Hello, I couldn't find any examples for Debian Linux strongSwan using swanctl.conf on the forums; the only examples I've found are for ipsec.conf.
Here is what I know we are using:
1. FortiClient VPN -> IPsec VPN
2. Pre-Shared Key
3. XAuth
Here is my non-working strongswan swanctl.conf:
    connections {
        thecompanyvpn {
            remote_addrs = sa.company.com
            version = 1
            aggressive = yes
            proposals = aes256-sha256-modp1536
            local {
                auth = psk
                id = "Tunnel-A"
            }
            remote {
                auth = psk
            }
            local-xauth {
                auth = xauth
                eap_id = worker1
            }
            children {
                child_1 {
                    start_action = start
                    esp_proposals = aes256-sha256-modp1536
                }
            }
        }
    }
    secrets {
        ike-company {
            secret = "our preshared key"
        }
        eap-employee {
            id = worker1
            secret = "my secret password"
        }
    }
These are the logs:
Oct 08 21:22:04 nova charon-systemd[116776]: parsed TRANSACTION request 853593004 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
Oct 08 21:22:04 nova charon-systemd[116776]: no XAuth password found for 'Tunnel-A' - '12.27.149.2'
Oct 08 21:22:04 nova charon-systemd[116776]: generating TRANSACTION response 853593004 [ HASH CP ]
Oct 08 21:22:04 nova charon-systemd[116776]: sending packet: from 192.168.5.110[4500] to 12.27.149.2[4500] (76 bytes)
Oct 08 21:22:24 nova charon-systemd[116776]: sending keep alive to 15.27.149.2[4500]
Oct 08 21:22:34 nova charon-systemd[116776]: peer did not initiate expected exchange, reestablishing IKE_SA
Oct 08 21:22:34 nova charon-systemd[116776]: reinitiating IKE_SA thecompanyvpn[1]
Oct 08 21:22:34 nova charon-systemd[116776]: initiating Aggressive Mode IKE_SA thecompanyvpn[1] to 15.27.149.2
Oct 08 21:22:34 nova charon-systemd[116776]: generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
Oct 08 21:22:34 nova charon-systemd[116776]: sending packet: from 192.168.5.110[4500] to 15.27.149.2[4500] (428 bytes)
I would really appreciate some help fixing my configuration so that I can connect to the VPN. Thanks to anyone reading out there!
Hi refrainblue,
Thanks for using our forum! We'll try to get you an answer as soon as we can.
If anybody seeing this has any ideas, feel free to contribute!
Hi refrainblue,
We're still trying to get you an answer or help. We'll respond to your post as soon as we have one.
Thanks,
It seems like XAuth is not working in your case.
The error message states that no XAuth password was found for Tunnel-A: "no XAuth password found for 'Tunnel-A' - '12.27.149.2'"
This means that the XAuth secret is not defined. You have to define the XAuth secret in order for that step to complete.
In this case it seems like you have mixed XAuth with EAP.
I would suggest you try the config below:
    connections {
        thecompanyvpn {
            remote_addrs = sa.company.com
            version = 1
            aggressive = yes
            proposals = aes128-sha1-modp1536, aes256-sha256-modp1536
            local {
                auth = psk
                id = "Tunnel-A"
            }
            remote {
                auth = psk
            }
            children {
                child_1 {
                    start_action = start
                    esp_proposals = aes128-sha1, aes256-sha256
                }
            }
        }
    }
    secrets {
        ike-company {
            secret = "our preshared key"
        }
        xauth-worker1 {
            # This 'id' must match the username sent by FortiClient ('worker1' in your old config)
            id = worker1
            secret = "my secret password"
        }
    }
The 'local-xauth' block is NOT needed for XAuth to work, because strongSwan will automatically handle the XAuth request once the IKE SA is up.
Also, DH group 5 (PFS) in the child section is removed because it is handled implicitly for IKEv1.
Try this, or at least change the secrets section from eap to xauth for this to work.
To help others with the same issue, please mark this as the solution if it was helpful.
Regards
Created on 10-18-2025 10:28 AM Edited on 10-18-2025 11:08 AM
Hello,
I tried using your suggested configuration, but I still could not connect to servers within the VPN network. Additionally, I did not get the Duo Mobile MFA notification either. If there is any further information I could provide, please let me know.
Here are the logs from trying:
sudo swanctl --initiate --child child_1
[IKE] initiating Aggressive Mode IKE_SA thecompanyvpn[902] to 12.34.56.7
[ENC] generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
[NET] sending packet: from 192.168.0.110[500] to 12.34.56.7[500] (464 bytes)
[NET] received packet: from 12.34.56.7[500] to 192.168.0.110[500] (536 bytes)
[ENC] parsed AGGRESSIVE response 0 [ SA KE No ID HASH V NAT-D NAT-D V V V V V ]
[IKE] received NAT-T (RFC 3947) vendor ID
[IKE] received DPD vendor ID
[IKE] received XAuth vendor ID
[ENC] received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00
[IKE] received FRAGMENTATION vendor ID
[IKE] received FRAGMENTATION vendor ID
[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
[IKE] local host is behind NAT, sending keep alives
[IKE] IKE_SA lambsivy[902] established between 192.168.0.110[Tunnel-A]...12.34.56.7[12.34.56.7]
[IKE] scheduling rekeying in 13068s
[IKE] maximum IKE_SA lifetime 14508s
[ENC] generating AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
[NET] sending packet: from 192.168.0.110[4500] to 12.34.56.7[4500] (140 bytes)
[ENC] generating QUICK_MODE request 848870923 [ HASH SA No ID ID ]
[NET] sending packet: from 192.168.0.110[4500] to 12.34.56.7[4500] (220 bytes)
[IKE] sending retransmit 1 of request message ID 848870923, seq 3
[NET] sending packet: from 192.168.0.110[4500] to 12.34.56.7[4500] (220 bytes)
[IKE] sending retransmit 2 of request message ID 848870923, seq 3
[NET] sending packet: from 192.168.0.110[4500] to 12.34.56.7[4500] (220 bytes)
[IKE] sending retransmit 3 of request message ID 848870923, seq 3
[NET] sending packet: from 192.168.0.110[4500] to 12.34.56.7[4500] (220 bytes)
[IKE] sending keep alive to 12.34.56.7[4500]
[IKE] sending retransmit 4 of request message ID 848870923, seq 3
[NET] sending packet: from 192.168.0.110[4500] to 12.34.56.7[4500] (220 bytes)
[IKE] sending keep alive to 12.34.56.7[4500]
[IKE] sending keep alive to 12.34.56.7[4500]
[IKE] sending retransmit 5 of request message ID 848870923, seq 3
[NET] sending packet: from 192.168.0.110[4500] to 12.34.56.7[4500] (220 bytes)
[IKE] sending keep alive to 12.34.56.7[4500]
[IKE] sending keep alive to 12.34.56.7[4500]
[IKE] sending keep alive to 12.34.56.7[4500]
sudo swanctl --list-conn
thecompanyvpn: IKEv1, reauthentication every 14400s
local: %any
remote: sa.company.com
local pre-shared key authentication:
id: Tunnel-A
remote pre-shared key authentication:
child_1: TUNNEL, rekeying every 3600s
local: dynamic
remote: dynamic
ii libstrongswan 6.0.2-1 amd64 strongSwan utility and crypto library
ii libstrongswan-extra-plugins 6.0.2-1 amd64 strongSwan utility and crypto library (extra plugins)
ii libstrongswan-standard-plugins 6.0.2-1 amd64 strongSwan utility and crypto library (standard plugins)
ii strongswan 6.0.2-1 all IPsec VPN solution metapackage
ii strongswan-libcharon 6.0.2-1 amd64 strongSwan charon library
ii strongswan-pki 6.0.2-1 amd64 strongSwan IPsec client, pki command
ii strongswan-swanctl 6.0.2-1 amd64 strongSwan IPsec client, swanctl command
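Editor's note with an added example; this is not code from any post in the thread and not strongSwan's own code. The first post's log line names the XAuth username charon tried: `no XAuth password found for 'Tunnel-A' - '12.27.149.2'` is charon's xauth-generic message with the XAuth user first and the server identity second. 'Tunnel-A' is the IKE identity, which charon falls back to when the `auth = xauth` local round has no `xauth_id`; an `eap_id` in that round does not set the XAuth username. A secret of either type `eap-` or `xauth-` is accepted (charon stores both as the same secret type), so the original secrets section would have matched once the username was `worker1`. The second log, taken after the XAuth round was dropped entirely, shows the IKE_SA established and Quick Mode going unanswered, which is consistent with the gateway still waiting for XAuth. The script below reproduces that lookup offline for a swanctl.conf: the parser is a minimal hypothetical one covering only the subset of syntax used in this thread, `BROKEN` is the first post's config reduced to the relevant lines, and `FIXED` is the same config with `eap_id` replaced by `xauth_id`. A caveat to keep in mind: IKEv1 aggressive mode with a PSK sends the identity in the clear and exposes a PSK-derived hash to offline guessing, so prefer main mode or IKEv2 where the gateway allows it.

```python
"""Reproduce charon's XAuth credential lookup for a swanctl.conf (added example)."""
import re
from typing import Dict, Optional, Tuple

# charon (xauth-generic) logs this when it has no password for the XAuth
# username it is about to send: first id = user, second id = server.
XAUTH_NOT_FOUND = re.compile(r"no XAuth password found for '([^']*)' - '([^']*)'")


def parse_xauth_failure(log_line: str) -> Optional[Tuple[str, str]]:
    """Return (xauth_user, server_id) from the charon log line, else None."""
    m = XAUTH_NOT_FOUND.search(log_line)
    return (m.group(1), m.group(2)) if m else None


def parse_swanctl_conf(text: str) -> dict:
    """Minimal parser (hypothetical, for this example): nested `name { ... }`
    sections and `key = value` lines, one token per line, `#` comments."""
    root: dict = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            section: dict = {}
            stack[-1][line[:-1].strip()] = section
            stack.append(section)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            stack[-1][key] = value.strip('"')
        else:
            raise ValueError(f"unparsable line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unterminated section")
    return root


def xauth_identity(conn: dict) -> Optional[str]:
    """XAuth username charon uses for one connection: `xauth_id` of the local
    round with `auth = xauth`; if unset, the IKE identity of the first local
    round (an `eap_id` does not count). None if there is no XAuth round."""
    rounds = [v for k, v in conn.items() if k == "local" or k.startswith("local-")]
    xauth_round = next((r for r in rounds if r.get("auth") == "xauth"), None)
    if xauth_round is None:
        return None
    return xauth_round.get("xauth_id") or rounds[0].get("id", "%any")


def find_xauth_secret(secrets: dict, identity: str) -> Optional[str]:
    """Name of an `eap-*` or `xauth-*` secret whose id matches, else None."""
    for name, sec in secrets.items():
        if name.split("-", 1)[0] in ("eap", "xauth") and sec.get("id") == identity:
            return name
    return None


def diagnose(config_text: str) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Map each connection to (xauth_username, matching_secret_name)."""
    cfg = parse_swanctl_conf(config_text)
    result = {}
    for name, conn in cfg.get("connections", {}).items():
        ident = xauth_identity(conn)
        secret = find_xauth_secret(cfg.get("secrets", {}), ident) if ident else None
        result[name] = (ident, secret)
    return result


# The first post's config, reduced to the lines that matter for the lookup.
BROKEN = """
connections {
  thecompanyvpn {
    version = 1
    aggressive = yes
    local {
      auth = psk
      id = "Tunnel-A"
    }
    remote {
      auth = psk
    }
    local-xauth {
      auth = xauth
      eap_id = worker1   # sets the EAP identity, not the XAuth username
    }
  }
}
secrets {
  ike-company {
    secret = "our preshared key"
  }
  eap-employee {
    id = worker1
    secret = "my secret password"
  }
}
"""

# Constructed variant: the one-key change that makes the lookup succeed.
FIXED = BROKEN.replace("eap_id = worker1", "xauth_id = worker1")

if __name__ == "__main__":
    print(parse_xauth_failure("charon-systemd[1]: no XAuth password found for 'Tunnel-A' - '12.27.149.2'"))
    print(diagnose(BROKEN))  # {'thecompanyvpn': ('Tunnel-A', None)}
    print(diagnose(FIXED))   # {'thecompanyvpn': ('worker1', 'eap-employee')}
```

After changing the key, reload with `swanctl --load-all` and watch `swanctl --log` while initiating: the TRANSACTION exchange with `CPRQ(X_TYPE X_USER X_PWD)` should now be answered with the user's credentials instead of the 'no XAuth password found' line.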
Copyright 2025 Fortinet, Inc. All Rights Reserved.