Good afternoon, dear libreswan community.
I am setting up IPsec between a Fortinet and my Linux machine using the IKEv1 protocol.
I need to access the networks 10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/23, 10.0.4.0/24 and 172.16.0.0/21, which are behind the Fortinet firewall. When I connect with FortiClient, everything works. When I connect from the Linux machine, I only have access to the 172.16.0.0/21 network.
Output of the command ip r:
10.0.0.0/24 dev ipsec0 scope link src 10.0.5.2
10.0.1.0/24 dev ipsec0 scope link src 10.0.5.2
10.0.2.0/23 dev ipsec0 scope link src 10.0.5.2
10.0.4.0/24 dev ipsec0 scope link src 10.0.5.2
172.16.0.0/21 dev ipsec0 scope link src 10.0.5.2
Output of the command ip x p:

src 10.0.5.2/32 dst 172.16.0.0/21
    dir out priority 1753303 ptype main
    tmpl src 192.168.1.128 dst <public_ip_fortinet>
        proto esp reqid 16389 mode tunnel
    if_id 0x4000

src 10.0.5.2/32 dst 10.0.0.0/24
    dir out priority 1753303 ptype main
    tmpl src 192.168.1.128 dst <public_ip_fortinet>
        proto esp reqid 16389 mode tunnel
    if_id 0x4000

src 10.0.5.2/32 dst 10.0.4.0/24
    dir out priority 1753303 ptype main
    tmpl src 192.168.1.128 dst <public_ip_fortinet>
        proto esp reqid 16389 mode tunnel
    if_id 0x4000

src 10.0.5.2/32 dst 10.0.2.0/23
    dir out priority 1753303 ptype main
    tmpl src 192.168.1.128 dst <public_ip_fortinet>
        proto esp reqid 16389 mode tunnel
    if_id 0x4000

src 10.0.5.2/32 dst 10.0.1.0/24
    dir out priority 1753303 ptype main
    tmpl src 192.168.1.128 dst <public_ip_fortinet>
        proto esp reqid 16389 mode tunnel
    if_id 0x4000

src 172.16.0.0/21 dst 10.0.5.2/32
    dir fwd priority 1753303 ptype main
    tmpl src <public_ip_fortinet> dst 192.168.1.128
        proto esp reqid 16389 mode tunnel
    if_id 0x4000

src 172.16.0.0/21 dst 10.0.5.2/32
    dir in priority 1753303 ptype main
    tmpl src <public_ip_fortinet> dst 192.168.1.128
        proto esp reqid 16389 mode tunnel
    if_id 0x4000
I think the problem is that there are no policies for the networks 10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/23 and 10.0.4.0/24 like the ones for the network 172.16.0.0/21.
For example, something like this:

src 10.0.0.0/24 dst 10.0.5.2/32
    dir fwd priority 1753303 ptype main
    tmpl src <public_ip_fortinet> dst 192.168.1.128
        proto esp reqid 16389 mode tunnel
    if_id 0x4000

src 10.0.0.0/24 dst 10.0.5.2/32
    dir in priority 1753303 ptype main
    tmpl src <public_ip_fortinet> dst 192.168.1.128
        proto esp reqid 16389 mode tunnel
    if_id 0x4000
I have attached my config.
What might not be configured correctly?
conn fortinet
    authby=secret
    pfs=yes
    auto=start
    compress=yes
    rekey=yes
    left=%defaultroute
    leftid=@<left_id>
    leftusername=<left_username>
    leftxauthclient=yes
    leftmodecfgclient=yes
    right=<public_ip_fortinet>
    rightid=<public_ip_fortinet>
    rightxauthserver=yes
    rightmodecfgserver=yes
    cisco-unity=no
    modecfgpull=yes
    remote-peer-type=cisco
    ignore-peer-dns=yes
    send-vendorid=yes
    dpddelay=3
    dpdtimeout=60
    dpdaction=restart
    fragmentation=yes
    encapsulation=auto
    ikev2=no
    aggressive=yes
    ipsec-interface=0
    keyexchange=ike
    ike=aes256-sha2_256;dh14
    phase2=esp
    phase2alg=aes256-sha2_256;dh14
    salifetime=24h
    type=tunnel
    ikelifetime=12h
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
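As an added example (not from the original post and not libreswan's own code), the following script checks the asymmetry the poster describes mechanically: it parses ip xfrm policy output and reports every outbound selector whose reverse in and fwd policies are absent, which is exactly the condition under which decrypted return traffic for those subnets is dropped at the policy check. The sample text is a constructed subset of the output quoted above.

```python
import re

# Constructed sample: a subset of the `ip xfrm policy` output quoted in the post.
SAMPLE = """\
src 10.0.5.2/32 dst 172.16.0.0/21
    dir out priority 1753303 ptype main
    tmpl src 192.168.1.128 dst <public_ip_fortinet>
src 10.0.5.2/32 dst 10.0.0.0/24
    dir out priority 1753303 ptype main
    tmpl src 192.168.1.128 dst <public_ip_fortinet>
src 172.16.0.0/21 dst 10.0.5.2/32
    dir fwd priority 1753303 ptype main
    tmpl src <public_ip_fortinet> dst 192.168.1.128
src 172.16.0.0/21 dst 10.0.5.2/32
    dir in priority 1753303 ptype main
    tmpl src <public_ip_fortinet> dst 192.168.1.128
"""

SEL_RE = re.compile(r"^src (\S+) dst (\S+)")    # unindented policy selector line
DIR_RE = re.compile(r"^\s*dir (out|in|fwd)\b")  # direction line that follows it

def parse_policies(text):
    """Return the set of (src, dst, dir) triples found in `ip xfrm policy` text."""
    policies = set()
    selector = None
    for line in text.splitlines():
        m = SEL_RE.match(line)          # only an unindented "src ... dst ..." line
        if m:                           # starts a policy; "tmpl src ..." never matches
            selector = (m.group(1), m.group(2))
            continue
        m = DIR_RE.match(line)
        if m and selector:
            policies.add((selector[0], selector[1], m.group(1)))
    return policies

def missing_return_policies(policies):
    """For each 'out' policy src->dst, list the reverse (dst->src) dirs that are absent."""
    missing = {}
    for src, dst, direction in sorted(policies):
        if direction != "out":
            continue
        absent = [d for d in ("in", "fwd") if (dst, src, d) not in policies]
        if absent:
            missing[(src, dst)] = absent
    return missing

if __name__ == "__main__":
    for (src, dst), dirs in missing_return_policies(parse_policies(SAMPLE)).items():
        print(f"out policy {src} -> {dst}: no reverse {'/'.join(dirs)} policy")
```

Run it against the live output with `ip xfrm policy | python3 check.py` after replacing SAMPLE with `sys.stdin.read()`; an empty result means every tunnel subnet has its in and fwd counterparts.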
