 10.0.2.15[500] to VPN_IP_HERE[500] (475 bytes)
received packet: from VPN_IP_HERE[500] to 10.0.2.15[500] (540 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V NAT-D NAT-D V V V V V ]
received NAT-T (RFC 3947) vendor ID
received DPD vendor ID
received XAuth vendor ID
received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00
received FRAGMENTATION vendor ID
received FRAGMENTATION vendor ID
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
local host is behind NAT, sending keep alives
generating AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
sending packet: from 10.0.2.15[4500] to VPN_IP_HERE[4500] (140 bytes)
received packet: from VPN_IP_HERE[4500] to 10.0.2.15[4500] (92 bytes)
parsed TRANSACTION request 3430233041 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
generating TRANSACTION response 3430233041 [ HASH CPRP(X_USER X_PWD) ]
sending packet: from 10.0.2.15[4500] to VPN_IP_HERE[4500] (108 bytes)
received packet: from VPN_IP_HERE[4500] to 10.0.2.15[4500] (92 bytes)
parsed TRANSACTION request 1880015101 [ HASH CPS(X_STATUS) ]
XAuth authentication of 'My_User_name' (myself) successful
IKE_SA FortinetVPN[1] established between 10.0.2.15[My_User_name]...VPN_IP_HERE[VPN_IP_HERE]
scheduling reauthentication in 86049s
maximum IKE_SA lifetime 86229s
generating TRANSACTION response 1880015101 [ HASH CPA(X_STATUS) ]
sending packet: from 10.0.2.15[4500] to VPN_IP_HERE[4500] (92 bytes)
generating QUICK_MODE request 1374538424 [ HASH SA No KE ID ID ]
sending packet: from 10.0.2.15[4500] to VPN_IP_HERE[4500] (428 bytes)
received packet: from VPN_IP_HERE[4500] to 10.0.2.15[4500] (108 bytes)
parsed INFORMATIONAL_V1 request 1850655511 [ HASH D ]
received DELETE for IKE_SA FortinetVPN[1]
deleting IKE_SA FortinetVPN[1] between 10.0.2.15[My_User_name]...VPN_IP_HERE[VPN_IP_HERE]
initiating Aggressive Mode IKE_SA FortinetVPN[2] to VPN_IP_HERE
establishing connection 'FortinetVPN' failed
From here on I have no clue; I suppose it has to do with the 2-factor authentication. The Windows Fortinet client "knows how to wait" until I approve the connection.
I see that in your Windows 10 FortiClient configuration, "Mode Config" is enabled. Does the VPN client request a virtual IP address from the VPN server to be used within the tunnel? If yes, then in ipsec.conf add the line leftsourceip=%config in order to request an IP address via Mode Config.
Hello @strongX509 ,
Indeed, the Windows 10 VPN client requests a virtual IP address to be used in the tunnel.
Here is how it looks:
C:\Users\User>ipconfig /all
Windows IP Configuration
...
Ethernet adapter Ethernet 2:
Connection-specific DNS Suffix . : internal.company.com
Description . . . . . . . . . . . : Fortinet Virtual Ethernet Adapter (NDIS 6.30)
Physical Address. . . . . . . . . : 00-09-0F-FE-00-01
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::1665:5d42:d1c9:1f39%6(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.166.20(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Tuesday, February 27, 2024 10:37:17
Lease Expires . . . . . . . . . . : Friday, April 4, 2160 17:10:18
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : 192.168.166.21
DHCPv6 IAID . . . . . . . . . . . : 100665615
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-28-F8-AD-E6-48-9E-BD-32-6B-C0
DNS Servers . . . . . . . . . . . : 172.28.2.111
172.28.2.111
NetBIOS over Tcpip. . . . . . . . : Enabled
...
Ethernet adapter Ethernet 3:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Fortinet SSL VPN Virtual Ethernet Adapter
Physical Address. . . . . . . . . : 00-09-0F-AA-00-01
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Thank you so much! Adding that line solved the connection issue, now it gets established:
initiating Aggressive Mode IKE_SA FortinetVPN[2] to VPN_IP_HERE
generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
sending packet: from 10.0.2.15[500] to VPN_IP_HERE[500] (475 bytes)
received packet: from VPN_IP_HERE[500] to 10.0.2.15[500] (540 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V NAT-D NAT-D V V V V V ]
received NAT-T (RFC 3947) vendor ID
received DPD vendor ID
received XAuth vendor ID
received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00
received FRAGMENTATION vendor ID
received FRAGMENTATION vendor ID
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
local host is behind NAT, sending keep alives
generating AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
sending packet: from 10.0.2.15[4500] to VPN_IP_HERE[4500] (140 bytes)
received packet: from VPN_IP_HERE[4500] to 10.0.2.15[4500] (92 bytes)
parsed TRANSACTION request 2940994650 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
generating TRANSACTION response 2940994650 [ HASH CPRP(X_USER X_PWD) ]
sending packet: from 10.0.2.15[4500] to VPN_IP_HERE[4500] (108 bytes)
received packet: from VPN_IP_HERE[4500] to 10.0.2.15[4500] (92 bytes)
parsed TRANSACTION request 2519549645 [ HASH CPS(X_STATUS) ]
XAuth authentication of 'My_User_name' (myself) successful
IKE_SA FortinetVPN[2] established between 10.0.2.15[My_User_name]...VPN_IP_HERE[VPN_IP_HERE]
scheduling reauthentication in 86049s
maximum IKE_SA lifetime 86229s
generating TRANSACTION response 2519549645 [ HASH CPA(X_STATUS) ]
sending packet: from 10.0.2.15[4500] to VPN_IP_HERE[4500] (92 bytes)
generating TRANSACTION request 4259852066 [ HASH CPRQ(ADDR DNS) ]
sending packet: from 10.0.2.15[4500] to VPN_IP_HERE[4500] (92 bytes)
received packet: from VPN_IP_HERE[4500] to 10.0.2.15[4500] (108 bytes)
parsed TRANSACTION response 4259852066 [ HASH CPRP(ADDR DNS DNS) ]
adding DNS server failed
adding DNS server failed
handling INTERNAL_IP4_DNS attribute failed
adding DNS server failed
handling INTERNAL_IP4_DNS attribute failed
installing new virtual IP 192.168.166.20
generating QUICK_MODE request 4081831805 [ HASH SA No KE ID ID ]
sending packet: from 10.0.2.15[4500] to VPN_IP_HERE[4500] (428 bytes)
received packet: from VPN_IP_HERE[4500] to 10.0.2.15[4500] (380 bytes)
parsed QUICK_MODE response 4081831805 [ HASH SA No KE ID ID ]
selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
CHILD_SA FortinetVPN{2} established with SPIs c60494e6_i acf989b7_o and TS 192.168.166.20/32 === 0.0.0.0/0
generating QUICK_MODE request 4081831805 [ HASH ]
connection 'FortinetVPN' established successfully
user@Machine:~$ sudo ipsec status FortinetVPN
Security Associations (1 up, 0 connecting):
FortinetVPN[2]: ESTABLISHED 10 minutes ago, 10.0.2.15[My_User_name]...VPN_IP_HERE[VPN_IP_HERE]
FortinetVPN{2}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c60494e6_i acf989b7_o
FortinetVPN{2}: 192.168.166.20/32 === 0.0.0.0/0
My question/problem now: The internet no longer works on my Linux machine as long as I have the VPN up. I can ping only internal IPs (but not access them via DNS). Anything from the outside cannot be reached or pinged.
The DNS servers do not seem to be set on linux.
Check with the command ipsec statusall whether the resolve plugin, which is responsible for inserting the DNS servers received via Mode Config into /etc/resolv.conf, is present in the list of loaded plugins:
loaded plugins: charon random ... resolve ...
With the ipsec.conf setting rightsubnet=0.0.0.0/0 you are tunneling all Internet traffic to the VPN server so the traffic might get stuck there somehow due to routing or NAT-ing.
@strongX509, you are right regarding the subnet. Thank you for your suggestion! Our VPN is used only for internal addresses. I removed the rightsubnet setting and now I can access external websites. However, it still fails to access internal DNS addresses, and even the connect log says that. The resolve plugin seems to be loaded, I checked as you suggested. See the below log where I get messages such as:
adding DNS server failed
handling INTERNAL_IP4_DNS attribute failed
...
loaded plugins: charon ... resolve
user@Machine:~$ sudo ipsec up FortinetVPN
initiating Aggressive Mode IKE_SA FortinetVPN[1] to VPN_IP_HERE
generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
sending packet: from 10.0.2.15[500] to VPN_IP_HERE[500] (475 bytes)
received packet: from VPN_IP_HERE[500] to 10.0.2.15[500] (540 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V NAT-D NAT-D V V V V V ]
received NAT-T (RFC 3947) vendor ID
received DPD vendor ID
received XAuth vendor ID
received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00
received FRAGMENTATION vendor ID
received FRAGMENTATION vendor ID
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
local host is behind NAT, sending keep alives
generating AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
sending packet: from 10.0.2.15[4500] to VPN_IP_HERE[4500] (140 bytes)
received packet: from VPN_IP_HERE[4500] to 10.0.2.15[4500] (92 bytes)
parsed TRANSACTION request 2213304427 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
generating TRANSACTION response 2213304427 [ HASH CPRP(X_USER X_PWD) ]
sending packet: from 10.0.2.15[4500] to VPN_IP_HERE[4500] (108 bytes)
received packet: from VPN_IP_HERE[4500] to 10.0.2.15[4500] (92 bytes)
parsed TRANSACTION request 4119683017 [ HASH CPS(X_STATUS) ]
XAuth authentication of 'My_User_name' (myself) successful
IKE_SA FortinetVPN[1] established between 10.0.2.15[My_User_name]...VPN_IP_HERE[VPN_IP_HERE]
scheduling reauthentication in 86123s
maximum IKE_SA lifetime 86303s
generating TRANSACTION response 4119683017 [ HASH CPA(X_STATUS) ]
sending packet: from 10.0.2.15[4500] to VPN_IP_HERE[4500] (92 bytes)
generating TRANSACTION request 1821253017 [ HASH CPRQ(ADDR DNS) ]
sending packet: from 10.0.2.15[4500] to VPN_IP_HERE[4500] (92 bytes)
received packet: from VPN_IP_HERE[4500] to 10.0.2.15[4500] (108 bytes)
parsed TRANSACTION response 1821253017 [ HASH CPRP(ADDR DNS DNS) ]
adding DNS server failed
adding DNS server failed
handling INTERNAL_IP4_DNS attribute failed
adding DNS server failed
handling INTERNAL_IP4_DNS attribute failed
installing new virtual IP 192.168.166.4
generating QUICK_MODE request 3418080153 [ HASH SA No KE ID ID ]
sending packet: from 10.0.2.15[4500] to VPN_IP_HERE[4500] (412 bytes)
received packet: from VPN_IP_HERE[4500] to 10.0.2.15[4500] (364 bytes)
parsed QUICK_MODE response 3418080153 [ HASH SA No KE ID ID ]
selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
CHILD_SA FortinetVPN{1} established with SPIs c298834a_i acf98b43_o and TS 192.168.166.4/32 === VPN_IP_HERE/32
generating QUICK_MODE request 3418080153 [ HASH ]
connection 'FortinetVPN' established successfully
user@Machine:~$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.5, Linux 5.15.0-97-generic, x86_64):
uptime: 3 minutes, since Feb 27 15:28:42 2024
malloc: sbrk 3076096, mmap 0, used 1393184, free 1682912
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Listening IP addresses:
10.0.2.15
Connections:
FortinetVPN: %any...VPN_IP_HERE IKEv1 Aggressive, dpddelay=30s
FortinetVPN: local: [My_User_name] uses pre-shared key authentication
FortinetVPN: local: [My_User_name] uses XAuth authentication: any
FortinetVPN: remote: uses pre-shared key authentication
FortinetVPN: child: dynamic === dynamic TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
FortinetVPN[1]: ESTABLISHED 3 minutes ago, 10.0.2.15[My_User_name]...VPN_IP_HERE[VPN_IP_HERE]
FortinetVPN[1]: IKEv1 SPIs: 5cf2c9e9c58e5d5b_i* b083dddf32d19854_r, pre-shared key+XAuth reauthentication in 23 hours
FortinetVPN[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
FortinetVPN{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c298834a_i acf98b43_o
FortinetVPN{1}: AES_CBC_256/HMAC_SHA1_96/MODP_1536, 0 bytes_i, 0 bytes_o, rekeying in 11 hours
FortinetVPN{1}: 192.168.166.4/32 === VPN_IP_HERE/32
Update: it seems that I did not have the resolvconf package on my Linux system. After installing it, I no longer have those warnings related to DNS in my connection log:
user@Machine:~$ sudo ipsec up FortinetVPN
initiating Aggressive Mode IKE_SA FortinetVPN[1] to VPN_IP_HERE
generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
sending packet: from 10.0.2.15[500] to VPN_IP_HERE[500] (475 bytes)
received packet: from VPN_IP_HERE[500] to 10.0.2.15[500] (540 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V NAT-D NAT-D V V V V V ]
received NAT-T (RFC 3947) vendor ID
received DPD vendor ID
received XAuth vendor ID
received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00
received FRAGMENTATION vendor ID
received FRAGMENTATION vendor ID
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
local host is behind NAT, sending keep alives
generating AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
sending packet: from 10.0.2.15[4500] to VPN_IP_HERE[4500] (140 bytes)
received packet: from VPN_IP_HERE[4500] to 10.0.2.15[4500] (92 bytes)
parsed TRANSACTION request 2243083556 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
generating TRANSACTION response 2243083556 [ HASH CPRP(X_USER X_PWD) ]
sending packet: from 10.0.2.15[4500] to VPN_IP_HERE[4500] (108 bytes)
received packet: from VPN_IP_HERE[4500] to 10.0.2.15[4500] (92 bytes)
parsed TRANSACTION request 2838158151 [ HASH CPS(X_STATUS) ]
XAuth authentication of 'My_User_name' (myself) successful
IKE_SA FortinetVPN[1] established between 10.0.2.15[My_User_name]...VPN_IP_HERE[VPN_IP_HERE]
scheduling reauthentication in 86120s
maximum IKE_SA lifetime 86300s
generating TRANSACTION response 2838158151 [ HASH CPA(X_STATUS) ]
sending packet: from 10.0.2.15[4500] to VPN_IP_HERE[4500] (92 bytes)
generating TRANSACTION request 232585815 [ HASH CPRQ(ADDR DNS) ]
sending packet: from 10.0.2.15[4500] to VPN_IP_HERE[4500] (92 bytes)
received packet: from VPN_IP_HERE[4500] to 10.0.2.15[4500] (108 bytes)
parsed TRANSACTION response 232585815 [ HASH CPRP(ADDR DNS DNS) ]
installing DNS server 172.28.2.111 via resolvconf
DNS server 172.28.2.111 already installed, increasing refcount
installing new virtual IP 192.168.166.4
generating QUICK_MODE request 4210871032 [ HASH SA No KE ID ID ]
sending packet: from 10.0.2.15[4500] to VPN_IP_HERE[4500] (412 bytes)
received packet: from VPN_IP_HERE[4500] to 10.0.2.15[4500] (364 bytes)
parsed QUICK_MODE response 4210871032 [ HASH SA No KE ID ID ]
selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
CHILD_SA FortinetVPN{1} established with SPIs cc656926_i acf98b6c_o and TS 192.168.166.4/32 === VPN_IP_HERE/32
connection 'FortinetVPN' established successfully
Now I also seem to have the DNS server installed, but pinging internal addresses, or accessing them via the browser, still does not work:
user@Machine:~$ ping something.internal.company.com
ping: something.internal.company.com: Name or service not known
resolv.conf:
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.
nameserver 172.28.2.111
nameserver 127.0.0.53
options edns0 trust-ad
I feel that I am getting very close to a final working VPN tunnel, but something little seems to be still missing.
Thank you very much for the help so far!
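Read side by side, the four transcripts in this thread fail at distinct stages of the IKEv1 exchange, and each stage maps to one ipsec.conf setting raised above. The script below is an added example, not code from the thread or from strongSwan: it classifies an `ipsec up` transcript by that stage and names the setting, and it goes one step beyond the thread by checking whether the installed DNS server lies inside the negotiated remote traffic selector (in the last log, TS 192.168.166.4/32 === VPN_IP_HERE/32 does not cover 172.28.2.111, so queries to it are not tunnelled). The sample logs are constructed and abbreviated, with 203.0.113.1 standing in for the gateway address.

```python
"""Classify strongSwan 'ipsec up' logs of an IKEv1 Aggressive Mode + XAuth
connection by the stage at which they fail, and name the ipsec.conf change."""
import ipaddress
import re

TS_RE = re.compile(r"\bTS (\S+) === (\S+)")
DNS_RE = re.compile(r"installing DNS server (\S+)")
XAUTH_OK_RE = re.compile(r"XAuth authentication of .* successful")

def diagnose(log: str) -> list[str]:
    """Return findings (short strings) for one 'ipsec up' transcript."""
    lines = log.splitlines()
    has = lambda needle: any(needle in line for line in lines)
    findings = []
    deleted = has("received DELETE for IKE_SA")
    xauth_asked = has("CPRQ(X_TYPE")        # gateway started an XAuth exchange
    xauth_ok = any(XAUTH_OK_RE.search(line) for line in lines)
    modecfg_asked = has("CPRQ(ADDR")        # client requested a virtual IP
    if deleted and not xauth_asked:
        findings.append("IKE_SA deleted before any XAuth exchange: add leftauth2=xauth")
    elif deleted and xauth_ok and not modecfg_asked:
        findings.append("IKE_SA deleted after XAuth with no Mode Config request: add leftsourceip=%config")
    if has("adding DNS server failed"):
        findings.append("resolve plugin could not install DNS servers: install the resolvconf package")
    ts = next((m for m in map(TS_RE.search, lines) if m), None)
    if ts:
        remote = ipaddress.ip_network(ts.group(2), strict=False)
        if remote.prefixlen == 0:
            findings.append("remote TS 0.0.0.0/0: all Internet traffic is tunnelled; "
                            "set rightsubnet to the internal subnet only")
        for dns in sorted({m.group(1) for m in map(DNS_RE.search, lines) if m}):
            if ipaddress.ip_address(dns) not in remote:   # DNS server not routed via tunnel
                net = ipaddress.ip_network(dns + "/24", strict=False)
                findings.append(f"DNS server {dns} is outside remote TS {remote}: "
                                f"add rightsubnet={net} (or the real internal subnet)")
    if has("established successfully") and not findings:
        findings.append("tunnel up; DNS installed and reachable through the TS")
    return findings

# Constructed, abbreviated transcripts mirroring the thread's stages (203.0.113.1 = gateway).
LOG_NO_XAUTH = """IKE_SA FortinetVPN[1] established between 10.0.2.15[user]...203.0.113.1[203.0.113.1]
received DELETE for IKE_SA FortinetVPN[1]
establishing connection 'FortinetVPN' failed"""
LOG_NO_MODECFG = """parsed TRANSACTION request 3430233041 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
XAuth authentication of 'user' (myself) successful
generating QUICK_MODE request 1374538424 [ HASH SA No KE ID ID ]
received DELETE for IKE_SA FortinetVPN[1]
establishing connection 'FortinetVPN' failed"""
LOG_FINAL = """generating TRANSACTION request 232585815 [ HASH CPRQ(ADDR DNS) ]
installing DNS server 172.28.2.111 via resolvconf
installing new virtual IP 192.168.166.4
CHILD_SA FortinetVPN{1} established with SPIs cc656926_i acf98b6c_o and TS 192.168.166.4/32 === 203.0.113.1/32
connection 'FortinetVPN' established successfully"""

if __name__ == "__main__":
    for name, log in (("no xauth", LOG_NO_XAUTH), ("no modecfg", LOG_NO_MODECFG), ("final", LOG_FINAL)):
        print(name, diagnose(log), sep=": ")
```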