Interoperability with Fortinet brand devices

Including FortiGate devices.

Known Quirks

The following quirks are known:
Software: FortiOS
Version: *
Quirks:
* IKEv2 is only supported with a single set of subnets per CHILD_SA. Thus the same workaround as for IKEv1 has to be used with these devices.
* When the device receives an IKE_SA_INIT from any valid peer, it initiates a tunnel of its own to that peer. That leads to CHILD_SA duplication.
* The FortiGate device sometimes sends an invalid checksum, causing strongSwan to switch to NAT-T encapsulated ESP while the FortiGate device does not change its own behaviour, resulting in strongSwan not processing inbound traffic. The workaround is to force encapsulation.


For site-to-site tunnels, the aptly named configuration examples from the UsableExamples page can be used.
For roadwarrior-type tunnels, the procedure is analogous.
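
A site-to-site swanctl.conf applying the workarounds listed under Known Quirks, added here as an illustration and not taken from the strongSwan project's own examples: `encap = yes` forces UDP encapsulation, and each subnet pair gets its own CHILD_SA, on the assumption that this is the IKEv1 workaround meant above. All addresses, identities, section names and the secret are constructed placeholders.

```conf
# Added example, not from the original page. All values are constructed.
connections {
    fortigate-s2s {
        version = 2
        local_addrs  = 192.0.2.1          # strongSwan gateway (placeholder)
        remote_addrs = 203.0.113.10       # FortiGate device (placeholder)

        # Always use UDP-encapsulated ESP, so both peers agree on the
        # encapsulation even when NAT detection gives a wrong result.
        encap = yes

        local {
            auth = psk
            id = 192.0.2.1
        }
        remote {
            auth = psk
            id = 203.0.113.10
        }

        children {
            # One CHILD_SA per local/remote subnet pair (assumed workaround),
            # because the device accepts only a single set of subnets
            # per CHILD_SA.
            lan-to-branch-a {
                local_ts  = 10.1.0.0/24
                remote_ts = 10.2.0.0/24
            }
            lan-to-branch-b {
                local_ts  = 10.1.0.0/24
                remote_ts = 10.3.0.0/24
            }
        }
    }
}

secrets {
    ike-fortigate {
        id-1 = 192.0.2.1
        id-2 = 203.0.113.10
        secret = "REPLACE-WITH-PRE-SHARED-KEY"
    }
}
```

With the legacy ipsec.conf format, the corresponding setting for forced encapsulation is `forceencaps=yes`.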