[Openswan Users] Tunnel Up But Not Passing Traffic Openswan to Fortigate VPN Firewall

Robyn Orosz rorosz at gmail.com
Wed Dec 2 12:48:35 EST 2009


Hi Again,

I'm still looking into this issue.  I am just wondering if anyone has ever
run into interoperability issues between Openswan and Fortigate.  Or, has
anyone experienced an issue where the tunnel appears to be up on both ends
but ESP packets are silently dropped and not decrypted and passed to the
protected subnet.

Thanks again,

Robyn

On Tue, Dec 1, 2009 at 9:00 AM, Robyn Orosz <rorosz at gmail.com> wrote:

> Hi There,
>
> I'm still in the process of troubleshooting this issue but wanted to throw
> this out there in case anyone's ever run into a similar issue and solved it
> somehow:
>
> I have an established IPSec tunnel between a Linux box running Openswan
> U2.4.12 on 2.6.26 to a Fortigate FG1000A VPN firewall.  The tunnel appears
> to be up but it does not pass traffic.  I can send a ping from the Openswan
> side to the Fortigate local network and I see the ESP packets leaving the
> Linux box on the outside interface but they either don't reach the Fortigate
> box or they reach it and don't get decrypted.  If a ping is sent from the
> Fortigate box, I see ESP packets entering the outside interface on the Linux
> box but they don't appear to get decrypted either.  There is no NAT or
> firewall involved on either end.
>
> I've tried disabling/enabling compression.  With compress=yes, the tunnel
> does not come up.  I've tried disabling PFS on both sides.  This makes no
> difference.  Here is the Openswan config:
>
> config setup
>         interfaces="ipsec0=eth0"
>         hidetos=yes
>         syslog=local0.debug
>         plutodebug="all"
>         nhelpers=5
>         plutowait=yes
>
> conn clear
>         auto=ignore
>
> conn clear-or-private
>         auto=ignore
>
> conn private-or-clear
>         auto=ignore
>
> conn private
>         auto=ignore
>
> conn block
>         auto=ignore
>
> conn packetdefault
>         auto=ignore
>
> conn Fortigate
>         left=Fortigate-Public-IP
>         right=Linux-Public-IP
>         leftsubnet=172.16.100.0/24
>         rightsubnet=172.16.101.0/24
>         ike=aes128-sha1-modp1536
>         ikelifetime=28800s
>         aggrmode=no
>         esp=aes256-sha1
>         keylife=3600s
>         rekeymargin=540s
>         type=tunnel
>         pfs=no
>         compress=no
>         authby=secret
>         auto=start
>
> Has anyone run into a similar issue before and if so, any idea how to work
> around it?  Or, if someone has a working connection between Openswan and a
> Fortigate FG1000A, I'd love to know the details. ;-)
>
> I don't currently have access to the Fortigate but can provide details from
> it if needed.  Basically, the proposals appear to match as the tunnel is
> established.  Also, I have debugging running for Openswan but am unsure of
> what to look for.
>
> Thanks a ton!
>
> Robyn
>
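The post asks what to look for once the tunnel negotiates but ESP is not decrypted. One check worth doing before reading Pluto debug output is to confirm that the Fortigate is configured with the exact mirror of the conn block above (its local subnet is Openswan's leftsubnet, its remote subnet is Openswan's rightsubnet, and the phase 1/2 proposals, lifetimes and PFS setting are the same). The script below is an added example, not code from the post, from Openswan or from Fortinet: it parses the ipsec.conf conn block, derives what the remote gateway must be configured with from Openswan's left/right view, and diffs that against a hand-transcribed record of the peer's settings. PEER_SAMPLE is a constructed record; its 0.0.0.0/0 selectors are there only to show what a phase 2 selector mismatch looks like in the output and are not a claim about this particular Fortigate. The Openswan defaults applied for absent keys are an assumption taken from ipsec.conf(5) as I recall it, marked in the code.

```python
"""Derive, from an Openswan conn block, what the remote gateway must be configured
with, and diff that against a transcribed record of the peer's settings.
Added example; not code from the post, Openswan or Fortinet."""
import re

# Constructed sample: the conn block from the post, placeholder IPs kept as written.
SAMPLE_CONF = """\
conn Fortigate
        left=Fortigate-Public-IP
        right=Linux-Public-IP
        leftsubnet=172.16.100.0/24
        rightsubnet=172.16.101.0/24
        ike=aes128-sha1-modp1536
        ikelifetime=28800s
        aggrmode=no
        esp=aes256-sha1
        keylife=3600s
        rekeymargin=540s
        type=tunnel
        pfs=no
        compress=no
        authby=secret
        auto=start
"""

# IKE MODP group names -> IANA DH group numbers (RFC 2409 groups 1-2, RFC 3526 groups 5, 14-18).
DH_GROUPS = {"modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14,
             "modp3072": 15, "modp4096": 16, "modp6144": 17, "modp8192": 18}

# Values used when a key is absent. Assumption: Openswan's documented defaults as I recall them.
DEFAULTS = {"ikelifetime": "1h", "keylife": "8h", "pfs": "yes", "aggrmode": "no", "authby": "rsasig"}


def parse_conns(text):
    """Parse ipsec.conf text into {section_name: {key: value}}; 'config setup' is kept as '_setup'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():                      # section header: "conn NAME" / "config setup"
            kind, _, name = line.strip().partition(" ")
            current = sections.setdefault("_setup" if kind == "config" else name.strip(), {})
            continue
        if current is None:
            raise ValueError(f"key/value outside any section: {line!r}")
        key, sep, value = line.strip().partition("=")  # split on the first '=' only
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        current[key.strip()] = value.strip().strip('"')
    return sections


def parse_proposal(spec):
    """'aes128-sha1-modp1536' -> ('aes128', 'sha1', 5); 'aes256-sha1' -> ('aes256', 'sha1', None).
    Only the first of a comma-separated proposal list is considered."""
    parts = spec.split(",")[0].split("-")
    enc = parts[0]
    integ = parts[1] if len(parts) > 1 else None
    group = DH_GROUPS.get(parts[2]) if len(parts) > 2 else None
    return enc, integ, group


def seconds(val):
    """Lifetime string such as '28800s', '1h' or '540' -> seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", val)
    if not m:
        raise ValueError(f"bad time value: {val!r}")
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}[m.group(2)]


def peer_view(conn, local_side="right"):
    """What the other gateway must be configured with, expressed from its own point of view.
    local_side is the ipsec.conf side that is this host (the post uses right= for the Linux box)."""
    if local_side not in ("left", "right"):
        raise ValueError("local_side must be 'left' or 'right'")
    peer = "left" if local_side == "right" else "right"
    get = lambda k: conn.get(k, DEFAULTS.get(k))
    ike_enc, ike_integ, dh = parse_proposal(conn["ike"])
    esp_enc, esp_integ, _ = parse_proposal(conn["esp"])
    return {
        "gateway": conn[peer],                                      # the peer's own address
        "remote_gateway": conn[local_side],
        "local_subnet": conn.get(peer + "subnet", conn[peer] + "/32"),       # peer's phase 2 local selector
        "remote_subnet": conn.get(local_side + "subnet", conn[local_side] + "/32"),
        "phase1": (ike_enc, ike_integ, dh),
        "phase1_lifetime_s": seconds(get("ikelifetime")),
        "aggressive": get("aggrmode") == "yes",
        "phase2": (esp_enc, esp_integ),
        "phase2_lifetime_s": seconds(get("keylife")),
        "pfs": get("pfs") == "yes",
        "psk": get("authby") == "secret",
    }


def check_peer(expected, peer):
    """Return one line per setting where the peer's record differs from what Openswan expects."""
    return [f"{k}: openswan expects {want!r}, peer has {peer.get(k)!r}"
            for k, want in expected.items() if peer.get(k) != want]


# Constructed record of a peer's settings, as transcribed from its GUI/CLI (not the poster's Fortigate).
# The 0.0.0.0/0 selectors are deliberate, to show what a phase 2 selector mismatch looks like.
PEER_SAMPLE = {
    "gateway": "Fortigate-Public-IP", "remote_gateway": "Linux-Public-IP",
    "local_subnet": "0.0.0.0/0", "remote_subnet": "0.0.0.0/0",
    "phase1": ("aes128", "sha1", 5), "phase1_lifetime_s": 28800, "aggressive": False,
    "phase2": ("aes256", "sha1"), "phase2_lifetime_s": 3600, "pfs": False, "psk": True,
}

if __name__ == "__main__":
    view = peer_view(parse_conns(SAMPLE_CONF)["Fortigate"], local_side="right")
    for k, v in view.items():
        print(f"{k:20} {v}")
    for problem in check_peer(view, PEER_SAMPLE):
        print("MISMATCH", problem)
```

With KLIPS (interfaces="ipsec0=eth0" above) the same question can be put to the running system: `ipsec eroute` lists the installed tunnel selectors, `cat /proc/net/ipsec_spi` lists each SA, and running `tcpdump -ni eth0 esp` alongside `tcpdump -ni ipsec0` shows whether arriving ESP ever appears as plaintext on the ipsec0 device. ESP that is seen on eth0 but never on ipsec0 has been dropped before or during decryption; ESP that appears on ipsec0 but is not answered is a routing or selector problem on the protected side.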