FortiGate to Fedora IPSec VPN Configuration

IPSec VPN:
Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and for negotiating the cryptographic keys to be used during the session.
IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite. It can be used to protect data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host).
Network Diagram:
IPsec Configuration in Fedora - Openswan:
Openswan is an implementation of IPsec for the Linux operating system. It is a code fork of the FreeS/WAN project, which has been terminated. It provides IPSEC (IP Security, which is both encryption and authentication) kernel extensions and an IKE (Internet Key Exchange, keying and encrypted routing) daemon, as well as various rc scripts and documentation. Openswan is known to interoperate with other IPSEC and IKE systems already deployed by other vendors. It features Opportunistic Encryption, subnet extrusion, X.509 certificates, NAT Traversal support, XAUTH, and DNSSEC support.
Go to the Fedora terminal.
[root@fedora ~]# cd /home/test/Downloads/
[root@fedora Downloads]# rpm -i Openswan2.4.4.rpm
After installation, open the ipsec.conf file.
[root@fedora ~]# nano /etc/ipsec.conf
ipsec.conf file:
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Debug-logging controls:  "none" for (almost) none, "all" for lots.
    # klipsdebug=none
    # plutodebug="control parsing"
    nat_traversal=yes

include /etc/ipsec.d/*.conf
Save this configuration and run this command:
[root@fedora ~]# nano /etc/ipsec.d/office.conf
office.conf file:
conn office
    auth=esp
    authby=secret
    auto=start
    esp=3des-md5!
    ikelifetime=1800s
    #keyingtries=10
    keylife=1800s
    # left side is home
    left=%defaultroute
    # set right to the VPN remote gateway
    right=x.x.x.x
    # set rightsubnet to the remote network
    rightsubnet=192.168.10.0/24
    ike=3des-md5!
    keyexchange=ike
    dpddelay=30
Save this file.
Run this command in Fedora:
[root@fedora ~]# nano /etc/ipsec.secrets
ipsec.secrets file:
x.x.x.x 192.168.2.12: PSK "mypassword"
#include /etc/ipsec.d/*.secrets
Save this file.
Restart the IPsec service:
[root@fedora ~]# /sbin/service ipsec restart
IPsec Configuration in FortiGate-60B:
Phase1 configuration:
Name | Fedora
Remote Gateway | Dialup User
Local Interface | Wan2
Mode | Main (ID Protection)
Pre-shared key | Mypassword
Peer Options | Accept any peer ID
Enable IPsec Interface Mode | Disable
P1 Proposal | Encryption-3DES Authentication-MD5
DH Group | 2
Keylife | 1880
XAuth | Disable
NAT Traversal | Enable
Keepalive Frequency | 10
Dead Peer Detection | Enable
Phase2 configuration:
Name | Fedora2
Phase1 | Fedora
P2 Proposal | Encryption-3DES Authentication-MD5
Enable replay detection | Enable
Enable perfect forward secrecy | Enable
Keylife | 1800 seconds
Autokey Keep Alive | Enable
DHCP-IPsec | Disable
Source address | 192.168.10.0/24
Destination address | 192.168.2.12/32
Firewall Policy:
Source Interface/Zone | Internal
Source Address | 192.168.10.0/24
Destination Interface/Zone | Wan2
Destination Address | 192.168.2.0/24
Schedule | Always
Services | Any
Action | IPSEC
Log Allowed Traffic | Enable
VPN Tunnel | Fedora
Allow inbound | Enable
Allow outbound | Enable
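Before bringing the tunnel up, it is worth verifying that the two peers agree on every negotiated value, because a mismatch in any of them only shows up later as a failed IKE negotiation. The following Python script is an added example, not part of the original post or of Openswan or FortiGate; its inputs are constructed to mirror the office.conf, ipsec.secrets and FortiGate tables above, and over those values it flags the phase1 lifetime that differs between peers (1800s vs 1880), the pre-shared key that differs only in case, and the 3DES/MD5 proposals as legacy algorithms.

```python
"""Pre-flight consistency check of an Openswan conn block against the FortiGate
phase1/phase2 values it must agree with (constructed sample inputs below)."""
import re

OFFICE_CONF = """conn office
    esp=3des-md5!
    ikelifetime=1800s
    keylife=1800s
    rightsubnet=192.168.10.0/24
    ike=3des-md5!
"""
IPSEC_SECRETS = 'x.x.x.x 192.168.2.12: PSK "mypassword"'
# FortiGate side as entered in the phase1/phase2 tables (constructed sample)
FORTIGATE = {"p1_proposal": "3des-md5", "p1_keylife": 1880, "psk": "Mypassword",
             "p2_proposal": "3des-md5", "p2_keylife": 1800,
             "p2_source": "192.168.10.0/24"}
LEGACY = {"des", "3des", "md5", "sha1"}  # flagged even when both peers agree

def parse_conn(text):
    """Return the key=value settings of an Openswan conn block, comments dropped."""
    conn = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, val = line.split("=", 1)
            conn[key.strip()] = val.strip()
    return conn

def check(conn, secrets, fgt):
    """Return findings as a list of strings; an empty list means the peers agree."""
    findings = []
    ike, esp = conn["ike"].rstrip("!"), conn["esp"].rstrip("!")
    pairs = [("phase1 proposal", ike, fgt["p1_proposal"]),
             ("phase2 proposal", esp, fgt["p2_proposal"]),
             # Openswan lifetimes are written like 1800s; FortiGate keylife is seconds
             ("phase1 lifetime", int(conn["ikelifetime"].rstrip("s")), fgt["p1_keylife"]),
             ("phase2 lifetime", int(conn["keylife"].rstrip("s")), fgt["p2_keylife"]),
             ("remote subnet", conn["rightsubnet"], fgt["p2_source"])]
    for name, ours, theirs in pairs:
        if ours != theirs:
            findings.append(f"{name} mismatch: Fedora {ours!r} vs FortiGate {theirs!r}")
    psk = re.search(r'PSK\s+"([^"]*)"', secrets)  # quoted PSK from ipsec.secrets
    if (psk and psk.group(1)) != fgt["psk"]:  # byte-exact, so case matters; never logged
        findings.append("pre-shared key mismatch")
    for alg in sorted(LEGACY & set(re.split("[-,;]", f"{ike}-{esp}"))):
        findings.append(f"legacy algorithm in proposal: {alg}")
    return findings

if __name__ == "__main__":
    for finding in check(parse_conn(OFFICE_CONF), IPSEC_SECRETS, FORTIGATE):
        print("WARN", finding)
```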
In Fedora:
To start the VPN:
/usr/sbin/ipsec auto --add office
/usr/sbin/ipsec auto --up office
To view the VPN status:
/usr/sbin/ipsec auto --status
To stop the VPN:
/usr/sbin/ipsec auto --down office
/usr/sbin/ipsec auto --delete office
FortiGate IPSec Monitor:
Fedora IPsec Status:
[root@fedora ~]# service ipsec status
IPsec running  - pluto pid: 7933
pluto pid 7933
1 tunnels up