Tuesday, August 25, 2009

Site-to-Site VPN - Openswan to Fortinet

Openswan IPSec is an open source implementation of IPSec that is included in many Linux distributions. When appropriately configured, it can interoperate with FortiGate VPNs.

Global settings

The global settings for the Openswan IPSec service are found in /etc/ipsec.conf. Unless you are certain that you don't need NAT traversal, ensure that the following line appears in ipsec.conf:


The line must begin with whitespace and be in the config setup section of the file.

There is also an include line that defines the name and location of your connection definition files. For example,

include /etc/ipsec.d/*.conf

Put your definition file in this location with an appropriate name.

Connection definition

You need a connection definition for each remote network you want to access.

An Openswan connection definition does not use the terms "source" or "destination". Instead, you define the two ends of the VPN as "left" and "right". The software determines for itself which definition applies to its end of the tunnel.

Example -- /etc/ipsec.d/office.conf (the parameter values below are placeholders in angle brackets; replace them with your own addresses and the proposals your FortiGate is configured for)

conn office
        #left side is home
        left=<home_public_ip>
        #right side is work
        #set right to vpn remote gateway
        right=<remote_gateway_ip>
        #set rightsubnet to remote network
        rightsubnet=<remote_network>/<prefix_length>
        #Automatically bring up VPN tunnel
        auto=start
        #specify encryption FortiGate VPN uses
        ike=<phase1_proposal>
        esp=<phase2_proposal>
        #perfect forward secrecy (default yes)
        pfs=yes
        #optionally enable compression
        compress=yes

For more information, see the ipsec.conf man page.

Secrets file for preshared keys

If you use a preshared key for authentication, you need to specify the key for the connection. Check the /etc/ipsec.secrets file. Typically this contains an include statement that defines the location and naming for the file, for example:

include /etc/ipsec.d/*.secrets

Put your definition file in this location with an appropriate name, typically ipsec.secrets. This file contains sensitive information, so it should be accessible only to the root user.

Entries in the secrets file take one of these two forms:

<remote_gw> : PSK "pre_shared_key"              # specify remote gateway only if your host's IP address is dynamic
<local_ip> <remote_gw> : PSK "pre_shared_key"   # specify remote and local IPs

(<local_ip> is the local address, <remote_gw> is the remote gateway you are connecting to)

The definition that specifies only the remote gateway address does not always work. You might get an error message that no PSK was found for your connection. The definition that specifies both local and remote gateway addresses is useful only if you have a fixed local IP address.
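Both requirements above (the secrets file readable only by its owner, and an entry whose selectors cover the remote gateway) can be checked before restarting the service. The following shell function is an added example written for this post, not Openswan's own tooling; the demo file, its addresses and its keys are constructed placeholder values.

```shell
#!/bin/sh
# check_secrets FILE REMOTE_GW   (added example, not part of Openswan)
#   0 = FILE is readable only by its owner and holds a PSK line whose
#       selectors (the IDs before ':') cover REMOTE_GW, or has no selectors
#   1 = group or other users can access the file
#   2 = no usable PSK line for REMOTE_GW (the "no PSK found" failure mode)
check_secrets() {
    f=$1; gw=$2
    # Columns 5-10 of `ls -ld` are the group/other permission bits;
    # this avoids the GNU/BSD differences in stat's flags.
    perms=$(ls -ld "$f" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ] || return 1
    awk -v gw="$gw" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        index($0, ":") == 0 { next }               # not a secret entry
        {
            sel  = substr($0, 1, index($0, ":") - 1)   # selector IDs before ":"
            rest = substr($0, index($0, ":") + 1)
            if (rest !~ /^[ \t]*PSK[ \t]/) next       # only PSK entries, not RSA
            if (sel ~ /^[ \t]*$/) { found = 1; exit }  # bare ": PSK" covers any peer
            n = split(sel, ids)                        # split on whitespace runs
            for (i = 1; i <= n; i++)
                if (ids[i] == gw) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }' "$f" || return 2
    return 0
}

# Constructed demo file: documentation addresses and dummy keys, not real values.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# remote gateway only (this host has a dynamic address)
203.0.113.10 : PSK "example-key-one"
# local and remote addresses (this host has a fixed address)
198.51.100.5 203.0.113.20 : PSK "example-key-two"
EOF
chmod 600 "$demo"
check_secrets "$demo" 203.0.113.20 && echo "ok: PSK entry for 203.0.113.20 present, file is owner-only"
rm -f "$demo"
```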

Starting the IPSec service

Typically, the IPSec service is configured to start at boot-up. If you are not sure that it is running, enter the following command as root:

/sbin/service ipsec restart

The startup messages will show if there are problems with the installation or syntactic problems with your configuration files.

Starting and stopping the VPN

If you used the auto=start option in your connection definition, the VPN is established when the IPSec service starts. Otherwise, you need to use the ipsec command to start and stop the VPN.

If the ipsec command is not on your command path, use the whereis command to locate it; /usr/sbin is a typical location.

In these examples, the connection is called office.

To start the VPN

/usr/sbin/ipsec auto --add office
/usr/sbin/ipsec auto --up office

To view VPN status

/usr/sbin/ipsec auto --status

To stop the VPN

/usr/sbin/ipsec auto --down office
/usr/sbin/ipsec auto --delete office

(Using information from Fortinet Knowledgebase Article at http://kc.forticare.com/default.asp?id=1835&Lang=1&SID)


Adrian said...

I dare you to try interface mode...

Sebastian said...

Funny enough, I did :)
Works like a champ.

Tico said...

Interface mode is IMPOSSIBLE!!

I Tried Everything!!!

How did you do it??

Renato Sávio said...

Good morning everyone....
Based on this article I managed to set up my IPsec with a supplier of mine that uses Fortinet. Here is how my ipsec.conf ended up, to help others the way this article helped me.... I use CentOS 6.5 and Openswan 2.6.38; put the PSK in ipsec.secrets:

<your public IP> <other end's public IP> : PSK "chavepredefinida"

conn open-fort
        ### phase 1 ###
        ### phase 2 ###
        left=<your public IP>
        leftsourceip=<your gateway>
        leftsubnet=<your internal network>/24
        leftnexthop=<your gateway>
        right=<other end's public IP>
        rightsubnet=<other end's local network>
        rightnexthop=<other end's gateway>