How to Connect to Fortinet VPN via IPsec on Ubuntu (Alternative to FortiClient)



When migrating from Windows to Ubuntu, the FortiClient GUI might not be available, but we can establish the VPN connection through native Linux tools. The key components we'll need:

  • VPN server address (vpn.theserver.com in your case)
  • IPsec configuration (IKE version, encryption algorithms)
  • User credentials (username/password or certificate)

Ubuntu's network-manager supports IPsec VPNs through these packages:


sudo apt update
sudo apt install network-manager-strongswan libstrongswan-standard-plugins libstrongswan-extra-plugins

The easiest method is through Network Manager's GUI:

  1. Open Settings → Network
  2. Click the '+' sign to add a VPN connection
  3. Select "IPsec/IKEv2 (strongSwan)"
  4. Fill in the details:
    • Gateway: vpn.theserver.com
    • Authentication: Username/Password
    • Phase 1 Algorithms: aes256-sha1-modp2048 (verify with your admin)
    • Phase 2 Algorithms: aes256-sha1 (verify with your admin)

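For headless servers or scripting purposes, use nmcli. A password passed in vpn.secrets on the command line ends up in the shell history and in the saved connection profile, so treat both as sensitive: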


nmcli connection add type vpn \
  vpn-type org.freedesktop.NetworkManager.strongswan \
  connection.id "Fortinet VPN" \
  vpn.data \
  "address=vpn.theserver.com, method=psk, user=your_username, virtual=yes, encap=yes" \
  vpn.secrets "password=your_password"

If the connection fails:


journalctl -xe -u NetworkManager
# On Ubuntu the strongSwan control command is "ipsec" (strongswan-starter package)
sudo ipsec statusall

Common fixes include:

  • Adding "rightauth=eap-mschapv2" to /etc/ipsec.conf
  • Setting MTU lower: sudo ip link set dev eth0 mtu 1400

For regular VPN users, create a systemd service:


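[Unit]
Description=Fortinet VPN Connection
# Start only after NetworkManager is running and the network is online
Wants=network-online.target
After=network-online.target NetworkManager.service

[Service]
Type=simple
# Use an absolute path; older systemd versions reject a bare command name
ExecStart=/usr/bin/nmcli connection up "Fortinet VPN"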
Restart=on-failure

[Install]
WantedBy=multi-user.target

When migrating from Windows to Ubuntu, connecting to enterprise VPNs like Fortinet can be tricky without the official FortiClient GUI. The process requires manual configuration using native Linux networking tools.

Before proceeding, ensure you have:

  • VPN gateway address (e.g., vpn.theserver.com)
  • Authentication method (PSK or XAUTH)
  • Username/password credentials
  • Phase1/Phase2 encryption parameters (usually from your IT department)

Open a terminal and run:

sudo apt update
# "strongswan" provides the ipsec command and /etc/ipsec.conf used below
sudo apt install strongswan network-manager-strongswan charon-cmd libstrongswan-extra-plugins

Create a new VPN connection:

  1. Go to Settings > Network > VPN
  2. Click Add and select "IPsec/IKEv2 (strongSwan)"
  3. Configure with these key parameters:
    • Gateway: vpn.theserver.com
    • Authentication: Pre-shared key
    • Local ID: your_username
    • Remote ID: vpn.theserver.com
    • Phase1 Algorithms: aes256-sha1-modp2048
    • Phase2 Algorithms: aes256-sha1

For headless servers, edit /etc/ipsec.conf:

conn corporate-vpn
    keyexchange=ikev1
    aggressive=no
    fragmentation=yes
    ike=aes256-sha1-modp2048!
    esp=aes256-sha1!
    left=%defaultroute
    leftsourceip=%config
    leftauth=psk
    leftid=your_username
    right=vpn.theserver.com
    rightauth=psk
    rightid=vpn.theserver.com
    auto=add

After configuration, test with:

sudo ipsec start
sudo ipsec up corporate-vpn
ping -c 4 10.0.0.1   # replace with an internal network IP

Common issues and solutions:

  • Check logs: journalctl -xe
  • Verify PSK in /etc/ipsec.secrets
  • Try different Phase1/Phase2 combinations
  • Disable IPv6 if connection fails
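
An added example, not part of the original page: before running ipsec up, this script audits the corporate-vpn block for settings that trial-and-error changes to the Phase1/Phase2 proposals tend to leave behind, and checks that a secrets file is not accessible to group or others. The function names, the sample block and the list of algorithms treated as weak are assumptions of this example.

```bash
#!/bin/bash
# Added example (not the page's code): audit one conn block of a strongSwan
# ipsec.conf before `ipsec up`. The weak-algorithm list is an assumption.

# audit_conn CONF CONN: print one finding per line for conn CONN in CONF.
audit_conn() {
    awk -v conn="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments, blank lines
        /^[^ \t]/ { active = ($1 == "conn" && $2 == conn); next }
        !active { next }
        {
            line = $0; gsub(/[ \t]/, "", line)       # "  ike = x" -> "ike=x"
            eq = index(line, "="); if (!eq) next
            key = substr(line, 1, eq - 1); val = substr(line, eq + 1)
            if (key == "aggressive" && val == "yes")
                print "aggressive=yes: with PSK the hash is open to offline guessing"
            if (key == "ike" || key == "esp") {
                if (val !~ /!$/)
                    print key ": no trailing \"!\", default proposals are added"
                n = split(val, algs, /[-,!]/)
                for (i = 1; i <= n; i++)
                    if (algs[i] ~ /^(des|3des|md5|modp768|modp1024)$/)
                        print key ": weak algorithm " algs[i]
            }
        }
    ' "$1"
}

# secrets_exposed FILE: true if group or others have any permission bit set.
secrets_exposed() {
    [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]
}

# Constructed sample: the conn block above after careless troubleshooting.
sample_conf() {
    cat <<'EOF'
conn corporate-vpn
    keyexchange=ikev1
    aggressive=yes
    ike=aes256-sha1-modp2048!
    esp=3des-md5
conn other
    ike=3des-md5-modp1024
EOF
}

sample_conf | audit_conn - corporate-vpn
```

On a real host, call audit_conn /etc/ipsec.conf corporate-vpn and secrets_exposed /etc/ipsec.secrets (as root) instead of the sample.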

For frequent connections, create a bash script:

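#!/bin/bash
# Bring up the strongSwan connection defined in /etc/ipsec.conf
VPN_NAME="corporate-vpn"

echo "Starting VPN connection..."
# Start the strongSwan daemon and give it a moment to load the config
sudo ipsec start
sleep 2

# Test the exit status of "ipsec up" directly; quote the connection name
if sudo ipsec up "$VPN_NAME"; then
    echo "VPN connected successfully"
    # Add route commands if needed
else
    echo "VPN connection failed" >&2
    exit 1
fi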