Re: Route-based VPN - Fortigate to OpenBSD

[Chris Jones]

Thanks for the advice I will look into that should the gif option not 
work. Do you have any advice as to how to run gif over ipsec?

-Chris
Claer wrote:
On Sat, Feb 09 2008 at 00:10, Chris Jones wrote:
Hi all,
Hi,

A while back I attempted to setup a route-based VPN tunnel between a 
Fortigate firewall and an OpenBSD firewall with no success. I now have the 
need to get this to work and wondering if someone on the list can shed some 
light on the configuration. The end goal is to have a gif(4) interface run 
over IPSec so that I can use a dynamic routing protocol to route traffic to 
remote VPN networks.

I can successfully create an IPSec VPN connection between the Fortigate and 
OpenBSD 4.2 system. Normally the tunnel interfaces on Fortigates and 
Netscreens are un-numbered.

I have tried bringing up the gif interface after successfully establishing 
an IPSec connection by issuing the following commands.

$ sudo ifconfig gif0 create
$ sudo ifconfig gif0 tunnel 1.1.1.1 2.2.2.2
$ sudo ifconfig gif0 10.0.0.3 10.0.0.2 prefixlen 32
$ sudo route add -inet 10.2.0.0/16 10.0.0.2

I then modified the un-numbered tunnel interface on the Fortigate side to 
use src 10.0.0.2 dst 10.0.0.3. This didn't seem right to begin with as I 
already have an IPSec tunnel established. Where I'm confused is setting up 
gif to tunnel over the IPSec connection in order route traffic across it. 
Can someone point me in the right direction.
"Routed VPN" in Netscreen and Fortinet is done by modifying the way ipsec
should work. It's not the way to go if you want to take the vpn decision
based on ip routes.

I'd firstly try to create a GRE tunnel (numbered) between peers and then
create a host to host vpn with GRE tunnel on top of it. 

Both OpenBSD and Netscreen support GRE, I hope Fortinet does.

Claer

My setup is quite simple.

network
-------

internal      external                external   internal
----------- | -------- -> Internet -> -------- | -----------
10.1.1.0/24   1.1.1.1                 2.2.2.2    10.2.0.0/16


ipsec.conf
----------

remote_gw = "2.2.2.2"

ike dynamic esp from 10.1.1.0/24 to 10.2.0.0/16 peer $remote_gw \
        aggressive auth hmac-sha1 enc 3des group modp1536 \
        quick auth hmac-sha1 enc 3des group modp1536 \
        srcid [EMAIL PROTECTED] \
        psk "secret"


Thanks,
-Chris

--
Chris Jones


--
Chris Jones

GDI Software Services Canada Inc.
Suite 1300, 1500 West Georgia St.
Vancouver, BC, Canada
V6G 2Z6
Email:  [EMAIL PROTECTED]
Mobile: 604.218.5981
Phone:  604.909.3300 | Fax: 604.909.0100