On Sun, Feb 10 2008 at 23:03, Chris Jones wrote:

> Thanks for the advice, I will look into that should the gif option not work.
> Do you have any advice as to how to run gif over ipsec?

Sorry, I don't have any clue to setup gif tunneling with a Fortinet end point.
Between 2 OpenBSD boxes it's quite easy, just do s/GRE/gif/ in my previous sentence ;-)
Claer

> Claer wrote:
>> On Sat, Feb 09 2008 at 00:10, Chris Jones wrote:
>>> Hi all,
>> Hi,
>>> A while back I attempted to setup a route-based VPN tunnel between a
>>> Fortigate firewall and an OpenBSD firewall with no success. I now have
>>> the need to get this to work and wondering if someone on the list can
>>> shed some light on the configuration. The end goal is to have a gif(4)
>>> interface run over IPSec so that I can use a dynamic routing protocol to
>>> route traffic to remote VPN networks.
>>>
>>> I can successfully create an IPSec VPN connection between the Fortigate
>>> and OpenBSD 4.2 system. Normally the tunnel interfaces on Fortigates and
>>> Netscreens are un-numbered.
>>>
>>> I have tried bringing up the gif interface after successfully
>>> establishing an IPSec connection by issuing the following commands.
>>>
>>> $ sudo ifconfig gif0 create
>>> $ sudo ifconfig gif0 tunnel 1.1.1.1 2.2.2.2
>>> $ sudo ifconfig gif0 10.0.0.3 10.0.0.2 prefixlen 32
>>> $ sudo route add -inet 10.2.0.0/16 10.0.0.2
>>>
>>> I then modified the un-numbered tunnel interface on the Fortigate side to
>>> use src 10.0.0.2 dst 10.0.0.3. This didn't seem right to begin with as I
>>> already have an IPSec tunnel established. Where I'm confused is setting
>>> up gif to tunnel over the IPSec connection in order to route traffic across
>>> it. Can someone point me in the right direction?
>>
>> "Routed VPN" in Netscreen and Fortinet is done by modifying the way ipsec
>> should work. It's not the way to go if you want to take the vpn decision
>> based on ip routes.
>>
>> I'd firstly try to create a GRE tunnel (numbered) between peers and then
>> create a host to host vpn with GRE tunnel on top of it. Both OpenBSD and
>> Netscreen support GRE, I hope Fortinet does.
>>
>> Claer
>>
>>> My setup is quite simple.
>>>
>>> network
>>> -------
>>>
>>>   internal     external                  external     internal
>>> ----------- | --------  -> Internet ->  -------- | -----------
>>> 10.1.1.0/24   1.1.1.1                    2.2.2.2    10.2.0.0/16
>>>
>>>
>>> ipsec.conf
>>> ----------
>>>
>>> remote_gw = "2.2.2.2"
>>>
>>> ike dynamic esp from 10.1.1.0/24 to 10.2.0.0/16 peer $remote_gw \
>>>     aggressive auth hmac-sha1 enc 3des group modp1536 \
>>>     quick auth hmac-sha1 enc 3des group modp1536 \
>>>     srcid [EMAIL PROTECTED] \
>>>     psk "secret"
>>>
>>>
>>> Thanks,
>>> -Chris
>>>
>>> --
>>> Chris Jones
>
>
> --
> Chris Jones
>
> GDI Software Services Canada Inc.
> Suite 1300, 1500 West Georgia St.
> Vancouver, BC, Canada
> V6G 2Z6
> Email: [EMAIL PROTECTED]
> Mobile: 604.218.5981
> Phone: 604.909.3300 | Fax: 604.909.0100
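An added example, not from either poster: the host-to-host ipsec.conf that Claer's "s/GRE/gif/" suggestion amounts to on the OpenBSD side, using the gateway addresses from the diagram. It assumes OpenBSD 4.2 ipsec.conf(5) syntax with `proto ipencap` (IP protocol 4, the IPv4-in-IPv4 encapsulation gif(4) emits), main mode instead of the aggressive mode in the original, and a placeholder PSK; the gif0 ifconfig and route commands from the original post stay exactly as posted.

```conf
# /etc/ipsec.conf
# Instead of a net-to-net flow (10.1.1.0/24 <-> 10.2.0.0/16), protect only
# the gif encapsulation between the two gateway addresses. Which networks
# cross the tunnel is then decided by the routing table alone, which is
# what lets a dynamic routing protocol run over gif0.
local_gw  = "1.1.1.1"
remote_gw = "2.2.2.2"

# Transport mode, restricted to IP protocol 4 (ipencap): exactly the
# packets gif0 produces for 1.1.1.1 -> 2.2.2.2. Nothing else matches this
# flow, so plain traffic between the gateways is untouched. The peer
# address defaults to the flow destination for a host-to-host flow.
# "secret" is a placeholder pre-shared key.
ike esp transport proto ipencap from $local_gw to $remote_gw \
    main auth hmac-sha1 enc 3des group modp1536 \
    quick auth hmac-sha1 enc 3des group modp1536 \
    psk "secret"
```

After `ipsecctl -f /etc/ipsec.conf`, `ipsecctl -sa` should show a single flow for proto 4 between the two gateways, and routes added via 10.0.0.2 (or learned over gif0) carry traffic through it.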