Hi all,
A while back I attempted to setup a route-based VPN tunnel between a
Fortigate firewall and an OpenBSD firewall with no success. I now have
the need to get this to work and wondering if someone on the list can
shed some light on the configuration. The end goal is to have a gif(4)
interface run over IPSec so that I can use a dynamic routing protocol to
route traffic to remote VPN networks.
I can successfully create an IPSec VPN connection between the Fortigate
and OpenBSD 4.2 system. Normally the tunnel interfaces on Fortigates and
Netscreens are un-numbered.
I have tried bringing up the gif interface after successfully
establishing an IPSec connection by issuing the following commands.
$ sudo ifconfig gif0 create
$ sudo ifconfig gif0 tunnel 1.1.1.1 2.2.2.2
$ sudo ifconfig gif0 10.0.0.3 10.0.0.2 prefixlen 32
$ sudo route add -inet 10.2.0.0/16 10.0.0.2
I then modified the un-numbered tunnel interface on the Fortigate side
to use src 10.0.0.2 dst 10.0.0.3. This didn't seem right to begin with
as I already have an IPSec tunnel established. Where I'm confused is
setting up gif to tunnel over the IPSec connection in order route
traffic across it. Can someone point me in the right direction.
My setup is quite simple.
network
-------
internal external external internal
----------- | -------- -> Internet -> -------- | -----------
10.1.1.0/24 1.1.1.1 2.2.2.2 10.2.0.0/16
ipsec.conf
----------
remote_gw = "2.2.2.2"
ike dynamic esp from 10.1.1.0/24 to 10.2.0.0/16 peer $remote_gw \
aggressive auth hmac-sha1 enc 3des group modp1536 \
quick auth hmac-sha1 enc 3des group modp1536 \
srcid foo@foo.com \
psk "secret"
Thanks,
-Chris
--
Chris Jones
