[strongSwan] Configuring site-to-site IPsec VPN to a Fortigate using certificates

JR jrmailgate-strongswan at yahoo.com
Tue Oct 22 10:41:03 CEST 2019


Hi

Thank you for the reply. I have now got a site-to-site VPN tunnel working between StrongSWAN and a Fortigate using certificates!

A couple of things to note:

IP Fragmentation was indeed an issue, and resolved on the Fortigate end by running the following commands:

config vpn ipsec phase1-interface
edit <tunnel-name>
set fragmentation enable
end

At a high level, the following needs to be done on the Fortigate:

- Load the CA certificate that was used to sign the StrongSWAN certificate
- Load the Fortigate certificate
- Create a PKI user that has the Distinguished Name (DN) as set in the "id" field on StrongSWAN and that matches the DN in the StrongSWAN certificate. Select the CA root certificate that was installed above. This basically tells the Fortigate which CA certificate it should use when passed the ID from StrongSWAN.

Note: When cutting and pasting the DN into this field, the Fortigate adds spaces around the "=" signs, so "C=GB" in the certificate and in the StrongSWAN configuration becomes "C = GB" on the Fortigate. Don't change this or the certificate will fail to match!

- When using certificates, the "Local ID" setting on the Fortigate appears to be ignored and it doesn't matter what you set this to.
- If you set the Fortigate VPN type to "Static IP Address", then the tunnel will automatically be initiated. If you only want the StrongSWAN end to establish the connection, set the type to "Dialup User".

As mentioned above, the "id" is the distinguished name as found in the certificate, not the FQDN.

This was tested on Fortigate 5.6.10 build6020 (GA) to StrongSWAN 5.6.2-1ubuntu2.4

Hope this is useful to others.

JR
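For readers who want the other half of the picture, here is the strongSwan side of a setup like the one JR describes, written as an added example (it is not from JR's post and not a configuration shipped by the strongSwan or Fortinet projects). It uses the classic ipsec.conf format that the strongSwan 5.6.x release mentioned above still reads. Every concrete value is an assumption: the DNs, host names, subnets, the Fortigate's public address and the certificate and key file names are placeholders to be replaced with your own; IKEv2 is also an assumption, since the post does not say which IKE version was used.

```conf
# /etc/ipsec.conf  (added example; all names, addresses and DNs are placeholders)
#
# Files assumed to be in place (placeholders):
#   /etc/ipsec.d/cacerts/ca.pem          CA that signed BOTH end certificates
#   /etc/ipsec.d/certs/strongswan.pem    this host's certificate, subject DN below
#   /etc/ipsec.d/private/strongswan.key  its private key
# and in /etc/ipsec.secrets:
#   : RSA strongswan.key

config setup
    # Tracing IKE is handy while getting the DN matching right
    charondebug="ike 1, cfg 1"

conn fortigate-s2s
    keyexchange=ikev2               # assumption: IKEv2 on both ends
    # IKE fragmentation: the strongSwan counterpart of the Fortigate's
    # "set fragmentation enable"; certificate payloads are large and
    # otherwise tend to exceed the path MTU.
    fragmentation=yes

    # Local (strongSwan) side
    left=%defaultroute
    leftcert=strongswan.pem
    # The id MUST be the subject DN of strongswan.pem, not the FQDN.
    # This exact DN (with or without the spaces the Fortigate GUI adds
    # around "=") is what goes into the Fortigate PKI user.
    leftid="C=GB, O=Example Ltd, CN=strongswan.example.com"
    leftauth=pubkey
    leftsendcert=always             # always send our cert in IKE_AUTH
    leftsubnet=10.1.0.0/24          # placeholder: local protected network

    # Remote (Fortigate) side
    right=203.0.113.10              # placeholder: Fortigate public address
    # Assumption: the Fortigate identifies itself by its certificate DN
    rightid="C=GB, O=Example Ltd, CN=fortigate.example.com"
    rightauth=pubkey
    rightsubnet=10.2.0.0/24         # placeholder: remote protected network

    # strongSwan initiates, matching the "Dialup User" type on the Fortigate
    # where only this end brings the tunnel up. Use auto=add if the Fortigate
    # is set to "Static IP Address" and initiates itself.
    auto=start
```

To get the DN string for `leftid` exactly as it appears in the certificate, read it with `openssl x509 -in /etc/ipsec.d/certs/strongswan.pem -noout -subject`; after `ipsec restart`, `ipsec statusall` shows whether the peer's certificate was accepted and which identities were matched.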