strongSwan on linux as IPSec VPN client

Author: mariaczi
2019/10/22 03:24:56 (permalink)

Hello.
I'm trying to connect to an IPsec VPN on a FortiGate using strongSwan on Linux.
My configuration on the FortiGate:
config vpn ipsec phase1-interface
    edit "MAC"
        set type dynamic
        set interface "wan1"
        set peertype any
        set mode-cfg enable
        set proposal aes256-md5 aes256-sha1
        set dpd on-idle
        set dhgrp 2
        set wizard-type dialup-cisco
        set xauthtype auto
        set authusrgrp "VPN"
        set net-device enable
        set ipv4-start-ip 10.10.0.2
        set ipv4-end-ip 10.10.0.254
        set dns-mode auto
        set psksecret ENC secure_enc_string
        set dpd-retryinterval 5
    next
end
config vpn ipsec phase2-interface
    edit "MAC"
        set phase1name "MAC"
        set proposal aes256-md5 aes256-sha1
        set pfs disable
        set keepalive enable
        set comments "VPN: MAC (Created by VPN wizard)"
    next
    edit "osx"
        set phase1name "osx"
        set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
        set comments "VPN: osx (Created by VPN wizard)"
    next
end
My strongSwan config on Linux:
/etc/ipsec.conf
config setup
        # strictcrlpolicy=yes
        # uniqueids = no
        charondebug="dmn 2, mgr 2, ike 2, chd 2, job 2, cfg 2, knl 2, net 2, enc 2, lib 2"

conn cisco
    fragmentation = yes
    keyexchange = ikev1
    reauth = yes
    forceencaps = no
    mobike = no
    rekey = yes
    installpolicy = yes
    type = tunnel
    dpdaction = restart
    dpddelay = 10s
    dpdtimeout = 60s
    auto = add
    left = 10.10.0.100
    right = IP_OF_REMOTE_VPN_SERVER
    leftid = vpnuser@local
    ikelifetime = 14400s
    lifetime = 3600s
    ike = 3des-sha1-modp1024!
    esp = 3des-sha1-modp1024,3des-sha1-modp1024,3des-sha1-modp1024,3des-sha1-modp1024!
    leftauth = psk
    leftauth2 = xauth
    rightauth = psk
    rightid = vpnuser@VPNSERVER
    aggressive = no
    xauth_identity=vpnuser
    rightsubnet = 10.10.0.0/16
    leftsourceip = %config

/etc/ipsec.secrets
vpnuser : XAUTH "vpnuser_password"
vpnuser@local vpnuser@VPNSERVER : PSK "psk-preshared-passphrase"
 
When I try to bring up this VPN connection from the console I receive:
 
# ipsec up cisco
initiating Main Mode IKE_SA cisco[1] to IP_OF_REMOTE_VPN_SERVER
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 10.10.0.100[500] to IP_OF_REMOTE_VPN_SERVER[500] (176 bytes)
sending retransmit 1 of request message ID 0, seq 1
sending packet: from 10.10.0.100[500] to IP_OF_REMOTE_VPN_SERVER[500] (176 bytes)
sending retransmit 2 of request message ID 0, seq 1
sending packet: from 10.10.0.100[500] to IP_OF_REMOTE_VPN_SERVER[500] (176 bytes)
 
In the logs I see:
 
Oct 22 12:18:56 myHOST charon: 04[JOB] watched FD 16 ready to read
Oct 22 12:18:56 myHOST charon: 04[JOB] watcher going to poll() 3 fds
Oct 22 12:18:56 myHOST charon: 03[CFG] received stroke: initiate 'cisco'
Oct 22 12:18:56 myHOST charon: 05[MGR] checkout IKE_SA by config
Oct 22 12:18:56 myHOST charon: 04[JOB] watcher got notification, rebuilding
Oct 22 12:18:56 myHOST charon: 04[JOB] watcher going to poll() 4 fds
Oct 22 12:18:56 myHOST charon: 05[MGR] created IKE_SA (unnamed)[2]
Oct 22 12:18:56 myHOST charon: 05[IKE] queueing ISAKMP_VENDOR task
Oct 22 12:18:56 myHOST charon: 05[IKE] queueing ISAKMP_CERT_PRE task
Oct 22 12:18:56 myHOST charon: 05[IKE] queueing MAIN_MODE task
Oct 22 12:18:56 myHOST charon: 05[IKE] queueing ISAKMP_CERT_POST task
Oct 22 12:18:56 myHOST charon: 05[IKE] queueing ISAKMP_NATD task
Oct 22 12:18:56 myHOST charon: 05[IKE] queueing QUICK_MODE task
Oct 22 12:18:56 myHOST charon: 05[IKE] activating new tasks
Oct 22 12:18:56 myHOST charon: 05[IKE]   activating ISAKMP_VENDOR task
Oct 22 12:18:56 myHOST charon: 05[IKE]   activating ISAKMP_CERT_PRE task
Oct 22 12:18:56 myHOST charon: 05[IKE]   activating MAIN_MODE task
Oct 22 12:18:56 myHOST charon: 05[IKE]   activating ISAKMP_CERT_POST task
Oct 22 12:18:56 myHOST charon: 05[IKE]   activating ISAKMP_NATD task
Oct 22 12:18:56 myHOST charon: 05[IKE] sending XAuth vendor ID
Oct 22 12:18:56 myHOST charon: 05[ENC] added payload of type VENDOR_ID_V1 to message
Oct 22 12:18:56 myHOST charon: 05[IKE] sending DPD vendor ID
Oct 22 12:18:56 myHOST charon: 05[ENC] added payload of type VENDOR_ID_V1 to message
Oct 22 12:18:56 myHOST charon: 05[IKE] sending FRAGMENTATION vendor ID
Oct 22 12:18:56 myHOST charon: 05[ENC] added payload of type VENDOR_ID_V1 to message
Oct 22 12:18:56 myHOST charon: 05[IKE] sending NAT-T (RFC 3947) vendor ID
Oct 22 12:18:56 myHOST charon: 05[ENC] added payload of type VENDOR_ID_V1 to message
Oct 22 12:18:56 myHOST charon: 05[IKE] sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Oct 22 12:18:56 myHOST charon: 05[ENC] added payload of type VENDOR_ID_V1 to message
Oct 22 12:18:56 myHOST charon: 05[IKE] initiating Main Mode IKE_SA cisco[2] to IP_OF_REMOTE_VPN_SERVER
Oct 22 12:18:56 myHOST charon: 05[IKE] IKE_SA cisco[2] state change: CREATED => CONNECTING
Oct 22 12:18:56 myHOST charon: 05[CFG] configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 22 12:18:56 myHOST charon: 05[ENC] added payload of type SECURITY_ASSOCIATION_V1 to message
Oct 22 12:18:56 myHOST charon: 05[ENC] order payloads in message
Oct 22 12:18:56 myHOST charon: 05[ENC] added payload of type SECURITY_ASSOCIATION_V1 to message
Oct 22 12:18:56 myHOST charon: 05[ENC] added payload of type VENDOR_ID_V1 to message
Oct 22 12:18:56 myHOST charon: message repeated 4 times: [ 05[ENC] added payload of type VENDOR_ID_V1 to message]
Oct 22 12:18:56 myHOST charon: 05[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Oct 22 12:18:56 myHOST charon: 05[ENC] not encrypting payloads
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type HEADER
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 IKE_SPI
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 IKE_SPI
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 U_INT_4
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 4 U_INT_4
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 5 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 6 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 7 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 8 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 9 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 10 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 11 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 12 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 13 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 14 U_INT_32
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 15 HEADER_LENGTH
Oct 22 12:18:56 myHOST charon: 05[ENC] generating HEADER payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type SECURITY_ASSOCIATION_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 4 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 5 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 6 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 7 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 8 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 9 PAYLOAD_LENGTH
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 10 U_INT_32
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 11 U_INT_32
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 12 (1259)
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type PROPOSAL_SUBSTRUCTURE_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 RESERVED_BYTE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 PAYLOAD_LENGTH
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 4 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 5 SPI_SIZE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 6 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 7 SPI
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 8 (1261)
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type TRANSFORM_SUBSTRUCTURE_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 RESERVED_BYTE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 PAYLOAD_LENGTH
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 4 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 5 RESERVED_BYTE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 6 RESERVED_BYTE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 7 (1263)
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 ATTRIBUTE_FORMAT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 ATTRIBUTE_TYPE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 ATTRIBUTE_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 ATTRIBUTE_FORMAT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 ATTRIBUTE_TYPE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 ATTRIBUTE_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 ATTRIBUTE_FORMAT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 ATTRIBUTE_TYPE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 ATTRIBUTE_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 ATTRIBUTE_FORMAT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 ATTRIBUTE_TYPE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 ATTRIBUTE_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 ATTRIBUTE_FORMAT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 ATTRIBUTE_TYPE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 ATTRIBUTE_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 ATTRIBUTE_FORMAT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 ATTRIBUTE_TYPE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 ATTRIBUTE_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating TRANSFORM_SUBSTRUCTURE_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating PROPOSAL_SUBSTRUCTURE_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating SECURITY_ASSOCIATION_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type VENDOR_ID_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 4 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 5 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 6 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 7 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 8 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 9 PAYLOAD_LENGTH
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 10 CHUNK_DATA
Oct 22 12:18:56 myHOST charon: 05[ENC] generating VENDOR_ID_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type VENDOR_ID_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 4 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 5 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 6 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 7 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 8 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 9 PAYLOAD_LENGTH
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 10 CHUNK_DATA
Oct 22 12:18:56 myHOST charon: 05[ENC] generating VENDOR_ID_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type VENDOR_ID_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 4 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 5 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 6 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 7 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 8 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 9 PAYLOAD_LENGTH
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 10 CHUNK_DATA
Oct 22 12:18:56 myHOST charon: 05[ENC] generating VENDOR_ID_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type VENDOR_ID_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 4 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 5 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 6 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 7 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 8 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 9 PAYLOAD_LENGTH
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 10 CHUNK_DATA
Oct 22 12:18:56 myHOST charon: 05[ENC] generating VENDOR_ID_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type VENDOR_ID_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 4 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 5 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 6 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 7 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 8 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 9 PAYLOAD_LENGTH
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 10 CHUNK_DATA
Oct 22 12:18:56 myHOST charon: 05[ENC] generating VENDOR_ID_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[NET] sending packet: from 10.10.0.100[500] to IP_OF_REMOTE_VPN_SERVER[500] (176 bytes)
Oct 22 12:18:56 myHOST charon: 05[MGR] checkin IKE_SA cisco[2]
Oct 22 12:18:56 myHOST charon: 01[JOB] next event in 3s 999ms, waiting
Oct 22 12:18:56 myHOST charon: 05[MGR] checkin of IKE_SA successful
Oct 22 12:18:56 myHOST charon: 06[NET] sending packet: from 10.10.0.100[500] to IP_OF_REMOTE_VPN_SERVER[500]
Oct 22 12:19:00 myHOST charon: 01[JOB] got event, queuing job for execution
Oct 22 12:19:00 myHOST charon: 01[JOB] no events, waiting
Oct 22 12:19:00 myHOST charon: 12[MGR] checkout IKEv1 SA with SPIs 323c3aef2f033c01_i 0000000000000000_r
Oct 22 12:19:00 myHOST charon: 12[MGR] IKE_SA cisco[2] successfully checked out
Oct 22 12:19:00 myHOST charon: 12[IKE] sending retransmit 1 of request message ID 0, seq 1
Oct 22 12:19:00 myHOST charon: 12[NET] sending packet: from 10.10.0.100[500] to IP_OF_REMOTE_VPN_SERVER[500] (176 bytes)
Oct 22 12:19:00 myHOST charon: 12[MGR] checkin IKE_SA cisco[2]
Oct 22 12:19:00 myHOST charon: 12[MGR] checkin of IKE_SA successful
Oct 22 12:19:00 myHOST charon: 01[JOB] next event in 7s 199ms, waiting
Oct 22 12:19:00 myHOST charon: 06[NET] sending packet: from 10.10.0.100[500] to IP_OF_REMOTE_VPN_SERVER[500]
Oct 22 12:19:08 myHOST charon: 01[JOB] got event, queuing job for execution
Oct 22 12:19:08 myHOST charon: 01[JOB] no events, waiting
Oct 22 12:19:08 myHOST charon: 13[MGR] checkout IKEv1 SA with SPIs 323c3aef2f033c01_i 0000000000000000_r
Oct 22 12:19:08 myHOST charon: 13[MGR] IKE_SA cisco[2] successfully checked out
Oct 22 12:19:08 myHOST charon: 13[IKE] sending retransmit 2 of request message ID 0, seq 1
Oct 22 12:19:08 myHOST charon: 13[NET] sending packet: from 10.10.0.100[500] to IP_OF_REMOTE_VPN_SERVER[500] (176 bytes)
Oct 22 12:19:08 myHOST charon: 13[MGR] checkin IKE_SA cisco[2]
Oct 22 12:19:08 myHOST charon: 13[MGR] checkin of IKE_SA successful
Oct 22 12:19:08 myHOST charon: 06[NET] sending packet: from 10.10.0.100[500] to IP_OF_REMOTE_VPN_SERVER[500]
Oct 22 12:19:08 myHOST charon: 01[JOB] next event in 12s 959ms, waiting
 
The question is: what is wrong in this setup, so that the connection can't be established?
 
Thanks for your help!
#1


    ede_pfau
    Expert Member
    Re: strongSwan on linux as IPSec VPN client 2019/10/22 10:36:34 (permalink)
    Apart from this being anything but trivial, methinks you
    - use MD5 in phase1 on the FGT and SHA1 on Linux. (Avoid MD5 anyway, it's broken as a standard.)
    - do not use PFS in phase2 on FGT but you do in SS
     
    If I had to tackle this, I'd
    - avoid mode config (unless SS would only support this)
    - use only one single proposal where necessary
    - in general, keep the config as simple as possible until the tunnel works
     
    Of course, you will have thought of creating a policy on the FGT, the tunnel won't negotiate without.
     
    IMHO Ken Felix (emnoc) has done this before, for sure. You might have a look at http://socpuppet.blogspot.com/

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #2
    emnoc
    Expert Member
    Re: strongSwan on linux as IPSec VPN client 2019/10/22 12:31:19 (permalink)
    Everything Ede stated;
     
    So you're doing it right by mastering PSK before trying RSA. I would do a debug app ike -1 on the FortiGate and analyze the debug.
     
    e.g ( based on your cfg )
     
    diag debug reset 
    diag debug enable
    diag vpn ike  filter name  MAC
    diag debug app ike -1 
     
    That might give you the trace that you need, but your ciphers do not match between strongSwan and FortiOS, for starters.
     
     
     
    http://socpuppet.blogspot...to-strongswan-cfg.html
     
    http://socpuppet.blogspot...-eap-identity-vpn.html
     
    https://wiki.strongswan.org/projects/strongswan/wiki/IKEv1Examples
     
    http://socpuppet.blogspot.com/2014/05/openswan-to-fortigate-route-based-vpn.html
     
     
    I'll post a dynamic-strongswan dialup later this week, but the above will give you some ideas on what you can do. I'm using the strongSwan client on Android, btw.
     
    But for starters, get your ph1/2 proposals straightened out. I would need to see your phase1 ID types, and you will need to enable aggressive mode or use IKEv2.
     
    Here's an EAP dynamic cfg that goes with one of the earlier blog links:
     
    config vpn ipsec phase1-interface
        edit "DYNAMIC"
            set type dynamic
            set interface "wan1"
            set ike-version 2
            set authmethod signature
            set mode-cfg enable
            set ipv4-dns-server1 8.8.8.8
            set ipv4-dns-server2 8.8.4.4
            set ipv6-dns-server1 2001:db8:1::1
            set ipv6-dns-server2 2001:db8:1::2
            set proposal aes128-sha256 aes128-sha1 aes128-sha384
            set localid-type address
            set dpd on-idle
            set comments "StrongSwan & NCP Users"
            set dhgrp 19 15 14
            set eap enable
            set eap-identity send-request
            set authusrgrp "Guest-group"
            set idle-timeout enable
            set certificate "CERTWITHALTNAME_IP"
            set peer "mypeers"
            set ipv4-start-ip 10.11.11.88
            set ipv4-end-ip 10.11.11.100
            set ipv6-start-ip 2001:db8:30::11
            set ipv6-end-ip 2001:db8:30::110
            set ipv6-prefix 64
            set dpd-retrycount 10
            set dpd-retryinterval 120
        next
    end
    config vpn ipsec phase2-interface
        edit "DYNAMIC"
            set phase1name "DYNAMIC"
            set proposal aes128-sha256 aes128-sha1 aes128-sha384 aes256-sha256
            set dhgrp 19 15 14
            set replay disable
            set keepalive enable
            set comments "IKEv2"
        next
    end
     
    Don't use DES or 3DES, and avoid dhgrp 5 or lower, IMHO.
     
     
    Ken Felix
     

    PCNSE, NSE, Forcepoint, StrongSwan Specialist
    #3
    mariaczi
    New Member
    Re: strongSwan on linux as IPSec VPN client 2019/10/28 03:04:35 (permalink)
    Hello.
    @ede_pfau, @emnoc: thanks for your answers. They were very helpful. Now my strongSwan on Linux, as a client to the FortiGate, connects successfully. I will talk with the FortiGate admin about changing the crypto algorithms used in the FortiGate config to more secure ones.
    #4
    emnoc
    Expert Member
    Re: strongSwan on linux as IPSec VPN client 2019/10/28 04:59:07 (permalink)
    What did you decide to use ( PSK or RSA ) and was the  suggested strongswan link helpful?
     
    Ken Felix

    PCNSE, NSE, Forcepoint, StrongSwan Specialist
    #5
    mariaczi
    New Member
    Re: strongSwan on linux as IPSec VPN client 2019/10/28 05:09:14 (permalink)
    I kept using PSK after correcting my config file for strongSwan. I only read the post from socpuppet.blogspot.com.
    #6
    mariaczi
    New Member
    Re: strongSwan on linux as IPSec VPN client 2019/10/31 02:35:26 (permalink)
    Going ahead: now I'm able to establish a VPN tunnel from Linux using strongSwan as a client to the FortiGate (Cisco IPsec VPN), but I'm not able to ping any hosts on the local network behind this FortiGate. What is wrong in my config?
    The second thing: what should I change in my strongSwan config file to send all traffic from the client machine via the VPN tunnel?
    When I use FortiClient on Windows with the same IPsec VPN, everything works: I'm able to ping hosts on the local network behind the FortiGate and all traffic goes via the VPN tunnel.
    # cat ipsec.conf
    conn cisco
        fragmentation = yes
        keyexchange = ikev1
        aggressive = no
        reauth = yes
        forceencaps = no
        mobike = no
        rekey = yes
        installpolicy = yes
        type = tunnel
        #type = passthrough
        dpdaction = restart
        dpddelay = 10s
        dpdtimeout = 60s
        ikelifetime = 14400s
        lifetime = 3600s
        auto = add
        left = %defaultroute
        leftauth = psk
        leftauth2 = xauth
        leftsourceip = %config
        leftid = vpnuser@local
        xauth_identity=vpnuser
        right = IP_OF_REMOTE_VPN_SERVER
        rightid = IP_OF_REMOTE_VPN_SERVER
        # route all traffic via this tunnel
        rightsubnet = 0.0.0.0/0
        rightauth = psk
        ike = aes256-sha256-modp1536,aes256-sha1-modp1536!
        esp = aes256-sha256,aes256-sha1!

    # ipsec up cisco
    initiating Main Mode IKE_SA cisco[11] to IP_OF_REMOTE_VPN_SERVER
    generating ID_PROT request 0 [ SA V V V V V ]
    sending packet: from 172.20.10.2[500] to IP_OF_REMOTE_VPN_SERVER[500] (216 bytes)
    received packet: from IP_OF_REMOTE_VPN_SERVER[500] to 172.20.10.2[500] (200 bytes)
    parsed ID_PROT response 0 [ SA V V V V V V ]
    received NAT-T (RFC 3947) vendor ID
    received DPD vendor ID
    received XAuth vendor ID
    received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00
    received FRAGMENTATION vendor ID
    received FRAGMENTATION vendor ID
    generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
    sending packet: from 172.20.10.2[500] to IP_OF_REMOTE_VPN_SERVER[500] (332 bytes)
    received packet: from IP_OF_REMOTE_VPN_SERVER[500] to 172.20.10.2[500] (316 bytes)
    parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
    local host is behind NAT, sending keep alives
    generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
    sending packet: from 172.20.10.2[4500] to IP_OF_REMOTE_VPN_SERVER[4500] (124 bytes)
    received packet: from IP_OF_REMOTE_VPN_SERVER[4500] to 172.20.10.2[4500] (92 bytes)
    parsed ID_PROT response 0 [ ID HASH ]
    received packet: from IP_OF_REMOTE_VPN_SERVER[4500] to 172.20.10.2[4500] (92 bytes)
    parsed TRANSACTION request 766558789 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
    generating TRANSACTION response 766558789 [ HASH CPRP(X_USER X_PWD) ]
    sending packet: from 172.20.10.2[4500] to IP_OF_REMOTE_VPN_SERVER[4500] (108 bytes)
    received packet: from IP_OF_REMOTE_VPN_SERVER[4500] to 172.20.10.2[4500] (92 bytes)
    parsed TRANSACTION request 1026179008 [ HASH CPS(X_STATUS) ]
    XAuth authentication of '' (myself) successful
    IKE_SA cisco[11] established between 172.20.10.2[@local]...IP_OF_REMOTE_VPN_SERVER[IP_OF_REMOTE_VPN_SERVER]
    scheduling reauthentication in 13685s
    maximum IKE_SA lifetime 14225s
    generating TRANSACTION response 1026179008 [ HASH CPA(X_STATUS) ]
    sending packet: from 172.20.10.2[4500] to IP_OF_REMOTE_VPN_SERVER[4500] (92 bytes)
    generating TRANSACTION request 3583116127 [ HASH CPRQ(ADDR DNS) ]
    sending packet: from 172.20.10.2[4500] to IP_OF_REMOTE_VPN_SERVER[4500] (92 bytes)
    received packet: from IP_OF_REMOTE_VPN_SERVER[4500] to 172.20.10.2[4500] (108 bytes)
    parsed TRANSACTION response 3583116127 [ HASH CPRP(ADDR DNS DNS) ]
    installing DNS server 193.85.149.243 via resolvconf
    installing DNS server 8.8.8.8 via resolvconf
    installing new virtual IP 10.10.0.2
    generating QUICK_MODE request 893811623 [ HASH SA No ID ID ]
    sending packet: from 172.20.10.2[4500] to IP_OF_REMOTE_VPN_SERVER[4500] (220 bytes)
    received packet: from IP_OF_REMOTE_VPN_SERVER[4500] to 172.20.10.2[4500] (172 bytes)
    parsed QUICK_MODE response 893811623 [ HASH SA No ID ID ]
    CHILD_SA cisco{13} established with SPIs c877d2c0_i 9fbf289c_o and TS 10.10.0.2/32 === IP_OF_REMOTE_VPN_SERVER/32
    connection 'cisco' established successfully


    # ipsec status
    Security Associations (1 up, 0 connecting):
           cisco[11]: ESTABLISHED 5 minutes ago, 172.20.10.2[@local]...IP_OF_REMOTE_VPN_SERVER[IP_OF_REMOTE_VPN_SERVER]
           cisco{13}:  INSTALLED, TUNNEL, reqid 11, ESP in UDP SPIs: c877d2c0_i 9fbf289c_o
           cisco{13}:   10.10.0.2/32 === IP_OF_REMOTE_VPN_SERVER/32

    # ip ru s
    0: from all lookup local
    220: from all lookup 220
    32766: from all lookup main
    32767: from all lookup default

    # ip r s
    default via 172.20.10.1 dev wlp2s0 proto dhcp metric 600
    169.254.0.0/16 dev wlp2s0 scope link metric 1000
    172.20.10.0/28 dev wlp2s0 proto kernel scope link src 172.20.10.2 metric 600

    # ip r s t 220
    IP_OF_REMOTE_VPN_SERVER via 172.20.10.1 dev wlp2s0 proto static src 10.10.0.2

    # ping 10.10.0.1
    PING 10.10.0.1 (10.10.0.1) 56(84) bytes of data.
    ^C
    --- 10.10.0.1 ping statistics ---
    52 packets transmitted, 0 received, 100% packet loss, time 52217ms

    # ping 10.10.0.100
    PING 10.10.0.100 (10.10.0.100) 56(84) bytes of data.
    ^C
    --- 10.10.0.100 ping statistics ---
    22 packets transmitted, 0 received, 100% packet loss, time 21480ms

    10.10.0.0/16 is the local network behind the FortiGate. 10.10.0.1 is the IP of the FortiGate in this local network.
    #7
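What the status output in the post above already shows, checked mechanically: the only installed CHILD_SA has the remote traffic selector IP_OF_REMOTE_VPN_SERVER/32, and table 220 holds just a host route to that address, so 10.10.0.1 (and everything else in 10.10.0.0/16) is outside every IPsec policy and leaves via the main table in the clear, although rightsubnet = 0.0.0.0/0 was configured. The script below is an added example for this thread, not code from the original post or from strongSwan. It parses 'ipsec status' and 'ip route show table 220' output and reports whether a given destination would be tunnelled. With strongSwan's default kernel-netlink backend there is no separate tunnel interface; the XFRM policies for the negotiated selectors and the routes in table 220 are the whole picture. The sample texts are constructed from the thread's output with 198.51.100.8 standing in for the gateway address, plus a second, constructed pair showing what a healthy state looks like once the remote selector covers the LAN.

```python
"""Would a destination enter the IPsec tunnel? Decide from 'ipsec status' and table 220.

Added example for this forum thread; not code from the original post or from strongSwan.
Sample inputs are constructed from the thread's output; 198.51.100.8 stands in for the
gateway address that the post anonymises as IP_OF_REMOTE_VPN_SERVER.
"""
import ipaddress
import re

# Matches the selector line of an installed CHILD_SA, e.g.
#   cisco{13}:   10.10.0.2/32 === 198.51.100.8/32
CHILD_RE = re.compile(r"^\s*\S+\{\d+\}:\s+(?P<local>[^=]+?)\s*===\s*(?P<remote>.+?)\s*$")


def _nets(field):
    """Split a selector list; port/protocol suffixes such as '[udp/53]' are dropped."""
    return [ipaddress.ip_network(re.sub(r"\[.*?\]", "", n), strict=False) for n in field.split()]


def parse_child_selectors(status_text):
    """[(local_nets, remote_nets), ...] for every installed CHILD_SA in 'ipsec status' output."""
    matches = (CHILD_RE.match(line) for line in status_text.splitlines())
    return [(_nets(m.group("local")), _nets(m.group("remote"))) for m in matches if m]


def tunnelled(dst, selectors):
    """True if dst lies inside some installed remote selector (an XFRM policy would match it)."""
    d = ipaddress.ip_address(dst)
    return any(d in net for _, remote in selectors for net in remote)


def route_in_table(dst, table_text):
    """Longest-prefix match of dst over 'ip route show table N' lines; None if nothing matches."""
    d = ipaddress.ip_address(dst)
    best = None
    for line in table_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(prefix if "/" in prefix else prefix + "/32", strict=False)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, line.strip())
    return best[1] if best else None


def diagnose(dst, status_text, table220_text):
    """Findings for dst; an empty list means it is covered by a selector and routed via table 220."""
    findings = []
    selectors = parse_child_selectors(status_text)
    if not tunnelled(dst, selectors):
        installed = "; ".join(" ".join(map(str, r)) for _, r in selectors) or "(none)"
        findings.append(f"{dst} is outside every installed remote selector: {installed}")
    if route_in_table(dst, table220_text) is None:
        findings.append(f"no route for {dst} in table 220; the main table (default via the LAN gateway) applies")
    return findings


# Constructed from the thread's output (gateway address replaced by a documentation address)
STATUS_POSTED = """Security Associations (1 up, 0 connecting):
       cisco[11]: ESTABLISHED 5 minutes ago, 172.20.10.2[@local]...198.51.100.8[198.51.100.8]
       cisco{13}:  INSTALLED, TUNNEL, reqid 11, ESP in UDP SPIs: c877d2c0_i 9fbf289c_o
       cisco{13}:   10.10.0.2/32 === 198.51.100.8/32
"""
TABLE220_POSTED = "198.51.100.8 via 172.20.10.1 dev wlp2s0 proto static src 10.10.0.2\n"

# Constructed: the same two outputs once the remote selector covers the LAN behind the gateway
STATUS_OK = STATUS_POSTED.replace("=== 198.51.100.8/32", "=== 10.10.0.0/16")
TABLE220_OK = "10.10.0.0/16 via 172.20.10.1 dev wlp2s0 proto static src 10.10.0.2\n"

if __name__ == "__main__":
    for target in ("10.10.0.1", "198.51.100.8"):
        print(target, diagnose(target, STATUS_POSTED, TABLE220_POSTED) or ["would be tunnelled"])
    print("10.10.0.1 (fixed)", diagnose("10.10.0.1", STATUS_OK, TABLE220_OK) or ["would be tunnelled"])
```

Feed it the real outputs with something like diagnose("10.10.0.1", open("status.txt").read(), open("t220.txt").read()); the first finding is the one to take to the FortiGate side, because the remote selector is whatever the responder agreed to in quick mode, not what rightsubnet asked for.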
    emnoc
    Expert Member
    Re: strongSwan on linux as IPSec VPN client 2019/10/31 03:55:33 (permalink)
    Do you have a local firewall? What does a traceroute show? Have you run diag debug on the FortiGate? Can you diag sniffer the interface that is the tunnel?
     
    e.g
     
    diag sniffer packet <tunnel-interface-name-from-phase1-interface> " icmp and host x.x.x.x"
     
    Ken Felix

    PCNSE, NSE, Forcepoint, StrongSwan Specialist
    #8
    mariaczi
    New Member
    Re: strongSwan on linux as IPSec VPN client 2019/10/31 04:04:53 (permalink)
    No, I haven't got a firewall on my Linux machine. `iptables` is clear; the default policy is set to ACCEPT. Traceroute shows the traffic going out via the default gateway of the local LAN from which I'm trying to connect to the FortiGate VPN concentrator. I use different IPs in this network than the network behind the FortiGate.
    Sorry, but I haven't got access to the FortiGate device.
    #9
    emnoc
    Expert Member
    Re: strongSwan on linux as IPSec VPN client 2019/10/31 04:14:22 (permalink)
    If the packet is going out the default LAN, that is your problem. I would look at the route table and confirm.
     
      ip route show table <blah>
      ip rule 
     
    tcpdump -i wlp2s0
     
    NOTE: you should have had a vpn virtual adapter in the kernel. Typically it's called "ipsec0" or something to that degree.
     
     
    Ken Felix

    PCNSE, NSE, Forcepoint, StrongSwan Specialist
    #10
    mariaczi
    New Member
    Re: strongSwan on linux as IPSec VPN client 2019/10/31 05:06:32 (permalink)
    Routes and rules you can find in my earlier post (https://forum.fortinet.com/FindPost/180023), 3rd block of code.
    I don't have a virtual adapter in the kernel after establishing the VPN tunnel, on Ubuntu 18.04 (kernel 4.15) and 19.10 (kernel 5.3) too. The IP address from the VPN server is assigned to the network interface which is connected to the local network.
    #11
    emnoc
    Expert Member
    Re: strongSwan on linux as IPSec VPN client 2019/10/31 05:25:30 (permalink)
    So you need to run tcpdump against the parent interface and ensure the packets are going out encrypted; if you send the ping and see it in the clear, then that is a tell-tale sign they are not encrypted.
     
    If you do a pcap and see ESP and the SPIs (i.e.
    c877d2c0_i 9fbf289c_o
    )
     
    in and out, then that would be a clue they are encrypted. You can adjust the ping size and confirm the ESP datagram size increases/decreases as required.
     
    /* bash shell */
    ping -s 166 10.10.0.111
     
     
    Ken Felix

    PCNSE, NSE, Forcepoint, StrongSwan Specialist
    #12
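Ken's capture check, done mechanically. The script below is an added example for this thread, not code from the original post, from strongSwan or from tcpdump. Given the UDP/4500 payloads seen on the parent interface (wlp2s0 in this thread) it classifies each one as IKE (4-byte zero non-ESP marker), NAT-T keepalive (a single 0xff byte) or ESP (SPI in the first 4 bytes, followed by the sequence number; RFC 3948), checks that outbound ESP carries the _o SPI and inbound ESP the _i SPI from 'ipsec status', and computes the ESP datagram length a ping of a given size should produce for the aes256-sha1 phase2 negotiated earlier in the thread, which is what you compare against the length tcpdump prints when you change the ping size. The sample packets are constructed: the header layout and lengths are realistic, the encrypted body is filler.

```python
"""Classify UDP/4500 payloads and check ESP SPIs against 'ipsec status'.

Added example for this forum thread; not code from the original post, strongSwan or
tcpdump. Per RFC 3948, IKE inside UDP/4500 starts with a 4-byte zero non-ESP marker,
a NAT keepalive is the single byte 0xff, and everything else is ESP with the SPI in
the first 4 bytes. Sample packets are constructed; only header layout and lengths are
realistic, the 'ciphertext' is filler.
"""
import re
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"


def classify_udp4500(payload):
    """Return ('ike', None), ('keepalive', None), ('esp', spi) or ('unknown', None)."""
    if payload == NAT_KEEPALIVE:
        return ("keepalive", None)
    if payload[:4] == NON_ESP_MARKER:
        return ("ike", None)
    if len(payload) >= 8:
        spi, _seq = struct.unpack("!II", payload[:8])   # ESP header: SPI, sequence number
        return ("esp", spi)
    return ("unknown", None)


def parse_status_spis(status_line):
    """(inbound, outbound) SPIs from e.g. 'ESP in UDP SPIs: c877d2c0_i 9fbf289c_o'."""
    m = re.search(r"SPIs:\s*([0-9a-fA-F]+)_i\s+([0-9a-fA-F]+)_o", status_line)
    if not m:
        raise ValueError("no SPIs found in status line")
    return int(m.group(1), 16), int(m.group(2), 16)


def esp_len_aes_cbc_sha1(inner_len):
    """Expected UDP payload length of one ESP packet for aes256-sha1 (AES-CBC + HMAC-SHA1-96):
    8-byte ESP header + 16-byte IV + inner packet plus 2 trailer bytes padded to the 16-byte
    AES block + 12-byte ICV."""
    padded = ((inner_len + 2 + 15) // 16) * 16
    return 8 + 16 + padded + 12


def audit(packets, status_line):
    """packets: [(direction, payload)] with direction 'in' or 'out' as seen on the host.
    Returns [(direction, kind, spi_hex, spi_matches_status, length)] per packet."""
    spi_in, spi_out = parse_status_spis(status_line)
    expected = {"in": spi_in, "out": spi_out}
    rows = []
    for direction, payload in packets:
        kind, spi = classify_udp4500(payload)
        if kind == "esp":
            rows.append((direction, kind, f"{spi:08x}", spi == expected[direction], len(payload)))
        else:
            rows.append((direction, kind, None, None, len(payload)))
    return rows


def make_esp(spi, seq, inner_len):
    """Constructed ESP-in-UDP payload with a realistic length for aes256-sha1; body is filler."""
    return struct.pack("!II", spi, seq) + b"\x00" * (esp_len_aes_cbc_sha1(inner_len) - 8)


# Copied from the 'ipsec status' output posted in this thread
STATUS_LINE = "cisco{13}:  INSTALLED, TUNNEL, reqid 11, ESP in UDP SPIs: c877d2c0_i 9fbf289c_o"

# Constructed capture: 'ping -s 56' and 'ping -s 166' give inner IPv4 packets of 84 and 194 bytes
SAMPLE = [
    ("out", make_esp(0x9fbf289c, 1, 84)),      # echo request, outbound SPI
    ("in",  make_esp(0xc877d2c0, 1, 84)),      # echo reply, inbound SPI
    ("out", make_esp(0x9fbf289c, 2, 194)),     # bigger ping -> bigger ESP datagram
    ("out", NAT_KEEPALIVE),                    # NAT-T keepalive
    ("out", NON_ESP_MARKER + b"\x00" * 28),    # IKE (e.g. DPD) inside UDP/4500
    ("out", make_esp(0xc877d2c0, 3, 84)),      # inbound SPI seen outbound -> flagged
]

if __name__ == "__main__":
    for row in audit(SAMPLE, STATUS_LINE):
        print(row)
```

If the capture on the parent interface shows ICMP to 10.10.0.x rather than ESP with these SPIs, the packets never matched an XFRM policy, which is consistent with the host-only remote selector in the earlier status output rather than with a cipher or key problem.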