Re: Route-based VPN - Fortigate to OpenBSD

2008-02-13 Thread Reyk Floeter
btw.,

i would really appreciate if somebody could give me access to
fortigate/netscreen boxes for some testing.  please contact me in
private.

reyk



Route-based VPN - Fortigate to OpenBSD

2008-02-11 Thread Stephen Bevan
Chris Jones writes:
 > A while back I attempted to set up a route-based VPN tunnel between a
 > Fortigate firewall and an OpenBSD firewall with no success. I now have
 > the need to get this to work and am wondering if someone on the list can
 > shed some light on the configuration. The end goal is to have a gif(4)
 > interface run over IPSec so that I can use a dynamic routing protocol to
 > route traffic to remote VPN networks.

As far as OpenBSD is concerned, when it talks to a
FortiGate/Netscreen both are using tunnel mode IPsec.  The difference
is that FortiGate/Netscreen implement it in such a way that a virtual
interface is created so that you can route over it.

To do the equivalent under OpenBSD you'd either :-

  * implement an equivalent kind of IPsec network device in the
OpenBSD kernel (enc0 is starting point) and modify the IKE daemon
to know about it.

  * Modify the IKE daemon so that when it negotiates tunnel mode then
on the OpenBSD side it adds transport mode IPsec SAs and creates or
binds to a gif device.

If you are wondering why FortiGate/Netscreen do things the way they do
then it comes down to ease of configuration.  For years under Cisco
IOS the way to do what you want was a combination of transport mode IPsec
and a GRE interface.  Not particularly difficult to set up but still more
complicated than it needed to be if all you want is a VPN that you can
route over.  So Cisco IOS now supports an IPsec interface so that you
can forget about transport mode and GRE (unless you're talking to
*BSD/Linux) and just define your tunnel mode IPsec and you get an
interface to route over.



Re: Route-based VPN - Fortigate to OpenBSD

2008-02-11 Thread Claer
On Sun, Feb 10 2008 at 23:03, Chris Jones wrote:
> Thanks for the advice. I will look into that should the gif option not work.
> Do you have any advice as to how to run gif over ipsec?
Sorry, I don't have any clue how to set up gif tunneling with a Fortinet end
point. Between 2 OpenBSD boxes it's quite easy, just do s/GRE/gif/ in my
previous sentence ;-)


Claer

> Claer wrote:
>> On Sat, Feb 09 2008 at 00:10, Chris Jones wrote:
>>> Hi all,
>> Hi,
>>> A while back I attempted to set up a route-based VPN tunnel between a
>>> Fortigate firewall and an OpenBSD firewall with no success. I now have
>>> the need to get this to work and am wondering if someone on the list can
>>> shed some light on the configuration. The end goal is to have a gif(4)
>>> interface run over IPSec so that I can use a dynamic routing protocol to
>>> route traffic to remote VPN networks.
>>>
>>> I can successfully create an IPSec VPN connection between the Fortigate 
>>> and OpenBSD 4.2 system. Normally the tunnel interfaces on Fortigates and 
>>> Netscreens are un-numbered.
>>>
>>> I have tried bringing up the gif interface after successfully 
>>> establishing an IPSec connection by issuing the following commands.
>>>
>>> $ sudo ifconfig gif0 create
>>> $ sudo ifconfig gif0 tunnel 1.1.1.1 2.2.2.2
>>> $ sudo ifconfig gif0 10.0.0.3 10.0.0.2 prefixlen 32
>>> $ sudo route add -inet 10.2.0.0/16 10.0.0.2
>>>
>>> I then modified the un-numbered tunnel interface on the Fortigate side to
>>> use src 10.0.0.2 dst 10.0.0.3. This didn't seem right to begin with as I
>>> already have an IPSec tunnel established. Where I'm confused is setting
>>> up gif to tunnel over the IPSec connection in order to route traffic across
>>> it. Can someone point me in the right direction?
>> "Routed VPN" in Netscreen and Fortinet is done by modifying the way ipsec
>> should work. It's not the way to go if you want to take the vpn decision
>> based on ip routes.
>> I'd firstly try to create a GRE tunnel (numbered) between peers and then
>> create a host to host vpn with GRE tunnel on top of it. Both OpenBSD and 
>> Netscreen support GRE, I hope Fortinet does.
>> Claer
>>> My setup is quite simple.
>>>
>>> network
>>> -------
>>>
>>> internal      external                        external    internal
>>> -----------   -------   |  -> Internet ->  |  -------     -----------
>>> 10.1.1.0/24   1.1.1.1                         2.2.2.2     10.2.0.0/16
>>>
>>>
>>> ipsec.conf
>>> ----------
>>>
>>> remote_gw = "2.2.2.2"
>>>
>>> ike dynamic esp from 10.1.1.0/24 to 10.2.0.0/16 peer $remote_gw \
>>>     aggressive auth hmac-sha1 enc 3des group modp1536 \
>>>     quick auth hmac-sha1 enc 3des group modp1536 \
>>>     srcid [EMAIL PROTECTED] \
>>>     psk "secret"
>>>
>>>
>>> Thanks,
>>> -Chris
>>>
>>> -- 
>>> Chris Jones
>
> -- 
> Chris Jones
>
> GDI Software Services Canada Inc.
> Suite 1300, 1500 West Georgia St.
> Vancouver, BC, Canada
> V6G 2Z6
> Email:  [EMAIL PROTECTED]
> Mobile: 604.218.5981
> Phone:  604.909.3300 | Fax: 604.909.0100
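Putting Stephen Bevan's second option (transport mode SAs plus a gif device) and Claer's s/GRE/gif/ remark together, this is what the OpenBSD-to-OpenBSD version of a route-based VPN looks like: a transport-mode ESP flow between the two gateway addresses protects the gif(4) IP-in-IP packets, and what goes through the tunnel is decided by the routing table over gif0. This is an added example, not configuration posted in the thread or shipped with OpenBSD. It reuses the thread's addresses, assumes that `proto ipencap` is the right ipsec.conf selector for gif's IPv4-in-IPv4 encapsulation (IP protocol 4, named ipencap in /etc/protocols), and uses a placeholder PSK. The script only generates the configuration text and cross-checks it; it does not touch the running system.

```shell
#!/bin/sh
# Added example: OpenBSD <-> OpenBSD route-based VPN as a gif(4) tunnel
# carried by a transport-mode ESP SA between the gateway addresses.
# Addresses are the ones from the thread; the PSK is a placeholder.
# The script generates the config text and sanity-checks it; it runs no
# ifconfig/route/ipsecctl itself.

LOCAL_GW=1.1.1.1             # outer (Internet-facing) address, this side
REMOTE_GW=2.2.2.2            # outer address of the peer gateway
LOCAL_TUN=10.0.0.3           # gif0 inner address, this side
REMOTE_TUN=10.0.0.2          # gif0 inner address, peer side
REMOTE_NETS="10.2.0.0/16"    # prefixes reached through the tunnel (static here)

# The thread's tunnel-mode policy, kept for contrast: it selects traffic by
# the inner networks, so it grabs 10.1.1.0/24 -> 10.2.0.0/16 packets itself
# and the gif0 route never carries them.
tunnel_mode_conf() {
cat <<EOF
remote_gw = "$REMOTE_GW"

ike dynamic esp from 10.1.1.0/24 to 10.2.0.0/16 peer \$remote_gw \\
    aggressive auth hmac-sha1 enc 3des group modp1536 \\
    quick auth hmac-sha1 enc 3des group modp1536 \\
    psk "PLACEHOLDER_PSK"
EOF
}

# Transport-mode policy: protect IP-in-IP (proto ipencap, i.e. gif) packets
# exchanged between the two gateway addresses. Main mode (the default) is
# fine between two fixed-address peers; routing, not the IPsec selector,
# decides which networks use the tunnel.
transport_mode_conf() {
cat <<EOF
ike esp transport proto ipencap from $LOCAL_GW to $REMOTE_GW \\
    quick auth hmac-sha1 enc aes group modp1536 \\
    psk "PLACEHOLDER_PSK"
EOF
}

# gif0 setup in the same form Chris used. The tunnel endpoints must be the
# same pair the ESP flow protects, otherwise the gif packets match no flow
# and are sent unprotected.
gif_commands() {
cat <<EOF
ifconfig gif0 create
ifconfig gif0 tunnel $LOCAL_GW $REMOTE_GW
ifconfig gif0 $LOCAL_TUN $REMOTE_TUN prefixlen 32
EOF
    for net in $REMOTE_NETS; do
        echo "route add -inet $net $REMOTE_TUN"
    done
}

# Cross-check: ESP selector endpoints and gif tunnel endpoints agree.
check_endpoints() {
    flow=$(transport_mode_conf | sed -n 's/^ike .* from \([0-9.]*\) to \([0-9.]*\).*/\1 \2/p')
    tun=$(gif_commands | awk '/ tunnel / { print $4, $5 }')
    [ -n "$flow" ] && [ "$flow" = "$tun" ]
}

printf '# --- thread config (tunnel mode, competes with the gif route) ---\n'
tunnel_mode_conf
printf '\n# --- /etc/ipsec.conf (transport mode protecting gif) ---\n'
transport_mode_conf
printf '\n# --- gif0 and routes (or as "!command" lines in hostname.gif0) ---\n'
gif_commands
check_endpoints && echo "# ESP selector matches gif tunnel endpoints"
```

The peer mirrors this with the gateway and tunnel addresses swapped. Once gif0 is up on both sides, a routing daemon such as ospfd(8) can run over it in place of the static route, which is the "dynamic routing protocol over the tunnel" goal of the original post.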



Re: Route-based VPN - Fortigate to OpenBSD

2008-02-10 Thread Chris Jones
Thanks for the advice. I will look into that should the gif option not
work. Do you have any advice as to how to run gif over ipsec?


-Chris

Claer wrote:
> On Sat, Feb 09 2008 at 00:10, Chris Jones wrote:
>> Hi all,
> Hi,
>
>> A while back I attempted to set up a route-based VPN tunnel between a
>> Fortigate firewall and an OpenBSD firewall with no success. I now have the
>> need to get this to work and am wondering if someone on the list can shed some
>> light on the configuration. The end goal is to have a gif(4) interface run
>> over IPSec so that I can use a dynamic routing protocol to route traffic to
>> remote VPN networks.
>>
>> I can successfully create an IPSec VPN connection between the Fortigate and
>> OpenBSD 4.2 system. Normally the tunnel interfaces on Fortigates and
>> Netscreens are un-numbered.
>>
>> I have tried bringing up the gif interface after successfully establishing
>> an IPSec connection by issuing the following commands.
>>
>> $ sudo ifconfig gif0 create
>> $ sudo ifconfig gif0 tunnel 1.1.1.1 2.2.2.2
>> $ sudo ifconfig gif0 10.0.0.3 10.0.0.2 prefixlen 32
>> $ sudo route add -inet 10.2.0.0/16 10.0.0.2
>>
>> I then modified the un-numbered tunnel interface on the Fortigate side to
>> use src 10.0.0.2 dst 10.0.0.3. This didn't seem right to begin with as I
>> already have an IPSec tunnel established. Where I'm confused is setting up
>> gif to tunnel over the IPSec connection in order to route traffic across it.
>> Can someone point me in the right direction?
> "Routed VPN" in Netscreen and Fortinet is done by modifying the way ipsec
> should work. It's not the way to go if you want to take the vpn decision
> based on ip routes.
>
> I'd firstly try to create a GRE tunnel (numbered) between peers and then
> create a host to host vpn with GRE tunnel on top of it.
>
> Both OpenBSD and Netscreen support GRE, I hope Fortinet does.
>
> Claer
>
>> My setup is quite simple.
>>
>> network
>> -------
>>
>> internal      external                        external    internal
>> -----------   -------   |  -> Internet ->  |  -------     -----------
>> 10.1.1.0/24   1.1.1.1                         2.2.2.2     10.2.0.0/16
>>
>>
>> ipsec.conf
>> ----------
>>
>> remote_gw = "2.2.2.2"
>>
>> ike dynamic esp from 10.1.1.0/24 to 10.2.0.0/16 peer $remote_gw \
>>     aggressive auth hmac-sha1 enc 3des group modp1536 \
>>     quick auth hmac-sha1 enc 3des group modp1536 \
>>     srcid [EMAIL PROTECTED] \
>>     psk "secret"
>>
>>
>> Thanks,
>> -Chris
>>
>> -- 
>> Chris Jones

-- 
Chris Jones

GDI Software Services Canada Inc.
Suite 1300, 1500 West Georgia St.
Vancouver, BC, Canada
V6G 2Z6
Email:  [EMAIL PROTECTED]
Mobile: 604.218.5981
Phone:  604.909.3300 | Fax: 604.909.0100



Re: Route-based VPN - Fortigate to OpenBSD

2008-02-09 Thread Claer
On Sat, Feb 09 2008 at 00:10, Chris Jones wrote:
> Hi all,
Hi,

> A while back I attempted to set up a route-based VPN tunnel between a
> Fortigate firewall and an OpenBSD firewall with no success. I now have the
> need to get this to work and am wondering if someone on the list can shed some
> light on the configuration. The end goal is to have a gif(4) interface run
> over IPSec so that I can use a dynamic routing protocol to route traffic to
> remote VPN networks.
>
> I can successfully create an IPSec VPN connection between the Fortigate and 
> OpenBSD 4.2 system. Normally the tunnel interfaces on Fortigates and 
> Netscreens are un-numbered.
>
> I have tried bringing up the gif interface after successfully establishing 
> an IPSec connection by issuing the following commands.
>
> $ sudo ifconfig gif0 create
> $ sudo ifconfig gif0 tunnel 1.1.1.1 2.2.2.2
> $ sudo ifconfig gif0 10.0.0.3 10.0.0.2 prefixlen 32
> $ sudo route add -inet 10.2.0.0/16 10.0.0.2
>
> I then modified the un-numbered tunnel interface on the Fortigate side to
> use src 10.0.0.2 dst 10.0.0.3. This didn't seem right to begin with as I
> already have an IPSec tunnel established. Where I'm confused is setting up
> gif to tunnel over the IPSec connection in order to route traffic across it.
> Can someone point me in the right direction?
"Routed VPN" in Netscreen and Fortinet is done by modifying the way ipsec
should work. It's not the way to go if you want to take the vpn decision
based on ip routes.

I'd firstly try to create a GRE tunnel (numbered) between peers and then
create a host to host vpn with GRE tunnel on top of it. 

Both OpenBSD and Netscreen support GRE, I hope Fortinet does.

Claer

> My setup is quite simple.
>
> network
> -------
>
> internal      external                        external    internal
> -----------   -------   |  -> Internet ->  |  -------     -----------
> 10.1.1.0/24   1.1.1.1                         2.2.2.2     10.2.0.0/16
>
>
> ipsec.conf
> ----------
>
> remote_gw = "2.2.2.2"
>
> ike dynamic esp from 10.1.1.0/24 to 10.2.0.0/16 peer $remote_gw \
>     aggressive auth hmac-sha1 enc 3des group modp1536 \
>     quick auth hmac-sha1 enc 3des group modp1536 \
>     srcid [EMAIL PROTECTED] \
>     psk "secret"
>
>
> Thanks,
> -Chris
>
> -- 
> Chris Jones



Route-based VPN - Fortigate to OpenBSD

2008-02-09 Thread Chris Jones

Hi all,

A while back I attempted to set up a route-based VPN tunnel between a
Fortigate firewall and an OpenBSD firewall with no success. I now have
the need to get this to work and am wondering if someone on the list can
shed some light on the configuration. The end goal is to have a gif(4)
interface run over IPSec so that I can use a dynamic routing protocol to
route traffic to remote VPN networks.


I can successfully create an IPSec VPN connection between the Fortigate 
and OpenBSD 4.2 system. Normally the tunnel interfaces on Fortigates and 
Netscreens are un-numbered.


I have tried bringing up the gif interface after successfully 
establishing an IPSec connection by issuing the following commands.


$ sudo ifconfig gif0 create
$ sudo ifconfig gif0 tunnel 1.1.1.1 2.2.2.2
$ sudo ifconfig gif0 10.0.0.3 10.0.0.2 prefixlen 32
$ sudo route add -inet 10.2.0.0/16 10.0.0.2

I then modified the un-numbered tunnel interface on the Fortigate side
to use src 10.0.0.2 dst 10.0.0.3. This didn't seem right to begin with
as I already have an IPSec tunnel established. Where I'm confused is
setting up gif to tunnel over the IPSec connection in order to route
traffic across it. Can someone point me in the right direction?


My setup is quite simple.

network
-------

internal      external                        external    internal
-----------   -------   |  -> Internet ->  |  -------     -----------
10.1.1.0/24   1.1.1.1                         2.2.2.2     10.2.0.0/16


ipsec.conf
----------

remote_gw = "2.2.2.2"

ike dynamic esp from 10.1.1.0/24 to 10.2.0.0/16 peer $remote_gw \
    aggressive auth hmac-sha1 enc 3des group modp1536 \
    quick auth hmac-sha1 enc 3des group modp1536 \
    srcid [EMAIL PROTECTED] \
    psk "secret"


Thanks,
-Chris

--
Chris Jones