[Openswan Users] Openswan to Fortigate 60B - VPN
Erick Chinchilla Berrocal
erick at netcrc.net
Sat Sep 4 14:56:23 EDT 2010
I have the following situation.
I need to connect two offices. The main office uses Debian Lenny with iptables and Openswan, and the remote office uses a Fortigate 60B (firewall and VPN).
The web server is located in the remote office, but it needs to use the public IP of the main office.
Internet --> www --> Public IP in the Main Office <------ VPN ------> Remote Office --> WEB server (LAN)
                          |
                      Public IP
                          |
                         LAN
                     Main Office
This is the configuration on both sides, but at the moment it does not work.
Fortigate 60B
VPN-- > IP SEC
Phase 1
Static IP Address
Local Interface = WAN1
Mode = Main (ID Protection)
Authentication Method = Pre-shared Key
Peer Options = Accept any peer ID
P1 Proposal
1- Encryption = 3DES Authentication = MD5
2- Encryption = 3DES Authentication = SHA1
DH Group = 2 - 5
Keylife = 28800
Local ID = ________
XAuth = Disable
NAT-traversal = enable
Keep alive Frequency = 10 seconds
Dead Peer Detection = enable
Phase 2
P2 Proposal
1- Encryption = 3DES Authentication = MD5
2- Encryption = 3DES Authentication = SHA1
Enable replay detection = yes
Enable perfect forward secrecy (PFS) = yes
DH Group = 5
Keylife = 1800 seconds
Autokey Keep Alive = enable
Quick Mode Selector
- Source address = 192.168.x.x/24 (LAN this side)
- Source port = 0
- Destination address = 192.168.x.x (LAN side Openswan)
- Protocol = 0
Log Access
#  Date/time            Level   User  Interface  Action     Message
1  2010-09-04 13:22:27  notice                   negotiate  Initiator: sent x.x.x.x (public IP openswan) main mode message #1 (OK)
Openswan
- #/etc/ipsec.conf
nat_traversal=yes
# Add connections here
include /etc/ipsec.d/fortigate.conf
- VPN
conn nb-vpn                        # connection name
        type=tunnel
        auth=esp
        authby=secret
        esp=3des-md5!;modp1536
        ikelifetime=1800s
        keyingtries=10
        keylife=28800s
        pfs=yes
        left=x.x.x.x               # Public IP Openswan
        leftsubnet=192.168.x.x/24  # LAN Openswan
        leftid=x.x.x.x             # Public IP Openswan
        leftrsasigkey=abc          # key
        leftnexthop=y.y.y.y        # %defaultroute correct in many situations
        right=a.b.c.d              # Public IP Fortigate
        rightsubnet=192.168.x.x/24 # LAN Fortigate
        rightid=a.b.c.d            # Public IP Fortigate
        rightrsasigkey=abc         # key
        rightnexthop=%defaultroute # correct in many situations
        auto=add                   # authorizes but doesn't start this connection at startup
        ike=3des-md5!
        keyexchange=ike
/etc/init.d/ipsec restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec 2.4.12..
ipsec auto --up vpn (wait and wait..)
ipsec auto --status
000 "vpn": 192.168.x.x/24===a.b.c.d---a.b.c.d...a.b.c.d---a.b.c.d===192.168.x.x/24; unrouted; eroute owner: #0
000 "vpn": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "vpn": ike_life: 1800s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 10
000 "vpn": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth0; encap: esp;
000 "vpn": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "vpn": IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)-MODP1536(5), 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=strict
000 "vpn": IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-MODP1536(5), 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
000 "vpn": ESP algorithms wanted: 3DES(3)_000-MD5(1); pfsgroup=MODP1536(5); flags=strict
000 "vpn": ESP algorithms loaded: 3DES(3)_000-MD5(1); pfsgroup=MODP1536(5); flags=strict
000
000 #61: "vpn":500 STATE_MAIN_I1 (sent MI1, expecting MR1); none in -1s; lastdpd=-1s(seq in:0 out:0)
000 #61: pending Phase 2 for "nb-vpn" replacing #0
cat /var/log/syslog
Sep 4 14:43:45 VPN1 ipsec_setup: Stopping Openswan IPsec...
Sep 4 14:43:45 VPN1 kernel: [104640.705317] NET: Registered protocol family 15
Sep 4 14:43:45 VPN1 kernel: [104640.853503] padlock: VIA PadLock Hash Engine not detected.
Sep 4 14:43:45 VPN1 kernel: [104640.976681] padlock: VIA PadLock Hash Engine not detected.
Sep 4 14:43:46 VPN1 kernel: [104641.153758] padlock: VIA PadLock not detected.
Sep 4 14:43:46 VPN1 kernel: [104641.350985] Initializing XFRM netlink socket
Sep 4 14:43:46 VPN1 ipsec_setup: NETKEY on eth0 a.b.c.d/255.255.255.128 broadcast a.b.c.255
Sep 4 14:43:46 VPN1 ipsec_setup: ...Openswan IPsec started
Sep 4 14:43:46 VPN1 ipsec_setup: Starting Openswan IPsec 2.4.12...
Any recommendations are welcome.
Best regards
Erick Ch.
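Two things a reader can take from the posted output, written up as an added example that is not part of the original message and not Openswan or Fortinet code. First, the status shows the ISAKMP SA sitting at STATE_MAIN_I1 (MI1 sent, no MR1 back), and the Fortigate log shows the same from its side (it sent main mode message #1 and logs nothing further), so neither peer's UDP/500 packets are being answered; the iptables rules on the Debian box (UDP 500, UDP 4500 for NAT-T, and ESP, in both directions) are the first thing to verify, because proposals do not matter until Main Mode gets a reply. Second, the two lifetimes in the conn are swapped relative to the Fortigate (its Phase 1 keylife is 28800 s and its Phase 2 keylife 1800 s, while the conn has ikelifetime=1800s and keylife=28800s); that will not stop MI1 from being answered, but it is worth aligning. The script parses the posted conn block, compares it with the posted Fortigate settings, flags the differences, detects the stuck state from a status line, and emits conn parameters that mirror the Fortigate's first proposal on each phase. The function names, the transcribed dictionaries, the Openswan 2.4 default DH group set, and the small conn excerpt are assumptions of this example.

```python
# Added example (not from the original post): cross-check the Phase 1 / Phase 2
# parameters of the two peers as transcribed from the message above. Parser,
# checks and helper names are assumptions of this example.
import re

GROUP_TO_MODP = {2: "modp1024", 5: "modp1536", 14: "modp2048"}
MODP_TO_GROUP = {v: k for k, v in GROUP_TO_MODP.items()}

# With no group in ike=, the posted "IKE algorithms wanted" line shows
# Openswan 2.4 offering MODP1536 and MODP1024 (assumed default here).
DEFAULT_IKE_GROUPS = {5, 2}

# Fortigate 60B settings as posted (constructed from the message; seconds).
FORTIGATE = {
    "p1_proposals": [("3des", "md5"), ("3des", "sha1")],
    "p1_dh_groups": {2, 5},
    "p1_keylife": 28800,
    "p2_proposals": [("3des", "md5"), ("3des", "sha1")],
    "p2_pfs_group": 5,
    "p2_keylife": 1800,
}

# Crypto-relevant lines of the posted Openswan conn (constructed excerpt).
OPENSWAN_CONN = """\
conn nb-vpn
        authby=secret
        esp=3des-md5!;modp1536     # ESP proposal; ! = strict
        ikelifetime=1800s
        keylife=28800s
        pfs=yes
        ike=3des-md5!
"""

# One line of the posted `ipsec auto --status` output (constructed excerpt).
STATUS_LINE = '000 #61: "vpn":500 STATE_MAIN_I1 (sent MI1, expecting MR1); none in -1s;'


def parse_conn(text):
    """Return {parameter: value} for one conn section, dropping '#' comments."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params


def parse_alg_string(value):
    """'3des-md5!;modp1536' -> ([('3des', 'md5')], {5}); the group set is
    empty when no DH group is given. The '!' strict marker is ignored."""
    algs, _, group = value.partition(";")
    proposals = []
    for item in algs.split(","):
        enc, _, integ = item.strip().rstrip("!").partition("-")
        proposals.append((enc, integ))
    groups = {MODP_TO_GROUP[g.strip().rstrip("!")] for g in group.split(",") if g}
    return proposals, groups


def seconds(value):
    """'28800s' -> 28800"""
    return int(value.rstrip("s"))


def check_compat(fgt, conn):
    """Compare both sides; return a list of findings (empty means consistent)."""
    findings = []
    ike_props, ike_groups = parse_alg_string(conn["ike"])
    ike_groups = ike_groups or DEFAULT_IKE_GROUPS
    if not set(ike_props) & set(fgt["p1_proposals"]):
        findings.append("phase1: no common encryption/hash proposal")
    if not ike_groups & fgt["p1_dh_groups"]:
        findings.append("phase1: no common DH group")
    p1_life = seconds(conn["ikelifetime"])
    if p1_life != fgt["p1_keylife"]:
        findings.append(f"phase1: lifetime {p1_life}s on Openswan vs {fgt['p1_keylife']}s on the Fortigate")

    esp_props, pfs_groups = parse_alg_string(conn["esp"])
    if not set(esp_props) & set(fgt["p2_proposals"]):
        findings.append("phase2: no common ESP proposal")
    if conn.get("pfs", "yes") == "yes" and fgt["p2_pfs_group"] not in pfs_groups:
        findings.append("phase2: PFS group does not match the Fortigate's DH group")
    p2_life = seconds(conn["keylife"])
    if p2_life != fgt["p2_keylife"]:
        findings.append(f"phase2: lifetime {p2_life}s on Openswan vs {fgt['p2_keylife']}s on the Fortigate")
    return findings


def conn_for_fortigate(fgt):
    """Openswan conn parameters mirroring the Fortigate's first proposal on
    each phase, the strongest of its Phase 1 DH groups, and its lifetimes."""
    enc1, integ1 = fgt["p1_proposals"][0]
    enc2, integ2 = fgt["p2_proposals"][0]
    return {
        "ike": f"{enc1}-{integ1};{GROUP_TO_MODP[max(fgt['p1_dh_groups'])]}",
        "ikelifetime": f"{fgt['p1_keylife']}s",
        "esp": f"{enc2}-{integ2};{GROUP_TO_MODP[fgt['p2_pfs_group']]}",
        "keylife": f"{fgt['p2_keylife']}s",
        "pfs": "yes",
    }


_MI1_RE = re.compile(r"STATE_MAIN_I1 \(sent MI1, expecting MR1\)")


def stuck_in_mi1(status_output):
    """True when an ISAKMP SA sent Main Mode message 1 and got no reply,
    i.e. IKE on UDP/500 never reached the peer (check filtering first)."""
    return any(_MI1_RE.search(line) for line in status_output.splitlines())


if __name__ == "__main__":
    for finding in check_compat(FORTIGATE, parse_conn(OPENSWAN_CONN)):
        print(finding)
    print("no IKE reply received:", stuck_in_mi1(STATUS_LINE))
    for key, value in conn_for_fortigate(FORTIGATE).items():
        print(f"        {key}={value}")
```

Run as-is it reports only the two swapped lifetimes for the posted conn and confirms the stuck Main Mode state; after the firewall path is fixed, feeding a fresh `ipsec auto --status` into stuck_in_mi1() tells you whether the negotiation has moved past message 1, at which point the remaining findings are the ones to act on.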