schmil
New Contributor

IPsec with default Android Client

In the log files I get "peer SA proposal not match local policy". I guess this means the Phase 1 settings from the Android client don't match those on the FortiGate?!? Which settings and encryption proposals do I need for the client? The Windows FortiClient works perfectly with these server settings.

x_member
Contributor

For a native L2TP IPSEC Xauth VPN on iPhone (tested iOS 9+) and Android (tested v5+) we use:

config vpn ipsec phase1-interface
    edit <name>
        set type dynamic
        set interface "wan1"
        set mode-cfg enable
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set dhgrp 14 5 2
        set xauthtype auto
        set authusrgrp <usergroup>
        set ipv4-start-ip <start of range>
        set ipv4-end-ip <end of range>
        set dns-mode auto
        set psksecret <very long psk>
    next
end

... and phase2:

config vpn ipsec phase2-interface
    edit <name>
        set phase1name <phase1 name>
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set pfs disable
        set keepalive enable
    next
end

... and l2tp:

config vpn l2tp
    set eip <end of range>
    set sip <start of range>
    set status enable
    set usrgrp <usergroup>
end
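The "peer SA proposal not match local policy" message from the original question means no (encryption, hash, DH group) combination the client offered in Phase 1 is accepted by the FortiGate. The checker below is an added example, not code from this thread or from Fortinet: it parses the `set proposal` and `set dhgrp` lines of a phase1-interface block (the values are the ones posted in this thread) and compares them with a client's offered transforms. The client transform sets are constructed for illustration, and the checker assumes the FortiGate accepts any configured enc-hash pair combined with any configured DH group, which is how the two CLI lists combine.

```python
"""
Added example: diagnose an IKEv1 Phase 1 proposal mismatch between a
FortiGate phase1-interface block and the transforms a client offers.
Not from the forum thread or Fortinet; the client sets below are constructed.
"""
from dataclasses import dataclass

# Phase 1 lines as posted in the thread (only proposal/dhgrp matter here).
FORTIGATE_PHASE1 = """
config vpn ipsec phase1-interface
    edit "L2TP"
        set type dynamic
        set interface "port13"
        set mode-cfg enable
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set dhgrp 14 5 2
    next
end
"""


@dataclass(frozen=True, order=True)
class Transform:
    """One IKEv1 Phase 1 transform: encryption, integrity hash, DH group."""
    enc: str     # e.g. "aes256", "3des"
    hash: str    # e.g. "sha1", "md5"
    dhgrp: int   # Diffie-Hellman group number


def parse_phase1(cli_text: str) -> set[Transform]:
    """Expand `set proposal` x `set dhgrp` into the transforms the
    FortiGate will accept (assumption: every pair/group combination)."""
    proposals: list[str] = []
    groups: list[int] = []
    for raw in cli_text.splitlines():
        line = raw.strip()
        if line.startswith("set proposal "):
            proposals = line.split()[2:]
        elif line.startswith("set dhgrp "):
            groups = [int(g) for g in line.split()[2:]]
    accepted: set[Transform] = set()
    for token in proposals:
        enc, hsh = token.split("-", 1)
        for g in groups:
            accepted.add(Transform(enc, hsh, g))
    return accepted


def diagnose(local: set[Transform], peer: set[Transform]) -> dict:
    """Report whether any transform is shared and, if not, which attribute
    (or only the combination) has no overlap."""
    common = sorted(local & peer)
    reasons: list[str] = []
    if not common:
        for attr in ("enc", "hash", "dhgrp"):
            have = {getattr(t, attr) for t in local}
            want = {getattr(t, attr) for t in peer}
            if not have & want:
                reasons.append(
                    f"no common {attr}: peer offers {sorted(want)}, "
                    f"local accepts {sorted(have)}")
        if not reasons:
            reasons.append("each attribute overlaps, but no single "
                           "(enc, hash, dhgrp) combination does")
    return {"match": bool(common), "common": common, "reasons": reasons}


def proposals_to_add(local: set[Transform], peer: set[Transform]):
    """FortiOS `set proposal` tokens and dhgrp numbers the FortiGate would
    need added for the peer's offer to be accepted."""
    have_props = {f"{t.enc}-{t.hash}" for t in local}
    have_grps = {t.dhgrp for t in local}
    new_props = sorted({f"{t.enc}-{t.hash}" for t in peer} - have_props)
    new_grps = sorted({t.dhgrp for t in peer} - have_grps)
    return new_props, new_grps


if __name__ == "__main__":
    local = parse_phase1(FORTIGATE_PHASE1)
    # Constructed client offer: one transform lands on 3des-sha1 / group 2.
    client = {Transform("aes256", "sha1", 14), Transform("3des", "sha1", 2)}
    print(diagnose(local, client))
    # Constructed offer that only matches attribute-by-attribute.
    print(diagnose(local, {Transform("aes256", "sha1", 14)}))
    print(proposals_to_add(local, {Transform("aes256", "sha1", 14)}))
```

The third case is the one that is easy to miss when reading the CLI: `aes256` and `sha1` each appear in the proposal list, and group 14 is configured, yet `aes256-sha1` is not a configured pair, so the FortiGate still rejects the offer. Note also that in this thread the Android failure turned out to be the mode-cfg exchange ("peer has not completed Configuration Method") rather than the proposal list, so a proposal match is necessary but not sufficient.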

schmil

Won't work - aaaaah:


ike 7:L2TP_0: link is idle 13 1.2.3.4->80.187.123.91:23267 dpd=1 seqno=1
ike 7:L2TP_0:408: send IKEv1 DPD probe, seqno 1
ike 7:L2TP_0:408: enc 2D28BADF62499790A3767847F254FE949808100501D137D6C7000000500B000014942DA55CDFAD90A555DF7F9481632C1F000000200000000101108D282D28BAD54F62499790A3767847F2FE949800000001
ike 7:L2TP_0:408: out 2D28BADF62499790A3767847F2FE93449808100501D137D6C70000005C89BF3D940FC56E7C47EFDA59A8F428921B09C8E20F8179A5BA5968FC766F0D0D3D787152F410FDA1B3BAC28B8BD8EBC76CD926C9A2385C9B60C6EAFD37AD43FAD
ike 7:L2TP_0:408: sent IKE msg (R-U-THERE): 1.2.3.4:4500->80.187.123.91:23267, len=92, id=2d28badf62499790/a3767847f2fe9498:d137d6c7
ike 7: comes 80.187.123.91:23267->1.2.3.4:4500,ifindex=13....
ike 7: IKEv1 exchange=Informational id=2d28badf62499790/a3767847f2fe9498:f59f12c1 len=92
ike 7: in 2D28BADF62499790A3767847F2F45E949808100501F59F12C10000005C29BAAD1A7245AFC284C20115500686976C29A5B45B9A8A67AD160713B5FE1EA4599BFA592806C14553587B1A446F86F3EF7355D63DE9597BC2C60BB85843BAAF1F
ike 7:L2TP_0:408: dec 2D28BADF62499790A3767847F2FE94980810055301F59F12C10000005C0B0000142A8330899552CE661743C85F45B2A312000000200000000101108D29432D28BADF62499790A3767847F2FE94980000000100000000000000000000000C
ike 7:L2TP_0:408: notify msg received: R-U-THERE-ACK
ike 7: comes 80.187.123.91:23267->1.2.3.4:4500,ifindex=13....
ike 7: IKEv1 exchange=Quick id=2d28badf62499790/a3767847f2fe9498:a32e8520 len=316
ike 7: in
ike 7:L2TP_0:408: peer has not completed Configuration Method

x_member

Can you post your configuration please?

Are you trying to achieve the VPN using LDAP authentication, local user authentication, or ?

schmil

If I disable mode-cfg, everything's fine, except DNS.

config vpn l2tp
    set eip 3.4.5.199
    set sip 3.4.5.190
    set status enable
    set usrgrp "VPN_Users"
end

config vpn ipsec phase1-interface
    edit "L2TP"
        set type dynamic
        set interface "port13"
        set mode-cfg enable
        set ipv4-dns-server1 3.4.5.1
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set dhgrp 14 5 2
        set ipv4-start-ip 3.4.5.191
        set ipv4-end-ip 3.4.5.199
        set psksecret ENC .......
    next
end

config vpn ipsec phase2-interface
    edit "L2TP"
        set phase1name "L2TP"
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set pfs disable
        set keylife-type both
        set encapsulation transport-mode
        set l2tp enable
        set keylifeseconds 3600
        set keylifekbs 250000
    next
end

x_member

Okay (are you running an older FortiOS?)

When you say "except DNS.":

- what exactly do you mean by that?
- what are you trying to achieve?

schmil

I'm running v5.2.7,build718 (GA)

When I use 'mode-cfg disable' my L2TP clients connect successfully, but get a DNS server pushed that is used by the FortiGate itself, but is not accessible from the clients!

With 'mode-cfg enable' I can both push a DNS server that works for the clients and enable split-tunneling (not that important).

Authentication via username/password from the local FortiGate user DB (no LDAP, no certs for now, no token).

L2TP is very charming because it seemed to work with all embedded clients.

x_member

Ah ok.

We use external DNS and split-tunnel with mode-cfg enable.

schmil

But your config won't work on my machine (not 1:1 copy paste :-).

x_member

schmil wrote:

But your config won't work on my machine (not 1:1 copy paste :-).

I was trying to provide settings and encryption proposal information as originally requested; I'm not sure I'd ever want to simply copy and paste someone else's configuration into our network.

schmil wrote:

When I use 'mode-cfg disable' my L2TP clients connect successfully, but get a DNS server pushed that is used by the FortiGate itself, but is not accessible from the clients! With 'mode-cfg enable' I can both push a DNS server that works for the clients and enable split-tunneling (not that important).

So you do have it working?
