Hi,

I'm trying to connect to a Fortigate VPN gateway with strongSwan
5.0.2 from Linux. I've used parameters from the Windows Fortinet IPsec
client (config below) and I'm able to successfully connect to the
gateway. But I can't connect to multiple remote subnets at the same
time. I can only connect to the last subnet defined. If I re-order the
definitions, I can connect to the other subnet. I've done this before
with site-to-site VPN connections, but this is a road warrior setup.
What am I missing here?


PS: I've not tried connecting to network-mgmt. That was in the docs
provided for Fortinet on Windows, but I don't have any servers in that
subnet.

[~]> cat /opt/strongswan/etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        uniqueids=never
        #charondebug="dmn 1, mgr 1, ike 2, chd 1, job 1, cfg 3, knl 2, net 2, enc 1, lib 1"

conn %default
        ikelifetime=8h
        keylife=30m
        rekeymargin=3m
        keyingtries=3
        keyexchange=ikev1
        ike=3des-sha-modp1536,aes-sha-modp1536
        esp=3des-sha-modp1536,aes-sha-modp1536
        aggressive=yes
        authby=secret

conn network
        left=192.168.1.12
        leftid=user
        right=gateway.net
        rightid=vv.xx.yy.zz
        
conn network-mgmt
        also=network
        rightsubnet=xx.yy.248.8/29
        auto=start

conn network-trust
        also=network
        rightsubnet=xx.yy.248.32/28
        auto=start

conn network-dmz
        also=network
        rightsubnet=xx.yy.248.48/28
        auto=start
        

[~]> sudo /opt/strongswan/sbin/ipsec statusall
Status of IKE charon daemon (strongSwan 5.0.2, Linux 2.6.32-358.2.1.el6.i686, i686):
  uptime: 7 seconds, since Mar 26 01:24:51 2013
  malloc: sbrk 135168, mmap 0, used 95552, free 39616
  worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Listening IP addresses:
  192.168.1.12
Connections:
network-mgmt:  192.168.1.12...gateway.net  IKEv1 Aggressive
network-mgmt:   local:  [user] uses pre-shared key authentication
network-mgmt:   remote: [vv.xx.yy.zz] uses pre-shared key authentication
network-mgmt:   child:  dynamic === xx.yy.248.8/29 TUNNEL
network-trust:   child:  dynamic === xx.yy.248.32/28 TUNNEL
 network-dmz:   child:  dynamic === xx.yy.248.48/28 TUNNEL
Security Associations (1 up, 0 connecting):
network-mgmt[1]: ESTABLISHED 6 seconds ago, 192.168.1.12[user]...vv.xx.yy.zz[vv.xx.yy.zz]
network-mgmt[1]: IKEv1 SPIs: a3676024cee6d6d2_i* b8f961a5eedca572_r, pre-shared key reauthentication in 7 hours
network-mgmt[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
network-mgmt{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c99b5d07_i 381c7157_o
network-mgmt{1}:  3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 24 minutes
network-mgmt{1}:   192.168.1.12/32 === xx.yy.248.8/29
network-trust{2}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c44f6125_i 381c7158_o
network-trust{2}:  3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 25 minutes
network-trust{2}:   192.168.1.12/32 === xx.yy.248.32/28
 network-dmz{3}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c2348492_i 381c7159_o
 network-dmz{3}:  3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 24 minutes
 network-dmz{3}:   192.168.1.12/32 === xx.yy.248.48/28



[~]> cat /opt/strongswan/etc/ipsec.secrets
user : PSK passphrase


Any help is appreciated.

Regards,
Arun G Nair
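Added example, not from the post or from the strongSwan project: a small Python check that parses `ipsec statusall` output and reports, for each conn, whether an INSTALLED CHILD_SA exists whose remote traffic selector covers that conn's rightsubnet. The excerpt is constructed in the format shown above, with documentation addresses (192.0.2.x, 203.0.113.x) standing in for the masked ones; run against the post's output it reports all three subnets as covered, which separates "the SA was never negotiated" from "the SA is up but traffic is not using it".

```python
import re
from ipaddress import ip_network

# Constructed `ipsec statusall` excerpt (documentation addresses replace the masked ones).
STATUSALL = """\
Security Associations (1 up, 0 connecting):
network-mgmt{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c99b5d07_i 381c7157_o
network-mgmt{1}:   192.0.2.12/32 === 203.0.113.8/29
network-trust{2}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c44f6125_i 381c7158_o
network-trust{2}:   192.0.2.12/32 === 203.0.113.32/28
 network-dmz{3}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c2348492_i 381c7159_o
 network-dmz{3}:   192.0.2.12/32 === 203.0.113.48/28
"""
# rightsubnet of each conn in the post's ipsec.conf, with the same substitution.
EXPECTED = {"network-mgmt": "203.0.113.8/29",
            "network-trust": "203.0.113.32/28",
            "network-dmz": "203.0.113.48/28"}
CHILD_LINE = re.compile(r"^\s*(?P<name>[\w-]+)\{\d+\}:\s+(?P<rest>.*)$")
SELECTOR = re.compile(r"^(?P<local>.+?)\s+===\s+(?P<remote>.+)$")

def parse_child_sas(status_text):
    """Map conn name -> {"state": str, "remote": [ip_network]} per CHILD_SA."""
    sas = {}
    for line in status_text.splitlines():
        m = CHILD_LINE.match(line)
        if not m:
            continue
        entry = sas.setdefault(m["name"], {"state": None, "remote": []})
        rest = m["rest"].strip()
        sel = SELECTOR.match(rest)
        if sel:  # traffic selector line: "local === remote", space-separated lists
            entry["remote"] = [ip_network(n) for n in sel["remote"].split()]
        elif re.fullmatch(r"[A-Z_]+", rest.split(",")[0]):  # INSTALLED, ROUTED, ...
            entry["state"] = rest.split(",")[0]
    return sas

def audit_subnets(expected, status_text):
    """Per conn: is there an INSTALLED CHILD_SA whose remote selector covers rightsubnet?"""
    sas = parse_child_sas(status_text)
    verdicts = {}
    for conn, subnet in expected.items():
        want, sa = ip_network(subnet), sas.get(conn)
        if sa is None or sa["state"] != "INSTALLED":
            verdicts[conn] = "no installed CHILD_SA"
        elif any(want.subnet_of(r) for r in sa["remote"]):
            verdicts[conn] = "ok"
        else:
            verdicts[conn] = "selector mismatch: " + " ".join(map(str, sa["remote"]))
    return verdicts
```

When every conn reports "ok" but only the last subnet is reachable, the next place to look is the installed kernel policies and routes (`ip xfrm policy`, `ip route`) rather than the IKE negotiation.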

_______________________________________________
Users mailing list
https://lists.strongswan.org/mailman/listinfo/users