So, I was thinking about setting up my Fedora 36 to connect to a number of Fortigates we deploy for clients that use PSK-based IPSec tunnels (no split tunnels). I don’t really know what to use but just found out a little bit ago there are three possible solutions and I’m like … what do I use… ?
I think they are:
I guess I don’t understand what to use for what situation. Plus, I found another topic that seems to indicate that if you install all three you may break something or other.
Is this kind of connection — plain IPSec VPN (PSK) — inbuilt in Fedora 36? Do I need any of the others above? I have also seen “networkmanager” in front of the above but I’ve assumed that’s the interface in GNOME that one uses to interact with the underlying service. Is that correct?
I suppose I should say that I support multiple clients that use Fortigates so ideally I’d like to save several profiles and one of those Fortigates uses peer IDs in order to connect to different subnets. So, I may need advanced options as well. Perhaps that matters wrt the options above?
I don’t need people to do homework for me, so please point to documentation if I need to read or watch videos.
Only two options: strongswan and libreswan are in the Fedora repos for plain IPsec. L2TP is a less secure tunneling protocol, so it can be encapsulated in IPsec, a.k.a. L2TP/IPsec.
I do not have an idea which of the two cooperates the best with a Fortigate. Connections are identified by a name, but below this name there is a “left id” and a “right id”, so I assume this offers the possibility to discriminate subnets by peer IDs. NetworkManager plugins offer a convenient client configuration; if you want to create a kind of concentrator, text files have to be created for each connection.
Sorry, I’m afraid you have to look at comparisons on the web. Both have a learning curve concerning setup and debugging. There are claims that strongswan is the best maintained, and trivial to set up from example files with PSK. Is Fortigate using one of the two or do they have their own version? Take care with NAT; in that case you need UDP encapsulation on ports 500 and 4500.
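To make the “left id / right id” and NAT points above concrete, here is an added example (not from either post) of a strongSwan `swanctl.conf` with two PSK profiles to the same gateway, each presenting a different local peer ID to reach a different remote subnet. The gateway address, the IDs, the subnets and the PSK are placeholders, and IKEv2 with IKE/ESP proposals is assumed; match them to what the Fortigate side is actually configured with.

```conf
# /etc/swanctl/swanctl.conf (added example; all values are placeholders)
connections {
    # Profile 1: peer ID "laptop-sales" is mapped by the gateway to 10.10.0.0/16
    clientA-sales {
        version = 2                         # assumption: IKEv2 on the gateway
        remote_addrs = vpn.clienta.example  # placeholder gateway FQDN/IP
        encap = yes                         # force UDP 4500 encapsulation behind NAT
        proposals = aes256-sha256-modp2048  # IKE proposal, must match the gateway
        local {
            auth = psk
            id = laptop-sales               # "left id": the peer ID the gateway expects
        }
        remote {
            auth = psk
            id = 203.0.113.10               # "right id": placeholder gateway identity
        }
        children {
            sales-net {
                remote_ts = 10.10.0.0/16    # subnet reachable through this ID
                esp_proposals = aes256-sha256
                start_action = none         # bring up manually: swanctl -i -c clientA-sales
            }
        }
    }
    # Profile 2: same gateway, a different peer ID that maps to another subnet
    clientA-eng {
        version = 2
        remote_addrs = vpn.clienta.example
        encap = yes
        proposals = aes256-sha256-modp2048
        local {
            auth = psk
            id = laptop-eng
        }
        remote {
            auth = psk
            id = 203.0.113.10
        }
        children {
            eng-net {
                remote_ts = 10.20.0.0/16
                esp_proposals = aes256-sha256
                start_action = none
            }
        }
    }
}
secrets {
    # One PSK entry per (local id, gateway id) pair; keep this file mode 0600
    ike-clientA-sales { id-1 = laptop-sales  id-2 = 203.0.113.10  secret = "REPLACE_WITH_PSK" }
    ike-clientA-eng   { id-1 = laptop-eng    id-2 = 203.0.113.10  secret = "REPLACE_WITH_PSK" }
}
```

After `swanctl --load-all`, `swanctl --list-sas` shows which profile is up and whether UDP encapsulation was negotiated.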