It looks like 'set dst-subnet' isn't a valid command in firmware 5.2 it's apparently changed to 'set dst-start-ip' I've changed the environment to simplify things but am still having issues :(

I changed the AWS side to only involve the 10.1.0.0/16 network and changed the FGT side lan to be 192.158.5.0/24 but am still having issues getting a tunnel to come up. I posted the configs and strongswan debug logs. I'm still getting the same 'failed cp_required' errors on strongswan

FGT config

fgt (phase2-interface) # show

config vpn ipsec phase2-interface
edit "dialupvpn-p2"
set phase1name "dialupvpn"
set dhgrp 5
set dst-addr-type ip
set keylifeseconds 3600
set src-subnet 192.168.5.0 255.255.255.0
set dst-start-ip 10.1.1.50
next
end

StrongSwan config

conn dialup

left=10.1.1.50
leftid=VPNDOMAINNAME
leftsubnet=10.1.0.0/16
leftauth=psk
leftfirewall=yes
right=%any
rightauth=psk
rightsourceip=192.168.5.0/24
auto=start
ike=aes128-sha1-modp2048
keyingtries=%forever
keyexchange=ikev2

StrongSwan debug log

Jan 8 04:39:21 05[IKE] <dialup|5599> IKE_SA dialup[5599] state change: CONNECTING => ESTABLISHED

Jan 8 04:39:21 07[JOB] next event in 99ms, waiting
Jan 8 04:39:21 05[IKE] <dialup|5599> scheduling reauthentication in 10113s
Jan 8 04:39:21 07[JOB] next event in 99ms, waiting
Jan 8 04:39:21 05[IKE] <dialup|5599> maximum IKE_SA lifetime 10653s
Jan 8 04:39:21 05[IKE] <dialup|5599> expected a virtual IP request, sending FAILED_CP_REQUIRED
Jan 8 04:39:21 05[ENC] <dialup|5599> added payload of type NOTIFY to message
Jan 8 04:39:21 05[CFG] <dialup|5599> looking for a child config for 10.1.0.0/16 === 192.168.5.0/24
Jan 8 04:39:21 05[CFG] <dialup|5599> proposing traffic selectors for us:
Jan 8 04:39:21 05[CFG] <dialup|5599> 10.1.0.0/16
Jan 8 04:39:21 05[CFG] <dialup|5599> proposing traffic selectors for other:
Jan 8 04:39:21 05[CFG] <dialup|5599> dynamic
Jan 8 04:39:21 05[IKE] <dialup|5599> traffic selectors 10.1.0.0/16 === 192.168.5.0/24 inacceptable
Jan 8 04:39:21 05[ENC] <dialup|5599> added payload of type NOTIFY to message
Jan 8 04:39:21 05[IKE] <dialup|5599> failed to establish CHILD_SA, keeping IKE_SA
Jan 8 04:39:21 05[ENC] <dialup|5599> added payload of type NOTIFY to message
Jan 8 04:39:21 05[ENC] <dialup|5599> order payloads in message
Jan 8 04:39:21 05[ENC] <dialup|5599> added payload of type ID_RESPONDER to message
Jan 8 04:39:21 05[ENC] <dialup|5599> added payload of type AUTH to message
Jan 8 04:39:21 05[ENC] <dialup|5599> added payload of type NOTIFY to message
Jan 8 04:39:21 05[ENC] <dialup|5599> added payload of type NOTIFY to message
Jan 8 04:39:21 05[ENC] <dialup|5599> added payload of type NOTIFY to message
Jan 8 04:39:21 05[ENC] <dialup|5599> generating IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(FAIL_CP_REQ) N(TS_UNACCEPT) ]
Jan 8 04:39:21 05[ENC] <dialup|5599> insert payload ID_RESPONDER into encrypted payload
Jan 8 04:39:21 05[ENC] <dialup|5599> insert payload AUTH into encrypted payload
Jan 8 04:39:21 05[ENC] <dialup|5599> insert payload NOTIFY into encrypted payload
Jan 8 04:39:21 05[ENC] <dialup|5599> insert payload NOTIFY into encrypted payload
Jan 8 04:39:21 05[ENC] <dialup|5599> insert payload NOTIFY into encrypted payload
Jan 8 04:39:21 05[ENC] <dialup|5599> generating payload of type HEADER

I wanted to address this;

It looks like 'set dst-subnet' isn't a valid command in firmware 5.2 it's apparently changed to 'set dst-start-ip' I've changed the environment to simplify things but am still having issues :(  

You need to change the dst addr type to subnet in your phase2 cfg;

set dst-addr-type subnet     IPv4 subnet. range      IPv4 range. ip         IPv4 IP. name       IPv4 firewall address or group name. subnet6    IPv6 subnet. range6     IPv6 range. ip6        IPv6 IP. name6      IPv6 firewall address or group name.

Change it and then apply the dst-subnet and it should come up.

Ken

May I point out that the peerIDs do not match. If using a dialup VPN the remote IP address cannot be used for authentication. Thus, you need to provide peer IDs.

You do but they don't match.

Agreed on the dest subnet Quick Mode selector. The FGT debug messages point to this as well.

And finally, check the DH group. Group 5 is 1536 bits whereas 2048 bits is group 14. You have it either way in your 2 posts.

Good catch , but his earlier  original-posted config has  set pfs disable in ph2 and he was using dhgrp 14  on ph1. So if he enable pfs than we would have a 2nd key change based on the proposal enabled.

phase1

set dhgrp 14

He should clean  up the cfg.

Do you agree on the peerID topic?

This is a l2l type ipsec, so there's no need for peerId nor have I ever used one in a static l2l ipsec vpn.

Ken

THANK YOU to everyone with your help! I have tunnels up!

Now I can start the process of getting traffic routed properly. After spending so much time on this I figured the solution would be something stupid, after changing 'rightsourceip' to 'rightsubnet' in the strongswan config the tunnels came up right away.

I have firewall rules in place to allow traffic in/out of the vpn but they aren't catching any packets and I can't seem to communicate across the VPN so I'm going to start troubleshooting the routing issues and i will update on that as issues arise.

Here are the working configs I have currently running with tunnels showing up on both the strongswan and FGT.

StrongSwan

conn dialup

left=10.1.1.50
leftsubnet=10.1.0.0/16
leftauth=psk
leftfirewall=yes
right=%any
rightauth=psk
rightsubnet=192.168.5.0/24
auto=start
ike=aes128-sha1-modp2048
keyingtries=%forever
keyexchange=ikev2

FGT

config vpn ipsec phase1-interface

edit "vpn20c"
set interface "wan"
set ike-version 2
set keylife 3600
set dhgrp 14
set remote-gw PUBLIC-IP-A

next

config vpn ipsec phase2-interface
edit "vpn20c-p2"
set phase1name "vpn20c"
set dhgrp 14
set src-subnet 192.168.5.0 255.255.255.0
set dst-subnet 10.1.0.0 255.255.0.0
next
end

Ok good job, now to further trouble-shoot this you need to do a few work

One you need to compare the  ispec sa status and details ( look for match SPI from>>>>to   to>>>> from )

FGT

diag vpn tunnel list name < fgt  phase1 name >

You need get a packet sniffer on the tunnel interface ( you have a route-based vpn  so you have a interface)

diag sniffer paccket < name> "any"

Diag debg flow will come in handy and tell you 9 out of 10 times what the problem is or direct you to the problem

diag debug reset

diag debug flow filter < insert a host that's carried over the vpn>

diag debug show console enable

diag debug en

diag debug flow trace start 100

Things that's bit me in the past,

1: fail to have a static route

config router static

   edit xxxx ( pick a unused number )

        set dev "phase#1 name "

        set dst  x.x.x.x/24

    end

2: bad or incorrect policies, the diag debug flow will shed light on that

On linux you need the following

ipsec status

ipsec statusall

ip xfrm state

ip xfrm policy

Like FGT tcpdump/tshark will come in handy

tcpdump -i eth0 -nnnnvvvv proto 50 host a.a.a.a. or b.b.b.b

And finally just review iptables  ( fwpolicies)

I've been working with openswan like for  over 7 years and not so much with strongswan.

http://socpuppet.blogspot.com/2014/05/openswan-to-fortigate-route-based-vpn.html

Good luck