strongSwan stores its settings in config files. Modify them with the tunnel parameters, and also enable IP forwarding on the Linux host (the kernel's net.ipv4.ip_forward sysctl), since the box has to route between its LAN and the tunnel. Make sure the "mark" value in the strongSwan connection has the same value as the "vti key" used when creating the tunnel interface (shown later; both were highlighted in red).

Run these CLI commands on the Linux box after bringing up the strongSwan daemon:

```
# Create a loopback adapter; this is not mandatory but useful in certain cases (e.g.

# Create the VTI; the key has to match the mark value in the strongSwan connection config.
# You can use different values for additional tunnels.
sudo ip tunnel add vti0 local 10.0.0.2 remote 10.0.0.1 mode vti key 42
```

Note: To make these settings persistent, you need to add them to your distro's appropriate config files.

**Policies**

Don't forget to add policies to allow traffic through the tunnel interfaces. If you're working in a lab environment, you can start from "permit any any" to make sure the traffic isn't blocked; obviously you should never do this on production systems or if your lab is directly connected to the internet.

If no errors were made, the tunnel should be up by now. You can verify its status with the checks described below.

Important: I ran into a bug where the FortiGate showed its interface as up, but the static route did not appear in the routing table (it was marked as inactive in the database). In this case, shut down the tunnel interface, then enable it again.

**strongSwan:**

```
$ sudo ipsec status
Security Associations (1 up, 0 connecting):
    FortiGate: ESTABLISHED 8 minutes ago, 10.0.0.2...10.0.0.1
    FortiGate: 0.0.0.0/0 =
$ ip addr show dev vti0
5: vti0@NONE: mtu 1332 qdisc noqueue state UNKNOWN group default qlen 1000
```

**FortiGate:**

On the FortiGate, check that the tunnel interface is up and that the static route through it appears in the routing table (see the note above about the route staying inactive).
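The Linux-side steps above (keeping the strongSwan "mark" and the VTI key in sync, creating the VTI, enabling forwarding, and keeping the definition persistent) as one script. This is an added example and not code from the original post or from strongSwan. It assumes a connection named FortiGate with mark=42 in ipsec.conf, a systemd-networkd .netdev file as the persistent form of the VTI (Key= in its [Tunnel] section), the interface name vti0 and the endpoints 10.0.0.2 (Linux) and 10.0.0.1 (FortiGate) from the post; the tunnel address 169.254.10.2/30 and the remote LAN 192.168.100.0/24 are placeholders of my own. Both config excerpts are constructed sample input, not the author's files.

```shell
#!/bin/sh
# Added example (not from the original post). Reads the mark from the
# strongSwan conn and the Key from the persistent VTI definition, refuses to
# continue if they differ, and otherwise prints (or, as root with "apply" as
# the first argument, runs) the Linux-side commands.
# Assumed: conn name FortiGate, mark=42, interface vti0, endpoints
# 10.0.0.2 (Linux) / 10.0.0.1 (FortiGate) as in the post; the tunnel address
# 169.254.10.2/30 and the remote LAN 192.168.100.0/24 are placeholders.

# Constructed sample of the relevant ipsec.conf section (not the author's file).
IPSEC_CONF_SAMPLE='conn FortiGate
    left=10.0.0.2
    right=10.0.0.1
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    mark=42
    auto=start
'

# Constructed sample of the persistent VTI definition, here a systemd-networkd
# /etc/systemd/network/vti0.netdev (other distros keep this elsewhere).
NETDEV_SAMPLE='[NetDev]
Name=vti0
Kind=vti

[Tunnel]
Local=10.0.0.2
Remote=10.0.0.1
Key=42
'

# conn_mark NAME < ipsec.conf : print the numeric mark of conn NAME.
# strongSwan accepts "mark=42" and "mark=42/0xffffffff"; the VTI key must equal
# the part before the slash, so the mask and any trailing comment are dropped.
conn_mark() {
    awk -v conn="$1" '
        /^conn[ \t]/ { cur = $2 }
        cur == conn && /^[ \t]*mark[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)
            sub(/\/.*$/, "", v)
            sub(/[ \t#].*$/, "", v)
            print v; exit
        }'
}

# netdev_key < vti0.netdev : print Key= from the [Tunnel] section.
netdev_key() {
    awk '
        /^\[/ { sect = $0 }
        sect == "[Tunnel]" && /^[ \t]*Key[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)
            sub(/[ \t#].*$/, "", v)
            print v; exit
        }'
}

# key_matches_mark MARK KEY : true when both are set and equal.
key_matches_mark() { [ -n "$1" ] && [ "$1" = "$2" ]; }

# vti_commands NAME LOCAL REMOTE KEY ADDR REMOTE_NET : print the runtime setup.
# disable_policy=1 keeps the kernel from doing a second IPsec policy lookup on
# packets already decapsulated on the VTI; rp_filter=0 stops reverse-path
# filtering from dropping traffic that arrives on the VTI but whose return
# route is elsewhere; ip_forward=1 is the "enable routing" step.
vti_commands() {
    cat <<EOF
ip tunnel add $1 local $2 remote $3 mode vti key $4
sysctl -w net.ipv4.conf.$1.disable_policy=1
sysctl -w net.ipv4.conf.$1.rp_filter=0
ip addr add $5 dev $1
ip link set $1 up
sysctl -w net.ipv4.ip_forward=1
ip route add $6 dev $1
EOF
}

MARK=$(printf '%s' "$IPSEC_CONF_SAMPLE" | conn_mark FortiGate)
KEY=$(printf '%s' "$NETDEV_SAMPLE" | netdev_key)
if ! key_matches_mark "$MARK" "$KEY"; then
    echo "mark '$MARK' in ipsec.conf does not match Key '$KEY' in vti0.netdev; fix that first" >&2
    exit 1
fi
if [ "${1:-}" = apply ] && [ "$(id -u)" = 0 ]; then
    vti_commands vti0 10.0.0.2 10.0.0.1 "$KEY" 169.254.10.2/30 192.168.100.0/24 | sh -e
else
    vti_commands vti0 10.0.0.2 10.0.0.1 "$KEY" 169.254.10.2/30 192.168.100.0/24
fi
```

Without arguments the script only prints the commands, so it can be reviewed before `sudo ./vti.sh apply` runs them. Two further points that apply to any VTI setup with strongSwan: set `install_routes = no` in the charon section of strongswan.conf, otherwise strongSwan installs its own routes for the 0.0.0.0/0 traffic selectors and they compete with the route you add via vti0; and the "permit any any" policy from the Policies section has a Linux counterpart, so whatever iptables/nftables forwarding rules you run on the box need to allow the tunnel subnet through vti0 as well.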