New Contributor

VPN IPSEC - StrongSwan with FortiGate



I tried to use strongSwan on a Linux host to bring up an IPsec VPN with a FortiGate. With the Windows FortiClient there is no problem.


My FortiGate configuration is:

  • FortiGate VPN: IKEv1, aggressive mode, NAT-T


  • Phase 1:

        edit "vpn-IPSEC"
            set type dynamic
            set interface "INET"
            set local-gw PublicIP
            set mode aggressive
            set peertype any
            set mode-cfg enable
            set ipv4-dns-server1 x.x.x.31
            set proposal aes256-sha512 aes256-sha384
            set dpd on-idle
            set dhgrp 14
            set xauthtype auto
            set authusrgrp "SI_admin"
            set ipv4-start-ip x.x.x.1
            set ipv4-end-ip x.x.x.10
            set ipv4-netmask x.x.x.0
            set ipv4-split-include "group-VPN"
            set psksecret ENC *****************************************==
            set dpd-retryinterval 60

  • Phase 2:

        edit "vpn-IPSEC"
            set phase1name "vpn-IPSEC"
            set proposal aes256-sha512 aes256-sha384
            set dhgrp 14


    My strongSwan configuration is:

    config setup
     charondebug = "dmn 1, mgr 1, ike 1, ike 2, chd 1, job 1, cfg 3, knl 2, net 2, lib 1"
     nat_traversal = yes

    conn fortinet
     type = tunnel
     reauth = yes
     authby = xauthpsk
     left = %defaultroute
     leftsourceip = %config
     leftsubnet = %dynamic,
     leftauth = psk
     leftauth2 = xauth
     right = PeerIP
     rightaddresspool = x.x.x.1-x.x.x.10
     rightauth = psk
     rightmodecfgserver = yes
     keyexchange = ikev1
     aggressive = yes
     ikelifetime = 86400s
     pfs = yes
     ike = aes256-sha512;modp2048
     phase2 = esp
     phase2alg = aes256-sha512;modp2048
     keylife = 43200s
     xauth_identity = USERNAME

    PeerIP : PSK "PSK"


    Could someone help me?




1 REPLY

    Esteemed Contributor III

    You need to do some diagnostics, but I would read the following post since 99% of what you're doing is covered in this previous post.



    Also, I would get the ipsec log and "diag debug application ike -1" from the Linux client and the FortiGate respectively.


    Lastly, you need to do some packet captures on Linux (e.g. tcpdump -nnvvv -i eth0 host x.x.x.x and port 500 or 4500) or on the FortiGate CLI (diag sniffer packet any "host y.y.y.y").


    In your cfg I would also simplify the following lines and ensure you have this:



    conn vpn-dialup1
       leftsourceip=%config  # the DNS name or IPv4 address of the FortiGate interface that matches the interface set in the phase1-interface
       rightsubnet=          # optional, probably not needed
       leftsubnet=           # I would set a matching IKE-ID on the FortiGate and then populate that here in your cfg




    ipsec up your "fortinet" profile, grab your logs, grab a packet capture at the Linux host and/or FortiGate, and then do the proper analysis based on your findings.


    Tip: if you have iptables or firewalld, you need proper rules to allow the traffic.


    YMMV, but the above examples, link and tips should get you pointed in the right direction.


    Ken Felix
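Putting the question's FortiGate phase 1/phase 2 and the reply's simplification together, the following ipsec.conf and ipsec.secrets pair is an added example written in strongSwan 5 keyword syntax; it is not the poster's file and not Ken's. It uses strongSwan's own keywords where the question used openswan/libreswan ones: the phase 2 proposal goes in esp= (the DH group inside esp= is what gives PFS, so there is no pfs= or phase2alg= line), keylife= becomes lifetime=, and nat_traversal= is dropped because charon negotiates NAT-T on its own. PeerIP, USERNAME, the client IKE ID "vpn-client" and the two secrets are placeholders to be replaced with the real values.

```ini
# /etc/ipsec.conf  (added example, not the forum poster's configuration)
config setup
    # strongSwan debug levels; the openswan-only "nat_traversal" keyword is not needed
    charondebug="ike 2, cfg 2, knl 2, net 2"

conn fortinet
    keyexchange=ikev1
    aggressive=yes                  # FortiGate phase1: set mode aggressive
    ike=aes256-sha512-modp2048!     # phase1 proposal aes256-sha512 + dhgrp 14
    esp=aes256-sha512-modp2048!     # phase2 proposal aes256-sha512 + dhgrp 14 (PFS)
    ikelifetime=24h                 # 86400s, the FortiGate phase1 default
    lifetime=12h                    # 43200s; strongSwan's name for "keylife"
    dpdaction=restart               # FortiGate: set dpd on-idle, dpd-retryinterval 60
    dpddelay=30s
    left=%defaultroute
    leftid=@vpn-client              # placeholder IKE ID; "set peertype any" accepts it
    leftsourceip=%config            # take the tunnel IP from the FortiGate mode-cfg pool
    leftauth=psk                    # "set psksecret ..."
    leftauth2=xauth                 # "set xauthtype auto" with group "SI_admin"
    xauth_identity=USERNAME         # placeholder: a user in group SI_admin
    right=PeerIP                    # placeholder: the FortiGate "set local-gw" public IP
    rightauth=psk
    rightsubnet=0.0.0.0/0           # narrowed to the split-include networks if pushed
    auto=add

# /etc/ipsec.secrets  (mode 0600; placeholders, not real secrets)
PeerIP   : PSK   "the-shared-psksecret"
USERNAME : XAUTH "the-xauth-password"
```

There is no leftsubnet= line: with leftsourceip=%config the virtual IP handed out by the FortiGate becomes the local traffic selector, which is the simplification the reply points at. Bring the tunnel up with "ipsec up fortinet" and compare the proposal and mode-config exchange in "ipsec statusall" and the charon log against "diag debug application ike -1" on the FortiGate side; if the FortiGate pushes its split-include networks as Cisco Unity attributes, loading strongSwan's unity plugin lets charon narrow rightsubnet to them instead of sending all traffic through the tunnel.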