[Openswan Users] Help with OpenSwan to Fortigate IPsec VPN

Tyler J. Wagner tyler at tolaris.com
Mon Sep 5 03:56:39 EDT 2011

Thanks for your help, Nick. I resolved the problem with the help of someone
on the Fortigate forums.


The problem was two-fold:

1. Reducing the encryption proposals to exactly one on each end.
2. Setting the subnet "quick selector" on the Fortigate.

I mistakenly assumed that using multiple encryption offerings would allow
both ends to negotiate the best choice. That doesn't appear to be true for
at least one end of this link.


On 2011-09-04 19:41, Nick Howitt wrote:
> Hi Tyler
> I am a regular over on the ClearOS forums and I'll see if I can give you a
> hand, but some of the guys on the mailing lists know a lot more than me.
> First off, is this a test config where your left and right are simulating
> public IPs or are both devices NAT'd? For the moment I will assume the
> former. In "config setup", please add "oe=no" and if you are simulating
> public IPs, can you remove the nat_traversal line?
> In "conn test" please add a line leftsourceip="your_ClearOS_LAN_IP". I
> would also remove the references to leftupdown and rightupdown. If they are
> the default ones the references are not needed and if they are ClearOS
> tinkered ones (rather than the default ones) they are not needed either. Is
> there any reason you have rekey=no? I would let it rekey as you are
> allowing the ClearOS to initiate the connection. To match the Fortigate,
> also set ikelifetime=86400 but both these values are quite long. Typically
> you would use values of 1h and 8h but opinions seem to vary as to which
> should be which.
> With these changes what do you see in /var/log/secure when you start ipsec
> (only the later part where the conn starts negotiating, not where openswan
> is loading)? The log items contain the reference "pluto[....]".
> Also worth trying is to stop the ClearOS initiating the conn and see how it
> responds (rekey=no, auto=add and remove ike and phase2alg references).
> Regards,
> Nick
> On 30/08/2011 06:49, Tyler J. Wagner wrote:
>> Hello all,
>> I've been trying to bring up an IPsec VPN between a ClearOS 5.2 device and
>> a Fortigate router. If anyone has advice or a working example of such a
>> configuration, I would really appreciate the help.
>> The ClearOS GUI is useless for this, so I'm really just using a generic
>> OpenSwan device. On the ClearOS router, the firewall passes esp and ah
>> traffic input and output, and does not masquerade it. rp_filter is
>> disabled, and of course ip_forwarding is enabled.
>> Attached is a condensed ipsec.conf from the ClearOS GUI.
>> On the Fortigate router, I've created a "route-based VPN", to use the
>> Fortigate terminology from their IPsec user guide. This means I've
>> established an IPsec configuration, then created firewall policies for
>> internal-to-ipsec and ipsec-to-internal traffic directions. I already have
>> a working Fortigate-to-Fortigate IPsec VPN using this configuration. This
>> is a second link.
>> Attached are screenshots of the IPsec config from the Fortigate router.
>> Suggestions?
>> Regards,
>> Tyler

"No one can terrorize a whole nation, unless we are all his accomplices."
   -- Edward R. Murrow
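
An added example, not part of the original thread or the poster's attached config: a small Python lint for ipsec.conf that flags the two conditions named in the resolution above, more than one proposal in ike=/phase2alg= and a conn with no explicit leftsubnet/rightsubnet to compare against the Fortigate quick mode selector. The sample configs, addresses and algorithm choices are constructed, and it assumes Openswan's comma-separated proposal lists.

```python
import re

# Constructed samples (not the poster's attachment); documentation address ranges.
BEFORE = """\
conn test
    left=192.0.2.1
    right=198.51.100.1
    ike=aes128-sha1;modp1536,3des-md5;modp1024
    phase2alg=aes128-sha1,3des-md5
"""
AFTER = """\
conn test
    left=192.0.2.1
    leftsubnet=10.1.0.0/24
    right=198.51.100.1
    rightsubnet=10.2.0.0/24
    ike=aes128-sha1;modp1536
    phase2alg=aes128-sha1;modp1536
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif line[0].isspace() and current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
        else:
            current = None                        # "config setup" or other section
    return conns

def lint(text):
    """List (conn, finding) pairs for the two issues from the thread."""
    findings = []
    for name, opts in parse_conns(text).items():
        for key in ("ike", "phase2alg", "esp"):
            if "," in opts.get(key, ""):          # assumption: commas separate proposals
                findings.append((name, f"{key} offers more than one proposal"))
        for key in ("leftsubnet", "rightsubnet"):
            if key not in opts:                   # omitted subnet means host-only selector
                findings.append((name, f"{key} not set"))
    return findings
```

Run `lint()` over the Openswan side, then compare the single proposal and the two subnets it leaves against the Fortigate's phase 1/phase 2 settings and quick mode selector by hand.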
