Fortigate to SoftEther IPSec Site to Site VPN?

imposter_syndrome
Posts: 4
Joined: Sun Jan 29, 2023 4:39 am

Fortigate to SoftEther IPSec Site to Site VPN?

Post by imposter_syndrome » Sun Jan 29, 2023 4:55 am

Hello. I have some experience with VPN but not much. Long story short, I have an urgent (and perhaps temporary) need to set up a site-to-site VPN between my company and a small partner. The purpose is to print directly from an application on our network to printers at theirs. We have Fortigate, they have a router that does not have VPN support. My company has one of our PCs on the partner's LAN which we have remote access to (Splashtop). Among other ideas, one of them is to install SoftEther on the PC, forward UDP ports 500 and 4500, and create the VPN from the Fortigate to the SoftEther.

I've attempted to test this using my home network but I am stuck. I successfully forwarded the ports to the computer on my home LAN which is running SoftEther. I checked the box for IPSec Site to Site VPN and configured a PSK. I configured the VPN on the FG side as best I know, using the same PSK, my home ISP public IP as the remote peer, the local and remote networks that make up the VPN, etc. On the Fortigate side the VPN never comes up. In the SoftEther log file I see entries like this (IPs hidden):

2023-01-28 23:46:34.229 IPsec Client 418 (Company IP:4500 -> Home LAN IP:4500): A new IPsec client is created.
2023-01-28 23:46:35.239 IPsec Client 419 (Company IP:500 -> Home LAN IP:500): A new IPsec client is created.
2023-01-28 23:46:35.239 IPsec IKE Session (IKE SA) 247 (Client: 419) (Company IP:500 -> Home LAN IP:500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0xB0F2BFAEA0FDFF4F, Responder Cookie: 0x4123EF14830E0EBE, DH Group: MODP 1536 (Group 5), Hash Algorithm: SHA-1, Cipher Algorithm: AES-CBC, Cipher Key Size: 256 bits, Lifetime: 4294967295 Kbytes or 86400 seconds
2023-01-28 23:46:35.260 IPsec Client 419 (Company IP:500 -> Home LAN IP:500): This client (Client 419) and the other client (Client 418) is the same client. So they are merged to the client 418.
2023-01-28 23:46:35.260 IPsec Client 418 (Company IP:4500 -> Home LAN IP:4500):
2023-01-28 23:46:35.260 IPsec IKE Session (IKE SA) 247 (Client: 418) (Company IP:4500 -> Home LAN IP:4500): This IKE SA is established between the server and the client.
2023-01-28 23:46:44.233 IPsec Client 418 (Company IP -> Home LAN IP:4500): This IPsec Client is deleted.
2023-01-28 23:46:44.233 IPsec IKE Session (IKE SA) 247 (Client: 418) (Company IP:4500 -> Home LAN IP:4500): This IKE SA is deleted.

Would anyone possibly be able to help me or point me in the right direction? Thanks!

imposter_syndrome
Posts: 4
Joined: Sun Jan 29, 2023 4:39 am

Re: Fortigate to SoftEther IPSec Site to Site VPN?

Post by imposter_syndrome » Sun Jan 29, 2023 6:36 am

Well, now I have been tinkering for hours, and something must have happened: I can no longer get ANY kind of connections showing in the logs at all, not for the past hour. I've tried every setting I can see on the SoftEther and the Fortinet, every type of VPN connection and option, and now I see nothing at all in the log file. Rebooted, same thing. Weird and frustrating.

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Fortigate to SoftEther IPSec Site to Site VPN?

Post by solo » Sun Jan 29, 2023 10:43 am

imposter_syndrome wrote:
Sun Jan 29, 2023 4:55 am
I have an urgent (and perhaps temporary) need... to print directly from an application on our network to printers at theirs... LAN which we have remote access to (Splashtop).
- urgent
- temporary
- print only
- Splashtop exists already

Splashtop printing is optimal in this scenario.

imposter_syndrome
Posts: 4
Joined: Sun Jan 29, 2023 4:39 am

Re: Fortigate to SoftEther IPSec Site to Site VPN?

Post by imposter_syndrome » Sun Jan 29, 2023 3:51 pm

solo wrote:
Sun Jan 29, 2023 10:43 am
imposter_syndrome wrote:
I have an urgent (and perhaps temporary) need... to print directly from an application on our network to printers at theirs... LAN which we have remote access to (Splashtop).
- urgent
- temporary
- print only
- Splashtop exists already

Splashtop printing is optimal in this scenario.

Splashtop printing is not going to help us print from our business application to these printers. Do you know how to get the VPN working?

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Fortigate to SoftEther IPSec Site to Site VPN?

Post by solo » Sun Jan 29, 2023 7:58 pm

For some reason you don't like the optimal way so here is the next easiest one:
- on the remote LAN install SoftEther Server
- bridge it to a LAN NIC
- from your location connect SoftEther Client to VPN Azure address

imposter_syndrome
Posts: 4
Joined: Sun Jan 29, 2023 4:39 am

Re: Fortigate to SoftEther IPSec Site to Site VPN?

Post by imposter_syndrome » Mon Jan 30, 2023 3:46 am

solo wrote:
Sun Jan 29, 2023 7:58 pm
For some reason you don't like the optimal way so here is the next easiest one:
- on the remote LAN install SoftEther Server
- bridge it to a LAN NIC
- from your location connect SoftEther Client to VPN Azure address
For some reason you don't like to answer the question. The application sending the print jobs is an AS/400. SoftEther Client doesn't pertain. I am trying to get the site-to-site IPsec VPN working. Might you know how to do that?

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Fortigate to SoftEther IPSec Site to Site VPN?

Post by solo » Mon Jan 30, 2023 7:14 am

imposter_syndrome wrote:
Mon Jan 30, 2023 3:46 am
SoftEther Client doesn't pertain.
It does. Considering new info provided, let's update the setup:

- on the remote LAN install SoftEther Server
- don't bridge, enable SecureNAT on it (all defaults)
- from your location connect SoftEther Client to VPN Azure address

assumptions for illustration:

- remote LAN (with the printer) 10.1.1.0/24
- local LAN 10.2.2.0/24
- local Windows PC with SoftEther Client 10.2.2.2
- local AS/400 computer 10.2.2.3

config:

- on 10.2.2.2 start the "Routing and Remote Access" service
- on 10.2.2.3 add a static route equivalent of: ip route add 10.1.1.0/24 via 10.2.2.2
- if VPN Azure is too slow and you can do port forwarding then switch to direct connection

That's all. Fortigate with L2TP/IPsec may not be this easy, if feasible at all.
