StrongSwan to FortiGate VPN Tunnel


April 19, 2025·Tyler Rasmussen

Recently I was tasked with configuring a site-to-site IPsec VPN between a FortiGate firewall and a Debian-based host running StrongSwan. While ultimately this configuration wasn’t used, I want to share my notes in case it’s helpful to someone else.

Just a quick heads up. I won’t be covering all aspects of getting a site-to-site connection going. Specifically, this blog post won’t address:

  1. Enabling IP Forwarding on Linux.
  2. Configuring iptables to allow IPSec traffic through its firewall.
  3. Configuring masquerading if that’s a requirement for your network.

For the FortiGate, I used Fortinet’s article to successfully configure the firewall.

Installation

On a Debian-based host, install strongswan.

sudo apt-get install strongswan

Shared Secret

Configure an IPsec Pre-Shared Key (PSK) under /etc/ipsec.secrets. It is used to authenticate both peers when the tunnel is established, so it must be identical to the PSK configured on the FortiGate.

local_ip remote_ip : PSK "password"

Ensure access to the secrets file is restricted to the root account only.

chown root:root /etc/ipsec.secrets
chmod 600 /etc/ipsec.secrets

IPSec Configuration

Within /etc/ipsec.conf add the following configuration.

# basic configuration.
config setup
    charondebug="all"          # verbose charon logging; lower this once the tunnel is stable
    uniqueids=yes
    strictcrlpolicy=no

# connection to FortiGate router.
conn named_connection
    type=tunnel
    auto=start                 # bring the tunnel up when the daemon starts
    keyexchange=ikev2
    authby=secret              # PSK from /etc/ipsec.secrets
    left=local_ip              # local address of the StrongSwan host
    leftid=local_ip            # local IKE identity (must match the FortiGate's peer ID)
    leftsubnet=192.168.1.0/24
    right=remote_ip            # FortiGate address
    rightid=remote_ip          # FortiGate IKE identity
    rightsubnet=10.0.0.0/20
    ike=aes256-sha256-modp2048
    esp=aes256-sha256
    aggressive=no
    keyingtries=%forever
    ikelifetime=28800s
    lifetime=3600s
    dpddelay=20s               # dead peer detection: probe every 20s ...
    dpdtimeout=120s            # ... declare the peer dead after 120s without a reply
    dpdaction=restart

Only four values need to be updated:

  • leftid - IP address of the Linux host running StrongSwan.
  • rightid - IP address of the FortiGate firewall.
  • leftsubnet - Subnet encompassing the networks behind the Linux host.
  • rightsubnet - Subnet encompassing the networks behind the FortiGate firewall.

If you’d like to use more modern ciphers, update the previous configuration with the following values. I’ve tested and verified these ciphers work with the latest version of FortiOS. Make sure to update the ciphers on the FortiGate as well, however.

    ike=aes256gcm16-sha256-prfsha384-ecp384!
    esp=aes256gcm16!

Note: for a list of available ciphers in StrongSwan, see their documentation.

Restart

Restart the IPsec tunnel for the changes to take effect.

sudo ipsec restart

Monitoring

To monitor and verify the connection, run the following. A healthy tunnel shows the IKE SA as ESTABLISHED and the CHILD SA as INSTALLED with the expected subnets on either side of the ===.

sudo ipsec status
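Reading the status by eye is fine for a one-off, but a cron job or monitoring agent needs a pass/fail answer. The following is an added example, not code from the original post: a POSIX shell function that classifies ipsec status output for one connection and also checks that the negotiated traffic selectors match the configured leftsubnet/rightsubnet. The status lines embedded in it are constructed sample output using documentation-only addresses.

```shell
#!/bin/sh
# Added example, not part of the original post: turn "ipsec status" output into a
# pass/fail check usable from cron or a monitoring agent. A healthy tunnel shows an
# IKE SA line ("conn[N]: ESTABLISHED"), a CHILD SA line ("conn{N}: INSTALLED") and a
# traffic-selector line ("conn{N}: leftsubnet === rightsubnet"). All sample status
# text below is constructed, using documentation-only IP ranges.

# tunnel_state CONN LEFTSUBNET RIGHTSUBNET   (status text on stdin)
# Prints one of: up | ts-mismatch | ike-only | child-only | down
# Returns 0 only for "up", i.e. both SAs are present with the expected subnets.
tunnel_state() {
    conn="$1"; lsub="$2"; rsub="$3"
    status=$(cat)
    ike=$(printf '%s\n' "$status" \
        | grep -Ec "^[[:space:]]*${conn}\[[0-9]+\]: +ESTABLISHED" || true)
    child=$(printf '%s\n' "$status" \
        | grep -Ec "^[[:space:]]*${conn}[{][0-9]+[}]: +INSTALLED" || true)
    ts=$(printf '%s\n' "$status" \
        | grep -E "^[[:space:]]*${conn}[{][0-9]+[}]:" \
        | grep -Fc " ${lsub} === ${rsub}" || true)
    if [ "${ike:-0}" -gt 0 ] && [ "${child:-0}" -gt 0 ]; then
        if [ "${ts:-0}" -gt 0 ]; then echo up; return 0; fi
        echo ts-mismatch; return 1     # tunnel is up, but not for the subnets you expect
    elif [ "${ike:-0}" -gt 0 ]; then
        echo ike-only; return 1        # IKE SA negotiated, CHILD SA (ESP) missing
    elif [ "${child:-0}" -gt 0 ]; then
        echo child-only; return 1      # ESP SA present without its IKE SA
    fi
    echo down; return 1
}

# Constructed sample output in the layout "ipsec status" prints.
SAMPLE_UP='Security Associations (1 up, 0 connecting):
named_connection[1]: ESTABLISHED 12 minutes ago, 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]
named_connection{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1d2e3f4_i a5b6c7d8_o
named_connection{1}:   192.168.1.0/24 === 10.0.0.0/20'
SAMPLE_IKE_ONLY='Security Associations (1 up, 0 connecting):
named_connection[2]: ESTABLISHED 3 seconds ago, 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]'
SAMPLE_DOWN='Security Associations (0 up, 0 connecting):
  none'

# Stand-alone demo; against a live host use:
#   sudo ipsec status | tunnel_state named_connection 192.168.1.0/24 10.0.0.0/20
for s in "$SAMPLE_UP" "$SAMPLE_IKE_ONLY" "$SAMPLE_DOWN"; do
    printf '%s\n' "$s" | tunnel_state named_connection 192.168.1.0/24 10.0.0.0/20 || true
done
```

The non-zero return codes make the function usable directly as a check command, and the printed state tells you which half of the negotiation failed.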