[Openswan Users] Openswan to Fortigate 60B - VPN

Ing. Rodrigo Fernandez rfernandez_net at yahoo.com.mx
Mon Sep 6 09:58:01 EDT 2010


Ok, I had the same problem (I have it once more, but I'll open a new thread for
that). I got my Fortigate 60B working with my Openswan server in "tunnel
mode"; here is the configuration:
 
OPENSWAN
 
conn netcafe
        auth=esp
        authby=secret
        auto=start
        esp=3des-md5!
        ikelifetime=1800s
        keyingtries=10
        keylife=28800s
        left=mydyndns1(openswan)
        leftid=192.9.201.254
        leftnexthop=192.9.201.254
        leftsubnet=192.9.201.0/24
        right=mydyndns2(fortigate)
        rightid=%any
        rightnexthop=10.0.254.254
        rightsubnet=10.0.254.0/24
        ike=3des-md5!
        keyexchange=ike
        dpddelay=30
        dpdtimeout=120
        dpdaction=restart
Then in my ipsec.secrets I have:
: PSK "mypassword"
 
In my ipsec.conf I have:
 
        # Do not set debug options to debug configuration issues!
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
        # eg:
        # plutodebug="control parsing"
        #
        # enable to get logs per-peer
        # plutoopts="--perpeerlog"
        #
        # Again: only enable plutodebug or klipsdebug when asked by a developer
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        #forceencaps=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        virtual_private=%v4:192.9.201.0/24,%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        # OE is now off by default. Uncomment and change to on, to enable.
        oe=off
        # which IPsec stack to use. netkey,klips,mast,auto or none
        protostack=netkey
        plutodebug=all
# Add connections here
include /etc/ipsec.d/*.conf

(As you can see, at this point I use conf files in ipsec.d.)

FORTIGATE SIDE:
 
Phase 1
remote gateway: dyndns
local interface: wan1
mode: main (id)
auth method: preshared key
 
encrypt: 3des - md5
DH group: 2
keylife: 28800
NAT traversal: enable
keepalive frequency: 10
DPD detection: yes
 
Phase 2
encrypt: 3des - md5
enable PFS
DH group: 2
seconds: 1800
autokey keepalive: yes
 
quick mode selector:
 
src: 10.0.254.0/24
port: 0
 
dst: 192.9.201.0/24
port: 0
protocol: 0
 
Then you need to enable the tunnel in the Fortigate firewall policy, like this:
 
policy:
(FROM INTERNAL TO EXTERNAL)
network-local (10.0.254.0/24) ---------> network openswan (192.9.201.0/24) ---------> encrypt (tunnel: the name of your tunnel) ---------> Accept
 
 
And wow! You're done, and you have your VPN up!
 
Ing. Rodrigo Fernández Rodríguez
Field Application Engineer
Tels: 1204-4795
        1204-4796
        1204-4797 ext. 101
        01800-1302233
Cel:  04455-1388-9354
Web: http://www.netcafe-solutions.net
Mail: rfernandez at netcafe-solutions.net
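The tunnel in the post only comes up because the two sides happen to agree on cipher, hash, DH group, PFS and mirrored selectors; when a Fortigate/Openswan pair fails in Phase 1 or Phase 2 it is almost always one of those that differs. The script below, an added example that is not code from the post, from Openswan or from Fortinet, parses an Openswan conn block and cross-checks it against the Fortigate Phase 1/Phase 2 values as a hand-typed dict (the dict field names are the example's own, not FortiOS keywords; the conn block is the post's, trimmed to the keys the checker reads). It reports a MISMATCH where negotiation would fail, an INFO where the sides differ but IKEv1 tolerates it (the post's lifetimes are swapped between phases, 1800/28800 on Openswan versus 28800/1800 on the Fortigate, so each peer drives one of the rekeys; and ike= pins no modp group, so the match to DH group 2 is implicit), and a WEAK line for 3DES, MD5 and 1024-bit DH, which both sides use here and which are no longer considered adequate.

```python
"""Cross-check an Openswan conn block against FortiGate Phase 1 / Phase 2
settings before bringing the tunnel up.  Added example: not code from the
original post, Openswan or Fortinet.  The FortiGate side is a hand-typed dict
(field names are this example's own, not FortiOS keywords)."""
import re

# Constructed input: the post's conn block, trimmed to the keys checked here.
OPENSWAN_CONN = """\
conn netcafe
    authby=secret
    esp=3des-md5!
    ikelifetime=1800s
    keylife=28800s
    leftsubnet=192.9.201.0/24
    rightsubnet=10.0.254.0/24
    ike=3des-md5!
    dpddelay=30
"""

# Constructed input: the post's FortiGate Phase 1 / Phase 2 GUI values.
FORTIGATE = {
    "phase1": {"auth": "psk", "enc": "3des", "hash": "md5", "dh": 2,
               "keylife": 28800},
    "phase2": {"enc": "3des", "hash": "md5", "pfs": True, "dh": 2,
               "keylife": 1800, "src": "10.0.254.0/24", "dst": "192.9.201.0/24"},
}

DH_NAME = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048"}
WEAK = {"des", "3des", "md5", "sha1", "modp768", "modp1024"}
UNIT = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_conn(text):
    """Turn one 'conn NAME' block into a dict of its key=value settings."""
    conn = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            conn["name"] = line.split(None, 1)[1]
        elif "=" in line:
            key, val = line.split("=", 1)
            conn[key.strip()] = val.strip()
    return conn


def parse_alg(spec):
    """Split 'enc-integ[-modpN][!]' into (enc, integ, dh, strict); dh is None
    when the string pins no DH group."""
    strict = spec.endswith("!")
    parts = spec.rstrip("!").split("-")
    integ = parts[1] if len(parts) > 1 else None
    dh = next((p for p in parts[2:] if p.startswith("modp")), None)
    return parts[0], integ, dh, strict


def lifetime_seconds(value):
    """Convert an Openswan lifetime such as '1800s', '30m' or '8h' to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value)
    if not m:
        raise ValueError(f"bad lifetime: {value!r}")
    return int(m.group(1)) * UNIT[m.group(2) or "s"]


def check(conn, fg):
    """Return findings: 'MISMATCH' (will not negotiate), 'INFO' (worth knowing)
    or 'WEAK' (algorithm no longer considered adequate)."""
    out, p1, p2 = [], fg["phase1"], fg["phase2"]
    if (conn.get("authby") == "secret") != (p1["auth"] == "psk"):
        out.append(f"MISMATCH: authby={conn.get('authby')} vs Phase 1 auth {p1['auth']}")
    # Phase 1: cipher, hash and DH group.
    enc, integ, dh, _ = parse_alg(conn["ike"])
    fg_dh1 = DH_NAME[p1["dh"]]
    if (enc, integ) != (p1["enc"], p1["hash"]):
        out.append(f"MISMATCH: ike={conn['ike']} vs Phase 1 {p1['enc']}-{p1['hash']}")
    if dh is None:
        out.append(f"INFO: ike= pins no DH group; FortiGate Phase 1 uses group "
                   f"{p1['dh']} ({fg_dh1}), so add {fg_dh1} to ike= explicitly")
    elif dh != fg_dh1:
        out.append(f"MISMATCH: ike DH {dh} vs Phase 1 {fg_dh1}")
    # Phase 2: ESP cipher/hash and PFS (Openswan defaults to pfs=yes).
    enc2, integ2, dh2, _ = parse_alg(conn["esp"])
    fg_dh2 = DH_NAME[p2["dh"]]
    if (enc2, integ2) != (p2["enc"], p2["hash"]):
        out.append(f"MISMATCH: esp={conn['esp']} vs Phase 2 {p2['enc']}-{p2['hash']}")
    if (conn.get("pfs", "yes") == "yes") != p2["pfs"]:
        out.append(f"MISMATCH: pfs={conn.get('pfs', 'yes')} vs Phase 2 PFS {p2['pfs']}")
    if p2["pfs"] and dh2 is not None and dh2 != fg_dh2:
        out.append(f"MISMATCH: esp DH {dh2} vs Phase 2 PFS {fg_dh2}")
    # Selectors must mirror: our left is their dst, our right is their src.
    if conn["leftsubnet"] != p2["dst"] or conn["rightsubnet"] != p2["src"]:
        out.append("MISMATCH: quick mode selectors do not mirror the Openswan subnets")
    # IKEv1 lifetimes need not match (the shorter side rekeys first); report
    # them so the operator knows which peer drives each rekey.
    for key, theirs, phase in (("ikelifetime", p1["keylife"], "Phase 1"),
                               ("keylife", p2["keylife"], "Phase 2")):
        ours = lifetime_seconds(conn[key])
        if ours != theirs:
            out.append(f"INFO: {key}={ours}s vs FortiGate {phase} keylife {theirs}s")
    for alg in sorted({enc, integ, dh, enc2, integ2, dh2, fg_dh1, fg_dh2} & WEAK):
        out.append(f"WEAK: {alg} negotiated; prefer AES, SHA-2 and modp2048 or stronger")
    return out


if __name__ == "__main__":
    for finding in check(parse_conn(OPENSWAN_CONN), FORTIGATE):
        print(finding)
```

Run it against the post's values and it prints no MISMATCH, three INFO lines (the unpinned DH group and the two swapped lifetimes) and three WEAK lines. To use it on your own tunnel, paste your conn block into OPENSWAN_CONN and type the Phase 1/Phase 2 GUI values into FORTIGATE; swapping src and dst in the quick mode selector, a common mistake, shows up as a MISMATCH.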

 