FortiWiFi 80C connect to strongSwan server
Hi,
I need to connect to a strongSwan server from my FortiGate.
Help me please. It did not work in the CLI.
My ipsec.conf:
    # ipsec.conf - strongSwan IPsec configuration file

    # basic configuration
    config setup
        # strictcrlpolicy=yes
        uniqueids = yes

    include /var/lib/strongswan/ipsec.conf.inc

    conn %default
        dpdaction=clear
        dpddelay=35s
        dpdtimeout=300s
        fragmentation=yes
        rekey=no
        ike=aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
        esp=aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,aes128-aes256-sha1-sha256,aes128-sha1,3des-sha1!
        # left - local (server) side
        left=%any
        leftauth=pubkey
        leftcert=194.87.147.234.crt
        leftsendcert=always
        leftsubnet=0.0.0.0/0
        # right - remote (client) side
        right=%any
        rightauth=pubkey
        rightsourceip=192.168.103.0/24
        rightdns=8.8.8.8

    conn ikev2-pubkey
        keyexchange=ikev2
        auto=add

    conn ikev2-pubkey-osx
        also="ikev2-pubkey"
        leftid=194.87.147.234

    conn ikev1-fakexauth
        keyexchange=ikev1
        rightauth2=xauth-noauth
        auto=add

    conn ikev2-eap-tls
        also="ikev2-pubkey"
        rightauth=eap-tls
        eap_identity=%identity
I want the traffic from my local network to be redirected through the strongSwan VPN.
Okay, do a search, as numerous examples exist for strongSwan/openswan.
http://socpuppet.blogspot.com/2015/07/openswan-cmds-you-should-get-use-to.html
https://forum.fortinet.com/tm.aspx?m=152615
Your config does not look too bad, but here are some quick suggestions:
1: I would drop all of those enc-algos and just pick one, e.g.
(example of a basic ipsec.conf)
rightauth=pubkey-sha1
ike=aes128-sha1-modp1024 ( aes128 enc-algo sha1 auth-algo DiffieHellMan group1 )
esp=aes128-sha1-modp1024
keyingtries=%forever
leftsubnet=10.10.10.0/24
rightsubnet=10.10.11.0/24
2: Define the left/right subnets with anything that's not 0.0.0.0/0:0. If your goal is to send ALL traffic through the tunnel, you can change that later, but on the FGT and strongSwan Linux box, just set a src/dst subnet for the encrypted data.
3: Ensure the IPsec key is correct in your ipsec.secrets key file and don't use a certificate for the 1st trial run (and yes, certificates do work, and work very well between FGT and strongSwan) :)
ken
PCNSE
NSE
StrongSwan
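As an added worked example (not from the thread or from either vendor's documentation), here is a minimal PSK site-to-site pairing that follows the three suggestions above: one proposal on each side, explicit subnets instead of 0.0.0.0/0, and a pre-shared key for the first trial run. The strongSwan public address 93.95.97.67 comes from the thread; the LAN subnets 10.10.10.0/24 and 10.10.11.0/24, the interface name "wan1", the tunnel name "strongswan" and the assumption that the FortiWiFi sits behind a dynamic or NATed address (so strongSwan uses right=%any and the FortiGate initiates) are all constructed for illustration. Lines beginning with # are annotations, not part of the FortiGate CLI.

```text
# --- /etc/ipsec.conf on the strongSwan side (constructed example) ---
config setup
    uniqueids = yes

conn fgt-site2site
    keyexchange=ikev1
    ike=aes128-sha1-modp2048!       # single proposal; must match FortiGate phase1 (dhgrp 14)
    esp=aes128-sha1-modp2048!       # single proposal; must match FortiGate phase2 with PFS group 14
    authby=secret                   # pre-shared key for the first trial run, certificates later
    keyingtries=%forever
    dpdaction=restart
    dpddelay=30s
    left=93.95.97.67                # strongSwan public address (from the thread)
    leftsubnet=10.10.10.0/24        # LAN behind strongSwan (assumed)
    right=%any                      # FortiWiFi address is dynamic/NATed, so it must initiate (assumed)
    rightsubnet=10.10.11.0/24       # LAN behind the FortiWiFi (assumed)
    auto=add

# --- /etc/ipsec.secrets on the strongSwan side ---
93.95.97.67 %any : PSK "replace-with-a-long-random-secret"

# --- FortiGate CLI, matching the strongSwan proposals above ---
config vpn ipsec phase1-interface
    edit "strongswan"
        set interface "wan1"
        set ike-version 1
        set proposal aes128-sha1
        set dhgrp 14
        set remote-gw 93.95.97.67
        set psksecret replace-with-a-long-random-secret
    next
end
config vpn ipsec phase2-interface
    edit "strongswan-p2"
        set phase1name "strongswan"
        set proposal aes128-sha1
        set pfs enable
        set dhgrp 14
        set auto-negotiate enable
        set src-subnet 10.10.11.0 255.255.255.0
        set dst-subnet 10.10.10.0 255.255.255.0
    next
end
config router static
    edit 0
        set dst 10.10.10.0 255.255.255.0
        set device "strongswan"
    next
end
```

Firewall policies from the internal interface to the "strongswan" tunnel interface (and back) are still required before any traffic flows; once the tunnel is up with the PSK, switch to certificates and verify with `ipsec statusall` on the strongSwan side.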
On the strongSwan there is only the public address (93.95.97.67). How do I configure the FortiGate?
