jlozen
New Contributor

Multiple FGT initiate VPN to StrongSwan inside AWS

I found this thread (https://forum.fortinet.com/tm.aspx?m=115012) and it helped me get a little closer (I think) to getting a VPN working from multiple sites in a hub and spoke setup, but I still can't seem to get there. I have multiple FortiGates with various public IP addresses that I need to connect back to a static IP StrongSwan server hosted inside Amazon Web Services (AWS).

Here are a few other resources I found useful, in case anyone else finds this post and is having similar VPN woes.

http://socpuppet.blogspot.com/2013/10/site-2-site-routed-vpn-trouble-shooting.html

https://wiki.strongswan.org/projects/strongswan/wiki/AwsVpc

http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%205.0%20Help/TestandMonitor.129....

https://wiki.strongswan.org/projects/strongswan/wiki/IpsecCommand

http://socpuppet.blogspot.com/2014/05/openswan-to-fortigate-route-based-vpn.html

At this point I've tried all the combinations of public/private IP addresses I could think of, and have had so many different configs in place at one point or another that I'm not sure whether what's posted below really makes sense, but it's the current state of the devices nonetheless.

I attached a txt file with the debug outputs for both the FGT and the StrongSwan server; I couldn't attach multiple files, so I tacked the FGT debug onto the very end of the file. I believe the lines of interest in the StrongSwan output are lines 9-26, but I included the full exchange just in case it helps.

StrongSwan config

conn %default
    keyingtries=%forever
    keyexchange=ikev2

conn dialup
    left=10.1.1.50
    leftid=VPNDOMAINNAME
    leftsubnet=10.1.0.0/16
    leftauth=psk
    leftfirewall=yes
    right=%any
    rightauth=psk
    rightsourceip=10.1.0.0/24
    auto=start
    ike=aes128-sha1-modp2048

FGT config

config vpn ipsec phase1-interface
    edit "dialup-vpn01"
        set interface "wan1"
        set ike-version 2
        set proposal aes128-sha1
        set localid "PUBLIC-IP-B"
        set dpd disable
        set comments "towards strongswan"
        set dhgrp 14
        set remote-gw PUBLIC-IP-A
        set psksecret ENC SECRET
    next
end

config vpn ipsec phase2-interface
    edit "dialup-vpn01"
        set phase1name "dialup-vpn01"
        set proposal aes128-sha1
        set pfs disable
        set replay disable
        set keepalive enable
        set auto-negotiate enable
        set dst-addr-type ip
        set keylifeseconds 3600
        set src-subnet 10.1.0.0 255.255.255.0
        set dst-start-ip 10.1.1.50
    next
end

edit: added image of network layout
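Added example (not part of the post, and not code from Fortinet or the strongSwan project): a small Python script that parses the two configs quoted above and cross-checks the settings that most often stop an IKEv2 tunnel from coming up, i.e. IKE version, IKE proposal plus DH group, the phase 2 (ESP) proposal, and the traffic selectors on each side. The embedded config texts are copies of the ones posted, with the PSK replaced by a placeholder. The FortiOS `mode-cfg` setting that the virtual-IP check looks for is assumed from FortiOS documentation rather than taken from the thread; the DH group number to strongSwan name mapping uses the IANA group ids.

```python
"""Cross-check a strongSwan ipsec.conf 'conn' against a FortiGate phase1/phase2 pair.

Added example for the thread; the config texts are copies of the posted ones
with the PSK replaced. 'mode-cfg' is assumed from FortiOS documentation.
"""
import ipaddress

STRONGSWAN_CONF = """
conn %default
    keyingtries=%forever
    keyexchange=ikev2
conn dialup
    left=10.1.1.50
    leftid=VPNDOMAINNAME
    leftsubnet=10.1.0.0/16
    leftauth=psk
    right=%any
    rightauth=psk
    rightsourceip=10.1.0.0/24
    auto=start
    ike=aes128-sha1-modp2048
"""

FGT_CONF = """
config vpn ipsec phase1-interface
    edit "dialup-vpn01"
        set ike-version 2
        set proposal aes128-sha1
        set localid "PUBLIC-IP-B"
        set dhgrp 14
        set remote-gw PUBLIC-IP-A
        set psksecret ENC PLACEHOLDER
    next
end
config vpn ipsec phase2-interface
    edit "dialup-vpn01"
        set phase1name "dialup-vpn01"
        set proposal aes128-sha1
        set pfs disable
        set dst-addr-type ip
        set src-subnet 10.1.0.0 255.255.255.0
        set dst-start-ip 10.1.1.50
    next
end
"""

# FortiOS 'set dhgrp N' (IANA group ids) -> strongSwan proposal group names
DH_GROUPS = {"2": "modp1024", "5": "modp1536", "14": "modp2048",
             "15": "modp3072", "16": "modp4096", "19": "ecp256", "20": "ecp384"}


def parse_strongswan(text):
    """Return {conn: {key: value}} with the 'conn %default' options merged in."""
    conns, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    default = conns.pop("%default", {})
    return {name: {**default, **opts} for name, opts in conns.items()}


def parse_fortios(text):
    """Return {section: {entry: {key: value}}} for config/edit/set/next/end blocks."""
    sections, section, entry = {}, None, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("config "):
            section = line[7:]
            sections.setdefault(section, {})
        elif line.startswith("edit ") and section:
            entry = line[5:].strip('"')
            sections[section][entry] = {}
        elif line.startswith("set ") and entry:
            key, _, value = line[4:].partition(" ")
            sections[section][entry][key] = value.strip('"')
        elif line == "next":
            entry = None
        elif line == "end":
            section = None
    return sections


def check(conn, p1, p2):
    """Return (code, message) findings for a reviewer; an empty list means no mismatch found."""
    findings = []
    # keyexchange=ike (either version) is treated as IKEv1 here for simplicity
    ss_ver = "2" if conn.get("keyexchange") == "ikev2" else "1"
    fgt_ver = p1.get("ike-version", "1")
    if ss_ver != fgt_ver:
        findings.append(("IKE_VERSION", f"strongSwan IKEv{ss_ver} vs FortiGate IKEv{fgt_ver}"))
    # FortiOS keeps enc/integ and DH group apart; strongSwan writes enc-integ-group
    fgt_ike = {f"{prop}-{DH_GROUPS.get(dh, 'dh' + dh)}"
               for prop in p1.get("proposal", "").split()
               for dh in p1.get("dhgrp", "").split()}
    ss_ike = set(conn.get("ike", "").split(","))
    if not fgt_ike & ss_ike:
        findings.append(("IKE_PROPOSAL", f"no common IKE proposal: {sorted(ss_ike)} vs {sorted(fgt_ike)}"))
    if "esp" not in conn:
        findings.append(("ESP_DEFAULT", "strongSwan has no esp= line, so its built-in default applies; "
                         f"set esp={p2.get('proposal')} explicitly to mirror the FortiGate phase 2"))
    # Traffic selectors: the spoke's local subnet must not sit inside the hub's local subnet
    ss_local = ipaddress.ip_network(conn["leftsubnet"])
    fgt_local = ipaddress.ip_network(p2["src-subnet"].replace(" ", "/"))
    if fgt_local.overlaps(ss_local):
        findings.append(("SELECTOR_OVERLAP", f"FortiGate local selector {fgt_local} overlaps strongSwan leftsubnet {ss_local}"))
    if ipaddress.ip_address(p2["dst-start-ip"]) not in ss_local:
        findings.append(("REMOTE_SELECTOR", f"FortiGate remote selector {p2['dst-start-ip']} is outside {ss_local}"))
    if "rightsourceip" in conn and p1.get("mode-cfg") != "enable":
        findings.append(("VIRTUAL_IP", "strongSwan offers a virtual IP pool (rightsourceip) but the FortiGate "
                         "phase 1 has no 'set mode-cfg enable' to request one (setting assumed from FortiOS docs)"))
    return findings


def run():
    conn = parse_strongswan(STRONGSWAN_CONF)["dialup"]
    fgt = parse_fortios(FGT_CONF)
    return check(conn, fgt["vpn ipsec phase1-interface"]["dialup-vpn01"],
                 fgt["vpn ipsec phase2-interface"]["dialup-vpn01"])


if __name__ == "__main__":
    for code, msg in run():
        print(f"[{code}] {msg}")
```

On the posted configs the IKE version and IKE proposal (aes128-sha1 with group 14 = modp2048) line up, so the script only reports the items left to review: the missing `esp=` line on the hub, the spoke's 10.1.0.0/24 local selector sitting inside the hub's 10.1.0.0/16, and a virtual IP pool with no matching request on the FortiGate side. Swap in your own config text for the two constants to run it against a real pair.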

ede_pfau
SuperUser

@Ken:

You are right, I mixed the type of VPN up because it is named 'dialup' but the type is not. Then of course you can use the static public IPs to authenticate.


Ede


"Kernel panic: Aiee, killing interrupt handler!"