[Openswan Users] Setting up VPN between Linux box and Fortigate firewall

Andy Gay andy at andynet.net
Wed Aug 23 11:17:34 EDT 2006


On Wed, 2006-08-23 at 16:42 +0800, Rhys Johnson wrote:
> Ok I can ping from both sides now. However how can I ensure that only
> traffic destined for the remote subnet will be encrypted? All other
> traffic should proceed out the default gateway as normal.
> 
As Paul has explained, your IPsec policy determines that, not your
routing tables.
All packets are matched against IPsec policy *before* they're routed.
Usually that match just looks at the source and destination addresses.
If the addresses match an active IPsec policy then the packets are
encrypted, otherwise they're not. The active IPsec policies are
determined by the left/right subnets in your connections.


> My routing table is
> Destination     Gateway         Genmask         Flags Metric Iface
> 202.72.174.24   0.0.0.0         255.255.255.252 U     0       eth1
> 192.168.102.0   0.0.0.0         255.255.255.0   U     0       eth0
> 192.168.1.0     202.72.174.25   255.255.255.0   UG    0       eth1
> 0.0.0.0         202.72.174.25   0.0.0.0         UG    0       eth1
> 
> I added the interfaces="ipsec0=eth1" line to my ipsec.conf to get
> openswan to only manage packets heading out the ipsec0 interface. Thus
> leaving web traffic out eth1 alone.

You don't have an ipsec0 interface - you only get that if you use KLIPS,
you're using netkey. Which should be adequate for your needs.

The route to 192.168.1.0 via eth1 is the one that Openswan put there.
It's not strictly necessary, since your default route will suffice. But
more complex routing setups do need it, so the standard updown script
always adds it.


> ============================
> config setup       
>         klipsdebug=none
>         interfaces="ipsec0=eth1"
> 
> # Add connections here
> conn fortigate
>      auto=start
>      left=202.72.174.26
>      leftsubnet=192.168.102.0/24
>      leftnexthop=202.72.174.25
>      leftsourceip=192.168.102.1
>      right=221.133.201.34
>      rightsubnet=192.168.1.0/24
>      keyingtries=0
>      pfs=yes
>      auth=esp
>      esp=3des
>      authby=secret
> ===============================
> I restarted ipsec but it won't add a new route for ipsec0. What am I
> doing wrong?

All looks OK to me. I suspect there's nothing wrong, except you're
expecting an ipsec0 when there isn't one. Is something not working? You
told us you can ping from both sides. What more do you need?

> 
> I also added the following firewall rule so that packets to the remote
> subnet weren't NATed
> # Masquerade the connection out eth1
> iptables -t nat -A POSTROUTING -o $EXTERNAL_IF -d ! 192.168.1.0/24 -j
> SNAT --to-source $EXTERNAL_IP
> 
> Cheers
> Rhys
> 
> On Tue, 2006-08-22 at 12:49 -0400, Andy Gay wrote:
> > On Tue, 2006-08-22 at 15:15 +0800, Rhys Johnson wrote:
> > > Thanks Jim
> > > I made the changes you suggested and the tunnel is now up! I can ping
> > > out from the 192.168.1.0/24 network behind the fortigate. However I
> > > can't ping from the linux box side running openswan. I allow all pings
> > > from 192.168.100.0/24 through the fortigate. The error I am getting on
> > > the linux box is:
> > > 
> > > Aug 22 14:44:56 localhost pluto[15850]: "fortigate" #2: route-client
> > > output: /usr/lib/ipsec/_updown: doroute `ip route add 192.168.1.0/24 via
> > > 221.133.201.34 dev eth1 ' failed (RTNETLINK answers: Network is
> > > unreachable)
> > > 
> > > Any ideas what would be stopping this route from being created?
> > 
> > Add a leftnexthop= setting. You need to set it to the address of the
> > next hop gateway, probably your default gateway. You can use
> > leftnexthop=%defaultroute in that case, I think. Or just change left= to
> > left=%defaultroute .
> > 
> > You'll probably want to set leftsourceip= as well, set that to your
> > inside address on leftsubnet.
> > 
> > You really don't want plutodebug="all"....
> > 
> > 
> > > 
> > > Cheers
> > > Rhys
> > > 
> > > 
> > > On Tue, 2006-08-22 at 07:13 +0800, Jim Barber wrote:
> > > > I have exactly the same as this setup working fine.
> > > > I don't specify the leftid or rightid parameters at all.
> > > > With the fortigate set up to use 3des you need to add the following parameter to your openswan connection definition.
> > > > 
> > > > 	esp=3des
> > > > 
> > > > Without the above I also got the exact same error.
> > > > 
> > > > Also in the addresses that you defined in your fortigate policy area, make sure these match exactly with what you defined in openswan.
> > > > So in your example they would be set to 192.168.1.0/255.255.255.0
> > > > 
> > > > You don't need DH 2 set in the phase one.
> > > > Sticking with DH 5 works properly.
> > > > 
> > > > Regards,
> > > > 
> > > > ----------
> > > > Jim Barber
> > > > DDI Health
> > > > 
> > > > 
> > > > Rhys Johnson wrote:
> > > > > Hello
> > > > > I am trying to set up a VPN between 2 firewall machines with private
> > > > > subnets behind them. A have a linux box running openswan2.2 and a
> > > > > Fortigate firewall running IPSEC. I am trying to connect from the
> > > > > fortigate to the linux box, however the connection is failing on error.
> > > > > The fortigate is set up as follows
> > > > > Phase 1:
> > > > > 	Local IP: 221.133.201.34
> > > > > 	Remote IP: 58.6.14.254
> > > > > 	Main mode
> > > > > 	PSK
> > > > > 	Accept any peer id
> > > > > 	Encryption/Authentication. try 3DES-MD5, 3DES-SHA1
> > > > > 	DH groups 2 and 5
> > > > > 	Disable XAUTH
> > > > > Phase 2:
> > > > > 	Enable PFS
> > > > > 	DH group 5
> > > > > 
> > > > > The linux box has the following configuration
> > > > > ipsec.conf
> > > > > -----------------------------------
> > > > > config setup
> > > > >         # Debug-logging controls:
> > > > >         klipsdebug=none
> > > > >         plutodebug="all"
> > > > > 
> > > > > conn fortigate
> > > > >      auto=add
> > > > >      left=58.6.14.254
> > > > >      leftsubnet=192.168.100.0/24
> > > > >      leftid=@home
> > > > >      right=221.133.201.34
> > > > >      rightsubnet=192.168.1.0/24
> > > > >      rightid=%any
> > > > >      keyingtries=0
> > > > >      pfs=yes
> > > > >      auth=esp
> > > > >      authby=secret
> > > > > ------------------------------
> > > > > 
> > > > > ipsec.secrets
> > > > > -----------------
> > > > > @home 221.133.201.34 58.6.14.254: PSK "************"
> > > > > -----------------
> > > > > 
> > > > > The error I receive on the Fortigate from the linux box is:
> > > > > 
> > > > > 2006-08-21 15:58:53 error negotiate Received error notification from
> > > > > peer: INVALID_ID_INFORMATION type=event subtype=ipsec pri=error
> > > > > loc_ip=221.133.201.34 loc_port=500 rem_ip=58.6.14.254 rem_port=500
> > > > > out_if=wan1 vpn_tunnel=Caldwell_VPN
> > > > > cookies=8f1a03ec12122b32/0d4f5c4330f10e82 action=negotiate
> > > > > status=negotiate_error msg="Received error notification from peer:
> > > > > INVALID_ID_INFORMATION" negotiate_error 
> > > > > 
> > > > > What does this error mean?
> > > -- 
> > > Kind regards
> > > 
> > > Rhys Johnson
> > > SystemX Pty Ltd
> > > Ph:  08 9421 8009
> > > Fax: 08 9421 8055
> > > Email: rhys at systemx.com.au 
> > > 
> > > _______________________________________________
> > > Users at openswan.org
> > > http://lists.openswan.org/mailman/listinfo/users
> > > Building and Integrating Virtual Private Networks with Openswan: 
> > > http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> > > 
> > 
> -- 
> Kind regards
> 
> Rhys Johnson
> SystemX Pty Ltd
> Ph:  08 9421 8009
> Fax: 08 9421 8055
> Email: rhys at systemx.com.au 
> 
> 



More information about the Users mailing list