Hi there,
in my company we are using the forticlient vpn with ipsec.
The AUR/community packages for the forticlient are only available with SSL vpn and not with ipsec.
Does anyone know an alternative ipsec vpn? It must provide an option for 2FA.
Thanks!
Last edited by John_H_Smith (2021-12-09 11:24:07)
Offline
I have used Cisco AnyConnect on Windows in a couple of different companies, and in both places it has worked quite well.
I noticed there is a package in AUR: https://aur.archlinux.org/packages/cisco-anyconnect/
Also here's some more info:
Cisco product page: https://www.cisco.com/c/en/us/products/ … index.html
Install guide for Ubuntu: https://www.cisco.com/c/en/us/support/d … buntu.html
Offline
Thanks for your suggestion.
I checked, there are 2 packages, aur/cisco-anyconnect and aur/cisco-anyconnect-runit. Both of them cannot be installed because of invalid URLs in the packages.
Also, you need to have a license for anyconnect to get it installed on ubuntu.
Offline
Any other ideas?
Offline
Openswan or Strongswan?
Both have pages in our wiki.
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
clean chroot building not flexible enough ?
Try clean chroot manager by graysky
Offline
Thank you!
I just checked the wikis, seems like they would work for me.
The only thing that isn't mentioned is whether they support 2FA... Do you know about it?
Offline
I think we may have a miscommunication here.
IPSEC is typically used for network to network tunneling and uses digital certificates to authenticate devices.
Client certificates are unique and generated on the server. The certificate is then installed on the client.
This all happens on network level. 2FA usually refers to user authentication which is something entirely different.
Systems for remote access like citrix do use vpn/ipsec & certificates to establish secure connections with client devices.
They also add a user login on top of it; that user login could use 2FA.
Is that the kind of setup you're looking for?
Last edited by Lone_Wolf (2021-12-17 20:27:40)
Offline
Ah, I see!
My goal is to connect to our fortigate for homeoffice.
Windows and Mac Users are using the FortiClient VPN (ipsec), which provides 2FA for the connection.
But as the FortiClient is not working with unix systems, I am searching for a replacement for my arch system.
Offline
Have you tried https://aur.archlinux.org/packages/forticlient-vpn/ ?
According to https://www.fortinet.com/support/product-downloads the file it downloads should support both vpn and ipsec.
Or is the company server not compatible with forticlient 7.x.y?
Offline
Yeah, I've tried it. But the aur package only supports the ssl-vpn, not the ipsec.
I already flagged it as out of date. The official download from the fortinet website is working fine on windows.
Offline
I suggest trying the linux client on one of the supported distros to verify if this is a packaging issue or not.
Looks like CentOS 7, RHEL 7, Fedora 27, Ubuntu 16.04, 18.04 and 20.04 are supported for forticlient 6.4.
Offline
Yeah, I tested on Ubuntu 20.04, same problem as for the aur package: no ipsec section available
Offline
Then it seems the problem may be with upstream.
Forticlient vpn doesn't appear to come with support. Does the company have a license/support contract for forticlient ZTNA or EPP/APT edition?
Offline
Sorry for the late reply, I had holidays and was not in the office.
No, my company has a VPN free license.
Offline
That suggests you have a few choices:
- Convince IT to allow ssl vpn for linux fortinet clients
- Convince the company to switch to systems that do support ipsec on all platforms (like strongswan) and use a 2nd layer for the user login 2FA part (would improve security by a lot)
- Use a device where ipsec fortinet works
Offline
try NetworkManager-fortisslvpn or one of the more generic ipsec nm plugins
edit: hmm ipsec support never got merged in
Last edited by Mr.Elendig (2022-01-03 13:58:58)
Evil #archlinux@libera.chat channel op and general support dude.
. files on github, Screenshots, Random pics and the rest
Offline
Yeah, so I should check some of the ipsec nm plugins?
Offline