<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.3698" name=GENERATOR></HEAD>
<BODY>
<DIV><FONT face=Arial size=2>
<DIV><SPAN class=625293513-06092010><FONT face=Arial size=2>Ok, I had the same
problem (I have one more, but I'll open a new thread for that). I got my FortiGate
60B working with my Openswan server in "tunnel mode"; here is the configuration:
</FONT></SPAN></DIV>
<DIV><SPAN class=625293513-06092010><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=625293513-06092010><FONT face=Arial
size=2>OPENSWAN</FONT></SPAN></DIV>
<DIV><SPAN class=625293513-06092010><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=625293513-06092010><FONT face=Arial size=2>conn netcafe<BR>
auth=esp<BR>
authby=secret<BR>
auto=start<BR>
esp=3des-md5!<BR>
ikelifetime=1800s<BR>
keyingtries=10<BR>
keylife=28800s<BR>
left=mydyndns1(openswan)<BR>
leftid=192.9.201.254<BR>
leftnexthop=192.9.201.254<BR>
leftsubnet=192.9.201.0/24<BR>
right=mydyndns2(fortigate)<BR>
rightid=%any<BR>
rightnexthop=10.0.254.254<BR>
rightsubnet=10.0.254.0/24<BR>
ike=3des-md5!<BR>
keyexchange=ike<BR>
dpddelay=30<BR>
dpdtimeout=120<BR>
dpdaction=restart</FONT></SPAN></DIV>
<DIV><SPAN class=625293513-06092010><FONT face=Arial size=2>then in my ipsec.secrets I have:</FONT></SPAN></DIV>
<DIV><SPAN class=625293513-06092010><FONT face=Arial size=2>: PSK
"mypassword"</FONT></SPAN></DIV>
<DIV><SPAN class=625293513-06092010><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=625293513-06092010><FONT face=Arial size=2>In my ipsec.conf I
have:</FONT></SPAN></DIV>
<DIV><SPAN class=625293513-06092010><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=625293513-06092010><FONT face=Arial size=2>
# Do not set debug options to debug configuration issues!<BR>
# plutodebug / klipsdebug = "all", "none" or a combination from below:<BR>
# "raw crypt parsing emitting control klips pfkey natt x509 dpd private"<BR>
# eg:<BR>
# plutodebug="control parsing"<BR>
#<BR>
# enable to get logs per-peer<BR>
# plutoopts="--perpeerlog"<BR>
#<BR>
# Again: only enable plutodebug or klipsdebug when asked by a developer<BR>
#<BR>
# NAT-TRAVERSAL support, see README.NAT-Traversal<BR>
nat_traversal=yes<BR>
#forceencaps=yes<BR>
# exclude networks used on server side by adding %v4:!a.b.c.0/24<BR>
virtual_private=%v4:192.9.201.0/24,%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12<BR>
# OE is now off by default. Uncomment and change to on, to enable.<BR>
oe=off<BR>
# which IPsec stack to use. netkey,klips,mast,auto or none<BR>
protostack=netkey<BR>
plutodebug=all<BR>
# Add connections here<BR>
include /etc/ipsec.d/*.conf <------------------- (as you see, at this point I use conf scripts in ipsec.d)<BR></FONT></SPAN></DIV>
<DIV><SPAN class=625293513-06092010><FONT face=Arial size=2>FORTIGATE
SIDE:</FONT></SPAN></DIV>
<DIV><SPAN class=625293513-06092010><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=625293513-06092010><FONT face=Arial size=2>Phase
1</FONT></SPAN></DIV>
<DIV><SPAN class=625293513-06092010><FONT face=Arial size=2>Remote
gateway:dyndns</FONT></SPAN></DIV>
<DIV><SPAN class=625293513-06092010><FONT face=Arial size=2>local interface :
wan1</FONT></SPAN></DIV>
<DIV><SPAN class=625293513-06092010><FONT face=Arial size=2>mode: main
(id)</FONT></SPAN></DIV>
<DIV><SPAN class=625293513-06092010><FONT face=Arial size=2>auth method:
preshared key</FONT></SPAN></DIV>
<DIV><SPAN class=625293513-06092010><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=625293513-06092010><FONT face=Arial size=2>encrypt: 3des -
md5</FONT></SPAN></DIV>
<DIV><SPAN class=625293513-06092010><FONT face=Arial size=2>DH group =
2</FONT></SPAN></DIV>
<DIV><SPAN class=625293513-06092010><FONT face=Arial size=2>keylife
28800</FONT></SPAN></DIV>
<DIV><SPAN class=625293513-06092010><FONT face=Arial size=2>nat traversal =
enable</FONT></SPAN></DIV>
<DIV><SPAN class=625293513-06092010><FONT face=Arial size=2>keep alive frequency
: 10</FONT></SPAN></DIV>
<DIV><SPAN class=625293513-06092010><FONT face=Arial size=2>dpd detection =
yes</FONT></SPAN></DIV>
<DIV><SPAN class=625293513-06092010><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=625293513-06092010><FONT face=Arial size=2>Phase
2</FONT></SPAN></DIV>
<DIV><SPAN class=625293513-06092010><FONT face=Arial size=2>encrypt : 3des -
md5</FONT></SPAN></DIV>
<DIV><SPAN class=625293513-06092010><FONT face=Arial size=2>enable
pfs</FONT></SPAN></DIV>
<DIV><SPAN class=625293513-06092010><FONT face=Arial size=2>dh group =
2</FONT></SPAN></DIV>
<DIV><SPAN class=625293513-06092010><FONT face=Arial size=2>seconds =
1800</FONT></SPAN></DIV>
<DIV><SPAN class=625293513-06092010><FONT face=Arial size=2>autokey keepalive =
yes</FONT></SPAN></DIV>
<DIV><SPAN class=625293513-06092010><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=625293513-06092010><FONT face=Arial size=2>quickmode selector =
</FONT></SPAN></DIV>
<DIV><SPAN class=625293513-06092010><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=625293513-06092010><FONT face=Arial size=2>src:
10.0.254.0/24</FONT></SPAN></DIV>
<DIV><SPAN class=625293513-06092010><FONT face=Arial size=2>port:
0</FONT></SPAN></DIV>
<DIV><SPAN class=625293513-06092010><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=625293513-06092010><FONT face=Arial size=2>dst:
192.9.201.0/24</FONT></SPAN></DIV>
<DIV><SPAN class=625293513-06092010><FONT face=Arial size=2>port =
0</FONT></SPAN></DIV>
<DIV><SPAN class=625293513-06092010><FONT face=Arial size=2>protocol =
0</FONT></SPAN></DIV>
<DIV><SPAN class=625293513-06092010><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=625293513-06092010><FONT face=Arial size=2>Then you need to
enable the tunnel in the FortiGate firewall as follows:</FONT></SPAN></DIV>
<DIV><SPAN class=625293513-06092010><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=625293513-06092010><FONT face=Arial
size=2>policy:</FONT></SPAN></DIV>
<DIV><SPAN class=625293513-06092010><FONT face=Arial size=2>(FROM INTERNAL TO
EXTERNAL)</FONT></SPAN></DIV>
<DIV><SPAN class=625293513-06092010><FONT face=Arial size=2>network-local
(10.0.254.0/24) ---------------------------> network openswan
(192.9.201.0/24) -------> encrypt (tunnel: the name of your tunnel)
-----------------> Accept</FONT></SPAN></DIV>
<DIV><SPAN class=625293513-06092010><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=625293513-06092010><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=625293513-06092010><FONT face=Arial size=2>And wow! You're done
and you have your VPN up!</FONT></SPAN></DIV></FONT></DIV>
<DIV> </DIV>
<DIV align=left><FONT face=Arial size=2>Ing. Rodrigo Fernández Rodríguez<BR>Field
Application Engineer<BR>Tels:
1204-4795<BR> 1204-4796<BR> 1204-4797
ext. 101</FONT></DIV>
<DIV align=left><FONT face=Arial
size=2> 01800-1302233<BR>Cel:
04455-1388-9354<BR>Web: <A
href="http://www.netcafe-solutions.net/">http://www.netcafe-solutions.net</A><BR>Mail:
<A
href="mailto:rfernandez@netcafe-solutions.net">rfernandez@netcafe-solutions.net</A><BR></FONT></DIV>
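<DIV><FONT face=Arial size=2>As an added consistency check (not part of the post above, and not Openswan or Fortinet code), the script below parses an ipsec.conf conn block like the one posted and compares it with the FortiGate Phase 1/2 values listed for the other side: it reports proposal or lifetime differences between the two peers, quick mode selectors that do not mirror the Openswan subnets, and algorithms that are weak by current standards. The FortiGate-side dictionary and its key names are my own construction; the sample values are transcribed from the post.</FONT></DIV>

```python
import re

# Constructed sample: the conn block from the post (dyndns hostnames left out).
OPENSWAN_CONN = """conn netcafe
  esp=3des-md5!
  ike=3des-md5!
  ikelifetime=1800s
  keylife=28800s
  leftsubnet=192.9.201.0/24
  rightsubnet=10.0.254.0/24
"""

# Constructed: the FortiGate Phase 1/2 values from the post; the key names are my own.
FORTIGATE = {
    "p1_proposal": "3des-md5", "p1_dhgrp": 2, "p1_keylife": 28800,
    "p2_proposal": "3des-md5", "p2_dhgrp": 2, "p2_keylife": 1800,
    "src": "10.0.254.0/24", "dst": "192.9.201.0/24",
}

WEAK = {"3des": "3DES (64-bit block cipher)", "md5": "MD5"}

def parse_conn(text):
    """Return {key: value} for the key=value lines of an ipsec.conf conn block."""
    matches = (re.match(r"\s*([a-z_]+)=(\S+)", ln) for ln in text.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}

def check_tunnel(conn, forti):
    """Compare both sides of the tunnel; return a list of findings (empty = consistent)."""
    findings = []
    # Proposal agreement per phase; Openswan's trailing '!' only means 'strict', strip it.
    for phase, key, fkey in ((1, "ike", "p1_proposal"), (2, "esp", "p2_proposal")):
        ours = conn[key].rstrip("!")
        if ours != forti[fkey]:
            findings.append(f"phase {phase} proposal mismatch: openswan={ours} fortigate={forti[fkey]}")
        for alg in ours.split("-"):
            if alg in WEAK:
                findings.append(f"phase {phase} uses weak algorithm {WEAK[alg]}")
        # DH groups 1 and 2 are 768-bit and 1024-bit MODP, too small for new deployments.
        if forti[f"p{phase}_dhgrp"] in (1, 2):
            findings.append(f"phase {phase} uses DH group {forti[f'p{phase}_dhgrp']} (1024-bit or smaller MODP)")
    # Lifetimes: ikelifetime is the Phase 1 (IKE) SA, keylife the Phase 2 (IPsec) SA.
    for phase, key, fkey in ((1, "ikelifetime", "p1_keylife"), (2, "keylife", "p2_keylife")):
        ours = int(conn[key].rstrip("s"))
        if ours != forti[fkey]:
            findings.append(f"phase {phase} lifetime differs: openswan={ours}s fortigate={forti[fkey]}s")
    # Quick mode selectors must mirror: our leftsubnet is the FortiGate dst and vice versa.
    if (conn["leftsubnet"], conn["rightsubnet"]) != (forti["dst"], forti["src"]):
        findings.append("quick mode selectors do not mirror the openswan subnets")
    return findings
```

Call check_tunnel(parse_conn(OPENSWAN_CONN), FORTIGATE) and print each finding; an empty list means both peers agree and nothing weak was found.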
<DIV> </DIV></BODY></HTML>