The send-cert-chain attribute set to enable by default in the vpn ipsec
phase1 configuration does not cause the CA certificate chain
(unnecessary Root CA certificate plus Issuing SubCA certificate) to be
included anymore in the IKE_AUTH response by t...
Irrespective of whether the FortiGate server certificate is directly issued
by a Root CA or by an Intermediate CA, the Root CA is always sent to the
IPsec VPN client in the CERT payload of the IKE_AUTH response. This
doesn't make any sense since no peer...
I'm enabling IKEv2 digital signatures with rsa-pss on a FortiGate VPN
Gateway:
config vpn ipsec phase1-interface
    edit "xyz"
        ...
        set digital-signature-auth enable
        set signature-hash-alg sha1 sha2-256 sha2-384
        set rsa-signature-format pss
    next
end
When t...
The reason that you don't have to specify a destination subnet with the
Fortinet Windows client is that Fortinet by default uses interface- or
route-based IPsec tunnels whereas strongSwan uses policy-based ones.
strongSwan doesn't install a separate virtual network interface but
installs a source routing rule in table 220 which should look something
like:
ip route list table 220
172.28.2.0/24 via 10.2.0.1 dev enp0s3 proto static src 192.168.166.4
dest. subnet...
Since you have removed rightsubnet=0.0.0.0/0 which tunneled all traffic,
the default is now rightsubnet=VPN_IP_HERE/32, which tunnels only
traffic going to the VPN Server but not to the internal network behind
the VPN gateway:
CHILD_SA FortinetVPN{1}...