Hi Again,<br><br>I'm still looking into this issue. I am just wondering if anyone has ever run into interoperability issues between Openswan and Fortigate. Or, has anyone experienced an issue where the tunnel appears to be up on both ends but ESP packets are silently dropped and not decrypted and passed to the protected subnet.<br>
<br>Thanks again,<br><br>Robyn<br><br><div class="gmail_quote">On Tue, Dec 1, 2009 at 9:00 AM, Robyn Orosz <span dir="ltr"><<a href="mailto:rorosz@gmail.com">rorosz@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi There,<br><br>I'm still in the process of troubleshooting this issue but wanted to throw this out there in case anyone's ever run into a similar issue and solved it some how:<br><br>I have an established IPSec tunnel between a Linux box running Openswan U2.4.12 on 2.6.26 to a Fortigate FG1000A VPN firewall. The tunnel appears to be up but it does not pass traffic. I can send a ping from the Openswan side to the Fortigate local network and I see the ESP packets leaving the Linux box on the outside interface but they either don't reach the Fortigate box or they reach it and don't get decrypted. If a ping is sent from the Fortigate box, I see ESP packets entering the outside interface on the Linux box but they don't appear to get decrypted either. There is no NAT or firewall involved on either end.<br>
<br>I've tried disabling/ enabling compression. With compress=yes, the tunnel does not come up. I've tried disabling PFS on both sides. This makes not difference. Here is the Openswan config:<br><br>config setup<br>
interfaces="ipsec0=eth0"<br> hidetos=yes<br> syslog=local0.debug<br> plutodebug="all"<br> nhelpers=5<br> plutowait=yes<br><br>conn clear<br> auto=ignore<br>
<br>conn clear-or-private<br> auto=ignore<br><br>conn private-or-clear<br> auto=ignore<br><br>conn private<br> auto=ignore<br><br>conn block<br> auto=ignore<br><br>conn packetdefault<br> auto=ignore<br>
<br>conn Fortigate<br> left=Fortigate-Public-IP<br> right=Linux-Public-IP<br> leftsubnet=<a href="http://172.16.100.0/24" target="_blank">172.16.100.0/24</a><br> rightsubnet=<a href="http://172.16.101.0/24" target="_blank">172.16.101.0/24</a><br>
ike=aes128-sha1-modp1536<br> ikelifetime=28800s<br> aggrmode=no<br> esp=aes256-sha1<br> keylife=3600s<br> rekeymargin=540s<br> type=tunnel<br> pfs=no<br> compress=no<br>
authby=secret<br> auto=start<br><br>Has anyone run into a similar issue before and if so, any idea how to work around it? Or, if someone has a working connection between Openswan and a Fortigate FG1000A, I'd love to know the details. ;-)<br>
<br>I don't currently have access to the Fortigate but can provide details from it if needed. Basically, the proposals appear to match as the tunnel is established. Also, I have debugging running for Openswan but am unsure of what to look for.<br>
<br>Thanks a ton!<br><font color="#888888"><br>Robyn<br>
</font></blockquote></div><br>