[Openswan Users] Setting up VPN between Linux box and Fortigate firewall

Andy Gay andy at andynet.net
Tue Aug 22 12:49:08 EDT 2006


On Tue, 2006-08-22 at 15:15 +0800, Rhys Johnson wrote:
> Thanks Jim
> I made the changes you suggested and the tunnel is now up! I can ping
> out from the 192.168.1.0/24 network behind the fortigate. However I
> can't ping from the linux box side running openswan. I allow all pings
> from 192.168.100.0/24 through the fortigate. The error I am getting on
> the linux box is:
> 
> Aug 22 14:44:56 localhost pluto[15850]: "fortigate" #2: route-client
> output: /usr/lib/ipsec/_updown: doroute `ip route add 192.168.1.0/24 via
> 221.133.201.34 dev eth1 ' failed (RTNETLINK answers: Network is
> unreachable)
> 
> Any ideas what would be stopping this route from being created?

Add a leftnexthop= setting. You need to set it to the address of the
next hop gateway, probably your default gateway. You can use
leftnexthop=%defaultroute in that case, I think. Or just change left= to
left=%defaultroute .

You'll probably want to set leftsourceip= as well, set that to your
inside address on leftsubnet.

You really don't want plutodebug="all"....


> 
> Cheers
> Rhys
> 
> 
> On Tue, 2006-08-22 at 07:13 +0800, Jim Barber wrote:
> > I have exactly the same as this setup working fine.
> > I don't specify the leftid or rightid parameters at all.
> > With the fortigate set up to use 3des you need to add the following parameter to your openswan connection definition.
> > 
> > 	esp=3des
> > 
> > Without the above I also got the exact same error.
> > 
> > Also in the addresses that you defined in your fortigate policy area, make sure these match exactly with what you defined in openswan.
> > So in your example they would be set to 192.168.1.0/255.255.255.0
> > 
> > You don't need DH 2 set in the phase one.
> > Sticking with DH 5 works properly.
> > 
> > Regards,
> > 
> > ----------
> > Jim Barber
> > DDI Health
> > 
> > 
> > Rhys Johnson wrote:
> > > Hello
> > > I am trying to set up a VPN between 2 firewall machines with private
> > > subnets behind them. I have a linux box running openswan2.2 and a
> > > Fortigate firewall running IPSEC. I am trying to connect from the
> > > fortigate to the linux box, however the connection is failing on error.
> > > The fortigate is set up as follows
> > > Phase 1:
> > > 	Local IP: 221.133.201.34
> > > 	Remote IP: 58.6.14.254
> > > 	Main mode
> > > 	PSK
> > > 	Accept any peer id
> > > 	Encryption/Authentication. try 3DES-MD5, 3DES-SHA1
> > > 	DH groups 2 and 5
> > > 	Disable XAUTH
> > > Phase 2:
> > > 	Enable PFS
> > > 	DH group 5
> > > 
> > > The linux box has the following configuration
> > > ipsec.conf
> > > -----------------------------------
> > > config setup
> > >         # Debug-logging controls:
> > >         klipsdebug=none
> > >         plutodebug="all"
> > > 
> > > conn fortigate
> > >      auto=add
> > >      left=58.6.14.254
> > >      leftsubnet=192.168.100.0/24
> > >      leftid=@home
> > >      right=221.133.201.34
> > >      rightsubnet=192.168.1.0/24
> > >      rightid=%any
> > >      keyingtries=0
> > >      pfs=yes
> > >      auth=esp
> > >      authby=secret
> > > ------------------------------
> > > 
> > > ipsec.secrets
> > > -----------------
> > > @home 221.133.201.34 58.6.14.254: PSK "************"
> > > -----------------
> > > 
> > > The error I receive on the Fortigate from the linux box is:
> > > 
> > > 2006-08-21 15:58:53 error negotiate Received error notification from
> > > peer: INVALID_ID_INFORMATION type=event subtype=ipsec pri=error
> > > loc_ip=221.133.201.34 loc_port=500 rem_ip=58.6.14.254 rem_port=500
> > > out_if=wan1 vpn_tunnel=Caldwell_VPN
> > > cookies=8f1a03ec12122b32/0d4f5c4330f10e82 action=negotiate
> > > status=negotiate_error msg="Received error notification from peer:
> > > INVALID_ID_INFORMATION" negotiate_error 
> > > 
> > > What does this error mean?
> -- 
> Kind regards
> 
> Rhys Johnson
> SystemX Pty Ltd
> Ph:  08 9421 8009
> Fax: 08 9421 8055
> Email: rhys at systemx.com.au 
> 
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan: 
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> 
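Putting the three replies together, this is what Rhys's ipsec.conf and ipsec.secrets look like with Jim's and Andy's suggestions applied. It is an added example assembled for this page, not a configuration anyone posted in the thread. It assumes the inside address of the Linux box is 192.168.100.1 (not given in the thread) and that the Fortigate keeps the phase 1 (3DES, SHA1, DH group 5, PSK, main mode) and phase 2 (PFS, DH group 5) settings Rhys described. The ike= and pfsgroup= lines are additions that pin Openswan to that offer (DH group 5 is modp1536 in Openswan syntax); 3DES, MD5/SHA1 and a 1536-bit group are weak by current standards and appear here only because that is what the peer in this thread was configured for.

```ini
# /etc/ipsec.conf  (added example: Rhys's config with the thread's fixes applied)
config setup
        klipsdebug=none
        # Andy: plutodebug="all" floods the log; keep it off unless you are
        # actively chasing a negotiation problem.
        plutodebug=none

conn fortigate
     auto=add
     # Jim: no leftid/rightid. The Fortigate accepts any peer ID and both
     # ends then identify by IP address, which also changes the ipsec.secrets
     # index line below.
     left=58.6.14.254
     leftsubnet=192.168.100.0/24
     # Andy: pluto must know the gateway toward the peer, otherwise the
     # "ip route add 192.168.1.0/24 via 221.133.201.34" it issues fails with
     # "Network is unreachable". %defaultroute takes it from the routing table.
     leftnexthop=%defaultroute
     # Andy: source address for traffic that originates on this box, so it
     # falls inside leftsubnet and matches the Fortigate policy.
     # 192.168.100.1 is an assumed inside address, not from the thread.
     leftsourceip=192.168.100.1
     right=221.133.201.34
     # Jim: the Fortigate policy addresses must match these exactly,
     # i.e. 192.168.1.0/255.255.255.0 and 192.168.100.0/255.255.255.0.
     rightsubnet=192.168.1.0/24
     keyingtries=0
     authby=secret
     auth=esp
     # Jim: required when the Fortigate proposes 3DES in phase 2; without it
     # the peer logs INVALID_ID_INFORMATION.
     esp=3des
     # Added here, not in the thread: pin phase 1 to the Fortigate's
     # 3DES/SHA1/DH group 5 proposal (Jim: DH 5 works, DH 2 is not needed).
     ike=3des-sha1-modp1536
     pfs=yes
     # Added here: the Fortigate phase 2 has PFS enabled with DH group 5.
     pfsgroup=modp1536

# /etc/ipsec.secrets  (added example; indexed by IP once leftid=@home is gone)
58.6.14.254 221.133.201.34: PSK "replace-with-the-shared-secret"
```

Before hard-coding anything for leftnexthop, confirm what the kernel already uses to reach the peer with `ip route get 221.133.201.34`; the "via" address it prints is the next hop %defaultroute will resolve to. After editing, reload the connection with `ipsec auto --replace fortigate` and bring it up with `ipsec auto --up fortigate`, then check that the 192.168.1.0/24 route appeared with `ip route`.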


