Fortinet Devices

The U.S. company Fortinet offers a large range of network security devices, including the FortiGate product family, that run the FortiOS operating system, which includes IPsec-based VPN functionality.

Known Quirks

  • With IKEv2, the device only supports a single traffic selector pair (one local and one remote subnet) per CHILD_SA. Thus a separate child definition has to be created in the children subsection of swanctl.conf for each additional subnet pair; listing several subnets in the local_ts or remote_ts of a single child does not work with these devices.

  • When the device receives an IKE_SA_INIT from any valid peer, it also initiates a tunnel of its own to that peer. Both IKE_SAs then establish their CHILD_SAs, which leads to duplicated CHILD_SAs.

  • The FortiGate device sometimes sends an invalid checksum in its NAT detection payloads (NAT_DETECTION_*_IP notifies). strongSwan then assumes a NAT is present (the log shows a "host is behind NAT" message) and switches to NAT-T encapsulated ESP on UDP port 4500, while the FortiGate device keeps sending plain ESP. Because the kernel SA on the strongSwan side expects UDP-encapsulated packets, strongSwan does not process the inbound traffic. The workaround is to force ESPinUDP encapsulation, i.e. to set connections.<conn>.encap = yes in swanctl.conf; strongSwan then fakes the NAT-D payloads so that both peers agree on UDP encapsulation.
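The following swanctl.conf fragment is an added example, not configuration from the strongSwan documentation or from Fortinet, showing how the first and the third quirk are handled in practice: one child section per local/remote subnet pair, and encap = yes on the connection. All addresses, identities, subnets and the pre-shared key are placeholders.

```conf
# Added example, not from the original page. Addresses, IDs, subnets and
# the PSK are placeholders and must be replaced with real values.
connections {
    fortigate {
        version = 2
        local_addrs  = 192.0.2.10
        remote_addrs = 198.51.100.1
        proposals = aes256-sha256-modp2048

        # Quirk 3: force ESPinUDP by faking NAT-D payloads, so strongSwan
        # and the FortiGate both use UDP encapsulation on port 4500.
        encap = yes

        local {
            auth = psk
            id = 192.0.2.10
        }
        remote {
            auth = psk
            id = 198.51.100.1
        }

        children {
            # Quirk 1: the FortiGate accepts only one traffic selector pair
            # per CHILD_SA, so each subnet pair gets its own child section.
            # Do NOT merge them into one child such as
            #   local_ts = 10.1.0.0/24,10.1.1.0/24
            # as the FortiGate will not set up the additional subnet.
            net-a {
                local_ts  = 10.1.0.0/24
                remote_ts = 10.2.0.0/24
                esp_proposals = aes256-sha256
                start_action = trap
            }
            net-b {
                local_ts  = 10.1.1.0/24
                remote_ts = 10.2.0.0/24
                esp_proposals = aes256-sha256
                start_action = trap
            }
        }
    }
}

secrets {
    ike-fortigate {
        id = 198.51.100.1
        secret = "replace-with-a-real-psk"
    }
}
```

After loading the configuration with swanctl --load-all, check swanctl --list-sas: each child (net-a, net-b) should appear as its own CHILD_SA, and the SAs should show UDP encapsulation on port 4500 on both ends. If the second quirk strikes, you will additionally see a second IKE_SA to the same peer that the FortiGate initiated itself.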