
Connecting a Linux to a Fortigate IPSEC VPN
In this post we describe all the steps needed to connect a Linux machine to a VPN offered by a Fortigate, in this case an IPsec VPN. A post that, I hope, holds no great mystery.
This post is based on a Linux machine running Ubuntu; if you use another, non-Debian-based distribution, I understand that everything except the installation will be the same, and the installation will be similar. So, with the machine updated, with a hostname and an IP address... that's it, let's begin! We install the StrongSwan VPN client:
sudo apt install strongswan -y
sudo apt install charon-systemd -y
If we want packets from other computers on the Linux machine's network to be forwarded through it into the VPN, that is, for those computers to reach the VPN network, we edit 'sudo nano /etc/sysctl.conf' and uncomment the following lines (they take effect after 'sudo sysctl -p' or a reboot), leaving:
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
We edit the StrongSwan configuration file 'sudo nano /etc/ipsec.conf' and create the VPN configuration matching the definition on the Fortigate's IPsec VPN side, leaving something like this (obviously you may have to change some values, depending on whether you kept the default settings, and fill in some addresses):
config setup
    # charon debug levels per subsystem: daemon, manager, ike, child SA, job, config, kernel, net, lib
    charondebug="dmn 1, mgr 1, ike 2, chd 1, job 1, cfg 3, knl 2, net 2, lib 1"
    # deprecated and ignored by strongSwan 5.x, which always has NAT traversal enabled
    nat_traversal=yes

conn "FORTI_VPN"
    type=tunnel
    # if the peer stops answering dead peer detection, tear down and re-establish
    dpdaction=restart
    keyexchange=ikev1
    ikelifetime=1440m
    keylife=60m
    # needed when the Fortigate phase 1 is configured in aggressive mode;
    # aggressive mode with a PSK exposes the identity hash on the wire, so use a long random PSK
    aggressive=yes
    ike=aes128-sha1-modp1536
    esp=aes128-sha1-modp1536
    xauth=client
    # if we have a Local ID
    #leftid=LOCAL_ID
    left=%defaultroute
    # take the virtual IP handed out by the Fortigate (mode-config)
    leftsourceip=%config
    leftauth=psk
    rightid=%any
    rightauth=psk
    # second authentication round: XAuth user and password
    leftauth2=xauth
    # public IP of the Fortigate
    right=IP_PUBLICA_FORTIGATE
    # network behind the VPN, as network/mask
    rightsubnet=RED_LADO_VPN/MASCARA
    # XAuth user name
    xauth_identity=NOMBRE_DE_USUARIO
    # load the connection at startup without bringing it up automatically
    auto=add
We create the secrets file 'sudo nano /etc/ipsec.secrets' and, in the following format, add our own data (the file holds the PSK and the user password in clear text, so it must stay readable by root only):
# Fortigate public IP : pre-shared key
IP_PUBLICA_FORTIGATE : PSK "SECRETO_PRESHARED_KEY"
# XAuth user name : XAuth password
NOMBRE_DE_USUARIO : XAUTH "CONTRASEÑA_DEL_USUARIO"
We reload and test connecting the VPN…
sudo systemctl restart strongswan
sudo ipsec update
sudo ipsec reload
sudo ipsec up FORTI_VPN
Since everything will have gone smoothly 😉, it's time to create a script that runs automatically when the computer starts, connects the VPN and, if the VPN drops, tries to reconnect: 'nano /home/user/inicia_vpn.sh', leaving something like:
#!/bin/bash
# Loop forever: every 5 seconds check whether an IKE SA is ESTABLISHED,
# and if not, restart strongSwan and bring the tunnel up again.
while :
do
    sudo ipsec status | grep -q "ESTABLISHED"
    RET=$?
    if [ $RET -ne 0 ]; then
        echo "[!] No tunnel raised, reconnecting..."
        sudo systemctl restart strongswan
        sudo ipsec update
        sudo ipsec reload
        sudo ipsec up FORTI_VPN
    fi
    sleep 5
done
We make the script executable with 'chmod +x /home/user/inicia_vpn.sh' and put it in the cron so that it connects by itself when the Linux machine boots, via 'crontab -e'. Bear in mind that the script calls sudo and cron has no terminal to ask for a password, so either put the entry in root's crontab ('sudo crontab -e') or give the user passwordless sudo for those commands:
# m h  dom mon dow   command
@reboot sleep 30 && sudo /home/user/inicia_vpn.sh
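As an added example (not the post's own script), here is a POSIX shell variant of the reconnect loop that anchors the status check on the connection name instead of on any "ESTABLISHED" line, so another tunnel on the same box cannot mask a dropped FORTI_VPN, and that checks /etc/ipsec.secrets is mode 0600 before starting, since that file holds the PSK and the XAuth password in clear text. The sample 'ipsec status' output is constructed for the test functions, the conn name FORTI_VPN is taken from the post, and the script is meant to be run as root with 'run' as its only argument.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the conn is named
# FORTI_VPN and that `ipsec status` prints one "NAME[n]: ESTABLISHED ..."
# line per established IKE SA (strongSwan 5.x format).

# Return 0 when connection $1 has an ESTABLISHED IKE SA in the `ipsec status`
# text read from stdin. Anchoring on "NAME[n]:" avoids matching CHILD_SA lines
# ("NAME{n}:") and other connections that happen to be up.
tunnel_established() {
    grep -Eq "^[[:space:]]*$1\[[0-9]+\]:[[:space:]]+ESTABLISHED"
}

# Return 0 when file $1 is mode 0600 (rw for the owner, nothing for others).
# `ls -l` columns 1-10 are the type and permission bits on every Unix.
secrets_mode_ok() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Re-establish connection $1 whenever it is not ESTABLISHED; poll every 5 s.
# Only `ipsec up` is used, so other tunnels on the box are left alone.
reconnect_loop() {
    while :; do
        if ! ipsec status | tunnel_established "$1"; then
            echo "[!] $1 is not ESTABLISHED, reconnecting..."
            ipsec up "$1"
        fi
        sleep 5
    done
}

# Constructed samples of `ipsec status` output (not real captures), used by
# the checks below and by the test.
SAMPLE_UP='Security Associations (1 up, 0 connecting):
   FORTI_VPN[3]: ESTABLISHED 12 minutes ago, 192.0.2.10[192.0.2.10]...203.0.113.1[203.0.113.1]
   FORTI_VPN{3}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c1a2b3d4_i 9e8f7a6b_o'
SAMPLE_DOWN='Security Associations (0 up, 1 connecting):
   FORTI_VPN[4]: CONNECTING, 192.0.2.10[%any]...203.0.113.1[%any]'
SAMPLE_OTHER='Security Associations (1 up, 0 connecting):
   OTHER_VPN[1]: ESTABLISHED 3 minutes ago, 192.0.2.10[192.0.2.10]...198.51.100.7[198.51.100.7]'

# Entry point: `./vpn_watch.sh run` (as root). Without the argument the
# functions are only defined, which keeps the script safe to source.
if [ "${1:-}" = "run" ]; then
    if ! secrets_mode_ok /etc/ipsec.secrets; then
        echo "[!] /etc/ipsec.secrets is not mode 0600: fix with chmod 600 before continuing" >&2
        exit 1
    fi
    reconnect_loop FORTI_VPN
fi
```

Compared with the loop in the post, the name-anchored grep is the part that matters: 'grep "ESTABLISHED"' on a host with a second tunnel reports success even after FORTI_VPN has gone down, so the reconnect never fires.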
And that's it! We now have a Linux machine connected through a Fortigate's IPsec VPN, plus a script that keeps an eye on connectivity! As Arguiñano would say... easy, simple and family-friendly! Well then, may it go very well for you, a big hug!!