I found this thread (https://forum.fortinet.com/tm.aspx?m=115012) and it helped me get a little closer (I think) to getting a VPN working from multiple sites in a hub and spoke setup, but I still can't seem to get there. I have multiple FortiGates with various public IP addresses that I need to connect back to a static IP StrongSwan server hosted inside Amazon Web Services (AWS).
Here are a few other resources I found useful in case anyone else finds this post and is having similar VPN woes:
http://socpuppet.blogspot.com/2013/10/site-2-site-routed-vpn-trouble-shooting.html
https://wiki.strongswan.org/projects/strongswan/wiki/AwsVpc
https://wiki.strongswan.org/projects/strongswan/wiki/IpsecCommand
http://socpuppet.blogspot.com/2014/05/openswan-to-fortigate-route-based-vpn.html
At this point I've tried all the combinations of public/private IP addresses I could think of, and have had so many different configs in place at one point or another that I'm not sure whether what's posted below really makes sense, but it's the current state of the devices nonetheless.
I attached a txt file with the debug outputs for both the FGT and the StrongSwan server. I couldn't attach multiple files, so I tacked the FGT debug onto the very end of the file. I believe the lines of interest for the StrongSwan output are lines 9-26, but I included the full exchange just in case it helps.
StrongSwan config
conn %default
    keyingtries=%forever
    keyexchange=ikev2

conn dialup
    left=10.1.1.50
    leftid=VPNDOMAINNAME
    leftsubnet=10.1.0.0/16
    leftauth=psk
    leftfirewall=yes
    right=%any
    rightauth=psk
    rightsourceip=10.1.0.0/24
    auto=start
    ike=aes128-sha1-modp2048
FGT config
config vpn ipsec phase1-interface
    edit "dialup-vpn01"
        set interface "wan1"
        set ike-version 2
        set proposal aes128-sha1
        set localid "PUBLIC-IP-B"
        set dpd disable
        set comments "towards strongswan"
        set dhgrp 14
        set remote-gw PUBLIC-IP-A
        set psksecret ENC SECRET
    next
end
config vpn ipsec phase2-interface
    edit "dialup-vpn01"
        set phase1name "dialup-vpn01"
        set proposal aes128-sha1
        set pfs disable
        set replay disable
        set keepalive enable
        set auto-negotiate enable
        set dst-addr-type ip
        set keylifeseconds 3600
        set src-subnet 10.1.0.0 255.255.255.0
        set dst-start-ip 10.1.1.50
    next
end
edit: added image of network layout
@Ken:
You are right, I mixed the type of VPN up because it is named 'dialup' but the type is not. Then of course you can use the static public IPs to authenticate.
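As an added example (not from the thread, and not tooling from strongSwan or Fortinet), here is a small Python checker that parses trimmed copies of the two configs posted above and reports the mismatches that keep a static site-to-site tunnel from coming up, in line with Ken's point that both peers have static public IPs. The config excerpts, the `DH_GROUPS` table and the finding texts are constructed for this example.

```python
import ipaddress
import re

# Constructed excerpts of the two configs posted above (trimmed to the keys checked).
SWAN = """conn dialup
    left=10.1.1.50
    leftsubnet=10.1.0.0/16
    right=%any
    rightsourceip=10.1.0.0/24
    auto=start
    ike=aes128-sha1-modp2048
"""
FGT = """set ike-version 2
set proposal aes128-sha1
set dhgrp 14
set src-subnet 10.1.0.0 255.255.255.0
set dst-start-ip 10.1.1.50
"""
DH_GROUPS = {"2": "modp1024", "5": "modp1536", "14": "modp2048"}  # IANA number -> strongSwan name

def parse_swan(text):
    """key=value lines of one ipsec.conf conn section -> dict."""
    return dict(m.groups() for m in re.finditer(r"^\s*(\w+)=(\S+)", text, re.M))

def parse_fgt(text):
    """FortiOS 'set <key> <value...>' lines -> dict, value kept as one string."""
    return dict(m.groups() for m in re.finditer(r"^\s*set (\S+) (.+?)\s*$", text, re.M))

def check(swan, fgt):
    """Return findings that would stop a static site-to-site tunnel; an empty list means compatible."""
    issues = []
    if swan.get("right") == "%any" and swan.get("auto") == "start":
        issues.append("strongSwan: right=%any cannot be initiated with auto=start; set right= to the FortiGate's static public IP")
    # IKE proposal: FortiOS keeps cipher/hash and DH group in two settings, strongSwan joins them.
    want = fgt["proposal"] + "-" + DH_GROUPS.get(fgt["dhgrp"], "group" + fgt["dhgrp"])
    if want not in swan.get("ike", "").split(","):
        issues.append(f"IKE proposal mismatch: FortiGate offers {want}, strongSwan has ike={swan.get('ike')}")
    # Traffic selectors: each side's local network must sit inside what the other side calls remote.
    swan_local = ipaddress.ip_network(swan["leftsubnet"])
    fgt_local = ipaddress.ip_network(fgt["src-subnet"].replace(" ", "/"))
    fgt_remote = ipaddress.ip_network(fgt["dst-start-ip"])  # single host -> /32
    if not fgt_remote.subnet_of(swan_local):
        issues.append(f"FortiGate remote {fgt_remote} is outside strongSwan leftsubnet {swan_local}")
    if fgt_local.overlaps(swan_local):
        issues.append(f"address overlap: FortiGate LAN {fgt_local} overlaps strongSwan LAN {swan_local}; routing cannot pick a side")
    if "rightsubnet" not in swan:
        issues.append(f"strongSwan: no rightsubnet for FortiGate LAN {fgt_local} (rightsourceip hands out virtual IPs to road-warriors, not to a site-to-site peer)")
    elif not fgt_local.subnet_of(ipaddress.ip_network(swan["rightsubnet"])):
        issues.append(f"FortiGate LAN {fgt_local} is outside strongSwan rightsubnet {swan['rightsubnet']}")
    return issues

if __name__ == "__main__":
    for line in check(parse_swan(SWAN), parse_fgt(FGT)):
        print("-", line)
```

Run against the posted configs it reports three findings (the %any peer, the overlapping 10.1.0.0 networks, and the missing rightsubnet); the IKE proposal aes128-sha1 with DH group 14 already matches ike=aes128-sha1-modp2048.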