[Openswan Users] Tunnel Up But Not Passing Traffic Openswan to Fortigate VPN Firewall

Robyn Orosz rorosz at gmail.com
Tue Dec 1 12:00:49 EST 2009


Hi There,

I'm still in the process of troubleshooting this issue but wanted to throw
this out there in case anyone's ever run into a similar issue and solved it
somehow:

I have an established IPSec tunnel between a Linux box running Openswan
U2.4.12 on 2.6.26 to a Fortigate FG1000A VPN firewall.  The tunnel appears
to be up but it does not pass traffic.  I can send a ping from the Openswan
side to the Fortigate local network and I see the ESP packets leaving the
Linux box on the outside interface but they either don't reach the Fortigate
box or they reach it and don't get decrypted.  If a ping is sent from the
Fortigate box, I see ESP packets entering the outside interface on the Linux
box but they don't appear to get decrypted either.  There is no NAT or
firewall involved on either end.

I've tried disabling/enabling compression.  With compress=yes, the tunnel
does not come up.  I've tried disabling PFS on both sides.  This makes no
difference.  Here is the Openswan config:

config setup
        interfaces="ipsec0=eth0"
        hidetos=yes
        syslog=local0.debug
        plutodebug="all"
        nhelpers=5
        plutowait=yes

conn clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn private-or-clear
        auto=ignore

conn private
        auto=ignore

conn block
        auto=ignore

conn packetdefault
        auto=ignore

conn Fortigate
        left=Fortigate-Public-IP
        right=Linux-Public-IP
        leftsubnet=172.16.100.0/24
        rightsubnet=172.16.101.0/24
        ike=aes128-sha1-modp1536
        ikelifetime=28800s
        aggrmode=no
        esp=aes256-sha1
        keylife=3600s
        rekeymargin=540s
        type=tunnel
        pfs=no
        compress=no
        authby=secret
        auto=start

Has anyone run into a similar issue before and if so, any idea how to work
around it?  Or, if someone has a working connection between Openswan and a
Fortigate FG1000A, I'd love to know the details. ;-)

I don't currently have access to the Fortigate but can provide details from
it if needed.  Basically, the proposals appear to match as the tunnel is
established.  Also, I have debugging running for Openswan but am unsure of
what to look for.

Thanks a ton!

Robyn
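An added diagnostic for the "ESP arrives but is never decrypted" symptom above; this is example code written for this page, not the poster's script or anything shipped with Openswan. It assumes the Linux side is using the kernel's native IPsec stack (NETKEY, which a stock 2.6.26 kernel has; there is no ipsec0 device in that case, and the `interfaces=` line in the config is a KLIPS setting) and that the kernel was built with CONFIG_XFRM_STATISTICS so that /proc/net/xfrm_stat exists. The LAN address 172.16.100.1 in the usage comment is a hypothetical host inside leftsubnet. The script snapshots the xfrm error counters, sends one ping across the tunnel, snapshots again, and names the stage (no matching SA, failed integrity check/decryption, policy mismatch, and so on) behind each counter that moved; diffing around a single ping keeps other tunnels' noise out of the result.

```shell
#!/bin/sh
# xfrmdiag.sh: locate where a NETKEY (Linux 2.6 xfrm) host is dropping
# tunnel traffic. Compares two snapshots of the kernel's IPsec error
# counters (/proc/net/xfrm_stat, needs CONFIG_XFRM_STATISTICS) taken
# before and after a test ping, and names the stage behind each counter
# that increased. Added example; not code from the original post.

# hint COUNTER: usual meaning of a rising counter, following the kernel's
# Documentation/networking/xfrm_proc.txt descriptions.
hint() {
    case "$1" in
        XfrmInNoStates)        echo "inbound ESP matched no SA: SPI or peer address mismatch, or SA not installed" ;;
        XfrmInStateProtoError) echo "ESP integrity check or decryption failed: key or algorithm mismatch" ;;
        XfrmInStateSeqError)   echo "replay window rejected the packet" ;;
        XfrmInStateMismatch)   echo "decrypted packet did not match the SA's selector" ;;
        XfrmInTmplMismatch)    echo "decrypted packet matched no inbound policy template" ;;
        XfrmInNoPols)          echo "no inbound policy for the decrypted packet: check leftsubnet/rightsubnet" ;;
        XfrmInPolBlock)        echo "inbound policy is block: a block/clear conn is shadowing the tunnel" ;;
        XfrmOutNoStates)       echo "outbound policy matched but no SA exists to encrypt with" ;;
        XfrmOutPolBlock)       echo "outbound policy is block" ;;
        *)                     echo "see Documentation/networking/xfrm_proc.txt" ;;
    esac
}

# delta BEFORE AFTER: print every Xfrm* counter that grew between the two
# snapshot files, with its hint. Use /dev/null as BEFORE for an absolute report.
delta() {
    found=0
    while read -r name value; do
        case "$name" in Xfrm*) ;; *) continue ;; esac
        old=$(awk -v n="$name" '$1 == n { print $2; exit }' "$1")
        old=${old:-0}
        [ "$value" -gt "$old" ] 2>/dev/null || continue
        found=1
        printf '%s +%d: %s\n' "$name" "$((value - old))" "$(hint "$name")"
    done < "$2"
    [ "$found" -eq 1 ] || echo "no new xfrm errors"
}

# probe PEER_LAN_IP: snapshot, ping once across the tunnel, snapshot, diff.
probe() {
    b=$(mktemp) && a=$(mktemp) || return 1
    cat /proc/net/xfrm_stat > "$b"
    ping -c 1 -W 2 "$1" > /dev/null 2>&1
    cat /proc/net/xfrm_stat > "$a"
    delta "$b" "$a"
    rm -f "$a" "$b"
}

# demo: constructed snapshots (not real output from the poster's box)
# showing what a key/algorithm mismatch with the peer looks like.
demo() {
    b=$(mktemp) && a=$(mktemp) || return 1
    printf 'XfrmInError\t0\nXfrmInNoStates\t3\nXfrmInStateProtoError\t0\nXfrmInNoPols\t0\n' > "$b"
    printf 'XfrmInError\t0\nXfrmInNoStates\t3\nXfrmInStateProtoError\t4\nXfrmInNoPols\t0\n' > "$a"
    delta "$b" "$a"
    rm -f "$a" "$b"
}

# Usage: ./xfrmdiag.sh 172.16.100.1   (hypothetical host on the Fortigate LAN)
#        ./xfrmdiag.sh                (no argument: runs the constructed demo)
if [ -n "$1" ] && [ -r /proc/net/xfrm_stat ]; then probe "$1"; else demo; fi
```

Run it while the Fortigate side is also sending pings, and read the result together with `ip -s xfrm state` (the "lifetime current" bytes/packets of the inbound SA only move when a packet was actually decrypted) and `ip xfrm policy` (the selectors must cover 172.16.100.0/24 and 172.16.101.0/24 in both directions). A rising XfrmInStateProtoError means the ESP packets reach the kernel but fail the integrity check or decryption, which points at the two ends having installed different keys or algorithms despite the IKE negotiation succeeding; XfrmInNoStates means the arriving SPI does not belong to any installed SA. One more NETKEY detail helps here: `tcpdump -ni eth0 esp or icmp` shows an inbound packet twice, first as ESP and then as the decrypted ICMP echo, so an inbound ESP packet with no plaintext twin on the same interface confirms that decryption never happened.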