UDP port 500 is used by ISAKMP, the IPsec key exchange protocol.
https://superuser.com/questions/245087/ … vpnc-error
So, I am just trying to get VPNC working, I put
IPSec gateway
IPSec ID Any
IPSec secret
Xauth username
Xauth password
When starting normally, I got the message about the port being in use, so I changed it to some random port and still couldn't connect. Unless the IP needed to be the tunnel IP; I used the normal VPN one.
https://community.fortinet.com/t5/Forti … a-p/207149
I might ask my ISP to change this setting to "cisco" rather than FortiClient and then see if that guide works; maybe FortiClient, being stupid, does something extra.
I tinkered around with xl2tpd again. Despite having a logfile param in the config it isn't creating a log, nor spitting out much more than "peer not authorized" when started with -D interactively, though that was to the VPN-assigned IP, not the public one.
xl2tpd[9642]: control_finish: Denied connection to unauthorized peer 172.31.0.1
xl2tpd[9642]: Connection 61887 closed to 172.31.0.1, port 1701 (No Authorization)
xl2tpd[9642]: control_finish: Connection closed to 172.31.0.1, port 1701 (No Authorization), Local: 61887, Remote: 15852
Oh, I see from here: https://www.kerkeni.net/en/configure-l2 … os-5-2.htm
I should be using the public IP. However, this times out on the default port, and zenmap says no other ports are open (to scanning, and FortiClient doesn't require us to change any port, let alone provide a facility to), so I don't think it's using L2TP.
Last edited by Treyarch (2023-11-22 08:27:25)
So, no idea if my ISP changed things without telling me, but they said they closed the case and couldn't help. I'll follow up to make sure, but this config works for me after a bit of head-scratching; I am still not sure why:
config setup
    charondebug = "all"

conn [Name]
    type = tunnel
    auto = start
    # IKEv1 with PSK for the gateway plus XAuth for the user
    keyexchange = ikev1
    authby = psk
    left = %defaultroute
    # leftid = [MY External]
    rightsubnet = 0.0.0.0/0
    installpolicy = yes
    leftfirewall = yes
    rightfirewall = yes
    leftallowany = yes
    right = [VPN]
    ike = aes256-sha256-modp4096,aes256-sha512-modp4096
    esp = aes256-sha256-modp4096,aes256-sha512-modp4096
    aggressive = yes
    keyingtries = %forever
    ikelifetime = 86400s
    lifetime = 43200s
    # dead peer detection
    dpddelay = 20s
    dpdtimeout = 120s
    dpdaction = restart
    # pull the virtual IP (and DNS) from the gateway via mode config
    modeconfig = pull
    leftsourceip = %modeconfig
    # always UDP-encapsulate ESP (NAT-T)
    forceencaps = yes
    leftauth = psk
    rightauth = psk
    leftauth2 = xauth
    xauth_identity = "me"
I have my XPWD and my PSK in the right files. I don't actually know if or what I changed, but hey, I have traffic passing across the VPN now, which is progress. I just now need DNS to work... but I think this is more my computer not seeing that the DNS server has changed: using dig and specifying the local DNS servers of the remote network works, and they're in my resolv.conf; I'm just not sure why ping and other programs wouldn't see them.
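The working config above is an IKEv1 PSK + XAuth road-warrior setup with aggressive mode enabled. One caveat worth knowing before copying it: in IKEv1 aggressive mode the authentication hashes are sent unencrypted, so anyone who can capture or solicit the exchange can run an offline dictionary attack on the PSK. The small linter below, added here as an example (it is not code from the thread or from strongSwan), parses an ipsec.conf-style file and flags that pattern along with weak cipher/DH choices. The sample config is constructed to mirror the thread's config; `vpn.example.net` and the conn name are placeholders.

```python
"""Lint an ipsec.conf-style strongSwan config for IKEv1 road-warrior pitfalls.

Added example for this thread, not code from the thread or from strongSwan.
The sample config is constructed to mirror the working config above; the
gateway name and identities are placeholders.
"""

# Constructed sample: same shape as the working config in the thread.
SAMPLE_IPSEC_CONF = """\
config setup
    charondebug = "all"

conn fortigate
    type = tunnel
    auto = start
    keyexchange = ikev1
    authby = psk
    left = %defaultroute
    right = vpn.example.net
    rightsubnet = 0.0.0.0/0
    ike = aes256-sha256-modp4096,aes256-sha512-modp4096
    esp = aes256-sha256-modp4096,aes256-sha512-modp4096
    aggressive = yes
    leftauth = psk
    rightauth = psk
    leftauth2 = xauth
    xauth_identity = "me"
"""

# Algorithms and DH groups a practitioner would reject in a new tunnel.
WEAK_ALGS = {"des", "3des", "md5", "sha1", "modp768", "modp1024", "modp1536"}


def parse_ipsec_conf(text):
    """Return {"<type> <name>": {option: value}} for each section.

    ipsec.conf sections start at column 0 ("conn foo", "config setup");
    their options are indented. '#' starts a comment.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[:1].isspace():                    # section header
            kind, _, name = line.strip().partition(" ")
            current = sections.setdefault(f"{kind} {name.strip()}", {})
            continue
        key, sep, value = line.partition("=")
        if current is not None and sep:
            current[key.strip().lower()] = value.strip().strip('"')
    return sections


def lint_conn(name, opts):
    """Return [(severity, message)] for one conn section."""
    get = lambda k: opts.get(k, "").lower()
    findings = []
    uses_psk = "psk" in (get("authby"), get("leftauth"), get("rightauth"))

    # In IKEv1 aggressive mode the authentication hashes (HASH_I / HASH_R)
    # travel unencrypted, so anyone who captures or solicits the exchange can
    # run an offline dictionary attack on the PSK.
    if get("keyexchange") == "ikev1" and get("aggressive") == "yes" and uses_psk:
        findings.append(("HIGH", f"{name}: IKEv1 aggressive mode with a PSK "
                                 "exposes the PSK to offline cracking"))

    for param in ("ike", "esp"):
        for proposal in filter(None, get(param).split(",")):
            weak = sorted(set(proposal.split("-")) & WEAK_ALGS)
            if weak:
                findings.append(("MEDIUM", f"{name}: {param} proposal '{proposal}' "
                                           f"uses {', '.join(weak)}"))

    # Without leftid the IKE identity is left's IP, which changes with
    # %defaultroute; gateways that select the PSK by peer ID need an explicit one.
    if uses_psk and "leftid" not in opts:
        findings.append(("INFO", f"{name}: leftid unset, identity defaults to the local IP"))

    if get("rightsubnet") == "0.0.0.0/0":
        findings.append(("INFO", f"{name}: full tunnel, all traffic goes via the gateway"))
    return findings


def lint_conf(text):
    """Lint every conn in an ipsec.conf, applying 'conn %default' first."""
    sections = parse_ipsec_conf(text)
    defaults = sections.get("conn %default", {})
    findings = []
    for section, opts in sections.items():
        if section.startswith("conn ") and section != "conn %default":
            findings += lint_conn(section[5:], {**defaults, **opts})
    return findings


if __name__ == "__main__":
    for severity, message in lint_conf(SAMPLE_IPSEC_CONF):
        print(f"[{severity}] {message}")
```

Run against the sample it reports the aggressive-mode finding and the two informational notes; the cipher suites in the thread's config are fine and produce no MEDIUM finding. Whether you can turn `aggressive` off depends on the gateway: main mode with PSK needs the peer to identify you by IP, which is why many dial-up setups fall back to aggressive mode.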
Oh, that was because systemd-resolved seemed to be conflicting with strongSwan's ability to read resolv.conf through openresolv, as specified in the wiki...
Thanks heaps for the help, my man, we got there in the end! Proud of us.
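The symptom in the two posts above (dig works when given the remote DNS server explicitly, ping and everything else do not) is what you see when /etc/resolv.conf is the systemd-resolved stub: the libc resolver only ever talks to 127.0.0.53, and resolved knows nothing about the servers the VPN pushed. The check below is an added example, not code from the thread, strongSwan or systemd. It classifies who owns resolv.conf and whether the VPN DNS servers are actually first in line; the resolv.conf contents are constructed and 10.0.0.53 stands in for the remote network's DNS server.

```python
"""Check whether VPN-pushed DNS servers are reachable by the libc resolver.

Added example for this thread, not code from the thread, strongSwan or
systemd. The sample resolv.conf contents are constructed; 10.0.0.53 stands
in for the remote network's DNS server.
"""
import os

RESOLVED_STUB = "127.0.0.53"   # systemd-resolved's local stub listener
RESOLVED_STUB_FILE = "/run/systemd/resolve/stub-resolv.conf"
RESOLVED_UPLINK_FILE = "/run/systemd/resolve/resolv.conf"


def parse_nameservers(text):
    """Return nameserver addresses in file order; '#' and ';' start comments."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify_owner(real_path, text):
    """Guess what manages resolv.conf from its real path and contents."""
    servers = parse_nameservers(text)
    if real_path == RESOLVED_STUB_FILE or servers == [RESOLVED_STUB]:
        return "systemd-resolved-stub"
    if real_path == RESOLVED_UPLINK_FILE:
        return "systemd-resolved-uplink"
    if "Generated by resolvconf" in text:          # openresolv's header line
        return "openresolv"
    return "static"


def diagnose(real_path, text, vpn_dns):
    """Explain why names on the VPN side may not resolve for ordinary programs.

    glibc queries the first nameserver and only moves on to the next one on
    timeout or server failure, not on NXDOMAIN, so a VPN DNS server listed
    after 127.0.0.53 is never asked. `dig @server` bypasses resolv.conf
    entirely, which is why it can work while ping does not.
    """
    owner = classify_owner(real_path, text)
    servers = parse_nameservers(text)
    missing = [s for s in vpn_dns if s not in servers]
    first_is_stub = servers[:1] == [RESOLVED_STUB]
    ok = not missing and not first_is_stub
    if ok:
        advice = "VPN DNS servers are first in line for the libc resolver"
    elif owner == "systemd-resolved-stub":
        advice = ("resolver talks to systemd-resolved, which was not told about "
                  "the VPN DNS servers; register them with resolved (resolvectl) "
                  "or stop resolved from owning /etc/resolv.conf")
    elif missing:
        advice = "VPN DNS servers never reached resolv.conf; check the resolve plugin/resolvconf"
    else:
        advice = "VPN DNS servers are listed but behind 127.0.0.53"
    return {"owner": owner, "nameservers": servers, "missing": missing,
            "ok": ok, "advice": advice}


def diagnose_system(path="/etc/resolv.conf", vpn_dns=()):
    """Run the diagnosis against the live file (follows the symlink)."""
    real = os.path.realpath(path)
    with open(path) as f:
        return diagnose(real, f.read(), list(vpn_dns))


# Constructed sample: what /etc/resolv.conf looks like under systemd-resolved.
STUB_RESOLV_CONF = """\
# This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).
nameserver 127.0.0.53
options edns0 trust-ad
search lan
"""

if __name__ == "__main__":
    report = diagnose(RESOLVED_STUB_FILE, STUB_RESOLV_CONF, ["10.0.0.53"])
    print(report["owner"], report["ok"], report["advice"])
```

On a live box, `diagnose_system(vpn_dns=["10.0.0.53"])` reads /etc/resolv.conf through its symlink; the `owner` field tells you which component to fix rather than which file to edit, since anything written directly into a resolved-managed or resolvconf-generated file gets overwritten.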