[strongSwan] Configuring site-to-site IPsec VPN to a Fortigate using certificates
Tobias Brunner
tobias at strongswan.org
Tue Oct 15 14:10:07 CEST 2019
Hi Julian,
> Mon, 2019-10-14 17:16 07[JOB] <1> deleting half open IKE_SA with 123.123.123.123 after timeout
This means the IKE_AUTH message somehow doesn't get through. Either
because required UDP ports (4500) are blocked, or the message is too
large and gets fragmented (IP fragments are often dropped on the way).
If you can't use IKEv2 fragmentation (not sure if Fortigate supports
it), there isn't much you can do (using smaller certificates or not
sending them are some of the possible workarounds).
Regards,
Tobias
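As an added illustration that is not part of Tobias's message: a swanctl.conf connection fragment showing the two strongSwan settings his reply refers to, IKEv2 fragmentation (`fragmentation`) and suppressing certificate transmission (`send_cert`). Addresses, identities, certificate file name and subnets are placeholders.

```conf
# Added example, not from the original post. All addresses, IDs and
# file names are placeholders; adjust to your own deployment.
connections {
    to-fortigate {
        version = 2
        local_addrs  = 198.51.100.10   # placeholder: our public address
        remote_addrs = 203.0.113.20    # placeholder: Fortigate's address

        # Split a large IKE_AUTH at the IKE layer (RFC 7383) instead of
        # relying on IP fragmentation, which is often dropped in transit.
        # Only helps if the peer also supports IKEv2 fragmentation.
        fragmentation = yes

        # Workaround when the peer already has our certificate installed:
        # omit it from IKE_AUTH entirely, shrinking the message further.
        # Default is ifasked; leave it alone if the peer needs the cert.
        send_cert = never

        local {
            auth  = pubkey
            certs = gwCert.pem             # placeholder certificate file
            id    = gw.example.org         # placeholder identity
        }
        remote {
            auth = pubkey
            id   = fgt.example.org         # placeholder identity
        }
        children {
            net-net {
                local_ts  = 10.1.0.0/24    # placeholder local subnet
                remote_ts = 10.2.0.0/24    # placeholder remote subnet
                start_action = start
            }
        }
    }
}
```

If the half-open IKE_SA timeout persists with both settings applied, the remaining suspect is UDP 4500 being blocked somewhere on the path, which no IKE-side setting can work around.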