[strongSwan] Configuring site-to-site IPsec VPN to a Fortigate using certificates
tobias at strongswan.org
Tue Oct 15 14:10:07 CEST 2019
> Mon, 2019-10-14 17:16 07[JOB] <1> deleting half open IKE_SA with 22.214.171.124 after timeout
This means the IKE_AUTH message somehow doesn't get through. Either
because required UDP ports (4500) are blocked, or the message is too
large and gets fragmented (IP fragments are often dropped on the way).
If you can't use IKEv2 fragmentation (not sure if Fortigate supports
it), there isn't much you can do (using smaller certificates or not
sending them are some of the possible workarounds).
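As an added example (not from the original thread or the strongSwan project), a swanctl.conf fragment showing where the two workarounds above are configured in strongSwan; the connection name, peer address, certificate file and identities are assumed:

```conf
# Constructed swanctl.conf fragment for illustration; the connection name,
# address, certificate file and IDs are placeholders. Assumes the Fortigate
# end already has our certificate (or its CA) installed, so we can avoid
# sending it in IKE_AUTH.
connections {
    fortigate {
        version = 2
        remote_addrs = vpn.example.net

        # Workaround 1: IKEv2 fragmentation (RFC 7383). 'yes' proposes it and
        # fragments oversized IKE messages, but only if the peer supports it;
        # if the peer does not announce support, this setting has no effect.
        fragmentation = yes

        local {
            auth = pubkey
            # A smaller certificate (e.g. ECDSA instead of a large RSA one)
            # shrinks the IKE_AUTH payload and may avoid IP fragmentation.
            certs = siteA.pem
            # Workaround 2: never send our certificate. Default is 'ifasked';
            # with 'never' the peer must already hold the certificate locally.
            send_cert = never
        }
        remote {
            auth = pubkey
            id = "CN=fortigate.example.net"
        }
        children {
            net {
                local_ts = 10.1.0.0/24
                remote_ts = 10.2.0.0/24
            }
        }
    }
}
```

After `swanctl --load-all`, initiate with `swanctl --initiate --child net` and watch the charon log: if the "deleting half open IKE_SA ... after timeout" line disappears once IKE_AUTH is smaller or fragmented, the original failure was the message size rather than a blocked port.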