FortiGate to Fedora IPSec VPN Configuration
IPSec VPN:
   Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and for negotiating the cryptographic keys to be used during the session.
   IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite. It can be used to protect data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host).
     
Network Diagram:
IPsec Configuration in Fedora
  •  OpenSwan:
     Openswan is an implementation of IPsec for the Linux operating system. It is a code fork of the FreeS/WAN project, which has been terminated. It provides IPSEC (IP Security, which is both encryption and authentication) kernel extensions and an IKE (Internet Key Exchange, keying and encrypted routing daemon), as well as various rc scripts and documentation. Openswan is known to interoperate with other IPSEC and IKE systems already deployed by other vendors. It features Opportunistic Encryption, subnet extrusion, X.509 certificates, NAT Traversal support, XAUTH, and DNSSEC support.

     Download OpenSwan 2.4.4 from this link: http://download.openswan.org/openswan/old/

 Go to the Fedora terminal.
    [root@fedora ~]# cd /home/test/Downloads/
    [root@fedora Downloads]# rpm -i Openswan2.4.4.rpm
 After installation, open the ipsec.conf file.
    [root@fedora ~]# nano /etc/ipsec.conf
ipsec.conf file:

# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        nat_traversal=yes

include /etc/ipsec.d/*.conf


   Save This Configuration. And run this command







[root@fedora ~]#nano /etc/ipsec.d/office.conf
Office.conf file:

conn office
        auth=esp
        authby=secret
        auto=start
        esp=3des-md5!
        ikelifetime=1800s
        #keyingtries=10
        keylife=1800s
        #left side is home
        left=%defaultroute
        #set right to vpn remote gateway
        right=x.x.x.x
        #set rightsubnet to remote network
        rightsubnet=192.168.10.0/24
        ike=3des-md5!
        keyexchange=ike
        #Openswan only runs Dead Peer Detection when dpdtimeout is set as well
        dpddelay=30


Save this file.

Run this command in Fedora:
[root@fedora ~]# nano /etc/ipsec.secrets
ipsec.secrets file:

x.x.x.x  192.168.2.12: PSK "mypassword"

#include /etc/ipsec.d/*.secrets

Save this file.

Restart the IPsec service:
[root@fedora ~]# /sbin/service ipsec restart

IPsec Configuration in FortiGate-60B:

 Phase1 configuration:
   Name: Fedora
   Remote Gateway: Dialup User
   Local Interface: Wan2
   Mode: Main (ID Protection)
   Pre-shared key: Mypassword (must be the same string, including case, as the PSK in ipsec.secrets)
   Peer Options: Accept any peer ID
   Enable IPsec Interface Mode: Disable
   P1 Proposal: Encryption-3DES  Authentication-MD5
   DH Group: 2
   Keylife: 1880
   XAuth: Disable
   NAT Traversal: Enable
   Keepalive Frequency: 10
   Dead Peer Detection: Enable


 Phase2 configuration:
   Name: Fedora2
   Phase1: Fedora
   P2 Proposal: Encryption-3DES  Authentication-MD5
   Enable replay detection: Enable
   Enable perfect forward secrecy: Enable
   Keylife: 1800 seconds
   Autokey keep alive: Enable
   DHCP-IPsec: Disable
   Source address: 192.168.10.0/24
   Destination address: 192.168.2.12/32

 Firewall Policy:
   Source Interface/Zone: Internal
   Source Address: 192.168.10.0/24
   Destination Interface/Zone: Wan2
   Destination Address: 192.168.2.0/24
   Schedule: Always
   Services: Any
   Action: IPSEC
   Log Allowed Traffic: Enable
   VPN Tunnel: Fedora
   Allow inbound: Enable
   Allow outbound: Enable

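The two ends above were configured by hand, and a tunnel that will not come up is almost always a mismatch between them (PSK, proposal, lifetime, DPD or PFS). The following script is an added example, not part of Openswan or FortiOS, that parses the office.conf conn block and the ipsec.secrets line shown earlier and compares them against the FortiGate Phase1/Phase2 values entered in the GUI. The finding codes and the constant names (OFFICE_CONF, IPSEC_SECRETS, FORTIGATE) are this example's own; the inputs are copied from this post, and the Openswan defaults it relies on (pfs=yes, ikelifetime 1h and keylife 8h when omitted, DPD needing both dpddelay and dpdtimeout) come from the Openswan ipsec.conf manual.

```python
import re

# Constructed input: the conn block from /etc/ipsec.d/office.conf shown in this post.
OFFICE_CONF = """
conn office
         auth=esp
         authby=secret
         auto=start
         esp=3des-md5!
         ikelifetime=1800s
         #keyingtries=10
         keylife=1800s
         left=%defaultroute
         right=x.x.x.x
         rightsubnet=192.168.10.0/24
         ike=3des-md5!
         keyexchange=ike
         dpddelay=30
"""

# Constructed input: the /etc/ipsec.secrets line shown in this post.
IPSEC_SECRETS = 'x.x.x.x  192.168.2.12: PSK "mypassword"\n'

# FortiGate Phase1/Phase2 values as entered in the GUI in this post.
FORTIGATE = {
    "psk": "Mypassword",
    "p1_proposal": ("3des", "md5"),
    "p1_keylife": 1880,
    "p2_proposal": ("3des", "md5"),
    "p2_keylife": 1800,
    "dpd": True,
    "pfs": True,
}

# Algorithms that still interoperate but should be flagged in any review today.
WEAK_ALGS = {"des", "3des", "md5"}


def strip_comment(raw):
    """Drop a trailing '#' comment and whitespace (PSKs that contain '#' are not handled)."""
    return raw.split("#", 1)[0].strip()


def parse_conn(text):
    """Return {conn_name: {key: value}} for each 'conn' block of an ipsec.conf fragment."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = strip_comment(raw)
        if not line:
            continue
        match = re.match(r"conn\s+(\S+)$", line)
        if match:
            current = match.group(1)
            conns[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            conns[current][key.strip()] = value.strip()
    return conns


def parse_secrets(text):
    """Return [(index_tuple, psk)] for every PSK line of an ipsec.secrets file."""
    entries = []
    for raw in text.splitlines():
        match = re.match(r'(.*?):\s*PSK\s+"([^"]*)"', strip_comment(raw))
        if match:
            entries.append((tuple(match.group(1).split()), match.group(2)))
    return entries


def parse_proposal(spec):
    """'3des-md5!' -> ('3des', 'md5'); the strict marker '!' and any DH group suffix are dropped."""
    enc, _, rest = spec.rstrip("!").partition("-")
    return (enc, rest.split("-")[0])


def seconds(value):
    """Openswan lifetimes may carry a unit suffix: '1800s', '30m', '1h', '1d'."""
    match = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not match:
        raise ValueError("bad lifetime: %r" % value)
    return int(match.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}[match.group(2)]


def check_tunnel(conn, psk_entries, fgt):
    """Compare one Openswan conn with the FortiGate side; return (severity, code, message) tuples."""
    findings = []
    # Both ends compare the PSK byte for byte, so 'Mypassword' and 'mypassword' never match.
    if fgt["psk"] not in [psk for _, psk in psk_entries]:
        findings.append(("ERROR", "psk-mismatch", "FortiGate PSK not found in ipsec.secrets (check case)"))
    weak = set()
    for key, want, phase in (("ike", fgt["p1_proposal"], "Phase1"), ("esp", fgt["p2_proposal"], "Phase2")):
        got = parse_proposal(conn.get(key, ""))
        if got != want:
            findings.append(("ERROR", key + "-proposal", "%s proposal %s differs from FortiGate %s" % (phase, got, want)))
        weak.update(alg for alg in got if alg in WEAK_ALGS)
    for alg in sorted(weak):
        findings.append(("WARN", "weak-" + alg, "%s is negotiated; prefer AES and SHA-2 on both ends" % alg))
    # Openswan defaults: ikelifetime 1h and keylife 8h when the keys are omitted.
    if seconds(conn.get("ikelifetime", "1h")) != fgt["p1_keylife"]:
        findings.append(("WARN", "p1-lifetime", "ikelifetime differs from FortiGate Phase1 keylife"))
    if seconds(conn.get("keylife", "8h")) != fgt["p2_keylife"]:
        findings.append(("WARN", "p2-lifetime", "keylife differs from FortiGate Phase2 keylife"))
    # Openswan runs DPD only when both dpddelay and dpdtimeout are set.
    if fgt["dpd"] and not ("dpddelay" in conn and "dpdtimeout" in conn):
        findings.append(("WARN", "dpd-incomplete", "set both dpddelay and dpdtimeout so DPD is active on Fedora"))
    # pfs defaults to yes in Openswan; the FortiGate Phase2 has PFS enabled.
    if (conn.get("pfs", "yes") == "yes") != fgt["pfs"]:
        findings.append(("ERROR", "pfs-mismatch", "PFS setting differs between the two ends"))
    return findings


def main():
    conns = parse_conn(OFFICE_CONF)
    for sev, code, msg in check_tunnel(conns["office"], parse_secrets(IPSEC_SECRETS), FORTIGATE):
        print("%-5s %-15s %s" % (sev, code, msg))


if __name__ == "__main__":
    main()
```

Run against the values in this post, the checker reports the PSK case difference, the 1800 s versus 1880 Phase1 lifetime, the dpddelay without dpdtimeout, and the 3DES/MD5 proposals; the proposals themselves, the Phase2 lifetime and PFS agree on both ends.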
In Fedora:
To start the VPN:

/usr/sbin/ipsec auto --add office
/usr/sbin/ipsec auto --up office

To view VPN status:

/usr/sbin/ipsec auto --status

To stop the VPN:

/usr/sbin/ipsec auto --down office
/usr/sbin/ipsec auto --delete office


FortiGate IPSec Monitor:

Fedora IPsec Status:
[root@fedora ~]# service ipsec status
IPsec running  - pluto pid: 7933
pluto pid 7933
1 tunnels up


           

1 comment:


  1. Thanks for sharing this superb article. I use this article to show my assignment in college. It is useful for me. Great work.