IPSec VPN to Linux StrongSwan
I'm beating my head against a brick wall with an IPSec VPN configuration. Here's the basic topology:
192.168.x.x (my lan) --> [FortiGate 20c] --> 10.1.10.x (wan) --> [Cisco/Comcast Router] --> 18.104.22.168 (my public IP) --> [*Internet*] --> 22.214.171.124 (peer's public IP) --> [Linux StrongSwan] --> 172.16.x.x (peer's lan)
I have put my FG (10.1.10.10) in the DMZ on the Comcast router to try and eliminate problems there.
My FG has a functioning tunnel-mode VPN already configured and working. I'm adding a second one, but in interface mode.
So, I've read a LOT of the manuals and forum posts, etc., but can't seem to make this go.
ThisVPN Phase 1
IP Address: 126.96.36.199 (peer's public IP)
Local Interface: wan
Authentication method: Preshared Key
Pre-shared Key: xxxxxxxxxxxx (matches with peer)
Enable IPsec Interface Mode: enabled
IKE Version: 1
Local Gateway IP: Main Interface IP (can I / should I put my public Internet IP here instead?)
P1 Proposal: AES128 / SHA512 (matches peer)
DH Group: 2, 5 (unknown if matches peer)
Keylife 86400 seconds (matches peer)
Local ID: 188.8.131.52 (my public IP, seems to be what peer expects)
Nat Traversal: Enabled
ThisVPN_P2 Phase 2
P2 Proposal: AES128 / SHA512 (matches peer)
Replay detection: enabled
PFS: disabled (matches peer)
Keylife: 86400 seconds (matches peer)
Keep alive: enabled
Selectors: all zeroes (allow everything)
172.16.x.x --> ThisVPN
lan --> ThisVPN
ThisVPN --> lan
When I look at some of the debug output from the CLI, I see:
IPsec SA connect 4 10.1.10.10 -> 184.108.40.206:500
If the peer has NAT-T as I do, they will be getting an IKE request from 10.1.10.10, no? How do I fix this?
Thanks in advance for any and all help!
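For reference, here is what the StrongSwan side of the tunnel described above would look like as a classic ipsec.conf. This is an added example, not the poster's or the peer's real configuration: it takes the two public addresses from the topology line, assumes /16 masks for both LANs, and assumes main mode (the FortiGate default for IKEv1).

```ini
# /etc/ipsec.conf on the StrongSwan peer. Added example, not the poster's
# or the peer's real configuration. Addresses are taken from the topology
# line of the post; the /16 masks and the subnet selectors are assumptions.
config setup
    # uniqueids=no keeps an established SA from being torn down when the
    # FortiGate re-initiates after a rekey or a NAT mapping change
    uniqueids = no

conn fortigate-ikev1
    keyexchange = ikev1
    aggressive = no              # main mode (assumed; FortiGate default)
    authby = secret              # pre-shared key

    # Local side (StrongSwan). left=%defaultroute binds to the interface that
    # routes toward the FortiGate; leftid is what goes in the IKE ID payload.
    left = %defaultroute
    leftid = 22.214.171.124
    leftsubnet = 172.16.0.0/16

    # Remote side. The FortiGate sources IKE from 10.1.10.10, but the Comcast
    # router translates that to its public address, so StrongSwan looks up
    # the PSK by the post-NAT source it actually sees. rightid must equal the
    # FortiGate's "Local ID": the encrypted ID payload is matched against it.
    # With NAT-T both sides detect the NAT and move IKE/ESP to UDP/4500.
    right = 18.104.22.168
    rightid = 18.104.22.168
    rightsubnet = 192.168.0.0/16

    # Phase 1: AES-128 / SHA-512 with DH group 2 (modp1024) or 5 (modp1536).
    # The trailing "!" makes the list strict so nothing weaker is accepted.
    ike = aes128-sha512-modp1024,aes128-sha512-modp1536!
    ikelifetime = 24h            # 86400 s

    # Phase 2: same cipher suite, no DH group because PFS is disabled.
    # IKEv1 has no selector narrowing: the FortiGate's Phase 2 selectors
    # must match leftsubnet/rightsubnet exactly, not 0.0.0.0/0.
    esp = aes128-sha512!
    lifetime = 24h               # 86400 s
    # Match the FortiGate's keep-alive with dead peer detection.
    dpddelay = 30s
    dpdaction = restart

    auto = add                   # respond only; let the FortiGate initiate

# /etc/ipsec.secrets, keyed by the two public addresses (placeholder key):
#   22.214.171.124 18.104.22.168 : PSK "xxxxxxxxxxxx"
```

After loading it, `ipsec statusall` on the StrongSwan host shows which address and ID the FortiGate actually presented, which is the quickest way to confirm whether the 10.1.10.10 seen in the FortiGate debug survives the NAT or is rewritten to the public IP as expected.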