/etc/ipsec.conf
version 2.0

config setup
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    nat_traversal=yes
    protostack=netkey

conn presto
    type=tunnel
    leftsubnet=192.168.204.0/24
    left=192.168.1.100
    leftnexthop=192.168.1.1
    right=93.93.132.175
    rightsubnet=192.168.5.0/24
    keyexchange=ike
    auto=start
    authby=secret
    pfs=yes
    esp=aes128-sha1
    ike=aes128-sha1

/etc/ipsec.secrets
192.168.1.100 93.93.132.175 : PSK "my_strong_password"
Because I couldn't think of a quick way to bring up the 192.168.204.x/24 subnet on my side (I couldn't use the existing 192.168.1.x/24, and I didn't feel like digging up the password for my router and reconfiguring it), I made this crutch:
ifconfig eth0:1 192.168.204.123 netmask 255.255.255.0
route add -net 192.168.5.0/24 gw 192.168.204.123
It should be noted that IPsec, when using NAT traversal with netkey, does not create a new ipsec0 interface.
For debugging, besides the usual
tail -f /var/log/auth.log
tail -f /var/log/syslog
I also used
ipsec auto --status
ip xfrm policy
ip xfrm state
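
With netkey there is no ipsec0 interface to look at, so the installed kernel policies are what shows whether the tunnel is really in place. The script below is an added example, not part of the original post: it reads `ip xfrm policy` output and reports which of the out/in/fwd policies for this tunnel's subnets are missing. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
LOCAL_NET=192.168.204.0/24   # leftsubnet from the config above
REMOTE_NET=192.168.5.0/24    # rightsubnet from the config above

# Constructed sample of `ip xfrm policy` output for an established tunnel.
sample_policy() {
cat <<'EOF'
src 192.168.204.0/24 dst 192.168.5.0/24
    dir out priority 2344 ptype main
    tmpl src 192.168.1.100 dst 93.93.132.175
        proto esp reqid 16385 mode tunnel
src 192.168.5.0/24 dst 192.168.204.0/24
    dir fwd priority 2344 ptype main
    tmpl src 93.93.132.175 dst 192.168.1.100
        proto esp reqid 16385 mode tunnel
src 192.168.5.0/24 dst 192.168.204.0/24
    dir in priority 2344 ptype main
    tmpl src 93.93.132.175 dst 192.168.1.100
        proto esp reqid 16385 mode tunnel
EOF
}

# Reads `ip xfrm policy` output on stdin and prints each direction that has
# an ESP tunnel-mode template for the given local/remote subnet pair.
tunnel_dirs() {
    awk -v l="$1" -v r="$2" '
        $1 == "src" { sel = $2 " " $4; dir = ""; next }  # selector: src A dst B
        $1 == "dir" { dir = $2; next }
        $1 == "proto" && $2 == "esp" && /mode tunnel/ {
            if (dir == "out" && sel == l " " r) print dir
            if ((dir == "in" || dir == "fwd") && sel == r " " l) print dir
        }'
}

# Prints the directions (of out, in, fwd) that are NOT covered; empty = OK.
missing_dirs() {
    found=$(tunnel_dirs "$1" "$2")
    for d in out in fwd; do
        echo "$found" | grep -qx "$d" || printf '%s ' "$d"
    done
}

# Demo on the constructed sample; on a live host use instead:
#   ip xfrm policy | missing_dirs "$LOCAL_NET" "$REMOTE_NET"
m=$(sample_policy | missing_dirs "$LOCAL_NET" "$REMOTE_NET")
if [ -z "$m" ]; then echo "tunnel policies present"; else echo "missing: $m"; fi
```

An empty result means traffic between the two subnets is covered in all three directions; a missing direction means packets for that direction will not be matched by an ESP tunnel policy.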