VPN IPSEC - StrongSwan with FortiGate

alix · ‎11-10-2021

Hi,

I tried to use strongswan on Linux host to up a IPsec VPN with FortiGate. On the Windows FortiClient, no problem.

My FortiGate configuration is :

[ul]

FortiGate VPN : IKE v1, agressive, NAT-T[/ul]

[ul]

Phase 1 :[/ul]

    edit "vpn-IPSEC"
        set type dynamic
        set interface "INET"
        set local-gw PublicIP
        set mode aggressive
        set peertype any
        set mode-cfg enable
        set ipv4-dns-server1 x.x.x.31
        set proposal aes256-sha512 aes256-sha384
        set dpd on-idle
        set dhgrp 14
        set xauthtype auto
        set authusrgrp "SI_admin"
        set ipv4-start-ip x.x.x.1
        set ipv4-end-ip x.x.x.10
        set ipv4-netmask x.x.x.0
        set ipv4-split-include "group-VPN"
        set psksecret ENC *****************************************==
        set dpd-retryinterval 60
    next

[ul]

Phase 2 :[/ul]

    edit "vpn-IPSEC"
        set phase1name "vpn-IPSEC"
        set proposal aes256-sha512 aes256-sha384
        set dhgrp 14
    next

My Strongswan configuration is :

#/etc/ipsec.d/forti.conf
config setup
 charondebug = "dmn 1, mgr 1, ike 1, ike 2, chd 1, job 1, cfg 3, knl 2, net 2, lib 1"
 nat_traversal = yes

conn fortinet
 type = tunnel
 reauth = yes
 authby = xauthpsk
 left = %defaultroute
 leftsourceip = %config
 leftsubnet = %dynamic,192.168.1.0/24
 leftauth = psk
 leftauth2 = xauth
 right = PeerIP
 rightaddresspool = x.x.x.1-x.x.x.10
 rightauth = psk
 rightmodecfgserver = yes
 keyexchange = ikev1
 aggressive = yes
 ikelifetime = 86400s
 pfs = yes
 ike = aes256-sha512;modp2048
 phase2 = esp
 phase2alg = aes256-sha512;modp2048
 keylife = 43200s
 xauth_identity = USERNAME
 auto=add

#/etc/ipsec.secrets
PeerIP : PSK "PSK"
@USERNAME : XAUTH "PASSWORD"

Could someone help me?

Thanks

Alix

emnoc · ‎11-11-2021

You need to do some diagnostics but I would read the following post sinc 99% of what your doing is covered in this previous post

https://forum.fortinet.com/tm.aspx?m=179755

Also, i would get ipsec log and diag debug application ike -1 from the linux client and fortigate respectively.

Lastly, you need to do some packet captures on linux ( e.g tcpdump -nnvvv -i eth0 host x.x.x.x and port 500 or 4500 ) or ( fgt. cli. diag sniffer packet any "host y.y.y.y" )

In your cfg I would also simplify the following lines and ensure you have this

e.g

conn vpn-dialup1

left=%any

leftsourceip=%config

leftid=@user1.example.com

right=vpnserverfgt100D.example.com. # the dns or ipv4 address of fortigate interfaces that matches the address in phase1-interface interface

rightsubnet=0.0.0.0/0 # optional probably not needed

leftsubnet=0.0.0.0/0

rightid=@vpn.my.net. # I would set a matching IKE-ID on the fortigate and then populate that here in your cfg

auto=add

ipsec up your "fortinet" profile , grab your logs, grab a packet capture at the linux host and|or fortigate and then do the proper analysis based on your findings.

tip, if you have iptables or firewalld, you need proper rules to allow traffic.

YMMV but the above examples , link and tips should get you pointed in the right direction.

Ken Felix

PCNSE

NSE

StrongSwan

VPN IPSEC - StrongSwan with FortiGate

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website