Openswan IPSec is an open source implementation of IPSec that is included in many Linux distributions. When appropriately configured, it can interoperate with FortiGate VPNs.
Global settings
The global settings for the Openswan IPSec service are found in /etc/ipsec.conf. Unless you are certain that you don't need NAT traversal, ensure that the following line appears in ipsec.conf:
nat_traversal=yes
The line must begin with whitespace and be in the config setup section of the file.
There is also an include line that defines the name and location of your connection definition files. For example,
include /etc/ipsec.d/*.conf
Put your definition file in this location with an appropriate name.
Connection definition
You need a connection definition for each remote network you want to access.
An Openswan connection definition does not use the terms "source" or "destination". Instead, you define the two ends of the VPN as "left" and "right". The software determines for itself which definition applies to its end of the tunnel.
Example -- /etc/ipsec.d/office.conf
conn office
#left side is home
left=%defaultroute
#right side is work
#set right to vpn remote gateway
right=xxx.xxx.xxx.xxx
#set rightsubnet to remote network
rightsubnet=172.20.120.0/24
keyexchange=ike
#auth=esp
#auto=start
authby=secret
#specify encryption FortiGate VPN uses
esp=3des
#perfect forward secrecy (default yes)
#pfs=no
#optionally enable compression
compress=yes
For more information, see the ipsec.conf man page.
Secrets file for preshared keys
If you use a preshared key for authentication, you need to specify the key for the connection. Check the /etc/ipsec.secrets file. Typically this contains an include statement that defines the location and naming for the file, for example:
include /etc/ipsec.d/*.secrets
Put your definition file in this location with an appropriate name, typically ipsec.secrets. This file contains sensitive information, so it should be accessible only to the root user.
Entries in the secrets file can take several forms:
: PSK "pre_shared_key" # OK for typical remote user with one key
1.23.45.67: PSK "pre_shared_key" # specify remote gateway only
1.23.45.67 10.10.10.100: PSK "pre_shared_key" # specify remote and local IPs
The typical remote user who has only one VPN connection using a preshared key can reliably use the secrets file definition that does not specify IP addresses. The definition that specifies only the remote gateway address does not always work. You might get an error message that no PSK was found for your connection. The definition that specifies both local and remote gateway addresses is useful only if you have a fixed local IP address.
Starting the IPSec service
Typically, the IPSec service is configured to start at boot-up. If you are not sure that it is running, enter the following command as root:
/sbin/service ipsec restart
The startup messages will show if there are problems with the installation or syntactic problems with your configuration files.
Starting and stopping the VPN
If you used the auto=start option in your connection definition, the VPN is established when the IPSec service starts. Otherwise, you need to use the ipsec command to start and stop the vpn.
You might need to use the whereis command to locate the ipsec command unless it is on the command path. /usr/sbin is a typical location.
In these examples, the connection is called office.
To start the VPN
/usr/sbin/ipsec auto --add office
/usr/sbin/ipsec auto --up office
To view VPN status
/usr/sbin/ipsec auto --status
To stop the VPN
/usr/sbin/ipsec auto --down office
/usr/sbin/ipsec auto --delete office
