Post

FortiGate Removed SSL VPN — How I Got Linux Clients Working with IPsec on Fedora 42

Fix FortiGate 7.4.8 SSL VPN removal. Step-by-step strongSwan IPsec (IKEv2) setup for Linux Fedora 42 and Ubuntu clients.

Posted Updated
FortiGate and Linux strongSwan
FortiGate and Linux strongSwan
By Osama Siddiqui
3 min read
FortiGate Removed SSL VPN — How I Got Linux Clients Working with IPsec on Fedora 42

When FortiOS 7.4.8 shipped, SSL VPN was removed on some FortiGate models. Remote access broke for users who relied on SSL VPN tunnel mode with FortiClient on Linux.

FortiGate 7.4.8 removed SSL VPN: the problem

  • Windows clients used IPsec with FortiClient.
  • Linux clients (e.g., Fedora) used SSL VPN, since FortiClient for Linux lacks IPsec.
  • After upgrading to 7.4.8, SSL VPN was removed on the firewall, so FortiClient on Linux stopped working.
  • There is no official Fortinet IPsec client for Linux.

I tested, searched docs and forums, and built a working IKEv2 dial‑up IPsec solution using strongSwan 5.9.14 on Fedora 42.

Linux strongSwan IPsec setup for FortiGate 7.4.8

FortiGate (Phase 1 — dial‑up IPsec)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

config vpn ipsec phase1-interface
    edit "dialup-IPSEC1"
        set type dynamic
        set interface "WAN1"
        set ike-version 2
        set local-gw <FORTIGATE_PUBLIC_IP>
        set authmethod psk
        set peertype any
        set mode-cfg enable
        set proposal aes256-sha256
        set dhgrp 14
        set transport udp
        set nattraversal enable
        set fragmentation enable
        set ip-fragmentation post-encapsulation
        set assign-ip enable
        set assign-ip-from name
        set ipv4-name "IPSEC-VPN-ADDRESS"
        set ipv4-netmask 255.255.255.255
        set dns-mode auto
        set ipv4-split-include "all"
        set psksecret ENC <SECRET PSK>
    next
end

Fedora client: packages and services

1
2
3
4
5
6
7
8

sudo dnf install -y strongswan-swanctl
sudo mkdir -p /etc/strongswan/swanctl
sudo nano /etc/strongswan/swanctl/swanctl.conf   # paste the config below
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
sudo systemctl enable --now strongswan-swanctl
sudo swanctl --load-all
sudo swanctl --initiate --child dialup-cubes

Option 1: Shared PSK (simple)

Pros: simple, quick, high performance.
Cons: shared secret for all clients, no per‑user audit.

Create /etc/strongswan/swanctl/swanctl.conf:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43

connections {
    dialup-cubes {
        version = 2
        remote_addrs = 1.1.1.1   # FortiGate public IP
        local {
            auth = psk
            id = @fedora-client
        }
        remote {
            auth = psk
            id = 1.1.1.1          # FortiGate public IP
        }
        children {
            dialup-cubes {
                local_ts = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                esp_proposals = aes256-sha256-modp2048
            }
        }
        pools = ipsec_pool
        proposals = aes256-sha256-modp2048
        send_certreq = no
        encap = no               # disable NAT‑T if client has public IP
        dpd_delay = 60s
        rekey_time = 86400s
        send_cert = never
        unique = never
        vips = 0.0.0.0           # request virtual IP via mode‑cfg
    }
}

pools {
    ipsec_pool {
        # Dummy pool — FortiGate assigns the VIP
        addrs = 0.0.0.0/0
    }
}

secrets {
    ike-1 {
        secret = "<PSK>"         # must match FortiGate
    }
}

Why it works

  • FortiGate mode-cfg + assign-ip for dynamic clients.
  • Matching IDs and proposals (AES256/SHA256/DH14).
  • MTU handled by post-encapsulation fragmentation.
  • NAT‑T disabled if the client is on a public IP.

Option 2: Per‑user auth

Method A: EAP‑MSCHAPv2 (IKEv2)

Works with swanctl. Supports username/password. Can back to RADIUS/LDAP.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35

connections {
    dialup-cubes {
        version = 2
        remote_addrs = 1.1.1.1
        local {
            auth = eap-mschapv2
            id = osama
            eap_id = osama
        }
        remote {
            auth = pubkey
        }
        children {
            dialup-cubes {
                local_ts = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                esp_proposals = aes256-sha256-modp2048
            }
        }
        proposals = aes256-sha256-modp2048
        dpd_delay = 60s
        rekey_time = 86400s
        vips = 0.0.0.0
        send_certreq = yes
        encap = no
        unique = never
    }
}

secrets {
    eap-osama {
        id = osama
        secret = "secure-user-password"
    }
}

FortiGate must allow EAP and present a valid certificate. If using RADIUS, create users there.

Method B: XAuth (legacy, IKEv1)

Use only if required by old setups. Needs ipsec.conf instead of swanctl and is not recommended.

Notes

  • Tested on Fedora 42 with strongSwan 5.9.14.
  • Replace placeholders such as <FORTIGATE_PUBLIC_IP> and <PSK>.
  • If the client is behind NAT, set encap = yes and ensure UDP/500 and UDP/4500 are open.
  • For split‑tunnel, narrow remote_ts to required subnets.

On Ubuntu, the setup is the same (just use apt instead of dnf).

Networking, VPN
fortigate fortios ssl vpn removed linux vpn fedora vpn ubuntu vpn strongswan ikev2 ipsec tunnel vpn setup guide
This post is licensed under CC BY 4.0 by the author.