VPN
IPsec VPN connection to FortiGate from StrongSwan, IKEv1
XAUTH authentication requires installing an additional package with the extra plugins.
/etc/ipsec.conf
conn fortinet
    fragmentation = no
    keyexchange = ikev1
    # IKEv1 aggressive mode with a PSK exposes a PSK-derived hash to offline guessing; use a long random PSK
    aggressive = yes
    reauth = yes
    forceencaps = no
    mobike = no
    rekey = yes
    type = tunnel
    dpdaction = restart
    dpddelay = 10s
    dpdtimeout = 60s
    ikelifetime = 4400s
    lifetime = 3600s
    auto = add
    left = %any
    #leftsubnet=10.0.0.0/24
    leftauth = psk
    leftauth2 = xauth
    leftsourceip = %config
    leftid = LOCAL_EXTERNAL_IP
    xauth_identity=aux.dev
    right = REMOTE_IP
    rightid = REMOTE_IP
    # route all traffic via this tunnel
    rightsubnet = 0.0.0.0/0
    rightauth = psk
    ike = aes256-sha256-modp1536,aes256-sha1-modp1536!
    esp=aes256-sha2_256-modp2048!
/etc/ipsec.secrets
aux.dev : XAUTH "<PASSWORD>"
: PSK "<PSK>"
ipsec restart
ipsec up fortinet
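A small audit of the conn section above, as an added example that is not part of the original notes: it parses ipsec.conf-style text and flags aggressive mode combined with PSK, and IKE/ESP proposals that use a sub-2048-bit MODP group or MD5/SHA-1. The function names and the weak-algorithm list are assumptions of this example, and the sample text is constructed from the config above.

```python
import re
# Constructed sample mirroring the conn shown above (shortened).
SAMPLE = """\
conn fortinet
    keyexchange = ikev1
    aggressive = yes
    leftauth = psk
    leftauth2 = xauth
    #leftsubnet=10.0.0.0/24
    ike = aes256-sha256-modp1536,aes256-sha1-modp1536!
    esp = aes256-sha2_256-modp2048!
"""

# Assumed policy for this example: MODP groups below 2048 bits, MD5 and SHA-1.
WEAK = {"modp768", "modp1024", "modp1536", "md5", "sha1"}

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif line[0] in " \t" and current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
        elif line[0] not in " \t":
            current = None  # other section types (config setup, ca) are skipped
    return conns

def audit(text):
    """Return a sorted list of (conn, finding) tuples."""
    findings = []
    for name, opts in parse_conns(text).items():
        psk = "psk" in (opts.get("leftauth"), opts.get("authby"))
        if opts.get("aggressive") == "yes" and psk:
            findings.append((name, "aggressive mode with PSK"))
        for key in ("ike", "esp"):
            for proposal in opts.get(key, "").rstrip("!").split(","):
                for token in proposal.strip().split("-"):
                    if token in WEAK:
                        findings.append((name, f"{key}: {token} in {proposal.strip()}"))
    return sorted(findings)

if __name__ == "__main__":
    for conn, finding in audit(SAMPLE):
        print(f"{conn}: {finding}")
```

Whether the FortiGate side accepts main mode or a larger DH group depends on its phase 1 settings, so treat the findings as items to negotiate with the gateway administrator.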
Cisco VPN via openconnect
openconnect -c <keyname>.p12 --protocol=anyconnect --servercert pin-sha256:<serverfingerprint> -b <VPN_SERVER> --key-password=<key_password>