2

So I am using Strongswan to connect to remote Fortigate since native Fortinet VPN client does not support IPsec. I also have hardware FortiToken 200 that provides a OTP.

My current config is the following:

/etc/ipsec.conf

conn my-config
keyexchange=ikev1
aggressive=yes
ike = aes256-sha256-modp1536
esp = aes256-sha1-modp1536

right=remote_ip
rightid=%any
rightsubnet=0.0.0.0/0
rightauth=psk

leftsourceip=%config
leftauth=psk
leftauth2=xauth
xauth_identity="username"
auto=add

/etc/ipsec.secrets

remote_ip : PSK "passphrase_here"
username : XAUTH "password_here"

When I run:

ipsec up my-config

initiating Aggressive Mode IKE_SA german[5] to remote_ip
generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
sending packet: from 10.0.2.15[500] to remote_ip[500] (460 bytes)
received packet: from remote_ip[500] to 10.0.2.15[500] (536 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V NAT-D NAT-D V V V V V ]
received NAT-T (RFC 3947) vendor ID
received DPD vendor ID
received XAuth vendor ID
received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00
received FRAGMENTATION vendor ID
received FRAGMENTATION vendor ID
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
local host is behind NAT, sending keep alives
generating AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
sending packet: from 10.0.2.15[4500] to remote_ip[4500] (140 bytes)
received packet: from remote_ip[4500] to 10.0.2.15[4500] (92 bytes)
parsed TRANSACTION request 1581697690 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
no XAuth method found
generating TRANSACTION response 1581697690 [ HASH CP ]
sending packet: from 10.0.2.15[4500] to remote_ip[4500] (76 bytes)

Obviously, it is necessary to edit the config somehow so it would prompt for OTP at some point.

The question is: how do I it?

fteox
  • 21
  • 2
  • There is no support for such OTPs in strongSwan. But the immediate problem above is that you apparently don't even have an XAuth plugin loaded (e.g. _xauth-generic_). Also note that XAuth/PSK with Aggressive Mode is [completely unsafe](https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#Aggressive-Mode). – ecdsa Nov 23 '21 at 16:22
  • @ecdsa, Thanks for the heads up! As a matter of fact, I am the client who `have no other choice`. Could you think of any other option besides Strongswan that might work in my situation? – fteox Nov 24 '21 at 08:40

1 Answers1

1

It is possible to connect to a FortiGate VPN using StrongSwan and a FortiToken one-time password (OTP). I haven't tried with a hardware token, but I expect it to work the same.

The main trick is to append the OTP to the XAuth password.

The rest of this answer is about making a convenient prompt, and includes a working configuration.

In order to avoid changing the /etc/ipsec.secrets each time I connect, I built a little script that prompts for the OTP using zenity and modifies the secrets file accordingly. The script needs to be run as root as it makes changes to /etc/ipsec.secrets. Out of convenience, it expects to replace an existing 6 digit number, meaning the first time you set this up, enter some arbitrary 6 digits after your XAuth password.

Disclaimer: Note that this script will replace each occurrence of 6 digits followed by a double quote ". The script assumes a single set of XAuth credentials and will potentially destroy other information than you intend. Use at your own risk, and only if you fully understand what it is doing.

#!/bin/bash

SECRETS_FILE="/etc/ipsec.secrets"

TOKEN=$(zenity --entry --title "FortiToken" --text "Enter FortiToken")

if [ ${#TOKEN} -ne 6 ]; then
    echo "The token needs to be exactly 6 characters. Quitting."
    exit
fi

# Expects a 6-digit token to be already present after the password.
sed -Ei 's/[0-9]{6}\"/'"$TOKEN"'\"/' "$SECRETS_FILE"

echo "Updated $SECRETS_FILE"

ipsec restart --nofork

For completeness, here is my /etc/ipsec.conf:

conn fortigate_vpn
    type = tunnel
    dpdaction = restart
    dpddelay = 30
    dpdtimeout = 60
    keyexchange = ikev1
    ike = aes128-sha1-modp1536
    esp = aes256-sha256-modp1536
    aggressive = yes
    right = 1.2.3.4                  # fortigate gateway
    rightsubnet = 192.168.15.0/24    # subnet
    rightid = %any
    rightauth = psk

    left = %defaultroute
    leftsourceip = %config
    leftauth = psk
    leftauth2 = xauth
    xauth_identity = "foo"           # XAuth id
    leftid = "bar"                   # local id / peer id
    auto = start

And the /etc/ipsec.secrets:

: PSK "foobarpsk"
foo : XAUTH "pa$$word990099"         # where pa$$word is your XAuth password

Kudos to https://blog.boll.ch/fortigate-ipsec-vpn-with-native-macos-client/, where I found the append idea.

snwflk
  • 111
  • 2