[Openswan Users] Openswan to Fortigate 60B - VPN
Erick Chinchilla Berrocal
erick at netcrc.net
Mon Sep 6 15:50:40 EDT 2010
Rodrigo
Thanks for your help
The VPN is up, but now I only have the following issue:
- ICMP doesn't work (ping between the LANs).
- At this time I don't use iptables; it's the default setup.
- Can you explain the policies in the Fortigate 60B in more detail?
- I looked at these options in the Fortigate 60B:
--firewall--policy--create new--
source interface/zone=wan1 (dmz-internal-wan1)
source address= Local Network (create new,LAN IP, WAN IP, all, pptp users)
destination interface zone=wan1 (dmz,internal, modem, ssl.root, wan1,wan2)
destination address= VPN-Network (LAN IP, WAN IP, all, pptp users)
schedule=always
service= ANY
action= ACCEPT (Accept, Deny, IPSec, SSL-VPN)
NAT= x
Dynamic IP Pool= n/a
Fixed Port= n/a
I don't see the options = tunnel / encryption
Best regards
Erick Ch.
> OK, I had the same problem (I have one more, but I'll open a new thread for
> that). I got my Fortigate 60B working with my Openswan server in "tunnel
> mode"; here is the configuration:
>
> OPENSWAN
>
> conn netcafe
>     auth=esp
>     authby=secret
>     auto=start
>     esp=3des-md5!
>     ikelifetime=1800s
>     keyingtries=10
>     keylife=28800s
>     # left = the Openswan host, reached via its dyndns name
>     left=mydyndns1
>     leftid=192.9.201.254
>     leftnexthop=192.9.201.254
>     leftsubnet=192.9.201.0/24
>     # right = the Fortigate, reached via its dyndns name
>     right=mydyndns2
>     rightid=%any
>     rightnexthop=10.0.254.254
>     rightsubnet=10.0.254.0/24
>     ike=3des-md5!
>     keyexchange=ike
>     dpddelay=30
>     dpdtimeout=120
>     dpdaction=restart
> Then in my ipsec.secrets I have:
> : PSK "mypassword"
>
> In my ipsec.conf I have:
>
> config setup
>     # Do not set debug options to debug configuration issues!
>     # plutodebug / klipsdebug = "all", "none" or a combination from below:
>     # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
>     # eg:
>     # plutodebug="control parsing"
>     #
>     # enable to get logs per-peer
>     # plutoopts="--perpeerlog"
>     #
>     # Again: only enable plutodebug or klipsdebug when asked by a developer
>     #
>     # NAT-TRAVERSAL support, see README.NAT-Traversal
>     nat_traversal=yes
>     #forceencaps=yes
>     # exclude networks used on server side by adding %v4:!a.b.c.0/24
>     virtual_private=%v4:192.9.201.0/24,%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>     # OE is now off by default. Uncomment and change to on, to enable.
>     oe=off
>     # which IPsec stack to use. netkey,klips,mast,auto or none
>     protostack=netkey
>     # NB: full debug output is enabled here despite the warning above
>     plutodebug=all
>
> # Add connections here (as you see, at this point I use conf scripts in ipsec.d)
> include /etc/ipsec.d/*.conf
>
> FORTIGATE SIDE:
>
> Phase 1
> remote gateway: dyndns
> local interface: wan1
> mode: main (id protection)
> auth method: preshared key
>
> encrypt: 3des - md5
> DH group: 2
> keylife: 28800
> NAT traversal: enable
> keepalive frequency: 10
> dead peer detection: yes
>
> Phase 2
> encrypt: 3des - md5
> enable PFS
> DH group: 2
> keylife: 1800 seconds
> autokey keepalive: yes
>
> quick mode selector:
>
> src: 10.0.254.0/24, port: 0
>
> dst: 192.9.201.0/24, port: 0
> protocol: 0
>
> Then you need to enable the tunnel in the Fortigate firewall policy, as follows:
>
> policy (FROM INTERNAL TO EXTERNAL):
> source: network-local (10.0.254.0/24) -> destination: network-openswan (192.9.201.0/24)
> -> action: encrypt (tunnel: the name of your tunnel) -> Accept
>
>
> And wow! You're done and you have your VPN up!
>
> Ing. Rodrigo Fernández Rodríguez
> Field Application Engineer
> Tels: 1204-4795
> 1204-4796
> 1204-4797 ext. 101
> 01800-1302233
> Cel: 04455-1388-9354
> Web: http://www.netcafe-solutions.net <http://www.netcafe-solutions.net/>
> Mail: rfernandez at netcafe-solutions.net
>
>
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
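The two configurations quoted in this thread are easy to cross-check mechanically, which is worth doing when a tunnel comes up but LAN-to-LAN traffic does not flow. The script below is an added example by the editor, not code from the thread or from Openswan: it parses the conn block as posted, compares it with the Fortigate Phase 1/Phase 2 values transcribed from the reply (selectors, proposals, DH group, lifetimes), and tests whether a given source/destination pair actually falls inside the tunnel's traffic selectors. The WAN address 198.51.100.7 used at the end is a constructed placeholder, since the real addresses behind the dyndns names are not on the page.

```python
"""Cross-check an Openswan conn block against Fortigate Phase 1/2 settings.
Editor's added example, not code from the thread. The conn text and the
Fortigate values are transcribed from the quoted reply; the checks are
the editor's own."""
import ipaddress
import re

# Transcribed from the quoted reply (dyndns placeholders kept as-is).
OPENSWAN_CONN = """\
conn netcafe
    auth=esp
    authby=secret
    auto=start
    esp=3des-md5!
    ikelifetime=1800s
    keyingtries=10
    keylife=28800s
    left=mydyndns1
    leftid=192.9.201.254
    leftnexthop=192.9.201.254
    leftsubnet=192.9.201.0/24
    right=mydyndns2
    rightid=%any
    rightnexthop=10.0.254.254
    rightsubnet=10.0.254.0/24
    ike=3des-md5!
    keyexchange=ike
"""

# Transcribed from the Fortigate side of the quoted reply.
FORTIGATE = {
    "p1_proposal": "3des-md5", "p1_keylife": 28800, "p1_dhgroup": 2,
    "p2_proposal": "3des-md5", "p2_keylife": 1800, "p2_dhgroup": 2,
    "qm_src": "10.0.254.0/24", "qm_dst": "192.9.201.0/24",
}

# IKE DH group numbers as Openswan spells them in ike=/esp= strings.
DH_GROUPS = {2: "modp1024", 5: "modp1536", 14: "modp2048"}


def parse_conn(text):
    """Return the key=value pairs of a single conn section as a dict."""
    conn = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("conn "):
            continue
        key, _, value = line.partition("=")
        conn[key.strip()] = value.strip()
    return conn


def seconds(value):
    """Openswan lifetimes such as '1800s', '30m' or '8h' -> seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value)
    if not m:
        raise ValueError(f"bad lifetime: {value!r}")
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}[m.group(2)]


def proposal(value):
    """'3des-md5!' -> ('3des-md5', None); 'aes128-sha1-modp1024' -> ('aes128-sha1', 'modp1024').
    The trailing '!' only means 'strict'; it is not part of the proposal."""
    parts = value.rstrip("!").split(";")[0].lower().split("-")
    group = parts[-1] if parts[-1].startswith("modp") else None
    return "-".join(parts[:2]), group


def check(conn, fgt):
    """Return (code, message) findings where the two ends disagree."""
    findings = []
    # The Fortigate quick-mode selector must be the mirror image of
    # leftsubnet/rightsubnet: its src is Openswan's rightsubnet.
    if (fgt["qm_src"], fgt["qm_dst"]) != (conn["rightsubnet"], conn["leftsubnet"]):
        findings.append(("selectors", "quick-mode selector does not mirror leftsubnet/rightsubnet"))
    p1_alg, p1_grp = proposal(conn["ike"])
    p2_alg, _ = proposal(conn["esp"])
    if p1_alg != fgt["p1_proposal"]:
        findings.append(("p1_proposal", f"ike={p1_alg} vs Fortigate {fgt['p1_proposal']}"))
    if p2_alg != fgt["p2_proposal"]:
        findings.append(("p2_proposal", f"esp={p2_alg} vs Fortigate {fgt['p2_proposal']}"))
    if p1_grp is None:
        findings.append(("dh_unpinned", "ike= names no modp group; pin it to match Fortigate DH group "
                         f"{fgt['p1_dhgroup']} (e.g. ike={p1_alg}-{DH_GROUPS[fgt['p1_dhgroup']]})"))
    elif p1_grp != DH_GROUPS[fgt["p1_dhgroup"]]:
        findings.append(("p1_dhgroup", f"{p1_grp} vs Fortigate DH group {fgt['p1_dhgroup']}"))
    # ikelifetime is Phase 1 and keylife is Phase 2; the quoted configs have them crossed.
    for key, code, theirs in (("ikelifetime", "p1_lifetime", fgt["p1_keylife"]),
                              ("keylife", "p2_lifetime", fgt["p2_keylife"])):
        ours = seconds(conn[key])
        if ours != theirs:
            findings.append((code, f"{key}={ours}s vs Fortigate {theirs}s"))
    if any(a in p1_alg + p2_alg for a in ("3des", "md5")):
        findings.append(("legacy_algs", "3DES/MD5 are legacy; prefer AES and SHA-2 if both ends support them"))
    return findings


def in_tunnel(conn, src, dst):
    """True if a src->dst packet matches the tunnel's traffic selectors."""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(conn["leftsubnet"])
            and ipaddress.ip_address(dst) in ipaddress.ip_network(conn["rightsubnet"]))


if __name__ == "__main__":
    conn = parse_conn(OPENSWAN_CONN)
    for code, msg in check(conn, FORTIGATE):
        print(f"[{code}] {msg}")
    # A ping sourced from a LAN address is covered; one sourced from the
    # gateway's WAN address (198.51.100.7, a constructed example) is not.
    print(in_tunnel(conn, "192.9.201.254", "10.0.254.10"))
    print(in_tunnel(conn, "198.51.100.7", "10.0.254.10"))
```

Run against the configurations as posted, the checker reports that the Phase 1 and Phase 2 lifetimes are swapped between the two ends (Openswan ikelifetime=1800s against the Fortigate's 28800, keylife=28800s against 1800), that the DH group is not pinned on the Openswan side, and that 3DES/MD5 are legacy algorithms. Lifetime differences are usually tolerated, since the end with the shorter value simply rekeys first, but aligning them removes one variable. The in_tunnel check is the one to keep in mind for the "tunnel up, ping fails" symptom: a ping run on the Openswan gateway itself is sourced from the outgoing (WAN) interface address unless you use ping -I with a 192.9.201.0/24 address, and a packet that does not match the selectors goes out in the clear instead of through the tunnel.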