Hello /r/networking,
Could you please guide me in the right direction.
I need to establish a kind of site-to-site VPN to route traffic from some internal networks to a Linux host and then on to the internet.
I was able to establish an IPsec tunnel between a FortiGate and an Ubuntu host with strongSwan.
Here is the strongSwan config (ipsec.conf):
config setup
    charondebug="ike 1, knl 1, cfg 0"

conn FortiGate
    authby=secret
    type=tunnel
    auto=route
    compress=no
    # Linux host public IP
    left=138.X.X.X
    leftsubnet=0.0.0.0/0
    # FG public IP
    right=185.X.X.X
    rightsubnet=0.0.0.0/0
    leftfirewall=no
    keyexchange=ikev1
    ike=aes256-sha256-ecp521
    esp=aes256-sha256-ecp521
    mark=42

ipsec.secrets:
# Pre-shared key for the FortiGate peer (FG public IP, then this host's public IP)
185.X.X.X 138.X.X.X : PSK "testtest"
sysctl.conf:
net.ipv4.ip_forward=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.ip_no_pmtu_disc = 1
Output of ifconfig:
eth0 Link encap:Ethernet HWaddr e6:70:3b:39:07:12
inet addr:138.X.X.X Bcast:138.X.X.X Mask:255.255.240.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6939 errors:0 dropped:0 overruns:0 frame:0
TX packets:4920 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:847539 (847.5 KB) TX bytes:943017 (943.0 KB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:170 errors:0 dropped:0 overruns:0 frame:0
TX packets:170 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:12680 (12.6 KB) TX bytes:12680 (12.6 KB)
vti0 Link encap:IPIP Tunnel HWaddr
inet addr:10.1.1.2 P-t-P:10.1.1.2 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MTU:1332 Metric:1
RX packets:152 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:12768 (12.7 KB) TX bytes:0 (0.0 B)
As you can see (RX packets: 152), ICMP packets are going out of the FG to vti0.
Route table of the Linux host:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         138.X.X.X       0.0.0.0         UG    0      0        0 eth0
10.1.1.1        *               255.255.255.255 UH    0      0        0 vti0
10.16.0.0       *               255.255.0.0     U     0      0        0 eth0
138.X.X.X       *               255.255.240.0   U     0      0        0 eth0
Output of ipsec status FortiGate:
Routed Connections:
FortiGate{1}: ROUTED, TUNNEL, reqid 1
FortiGate{1}: 0.0.0.0/0 === 0.0.0.0/0
Security Associations (1 up, 0 connecting):
FortiGate[4]: ESTABLISHED 31 minutes ago, 138.X.X.X[138.X.X.X]...185.X.X.X[185.X.X.X]
FortiGate{5}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c81632fb_i a2f2414e_o
FortiGate{5}: 0.0.0.0/0 === 0.0.0.0/0
Tunnel status from the FortiGate:
get vpn ipsec tunnel name VPN-DO
gateway
name: 'VPN-DO'
type: route-based
local-gateway: 185.X.X.X:0 (static)
remote-gateway: 138.X.X.X:0 (static)
mode: ike-v1
interface: 'wan1' (17)
rx packets: 0 bytes: 0 errors: 0
tx packets: 15 bytes: 1260 errors: 0
dpd: on-demand/negotiated idle: 20000ms retry: 3 count: 0
selectors
name: 'VPN-DO'
auto-negotiate: enable
mode: tunnel
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA
lifetime/rekey: 43200/40884
mtu: 1438
tx-esp-seq: 10
replay: enabled
inbound
spi: a2f2414e
enc: aes-cb 1b949d5c0761XXXXXXXXXXXXXXX
auth: sha256 df777659685fXXXXXXXXXXXXXXX
outbound
spi: c81632fb
enc: aes-cb 1413ebedcc3f2XXXXXXXXXXXXXXXX
auth: sha256 30e9176XXXXXXXXXXXXXXXXX
NPU acceleration: encryption(outbound)
Output of get router info routing-table all:
S* 0.0.0.0/0 [1/0] via 185.X.X.X, wan1, [0/56]
[1/0] via 194.X.X.X, port15
C 10.1.1.1/32 is directly connected, VPN-DO
C 10.1.1.2/32 is directly connected, VPN-DO
S 10.X.X.X/X [10/0] via 10.X.X.X, LAN
C 10.X.X.X/X is directly connected, LAN
S 10.X.X.X/X [10/0] is directly connected, Site to Site
S 10.211.134.0/24 [10/0] is directly connected, Site to Site
C 185.X.X.X/29 is directly connected, wan1
S 188.X.X.X/32 [1/0] via 10.1.1.2, VPN-DO
C 194.X.X.X/X is directly connected, port15
But I can't get any traffic (not even an ICMP response) back.
Do you have any ideas?
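For reference, here is what the Linux side of a route-based (VTI) strongSwan tunnel of the kind described in the post normally looks like once the IPsec SA is up. This is an added example, not code from the original post or from strongSwan or Fortinet: the public addresses (198.51.100.10 and 203.0.113.20, documentation ranges), the interface names and the FortiGate-side subnet 10.211.134.0/24 are assumptions and can be overridden through environment variables. The points it illustrates are the ones a practitioner checks on a VTI setup: the `key` given to `ip tunnel add` must equal the `mark=` in ipsec.conf, XFRM policy lookups are disabled on the vti device with `disable_policy=1`, and traffic from the remote subnets has to be forwarded and masqueraded out of the WAN interface if it is to reach the internet. With selectors of 0.0.0.0/0 on both sides, strongSwan should also be told not to install its own routes (`charon { install_routes = no }` in strongswan.conf), since the VTI routes are managed by hand. In a real deployment the placeholder PSK should be replaced by a long random secret.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): Linux-side setup for a
# route-based (VTI) strongSwan tunnel whose ipsec.conf carries mark=42.
# All addresses below are placeholders (assumptions); override them via
# environment variables. Run without arguments to print the commands
# (dry run); run with APPLY=1 as root to execute them.
set -eu

LOCAL_IP="${LOCAL_IP:-198.51.100.10}"       # assumed: this host's public IP (left=)
REMOTE_IP="${REMOTE_IP:-203.0.113.20}"      # assumed: FortiGate public IP (right=)
WAN_IF="${WAN_IF:-eth0}"                    # interface facing the internet
VTI_IF="${VTI_IF:-vti0}"
VTI_ADDR="${VTI_ADDR:-10.1.1.2/24}"         # tunnel address as in the post's ifconfig
VTI_KEY="${VTI_KEY:-42}"                    # must equal mark= in ipsec.conf
INTERNAL_NETS="${INTERNAL_NETS:-10.211.134.0/24}"  # assumed FG-side subnets to NAT

# Print the commands that create the VTI, disable XFRM policy lookups on it,
# enable forwarding, and forward/NAT the FortiGate-side subnets out of WAN_IF.
vti_commands() {
  cat <<EOF
ip tunnel add $VTI_IF mode vti local $LOCAL_IP remote $REMOTE_IP key $VTI_KEY
ip addr add $VTI_ADDR dev $VTI_IF
ip link set $VTI_IF up
sysctl -w net.ipv4.conf.$VTI_IF.disable_policy=1
sysctl -w net.ipv4.ip_forward=1
EOF
  for net in $INTERNAL_NETS; do
    echo "ip route add $net dev $VTI_IF"
    echo "iptables -A FORWARD -i $VTI_IF -o $WAN_IF -s $net -j ACCEPT"
    echo "iptables -A FORWARD -i $WAN_IF -o $VTI_IF -d $net -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -s $net -o $WAN_IF -j MASQUERADE"
  done
}

# Consistency check: the mark= in ipsec.conf must equal the VTI key, otherwise
# the kernel cannot associate the tunnel's SAs/policies with the vti device
# and packets are dropped. Usage: check_mark /etc/ipsec.conf 42
# Returns non-zero when the mark is missing or differs from the key.
check_mark() {
  conf="$1"; key="$2"
  mark=$(sed -n 's/^[[:space:]]*mark=\([0-9][0-9]*\).*/\1/p' "$conf" | head -n 1)
  [ -n "$mark" ] && [ "$mark" = "$key" ]
}

if [ "${APPLY:-0}" = "1" ]; then
  vti_commands | sh -e
else
  vti_commands
fi
```

After applying, `ip -s link show vti0` should show both RX and TX counters moving and `ip xfrm policy` should list the 0.0.0.0/0 policies carrying `mark 0x2a` (42), matching the interface key.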