OpenVPN and Fortigate SSL?
Has anyone connected an OpenVPN client PC to a Fortigate SSL VPN?
I'm trying to connect a Linux server (no GUI) to our network via the Fortigate (200B) SSL VPN. Any example configs would be appreciated.
Or, should I rather use IPSec?
Best
Nik
They are not compatible. If you have a client PC that needs VPN access, use an IPsec client or an SSL client (FortiClient).
PCNSE
NSE
StrongSwan
Thanks emnoc. The problem is that I do not run a GUI at all on the client. Do you know if IPsec (command line) would work? I have created an IPsec VPN and connected successfully with my Mac and Windows PC via their built-in IPsec clients (not Fortigate software), so I assume IPsec via command line would work on Linux?
-Nik
I've used the Cisco vpnclient and strongSwan from the CLI. Either one of these should be good for IPsec.
Fortigate has FortiClient for macOS or Linux (iirc). Maybe you can get these working from a CLI also.
PCNSE
NSE
StrongSwan
That's the direction I'm looking at now. I've also come across something called OpenConnect VPN, which is supposed to connect to SSL VPNs on Cisco devices. Have you looked at that setup too?
OpenConnect: yes, it works, but the Cisco client is much better in my opinion. It's beta, so use at your own risk.
PCNSE
NSE
StrongSwan
I don't have a Cisco TAC account so I can't download the Cisco client. I'm attempting to use vpnc on Ubuntu. So far it's not working; I get a "no response from target". Looking at the logs on the FG, it is saying:
ike 0: IKEv1 Aggressive, comes 23.2.143.80:54981->207.69.179.34 14, peer-id=L2TPClients .
ike 0: no IKEv1 phase1 configuration matching 23.2.143.80:54981->207.69.179.34 14
ike shrank heap by 118784 bytes
ike shrank heap by 8192 bytes
------------------
Looks like I need the handshake parameters for IKE. Do you have an example config I can have a look at?
Thanks
Nick
Basically, for vpnc it's very simple. You will need to modify your vpnc.conf file and place the group and xauth information in it.
Now, with that said, I never used it against a Fortigate, but the setup should be the same. I would be unsure of what to apply for the group setting, but I'm sure it would be the remote-peer identity. You will have to play around with it.
I'm doing some FGT-3040 installs next week, so maybe I might give it a try and see what happens on one of my VMs.
Here's my vpnc.conf that I use to an ASA.
#
IKE Authmode hybrid
IKE DH group dh2
IPSec gateway vpn01.xxxx.net
IPSec ID RAWARRIOR
IPSec secret Ims0s3cur3d
IPSec target network 10.20.87.0/255.255.255.0
IKE Authmode PSK
Xauth username neteng-admin
Xauth password Temporary
#
Note: Linux OS = Debian Lenny with bigmem kernel support, but I don't think I had to do anything special within the kernel or recompile anything.
You might be better off using the Shrew client or the real Cisco IPsec client to test ALL parameters and then craft the same for the vpnc settings on your Linux OS. This way you can conduct better diagnostics and get better debug information, and less beating your head into the wall.
I did this when working on how to use my Cisco IPsec client against a Fortigate and yes, I got it to work :)
Same as with the vpnclient or vpnc, you can import a .pcf file for Cisco into your env and conduct it all on the CLI with no interaction. I did this when crafting some linux-fw-gateway devices, in the same fashion as what the Cisco EzVPN does for client xauth access.
I don't think Fortinet has ever come up with something similar (a PCF file) that would allow you to hand over all of the vpn-gw information and just have one pre-configuration file to ease remote-access VPNs.
I think you will have to do some experimentation, no matter what path you go. But I pretty much tried all of the above with 3DES/AES128, your choice of Diffie-Hellman group 2, and with PSK or hybrid (PSK + xauth).
I never tried any of the above with PFS enabled, btw. Like I suggested above, you have to play around with it. On my ASAs it was quite simple to craft a tunnel-group for iPhone/Androids and then one for other users and get it all working with few problems. Only my Androids had problems, and mainly with the sslvpn and OpenVPN connections.
PCNSE
NSE
StrongSwan
Thanks emnoc, but this config gives the exact same results as before: "no IKEv1 phase1 configuration matching..."
I'll try a couple more things.
N
So how are your IKE P1 proposals set on the VPN gateway? If the key doesn't match you will get that same error.
What you might want to do is try --natt-mode force-natt if you think it's NAT-T related:
vpnc --debug 100 --natt-mode natt (or force-natt)
Since you're doing this from a command line, tcpdump your connection to that gateway and look for any responses, and the same on the Fortigate. Make sure IKE is getting through and that you see traffic before the ESP protocol.
Like I said, vpnc was hit or miss with working. I always use the Shrew Soft client first to weed out any configuration parameters and then tackle it with the CLI binaries.
I do agree that Fortigate should rethink their position in the Linux market and produce something simple and quick for CLI or crontab scripts with auto connections for either SSL or IPsec VPNs.
PCNSE
NSE
StrongSwan
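An added example, not code from the thread, from vpnc or from Fortinet: a small Python checker that reads a vpnc.conf laid out like the one emnoc posted and correlates it with the FortiGate "ike" lines Nick quoted, flagging a setting given twice and comparing the peer ID the gateway logged against the client's "IPSec ID". The gateway name, credentials and config values are constructed placeholders, and it is an assumption that the peer-id the FortiGate logs is the value vpnc sends as its "IPSec ID".

```python
import re

# Constructed sample: the FortiGate "ike" lines quoted in the thread, plus
# one unrelated line, so the parser has something to skip.
FG_LOG = """\
ike 0: IKEv1 Aggressive, comes 23.2.143.80:54981->207.69.179.34 14, peer-id=L2TPClients .
ike 0: no IKEv1 phase1 configuration matching 23.2.143.80:54981->207.69.179.34 14
ike shrank heap by 118784 bytes
"""

# Constructed vpnc.conf in the same "Key words value" layout as the posted one.
# The repeated "IKE Authmode" mirrors the posted file; all values are placeholders.
VPNC_CONF = """\
IKE Authmode hybrid
IKE DH group dh2
IPSec gateway vpn-gw.example.net
IPSec ID L2TPClients
IPSec secret PLACEHOLDER
IKE Authmode PSK
Xauth username nik
"""

ATTEMPT_RE = re.compile(r"^ike \d+: IKEv1 (?P<mode>\w+), comes (?P<src>[\d.]+):\d+->(?P<dst>[\d.]+)"
                        r".*?peer-id=(?P<peer>\S+)")
NOMATCH_RE = re.compile(r"^ike \d+: no IKEv1 phase1 configuration matching "
                        r"(?P<src>[\d.]+):\d+->(?P<dst>[\d.]+)")

def parse_vpnc_conf(text):
    """vpnc.conf lines are 'Key words value'; the value is the last token.
    Returns (settings, keys that appeared more than once)."""
    conf, dupes = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.rpartition(" ")
        if key in conf:
            dupes.append(key)
        conf[key] = value  # keep the last one here; the duplicate is reported below
    return conf, dupes

def diagnose(conf, dupes, log):
    """Correlate the gateway's ike log with the client config. Returns findings."""
    findings = [f"duplicate setting in vpnc.conf: {k}" for k in dupes]
    attempts = {}  # (src, dst) -> (exchange mode, peer-id the client sent)
    for line in log.splitlines():
        if m := ATTEMPT_RE.match(line):
            attempts[(m["src"], m["dst"])] = (m["mode"], m["peer"])
        elif m := NOMATCH_RE.match(line):
            mode, peer = attempts.get((m["src"], m["dst"]), ("?", "?"))
            findings.append(f"phase1 rejected for {m['src']}: {mode} mode, peer-id={peer}")
            if peer != conf.get("IPSec ID"):
                findings.append(f"client sent peer-id {peer!r} but vpnc 'IPSec ID' is {conf.get('IPSec ID')!r}")
            else:
                findings.append("peer-id matches 'IPSec ID': check the FortiGate phase1 "
                                "(aggressive mode, DH group, authmode, PSK) for that peer ID")
    return findings

if __name__ == "__main__":
    for f in diagnose(*parse_vpnc_conf(VPNC_CONF), FG_LOG):
        print(f)
```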
