Wednesday, July 20, 2016

FortiGate - IPSec VPN with an IPSec client on Linux (Debian)

Fortinet does not provide FortiClient for Linux. Searching the internet I found a few alternatives, but none of them was stable.

While looking for something that works well, I found the Shrew project: https://www.shrew.net/home

Install the dependencies:

sudo apt-get install cmake libqt4-core libqt4-dev libqt4-gui libedit-dev libssl-dev checkinstall flex bison

Download the latest version:

wget https://www.shrew.net/download/ike/ike-2.2.1-release.tbz2

Extract it:

tar xvjf ike-2.2.1-release.tbz2

Enter the directory and run cmake; the README.TXT describes the procedure.

cd ike
cmake -DCMAKE_INSTALL_PREFIX=/usr -DQTGUI=YES -DETCDIR=/etc -DNATT=YES

checkinstall -y

make

sudo make install

cd source/iked/

sudo mv iked.conf.sample /etc/iked.conf

Run the Shrew daemon (as root):

# iked

ii : created ike socket 0.0.0.0:500
ii : created natt socket 0.0.0.0:4500
## : IKE Daemon, ver 2.2.1
## : Copyright 2013 Shrew Soft Inc.
## : This product linked OpenSSL 1.0.1t  3 May 2016

Run the Shrew graphical interface:
# qikea

To connect to the FortiGate IPSec VPN, enter the following information.

Click Add.

General tab

Remote Host

Host Name or IP Address = the FortiGate's IP address

Port = 500
Auto Configuration = Ike config pull

Local Host

Address Method = Use a Virtual adapter and assigned address
Check Obtain Automatically

Client tab

Firewall Options

Nat Traversal = enable
Nat Traversal Port = 4500
Keep-Alive Packet Rate = 15 secs
IKE Fragmentation = disable


Other Options

Check all three boxes:
Enable Dead Peer Detection
Enable ISAKMP Failure Notifications
Enable Client Login Banner


Name Resolution tab

Check:
Enable DNS
Obtain Automatically


Authentication tab

Authentication Method = Mutual PSK + XAuth

Local Identity

Identification Type = Fully Qualified Domain Name

Remote Identity = Any

Credentials - Pre Shared Key = enter the shared secret


Phase 1 tab

Proposal Parameters

Exchange Type = Aggressive
DH Exchange = group 5
Cipher Algorithm = aes
Cipher Key Length = 128 bits
Hash Algorithm = sha1
Key Life Time Limit = 86400 Secs
Key Life Data Limit = 0 Kbs


Phase 2 tab

Proposal Parameters

Transform Algorithm = auto
HMAC Algorithm = sha1
PFS Exchange = group 5
Compression Algorithm = deflate
Key Life Time Limit = 43200 Secs
Key Life Data Limit = 5120 KBs


Policy tab

IPsec Policy Configuration

Policy Generation Level = Auto

Check Obtain Topology Automatically or Tunnel All

Click Save.

Start the connection and enter your username and password.
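As an added example (not from this post or from Shrew Soft), a small Python audit of the Authentication, Phase 1 and Phase 2 settings above, read in the same "tab name, then Key = value lines" layout the post uses. The MODP group sizes and the 2048-bit DH floor are the assumptions it encodes; the sample text is constructed from the post's values.

```python
import re

# MODP group sizes from RFC 2409 / RFC 3526, used to rate the DH groups chosen above.
MODP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}
MIN_DH_BITS = 2048

# Constructed sample: the post's Authentication, Phase 1 and Phase 2 values, same layout as the post.
SAMPLE = """Authentication
Authentication Method = Mutual PSK + XAuth
Phase 1
Exchange Type = Aggressive
DH Exchange = group 5
Hash Algorithm = sha1
Phase 2
HMAC Algorithm = sha1
PFS Exchange = group 5
"""

def parse_tabs(text):
    """A line without '=' opens a tab; 'Key = value' lines fill it (lowercased)."""
    tabs, current = {}, ""
    for line in filter(None, map(str.strip, text.splitlines())):
        if "=" not in line:
            current = line.lower()
        else:
            key, _, value = line.partition("=")
            tabs.setdefault(current, {})[key.strip().lower()] = value.strip().lower()
    return tabs

def dh_bits(value):
    # 'group 5' -> 1536; unknown or missing group -> 0
    m = re.search(r"\d+", value)
    return MODP_BITS.get(int(m.group()), 0) if m else 0

def audit(text):
    """Return findings, highest severity first, for the proposal described in text."""
    tabs = parse_tabs(text)
    auth = tabs.get("authentication", {}).get("authentication method", "")
    p1, p2 = tabs.get("phase 1", {}), tabs.get("phase 2", {})
    findings = []
    if p1.get("exchange type") == "aggressive" and "psk" in auth:
        findings.append("HIGH: aggressive mode with a pre-shared key sends identities in the clear "
                        "and exposes the PSK to offline guessing; prefer main mode or certificates")
    for name, tab, key in (("phase 1", p1, "dh exchange"), ("phase 2", p2, "pfs exchange")):
        if (bits := dh_bits(tab.get(key, ""))) < MIN_DH_BITS:
            findings.append(f"MEDIUM: {name} {key} is {bits}-bit MODP, below {MIN_DH_BITS} bits; use group 14 or higher")
    for name, tab, key in (("phase 1", p1, "hash algorithm"), ("phase 2", p2, "hmac algorithm")):
        if tab.get(key) in ("md5", "sha1"):
            findings.append(f"LOW: {name} integrity uses {tab[key]}; prefer sha256 or stronger")
    return findings
```

Run `audit(SAMPLE)` against the settings above to see which proposal parameters the FortiGate administrator would need to change on the gateway side before the client profile can be tightened.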