Fortinet Devices
Known Quirks
-
IKEv2 is only supported with a single set of subnets per CHILD_SA. Thus a separate child definition has to be created in the
children
subsection ofswanctl.conf
for each additional subnet. -
When the device receives an IKE_SA_INIT from any valid peer, it initiates a tunnel on its own to that peer. This leads to CHILD_SA duplication.
-
The FortiGate device sometimes sends an invalid checksum, causing strongSwan to switch to NAT-T encapsulated ESP while the FortiGate device remains unchanged, resulting in strongSwan not processing inbound traffic. The workaround is to force ESPinUDP encapsulation, i.e. to set
connections.<conn>.encap = yes
inswanctl.conf
.