IPsec site-2-site Fortigate

Pavel_Martinek · August 5, 2020, 9:41am

I made ipsec tunnel between two public ip4 addresses WANIP Turris ==== WANIP Fortigate.
Connection was established.
i made changes only in /etc/ipsec.conf
I have no idea how to route traffic from my local LAN to rightsubnet.

I have no clue about iptables etc. Do I need zone? another interface?

hagrid · August 6, 2020, 10:45am

Hi Pavel.
IPSec does not create a tunnel interface by default, it works on IP layer. If you want to have a tunnel interface, you need to chose some tunneling protocol (like GRE for example) and encapsulate the GRE protocol in the IPSec.
But you can use plain IPSec, you just need to add correct rules to the iptables.

Check out the https://serverfault.com/questions/890161/site-to-site-ipsec-routing-ubuntu-strongswan

Pavel_Martinek · August 7, 2020, 5:49am

i will try to make hard reset of my turris router and start again. but i noticed that i have no xfrm policy. how to create one? should it happen automaticaly? by ipsec.conf or not?

Pavel_Martinek · August 7, 2020, 6:01am

so, if i make ipsec tunnel with WAN public IP adressess and create some magic rule to ip tables it will work? like this?
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
but what is tun0? and how to create it? in turris? it happens automaticaly? I tried this: https://youtu.be/HDqAl_PozCU but with ikev1. i think packet wasnt marked (i dont see xfrm policy and traffic on ipsec).

hagrid · August 10, 2020, 2:07pm

Hello Pavel,
have a look at StrongSwan site-to-site IPSec article.

Your setup differs if you have a policy based IPSec VPN or route based IPSec VPN (but you can have policy based VPN on one side and route based VPN on the other side).

Pavel_Martinek · August 11, 2020, 6:42am

I tried it a week ago. When i put configuration to #/etc/config/ipsec and run #/etc/init.d/ipsec, it generate ike v2 connection in ipsec.conf file, but in article example is juniper ike v1 configuration.

My question is: What is better?

Manually edit /etc/ipsec.conf file? (tunnel is established, but no traffic) And what i should to do next in this case? On Turris router.
Should I edit /etc/config/ipsec file? Do i need to do something else with Turris router configuration?

hagrid · August 11, 2020, 3:55pm

Can you describe your setup and crypto map?

Pavel_Martinek · August 19, 2020, 4:33am

What do you mean by crypto map? And setup?

192.168.1.0/24 === public IP (Turrris Omnia) ----------- public IP (Fortigate) ==== some VLANs

I am not sure, if i need to create some ZONE (and how) or another Interface(s) (and how). And how to setup FIREWALL rule(s).

You send me link https://serverfault.com/questions/890161/site-to-site-ipsec-routing-ubuntu-strongswan , but i dont know ho to create interface tun0, set xfrm policy.

I am quite sure about key lifetimes, p1 and p2 algorithms.