VPN Fortigate 60B - Openswan

For VPN topics, including configuration, troubleshooting and interoperability.
netcrc
Posts: 1
Joined: 04 Sep 2010, 22:41

VPN Fortigate 60B - Openswan

Post by netcrc »

I have the following situation and have not managed to get it working.
I need to connect two offices; the main office has a Debian Lenny server with Openswan and iptables. The remote office has a Fortigate 60B (firewall-VPN).

Besides the VPN and the two LANs being able to communicate, the idea is to use the public IPs of the main office and be able to forward HTTPS traffic to the server located in the remote office.

Internet -------> www -------> Public IP - Main Office <---------- VPN ----------> Remote Office ----------> WEB server (LAN)
                                        |
                                        |
                                        |
                                       LAN

The current configuration of the devices is as follows

Fortigate 60B
VPN-- > IP SEC

Phase 1
Static IP Address
Local Interface = WAN1
Mode = Main (ID Protection)
Authentication Method = Pre-shared Key
Peer Options = Accept any peer ID
P1 Proposal
1- Encryption = 3DES Authentication = MD5
2- Encryption = 3DES Authentication = SHA1
DH Group = 2 – 5
Keylife = 28800
Local ID = ________
XAuth = Disable
NAT-traversal = enable
Keep alive Frequency = 10 seconds
Dead Peer Detection = enable

Phase 2
P2 Proposal
1- Encryption = 3DES Authentication = MD5
2- Encryption = 3DES Authentication = SHA1
Enable replay detection = yes
Enable perfect forward secrecy (PFS) = yes
DH Group = 5
Keylife= 1800 Seconds
Autokey Keep Alive = enable
Quick Mode Selector
- Source address = 192.168.x.x/24 (LAN this side)
- Source port = 0
- Destination address = 192.168.x.x (LAN side Openswan)
- Protocol = 0

Log Access
# Date time Level User Interface Action Message
1 2010-09-04 13:22:27 notice negotiate Initiator: sent x.x.x.x (public IP openswan) main mode message #1 (OK)


Openswan

- #/etc/ipsec.conf
nat_traversal=yes
nat_traversal=yes
# Add connections here
include /etc/ipsec.d/fortigate.conf

- VPN
conn nb-vpn                       # connection name
        type=tunnel
        auth=esp
        authby=secret
        esp=3des-md5!;modp1536
        ikelifetime=1800s
        keyingtries=10
        keylife=28800s
        pfs=yes
        left=x.x.x.x              # Public IP Openswan
        leftsubnet=192.168.x.x/24 # LAN Openswan
        leftid=x.x.x.x            # Public IP Openswan
        leftrsasigkey=abc         # key
        leftnexthop=y.y.y.y       # %defaultroute correct in many situations
        right=a.b.c.d             # Public IP Fortigate
        rightsubnet=192.168.x.x/24 # LAN Fortigate
        rightid=a.b.c.d           # Public IP Fortigate
        rightrsasigkey=abc        # key
        rightnexthop=%defaultroute # correct in many situations
        auto=add                  # authorizes but doesn't start this
        ike=3des-md5!
        keyexchange=ike           # connection at startup

/etc/init.d/ipsec restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec 2.4.12..

ipsec auto --up vpn (wait and wait….)

ipsec auto --status
000 "vpn": 192.168.x.x/24===a.b.c.d---a.b.c..d...a.b.c.d---a.b.c.d===192.168.x.x/24; unrouted; eroute owner: #0
000 "vpn": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "vpn": ike_life: 1800s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 10
000 "vpn": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth0; encap: esp;
000 "vpn": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "vpn": IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)-MODP1536(5), 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=strict
000 "vpn": IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-MODP1536(5), 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
000 "vpn": ESP algorithms wanted: 3DES(3)_000-MD5(1); pfsgroup=MODP1536(5); flags=strict
000 "vpn": ESP algorithms loaded: 3DES(3)_000-MD5(1); pfsgroup=MODP1536(5); flags=strict
000
000 #61: "vpn":500 STATE_MAIN_I1 (sent MI1, expecting MR1); none in -1s; lastdpd=-1s(seq in:0 out:0)
000 #61: pending Phase 2 for "nb-vpn" replacing #0

cat /var/log/syslog
Sep 4 14:43:45 VPN1 ipsec_setup: Stopping Openswan IPsec...
Sep 4 14:43:45 VPN1 kernel: [104640.705317] NET: Registered protocol family 15
Sep 4 14:43:45 VPN1 kernel: [104640.853503] padlock: VIA PadLock Hash Engine not detected.
Sep 4 14:43:45 VPN1 kernel: [104640.976681] padlock: VIA PadLock Hash Engine not detected.
Sep 4 14:43:46 VPN1 kernel: [104641.153758] padlock: VIA PadLock not detected.
Sep 4 14:43:46 VPN1 kernel: [104641.350985] Initializing XFRM netlink socket
Sep 4 14:43:46 VPN1 ipsec_setup: NETKEY on eth0 a.b.c.d/255.255.255.128 broadcast a.b.c.255
Sep 4 14:43:46 VPN1 ipsec_setup: ...Openswan IPsec started
Sep 4 14:43:46 VPN1 ipsec_setup: Starting Openswan IPsec 2.4.12...

I look forward to your comments
Regards
Erick Ch.
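As an added example (not part of the post), a Python cross-check of the posted Openswan conn block against the Fortigate phase 1 / phase 2 settings: it parses the conn block, maps the Openswan modp names to the DH group numbers the Fortigate UI shows, and lists where the two sides disagree (conn name used with `ipsec auto --up`, proposals, PFS group, lifetimes). The sample values are constructed from the settings shown above; the checker only flags parameter mismatches and does not explain why Main Mode message 1 gets no reply in the status output.

```python
import re
# Constructed from the post: the Openswan conn block from /etc/ipsec.d/fortigate.conf.
OPENSWAN_CONN = """conn nb-vpn
    authby=secret
    esp=3des-md5!;modp1536
    ike=3des-md5!
    ikelifetime=1800s
    keylife=28800s
    pfs=yes
"""

# Constructed from the post: the Fortigate 60B phase 1 / phase 2 settings.
FORTIGATE = {
    "p1_proposals": {("3des", "md5"), ("3des", "sha1")}, "p1_keylife": 28800,
    "p2_proposals": {("3des", "md5"), ("3des", "sha1")}, "p2_keylife": 1800,
    "p2_dh_group": 5, "pfs": True,
}

# Openswan modp names mapped to the IKE DH group numbers the Fortigate UI shows.
MODP_TO_GROUP = {"modp1024": 2, "modp1536": 5, "modp2048": 14}

def parse_conn(text):
    """Return (conn name, {key: value}) from one ipsec.conf conn block."""
    name = re.search(r"^\s*conn\s+(\S+)", text, re.M).group(1)
    return name, dict(re.findall(r"^\s*(\w+)=(\S+)", text, re.M))

def split_alg(spec):
    """'3des-md5!;modp1536' -> (('3des', 'md5'), 'modp1536'); no group -> None."""
    alg, _, dh = spec.replace("!", "").partition(";")
    enc, _, integ = alg.partition("-")
    return (enc, integ), (dh or None)

def check(conn_text, fg, up_name):
    """List every place where the Openswan side disagrees with the Fortigate side."""
    name, o = parse_conn(conn_text)
    findings = []
    if up_name != name:
        findings.append(f"'ipsec auto --up {up_name}' does not name conn '{name}'")
    for opt, phase in (("ike", "p1"), ("esp", "p2")):
        alg, dh = split_alg(o.get(opt, ""))  # after the loop, dh is the esp= group
        if alg not in fg[f"{phase}_proposals"]:
            findings.append(f"{opt}={alg} is not among the Fortigate {phase} proposals")
    if fg["pfs"] and dh and MODP_TO_GROUP.get(dh) != fg["p2_dh_group"]:
        findings.append(f"PFS group {dh} is not Fortigate DH group {fg['p2_dh_group']}")
    # Lifetimes; Openswan defaults when unset are ikelifetime=1h and keylife=8h.
    for opt, key, dflt in (("ikelifetime", "p1_keylife", "3600s"), ("keylife", "p2_keylife", "28800s")):
        secs = int(o.get(opt, dflt).rstrip("s"))
        if secs != fg[key]:
            findings.append(f"{opt}={secs}s but Fortigate {key.replace('_', ' ')} is {fg[key]}s")
    return findings
```

Run against the posted values it reports the conn name mismatch and the two swapped lifetimes; the proposals and PFS group agree.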
gabyrossi
Posts: 10898
Joined: 30 Oct 2007, 19:47

Re: VPN Fortigate 60B - Openswan

Post by gabyrossi »

Hello, basic question: is the local network the same as the remote network?

Regards
NSE 7 – Fortinet Network Security Architect
NSE 5 - Network Security Analyst