- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- IPSec VPN to Linux StrongSwan
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IPSec VPN to Linux StrongSwan
I'm beating my head against a brick wall with an IPSec VPN configuration. Here's the basic topology:
192.168.x.x (my lan) --> [FortiGate 20c] --> 10.1.10.x (wan) --> [Cisco/Comcast Router] --> 50.1.1.1 (my public IP) --> [*Internet*] --> 50.2.2.2 (peer's public IP) --> [Linux StrongSwan] --> 172.16.x.x (peer's lan)
I have put my FG (10.1.10.10) in the DMZ on the Comcast router to try and eliminate problems there.
My FG has a functioning tunnel-mode VPN already configured and working. I'm adding a second, but interface mode.
So, I've read a LOT of the manuals and forum posts, etc, but can't seem to make this go.
I have:
ThisVPN Phase 1
IP Address: 50.2.2.2 (peer's public IP)
Local Interface: wan
Authentication method: Preshared Key
Pre-shared Key: xxxxxxxxxxxx (matches with peer)
Enable IPsec Interface Mode: enabled
IKE Version: 1
Local Gateway IP: Main Interface IP (can I / should I put my public Internet IP here instead?)
P1 Proposal: AES128 / SHA512 (matches peer)
DH Group: 2, 5 (unknown if matches peer)
Keylife 86400 seconds (matches peer)
Local ID: 50.1.1.1 (my public IP, seems to be what peer expects)
XAuth: Disabled
Nat Traversal: Enabled
DPD: Enabled
ThisVPN_P2 Phase 2
P2 Proposal: AES128 / SHA512 (matches peer)
Replay detection: enabled
PFS: disabled (matches peer)
Keylife: 86400 seconds (matches peer)
Keep alive: enabled
Auto-negotiate: enabled
Selectors: all zeroes (allow everything)
Static route:
172.16.x.x --> ThisVPN
Policies:
lan --> ThisVPN
Source: MySubnet
Dest: PeerSubnet
Sched: always
Service: all
Action: allow
ThisVPN --> lan
Source: PeerSubnet
Dest: MySubnet
Sched: always
Service: all
Action: allow
When I look at some of the debug output from the CLI, I see:
IPsec SA connect 4 10.1.10.10 -> 50.2.2.2:500
If the peer has NAT-T as I do, they will be getting an IKE request from 10.1.10.10, no? How do I fix this?
Thanks in advance for any and all help!
-Terry
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Terry,
Your IKE traffic should be source natted with 50.1.1.1 (your public IP)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here's a vpn t-shoot guide
http://socpuppet.blogspot.com/2013/10/site-2-site-routed-vpn-trouble-shooting.html
Here's swan guide
http://socpuppet.blogspot.com/2015/07/openswan-cmds-you-should-get-use-to.html
Quick observation:
qaud 0s is probably not going to work ( aka 0.0.0.0:0 ) for phase2 and a open/strongswan
the linux host has tcpdump, run it from the bash shell on the FGT_peer-ID
dun the diagnostic commands for ike/ipsec on the fortigate
That should lead you in the right direction.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One of the docs I read said quad 0's was the way to allow everything. Not so?
I'll try it with my Public IP and his Private Subnet as the selectors.
-T
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Again here's working openswan example
http://socpuppet.blogspot.com/2014/05/openswan-to-fortigate-route-based-vpn.html
Follow that above reference and change the lef/right to match your networks and define the PSK and enable NAT-T on the fortigate . Ensure porks 500/4500 is open on the linux side of things and ESP protocols.
1 > tcpdump on the linux side, 2> run diag cmd 3> review logs
e.g
tcpdump -i em0 "udp port 500 or 4500"
tcpdump -i em0 "proto 50"
It's really that easy.
Ken
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks everyone for your help!
What ended up being the critical issues were these:
- On the Strongswan side, he had to set "rightid=%any" in ipsec.conf
- On my FG side, I had to set the P2 Quick Mode Selector Source address to my internal subnet, rather than my public IP, and the Destination address to the peer's internal subnet.
Working like a charm now!
-Terry
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Terry C wrote:Hi Terry, Could you share your complete config file along with FG configuration? I'm having currently same issue and can't force it to work :( ThanksThanks everyone for your help!
What ended up being the critical issues were these:
- On the Strongswan side, he had to set "rightid=%any" in ipsec.conf
- On my FG side, I had to set the P2 Quick Mode Selector Source address to my internal subnet, rather than my public IP, and the Destination address to the peer's internal subnet.
Working like a charm now!
-Terry
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Shouldn't the "Local Gateway IP" setting take care of this? It's currently set to the WAN IP, but I could set it to the Public IP instead.
The reasons I wonder about this are two:
1 There is a functioning IPsec tunnel-mode VPN on this FortiGate already, to a different vendor, with no special natting.
2 Per ALL the docs and examples, I have my Phase 1 set with NAT-T enabled. Wouldn't that defeat this?
Thanks!
-Terry
Related Posts
- Fortclient VPN Client Linux - IPSEC... 301 Views
- Ipsec connection in linux mint with... 1375 Views
- fortigate 500E site to site... 501 Views
- strongswan site to site fortigate vpn... 645 Views
- SSL VPN Performance (ssl.root mtu size) 2627 Views
Labels
-
FortiGate
6,456 -
FortiClient
1,290 -
5.2
801 -
5.4
639 -
FortiManager
562 -
6.0
416 -
FortiAnalyzer
410 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
68 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
BGP
11 -
DNS
11 -
Interface
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.