So a certificate request was issued. I used getacert for both gateways. The CN for the FortiGate is "fgt.socpuppets.com" and the CN for the strongswan is "strongswan".
Let's do the strongswan side. 1st you will need the certificate and key. Save these as two separate files with the .pem extension, then copy the certificate into ./ipsec.d/certs and the key into ./ipsec.d/private.
You will also need the root CA certificate from getacert; copy it into ./ipsec.d/cacerts
e.g.
Now you can build a connection profile in ipsec.conf. In my setup I used the following;
Use %any for the rightid to learn the correct identity string if you have problems, or if you see constraint errors in /var/log/daemon.log. I will explain more later.
Once you have ipsec.conf configured, you need to touch up ipsec.secrets. The entry names the private key file you placed in ./ipsec.d/private and is typically set in the following format:
: RSA <filename.pem>
If you get "can't find private key" in your logs, it is one of the following:
1> ipsec.conf has a typo
2> the referenced ./ipsec.d/private/ directory is missing the file
3> the filename is incorrect
4> the structure of : RSA <filename.pem> is bad
This concludes the strongswan side of the configuration.
On the FortiGate it's pretty much straightforward, as in a route-based VPN for a dynamic peer.
1st we define a user peer for identifying the remote gateway, calling up the CA and CN values
2nd phase1 config
3rd phase2 config
4th route
And finally firewall-policy
Okay, that concludes the configuration. On the FortiGate I had already created a CSR and imported the signed certificate from getacert; your certificate would typically be signed by your private CA or by a public CA that signs your CSR.
e.g https://getacert.com/
Now let's look at some diagnostic and show commands. On strongswan you will primarily use the following for review and troubleshooting
ipsec status
ipsec listcerts
ipsec statusall
cat /var/log/daemon.log
tcpdump -nnnnvv -i <interface public facing> host y.y.y.y
# y.y.y.y == right gateway ipv4 address
On fortiOS
diag debug flow
diag debug application ike -1
diag sniffer packet <interface public facing> "host x.x.x.x"
# x.x.x.x = strongswan device ipv4
diag vpn ike gateway
diag vpn tunnel list
So on my strongswan, I run the ipsec up command to start my ipsec connection attempt, since we have this connection set as "add" (auto=add) in ipsec.conf
I've laid both the fortios & strongswan ipsec details next to each other, see the matching SPIs?
For fortiOS phase1-details we use the "diag vpn ike gateway" command
For some more diagnostic tips
> ensure you have a policy with the action accept on the fortigate or you will get "no policy found" errors in diag debug application ike
> monitor the loaded plugins in strongswan and watch for any errors during startup or tunnel up commands
> If you're running iptables or a local host firewall, ensure you allow both isakmp and esp.
> If you are getting constraint errors, check the remote-identity string or temporarily use %any to isolate the issue and to obtain the correct string. The order and the items in the string are critical in your ipsec.conf file. Always check for errors or typos.
examples:
CN=fgt.socpuppets.com is not the same as CN=fgt
'C=US, ST=TX, L=AUSTIN, O=socpuppets, CN=fgt.socpuppets.com' is not the same as 'ST=TX, L=AUSTIN, O=socpuppets, CN=fgt.socpuppets.com'
> if your certificate-date has expired the vpn will not establish
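As an added illustration of the ipsec.conf and ipsec.secrets steps above and of the identity-string tip (this is not the author's configuration from the screenshots), the following strongswan profile pins rightid to the FortiGate certificate's full subject DN; the addresses, subnets, file names and proposals are placeholders and assumptions.

```conf
# /etc/ipsec.conf -- added example, not the author's config.
# Gateway addresses, subnets, file names and proposals are placeholders.
config setup
        charondebug="ike 2, cfg 2"   # more detail in daemon.log, incl. the id the peer sends

conn fgt
        keyexchange=ikev2                    # assumed; match the FortiGate phase1 IKE version
        type=tunnel
        left=%defaultroute
        leftcert=strongswanCert.pem          # looked up in /etc/ipsec.d/certs
        # leftid is omitted on purpose: it defaults to the subject DN of leftcert
        leftsubnet=10.10.10.0/24             # placeholder
        right=203.0.113.10                   # FortiGate public address (placeholder)
        # The peer id must be the FortiGate certificate's subject DN, every RDN,
        # in certificate order (see the examples above). The CA in ipsec.d/cacerts
        # must have signed that certificate or the constraint check fails.
        rightid="C=US, ST=TX, L=AUSTIN, O=socpuppets, CN=fgt.socpuppets.com"
        # Diagnostic only: rightid=%any lets the connection match any id the CA
        # vouches for, so you can read the id actually sent from daemon.log;
        # restore the exact DN afterwards.
        # rightid=%any
        rightsubnet=192.168.1.0/24           # placeholder
        leftauth=pubkey
        rightauth=pubkey
        ike=aes256-sha256-modp2048!          # assumed; must match the FortiGate phase1 proposal
        esp=aes256-sha256!                   # assumed; must match the FortiGate phase2 proposal
        auto=add                             # loaded at start, brought up with "ipsec up fgt"

# /etc/ipsec.secrets -- names the private key stored in /etc/ipsec.d/private
: RSA strongswanKey.pem
```

After editing, run ipsec reload (or restart) and check ipsec listcerts shows both the end-entity certificate and the CA before attempting ipsec up fgt.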
From my personal experience and observations, almost all problems can be tracked down to incorrectly named files or typos in the strongswan configuration.
I've been working with strongswan for almost 13 years, btw. It's simple to deploy and use with linux based firewalls. You can build a linux-based firewall and run strongswan for remote-vpn with little to very little money invested. OPEX cost is very low versus the performance potential.
A design topology and a hub-DC mixed with a commercial FW.
Enjoy
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \