====== IPSec between Debian OpenSwan and FortiGate 60B ======
///etc/ipsec.conf//
version 2.0
config setup
    # private ranges that a NAT-ed peer is allowed to present behind its public address
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    nat_traversal=yes
    # native kernel IPsec stack: no ipsecN interface, everything lives in xfrm
    protostack=netkey

conn presto
    type=tunnel
    # this side: the Debian box (behind a NAT router) and the subnet it announces
    leftsubnet=192.168.204.0/24
    left=192.168.1.100
    leftnexthop=192.168.1.1
    # remote side: the FortiGate's public address and the LAN behind it
    right=93.93.132.175
    rightsubnet=192.168.5.0/24
    keyexchange=ike
    auto=start
    authby=secret
    pfs=yes
    # no DH group is pinned here, so the Openswan default has to match the
    # FortiGate phase 1 / phase 2 proposal; pin it (e.g. aes128-sha1;modp1024)
    # if the negotiation fails on the group
    esp=aes128-sha1
    ike=aes128-sha1
///etc/ipsec.secrets//
192.168.1.100 93.93.132.175 : PSK "my_strong_password"
The two addresses before the colon are the selectors Pluto uses to look the key up: they must be exactly the //left// and //right// of the conn (or %any), otherwise the preshared key is not found and phase 1 fails. Keep the file readable by root only (chmod 600 /etc/ipsec.secrets) and use a long random PSK; //my_strong_password// is only a placeholder.
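The mismatch between the secrets selectors and the conn endpoints is the classic way a PSK tunnel never gets past phase 1, and it is easy to check before starting Pluto. The following checker is an added example written for this page, not part of the original or of Openswan: it parses a copy of the two files above (embedded as constructed strings, the names IPSEC_CONF, IPSEC_SECRETS and BAD_SECRETS are mine) and reports the problems a practitioner would want flagged: endpoints or subnets missing or malformed, overlapping subnets, no PSK line covering both peers, and ike=/esp= lines that rely on the default DH group.

```python
"""Consistency check of an Openswan ipsec.conf against ipsec.secrets.

Added example (not from the original page): the two files are embedded below
as constructed strings mirroring the page's configuration, and check_config()
reports the mistakes that most often keep a PSK tunnel stuck in phase 1.
"""
import ipaddress
import shlex

# Constructed copy of the page's /etc/ipsec.conf (not read from disk).
IPSEC_CONF = """\
version 2.0
config setup
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    nat_traversal=yes
    protostack=netkey
conn presto
    type=tunnel
    leftsubnet=192.168.204.0/24
    left=192.168.1.100
    leftnexthop=192.168.1.1
    right=93.93.132.175
    rightsubnet=192.168.5.0/24
    keyexchange=ike
    auto=start
    authby=secret
    pfs=yes
    esp=aes128-sha1
    ike=aes128-sha1
"""

# Constructed copy of the page's /etc/ipsec.secrets.
IPSEC_SECRETS = '192.168.1.100 93.93.132.175 : PSK "my_strong_password"\n'

# Deliberately wrong: the selector names a different peer address, so Pluto
# would find no key for 93.93.132.175 and phase 1 would fail.
BAD_SECRETS = '192.168.1.100 93.93.132.176 : PSK "my_strong_password"\n'


def parse_ipsec_conf(text):
    """Return {section: {key: value}}; 'config setup' is stored under 'setup'.

    Indentation is ignored on purpose, so a flattened copy of the file
    (as on the page) parses the same as the properly indented one.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("version"):
            continue
        head, _, rest = line.partition(" ")
        if head in ("config", "conn"):
            current = "setup" if head == "config" else rest.strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def parse_ipsec_secrets(text):
    """Return [(selectors, psk)] for every PSK line (IPv4 selectors assumed)."""
    entries = []
    for raw in text.splitlines():
        selectors, sep, rest = raw.split("#", 1)[0].partition(":")
        rest = rest.strip()
        if not sep or not rest.startswith("PSK"):
            continue
        words = shlex.split(rest[len("PSK"):])
        entries.append((selectors.split(), words[0] if words else ""))
    return entries


def selectors_cover(selectors, left, right):
    """No selectors or %any applies to every peer; otherwise both endpoints
    of the conn must be listed on the secrets line."""
    if not selectors or "%any" in selectors:
        return True
    return left in selectors and right in selectors


def check_conn(conn, secrets):
    """Return a list of problems for one conn section (empty list == OK)."""
    problems = [f"missing {k}=" for k in ("left", "right", "leftsubnet", "rightsubnet")
                if k not in conn]
    if problems:
        return problems
    for key in ("left", "right"):
        try:
            ipaddress.ip_address(conn[key])
        except ValueError:
            problems.append(f"{key}={conn[key]} is not an IP address")
    nets = {}
    for key in ("leftsubnet", "rightsubnet"):
        try:
            nets[key] = ipaddress.ip_network(conn[key], strict=True)
        except ValueError:
            problems.append(f"{key}={conn[key]} is not a valid network")
    if len(nets) == 2 and nets["leftsubnet"].overlaps(nets["rightsubnet"]):
        problems.append("leftsubnet and rightsubnet overlap")
    if conn.get("authby") == "secret":
        # Pluto selects the PSK by the peers' addresses: the selectors on the
        # secrets line have to name left= and right= exactly.
        keys = [psk for sel, psk in secrets
                if selectors_cover(sel, conn["left"], conn["right"])]
        if not keys:
            problems.append("no PSK line in ipsec.secrets matches left= and right=")
        elif not keys[0]:
            problems.append("matching PSK line has an empty secret")
    if "ike" in conn and ";modp" not in conn["ike"]:
        problems.append(f"ike={conn['ike']} pins no DH group; the Openswan default "
                        "must match the FortiGate phase 1 proposal")
    if conn.get("pfs") == "yes" and "esp" in conn and ";modp" not in conn["esp"]:
        problems.append(f"esp={conn['esp']} with pfs=yes pins no PFS group; it must "
                        "match the FortiGate phase 2 proposal")
    return problems


def check_config(conf_text, secrets_text):
    """Return {conn_name: [problems]} for every conn in the configuration."""
    secrets = parse_ipsec_secrets(secrets_text)
    return {name: check_conn(conn, secrets)
            for name, conn in parse_ipsec_conf(conf_text).items() if name != "setup"}


if __name__ == "__main__":
    for name, problems in check_config(IPSEC_CONF, IPSEC_SECRETS).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

Run it against the real files with `check_config(open("/etc/ipsec.conf").read(), open("/etc/ipsec.secrets").read())` as root. For the page's own config the only findings are the two unpinned DH groups; with BAD_SECRETS the missing key is reported first, which is exactly the error that otherwise only shows up in auth.log after Pluto has already started.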
====== Here come the heavyweights ======
{{:linux:vpn:fat_pig.gif|}}
Because I could not think of a quick way to get the 192.168.204.x/24 subnet onto my machine (the existing 192.168.1.x/24 could not be used, and I did not feel like hunting down the password for my router and reconfiguring it), I resorted to this crutch:
# give the box itself an address inside leftsubnet (192.168.204.0/24)
ifconfig eth0:1 192.168.204.123 netmask 255.255.255.0
# send traffic for the remote LAN via that address: packets are then sourced from
# 192.168.204.123, match the 192.168.204.0/24 -> 192.168.5.0/24 policy and get
# encrypted; sourced from 192.168.1.100 they would miss the policy and be routed
# in the clear through the default gateway
route add -net 192.168.5.0/24 gw 192.168.204.123
This only puts this one host into the tunnel; the rest of 192.168.1.0/24 still has no path into 192.168.5.0/24, which is what routing 192.168.204.0/24 properly at the router would give.
====== Closing notes ======
Note that the netkey stack **does not create** a new //ipsec0// interface (only the older KLIPS stack does; nat_traversal makes no difference here), so an established tunnel does not show up in ifconfig at all: it exists only as kernel xfrm policies and security associations, and that is where to look when traffic does not flow.
For debugging I used, besides the usual
tail -f /var/log/auth.log
tail -f /var/log/syslog
also
ipsec auto --status
ip xfrm policy
ip xfrm state
The first shows Pluto's view (which conns are loaded and which ISAKMP and IPsec SAs are established); the other two show the kernel's: the policies that decide which traffic is to be encrypted, and the SAs (SPIs, algorithms and, with NAT traversal, the UDP 4500 encapsulation) that actually do it. An empty //ip xfrm state// for the peer addresses means no IPsec SA has been negotiated, however healthy the conn looks in ipsec.conf; auth.log then says which phase failed.
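Since netkey gives you nothing to ping or ifconfig, the honest "is the tunnel up?" test is to read those two commands' output and check that the kernel holds the out/in/fwd policies for the two subnets and one ESP SA per direction between the gateways, all under the same reqid. The following is an added example written for this page, not part of the original or of Openswan: XFRM_POLICY and XFRM_STATE are constructed samples in the format the commands print for the conn above (dummy keys and SPIs), tunnel_status() evaluates them, and live_status() runs the real commands instead.

```python
"""Check a netkey tunnel from `ip xfrm policy` and `ip xfrm state` output.

Added example, not from the original page: netkey shows no ipsec0 interface,
so the tunnel is visible only as kernel policies (SPD) and SAs (SAD). The two
samples below are constructed in the real output format for the page's conn;
live_status() runs the real commands instead.
"""
import subprocess

# Constructed `ip xfrm policy` output for conn presto (indent = continuation).
XFRM_POLICY = """\
src 192.168.204.0/24 dst 192.168.5.0/24
    dir out priority 2344 ptype main
    tmpl src 192.168.1.100 dst 93.93.132.175
        proto esp reqid 16385 mode tunnel
src 192.168.5.0/24 dst 192.168.204.0/24
    dir fwd priority 2344 ptype main
    tmpl src 93.93.132.175 dst 192.168.1.100
        proto esp reqid 16385 mode tunnel
src 192.168.5.0/24 dst 192.168.204.0/24
    dir in priority 2344 ptype main
    tmpl src 93.93.132.175 dst 192.168.1.100
        proto esp reqid 16385 mode tunnel
"""

# Constructed `ip xfrm state` output: one SA per direction, dummy keys/SPIs,
# the encap line is what NAT traversal (ESP in UDP 4500) looks like.
XFRM_STATE = """\
src 192.168.1.100 dst 93.93.132.175
    proto esp spi 0x0a1b2c3d reqid 16385 mode tunnel
    auth-trunc hmac(sha1) 0x1111111111111111111111111111111111111111 96
    enc cbc(aes) 0x22222222222222222222222222222222
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 93.93.132.175 dst 192.168.1.100
    proto esp spi 0x0d1e2f30 reqid 16385 mode tunnel
    auth-trunc hmac(sha1) 0x3333333333333333333333333333333333333333 96
    enc cbc(aes) 0x44444444444444444444444444444444
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
"""


def parse_records(text):
    """One dict per record; a record starts at an unindented 'src X dst Y' line.

    Indented lines are read as 'key value' pairs; the policy template line is
    kept as tmpl_src/tmpl_dst so it does not overwrite the selector addresses.
    """
    records = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if not line[0].isspace() and tokens[0] == "src":
            records.append({"src": tokens[1], "dst": tokens[3]})
        elif records and tokens[0] == "tmpl":
            records[-1]["tmpl_src"], records[-1]["tmpl_dst"] = tokens[2], tokens[4]
        elif records and tokens[0] == "encap":
            records[-1]["encap"] = tokens[2]          # espinudp == NAT-T in use
        elif records:
            records[-1].update(zip(tokens[0::2], tokens[1::2]))
    return records


def tunnel_status(policy_text, state_text, local_net, remote_net, left, right):
    """What the kernel holds for one conn. 'up' needs the out/in/fwd policies
    and both ESP SAs, all carrying the same reqid (so policy and SA belong
    together); 'nat_t' says whether ESP is wrapped in UDP."""
    policies = parse_records(policy_text)
    states = [s for s in parse_records(state_text) if s.get("proto") == "esp"]

    def policy(direction, src, dst, tsrc, tdst):
        return next((p for p in policies if p.get("dir") == direction
                     and (p["src"], p["dst"]) == (src, dst)
                     and (p.get("tmpl_src"), p.get("tmpl_dst")) == (tsrc, tdst)), None)

    def sa(src, dst):
        return next((s for s in states if (s["src"], s["dst"]) == (src, dst)), None)

    found = {
        "policy_out": policy("out", local_net, remote_net, left, right),
        "policy_in": policy("in", remote_net, local_net, right, left),
        "policy_fwd": policy("fwd", remote_net, local_net, right, left),
        "sa_out": sa(left, right),
        "sa_in": sa(right, left),
    }
    present = [r for r in found.values() if r is not None]
    status = {name: r is not None for name, r in found.items()}
    status["reqid_match"] = len({r.get("reqid") for r in present}) <= 1
    status["nat_t"] = any(r.get("encap") == "espinudp" for r in present)
    status["up"] = len(present) == len(found) and status["reqid_match"]
    return status


def live_status(local_net, remote_net, left, right):
    """Same check against the running kernel (iproute2; run as root to see SAs)."""
    out = [subprocess.run(["ip", "xfrm", kind], capture_output=True, text=True,
                          check=True).stdout for kind in ("policy", "state")]
    return tunnel_status(out[0], out[1], local_net, remote_net, left, right)
```

With the samples, `tunnel_status(XFRM_POLICY, XFRM_STATE, "192.168.204.0/24", "192.168.5.0/24", "192.168.1.100", "93.93.132.175")` reports everything present, `up` and `nat_t` True. Feed it the policy output with an empty state and you get the typical "Pluto loaded the conn but IKE never finished" picture: policies True, SAs False, `up` False.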