mariaczi
New Contributor

strongSwan on linux as IPSec VPN client

Hello.

I'm trying to connect to an IPsec VPN on a FortiGate using strongSwan on a Linux OS.

My configuration on the FortiGate:

config vpn ipsec phase1-interface
    edit "MAC"
        set type dynamic
        set interface "wan1"
        set peertype any
        set mode-cfg enable
        set proposal aes256-md5 aes256-sha1
        set dpd on-idle
        set dhgrp 2
        set wizard-type dialup-cisco
        set xauthtype auto
        set authusrgrp "VPN"
        set net-device enable
        set ipv4-start-ip 10.10.0.2
        set ipv4-end-ip 10.10.0.254
        set dns-mode auto
        set psksecret ENC secure_enc_string
        set dpd-retryinterval 5
    next
config vpn ipsec phase2-interface
    edit "MAC"
        set phase1name "MAC"
        set proposal aes256-md5 aes256-sha1
        set pfs disable
        set keepalive enable
        set comments "VPN: MAC (Created by VPN wizard)"
    next
    edit "osx"
        set phase1name "osx"
        set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
        set comments "VPN: osx (Created by VPN wizard)"
    next

My strongSwan config on Linux:

/etc/ipsec.conf
config setup
        # strictcrlpolicy=yes
        # uniqueids = no
        # every charon subsystem at debug level 2 ("enc2" was missing its space)
        charondebug="dmn 2, mgr 2, ike 2, chd 2, job 2, cfg 2, knl 2, net 2, enc 2, lib 2"

conn cisco
    fragmentation = yes
    keyexchange = ikev1
    reauth = yes
    forceencaps = no
    mobike = no
    rekey = yes
    installpolicy = yes
    type = tunnel
    dpdaction = restart
    dpddelay = 10s
    dpdtimeout = 60s
    auto = add
    left = 10.10.0.100
    right = IP_OF_REMOTE_VPN_SERVER
    leftid = vpnuser@local
    ikelifetime = 14400s
    lifetime = 3600s
    ike = 3des-sha1-modp1024!
    esp = 3des-sha1-modp1024,3des-sha1-modp1024,3des-sha1-modp1024,3des-sha1-modp1024!
    leftauth = psk
    leftauth2 = xauth
    rightauth = psk
    rightid = vpnuser@VPNSERVER
    aggressive = no
    xauth_identity=vpnuser
    rightsubnet = 10.10.0.0/16
    leftsourceip = %config

/etc/ipsec.secrets
vpnuser : XAUTH "vpnuser_password"
vpnuser@local pgrabowski@VPNSERVER : PSK "psk-preshared-passphrase"

When I try to bring this VPN connection up from the console I receive:

# ipsec up cisco
initiating Main Mode IKE_SA cisco[1] to IP_OF_REMOTE_VPN_SERVER
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 10.10.0.100[500] to IP_OF_REMOTE_VPN_SERVER[500] (176 bytes)
sending retransmit 1 of request message ID 0, seq 1
sending packet: from 10.10.0.100[500] to IP_OF_REMOTE_VPN_SERVER[500] (176 bytes)
sending retransmit 2 of request message ID 0, seq 1
sending packet: from 10.10.0.100[500] to IP_OF_REMOTE_VPN_SERVER[500] (176 bytes)

In logs I see:

Oct 22 12:18:56 myHOST charon: 04[JOB] watched FD 16 ready to read
Oct 22 12:18:56 myHOST charon: 04[JOB] watcher going to poll() 3 fds
Oct 22 12:18:56 myHOST charon: 03[CFG] received stroke: initiate 'cisco'
Oct 22 12:18:56 myHOST charon: 05[MGR] checkout IKE_SA by config
Oct 22 12:18:56 myHOST charon: 04[JOB] watcher got notification, rebuilding
Oct 22 12:18:56 myHOST charon: 04[JOB] watcher going to poll() 4 fds
Oct 22 12:18:56 myHOST charon: 05[MGR] created IKE_SA (unnamed)[2]
Oct 22 12:18:56 myHOST charon: 05[IKE] queueing ISAKMP_VENDOR task
Oct 22 12:18:56 myHOST charon: 05[IKE] queueing ISAKMP_CERT_PRE task
Oct 22 12:18:56 myHOST charon: 05[IKE] queueing MAIN_MODE task
Oct 22 12:18:56 myHOST charon: 05[IKE] queueing ISAKMP_CERT_POST task
Oct 22 12:18:56 myHOST charon: 05[IKE] queueing ISAKMP_NATD task
Oct 22 12:18:56 myHOST charon: 05[IKE] queueing QUICK_MODE task
Oct 22 12:18:56 myHOST charon: 05[IKE] activating new tasks
Oct 22 12:18:56 myHOST charon: 05[IKE]   activating ISAKMP_VENDOR task
Oct 22 12:18:56 myHOST charon: 05[IKE]   activating ISAKMP_CERT_PRE task
Oct 22 12:18:56 myHOST charon: 05[IKE]   activating MAIN_MODE task
Oct 22 12:18:56 myHOST charon: 05[IKE]   activating ISAKMP_CERT_POST task
Oct 22 12:18:56 myHOST charon: 05[IKE]   activating ISAKMP_NATD task
Oct 22 12:18:56 myHOST charon: 05[IKE] sending XAuth vendor ID
Oct 22 12:18:56 myHOST charon: 05[ENC] added payload of type VENDOR_ID_V1 to message
Oct 22 12:18:56 myHOST charon: 05[IKE] sending DPD vendor ID
Oct 22 12:18:56 myHOST charon: 05[ENC] added payload of type VENDOR_ID_V1 to message
Oct 22 12:18:56 myHOST charon: 05[IKE] sending FRAGMENTATION vendor ID
Oct 22 12:18:56 myHOST charon: 05[ENC] added payload of type VENDOR_ID_V1 to message
Oct 22 12:18:56 myHOST charon: 05[IKE] sending NAT-T (RFC 3947) vendor ID
Oct 22 12:18:56 myHOST charon: 05[ENC] added payload of type VENDOR_ID_V1 to message
Oct 22 12:18:56 myHOST charon: 05[IKE] sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Oct 22 12:18:56 myHOST charon: 05[ENC] added payload of type VENDOR_ID_V1 to message
Oct 22 12:18:56 myHOST charon: 05[IKE] initiating Main Mode IKE_SA cisco[2] to IP_OF_REMOTE_VPN_SERVER
Oct 22 12:18:56 myHOST charon: 05[IKE] IKE_SA cisco[2] state change: CREATED => CONNECTING
Oct 22 12:18:56 myHOST charon: 05[CFG] configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 22 12:18:56 myHOST charon: 05[ENC] added payload of type SECURITY_ASSOCIATION_V1 to message
Oct 22 12:18:56 myHOST charon: 05[ENC] order payloads in message
Oct 22 12:18:56 myHOST charon: 05[ENC] added payload of type SECURITY_ASSOCIATION_V1 to message
Oct 22 12:18:56 myHOST charon: 05[ENC] added payload of type VENDOR_ID_V1 to message
Oct 22 12:18:56 myHOST charon: message repeated 4 times: [ 05[ENC] added payload of type VENDOR_ID_V1 to message]
Oct 22 12:18:56 myHOST charon: 05[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Oct 22 12:18:56 myHOST charon: 05[ENC] not encrypting payloads
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type HEADER
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 IKE_SPI
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 IKE_SPI
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 U_INT_4
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 4 U_INT_4
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 5 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 6 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 7 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 8 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 9 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 10 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 11 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 12 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 13 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 14 U_INT_32
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 15 HEADER_LENGTH
Oct 22 12:18:56 myHOST charon: 05[ENC] generating HEADER payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type SECURITY_ASSOCIATION_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 4 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 5 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 6 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 7 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 8 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 9 PAYLOAD_LENGTH
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 10 U_INT_32
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 11 U_INT_32
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 12 (1259)
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type PROPOSAL_SUBSTRUCTURE_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 RESERVED_BYTE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 PAYLOAD_LENGTH
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 4 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 5 SPI_SIZE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 6 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 7 SPI
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 8 (1261)
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type TRANSFORM_SUBSTRUCTURE_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 RESERVED_BYTE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 PAYLOAD_LENGTH
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 4 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 5 RESERVED_BYTE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 6 RESERVED_BYTE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 7 (1263)
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 ATTRIBUTE_FORMAT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 ATTRIBUTE_TYPE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 ATTRIBUTE_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 ATTRIBUTE_FORMAT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 ATTRIBUTE_TYPE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 ATTRIBUTE_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 ATTRIBUTE_FORMAT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 ATTRIBUTE_TYPE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 ATTRIBUTE_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 ATTRIBUTE_FORMAT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 ATTRIBUTE_TYPE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 ATTRIBUTE_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 ATTRIBUTE_FORMAT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 ATTRIBUTE_TYPE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 ATTRIBUTE_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 ATTRIBUTE_FORMAT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 ATTRIBUTE_TYPE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 ATTRIBUTE_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating TRANSFORM_SUBSTRUCTURE_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating PROPOSAL_SUBSTRUCTURE_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating SECURITY_ASSOCIATION_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type VENDOR_ID_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 4 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 5 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 6 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 7 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 8 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 9 PAYLOAD_LENGTH
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 10 CHUNK_DATA
Oct 22 12:18:56 myHOST charon: 05[ENC] generating VENDOR_ID_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type VENDOR_ID_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 4 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 5 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 6 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 7 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 8 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 9 PAYLOAD_LENGTH
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 10 CHUNK_DATA
Oct 22 12:18:56 myHOST charon: 05[ENC] generating VENDOR_ID_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type VENDOR_ID_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 4 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 5 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 6 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 7 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 8 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 9 PAYLOAD_LENGTH
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 10 CHUNK_DATA
Oct 22 12:18:56 myHOST charon: 05[ENC] generating VENDOR_ID_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type VENDOR_ID_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 4 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 5 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 6 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 7 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 8 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 9 PAYLOAD_LENGTH
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 10 CHUNK_DATA
Oct 22 12:18:56 myHOST charon: 05[ENC] generating VENDOR_ID_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type VENDOR_ID_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 4 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 5 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 6 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 7 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 8 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 9 PAYLOAD_LENGTH
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 10 CHUNK_DATA
Oct 22 12:18:56 myHOST charon: 05[ENC] generating VENDOR_ID_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[NET] sending packet: from 10.10.0.100[500] to IP_OF_REMOTE_VPN_SERVER[500] (176 bytes)
Oct 22 12:18:56 myHOST charon: 05[MGR] checkin IKE_SA cisco[2]
Oct 22 12:18:56 myHOST charon: 01[JOB] next event in 3s 999ms, waiting
Oct 22 12:18:56 myHOST charon: 05[MGR] checkin of IKE_SA successful
Oct 22 12:18:56 myHOST charon: 06[NET] sending packet: from 10.10.0.100[500] to IP_OF_REMOTE_VPN_SERVER[500]
Oct 22 12:19:00 myHOST charon: 01[JOB] got event, queuing job for execution
Oct 22 12:19:00 myHOST charon: 01[JOB] no events, waiting
Oct 22 12:19:00 myHOST charon: 12[MGR] checkout IKEv1 SA with SPIs 323c3aef2f033c01_i 0000000000000000_r
Oct 22 12:19:00 myHOST charon: 12[MGR] IKE_SA cisco[2] successfully checked out
Oct 22 12:19:00 myHOST charon: 12[IKE] sending retransmit 1 of request message ID 0, seq 1
Oct 22 12:19:00 myHOST charon: 12[NET] sending packet: from 10.10.0.100[500] to IP_OF_REMOTE_VPN_SERVER[500] (176 bytes)
Oct 22 12:19:00 myHOST charon: 12[MGR] checkin IKE_SA cisco[2]
Oct 22 12:19:00 myHOST charon: 12[MGR] checkin of IKE_SA successful
Oct 22 12:19:00 myHOST charon: 01[JOB] next event in 7s 199ms, waiting
Oct 22 12:19:00 myHOST charon: 06[NET] sending packet: from 10.10.0.100[500] to IP_OF_REMOTE_VPN_SERVER[500]
Oct 22 12:19:08 myHOST charon: 01[JOB] got event, queuing job for execution
Oct 22 12:19:08 myHOST charon: 01[JOB] no events, waiting
Oct 22 12:19:08 myHOST charon: 13[MGR] checkout IKEv1 SA with SPIs 323c3aef2f033c01_i 0000000000000000_r
Oct 22 12:19:08 myHOST charon: 13[MGR] IKE_SA cisco[2] successfully checked out
Oct 22 12:19:08 myHOST charon: 13[IKE] sending retransmit 2 of request message ID 0, seq 1
Oct 22 12:19:08 myHOST charon: 13[NET] sending packet: from 10.10.0.100[500] to IP_OF_REMOTE_VPN_SERVER[500] (176 bytes)
Oct 22 12:19:08 myHOST charon: 13[MGR] checkin IKE_SA cisco[2]
Oct 22 12:19:08 myHOST charon: 13[MGR] checkin of IKE_SA successful
Oct 22 12:19:08 myHOST charon: 06[NET] sending packet: from 10.10.0.100[500] to IP_OF_REMOTE_VPN_SERVER[500]
Oct 22 12:19:08 myHOST charon: 01[JOB] next event in 12s 959ms, waiting

The question is: what do I have wrong in this setup that the connection can't be established?

Thanks for your help!
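Before reading the debug output, a check worth running on the two configurations above: do the FortiGate phase1 proposals and the strongSwan ike= line share at least one (encryption, integrity, DH group) triple? The script is an added example, not code from this thread or from either project; it embeds the "MAC" block and ike= line posted above plus the "VPN_LICS" block posted later in the thread, and the FortiOS default dhgrp it uses for a block without a dhgrp line is an assumption, not something the thread states.

```python
"""Do the FortiGate phase1 proposals and the strongSwan ike= line overlap?
Added example, not code from the thread or from either project.  A dialup
client only gets past the first IKE exchange when both sides share at least
one (encryption, integrity, DH group) triple."""
import re

# FortiGate 'set dhgrp N' numbers -> strongSwan group keywords (IANA IKE group ids).
DH_GROUPS = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048",
             "15": "modp3072", "16": "modp4096", "17": "modp6144", "18": "modp8192",
             "19": "ecp256", "20": "ecp384", "21": "ecp521", "31": "curve25519"}
DH_NAMES = set(DH_GROUPS.values())


def fortigate_phase1_proposals(config, assumed_dhgrp=None):
    """Set of (enc, integ, dh) triples offered by a 'phase1-interface' block.

    FortiOS pairs every 'set proposal' entry with every 'set dhgrp' group.  A
    block that shows no dhgrp line is using the firmware default, which the
    caller must pass in explicitly (it differs between FortiOS versions).
    AEAD/PRF-style entries such as aes128gcm-prfsha256 are not normalised here.
    """
    m = re.search(r"^\s*set proposal (.+?)\s*$", config, re.M)
    if not m:
        raise ValueError("no 'set proposal' line in the phase1 block")
    g = re.search(r"^\s*set dhgrp (.+?)\s*$", config, re.M)
    groups = g.group(1).split() if g else list(assumed_dhgrp or [])
    if not groups:
        raise ValueError("block has no 'set dhgrp' line; pass assumed_dhgrp")
    triples = set()
    for prop in m.group(1).split():
        enc, _, integ = prop.partition("-")        # "aes256-sha1" -> ("aes256", "sha1")
        for grp in groups:
            triples.add((enc, integ or None, DH_GROUPS.get(grp, "group" + grp)))
    return triples


def strongswan_ike_proposals(line):
    """Set of (enc, integ, dh) triples from an ipsec.conf 'ike = ...' line.

    Handles the strict-mode '!' suffix, comma-separated lists and optional
    prf tokens, e.g. 'aes256-sha256-prfsha256-modp2048,3des-sha1-modp1024!'.
    """
    value = line.split("=", 1)[1].strip().rstrip("!").strip()
    triples = set()
    for prop in value.split(","):
        tokens = prop.strip().split("-")
        enc = tokens[0]
        dh = next((t for t in tokens[1:] if t in DH_NAMES), None)
        integ = next((t for t in tokens[1:]
                      if t not in DH_NAMES and not t.startswith("prf")), None)
        triples.add((enc, integ, dh))
    return triples


def common_proposals(fortigate, strongswan):
    """Sorted list of triples both peers accept; empty means phase 1 cannot agree."""
    return sorted(fortigate & strongswan, key=str)


# The 'MAC' phase1 block from the first post (lines not relevant to the check omitted).
FGT_MAC = """\
config vpn ipsec phase1-interface
    edit "MAC"
        set type dynamic
        set proposal aes256-md5 aes256-sha1
        set dhgrp 2
        set xauthtype auto
    next
"""
# The ike= line from the first post's ipsec.conf, and a candidate that would overlap.
IKE_POSTED = "ike = 3des-sha1-modp1024!"
IKE_MATCHING = "ike = aes256-sha1-modp1024!"

# The 'VPN_LICS' block from a later post shows no dhgrp line; the groups assumed
# here for its firmware default are an assumption, not taken from the thread.
FGT_VPN_LICS = """\
config vpn ipsec phase1-interface
    edit "VPN_LICS"
        set mode aggressive
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
    next
"""
IKE_VPN_LICS = "ike = aes256-sha256-modp2048!"
ASSUMED_DEFAULT_DHGRP = ["14", "5"]


def check(fgt_block, ike_line, assumed_dhgrp=None):
    """Return the overlap for one FortiGate block / strongSwan ike= pair."""
    return common_proposals(fortigate_phase1_proposals(fgt_block, assumed_dhgrp),
                            strongswan_ike_proposals(ike_line))


if __name__ == "__main__":
    print("MAC vs posted ike=      :", check(FGT_MAC, IKE_POSTED) or "NO OVERLAP")
    print("MAC vs aes256-sha1      :", check(FGT_MAC, IKE_MATCHING))
    print("VPN_LICS vs posted ike= :",
          check(FGT_VPN_LICS, IKE_VPN_LICS, ASSUMED_DEFAULT_DHGRP) or "NO OVERLAP")
```

With the posted values the first pair has no common triple, which is one thing to rule out before looking for a network-level cause of the unanswered retransmits.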

mariaczi
New Contributor

Routes and rules you can find in my earlier post (https://forum.fortinet.com/FindPost/180023), 3rd block of code.

I don't have a virtual adapter in the kernel after the VPN tunnel is established, on Ubuntu 18.04 (kernel 4.15) and 19.10 (kernel 5.3) too. The IP address from the VPN server is assigned to the network interface which is connected to the local network.

emnoc
Esteemed Contributor III

So you need to do a tcpdump against the parent interface and ensure the packets are going out encrypted; if you send the ping and see it in the clear, then that is a tell-tale sign they are not encrypted.

If you do a pcap and see ESP and SPIs (i.e. c877d2c0_i 9fbf289c_o) in and out, then that would be a clue they are encrypted. You can adjust the ping size and confirm the ESP datagram size increases/decreases as required.

# bash shell
ping -s 166 10.10.0.111

Ken Felix

PCNSE
NSE
StrongSwan

ealburez
New Contributor

Hello all.

I have a similar problem: the IPsec tunnel is up but no traffic is passing.

I am running strongSwan on Linux OS (client) and connecting to a FortiGate (server) to access a remote network behind it.

I have other devices, all of them using FortiClient (v6.0), and I can ping any computer behind the FortiGate.

strongSwan version: U5.7.2/K4.19.97-v7+

Linux OS: Raspbian 10 (Buster)

FortiOS: 6.2.

In the FortiGate I have the following configuration (phase 1 & 2):

config vpn ipsec phase1-interface
    edit "VPN_LICS"
        set type dynamic
        set interface "wan"
        set mode aggressive
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set comments "VPN: VPN_LICS (Created by VPN wizard)"
        set wizard-type dialup-forticlient
        set xauthtype auto
        set authusrgrp "VPN"
        set ipv4-start-ip 10.172.31.230
        set ipv4-end-ip 10.172.31.249
        set dns-mode auto
        set ipv4-split-include "VPN_LICS_split"
        set save-password enable
        set client-keep-alive enable
        set psksecret ENC secure_string
        set dpd-retryinterval 60
    next

config vpn ipsec phase2-interface
    edit "VPN_LICS"
        set phase1name "VPN_LICS"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set comments "VPN: VPN_LICS (Created by VPN wizard)"
    next

On my Linux machine (client):

cat /etc/ipsec.conf

config setup


conn fortiOfi

        keyexchange = ikev1

        ike = aes256-sha256-modp2048!
        esp = aes256-sha256-modp2048!

        #added
        dpddelay = 30
        dpdtimeout = 60
        dpdaction = clear

        aggressive = yes

        ikelifetime = 28800s

        right = serverIP
        rightsubnet = 10.72.31.0/24
        rightid = serverIP
        rightauth = psk
        rightdns = 208.67.222.222,208.67.220.220,8.8.8.8

        left = %any
        leftauth = psk
        leftauth2 = xauth
        leftid="anyID"
        leftsourceip = %config
        leftfirewall = yes
        xauth_identity = user

        auto = start
        type = tunnel

        forceencaps = yes
        eap_identity = "me"

After connecting I get the following on my Linux (client):

ipsec statusall:

Security Associations (1 up, 0 connecting):
    fortiOfi[2]: ESTABLISHED 16 seconds ago, 192.168.43.105[anyID]...serverIP[serverIP]
    fortiOfi{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: espSentence
    fortiOfi{1}: 10.172.31.230/32 === 10.72.31.0/24

On the FortiGate I get:

diagnose vpn tunnel list

name=VPN_LICS_0 ver=1 serial=4b serverIP:4500->clientIP:22519 dst_mtu=0
bound_if=4 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/896 options[0380]=rgwy-chg rport-chg frag-rfc run_state=1 accept_traffic=1
parent=VPN_LICS index=0
proxyid_num=1 child_num=0 refcnt=5 ilast=5 olast=5 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=0
natt: mode=silent draft=32 interval=10 remote_port=22519
proxyid=VPN_LICS proto=0 sa=1 ref=2 serial=1 add-route
  src: 0:10.72.31.0-10.72.31.255:0
  dst: 0:10.172.31.230-10.172.31.230:0
  SA: ref=3 options=282 type=00 soft=0 mtu=1280 expire=3280/0B replaywin=1024
       seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0
  life: type=01 bytes=0/0 timeout=3587/3600
  dec: spi=f59110aa esp=aes key=32 key#
       ah=sha256 key=32 key#
  enc: spi=cd65379b esp=aes key=32 key#
       ah=sha256 key=32 key#
  dec:pkts/bytes=0/0, enc:pkts/bytes=0/0

The IP tables on my Linux machine look as follows:

#$ ip ru s
0: from all lookup local
220: from all lookup 220
32766: from all lookup main
32767: from all lookup default

#$ ip r s
default via 192.168.43.1 dev wlan0 proto dhcp src 192.168.43.105 metric 303
169.254.0.0/16 dev eth0 scope link src 169.254.148.45 metric 202
192.168.43.0/24 dev wlan0 proto dhcp scope link src 192.168.43.105 metric 303

#$ ip r s t 220
10.72.31.0/24 via 192.168.43.1 dev wlan0 proto static src 10.172.31.230

When I try to ping the server I get no traffic:

$ ping 10.172.31.1
PING 10.172.31.1 (10.172.31.1) 56(84) bytes of data.
^C
--- 10.172.31.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 109ms

Any ideas what could be going wrong? Any help is highly appreciated!

Thanks

Enio

emnoc
Esteemed Contributor III

Your route does not look correct and is missing. What does "ip a" or "ifconfig -a" show for the virtual interface?

Ken Felix

ealburez
New Contributor

Hi emnoc,

when I run those commands I don't really see a virtual interface (I believe it should be something like tun0, right?).

Any idea what the reason for that could be? Below the output:

For ip a I get the following:

$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether b8:27:eb:7e:f9:f5 brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 16:7f:36:d1:09:4d brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.10/24 brd 192.168.1.255 scope global dynamic noprefixroute wlan0
       valid_lft 599251sec preferred_lft 523651sec
    inet 10.172.31.230/32 scope global wlan0
       valid_lft forever preferred_lft forever
    inet6 2a01:c23:6001:2d00:3af7:8f3f:a9ed:1cd9/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 201601sec preferred_lft 115201sec
    inet6 fe80::18aa:4502:1a9f:b6c/64 scope link
       valid_lft forever preferred_lft forever

And for ifconfig -a I get:

$ ifconfig -a
eth0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
        ether b8:27:eb:7e:f9:f5 txqueuelen 1000 (Ethernet)
        RX packets 0 bytes 0 (0.0 B)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 0 bytes 0 (0.0 B)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
        inet 127.0.0.1 netmask 255.0.0.0
        inet6 ::1 prefixlen 128 scopeid 0x10<host>
        loop txqueuelen 1000 (Local Loopback)
        RX packets 76 bytes 6036 (5.8 KiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 76 bytes 6036 (5.8 KiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 192.168.1.10 netmask 255.255.255.0 broadcast 192.168.1.255
        inet6 fe80::18aa:4502:1a9f:b6c prefixlen 64 scopeid 0x20<link>
        inet6 2a01:c23:6001:2d00:3af7:8f3f:a9ed:1cd9 prefixlen 64 scopeid 0x0<global>
        ether 16:7f:36:d1:09:4d txqueuelen 1000 (Ethernet)
        RX packets 1978 bytes 214033 (209.0 KiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 1448 bytes 247697 (241.8 KiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Thanks!

emnoc
Esteemed Contributor III

Yes, that is correct, tun0 or ipsec0 sometimes, but let's go backwards.

When you connect, can you get a diag vpn ike gateway output?

Also, if you tcpdump on the WAN interfaces of the FGT or Linux host, do you see your client address?

e.g.

# linux
tcpdump -nnnvvv -i eth0 udp port 500 or 4500

# fortiOS
diag sniffer packet any "host <your public address for linux client>"

I would check that if you see no output from diag vpn ike gateway.

Ken Felix

ealburez
New Contributor

Hi,

there seems to be some information going back and forth. Looks like some keep-alive exchange but I don't really understand what it is.

Any idea of what could be going wrong?

Thanks a lot for the help!

On the FortiGate I get:

FortigateOfi # diag sniffer packet any "host clientPublicIP"
interfaces=[any]
filters=[host clientPublicIP]
5.709784 clientPublicIP.9470 -> serverIP.4500: udp 1
16.010401 clientPublicIP.9470 -> serverIP.4500: udp 112
16.010707 serverIP.4500 -> clientPublicIP.9470: udp 112
35.709253 clientPublicIP.9470 -> serverIP.4500: udp 1
46.145160 clientPublicIP.9470 -> serverIP.4500: udp 112
46.145510 serverIP.4500 -> clientPublicIP.9470: udp 112
^C
6 packets received by filter
0 packets dropped by kernel

On the Linux client:

$ sudo tcpdump -nnnvvv -i wlan0 udp port 4500

tcpdump: listening on wlan0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:03:02.397459 IP (tos 0x0, ttl 64, id 52139, offset 0, flags [DF], proto UDP (17), length 29)
192.168.43.42.4500 > serverIP.4500: [udp sum ok] isakmp-nat-keep-alive
11:03:12.758009 IP (tos 0x0, ttl 64, id 52899, offset 0, flags [DF], proto UDP (17), length 140)
192.168.43.42.4500 > serverIP.4500: [udp sum ok] NONESP-encap: isakmp 1.0 msgid 7814c631 cookie <cookie1> -><cookie2>: phase 2/others ? inf: [encrypted hash]
11:03:12.989897 IP (tos 0x0, ttl 43, id 12999, offset 0, flags [none], proto UDP (17), length 140)
serverIP.4500 > 192.168.43.42.4500: [udp sum ok] NONESP-encap: isakmp 1.0 msgid 8281d6a1 cookie <cookie1> -><cookie2>: phase 2/others ? inf: [encrypted hash]
11:03:32.398684 IP (tos 0x0, ttl 64, id 54615, offset 0, flags [DF], proto UDP (17), length 29)
192.168.43.42.4500 > serverIP.4500: [udp sum ok] isakmp-nat-keep-alive
11:03:42.758928 IP (tos 0x0, ttl 64, id 55065, offset 0, flags [DF], proto UDP (17), length 140)
192.168.43.42.4500 > serverIP.4500: [udp sum ok] NONESP-encap: isakmp 1.0 msgid dbb42cab cookie <cookie1> -><cookie2>: phase 2/others ? inf: [encrypted hash]
11:03:43.128081 IP (tos 0x0, ttl 43, id 13000, offset 0, flags [none], proto UDP (17), length 140)
serverIP.4500 > 192.168.43.42.4500: [udp sum ok] NONESP-encap: isakmp 1.0 msgid 39e4d3ba cookie <cookie1> -><cookie2>: phase 2/others ? inf: [encrypted hash]
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel
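The capture above answers emnoc's question in the negative: every packet is either a NAT-T keepalive or an encrypted ISAKMP informational exchange, and no ESP is seen in either direction, so the tunnel is up but nothing is entering it. The script below is an added example (not code from the thread) that runs that check over tcpdump -vvv output: the posted lines are embedded as-is, and the ESP and cleartext-ICMP lines are constructed to show the other two outcomes, reusing the SPIs from the "diagnose vpn tunnel list" output earlier in the thread.

```python
"""Classify a tcpdump capture taken on the VPN's parent interface, the check
emnoc describes above: ESP with SPIs in both directions means traffic is
encrypted; ICMP leaving in the clear means it is not; only IKE informational
packets and NAT-T keepalives (this post's capture) means no data is entering
the tunnel at all.  Added example, not code from the thread."""
import re
from collections import Counter

CLIENT_IP = "192.168.43.42"   # the Linux client's address in the capture above

ESP_RE = re.compile(r"ESP\(spi=0x([0-9a-f]+),seq=0x[0-9a-f]+\)")
HEADER_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+ IP ")   # tcpdump -v first line of a packet

# Three packets copied from the capture posted above (tcpdump -vvv two-line layout).
CAPTURE_POSTED = """\
11:03:02.397459 IP (tos 0x0, ttl 64, id 52139, offset 0, flags [DF], proto UDP (17), length 29)
    192.168.43.42.4500 > serverIP.4500: [udp sum ok] isakmp-nat-keep-alive
11:03:12.758009 IP (tos 0x0, ttl 64, id 52899, offset 0, flags [DF], proto UDP (17), length 140)
    192.168.43.42.4500 > serverIP.4500: [udp sum ok] NONESP-encap: isakmp 1.0 msgid 7814c631 cookie <cookie1> -><cookie2>: phase 2/others ? inf: [encrypted hash]
11:03:12.989897 IP (tos 0x0, ttl 43, id 12999, offset 0, flags [none], proto UDP (17), length 140)
    serverIP.4500 > 192.168.43.42.4500: [udp sum ok] NONESP-encap: isakmp 1.0 msgid 8281d6a1 cookie <cookie1> -><cookie2>: phase 2/others ? inf: [encrypted hash]
"""

# Constructed: what an encrypted ping would look like on the same interface.  The SPIs
# are the ones in the 'diagnose vpn tunnel list' output above: the FortiGate's dec SPI
# is the one the client sends with, its enc SPI the one the client receives.
CAPTURE_ESP = """\
11:04:01.000000 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto UDP (17), length 164)
    192.168.43.42.4500 > serverIP.4500: [udp sum ok] UDP-encap: ESP(spi=0xf59110aa,seq=0x1), length 136
11:04:01.200000 IP (tos 0x0, ttl 43, id 2, offset 0, flags [none], proto UDP (17), length 164)
    serverIP.4500 > 192.168.43.42.4500: [udp sum ok] UDP-encap: ESP(spi=0xcd65379b,seq=0x1), length 136
"""

# Constructed: a ping to the remote subnet leaving the interface unencrypted.
CAPTURE_CLEAR = """\
11:05:01.000000 IP (tos 0x0, ttl 64, id 3, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.43.42 > 10.172.31.1: ICMP echo request, id 4242, seq 1, length 64
"""


def classify_line(line):
    """Return (category, direction) for a packet line, None for header/blank lines."""
    s = line.strip()
    if not s or HEADER_RE.match(s) or " > " not in s:
        return None
    src = s.split(" > ", 1)[0]
    direction = "out" if src == CLIENT_IP or src.startswith(CLIENT_IP + ".") else "in"
    if ESP_RE.search(s):
        category = "esp"
    elif "isakmp-nat-keep-alive" in s:
        category = "nat_keepalive"
    elif "isakmp" in s:
        category = "ike"
    elif "ICMP" in s:
        category = "clear_icmp"
    else:
        category = "other"
    return category, direction


def summarize(capture):
    """Count packets per (category, direction) and collect ESP SPIs per direction."""
    counts = Counter()
    spis = {"in": set(), "out": set()}
    for line in capture.splitlines():
        result = classify_line(line)
        if result is None:
            continue
        category, direction = result
        counts[(category, direction)] += 1
        if category == "esp":
            spis[direction].add(ESP_RE.search(line).group(1))
    return {"counts": counts, "spis": spis}


def verdict(summary):
    """'cleartext' if ICMP leaves unencrypted, 'encrypted' if ESP flows both ways,
    otherwise 'no_data' (tunnel may be up but nothing is being sent through it)."""
    if summary["counts"][("clear_icmp", "out")]:
        return "cleartext"
    if summary["spis"]["in"] and summary["spis"]["out"]:
        return "encrypted"
    return "no_data"


if __name__ == "__main__":
    for name, cap in [("posted", CAPTURE_POSTED), ("posted+esp", CAPTURE_POSTED + CAPTURE_ESP),
                      ("posted+clear", CAPTURE_POSTED + CAPTURE_CLEAR)]:
        s = summarize(cap)
        print(f"{name:13s} {verdict(s):10s} {dict(s['counts'])} spis={s['spis']}")
```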

pv081079

Hello,

I am trying to set up a strongSwan -> FortiGate IPsec VPN with certificate auth and XAuth:

# FortiGate configuration:

IDCFW_BE01 (phase1-interface) # show
config vpn ipsec phase1-interface
    edit "REMOTE_AT"
        set type dynamic
        set interface "VPN_870"
        set authmethod signature
        set mode aggressive
        set peertype peergrp
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set comments "VPN: REMOTE_AT"
        set wizard-type dialup-forticlient
        set xauthtype auto
        set certificate "AGOC_SSL_RSA4096"
        set peergrp "remotegrp"
        set ipv4-start-ip 10.184.16.1
        set ipv4-end-ip 10.184.16.254
        set dns-mode auto
        set ipv4-split-include "REMOTE_AT_split"
        set domain "ritta.local"
        set save-password enable
        set client-auto-negotiate enable
        set client-keep-alive enable
        set dpd-retryinterval 60
    next
end

config vpn ipsec phase2-interface
    edit "REMOTE_AT"
        set phase1name "REMOTE_AT"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set comments "VPN: REMOTE_AT (Created by VPN wizard)"
    next
end

# strongSwan configs:

-> ipsec.conf

config setup

ca strongswan
        cacert=AGOC_NLC_CA.crt

conn AT
        fragmentation = yes
        keyexchange = ikev1
        aggressive = yes
        reauth = yes
        forceencaps = no
        mobike = no
        rekey = yes
        installpolicy = yes
        type = tunnel
        #type = passthrough
        dpdaction = restart
        dpddelay = 10s
        dpdtimeout = 60s
        ikelifetime = 14400s
        lifetime = 3600s
        left = %any
        leftcert = ple1764Cert.pem
        leftauth = pubkey
        leftauth2 = xauth
        xauth_identity = ple1764
        leftid = "C=PT, ST=Lisboa, L=Lisboa, O=AGOC NLC, OU=AGOC NLC, CN=ple1764, E=xx@xx.xx.xx"
        #leftsourceip = %config
        right = X.X.X.X
        rightsubnet = 10.0.0.0/8
        rightid = "C=PT, ST=Lisboa, L=Lisboa, O=AGOC NLC, OU=AGOC NLC, CN=X.X.X.X, E=xx@xx.xx.xx"
        rightauth = pubkey
        rightdns = 10.191.191.191
        auto = start
        type = tunnel
        #eap_identity = "ple1764"
        ike = aes128-sha1-modp2048
        esp = aes128-sha1

-> ipsec.secrets

# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.
: RSA ple1764Key.pem

ple1764 : XAUTH "password"

 

-> strongswan.conf

charon {
        load = aes sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
}

-> command "ipsec start --nofork"

Starting strongSwan 5.8.4 IPsec [starter]...
!! Your strongswan.conf contains manual plugin load options for charon.
!! This is recommended for experts only, see
!! http://wiki.strongswan.or...ngswan/wiki/PluginLoad
00[DMN] Starting IKE charon daemon (strongSwan 5.8.4, Linux 5.5.0-kali2-amd64, x86_64)
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG] loaded ca certificate "C=PT, ST=Lisboa, L=Lisboa, O=AGOC NLC, OU=AGOC NLC, E=xx@xx.xx.xx" from '/etc/ipsec.d/cacerts/AGOC_NLC_CA.crt'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG] loaded RSA private key from '/etc/ipsec.d/private/ple1764Key.pem'
00[CFG] loaded EAP secret for ple1764
00[LIB] loaded plugins: charon aes sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
00[LIB] dropped capabilities, running as uid 0, gid 0
00[JOB] spawning 16 worker threads
charon (4795) started after 40 ms
05[CFG] received stroke: add connection 'AT'
05[CFG] loaded certificate "C=PT, ST=Lisboa, L=Lisboa, O=AGOC NLC, OU=AGOC NLC, CN=ple1764, E=xx@xx.xx.xx" from 'ple1764Cert.pem'
05[CFG] added configuration 'AT'
07[CFG] received stroke: initiate 'AT'
07[IKE] sending cert request for "C=PT, ST=Lisboa, L=Lisboa, O=AGOC NLC, OU=AGOC NLC, E=xx@xx.xx.xx"
07[IKE] initiating Aggressive Mode IKE_SA AT[1] to xx.xx.xx.xx
07[ENC] generating AGGRESSIVE request 0 [ SA KE No ID CERTREQ V V V V V ]
07[NET] sending packet: from 192.168.1.104[500] to xx.xx.xx.xx[500] (788 bytes)
09[NET] received packet: from xx.xx.xx.xx[500] to 192.168.1.104[500] (4111 bytes)
09[ENC] parsed AGGRESSIVE response 0 [ SA KE No ID CERT CERT SIG V NAT-D NAT-D V V V V V ]
09[IKE] received NAT-T (RFC 3947) vendor ID
09[IKE] received DPD vendor ID
09[IKE] received XAuth vendor ID
09[ENC] received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00
09[IKE] received FRAGMENTATION vendor ID
09[IKE] received FRAGMENTATION vendor ID
09[IKE] received end entity cert "C=PT, ST=Lisboa, L=Lisboa, O=AGOC NLC, OU=AGOC NLC, CN=xx.xx.xx.xx, E=xx@xx.xx.xx"
09[IKE] received issuer cert "C=PT, ST=Lisboa, L=Lisboa, O=AGOC NLC, OU=AGOC NLC, E=xx@xx.xx.xx"
09[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
09[CFG] using certificate "C=PT, ST=Lisboa, L=Lisboa, O=AGOC NLC, OU=AGOC NLC, CN=xx.xx.xx.xx, E=xx@xx.xx.xx"
09[CFG] using trusted ca certificate "C=PT, ST=Lisboa, L=Lisboa, O=AGOC NLC, OU=AGOC NLC, E=xx@xx.xx.xx"
09[CFG] checking certificate status of "C=PT, ST=Lisboa, L=Lisboa, O=AGOC NLC, OU=AGOC NLC, CN=xx.xx.xx.xx, E=xx@xx.xx.xx"
09[CFG] certificate status is not available
09[CFG] reached self-signed root ca with a path length of 0
09[IKE] authentication of 'C=PT, ST=Lisboa, L=Lisboa, O=AGOC NLC, OU=AGOC NLC, CN=xx.xx.xx.xx, E=xx@xx.xx.xx' with RSA_EMSA_PKCS1_NULL successful
09[IKE] local host is behind NAT, sending keep alives
09[IKE] authentication of 'C=PT, ST=Lisboa, L=Lisboa, O=AGOC NLC, OU=AGOC NLC, CN=ple1764, E=xx@xx.xx.xx' (myself) successful
09[ENC] generating AGGRESSIVE request 0 [ NAT-D NAT-D SIG ]
09[NET] sending packet: from 192.168.1.104[4500] to xx.xx.xx.xx[4500] (604 bytes)
12[IKE] sending keep alive to xx.xx.xx.xx[4500]
13[JOB] peer did not initiate expected exchange, reestablishing IKE_SA
13[IKE] reinitiating IKE_SA AT[1]
13[IKE] sending cert request for "C=PT, ST=Lisboa, L=Lisboa, O=AGOC NLC, OU=AGOC NLC, E=xx@xx.xx.xx"
13[IKE] initiating Aggressive Mode IKE_SA AT[1] to xx.xx.xx.xx
13[ENC] generating AGGRESSIVE request 0 [ SA KE No ID CERTREQ V V V V V ]
13[NET] sending packet: from 192.168.1.104[4500] to xx.xx.xx.xx[4500] (788 bytes)
^C00[DMN] signal of type SIGINT received. Shutting down
charon stopped after 200 ms
ipsec starter stopped

 

 

What could be wrong with the configuration?

Thank you

pv081079

It's working now. Here are my configs:

-> ipsec.conf

conn AT
        fragmentation = yes
        keyexchange = ikev1
        aggressive = yes
        reauth = yes
        forceencaps = yes
        mobike = no
        rekey = yes
        installpolicy = yes
        type = tunnel
        pfs=yes
        pfsgroup=5
        xauth_identity=ple1764
        left = %any
        leftcert=ple1764Cert.pem
        leftauth=pubkey
        leftauth2=xauth
        leftid ="C=PT, ST=Lisboa, L=Lisboa, O=AGOC NLC, OU=AGOC NLC, CN=ple1764, E=xx@xx.xx.xx"
        leftsendcert=always
        leftsourceip=%config
        right=xx.xx.xx.xx
        rightsubnet=10.0.0.0/8
        rightid="C=PT, ST=Lisboa, L=Lisboa, O=AGOC NLC, OU=AGOC NLC, CN=xx.xx.xx.xx, E=xx@xx.xx.xx"
        rightauth=pubkey
        rightsendcert=always
        auto=start
        type=tunnel
        ike = aes256-sha256-modp1536
        esp = aes256-sha256-modp1536

-> strongswan.conf

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

#charon {
#        load_modular = yes
#        plugins {
#                include strongswan.d/charon/*.conf
#        }
#}

#include strongswan.d/*.conf

charon {
        load = aes sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown xauth-generic
}

-> ipsec.secrets

# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.
: RSA ple1764Key.pem

ple1764 : XAUTH "password"

I hope this helps someone else.

 

Cheers.
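A small compatibility check over the two sides' settings, added here as an example that is not part of this thread and not strongSwan or Fortinet code: it parses a FortiGate phase1/phase2 block (line-structured or pasted flat, as above) and a strongSwan ike=/esp= value, expands FortiOS dhgrp numbers into strongSwan group names, and reports the proposals both peers share; it also flags leftauth2=xauth combined with a manual charon load list that lacks xauth-generic. The FortiOS default dhgrp of "14 5" applied when a block sets none is an assumption, and algorithm names are compared verbatim (FortiOS and strongSwan spell some GCM suites differently).

```python
import re

# FortiOS dhgrp numbers -> strongSwan DH group names (the groups seen in this thread plus common ones)
DH_GROUPS = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048",
             "15": "modp3072", "16": "modp4096", "19": "ecp256", "20": "ecp384", "21": "ecp521"}
# Assumed FortiOS default applied when a phase block sets no dhgrp; verify it against your firmware
DEFAULT_DHGRP = ["14", "5"]

def _setting(block, key):
    """Tokens of 'set <key> ...' in a FortiGate block, whether line-structured or pasted flat."""
    m = re.search(r"\bset %s\s+(.+?)(?=\s+set\s|\s+next\b|\s+end\b|\n|$)" % re.escape(key), block)
    return m.group(1).strip().strip('"').split() if m else None

def _split(prop):
    """'aes256-sha256-modp1536' -> ('aes256', 'sha256', 'modp1536'); absent parts become None."""
    parts = prop.strip().split("-") + [None, None]
    return parts[0], parts[1], parts[2]

def fortigate_proposals(block, phase2=False):
    """(enc, integ, dh) triples the FortiGate block accepts; dh is None for a phase2 with pfs disabled."""
    if phase2 and (_setting(block, "pfs") or ["enable"])[0] == "disable":
        groups = [None]
    else:
        groups = [DH_GROUPS.get(g, g) for g in (_setting(block, "dhgrp") or DEFAULT_DHGRP)]
    return {(e, i, g) for e, i, _ in map(_split, _setting(block, "proposal") or []) for g in groups}

def strongswan_proposals(value):
    """Expand an ike=/esp= value like 'aes256-sha256-modp1536,3des-sha1!'; no third part = no DH/PFS."""
    return {_split(p) for p in value.rstrip("!").split(",")}

def common_proposals(fgt_block, ss_value, phase2=False):
    """Proposals both peers can agree on; algorithm names are compared verbatim."""
    return fortigate_proposals(fgt_block, phase2) & strongswan_proposals(ss_value)

def xauth_plugin_loaded(ipsec_conf, strongswan_conf):
    """False when ipsec.conf uses leftauth2=xauth but a manual charon 'load =' list omits xauth-generic."""
    wants_xauth = re.search(r"leftauth2\s*=\s*xauth", ipsec_conf) is not None
    load = re.search(r"\bload\s*=\s*([^\n}]+)", strongswan_conf)
    if not wants_xauth or load is None:  # no XAuth, or plugins come from the default modular config
        return True
    return "xauth-generic" in load.group(1).split()

if __name__ == "__main__":
    # Constructed from this thread: the phase2 block plus the first and the working esp= value
    p2_block = ('edit "REMOTE_AT" set phase1name "REMOTE_AT" set proposal aes128-sha1 aes256-sha1 '
                'aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305 next end')
    print(common_proposals(p2_block, "aes128-sha1", phase2=True))            # set()
    print(common_proposals(p2_block, "aes256-sha256-modp1536", phase2=True))  # {('aes256', 'sha256', 'modp1536')}
```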

sw2090
Honored Contributor

yeah after trying shrewsoft and vpnc on linux with no success I turned back to strongswan and this time I got it to run. While shrewsoft is difficult to compile on a current linux due to its age (last release is from 2013) and even though it compiled and runs keeps segfaulting upon connecting a vpn, I couldn't get vpnc to work at all. The network manager plugin of strongswan also didn't work out. So I finally get back to strongswan :)

 

It now does obtain an ip from my FGT and it does do split tunneling via ipsec. However with ikev1 strongswan is limited to one remote (right) subnet - that's a limit in strongswan not the Fortigate. If one needs more than one you have to do ikev2.

Works fine now here with strongswan. I might change the tunnel to do ikev2 to be able to access more than one subnet ;)

What still does not work is that strongswan obtains dns servers (but maybe that is due to my settings on the FGT; still have to check this). What also does not work is obtaining the list of subnets to be accessible via the tunnel from the FGT like shrewsoft or forticlient do on windows and osx. I still have to manually enter them as right subnet(s) in my ipsec.conf connection settings.

But so far I can live with that ;)

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
