[Openswan Users] Setting up VPN between Linux box and Fortigate firewall
Rhys Johnson
rhys at systemx.com.au
Tue Aug 22 03:15:44 EDT 2006
Thanks Jim
I made the changes you suggested and the tunnel is now up! I can ping
out from the 192.168.1.0/24 network behind the Fortigate. However, I
can't ping from the Linux box side running Openswan. I allow all pings
from 192.168.100.0/24 through the Fortigate. The error I am getting on
the Linux box is:
Aug 22 14:44:56 localhost pluto[15850]: "fortigate" #2: route-client
output: /usr/lib/ipsec/_updown: doroute `ip route add 192.168.1.0/24 via
221.133.201.34 dev eth1 ' failed (RTNETLINK answers: Network is
unreachable)
Any ideas what would be stopping this route from being created?
Cheers
Rhys
On Tue, 2006-08-22 at 07:13 +0800, Jim Barber wrote:
> I have exactly the same as this setup working fine.
> I don't specify the leftid or rightid parameters at all.
> With the fortigate set up to use 3des you need to add the following parameter to your openswan connection definition.
>
> esp=3des
>
> Without the above I also got the exact same error.
>
> Also, in the addresses that you defined in your Fortigate policy area, make sure these match exactly what you defined in Openswan.
> So in your example they would be set to 192.168.1.0/255.255.255.0
>
> You don't need DH 2 set in the phase one.
> Sticking with DH 5 works properly.
>
> Regards,
>
> ----------
> Jim Barber
> DDI Health
>
>
> Rhys Johnson wrote:
> > Hello
> > I am trying to set up a VPN between 2 firewall machines with private
> > subnets behind them. I have a Linux box running Openswan 2.2 and a
> > Fortigate firewall running IPsec. I am trying to connect from the
> > Fortigate to the Linux box, however the connection is failing on error.
> > The fortigate is set up as follows
> > Phase 1:
> > Local IP: 221.133.201.34
> > Remote IP: 58.6.14.254
> > Main mode
> > PSK
> > Accept any peer id
> > Encryption/Authentication: try 3DES-MD5, 3DES-SHA1
> > DH groups 2 and 5
> > Disable XAUTH
> > Phase 2:
> > Enable PFS
> > DH group 5
> >
> > The Linux box has the following configuration
> > ipsec.conf
> > -----------------------------------
> > config setup
> >     # Debug-logging controls:
> >     klipsdebug=none
> >     plutodebug="all"
> >
> > conn fortigate
> >     auto=add
> >     left=58.6.14.254
> >     leftsubnet=192.168.100.0/24
> >     leftid=@home
> >     right=221.133.201.34
> >     rightsubnet=192.168.1.0/24
> >     rightid=%any
> >     keyingtries=0
> >     pfs=yes
> >     auth=esp
> >     authby=secret
> > ------------------------------
> >
> > ipsec.secrets
> > -----------------
> > @home 221.133.201.34 58.6.14.254: PSK "************"
> > -----------------
> >
> > The error I receive on the Fortigate from the Linux box is:
> >
> > 2006-08-21 15:58:53 error negotiate Received error notification from
> > peer: INVALID_ID_INFORMATION type=event subtype=ipsec pri=error
> > loc_ip=221.133.201.34 loc_port=500 rem_ip=58.6.14.254 rem_port=500
> > out_if=wan1 vpn_tunnel=Caldwell_VPN
> > cookies=8f1a03ec12122b32/0d4f5c4330f10e82 action=negotiate
> > status=negotiate_error msg="Received error notification from peer:
> > INVALID_ID_INFORMATION" negotiate_error
> >
> > What does this error mean?
--
Kind regards
Rhys Johnson
SystemX Pty Ltd
Ph: 08 9421 8009
Fax: 08 9421 8055
Email: rhys at systemx.com.au
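The route failure in the message above is the kernel refusing `ip route add 192.168.1.0/24 via 221.133.201.34 dev eth1`: a route with a gateway is only accepted when that gateway lies inside a directly connected (gateway-less) route on the named device, and here the gateway is the remote peer's public address, which is not on-link on eth1. The script below is an added example, not part of the thread or of Openswan; it reproduces that on-link check offline against a constructed routing table (the 58.6.14.0/24 prefix on eth1, the upstream gateway 58.6.14.1 and the eth0 LAN address are assumptions, chosen to fit the addresses in the thread), parses the failed `_updown` command out of the pluto log line quoted above, and reports which address would be a plausible next hop instead.

```python
"""Mimic the kernel's next-hop check behind
'RTNETLINK answers: Network is unreachable' on `ip route add DST via GW dev DEV`.

Added example for the thread above; the routing table is constructed, not
captured from a real host, and the eth1 prefix and upstream gateway are assumed.
"""
import ipaddress
import re

# Constructed `ip -4 route show` output (assumed: 58.6.14.254/24 on eth1, gateway 58.6.14.1).
SAMPLE_ROUTES = """\
default via 58.6.14.1 dev eth1
58.6.14.0/24 dev eth1  proto kernel  scope link  src 58.6.14.254
192.168.100.0/24 dev eth0  proto kernel  scope link  src 192.168.100.1
"""

# The pluto line from the thread, reproduced as a single string for the parser.
PLUTO_LINE = (
    'Aug 22 14:44:56 localhost pluto[15850]: "fortigate" #2: route-client '
    "output: /usr/lib/ipsec/_updown: doroute `ip route add 192.168.1.0/24 via "
    "221.133.201.34 dev eth1 ' failed (RTNETLINK answers: Network is unreachable)"
)

ROUTE_CMD_RE = re.compile(r"ip route add (?P<dst>\S+) via (?P<gw>\S+) dev (?P<dev>\S+)")


def parse_failed_route(line):
    """Pull destination, gateway and device out of the `_updown` 'doroute ... failed' line."""
    m = ROUTE_CMD_RE.search(line)
    if m is None:
        return None
    return {"dst": ipaddress.ip_network(m["dst"], strict=False),
            "gw": ipaddress.ip_address(m["gw"]),
            "dev": m["dev"]}


def parse_routes(text):
    """Turn `ip -4 route show` lines into (network, dev, via) tuples; via is None for connected routes."""
    routes = []
    for raw in text.splitlines():
        f = raw.split()
        if not f:
            continue
        net = ipaddress.ip_network("0.0.0.0/0" if f[0] == "default" else f[0], strict=False)
        dev = f[f.index("dev") + 1] if "dev" in f else None
        via = ipaddress.ip_address(f[f.index("via") + 1]) if "via" in f else None
        routes.append((net, dev, via))
    return routes


def gateway_onlink(routes, gw, dev):
    """The kernel accepts 'via GW dev DEV' only if GW is covered by a gateway-less
    (directly connected) route on DEV. A 'default via ...' route does not count,
    so a far-away peer cannot be used as a next hop; the add fails with ENETUNREACH."""
    gw = ipaddress.ip_address(str(gw))
    return any(via is None and rdev == dev and gw in net for net, rdev, via in routes)


def upstream_gateway(routes, dev):
    """Gateway of the default route leaving DEV, if any: the natural candidate for the
    conn's leftnexthop, which is what _updown receives as PLUTO_NEXT_HOP."""
    for net, rdev, via in routes:
        if rdev == dev and via is not None and net.prefixlen == 0:
            return via
    return None


def diagnose(pluto_line, route_table):
    """Explain the failed route-client command against the given routing table."""
    cmd = parse_failed_route(pluto_line)
    if cmd is None:
        return None
    routes = parse_routes(route_table)
    nexthop = upstream_gateway(routes, cmd["dev"])
    return {
        "dst": str(cmd["dst"]),
        "gw": str(cmd["gw"]),
        "dev": cmd["dev"],
        "gateway_onlink": gateway_onlink(routes, cmd["gw"], cmd["dev"]),
        "suggested_nexthop": "" if nexthop is None else str(nexthop),
    }


if __name__ == "__main__":
    # On a live box, replace SAMPLE_ROUTES with the output of `ip -4 route show`.
    print(diagnose(PLUTO_LINE, SAMPLE_ROUTES))
</```

On the Linux box itself, `ip route get 221.133.201.34` gives the same answer directly: if it leaves via 58.6.14.1 rather than being on-link, the peer cannot be the next hop for the client route, and the value to try in the conn is the real upstream gateway (`leftnexthop=`, or `left=%defaultroute` so Openswan fills it in), not the remote peer.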