Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevice
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiTester
- FortiSwitch
- FortiToken
- FortiVoice
- FortiWAN
- FortiAppSec Cloud
- FortiWeb
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- OpenVPN and Fortigate SSL?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OpenVPN and Fortigate SSL?
Has anyone connected an OpenVPN client PC to a Fortigate SSL VPN?
I' m trying to connect a linux server (no GUI) to our network via the Fortigate (200B) SSL VPN. Any example configs would be appreciated.
Or, should I rather use IPSec?
Best
Nik
9 REPLIES 9
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
they are not compatible. If you have a client pc that needs vpn access, use a ipsec client or a sslclient ( forticlient ) .
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks emnoc. The problem is that I do not run a GUI at all on the client. Do you know if IPSec (command line) would work? I have created an IPSec VPN and connected successfully with my Mac and Windows PC via their built in IPSec clients (not fortigate software) so I assume IPSec via command line would work on Linux?
-Nik
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I' ve used the cisco vpnclient and strongswan from cli. Either one of these should be good for ipsec.
Fortigate has forticlient for macosx or linux ( iirc ). Maybe you can getting these working from a cli also.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That' s the direction I' m looking at now. I' ve also come across something called OpenConnect VPN which is supposed to connect to SSL VPN' s on Cisco devices. Have you looked at that setup too?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OpenConnectYes, it works but the cisco client is way much better in my opinion. It' s beta and use at your risk.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don' t have a cisco TAC account so I can' t download the cisco client. I' m attempting to use vpnc on ubuntu. So far it' s not working, I get a " no response from target. Looking at the logs on the FG it is saying;
ike 0: IKEv1 Aggressive, comes 23.2.143.80:54981->207.69.179.34 14, peer-id=L2TPClients .
ike 0: no IKEv1 phase1 configuration matching 23.2.143.80:54981->207.69.179.34 14
ike shrank heap by 118784 bytes
ike shrank heap by 8192 bytes
------------------
Looks like I need the handshaking parameters for IKE. Do you have an example config I can have a look at?
Thanks
Nick
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Basically for vpnc, it' s very simple. You will need to modify your vpnc.conf file and place the group, xauth information.
Now what that said, I never used it against a fortigate, but the setup should be the same. I would be suspected of what to apply for the group setting but I' m sure it would be remote-peer identify. You will have to play around with it.
I' m doing some FGT-3040 install next week, so maybe I might give it a try and see what happens on one of my VMs.
Here' s my vpnc.conf that I use to a ASA.
#
IKE Authmode hybrid
IKE DH group dh2
IPSec gateway vpn01.xxxx.net
IPSec ID RAWARRIOR
IPSec secret Ims0s3cur3d
IPSec target network 10.20.87.0/255.255.255.0
IKE Authmode PSK
Xauth username neteng-admin
Xauth password Temporary
#
note: LinuxOS = Debian Lenny with bigmem kernel support but I don' t think I had to do anything special within the kernel or recompile anything.
You might be better off using the shrewclient or the real cisco IPSCE client to test ALL parameters and then craft the same for vpnc setting on your LinuxOS. This way you can conduct better diagnostics and get better debug information, and less beating your head into the wall.
I did this when working on how to use my cisco IPSEC client against a fortigate and yes, I got it to worked :)
Same as with the vpnclient or vpnc, you can import a .pcf file extension for cisco into your env and conduct all on the CLI with no interaction. I did this when crafting some linux-fw-gateway devices and in the same fashion of what the cisco EzVPN does for client xauth access.
I don' t think Fortinet has ever came up with something similar ( a PCF file ) that would allow you to hand over all of the vpn-gw information, and just have one pre-configuration file to ease remote-access VPNs.
I think you will have to do some experimentation, no matter what path you go. But I pretty much try all of the above with 3des/AES128 and your choice of diffiehellman group 2 and with PSK or hybrid ( PSK +xauth ).
I never tried any of the above with pfs enabled btw. Like I suggested above, you have to play around with it. On my ASAs it was quite simple to craft a tunnel-group for iPhone/Androids and then one for other users and get it all working with little problems. Only my androids had problems and mainly withe sslvpn and OpenVPN connections.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks emnoc, but this config gives the exact same results as before " no IKEv1 phase1 configuration matching..."
I' ll try a couple more things.
N
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So how is your ike p1 proposals set on the vpn-gateway? If the key doesn' t match you will get that same error.
What you might want to do is try the -natt-mode force-natt if you think it' s NAT-T related.
vpnc --debug 100 --natt-mode natt or force-natt
Since your doing this from a command line, tcpdump your connection that gateway and look for any responses and the same for the fortigate. Make sure ike is getting thru and that you see trafic before the ESP proto.
Like I said, vpnc was hit or miss with working. I always use the shrewsoft client 1st to weed out any configuration parameters and then tackle it with the cli binaries.
I do agreed that fortigate should rethink their positions in the linux market and produce something simple and quick for CLI or crontab scripts with auto connections either ssl or ipsec VPNs.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Labels
-
FortiGate
10,637 -
FortiClient
2,166 -
FortiManager
892 -
5.2
687 -
FortiAnalyzer
682 -
5.4
638 -
FortiSwitch
588 -
FortiClient EMS
565 -
FortiAP
562 -
IPsec
422 -
6.0
416 -
SSL-VPN
384 -
FortiMail
372 -
5.6
362 -
FortiNAC
287 -
FortiWeb
252 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
197 -
FortiAuthenticator
178 -
FortiGuard
160 -
5.0
152 -
Firewall policy
145 -
FortiGate-VM
134 -
6.4
128 -
FortiCloud Products
116 -
FortiSIEM
113 -
FortiToken
113 -
FortiGateCloud
112 -
Wireless Controller
95 -
Customer Service
88 -
High Availability
86 -
FortiProxy
78 -
ZTNA
76 -
Routing
75 -
Fortivoice
73 -
SAML
73 -
DNS
71 -
VLAN
71 -
BGP
70 -
FortiEDR
69 -
FortiADC
68 -
Authentication
68 -
Certificate
66 -
RADIUS
61 -
LDAP
60 -
FortiLink
56 -
SSO
54 -
NAT
54 -
FortiSandbox
53 -
FortiExtender
52 -
4.0MR3
49 -
vdom
47 -
Interface
46 -
Application control
46 -
FortiDNS
43 -
Logging
41 -
Virtual IP
41 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
37 -
SSL SSH inspection
36 -
FortiConnect
35 -
Web profile
35 -
Automation
33 -
FortiWAN
31 -
FortiConverter
30 -
FortiGate v5.2
27 -
Traffic shaping
26 -
API
26 -
Static route
26 -
SNMP
25 -
SSID
25 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
FortiGate Cloud
23 -
System settings
22 -
WAN optimization
21 -
FortiMonitor
20 -
OSPF
20 -
Security profile
19 -
Web rating
19 -
FortiSoar
18 -
Web application firewall profile
18 -
IP address management - IPAM
18 -
FortiGate v5.0
16 -
FortiDDoS
16 -
Explicit proxy
16 -
FortiAP profile
16 -
Admin
15 -
IPS signature
15 -
Proxy policy
15 -
Intrusion prevention
15 -
FortiCASB
14 -
NAC policy
14 -
FortiManager v4.0
13 -
DNS filter
13 -
FortiManager v5.0
12 -
FortiDeceptor
12 -
users
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
Port policy
12 -
FortiBridge
11 -
FortiRecorder
11 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
Trunk
10 -
Traffic shaping profile
10 -
Authentication rule and scheme
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
Application signature
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiCarrier
5 -
FortiNDR
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
TACACS
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiAI
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiEdge Cloud
3 -
FortiInsight
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
Lacework
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2609 | |
| 1390 | |
| 804 | |
| 664 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.