Strongswan - Fortigate

Author
traposama
2019/09/12 07:59:57 (permalink)

Hi!

I read a lot about that, but at this moment it doesn't work.

On the FortiGate I have this:
 
config vpn ipsec phase1-interface
    edit "OpenSWAN"
        set type dynamic
        set interface "port4"
        set peertype any
        set proposal aes128-sha1
        set dpd disable
        set psksecret ENC encoded_PSK
    next
end
config vpn ipsec phase2-interface
    edit "OpenSWAN"
        set phase1name "OpenSWAN"
        set proposal aes128-sha1
        set pfs disable
        set keepalive enable
        set keylifeseconds 3600
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 192.168.1.0 255.255.255.0
    next
end
 
and ipsec.secrets:
 
IP_WAN_FGT : PSK "thestrongpassword"
 
and ipsec.conf:
 
conn FGT
     type=tunnel
     authby=secret
     left=%any
#     leftnexthop=%defaultroute
     leftsubnet=192.168.1.0/24
     right=IP_WAN_FGT
     rightsubnet=192.168.2.0/24
#     ike=aes128
     ike=3des-sha1-modp2048
     esp=aes128-sha1
     ikelifetime=28800s
     keyexchange=ikev1
     auto=start
     keyingtries=%forever

Can somebody give me a hand with this?
 
thx :)
 
 
#1

5 Replies

    emnoc
    Expert Member
    Re: Strongswan - Fortigate 2019/09/12 08:15:03 (permalink)
    A few items:
    You have dhgrp14 and 3des. Set the proposals on the FGT so you know what is defined for these values (IKE/IPsec/integrity).
     
     
         ike=3des-sha1-modp2048
         esp=aes128-sha1
     
    I think you want ike=aes128-sha1-modp2048, and in the FortiGate you defined the group as 14.
     
      set dhgrp 14 5 
     
     
     
    Ken Felix

    PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
    #2
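An offline way to check for the kind of proposal mismatch Ken describes, as an added example (not code from the thread or from strongSwan or Fortinet): it parses a strongSwan ike=/esp= line and a FortiGate "set proposal" line (plus an optional "set dhgrp" line) into the same (cipher, integrity, DH group) tuples and reports the intersection; an empty result is what the FortiGate logs as "No proposal". The DH-group name table is a constructed subset.

```python
# Added example: compare strongSwan and FortiGate proposals offline.
# DH-group mapping is a small constructed subset of the real IANA table.
DHGRP_TO_SWAN = {"2": "modp1024", "5": "modp1536", "14": "modp2048",
                 "19": "ecp256", "20": "ecp384"}

def parse_swan(line):
    """'ike=aes128-sha1-modp2048,3des-sha1-modp1024!' -> {(enc, integ, dh)}.
    A phase-2 esp= line without PFS carries no DH group, stored as None."""
    value = line.split("=", 1)[1].strip().rstrip("!")
    proposals = set()
    for prop in value.split(","):
        parts = prop.strip().split("-")
        if len(parts) < 2:
            raise ValueError(f"cannot parse proposal {prop!r}")
        dh = parts[2] if len(parts) > 2 else None
        proposals.add((parts[0], parts[1], dh))
    return proposals

def parse_fgt(proposal_line, dhgrp_line=None):
    """FortiGate 'set proposal aes128-sha1 aes256-sha256' plus an optional
    'set dhgrp 14 5' -> {(enc, integ, dh)}.  The FortiGate offers every
    proposal with every listed group, so the product is expanded here."""
    props = proposal_line.split()[2:]
    groups = dhgrp_line.split()[2:] if dhgrp_line else [None]
    proposals = set()
    for prop in props:
        enc, integ = prop.split("-", 1)
        for grp in groups:
            dh = DHGRP_TO_SWAN.get(grp, grp) if grp else None
            proposals.add((enc, integ, dh))
    return proposals

def common_proposals(swan, fgt):
    """Proposals both peers would accept; empty means 'No proposal'."""
    return swan & fgt

if __name__ == "__main__":
    # The thread's original ike= line against phase1 with 'set dhgrp 14 5'
    fgt_p1 = parse_fgt("set proposal aes128-sha1", "set dhgrp 14 5")
    print(common_proposals(parse_swan("ike=3des-sha1-modp2048"), fgt_p1))    # set()
    print(common_proposals(parse_swan("ike=aes128-sha1-modp2048"), fgt_p1))  # {('aes128', 'sha1', 'modp2048')}
```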
    traposama
    New Member
    Re: Strongswan - Fortigate 2019/09/12 08:26:52 (permalink)
    Hi Emnoc!
     
    Added both phases; the CLI doesn't show any change and phase 1 still doesn't connect. Another idea?
     
    Thx
    #3
    emnoc
    Expert Member
    Re: Strongswan - Fortigate 2019/09/12 09:40:11 (permalink)
    diag sniffer packet port4 'host x.x.x.x'
     
    # x.x.x.x = strongswan
     
    diag debug en
    diag debug app ike 10 
     
    What do you see? PSK mismatch? No proposal? Peer IDs look good?
     
     
    Strongswan:
     
    ipsec statusall
    ipsec restart
    # these might come in handy
    lsof -Pni :500
    lsof -Pni :4500
    tcpdump -nnnvvv -i <internet-facing interface> host y.y.y.y and udp
    # y.y.y.y == fgt port4 local-address
     
     
     
     
    Ken

    PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
    #4
    traposama
    New Member
    Re: Strongswan - Fortigate 2019/09/12 10:36:18 (permalink)
    Hi Emnoc!
     
    After changing ikev1 to ikev2 it connects without problem! The previous error was No proposal.
     
    Now I have the tunnel but don't have traffic; something is missing on the strongSwan side.
     
    Do you have some tip for this?
    #5
    traposama
    New Member
    Re: Strongswan - Fortigate 2019/09/12 14:29:10 (permalink)
    Hi!!
     
    Finally it is working!!
     
    In the box (OpenWrt) it is necessary to declare a zone like VPN and put the ipsec0 interface into it. Permit forwarding between LAN and VPN and it's done!
     
    :)
    #6