@litew
Last active October 11, 2023 07:48

# Linux libreswan settings for connecting as VPN client to FortiGate VPN with IPSEC/IKEv1, RSA + XAUTH

## Prerequisites

1. libreswan and openssl packages installed;
2. Stop the pluto service with `ipsec stop` if it was autostarted;
3. CA certificate, user certificate and private key available for configuring RSA authentication;
4. Disable ICMP accept_redirects and send_redirects with sysctl.

## /etc/ipsec.d/connection-name.conf

Set up `/etc/ipsec.d/connection-name.conf`:

```
conn connection-name
    ikev2=no
    ike=aes256-sha256;modp1536
    esp=aes256-sha1;modp1536
    authby=rsasig
    pfs=yes
    auto=add
    left=%defaultroute
    leftcert=<YourLogin>
    leftid=%fromcert
    leftsendcert=always
    leftxauthusername=<YourLogin>
    rightsubnet=0.0.0.0/0
    right=<FortiGate VPN IP-address or DNS-name>
    rightid=%fromcert
    rightxauthserver=yes
    leftxauthclient=yes
    rightmodecfgserver=yes
    leftmodecfgclient=yes
    modecfgpull=yes
    nm-configured=yes
    aggrmode=yes
    cisco-unity=yes
    ikelifetime=86400s
    salifetime=43200s
    dpddelay=20s
    dpdtimeout=60s
    nat-ikev1-method=rfc
    esn=either
    nopmtudisc=yes
    remote-peer-type=cisco
    nat-keepalive=no
```

If a DNS name is used for the `right` option, pluto may refuse to connect to the FortiGate VPN server when no DNSSEC record is available for that domain name. Disable DNSSEC validation in `/etc/ipsec.conf`:

```
config setup
    dnssec-enable=no
```
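
Before loading a conn like the one above, it is worth checking it for the legacy choices IKEv1 setups tend to carry (SHA-1 integrity in `esp`, the 1536-bit DH group, aggressive mode). The POSIX shell linter below is an added example and not part of the gist: it reads a conn file, prints one finding per item, and, when run without arguments, writes a constructed sample (the proposals above with a placeholder gateway) and lints that. The thresholds (warn below modp2048, warn on sha1/md5) are this example's choices, not libreswan defaults.

```shell
#!/bin/sh
# Added example, not part of the gist: lint a libreswan conn file for legacy
# or weak IKEv1 choices before loading it with "ipsec auto --add".
# Pure text processing; nothing is sent to pluto.

# conn_get FILE KEY -> value of the first "KEY=value" line (empty if absent).
conn_get() {
    sed -n "s/^[[:space:]]*$2=[[:space:]]*//p" "$1" | head -n 1
}

# weak_dh PROPOSAL -> true when the proposal names a DH group below 2048 bits.
weak_dh() {
    case "$1" in *modp768*|*modp1024*|*modp1536*) return 0 ;; esac
    return 1
}

# lint_conn FILE -> prints WARN:/INFO: lines; always returns 0 so callers
# running under "set -e" can count findings from the output instead.
lint_conn() {
    f=$1
    ike=$(conn_get "$f" ike)
    esp=$(conn_get "$f" esp)
    authby=$(conn_get "$f" authby)
    pfs=$(conn_get "$f" pfs)

    if [ "$(conn_get "$f" ikev2)" = no ]; then
        echo "INFO: ikev2=no selects IKEv1; prefer IKEv2 when the gateway allows it"
    fi
    case "$ike" in *sha1*|*md5*)
        echo "WARN: ike proposal '$ike' uses a deprecated PRF/integrity hash" ;;
    esac
    case "$esp" in *sha1*|*md5*)
        echo "WARN: esp proposal '$esp' uses SHA-1/MD5 integrity; prefer sha2" ;;
    esac
    if weak_dh "$ike"; then
        echo "WARN: ike proposal '$ike' uses a DH group below 2048 bits"
    fi
    if weak_dh "$esp"; then
        echo "WARN: esp PFS group in '$esp' is below 2048 bits"
    fi
    # libreswan defaults pfs to yes, so only an explicit non-yes value is flagged.
    if [ -n "$pfs" ] && [ "$pfs" != yes ]; then
        echo "WARN: pfs=$pfs; child SAs will not get forward secrecy"
    fi
    if [ "$(conn_get "$f" aggrmode)" = yes ]; then
        echo "WARN: aggrmode=yes (IKEv1 aggressive mode) sends identities unencrypted"
        case "$authby" in *secret*|*psk*)
            echo "WARN: aggressive mode with a pre-shared key exposes the PSK hash to eavesdroppers" ;;
        esac
    fi
    return 0
}

# sample_conn PATH -> writes a constructed conn file that mirrors the gist's
# proposal and mode settings, with a placeholder gateway name.
sample_conn() {
    cat > "$1" <<'EOF'
conn connection-name
    ikev2=no
    ike=aes256-sha256;modp1536
    esp=aes256-sha1;modp1536
    authby=rsasig
    pfs=yes
    aggrmode=yes
    left=%defaultroute
    right=vpn.example.invalid
EOF
}

# Stand-alone use: lint the given file, or the constructed sample when no
# argument is supplied.
if [ "$#" -gt 0 ]; then
    lint_conn "$1"
else
    tmp=$(mktemp)
    sample_conn "$tmp"
    lint_conn "$tmp"
    rm -f "$tmp"
fi
```

Run it as `sh lint_conn.sh /etc/ipsec.d/connection-name.conf`; for the settings in this gist it reports the SHA-1 ESP integrity, the modp1536 group in both proposals and aggressive mode, which are the items to raise with whoever administers the FortiGate side.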

## RSA (certificates)

1. Initialize the NSS database for storing RSA keys:

   ```
   ipsec initnss
   ```

   For reference, the default path of the NSS databases (cert*.db, key*.db, pkcs11.txt) is:

   - RHEL-based → /etc/ipsec.d
   - Debian-based → /var/lib/ipsec/nss

2. Make a p12 container from the certificates and the private key:

   ```
   openssl pkcs12 -export -in cert.pem -inkey key.pem -certfile cacert.pem -out YourName.p12 -name YourName
   ```

3. Import the p12 container into the NSS db:

   ```
   ipsec import YourName.p12
   ```

4. Check that the cert is now listed in the NSS db:

   ```
   certutil -L -d <PATH_TO_NSS_DATABASES_DIR>
   ```

5. Start the pluto service and check that it sees the certificate:

   ```
   ipsec start
   ipsec showhostkey --list
   ```

6. Start the connection:

   ```
   ipsec auto --up connection-name
   ipsec auto --start connection-name
   ```
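
The prerequisites and the six steps above as one script, with the check after each step that the list leaves implicit. This is an added example, not the gist's own code: it assumes the file names from step 2 (`cert.pem`, `key.pem`, `cacert.pem`), the nickname `YourName`, the conn name `connection-name`, and that `/etc/os-release` identifies the distro family well enough to pick the NSS path; `DRY_RUN=1` (or the `dry` argument) prints the privileged commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the gist: the prerequisites and the six RSA steps
# as one script. Assumes the gist's file names (cert.pem, key.pem, cacert.pem),
# the nickname "YourName" and the conn name "connection-name"; override with
# NAME= and CONN=. DRY_RUN=1 prints privileged commands instead of running them.
set -u

CONN=${CONN:-connection-name}
NAME=${NAME:-YourName}

# run CMD... -> execute CMD, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# nss_db_dir OS_RELEASE_FILE -> default NSS database directory for the distro
# family, using the two defaults the gist lists (RHEL layout when unsure).
nss_db_dir() {
    if grep -Eqi '^(ID|ID_LIKE)=.*(debian|ubuntu)' "$1" 2>/dev/null; then
        echo /var/lib/ipsec/nss
    else
        echo /etc/ipsec.d
    fi
}

# check_prereqs -> 0 when tools, key material and the sysctl settings from the
# prerequisites list are in place; otherwise prints the first problem, returns 1.
check_prereqs() {
    for bin in ipsec openssl certutil sysctl; do
        command -v "$bin" >/dev/null 2>&1 || { echo "missing tool: $bin"; return 1; }
    done
    for f in cert.pem key.pem cacert.pem; do
        [ -r "$f" ] || { echo "missing file: $f"; return 1; }
    done
    for k in net.ipv4.conf.all.accept_redirects net.ipv4.conf.all.send_redirects; do
        [ "$(sysctl -n "$k" 2>/dev/null)" = 0 ] || { echo "$k must be 0"; return 1; }
    done
    return 0
}

# import_cert DBDIR -> steps 2-4: build the PKCS#12 container, import it and
# confirm the nickname shows up in certutil's listing.
import_cert() {
    run openssl pkcs12 -export -in cert.pem -inkey key.pem -certfile cacert.pem \
        -out "$NAME.p12" -name "$NAME"
    run ipsec import "$NAME.p12"
    if [ "${DRY_RUN:-0}" = 1 ]; then return 0; fi
    certutil -L -d "$1" | grep -q "^$NAME " || { echo "'$NAME' not listed in $1"; return 1; }
}

main() {
    if [ "${DRY_RUN:-0}" != 1 ]; then check_prereqs || return 1; fi
    # Prerequisite 2: pluto must not be running while the NSS db is initialized.
    if pgrep -x pluto >/dev/null 2>&1; then run ipsec stop; fi
    run ipsec initnss                                   # step 1
    import_cert "$(nss_db_dir /etc/os-release)" || return 1
    run ipsec start                                     # step 5
    run ipsec showhostkey --list
    run ipsec auto --up "$CONN"                         # step 6; auto=add loads the conn at start
}

# Act only when told to, so the file can also be sourced just for its functions.
case "${1:-}" in
    run) main ;;
    dry) DRY_RUN=1; main ;;
esac
```

`sh setup-vpn.sh dry` shows the exact commands before anything is touched; `sh setup-vpn.sh run` (as root, from the directory holding the PEM files) performs them and stops at the first failed check instead of continuing with a half-configured NSS database.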

## DNS

If `resolv.conf` is controlled by systemd-resolved, link the DNS servers manually to the ipsec interface in `/etc/sysconfig/pluto_updown` (for RPM-based distros) or in `/etc/default/pluto_updown` (for DEB-based):

```
#!/bin/bash

resolvectl dns ipsec1 <DNS1_IP> <DNS2_IP> <DNSX_IP>
resolvectl domain ipsec1 <DOMAIN_NAME_1> <DOMAIN_NAME2>
```
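
The two-line file above runs unconditionally: if libreswan's updown script evaluates it on every tunnel event (which its placement in `pluto_updown` suggests), it also runs on the way down, and nothing ever reverts the link's DNS settings. The fragment below is an added example, not part of the gist. It keys on `PLUTO_VERB`, the event name libreswan's updown script exports for each call (`up-client`, `down-client`, and so on), applies the DNS settings only when the tunnel comes up and calls `resolvectl revert` when it goes down. The interface name, the server addresses (192.0.2.x, a documentation range) and the search domain are placeholders to replace with your own.

```shell
#!/bin/sh
# Added example, not part of the gist: a pluto_updown fragment that only
# changes DNS when the tunnel actually comes up and reverts it on the way
# down. libreswan's updown script exports PLUTO_VERB for each event.
# Interface name, DNS servers and domain are placeholders (constructed).

IFACE=${IFACE:-ipsec1}
VPN_DNS=${VPN_DNS:-"192.0.2.53 192.0.2.54"}   # constructed example addresses
VPN_DOMAINS=${VPN_DOMAINS:-corp.example}      # placeholder search domain

# run CMD... -> execute CMD, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# dns_hook VERB -> apply the link DNS on up-*, revert it on down-*, ignore
# every other verb (prepare-*, route-*, unroute-*). Always returns 0 so a
# caller running under "set -e" is never aborted by an ignored event.
dns_hook() {
    case "$1" in
        up-client|up-host)
            # $VPN_DNS and $VPN_DOMAINS are deliberately unquoted so that
            # each server and domain becomes a separate argument.
            run resolvectl dns "$IFACE" $VPN_DNS
            run resolvectl domain "$IFACE" $VPN_DOMAINS
            ;;
        down-client|down-host)
            run resolvectl revert "$IFACE"
            ;;
    esac
    return 0
}

# When sourced by the updown script PLUTO_VERB is set; otherwise (manual
# sourcing, tests) nothing happens.
if [ -n "${PLUTO_VERB:-}" ]; then
    dns_hook "$PLUTO_VERB"
fi
```

`DRY_RUN=1 PLUTO_VERB=up-client sh pluto_updown` shows the two `resolvectl` calls that would be made for a tunnel coming up; with `PLUTO_VERB=route-client` it prints nothing, which is the behaviour the unconditional version lacks.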