Tuesday, August 25, 2009

Openswan - Host to Subnet Configuration

Sometimes you want a single host running Openswan (a laptop or a lone server, say) to connect to the network behind your FortiGate firewall, rather than the usual subnet-to-subnet tunnel between two gateways.
Here are some tips on how to configure this host-to-subnet scenario.
  • On your host running Openswan, put the following connection definition in /etc/ipsec.conf (parameter lines must be indented under the conn line; replace the bracketed values with your own):
conn office
        # left side is home
        left=<public IP of this host, or %defaultroute>
        # leftsubnet is the IP of your host with a /32 bit subnet mask
        leftsubnet=<IP of this host>/32
        # right side is work
        # set right to the VPN remote gateway
        right=<FortiGate public IP>
        # set rightsubnet to the remote network
        rightsubnet=<office network>/<prefix length>
        # automatically bring up the VPN tunnel
        auto=start
        # specify the encryption the FortiGate VPN uses (must match Phase 1 and Phase 2 on the firewall)
        ike=<Phase 1 proposal>
        esp=<Phase 2 proposal>
        # perfect forward secrecy (default yes)
        pfs=yes
        # optionally enable compression
        compress=yes

The key here is that the leftsubnet parameter is the IP address of the Openswan host itself with a /32 mask, so the only thing on the "left" side of the tunnel is that one host.

On the FortiGate firewall, configure your Phase 1 parameters to match what the Openswan host proposes (the ike= settings and the pre-shared key or certificates).
In Phase 2, edit the Quick Mode Selectors in the "Advanced" section as follows:

Source Address: the local office network (what Openswan calls rightsubnet)
Source Port: 0
Destination Address: the Openswan host's IP with a 255.255.255.255 mask (what Openswan calls leftsubnet)
Destination Port: 0
Protocol: 0

This tells the firewall that its own side of the tunnel is the whole network, while on the remote side it only expects a single host. Ports and protocol 0 mean "any". The selectors on the two ends must mirror each other exactly: if they do not, Phase 1 will still complete but Phase 2 (quick mode) will fail and no traffic flows.
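The mirroring rule above is easy to get wrong by hand, so here is a small checker written for this page (added example, not code from the original post or from Openswan or Fortinet). It parses a conn section from ipsec.conf text, derives the FortiGate quick mode selector that the conn implies, and reports any mismatch between the two sides, including the classic mistake of giving the host side a /24 instead of a /32. All addresses, the conn name "office" and the selector field names are constructed placeholders, and the check assumes the conn carries no leftprotoport/rightprotoport restriction.

```python
"""Added example (not from the original post): check that an Openswan
host-to-subnet conn and the FortiGate Phase 2 quick mode selectors mirror
each other.  All addresses below are constructed placeholders."""
import ipaddress


# Constructed ipsec.conf fragment: a laptop (203.0.113.10) tunnelling to the
# 10.0.0.0/24 office network behind a FortiGate at 198.51.100.1 (all assumed).
SAMPLE_IPSEC_CONF = """\
conn office
    left=%defaultroute
    leftsubnet=203.0.113.10/32   # this host, /32
    right=198.51.100.1
    rightsubnet=10.0.0.0/24
    auto=start
    pfs=yes
"""

# Constructed FortiGate Phase 2 selector, as typed into the "Advanced" section.
# FortiGate takes addresses as IP/netmask; ports and protocol 0 mean "any".
SAMPLE_FORTIGATE_PHASE2 = {
    "src_addr": "10.0.0.0/255.255.255.0",
    "src_port": 0,
    "dst_addr": "203.0.113.10/255.255.255.255",
    "dst_port": 0,
    "protocol": 0,
}


def parse_conn(text, name):
    """Return the key=value parameters of one 'conn <name>' section.

    Section headers sit at column 0; parameters are indented below them.
    Trailing '#' comments are stripped.
    """
    params = {}
    in_conn = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():          # a new section header
            in_conn = line.strip() == f"conn {name}"
            continue
        if in_conn and "=" in line:
            key, value = line.strip().split("=", 1)
            params[key.strip()] = value.strip()
    if not params:
        raise ValueError(f"conn {name} not found")
    return params


def to_network(addr):
    """Normalize 'a.b.c.d/24', 'a.b.c.d/255.255.255.0' or a bare host to a network."""
    return ipaddress.ip_network(addr, strict=False)


def derive_phase2(conn):
    """The FortiGate quick mode selector implied by an Openswan conn.

    From the firewall's point of view the source is its own network
    (Openswan's rightsubnet) and the destination is the single remote host
    (Openswan's leftsubnet).
    """
    office = to_network(conn["rightsubnet"])
    host = to_network(conn["leftsubnet"])
    return {
        "src_addr": f"{office.network_address}/{office.netmask}",
        "src_port": 0,
        "dst_addr": f"{host.network_address}/{host.netmask}",
        "dst_port": 0,
        "protocol": 0,
    }


def check_mirroring(conn, phase2):
    """Return a list of mismatches; an empty list means Phase 2 should agree."""
    problems = []
    if "leftsubnet" not in conn or "rightsubnet" not in conn:
        return ["conn needs both leftsubnet (this host) and rightsubnet (office network)"]
    host = to_network(conn["leftsubnet"])
    office = to_network(conn["rightsubnet"])
    if host.prefixlen != host.max_prefixlen:
        problems.append(f"leftsubnet {host} is not a single host (/32)")
    gw_src = to_network(phase2["src_addr"])
    gw_dst = to_network(phase2["dst_addr"])
    if gw_src != office:
        problems.append(f"FortiGate source {gw_src} does not match rightsubnet {office}")
    if gw_dst != host:
        problems.append(f"FortiGate destination {gw_dst} does not match leftsubnet {host}")
    # The conn above carries no leftprotoport/rightprotoport, so the firewall
    # side must be equally unrestricted: port 0 and protocol 0 mean "any".
    for field in ("src_port", "dst_port", "protocol"):
        if int(phase2[field]) != 0:
            problems.append(f"FortiGate {field}={phase2[field]} but the conn allows any {field}")
    return problems


if __name__ == "__main__":
    conn = parse_conn(SAMPLE_IPSEC_CONF, "office")
    print("derived selector:", derive_phase2(conn))
    print("mismatches:", check_mirroring(conn, SAMPLE_FORTIGATE_PHASE2) or "none")
    # A /24 on the host side is the classic mistake: Phase 1 succeeds, Phase 2 fails.
    wrong = dict(conn, leftsubnet="203.0.113.10/24")
    print("mismatches with /24:", check_mirroring(wrong, SAMPLE_FORTIGATE_PHASE2))
```

Run it against your own ipsec.conf by reading the file into parse_conn; if check_mirroring returns anything, fix that before looking anywhere else for a Phase 2 failure.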

1 comment:

Dementor said...

This post is very interesting indeed, but for the life of me I couldn't get it to work with my work FortiGate.
I've been trying to use Openswan to connect from my laptop to the FortiGate but had no success; it seems like it's dropping the connection at Phase 2.
I wish there was a FortiClient version for Linux.
Can you elaborate or give some more info regarding this matter?

Thank you so much, your blog has been very, very helpful.