[Openswan Users] Setting up VPN between Linux box and Fortigate firewall

Jim Barber jim.barber at ddihealth.com
Sun Aug 27 22:35:10 EDT 2006


It's interesting that you needed to specify the nexthop parameters.
I didn't need to.
My complete config is as follows:

	version 2.0

	config setup
		virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.128.0.0/16

	conn fortigate
		auto=start
		authby=secret
		compress=yes
		esp=3des
		keyingtries=0
		left=X.X.X.X
		leftsourceip=10.128.0.1
		leftsubnet=10.128.0.0/16
		right=Y.Y.Y.Y
		rightsubnet=192.168.252.0/22

Where X.X.X.X is the external IP address of my Linux host with a 10.128.0.0/16 network behind it and 10.128.0.1 bound to one of its interfaces.
Y.Y.Y.Y is the external IP address of the fortigate unit and has a 192.168.252.0/22 network behind it.

Note the above is the result of me combining sections together into one to simplify for this message.
I actually have 'conn %default' section with common settings, and multiple definitions for accessing different subnet ranges that are behind the fortigate device.
These definitions are using something like 'also=fortigate-common' to include the parts that are common to all.

I'm not sure if I need the virtual_private setting or not.
It is still there from when I was playing with road-warrior setups, but I figure there's no harm in leaving it and specifying within it to exclude my own private address space (10.128.0.0/16).

I'm using NETKEY so there are no separate ipsecX interfaces created.
As others have already mentioned, the traffic that gets encrypted is completely controlled by the IPsec policy that you define in your config.
This also goes for routes, etc. You never explicitly add routes.
Any subnets you need to reach on the other side will need an IPsec phase2 config set up.

As you stated you also need the correct firewall rules in place to allow this to work.
I no longer use iptables directly as I found it started to get unwieldy maintaining all of the rules after a while.
I now use shorewall which was quite easy to set up.

----------
Jim Barber
DDI Health


Rhys Johnson wrote:
> Ok I can ping from both sides now. However how can I ensure that only
> traffic destined for the remote subnet will be encrypted? All other
> traffic should proceed out the default gateway as normal.
> 
> My routing table is
> Destination     Gateway         Genmask         Flags Metric Iface
> 202.72.174.24   0.0.0.0         255.255.255.252 U     0       eth1
> 192.168.102.0   0.0.0.0         255.255.255.0   U     0       eth0
> 192.168.1.0     202.72.174.25   255.255.255.0   UG    0       eth1
> 0.0.0.0         202.72.174.25   0.0.0.0         UG    0       eth1
> 
> I added the interfaces="ipsec0=eth1" line to my ipsec.conf to get
> openswan to only manage packets heading out the ipsec0 interface. Thus
> leaving web traffic out eth1 alone.
> ============================
> config setup       
>         klipsdebug=none
>         interfaces="ipsec0=eth1"
> 
> # Add connections here
> conn fortigate
>      auto=start
>      left=202.72.174.26
>      leftsubnet=192.168.102.0/24
>      leftnexthop=202.72.174.25
>      leftsourceip=192.168.102.1
>      right=221.133.201.34
>      rightsubnet=192.168.1.0/24
>      keyingtries=0
>      pfs=yes
>      auth=esp
>      esp=3des
>      authby=secret
> ===============================
> I restarted ipsec but it won't add a new route for ipsec0. What am I
> doing wrong?
> 
> I also added the following firewall rule so that packets to the remote
> subnet weren't NATed
> # Masquerade the connection out eth1
> iptables -t nat -A POSTROUTING -o $EXTERNAL_IF ! -d 192.168.1.0/24 -j SNAT --to-source $EXTERNAL_IP
> 
> Cheers
> Rhys
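An added example, not code from either poster: a small Python tool that expands a 'conn %default' / 'also=' layout like the one Jim describes into the (leftsubnet, rightsubnet) selector pairs that NETKEY will actually encrypt, and derives the nat/POSTROUTING exemptions Rhys's SNAT rule needs once there is more than one remote subnet. The conf text, the $EXTERNAL_IF/$EXTERNAL_IP placeholders, and the assumption that a key set directly in a conn wins over one pulled in via also= are all constructed for the example.

```python
from ipaddress import ip_network
# Constructed ipsec.conf in the shape the message describes (not the poster's
# real file): 'conn %default' plus per-subnet conns sharing an 'also=' section.
SAMPLE_CONF = """\
conn %default
\tauthby=secret
conn fortigate-common
\tleft=X.X.X.X
\tleftsubnet=10.128.0.0/16
conn fortigate-lan
\talso=fortigate-common
\trightsubnet=192.168.252.0/22
\tauto=start
conn fortigate-dmz
\talso=fortigate-common
\trightsubnet=192.168.250.0/24
\tauto=start
"""

def parse_sections(text):
    """Section name -> {key: value} for each 'conn NAME' / 'config setup' block."""
    sections, cur = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if not line[0].isspace():  # unindented line starts a section ('version' is skipped)
            kind, _, name = line.partition(' ')
            cur = sections.setdefault(name.strip(), {}) if kind in ('conn', 'config') else None
        elif cur is not None:
            key, _, val = line.strip().partition('=')
            cur[key.strip()] = val.strip()
    return sections

def resolve(sections, name):
    """Expand a conn: '%default' < 'also=' include < its own keys (assumed precedence)."""
    merged = dict(sections.get('%default', {}))
    if 'also' in sections[name]:
        merged.update(resolve(sections, sections[name]['also']))
    merged.update({k: v for k, v in sections[name].items() if k != 'also'})
    return merged

def encrypted_pairs(sections):
    """(conn, leftsubnet, rightsubnet) per loaded conn: under NETKEY these selectors alone decide what is encrypted."""
    conns = {n: resolve(sections, n) for n in sections if n != '%default'}
    return [(n, ip_network(c['leftsubnet']), ip_network(c['rightsubnet']))
            for n, c in conns.items() if c.get('auto') in ('add', 'route', 'start')]

def nat_exclusions(pairs, ext_if='$EXTERNAL_IF', ext_ip='$EXTERNAL_IP'):
    """Exempt every remote subnet from SNAT before the catch-all rule (one '! -d' only covers one subnet)."""
    return [f'iptables -t nat -A POSTROUTING -o {ext_if} -d {r} -j ACCEPT' for _, _, r in pairs] \
        + [f'iptables -t nat -A POSTROUTING -o {ext_if} -j SNAT --to-source {ext_ip}']
```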
