Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- OpenVPN and Fortigate SSL?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OpenVPN and Fortigate SSL?
Has anyone connected an OpenVPN client PC to a Fortigate SSL VPN?
I' m trying to connect a linux server (no GUI) to our network via the Fortigate (200B) SSL VPN. Any example configs would be appreciated.
Or, should I rather use IPSec?
Best
Nik
9 REPLIES 9
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
they are not compatible. If you have a client pc that needs vpn access, use a ipsec client or a sslclient ( forticlient ) .
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks emnoc. The problem is that I do not run a GUI at all on the client. Do you know if IPSec (command line) would work? I have created an IPSec VPN and connected successfully with my Mac and Windows PC via their built in IPSec clients (not fortigate software) so I assume IPSec via command line would work on Linux?
-Nik
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I' ve used the cisco vpnclient and strongswan from cli. Either one of these should be good for ipsec.
Fortigate has forticlient for macosx or linux ( iirc ). Maybe you can getting these working from a cli also.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That' s the direction I' m looking at now. I' ve also come across something called OpenConnect VPN which is supposed to connect to SSL VPN' s on Cisco devices. Have you looked at that setup too?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OpenConnectYes, it works but the cisco client is way much better in my opinion. It' s beta and use at your risk.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don' t have a cisco TAC account so I can' t download the cisco client. I' m attempting to use vpnc on ubuntu. So far it' s not working, I get a " no response from target. Looking at the logs on the FG it is saying;
ike 0: IKEv1 Aggressive, comes 23.2.143.80:54981->207.69.179.34 14, peer-id=L2TPClients .
ike 0: no IKEv1 phase1 configuration matching 23.2.143.80:54981->207.69.179.34 14
ike shrank heap by 118784 bytes
ike shrank heap by 8192 bytes
------------------
Looks like I need the handshaking parameters for IKE. Do you have an example config I can have a look at?
Thanks
Nick
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Basically for vpnc, it' s very simple. You will need to modify your vpnc.conf file and place the group, xauth information.
Now what that said, I never used it against a fortigate, but the setup should be the same. I would be suspected of what to apply for the group setting but I' m sure it would be remote-peer identify. You will have to play around with it.
I' m doing some FGT-3040 install next week, so maybe I might give it a try and see what happens on one of my VMs.
Here' s my vpnc.conf that I use to a ASA.
#
IKE Authmode hybrid
IKE DH group dh2
IPSec gateway vpn01.xxxx.net
IPSec ID RAWARRIOR
IPSec secret Ims0s3cur3d
IPSec target network 10.20.87.0/255.255.255.0
IKE Authmode PSK
Xauth username neteng-admin
Xauth password Temporary
#
note: LinuxOS = Debian Lenny with bigmem kernel support but I don' t think I had to do anything special within the kernel or recompile anything.
You might be better off using the shrewclient or the real cisco IPSCE client to test ALL parameters and then craft the same for vpnc setting on your LinuxOS. This way you can conduct better diagnostics and get better debug information, and less beating your head into the wall.
I did this when working on how to use my cisco IPSEC client against a fortigate and yes, I got it to worked :)
Same as with the vpnclient or vpnc, you can import a .pcf file extension for cisco into your env and conduct all on the CLI with no interaction. I did this when crafting some linux-fw-gateway devices and in the same fashion of what the cisco EzVPN does for client xauth access.
I don' t think Fortinet has ever came up with something similar ( a PCF file ) that would allow you to hand over all of the vpn-gw information, and just have one pre-configuration file to ease remote-access VPNs.
I think you will have to do some experimentation, no matter what path you go. But I pretty much try all of the above with 3des/AES128 and your choice of diffiehellman group 2 and with PSK or hybrid ( PSK +xauth ).
I never tried any of the above with pfs enabled btw. Like I suggested above, you have to play around with it. On my ASAs it was quite simple to craft a tunnel-group for iPhone/Androids and then one for other users and get it all working with little problems. Only my androids had problems and mainly withe sslvpn and OpenVPN connections.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks emnoc, but this config gives the exact same results as before " no IKEv1 phase1 configuration matching..."
I' ll try a couple more things.
N
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So how is your ike p1 proposals set on the vpn-gateway? If the key doesn' t match you will get that same error.
What you might want to do is try the -natt-mode force-natt if you think it' s NAT-T related.
vpnc --debug 100 --natt-mode natt or force-natt
Since your doing this from a command line, tcpdump your connection that gateway and look for any responses and the same for the fortigate. Make sure ike is getting thru and that you see trafic before the ESP proto.
Like I said, vpnc was hit or miss with working. I always use the shrewsoft client 1st to weed out any configuration parameters and then tackle it with the cli binaries.
I do agreed that fortigate should rethink their positions in the linux market and produce something simple and quick for CLI or crontab scripts with auto connections either ssl or ipsec VPNs.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Labels
-
FortiGate
10,515 -
FortiClient
2,136 -
FortiManager
886 -
5.2
687 -
FortiAnalyzer
674 -
5.4
638 -
FortiSwitch
579 -
FortiAP
558 -
FortiClient EMS
551 -
6.0
416 -
IPsec
411 -
SSL-VPN
373 -
FortiMail
371 -
5.6
362 -
FortiNAC
277 -
FortiWeb
252 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
191 -
FortiAuthenticator
168 -
FortiGuard
159 -
5.0
152 -
Firewall policy
142 -
6.4
128 -
FortiGate-VM
126 -
FortiCloud Products
116 -
FortiGateCloud
112 -
FortiSIEM
111 -
FortiToken
110 -
Wireless Controller
95 -
Customer Service
88 -
High Availability
83 -
FortiProxy
77 -
ZTNA
75 -
Routing
73 -
DNS
71 -
SAML
70 -
VLAN
70 -
Fortivoice
69 -
FortiEDR
68 -
FortiADC
67 -
BGP
67 -
Authentication
66 -
Certificate
64 -
RADIUS
59 -
LDAP
58 -
SSO
54 -
FortiSandbox
53 -
fortilink
53 -
NAT
52 -
FortiExtender
51 -
4.0MR3
49 -
VDOM
44 -
Application control
44 -
FortiDNS
43 -
Interface
43 -
Logging
40 -
Virtual IP
39 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
35 -
SSL SSH inspection
35 -
Web profile
35 -
FortiConnect
34 -
Automation
32 -
FortiWAN
31 -
FortiConverter
30 -
FortiGate v5.2
27 -
SNMP
25 -
SSID
25 -
Static route
25 -
Traffic shaping
24 -
API
24 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
FortiGate Cloud
23 -
System settings
22 -
OSPF
20 -
WAN optimization
20 -
FortiMonitor
19 -
Security profile
19 -
Web application firewall profile
18 -
IP address management - IPAM
18 -
FortiSoar
17 -
Web rating
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
FortiAP profile
16 -
Explicit proxy
15 -
Admin
15 -
Proxy policy
15 -
FortiCASB
14 -
IPS signature
14 -
Intrusion prevention
14 -
FortiManager v4.0
13 -
DNS filter
13 -
FortiManager v5.0
12 -
NAC policy
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
Port policy
12 -
FortiRecorder
11 -
Users
11 -
FortiDeceptor
10 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
FortiBridge
10 -
Trunk
10 -
Traffic shaping profile
10 -
Authentication rule and scheme
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
Application signature
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiCarrier
5 -
FortiNDR
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiInsight
2 -
FortiAI
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
lacework
2 -
FortiEdge Cloud
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2551 | |
| 1356 | |
| 795 | |
| 646 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.