[strongSwan] Configuring site-to-site IPsec VPN to a Fortigate using certificates

Tobias Brunner tobias at strongswan.org
Tue Oct 15 14:10:07 CEST 2019

Hi Julian,

> Mon, 2019-10-14 17:16 07[JOB] <1> deleting half open IKE_SA with after timeout

This means the IKE_AUTH message somehow doesn't get through.  Either
because required UDP ports (4500) are blocked, or the message is too
large and gets fragmented (IP fragments are often dropped on the way).
If you can't use IKEv2 fragmentation (not sure if Fortigate supports
it), there isn't much you can do (using smaller certificates or not
sending them are some of the possible workarounds).


More information about the Users mailing list