
I really want to connect to a Fortigate IPsec VPN from Linux, but "it's not working" (see below).

I tried Shrewsoft first, but it wasn't compiling, and while I was searching for a fix, I heard that Shrewsoft VPN is moribund.

I've moved on to vpnc, but I'm not having much luck with that either. My redacted config file is below, along with the error I'm getting. It bothers me more than a little that ike-scan thinks my gateway isn't handshaking. Also, my IT guy says there are no failed login attempts on the Fortigate side.

My vpnc config looks like:

IPSec gateway redacted.example.com
IPSec ID redacted
IPSec secret redacted
#IKE Authmode hybrid
IKE Authmode psk
Xauth username redacted
#Xauth password redacted

The error I get is:

$ vpnc-connect
Enter password for [email protected]:
vpnc-connect: no response from target

If I strace vpnc, I can see it timing out trying to poll for an answer back from udp/500 on host.example.com.

I see something similar if I try to ike-scan host.example.com:

Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
Ending ike-scan 1.9.4: 1 hosts scanned in 3.311 seconds (0.30 hosts/sec). 0 returned handshake; 0 returned notify

It's like I have the wrong server or something, but the hostname does resolve, and I can see the UDP/500 port open|filtered in the output from:

nmap -P0 -sU -p 500 host.example.com

I've got some special characters in my PSK, including a comment character, but I don't think that's supposed to matter to vpnc.

I'm on Debian 10.10, and I'm using vpnc 0.5.3r550-3.

Fortigate as the server is a requirement, but we have a lot of flexibility on the client, as long as it's Debian Linux.

Any suggestions?

Thanks!

8
  • Please note that the SSL VPN doesn't satisfy the requirement. Our Fortigate is IPsec only.
    – dstromberg
    Commented Jul 7, 2021 at 20:29
  • I also tried NetworkManager, but it failed to establish a connection as well.
    – dstromberg
    Commented Jul 7, 2021 at 20:32
  • You need a Linux version of the Fortigate client app. Fortigate client conflicts with vanilla IPSec clients. We have seen this hardware at customers.
    – anon
    Commented Jul 7, 2021 at 20:35
  • If you suspect the special characters contained within your PSK, the obvious solution is to get rid of those special characters temporarily. Of course I would agree with your initial conclusion: the client does not even appear to attempt a connection to the server, likely due to a client conflict. It should be pointed out that you won't receive any software recommendations for IPsec clients, as software recommendations are specifically out of scope here at Super User. Any (sanitized) verbose logs would be helpful. Verify the actual port on the VPN is 500.
    – Ramhound
    Commented Jul 7, 2021 at 20:53
  • Try this: reddit.com/r/fortinet/comments/ggk02l/…
    – anon
    Commented Jul 7, 2021 at 21:08

2 Answers

0

I'm still not getting complete authentication, but I've cleared one hurdle and moved on to the next.

The hurdle comprising this question was cleared by adding:

IKE DH Group dh5

...to:

/etc/vpnc/default.conf
0

vpnc worked with IPsec for me; my conf file is:

IPSec gateway <yourgatewayip>
IPSec ID <youripsecid>
IPSec secret <youripsecsecret>
Xauth username <yourusername>
Xauth password <yourpass>
IKE DH Group dh5
Perfect Forward Secrecy dh5
Interface name myvpn-ike
1
  • As it’s currently written, your answer is unclear. Please edit to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers in the help center.
    – Community Bot
    Commented Oct 26, 2022 at 20:33
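The question narrows the fault down with two observations (ike-scan reports 0 returned handshakes while nmap shows UDP/500 as open|filtered, so the gateway is reachable but never answers the proposal), and both answers resolve it by adding an explicit IKE DH Group line to the vpnc config. The script below is an added example written for this page, not code from the question, the answers, or the vpnc project: it checks a vpnc config file for the keys the answers rely on (flagging a missing "IKE DH Group" line, the fix from the first answer), warns when the file holding the PSK and XAUTH password is readable by anyone else, and parses the "Ending ike-scan" summary line quoted in the question so the handshake count can be checked in a script. The hostnames, file contents and sample output are constructed.

```shell
#!/bin/sh
# Added example, not code from the question or the answers: a pre-flight check
# for a vpnc configuration file plus a parser for the "Ending ike-scan" summary
# line. File contents, hostnames and sample output below are constructed.

# Keys a vpnc config for an XAUTH/PSK tunnel needs. "IKE DH Group" is the line
# both answers had to add before the Fortigate responded; without it vpnc
# proposes its built-in default group.
REQUIRED_KEYS='IPSec gateway
IPSec ID
IPSec secret
Xauth username
IKE DH Group'

# Print, one per line, every required key absent from the config file $1.
# Lines beginning with "#" are vpnc comments and are skipped, so a commented
# out line such as "#IKE Authmode hybrid" does not count as setting anything.
vpnc_config_missing() {
    cfg="$1"
    old_ifs="$IFS"
    IFS='
'
    for key in $REQUIRED_KEYS; do
        if ! grep -v '^[[:space:]]*#' "$cfg" | grep -q "^${key}[[:space:]]"; then
            echo "$key"
        fi
    done
    IFS="$old_ifs"
}

# Return 0 when the config file is readable by group or others. It holds the
# PSK and the XAUTH password in clear text, so it should be mode 0600.
vpnc_config_too_open() {
    group_other=$(ls -ld "$1" | cut -c5-10)
    [ "$group_other" != "------" ]
}

# Read ike-scan output on stdin and print how many hosts returned a handshake
# (0 when the summary line is missing). 0 handshakes while nmap reports UDP/500
# as open|filtered means the gateway never answered the IKE proposal at all.
ike_scan_handshakes() {
    n=$(sed -n 's/.*[^0-9]\([0-9][0-9]*\) returned handshake.*/\1/p' | head -n 1)
    echo "${n:-0}"
}

# Demonstration on a constructed config that mirrors the question's (no DH
# group line) and on the ike-scan summary the question quotes.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
IPSec gateway vpn.example.com
IPSec ID example-id
IPSec secret example-secret
#IKE Authmode hybrid
IKE Authmode psk
Xauth username example-user
EOF
echo "missing keys: $(vpnc_config_missing "$demo_cfg" | tr '\n' ' ')"
if vpnc_config_too_open "$demo_cfg"; then
    echo "config is readable by group/others; chmod 0600 it"
else
    echo "config permissions ok"
fi
printf 'handshakes: %s\n' "$(printf '%s\n' \
  'Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)' \
  'Ending ike-scan 1.9.4: 1 hosts scanned in 3.311 seconds (0.30 hosts/sec). 0 returned handshake; 0 returned notify' \
  | ike_scan_handshakes)"
rm -f "$demo_cfg"
```

Run it on a real file with the functions sourced (`. ./check.sh; vpnc_config_missing /etc/vpnc/default.conf`) before retrying vpnc-connect; a non-empty "IKE DH Group" in the output is the same gap the accepted workaround closed, and a handshake count of 0 from ike-scan points at a phase-1 proposal mismatch rather than a wrong password, which is consistent with the Fortigate logging no failed logins.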

