[Openswan Users] setting up openswan with fortigate
Julien Garnier
Julien.garnier4 at free.fr
Wed Jan 23 09:24:54 EST 2008
Hi everybody,
I'm trying to set up a connection between my Linux server and the FortiGate at work.
I first set up the FortiGate like this:
Firewall: new address:
julien_maison 192.168.10.1/255.255.255.0
Phase 1: Julien_Maison
IP: house_ip
mode: main
Auth method: preshared key: mo2passe
Accept all
3DES-SHA1
3DES-MD5
DH group 5 (28800s lifetime)
XAuth: deactivated
NAT traversal: active (5s keepalive)
DPD active
Phase 2: Julien_maison
concentrator: none
3DES-SHA1
3DES-MD5
replay detection: active
PFS: active
DH group 5 (1800s lifetime)
No timeout
Use default firewall rules
New firewall rule:
I->E source: St-Dizier  dest: julien_maison, always, any, encrypt
******************
On the Linux box:
ipsec.conf:
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
    nat_traversal=yes
    nhelpers=0
include /etc/ipsec.d/*.conf
# (this includes no_oe.conf and magasin.conf)
*****************
ipsec.secret:
: RSA /etc/ipsec.d/private/gaiaKey.pem
@home "193.251.xxx.xxx" "82.238.xxx.xxx": PSK "mo2passe"
*******************
magasin.conf
conn magasin
    auto=add
    # left side is home
    left=82.238.xxx.xxx
    leftsubnet=192.168.10.0/24
    leftid=@home
    # right side is work
    # set right to the VPN remote gateway
    right=193.251.xxx.xxx
    # set rightsubnet to the remote network
    rightsubnet=10.52.158.0/24
    keyexchange=ike
    auth=esp
    #auto=start
    authby=secret
    # specify the encryption the FortiGate VPN uses
    esp=3des
    # perfect forward secrecy (default yes)
    #pfs=no
    # optionally enable compression
    compress=yes
*************************
I add my tunnel:
/usr/sbin/ipsec auto --add magasin
Start my tunnel:
/usr/sbin/ipsec auto --up magasin
022 "magasin": We cannot identify ourselves with either end of this connection.
Log of Openswan:
/usr/sbin/ipsec auto --status
000 interface lo/lo ::1
000 interface eth0/eth0 2a01:5d8:.....
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.10.10
000 interface eth0/eth0 192.168.10.10
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "block": 192.168.10.10[%myid]---192.168.10.1...%group; unrouted; eroute owner: #0
000 "block": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "block": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "block": policy: TUNNEL+PFS+GROUP+GROUTED+REJECT+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0;
000 "block": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear": 192.168.10.10[%myid]---192.168.10.1...%group; unrouted; eroute owner: #0
000 "clear": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "clear": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "clear": policy: TUNNEL+PFS+GROUP+GROUTED+PASS+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0;
000 "clear": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear-or-private": 192.168.10.10[%myid]---192.168.10.1...%opportunisticgroup; unrouted; eroute owner: #0
000 "clear-or-private": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "clear-or-private": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "clear-or-private": policy: RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC+GROUP+GROUTED+PASS+failurePASS+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0;
000 "clear-or-private": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "magasin": 192.168.10.0/24===82.238.xxx.xxx[@home]...193.251.xxx.xxx===10.52.158.0/24; unrouted; eroute owner: #0
000 "magasin": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "magasin": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "magasin": policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS; prio: 24,24; interface: ;
000 "magasin": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "magasin": ESP algorithms wanted: 3_000-1, 3_000-2, flags=strict
000 "magasin": ESP algorithms loaded: 3_000-1, 3_000-2, flags=strict
000 "packetdefault": 0.0.0.0/0===192.168.10.10[%myid]---192.168.10.1...%opportunistic; prospective erouted; eroute owner: #0
000 "packetdefault": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "packetdefault": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "packetdefault": policy: RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC+failurePASS+lKOD+rKOD; prio: 0,0; interface: eth0;
000 "packetdefault": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "private": 192.168.10.10[%myid]---192.168.10.1...%opportunisticgroup; unrouted; eroute owner: #0
000 "private": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "private": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "private": policy: RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC+GROUP+GROUTED+failureDROP+lKOD+rKOD; prio: 32,0; interface: eth0;
000 "private": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "private-or-clear": 192.168.10.10[%myid]---192.168.10.1...%opportunisticgroup; unrouted; eroute owner: #0
000 "private-or-clear": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "private-or-clear": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "private-or-clear": policy: RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC+GROUP+GROUTED+failurePASS+lKOD+rKOD; prio: 32,0; interface: eth0;
000 "private-or-clear": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "private-or-clear#0.0.0.0/0": 192.168.10.10[%myid]---192.168.10.1...%opportunistic; prospective erouted; eroute owner: #0
000 "private-or-clear#0.0.0.0/0": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "private-or-clear#0.0.0.0/0": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "private-or-clear#0.0.0.0/0": policy: RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC+failurePASS+lKOD+rKOD; prio: 32,0; interface: eth0;
000 "private-or-clear#0.0.0.0/0": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000
000 192.168.10.10/32:0 -0-> 193.49.xxx.xxx/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no KEY record for gaia.
000 192.168.10.10/32:0 -0-> 64.233.xxx.xxx/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no KEY record for gaia.
000 192.168.10.10/32:0 -0-> 192.168.10.1/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): failure querying DNS for KEY of gaia.: Host name lookup failure
After that, DNS resolution doesn't work:
ping google.com
connect: Resource temporarily unavailable
If I remove the tunnel, DNS resolution comes back:
/usr/sbin/ipsec auto --delete magasin
ping google.com
PING google.com (64.233.167.99) 56(84) bytes of data.
64 bytes from py-in-f99.google.com (64.233.167.99): icmp_seq=2 ttl=237 time=187 ms
Thanks in advance for your help.
Juju
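Added example, not part of Julien's post and not Openswan code: a small Python checker for the two symptoms visible in the status output above. Pluto "orients" a conn only when left= or right= is one of its own interface addresses (or %defaultroute / %any); with the interfaces listed as 127.0.0.1 and 192.168.10.10 and both ends of "magasin" set to public addresses, the conn shows `interface: ;` and `--up` reports that it cannot identify itself. The opportunistic-encryption conns ("packetdefault", "private-or-clear#0.0.0.0/0") show `%opportunistic` and `prospective erouted`, meaning a trap eroute is installed and every new destination first triggers the DNS KEY/TXT lookups seen in the %pass lines. The ipsec.conf text and status lines below are constructed samples modelled on the post, with 82.238.0.1 and 193.251.0.2 standing in for the xxx'd addresses.

```python
"""Offline checks for an Openswan conn: can pluto orient it, and are
opportunistic-encryption traps active?  Sample inputs are constructed."""
import re

# Constructed ipsec.conf; 82.238.0.1 / 193.251.0.2 stand in for the xxx'd addresses.
SAMPLE_CONF = """\
version 2.0
config setup
    nat_traversal=yes

conn magasin
    auto=add
    left=82.238.0.1
    leftsubnet=192.168.10.0/24
    leftid=@home
    right=193.251.0.2
    rightsubnet=10.52.158.0/24
    authby=secret
    esp=3des
"""

# Constructed `ipsec auto --status` lines (unwrapped, IPv6 interface omitted).
SAMPLE_STATUS = """\
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.10.10
000 "magasin": 192.168.10.0/24===82.238.0.1[@home]...193.251.0.2===10.52.158.0/24; unrouted; eroute owner: #0
000 "magasin": policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS; prio: 24,24; interface: ;
000 "packetdefault": 0.0.0.0/0===192.168.10.10[%myid]---192.168.10.1...%opportunistic; prospective erouted; eroute owner: #0
000 "private-or-clear": 192.168.10.10[%myid]---192.168.10.1...%opportunisticgroup; unrouted; eroute owner: #0
000 "private-or-clear#0.0.0.0/0": 192.168.10.10[%myid]---192.168.10.1...%opportunistic; prospective erouted; eroute owner: #0
"""

SECTION_RE = re.compile(r"^(conn|config)\s+(\S+)\s*$")
TRAP_RE = re.compile(r'^000 "([^"]+)":.*%opportunistic.*prospective erouted')


def parse_ipsec_conf(text):
    """Return {section: {key: value}}; 'config setup' is stored under 'setup'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        m = SECTION_RE.match(line)                # section headers start in column 0
        if m:
            current = m.group(2)
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def interface_addrs(status_text):
    """Addresses pluto listens on, taken from the '000 interface' lines."""
    return {l.split()[3] for l in status_text.splitlines()
            if l.startswith("000 interface ")}


def orient(conn, local_addrs):
    """'left' or 'right' for the end pluto can treat as itself, else None."""
    for end in ("left", "right"):
        host = conn.get(end, "")
        if host in ("%defaultroute", "%any") or host in local_addrs:
            return end
    return None


def oe_traps(status_text):
    """Names of conns whose opportunistic-encryption trap eroute is installed."""
    return sorted({m.group(1) for m in map(TRAP_RE.match, status_text.splitlines()) if m})


def check(conf_text, status_text):
    """Return human-readable findings for the conf/status pair."""
    findings = []
    local = interface_addrs(status_text)
    for name, conn in parse_ipsec_conf(conf_text).items():
        if name != "setup" and orient(conn, local) is None:
            findings.append(
                f"{name}: neither left={conn.get('left')} nor right={conn.get('right')} "
                f"is a local address {sorted(local)}; a NATed host should use "
                f"left=%defaultroute and keep leftid= as its identity")
    for name in oe_traps(status_text):
        findings.append(f"{name}: opportunistic-encryption trap is active; every new "
                        f"destination triggers a DNS KEY/TXT lookup (include no_oe.conf "
                        f"so these conns get auto=ignore)")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_CONF, SAMPLE_STATUS):
        print(finding)
```

Run against real files, feed the output of `ipsec auto --status` and the contents of ipsec.conf (plus anything it includes) to `check()`; the orientation rule is what pluto applies, so a conn that this reports as unoriented will fail `--up` the same way.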