<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
        {mso-style-priority:34;
        margin-top:0in;
        margin-right:0in;
        margin-bottom:0in;
        margin-left:.5in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
span.EmailStyle17
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:windowtext;}
span.EmailStyle18
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
/* List Definitions */
@list l0
        {mso-list-id:428627562;
        mso-list-type:hybrid;
        mso-list-template-ids:-1912823772 2045414114 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
        {mso-level-text:%1-;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1
        {mso-list-id:1159005780;
        mso-list-type:hybrid;
        mso-list-template-ids:-1912823772 2045414114 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l1:level1
        {mso-level-text:%1-;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l2
        {mso-list-id:1768310203;
        mso-list-type:hybrid;
        mso-list-template-ids:-590306798 -668550284 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l2:level1
        {mso-level-number-format:bullet;
        mso-level-text:-;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:"Calibri","sans-serif";
        mso-fareast-font-family:Calibri;
        mso-bidi-font-family:"Times New Roman";}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=WordSection1>
<p class=MsoNormal><span style='font-size:12.0pt'>I have the following
situation:<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>I need to connect two offices. The
main office uses Debian Lenny with iptables and Openswan, and the remote
office uses a Fortigate 60B (firewall and VPN).<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>The web server is located in
the remote office, but it needs to use the public IP from the main office.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>Internet --------> www --------> Public IP in the Main Office <-------------------- VPN --------------> Remote
Office --------------> WEB server (LAN)<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'> | Public IP<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'> |<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'> |<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'> LAN<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'> Main Office<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>This is the configuration on
both sides, but at the moment it does not work.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>Fortigate 60B<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>VPN --> IPsec<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>Phase 1<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>Static IP Address<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>Local Interface = WAN1<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>Mode = Main (ID Protection)<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>Authentication Method = Pre-shared
Key<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>Peer Options = Accept any peer
ID<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>P1 Proposal<o:p></o:p></span></p>
<p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span
style='font-size:12.0pt'><span style='mso-list:Ignore'>1-<span
style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span
style='font-size:12.0pt'>Encryption = 3DES Authentication = MD5<o:p></o:p></span></p>
<p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span
style='font-size:12.0pt'><span style='mso-list:Ignore'>2-<span
style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span
style='font-size:12.0pt'>Encryption = 3DES Authentication = SHA1<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>DH Group = 2 – 5<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>Keylife = 28800<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>Local ID = ________<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>XAuth = Disable<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>NAT-traversal = enable<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>Keep alive Frequency = 10
seconds<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>Dead Peer Detection = enable<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>Phase 2<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>P2 Proposal<o:p></o:p></span></p>
<p class=MsoListParagraph style='text-indent:-.25in;mso-list:l1 level1 lfo2'><![if !supportLists]><span
style='font-size:12.0pt'><span style='mso-list:Ignore'>1-<span
style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span
style='font-size:12.0pt'>Encryption = 3DES Authentication = MD5<o:p></o:p></span></p>
<p class=MsoListParagraph style='text-indent:-.25in;mso-list:l1 level1 lfo2'><![if !supportLists]><span
style='font-size:12.0pt'><span style='mso-list:Ignore'>2-<span
style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span
style='font-size:12.0pt'>Encryption = 3DES Authentication = SHA1<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>Enable replay detection = yes<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>Enable perfect forward
secrecy (PFS) = yes<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>DH Group = 5<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>Keylife= 1800 Seconds<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>Autokey Keep Alive = enable<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>Quick Mode Selector<o:p></o:p></span></p>
<p class=MsoListParagraph style='text-indent:-.25in;mso-list:l2 level1 lfo3'><![if !supportLists]><span
style='font-size:12.0pt'><span style='mso-list:Ignore'>-<span style='font:7.0pt "Times New Roman"'>
</span></span></span><![endif]><span style='font-size:12.0pt'>Source address =
192.168.x.x/24 (LAN this side)<o:p></o:p></span></p>
<p class=MsoListParagraph style='text-indent:-.25in;mso-list:l2 level1 lfo3'><![if !supportLists]><span
style='font-size:12.0pt'><span style='mso-list:Ignore'>-<span style='font:7.0pt "Times New Roman"'>
</span></span></span><![endif]><span style='font-size:12.0pt'>Source port = 0<o:p></o:p></span></p>
<p class=MsoListParagraph style='text-indent:-.25in;mso-list:l2 level1 lfo3'><![if !supportLists]><span
style='font-size:12.0pt'><span style='mso-list:Ignore'>-<span style='font:7.0pt "Times New Roman"'>
</span></span></span><![endif]><span style='font-size:12.0pt'>Destinations
address = 192.168.x.x (LAN side Openswan)<o:p></o:p></span></p>
<p class=MsoListParagraph style='text-indent:-.25in;mso-list:l2 level1 lfo3'><![if !supportLists]><span
style='font-size:12.0pt'><span style='mso-list:Ignore'>-<span style='font:7.0pt "Times New Roman"'>
</span></span></span><![endif]><span style='font-size:12.0pt'>Protocol = 0<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>Log Access <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'># Date time Level User
Interface Action Message <o:p></o:p></span></p>
<table class=MsoNormalTable border=0 cellspacing=1 cellpadding=0 width=1086
style='width:814.5pt'>
<tr>
<td style='padding:0in 0in 0in 0in'>
<p class=MsoNormal><span style='font-size:12.0pt'>1 2010-09-04<o:p></o:p></span></p>
</td>
<td style='padding:0in 0in 0in 0in'>
<p class=MsoNormal><span style='font-size:12.0pt'>13:22:27<o:p></o:p></span></p>
</td>
<td style='padding:0in 0in 0in 0in'>
<p class=MsoNormal><span style='font-size:12.0pt'>notice<o:p></o:p></span></p>
</td>
<td style='padding:0in 0in 0in 0in'>
<p class=MsoNormal><span style='font-size:12.0pt'> <o:p></o:p></span></p>
</td>
<td style='padding:0in 0in 0in 0in'>
<p class=MsoNormal><span style='font-size:12.0pt'>negotiate<o:p></o:p></span></p>
</td>
<td style='padding:0in 0in 0in 0in'>
<p class=MsoNormal><span style='font-size:12.0pt'>Initiator: sent x.x.x.x (public
IP openswan) main mode message #1 (OK)<o:p></o:p></span></p>
</td>
</tr>
</table>
<p class=MsoNormal><span style='font-size:12.0pt'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>Openswan<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'><o:p> </o:p></span></p>
<p class=MsoListParagraph style='text-indent:-.25in;mso-list:l2 level1 lfo3'><![if !supportLists]><span
style='font-size:12.0pt'><span style='mso-list:Ignore'>-<span style='font:7.0pt "Times New Roman"'>
</span></span></span><![endif]><span style='font-size:12.0pt'>#/etc/ipsec.conf<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>nat_traversal=yes<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'># Add connections here<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>include
/etc/ipsec.d/fortigate.conf<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'><o:p> </o:p></span></p>
<p class=MsoListParagraph style='text-indent:-.25in;mso-list:l2 level1 lfo3'><![if !supportLists]><span
style='font-size:12.0pt'><span style='mso-list:Ignore'>-<span style='font:7.0pt "Times New Roman"'>
</span></span></span><![endif]><span style='font-size:12.0pt'>VPN<o:p></o:p></span></p>
<p class=MsoNormal><span lang=ES-CR style='font-size:12.0pt'>conn nb-vpn #
Connection name<o:p></o:p></span></p>
<p class=MsoNormal><span lang=ES-CR style='font-size:12.0pt'>
</span><span style='font-size:12.0pt'>type=tunnel<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>
auth=esp<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>
authby=secret<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>
esp=3des-md5!;modp1536<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>
ikelifetime=1800s<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>
keyingtries=10<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>
keylife=28800s<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>
pfs=yes<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>
left=x.x.x.x
# Public IP Openswan<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>
leftsubnet=192.168.x.x/24 #LAN Openswan<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>
leftid=x.x.x.x # Public IP Openswan<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>
leftrsasigkey=abc # key<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>
leftnexthop=y.y.y.y # %defaultroute correct in
many situations<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>
right=a.b.c.d
# Public Ip Fortigate<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>
rightsubnet=192.168.x.x/24 #LAN Fortigate<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>
rightid=a.b.c.d # Public IP Fortigate<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>
rightrsasigkey=abc # key<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>
rightnexthop=%defaultroute # correct in many situations<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'> auto=add
# authorizes but doesn't start this connection at startup<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>
ike=3des-md5!<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>
keyexchange=ike<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>/etc/init.d/ipsec restart<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>ipsec_setup: Stopping
Openswan IPsec...<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>ipsec_setup: Starting
Openswan IPsec 2.4.12..<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>ipsec auto --up vpn (wait and
wait….)<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>ipsec auto --status<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>000 "vpn": 192.168.x.x/24===a.b.c.d---a.b.c..d...a.b.c.d---a.b.c.d===192.168.x.x/24;
unrouted; eroute owner: #0<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>000 "vpn":
srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>000 "vpn":
ike_life: 1800s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%;
keyingtries: 10<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>000 "vpn":
policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth0; encap: esp;<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>000 "vpn":
newest ISAKMP SA: #0; newest IPsec SA: #0; <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>000 "vpn":
IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)-MODP1536(5),
3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=strict<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>000 "vpn":
IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-MODP1536(5),
3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>000 "vpn":
ESP algorithms wanted: 3DES(3)_000-MD5(1); pfsgroup=MODP1536(5); flags=strict<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>000 "vpn":
ESP algorithms loaded: 3DES(3)_000-MD5(1); pfsgroup=MODP1536(5); flags=strict<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>000 <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>000 #61: "vpn":500
STATE_MAIN_I1 (sent MI1, expecting MR1); none in -1s; lastdpd=-1s(seq in:0
out:0)<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>000 #61: pending Phase 2 for
"nb-vpn" replacing #0<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>cat /var/log/syslog<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>Sep 4 14:43:45 VPN1
ipsec_setup: Stopping Openswan IPsec...<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>Sep 4 14:43:45 VPN1
kernel: [104640.705317] NET: Registered protocol family 15<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>Sep 4 14:43:45 VPN1
kernel: [104640.853503] padlock: VIA PadLock Hash Engine not detected.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>Sep 4 14:43:45 VPN1
kernel: [104640.976681] padlock: VIA PadLock Hash Engine not detected.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>Sep 4 14:43:46 VPN1
kernel: [104641.153758] padlock: VIA PadLock not detected.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>Sep 4 14:43:46 VPN1
kernel: [104641.350985] Initializing XFRM netlink socket<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>Sep 4 14:43:46 VPN1
ipsec_setup: NETKEY on eth0 a.b.c.d/255.255.255.128 broadcast a.b.c.255 <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>Sep 4 14:43:46 VPN1
ipsec_setup: ...Openswan IPsec started<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>Sep 4 14:43:46 VPN1
ipsec_setup: Starting Openswan IPsec 2.4.12...<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>Any recommendations are
welcome.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>Best regards<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:12.0pt'>Erick Ch.<o:p></o:p></span></p>
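An added consistency check (example code, not part of the post above and not an Openswan or Fortigate tool): it parses the conn block quoted in the post and compares it with the Fortigate Phase 1 / Phase 2 values from the post, both embedded here as constructed input. A mismatch it reports does not by itself explain a peer that never answers main mode message #1, but it is the first thing to align before looking at UDP 500/4500 filtering.

```python
# Constructed input: the conn block from the post (key lines only).
OPENSWAN_CONN = """conn nb-vpn
    esp=3des-md5!;modp1536
    ikelifetime=1800s
    keylife=28800s
    pfs=yes
    ike=3des-md5!
"""
# Constructed input: the Fortigate Phase 1 / Phase 2 screens from the post.
FORTIGATE = {
    "p1_proposals": {("3des", "md5"), ("3des", "sha1")},
    "p1_keylife": 28800,
    "p2_proposals": {("3des", "md5"), ("3des", "sha1")},
    "p2_pfs_group": 5,
    "p2_keylife": 1800,
}
DH_NAME = {2: "modp1024", 5: "modp1536"}  # Fortigate DH group -> Openswan name

def parse_conn(text):
    """Return the key=value pairs of a conn block as a dict, comments stripped."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line and not line.startswith("conn "):
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def parse_proposal(spec):
    """'3des-md5!;modp1536' -> ({('3des', 'md5')}, 'modp1536'); '!' means strict."""
    alg_part, _, dh_group = spec.partition(";")
    algs = set()
    for item in alg_part.split(","):
        if item:
            enc, _, auth = item.rstrip("!").partition("-")
            algs.add((enc, auth))
    return algs, dh_group or None

def check(conn, fg):
    """Return a list of mismatches between the conn and the Fortigate phases."""
    problems = []
    ike_algs, _ = parse_proposal(conn.get("ike", ""))
    esp_algs, esp_dh = parse_proposal(conn.get("esp", ""))
    if not ike_algs & fg["p1_proposals"]:
        problems.append("no common Phase 1 (IKE) proposal")
    if not esp_algs & fg["p2_proposals"]:
        problems.append("no common Phase 2 (ESP) proposal")
    if conn.get("pfs") == "yes" and esp_dh and esp_dh != DH_NAME[fg["p2_pfs_group"]]:
        problems.append("PFS group %s differs from Fortigate DH group %d" % (esp_dh, fg["p2_pfs_group"]))
    # Openswan defaults when unset: ikelifetime=3600s, keylife=28800s.
    ike_life = int(conn.get("ikelifetime", "3600s").rstrip("s"))
    ipsec_life = int(conn.get("keylife", "28800s").rstrip("s"))
    if ike_life != fg["p1_keylife"]:
        problems.append("ikelifetime %ds vs Fortigate Phase 1 keylife %ds" % (ike_life, fg["p1_keylife"]))
    if ipsec_life != fg["p2_keylife"]:
        problems.append("keylife %ds vs Fortigate Phase 2 keylife %ds" % (ipsec_life, fg["p2_keylife"]))
    return problems

print(*check(parse_conn(OPENSWAN_CONN), FORTIGATE), sep="\n")
```

For the values in the post the proposals and PFS group agree, and only the two lifetimes are flagged: Openswan's ikelifetime (Phase 1) is 1800s against the Fortigate's 28800, and its keylife (Phase 2) is 28800s against the Fortigate's 1800.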
</div>
</body>
</html>