[Openswan Users] Setting up VPN between Linux box and Fortigate firewall

Rhys Johnson rhys at systemx.com.au
Wed Aug 23 04:42:41 EDT 2006


OK, I can ping from both sides now. However, how can I ensure that only
traffic destined for the remote subnet will be encrypted? All other
traffic should proceed out the default gateway as normal.

My routing table is
Destination     Gateway         Genmask         Flags Metric Iface
202.72.174.24   0.0.0.0         255.255.255.252 U     0       eth1
192.168.102.0   0.0.0.0         255.255.255.0   U     0       eth0
192.168.1.0     202.72.174.25   255.255.255.0   UG    0       eth1
0.0.0.0         202.72.174.25   0.0.0.0         UG    0       eth1

I added the interfaces="ipsec0=eth1" line to my ipsec.conf to get
openswan to manage only packets heading out the ipsec0 interface, thus
leaving web traffic out eth1 alone.
============================
config setup
        klipsdebug=none
        interfaces="ipsec0=eth1"

# Add connections here
conn fortigate
     auto=start
     left=202.72.174.26
     leftsubnet=192.168.102.0/24
     leftnexthop=202.72.174.25
     leftsourceip=192.168.102.1
     right=221.133.201.34
     rightsubnet=192.168.1.0/24
     keyingtries=0
     pfs=yes
     auth=esp
     esp=3des
     authby=secret
===============================
I restarted ipsec but it won't add a new route for ipsec0. What am I
doing wrong?

I also added the following firewall rule so that packets to the remote
subnet weren't NATed:
# Masquerade the connection out eth1, except traffic for the remote VPN subnet
iptables -t nat -A POSTROUTING -o $EXTERNAL_IF ! -d 192.168.1.0/24 \
    -j SNAT --to-source $EXTERNAL_IP

Cheers
Rhys

On Tue, 2006-08-22 at 12:49 -0400, Andy Gay wrote:
> On Tue, 2006-08-22 at 15:15 +0800, Rhys Johnson wrote:
> > Thanks Jim
> > I made the changes you suggested and the tunnel is now up! I can ping
> > out from the 192.168.1.0/24 network behind the fortigate. However I
> > can't ping from the linux box side running openswan. I allow all pings
> > from 192.168.100.0/24 through the fortigate. The error I am getting on
> > the linux box is:
> > 
> > Aug 22 14:44:56 localhost pluto[15850]: "fortigate" #2: route-client
> > output: /usr/lib/ipsec/_updown: doroute `ip route add 192.168.1.0/24 via
> > 221.133.201.34 dev eth1 ' failed (RTNETLINK answers: Network is
> > unreachable)
> > 
> > Any ideas what would be stopping this route from being created?
> 
> Add a leftnexthop= setting. You need to set it to the address of the
> next hop gateway, probably your default gateway. You can use
> leftnexthop=%defaultroute in that case, I think. Or just change left= to
> left=%defaultroute .
> 
> You'll probably want to set leftsourceip= as well, set that to your
> inside address on leftsubnet.
> 
> You really don't want plutodebug="all"....
> 
> 
> > 
> > Cheers
> > Rhys
> > 
> > 
> > On Tue, 2006-08-22 at 07:13 +0800, Jim Barber wrote:
> > > I have exactly the same as this setup working fine.
> > > I don't specify the leftid or rightid parameters at all.
> > > With the fortigate set up to use 3des you need to add the following parameter to your openswan connection definition.
> > > 
> > > 	esp=3des
> > > 
> > > Without the above I also got the exact same error.
> > > 
> > > Also in the addresses that you defined in your fortigate policy area, make sure these match exactly with what you defined in openswan.
> > > So in your example they would be set to 192.168.1.0/255.255.255.0
> > > 
> > > You don't need DH 2 set in the phase one.
> > > Sticking with DH 5 works properly.
> > > 
> > > Regards,
> > > 
> > > ----------
> > > Jim Barber
> > > DDI Health
> > > 
> > > 
> > > Rhys Johnson wrote:
> > > > Hello
> > > > I am trying to set up a VPN between 2 firewall machines with private
> > > > subnets behind them. I have a Linux box running openswan2.2 and a
> > > > Fortigate firewall running IPSEC. I am trying to connect from the
> > > > fortigate to the linux box, however the connection is failing with an error.
> > > > The fortigate is set up as follows
> > > > Phase 1:
> > > > 	Local IP: 221.133.201.34
> > > > 	Remote IP: 58.6.14.254
> > > > 	Main mode
> > > > 	PSK
> > > > 	Accept any peer id
> > > > 	Encryption/Authentication: try 3DES-MD5, 3DES-SHA1
> > > > 	DH groups 2 and 5
> > > > 	Disable XAUTH
> > > > Phase 2:
> > > > 	Enable PFS
> > > > 	DH group 5
> > > > 
> > > > The linux box has the following configuration
> > > > ipsec.conf
> > > > -----------------------------------
> > > > config setup
> > > >         # Debug-logging controls:
> > > >         klipsdebug=none
> > > >         plutodebug="all"
> > > > 
> > > > conn fortigate
> > > >      auto=add
> > > >      left=58.6.14.254
> > > >      leftsubnet=192.168.100.0/24
> > > >      leftid=@home
> > > >      right=221.133.201.34
> > > >      rightsubnet=192.168.1.0/24
> > > >      rightid=%any
> > > >      keyingtries=0
> > > >      pfs=yes
> > > >      auth=esp
> > > >      authby=secret
> > > > ------------------------------
> > > > 
> > > > ipsec.secrets
> > > > -----------------
> > > > @home 221.133.201.34 58.6.14.254: PSK "************"
> > > > -----------------
> > > > 
> > > > The error I receive on the Fortigate from the linux box is:
> > > > 
> > > > 2006-08-21 15:58:53 error negotiate Received error notification from
> > > > peer: INVALID_ID_INFORMATION type=event subtype=ipsec pri=error
> > > > loc_ip=221.133.201.34 loc_port=500 rem_ip=58.6.14.254 rem_port=500
> > > > out_if=wan1 vpn_tunnel=Caldwell_VPN
> > > > cookies=8f1a03ec12122b32/0d4f5c4330f10e82 action=negotiate
> > > > status=negotiate_error msg="Received error notification from peer:
> > > > INVALID_ID_INFORMATION" negotiate_error 
> > > > 
> > > > What does this error mean?
> > -- 
> > Kind regards
> > 
> > Rhys Johnson
> > SystemX Pty Ltd
> > Ph:  08 9421 8009
> > Fax: 08 9421 8055
> > Email: rhys at systemx.com.au 
> > 
> > 
> 
-- 
Kind regards

Rhys Johnson
SystemX Pty Ltd
Ph:  08 9421 8009
Fax: 08 9421 8055
Email: rhys at systemx.com.au 
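Added example, not from the thread: given the routing table and the SNAT rule posted above, this script does the kernel's longest-prefix route lookup for a few destinations and shows whether the NAT exemption for the remote subnet applies. The routing table text is a constructed copy of the one in the post; the destination addresses are made up.

```python
import ipaddress

# Routing table as posted in the thread (netstat -rn style, constructed copy)
ROUTING_TABLE = """\
202.72.174.24   0.0.0.0         255.255.255.252 U     0       eth1
192.168.102.0   0.0.0.0         255.255.255.0   U     0       eth0
192.168.1.0     202.72.174.25   255.255.255.0   UG    0       eth1
0.0.0.0         202.72.174.25   0.0.0.0         UG    0       eth1
"""

# Subnet behind the Fortigate: must go through the tunnel and must not be SNATed
REMOTE_SUBNET = ipaddress.ip_network("192.168.1.0/24")


def parse_routes(text):
    """Return a list of (network, gateway, iface) from netstat -rn style lines."""
    routes = []
    for line in text.splitlines():
        dest, gw, mask, _flags, _metric, iface = line.split()
        routes.append((ipaddress.ip_network(f"{dest}/{mask}"), gw, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match over the table, as the kernel's route lookup does."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best


def nat_decision(dst):
    """Model of the POSTROUTING rule: SNAT everything except the remote subnet."""
    return "bypass" if ipaddress.ip_address(dst) in REMOTE_SUBNET else "SNAT"


def classify(routes, dst):
    """Route and NAT outcome for one destination address."""
    net, gw, iface = lookup(routes, dst)
    return {"route": str(net), "gateway": gw, "iface": iface, "nat": nat_decision(dst)}


if __name__ == "__main__":
    table = parse_routes(ROUTING_TABLE)
    for dst in ("192.168.1.10", "202.72.174.25", "198.51.100.7"):
        print(dst, classify(table, dst))
```

With this table the remote subnet is reached out eth1 via the same gateway as the default route, so the routing table alone does not single out tunnel traffic; the SNAT exemption is what keeps packets for 192.168.1.0/24 carrying their private source address.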


