strongSwan on linux as IPSec VPN client

Author
mariaczi
New Member
  • Total Posts : 6
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/10/22 03:04:52
  • Status: offline
2019/10/22 03:24:56 (permalink)
0

strongSwan on linux as IPSec VPN client

Hello.
I'm trying to connect to an IPSec VPN on a fortigate using strongSwan on a linux OS.
My configuration on fortigate:
config vpn ipsec phase1-interface
    edit "MAC"
        set type dynamic
        set interface "wan1"
        set peertype any
        set mode-cfg enable
        set proposal aes256-md5 aes256-sha1
        set dpd on-idle
        set dhgrp 2
        set wizard-type dialup-cisco
        set xauthtype auto
        set authusrgrp "VPN"
        set net-device enable
        set ipv4-start-ip 10.10.0.2
        set ipv4-end-ip 10.10.0.254
        set dns-mode auto
        set psksecret ENC secure_enc_string
        set dpd-retryinterval 5
    next
end
config vpn ipsec phase2-interface
    edit "MAC"
        set phase1name "MAC"
        set proposal aes256-md5 aes256-sha1
        set pfs disable
        set keepalive enable
        set comments "VPN: MAC (Created by VPN wizard)"
    next
    edit "osx"
        set phase1name "osx"
        set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
        set comments "VPN: osx (Created by VPN wizard)"
    next
end
My strongSwan config on linux:
/etc/ipsec.conf
config setup
        # strictcrlpolicy=yes
        # uniqueids = no
        charondebug="dmn 2, mgr 2, ike 2, chd 2, job 2, cfg 2, knl 2, net 2, enc 2, lib 2"

conn cisco
    fragmentation = yes
    keyexchange = ikev1
    reauth = yes
    forceencaps = no
    mobike = no
    rekey = yes
    installpolicy = yes
    type = tunnel
    dpdaction = restart
    dpddelay = 10s
    dpdtimeout = 60s
    auto = add
    left = 10.10.0.100
    right = IP_OF_REMOTE_VPN_SERVER
    leftid = vpnuser@local
    ikelifetime = 14400s
    lifetime = 3600s
    ike = 3des-sha1-modp1024!
    esp = 3des-sha1-modp1024,3des-sha1-modp1024,3des-sha1-modp1024,3des-sha1-modp1024!
    leftauth = psk
    leftauth2 = xauth
    rightauth = psk
    rightid = vpnuser@VPNSERVER
    aggressive = no
    xauth_identity = vpnuser
    rightsubnet = 10.10.0.0/16
    leftsourceip = %config

/etc/ipsec.secrets
vpnuser : XAUTH "vpnuser_password"
# the two IDs must match leftid/rightid in ipsec.conf
vpnuser@local vpnuser@VPNSERVER : PSK "psk-preshared-passphrase"
 
When I try to bring up this VPN connection from the console I receive:
 
# ipsec up cisco
initiating Main Mode IKE_SA cisco[1] to IP_OF_REMOTE_VPN_SERVER
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 10.10.0.100[500] to IP_OF_REMOTE_VPN_SERVER[500] (176 bytes)
sending retransmit 1 of request message ID 0, seq 1
sending packet: from 10.10.0.100[500] to IP_OF_REMOTE_VPN_SERVER[500] (176 bytes)
sending retransmit 2 of request message ID 0, seq 1
sending packet: from 10.10.0.100[500] to IP_OF_REMOTE_VPN_SERVER[500] (176 bytes)
 
In logs I see:
 
Oct 22 12:18:56 myHOST charon: 04[JOB] watched FD 16 ready to read
Oct 22 12:18:56 myHOST charon: 04[JOB] watcher going to poll() 3 fds
Oct 22 12:18:56 myHOST charon: 03[CFG] received stroke: initiate 'cisco'
Oct 22 12:18:56 myHOST charon: 05[MGR] checkout IKE_SA by config
Oct 22 12:18:56 myHOST charon: 04[JOB] watcher got notification, rebuilding
Oct 22 12:18:56 myHOST charon: 04[JOB] watcher going to poll() 4 fds
Oct 22 12:18:56 myHOST charon: 05[MGR] created IKE_SA (unnamed)[2]
Oct 22 12:18:56 myHOST charon: 05[IKE] queueing ISAKMP_VENDOR task
Oct 22 12:18:56 myHOST charon: 05[IKE] queueing ISAKMP_CERT_PRE task
Oct 22 12:18:56 myHOST charon: 05[IKE] queueing MAIN_MODE task
Oct 22 12:18:56 myHOST charon: 05[IKE] queueing ISAKMP_CERT_POST task
Oct 22 12:18:56 myHOST charon: 05[IKE] queueing ISAKMP_NATD task
Oct 22 12:18:56 myHOST charon: 05[IKE] queueing QUICK_MODE task
Oct 22 12:18:56 myHOST charon: 05[IKE] activating new tasks
Oct 22 12:18:56 myHOST charon: 05[IKE]   activating ISAKMP_VENDOR task
Oct 22 12:18:56 myHOST charon: 05[IKE]   activating ISAKMP_CERT_PRE task
Oct 22 12:18:56 myHOST charon: 05[IKE]   activating MAIN_MODE task
Oct 22 12:18:56 myHOST charon: 05[IKE]   activating ISAKMP_CERT_POST task
Oct 22 12:18:56 myHOST charon: 05[IKE]   activating ISAKMP_NATD task
Oct 22 12:18:56 myHOST charon: 05[IKE] sending XAuth vendor ID
Oct 22 12:18:56 myHOST charon: 05[ENC] added payload of type VENDOR_ID_V1 to message
Oct 22 12:18:56 myHOST charon: 05[IKE] sending DPD vendor ID
Oct 22 12:18:56 myHOST charon: 05[ENC] added payload of type VENDOR_ID_V1 to message
Oct 22 12:18:56 myHOST charon: 05[IKE] sending FRAGMENTATION vendor ID
Oct 22 12:18:56 myHOST charon: 05[ENC] added payload of type VENDOR_ID_V1 to message
Oct 22 12:18:56 myHOST charon: 05[IKE] sending NAT-T (RFC 3947) vendor ID
Oct 22 12:18:56 myHOST charon: 05[ENC] added payload of type VENDOR_ID_V1 to message
Oct 22 12:18:56 myHOST charon: 05[IKE] sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Oct 22 12:18:56 myHOST charon: 05[ENC] added payload of type VENDOR_ID_V1 to message
Oct 22 12:18:56 myHOST charon: 05[IKE] initiating Main Mode IKE_SA cisco[2] to IP_OF_REMOTE_VPN_SERVER
Oct 22 12:18:56 myHOST charon: 05[IKE] IKE_SA cisco[2] state change: CREATED => CONNECTING
Oct 22 12:18:56 myHOST charon: 05[CFG] configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 22 12:18:56 myHOST charon: 05[ENC] added payload of type SECURITY_ASSOCIATION_V1 to message
Oct 22 12:18:56 myHOST charon: 05[ENC] order payloads in message
Oct 22 12:18:56 myHOST charon: 05[ENC] added payload of type SECURITY_ASSOCIATION_V1 to message
Oct 22 12:18:56 myHOST charon: 05[ENC] added payload of type VENDOR_ID_V1 to message
Oct 22 12:18:56 myHOST charon: message repeated 4 times: [ 05[ENC] added payload of type VENDOR_ID_V1 to message]
Oct 22 12:18:56 myHOST charon: 05[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Oct 22 12:18:56 myHOST charon: 05[ENC] not encrypting payloads
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type HEADER
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 IKE_SPI
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 IKE_SPI
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 U_INT_4
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 4 U_INT_4
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 5 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 6 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 7 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 8 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 9 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 10 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 11 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 12 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 13 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 14 U_INT_32
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 15 HEADER_LENGTH
Oct 22 12:18:56 myHOST charon: 05[ENC] generating HEADER payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type SECURITY_ASSOCIATION_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 4 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 5 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 6 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 7 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 8 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 9 PAYLOAD_LENGTH
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 10 U_INT_32
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 11 U_INT_32
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 12 (1259)
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type PROPOSAL_SUBSTRUCTURE_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 RESERVED_BYTE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 PAYLOAD_LENGTH
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 4 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 5 SPI_SIZE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 6 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 7 SPI
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 8 (1261)
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type TRANSFORM_SUBSTRUCTURE_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 RESERVED_BYTE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 PAYLOAD_LENGTH
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 4 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 5 RESERVED_BYTE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 6 RESERVED_BYTE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 7 (1263)
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 ATTRIBUTE_FORMAT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 ATTRIBUTE_TYPE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 ATTRIBUTE_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 ATTRIBUTE_FORMAT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 ATTRIBUTE_TYPE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 ATTRIBUTE_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 ATTRIBUTE_FORMAT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 ATTRIBUTE_TYPE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 ATTRIBUTE_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 ATTRIBUTE_FORMAT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 ATTRIBUTE_TYPE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 ATTRIBUTE_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 ATTRIBUTE_FORMAT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 ATTRIBUTE_TYPE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 ATTRIBUTE_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 ATTRIBUTE_FORMAT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 ATTRIBUTE_TYPE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 ATTRIBUTE_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating TRANSFORM_SUBSTRUCTURE_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating PROPOSAL_SUBSTRUCTURE_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating SECURITY_ASSOCIATION_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type VENDOR_ID_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 4 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 5 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 6 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 7 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 8 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 9 PAYLOAD_LENGTH
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 10 CHUNK_DATA
Oct 22 12:18:56 myHOST charon: 05[ENC] generating VENDOR_ID_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type VENDOR_ID_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 4 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 5 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 6 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 7 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 8 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 9 PAYLOAD_LENGTH
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 10 CHUNK_DATA
Oct 22 12:18:56 myHOST charon: 05[ENC] generating VENDOR_ID_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type VENDOR_ID_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 4 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 5 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 6 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 7 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 8 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 9 PAYLOAD_LENGTH
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 10 CHUNK_DATA
Oct 22 12:18:56 myHOST charon: 05[ENC] generating VENDOR_ID_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type VENDOR_ID_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 4 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 5 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 6 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 7 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 8 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 9 PAYLOAD_LENGTH
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 10 CHUNK_DATA
Oct 22 12:18:56 myHOST charon: 05[ENC] generating VENDOR_ID_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type VENDOR_ID_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 4 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 5 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 6 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 7 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 8 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 9 PAYLOAD_LENGTH
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 10 CHUNK_DATA
Oct 22 12:18:56 myHOST charon: 05[ENC] generating VENDOR_ID_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[NET] sending packet: from 10.10.0.100[500] to IP_OF_REMOTE_VPN_SERVER[500] (176 bytes)
Oct 22 12:18:56 myHOST charon: 05[MGR] checkin IKE_SA cisco[2]
Oct 22 12:18:56 myHOST charon: 01[JOB] next event in 3s 999ms, waiting
Oct 22 12:18:56 myHOST charon: 05[MGR] checkin of IKE_SA successful
Oct 22 12:18:56 myHOST charon: 06[NET] sending packet: from 10.10.0.100[500] to IP_OF_REMOTE_VPN_SERVER[500]
Oct 22 12:19:00 myHOST charon: 01[JOB] got event, queuing job for execution
Oct 22 12:19:00 myHOST charon: 01[JOB] no events, waiting
Oct 22 12:19:00 myHOST charon: 12[MGR] checkout IKEv1 SA with SPIs 323c3aef2f033c01_i 0000000000000000_r
Oct 22 12:19:00 myHOST charon: 12[MGR] IKE_SA cisco[2] successfully checked out
Oct 22 12:19:00 myHOST charon: 12[IKE] sending retransmit 1 of request message ID 0, seq 1
Oct 22 12:19:00 myHOST charon: 12[NET] sending packet: from 10.10.0.100[500] to IP_OF_REMOTE_VPN_SERVER[500] (176 bytes)
Oct 22 12:19:00 myHOST charon: 12[MGR] checkin IKE_SA cisco[2]
Oct 22 12:19:00 myHOST charon: 12[MGR] checkin of IKE_SA successful
Oct 22 12:19:00 myHOST charon: 01[JOB] next event in 7s 199ms, waiting
Oct 22 12:19:00 myHOST charon: 06[NET] sending packet: from 10.10.0.100[500] to IP_OF_REMOTE_VPN_SERVER[500]
Oct 22 12:19:08 myHOST charon: 01[JOB] got event, queuing job for execution
Oct 22 12:19:08 myHOST charon: 01[JOB] no events, waiting
Oct 22 12:19:08 myHOST charon: 13[MGR] checkout IKEv1 SA with SPIs 323c3aef2f033c01_i 0000000000000000_r
Oct 22 12:19:08 myHOST charon: 13[MGR] IKE_SA cisco[2] successfully checked out
Oct 22 12:19:08 myHOST charon: 13[IKE] sending retransmit 2 of request message ID 0, seq 1
Oct 22 12:19:08 myHOST charon: 13[NET] sending packet: from 10.10.0.100[500] to IP_OF_REMOTE_VPN_SERVER[500] (176 bytes)
Oct 22 12:19:08 myHOST charon: 13[MGR] checkin IKE_SA cisco[2]
Oct 22 12:19:08 myHOST charon: 13[MGR] checkin of IKE_SA successful
Oct 22 12:19:08 myHOST charon: 06[NET] sending packet: from 10.10.0.100[500] to IP_OF_REMOTE_VPN_SERVER[500]
Oct 22 12:19:08 myHOST charon: 01[JOB] next event in 12s 959ms, waiting
 
The question is: what do I have wrong in this setup, so that the connection can't be established?
 
Thanks for your help!
#1

19 Replies

    ede_pfau
    Expert Member
    • Total Posts : 6340
    • Scores: 533
    • Reward points: 0
    • Joined: 2004/03/09 01:20:18
    • Location: Heidelberg, Germany
    • Status: offline
    Re: strongSwan on linux as IPSec VPN client 2019/10/22 10:36:34 (permalink)
    0
    Apart from this being anything but trivial, methinks you
    - use MD5 in phase1 on the FGT and SHA1 on Linux. (Avoid MD5 anyway, it's broken as a standard.)
    - do not use PFS in phase2 on the FGT but you do in SS
     
    If I had to tackle this, I'd
    - avoid mode config (unless SS would only support this)
    - use only one single proposal where necessary
    - in general, keep the config as simple as possible until the tunnel works
     
    Of course, you will have thought of creating a policy on the FGT; the tunnel won't negotiate without one.
     
    IMHO Ken Felix (emnoc) has done this before, for sure. You might have a look at http://socpuppet.blogspot.com/

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #2
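The two mismatches named in this reply (hash and PFS) can be checked mechanically. The following is an added example, not the forum's or strongSwan's code: it expands a FortiGate `set proposal` / `set dhgrp` pair and a strongSwan `ike=`/`esp=` string into (cipher, integrity, DH group) tuples and reports why they have no overlap. The name tables are an assumption that covers only the algorithms that appear in this thread.

```python
"""Cross-check FortiGate phase1/phase2 proposals against strongSwan ike=/esp=
lines. Added example for this thread, not the forum's or strongSwan's code.
The name tables are an assumption that covers only algorithms named on this
page; extend them if your configs use others."""

# FortiGate proposal tokens -> strongSwan keywords (assumed subset)
FGT_ENC = {"des": "des", "3des": "3des", "aes128": "aes128", "aes256": "aes256"}
FGT_INTEG = {"md5": "md5", "sha1": "sha1", "sha256": "sha256", "sha384": "sha384"}
# FortiGate 'set dhgrp N' numbers -> strongSwan DH group keywords
FGT_DH = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048",
          "15": "modp3072", "19": "ecp256"}


def fgt_proposals(proposal, dhgrp=None, pfs=True):
    """Expand 'set proposal aes256-md5 aes256-sha1' plus 'set dhgrp 2' into
    (enc, integ, dh) tuples. For a phase2 with 'set pfs disable' pass
    pfs=False: the ESP proposal then carries no DH group (dh=None)."""
    groups = [FGT_DH[g] for g in dhgrp.split()] if (dhgrp and pfs) else [None]
    out = set()
    for token in proposal.split():
        enc, integ = token.split("-")
        for g in groups:
            out.add((FGT_ENC[enc], FGT_INTEG[integ], g))
    return out


def ss_proposals(spec):
    """Expand a strongSwan ike=/esp= value such as 'aes256-sha1-modp1536,...!'
    into (enc, integ, dh) tuples; a missing third element means no DH/PFS."""
    out = set()
    for prop in spec.strip().rstrip("!").split(","):
        parts = prop.split("-")
        out.add((parts[0], parts[1], parts[2] if len(parts) > 2 else None))
    return out


def diagnose(fgt, ss):
    """Return (proposals both sides accept, list of mismatch reasons).
    With an empty first element the SA cannot be negotiated."""
    both = fgt & ss
    if both:
        return both, []
    reasons = []
    fgt_pairs = {p[:2] for p in fgt}
    ss_pairs = {p[:2] for p in ss}
    if not fgt_pairs & ss_pairs:
        reasons.append("no common cipher/integrity pair: FortiGate %s vs strongSwan %s"
                       % (sorted(fgt_pairs), sorted(ss_pairs)))
    fgt_dh = {p[2] for p in fgt}
    ss_dh = {p[2] for p in ss}
    if fgt_dh == {None} and ss_dh != {None}:
        reasons.append("PFS mismatch: strongSwan esp= carries a DH group but the "
                       "FortiGate phase2 has 'set pfs disable'")
    elif None not in fgt_dh and ss_dh == {None}:
        reasons.append("PFS mismatch: FortiGate expects PFS but strongSwan esp= "
                       "carries no DH group")
    elif not fgt_dh & ss_dh:
        reasons.append("DH group mismatch: FortiGate %s vs strongSwan %s"
                       % (sorted(fgt_dh, key=str), sorted(ss_dh, key=str)))
    return both, reasons


if __name__ == "__main__":
    # Values copied from the first post of the thread
    checks = [
        ("phase1 vs ike=", fgt_proposals("aes256-md5 aes256-sha1", dhgrp="2"),
         ss_proposals("3des-sha1-modp1024!")),
        ("phase2 vs esp=", fgt_proposals("aes256-md5 aes256-sha1", pfs=False),
         ss_proposals("3des-sha1-modp1024,3des-sha1-modp1024!")),
    ]
    for name, fgt, ss in checks:
        both, reasons = diagnose(fgt, ss)
        print(name, "->", sorted(both, key=str) if both else "; ".join(reasons))
```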
    emnoc
    Expert Member
    • Total Posts : 5734
    • Scores: 371
    • Reward points: 0
    • Joined: 2008/03/20 13:30:33
    • Location: AUSTIN TX AREA
    • Status: offline
    Re: strongSwan on linux as IPSec VPN client 2019/10/22 12:31:19 (permalink)
    0
    Everything Ede stated;
     
    So you're doing it right by mastering PSK before trying RSA. I would do a debug app ike -1 on the fortigate and analyze the debug.
     
    e.g ( based on your cfg )
     
    diag debug reset 
    diag debug enable
    diag vpn ike  filter name  MAC
    diag debug app ike -1 
     
    That might give you the trace that you need, but your ciphers do not match between SSwan and FortiOS for starters.
     
     
     
    http://socpuppet.blogspot...to-strongswan-cfg.html
     
    http://socpuppet.blogspot...-eap-identity-vpn.html
     
    https://wiki.strongswan.org/projects/strongswan/wiki/IKEv1Examples
     
    http://socpuppet.blogspot.com/2014/05/openswan-to-fortigate-route-based-vpn.html
     
     
    I'll post a dynamic-strongswan dialup later this week but the above will give you some ideas on what you can do. I'm using the StrongSwan client on Android btw.
     
    But for starters get your ph1/2 proposals straightened out; I would need to see your phase1-id types, and you will need to enable aggressive mode or use ikev2.
     
    Here's an EAP dynamic-cfg that goes with one of the earlier blog links
     
    config vpn ipsec phase1-interface
        edit "DYNAMIC"
            set type dynamic
            set interface "wan1"
            set ike-version 2
            set authmethod signature
            set mode-cfg enable
            set ipv4-dns-server1 8.8.8.8
            set ipv4-dns-server2 8.8.4.4
            set ipv6-dns-server1 2001:db8:1::1
            set ipv6-dns-server2 2001:db8:1::2
            set proposal aes128-sha256 aes128-sha1 aes128-sha384
            set localid-type address
            set dpd on-idle
            set comments "StrongSwan & NCP Users"
            set dhgrp 19 15 14
            set eap enable
            set eap-identity send-request
            set authusrgrp "Guest-group"
            set idle-timeout enable
            set certificate "CERTWITHALTNAME_IP"
            set peer "mypeers"
            set ipv4-start-ip 10.11.11.88
            set ipv4-end-ip 10.11.11.100
            set ipv6-start-ip 2001:db8:30::11
            set ipv6-end-ip 2001:db8:30::110
            set ipv6-prefix 64
            set dpd-retrycount 10
            set dpd-retryinterval 120
        next
    end
    config vpn ipsec phase2-interface
        edit "DYNAMIC"
            set phase1name "DYNAMIC"
            set proposal aes128-sha256 aes128-sha1 aes128-sha384 aes256-sha256
            set dhgrp 19 15 14
            set replay disable
            set keepalive enable
            set comments "IKEv2"
        next
    end
     
    Don't use des or 3des and avoid dhgrp 5 or lower imho
     
     
    Ken Felix
     

    PCNSE 
    NSE 
    StrongSwan  
    #3
    mariaczi
    Re: strongSwan on linux as IPSec VPN client 2019/10/28 03:04:35 (permalink)
    0
    Hello.
    @ede_pfau, @emnoc - thanks for your answers. It was very helpful. Now my strongSwan on linux, as a client to the Fortigate, connects successfully. I will talk with the fortigate admin about changing the crypto algorithms used in the fortigate config to more secure ones.
    #4
    emnoc
    Re: strongSwan on linux as IPSec VPN client 2019/10/28 04:59:07 (permalink)
    0
    What did you decide to use ( PSK or RSA ) and was the  suggested strongswan link helpful?
     
    Ken Felix

    PCNSE 
    NSE 
    StrongSwan  
    #5
    mariaczi
    Re: strongSwan on linux as IPSec VPN client 2019/10/28 05:09:14 (permalink)
    0
    I kept using PSK after correcting my config file for strongSwan. I only read the post from socpuppet.blogspot.com.
    #6
    mariaczi
    Re: strongSwan on linux as IPSec VPN client 2019/10/31 02:35:26 (permalink)
    0
    Going ahead: now I'm able to establish a VPN tunnel from linux using strongswan as a client to the fortigate (cisco IPsec VPN), but I'm not able to ping any hosts on the local network behind this fortigate. What is wrong in my config?
    The second thing: what should I change in my strongswan config file to route all traffic from the client machine via the VPN tunnel?
    When I use FortiClient on Windows with the same IPsec VPN, everything works: I'm able to ping hosts on the local network behind the fortigate and all traffic goes via the VPN tunnel.
    # cat ipsec.conf
    conn cisco
        fragmentation = yes
        keyexchange = ikev1
        aggressive = no
        reauth = yes
        forceencaps = no
        mobike = no
        rekey = yes
        installpolicy = yes
        type = tunnel
        #type = passthrough
        dpdaction = restart
        dpddelay = 10s
        dpdtimeout = 60s
        ikelifetime = 14400s
        lifetime = 3600s
        auto = add
        left = %defaultroute
        leftauth = psk
        leftauth2 = xauth
        leftsourceip = %config
        leftid = vpnuser@local
        xauth_identity = vpnuser
        right = IP_OF_REMOTE_VPN_SERVER
        rightid = IP_OF_REMOTE_VPN_SERVER
        # route all traffic via this tunnel
        rightsubnet = 0.0.0.0/0
        rightauth = psk
        ike = aes256-sha256-modp1536,aes256-sha1-modp1536!
        esp = aes256-sha256,aes256-sha1!

    # ipsec up cisco
    initiating Main Mode IKE_SA cisco[11] to IP_OF_REMOTE_VPN_SERVER
    generating ID_PROT request 0 [ SA V V V V V ]
    sending packet: from 172.20.10.2[500] to IP_OF_REMOTE_VPN_SERVER[500] (216 bytes)
    received packet: from IP_OF_REMOTE_VPN_SERVER[500] to 172.20.10.2[500] (200 bytes)
    parsed ID_PROT response 0 [ SA V V V V V V ]
    received NAT-T (RFC 3947) vendor ID
    received DPD vendor ID
    received XAuth vendor ID
    received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00
    received FRAGMENTATION vendor ID
    received FRAGMENTATION vendor ID
    generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
    sending packet: from 172.20.10.2[500] to IP_OF_REMOTE_VPN_SERVER[500] (332 bytes)
    received packet: from IP_OF_REMOTE_VPN_SERVER[500] to 172.20.10.2[500] (316 bytes)
    parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
    local host is behind NAT, sending keep alives
    generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
    sending packet: from 172.20.10.2[4500] to IP_OF_REMOTE_VPN_SERVER[4500] (124 bytes)
    received packet: from IP_OF_REMOTE_VPN_SERVER[4500] to 172.20.10.2[4500] (92 bytes)
    parsed ID_PROT response 0 [ ID HASH ]
    received packet: from IP_OF_REMOTE_VPN_SERVER[4500] to 172.20.10.2[4500] (92 bytes)
    parsed TRANSACTION request 766558789 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
    generating TRANSACTION response 766558789 [ HASH CPRP(X_USER X_PWD) ]
    sending packet: from 172.20.10.2[4500] to IP_OF_REMOTE_VPN_SERVER[4500] (108 bytes)
    received packet: from IP_OF_REMOTE_VPN_SERVER[4500] to 172.20.10.2[4500] (92 bytes)
    parsed TRANSACTION request 1026179008 [ HASH CPS(X_STATUS) ]
    XAuth authentication of '' (myself) successful
    IKE_SA cisco[11] established between 172.20.10.2[@local]...IP_OF_REMOTE_VPN_SERVER[IP_OF_REMOTE_VPN_SERVER]
    scheduling reauthentication in 13685s
    maximum IKE_SA lifetime 14225s
    generating TRANSACTION response 1026179008 [ HASH CPA(X_STATUS) ]
    sending packet: from 172.20.10.2[4500] to IP_OF_REMOTE_VPN_SERVER[4500] (92 bytes)
    generating TRANSACTION request 3583116127 [ HASH CPRQ(ADDR DNS) ]
    sending packet: from 172.20.10.2[4500] to IP_OF_REMOTE_VPN_SERVER[4500] (92 bytes)
    received packet: from IP_OF_REMOTE_VPN_SERVER[4500] to 172.20.10.2[4500] (108 bytes)
    parsed TRANSACTION response 3583116127 [ HASH CPRP(ADDR DNS DNS) ]
    installing DNS server 193.85.149.243 via resolvconf
    installing DNS server 8.8.8.8 via resolvconf
    installing new virtual IP 10.10.0.2
    generating QUICK_MODE request 893811623 [ HASH SA No ID ID ]
    sending packet: from 172.20.10.2[4500] to IP_OF_REMOTE_VPN_SERVER[4500] (220 bytes)
    received packet: from IP_OF_REMOTE_VPN_SERVER[4500] to 172.20.10.2[4500] (172 bytes)
    parsed QUICK_MODE response 893811623 [ HASH SA No ID ID ]
    CHILD_SA cisco{13} established with SPIs c877d2c0_i 9fbf289c_o and TS 10.10.0.2/32 === IP_OF_REMOTE_VPN_SERVER/32
    connection 'cisco' established successfully


    # ipsec status
    Security Associations (1 up, 0 connecting):
           cisco[11]: ESTABLISHED 5 minutes ago, 172.20.10.2[@local]...IP_OF_REMOTE_VPN_SERVER[IP_OF_REMOTE_VPN_SERVER]
           cisco{13}:  INSTALLED, TUNNEL, reqid 11, ESP in UDP SPIs: c877d2c0_i 9fbf289c_o
           cisco{13}:   10.10.0.2/32 === IP_OF_REMOTE_VPN_SERVER/32

    # ip ru s
    0: from all lookup local
    220: from all lookup 220
    32766: from all lookup main
    32767: from all lookup default

    # ip r s
    default via 172.20.10.1 dev wlp2s0 proto dhcp metric 600
    169.254.0.0/16 dev wlp2s0 scope link metric 1000
    172.20.10.0/28 dev wlp2s0 proto kernel scope link src 172.20.10.2 metric 600

    # ip r s t 220
    IP_OF_REMOTE_VPN_SERVER via 172.20.10.1 dev wlp2s0 proto static src 10.10.0.2

    # ping 10.10.0.1
    PING 10.10.0.1 (10.10.0.1) 56(84) bytes of data.
    ^C
    --- 10.10.0.1 ping statistics ---
    52 packets transmitted, 0 received, 100% packet loss, time 52217ms

    # ping 10.10.0.100
    PING 10.10.0.100 (10.10.0.100) 56(84) bytes of data.
    ^C
    --- 10.10.0.100 ping statistics ---
    22 packets transmitted, 0 received, 100% packet loss, time 21480ms

    10.10.0.0/16 is the local network behind the fortigate. 10.10.0.1 is the IP of fortigate in this local network.
    #7
    emnoc
    Re: strongSwan on linux as IPSec VPN client 2019/10/31 03:55:33 (permalink)
    0
    Do you have a local firewall? What does a traceroute show? Have you run diag debug on the fortigate? Can you diag-sniffer the interface that is the tunnel?
     
    e.g
     
    diag sniffer packet <tunnel-interface-name-from-phase1-interface> " icmp and host x.x.x.x"
     
    Ken Felix

    PCNSE 
    NSE 
    StrongSwan  
    #8
    mariaczi
    Re: strongSwan on linux as IPSec VPN client 2019/10/31 04:04:53 (permalink)
    0
    No, I don't have a firewall on my linux machine. `iptables` is clear; the default policy is set to ACCEPT. Traceroute shows that the traffic goes out via the default gateway of the local LAN from which I'm trying to connect to the fortigate VPN concentrator. I use different IPs in this network than the network behind the fortigate has.
    Sorry, but I don't have access to the fortigate device.
    #9
    emnoc
    Expert Member
    Re: strongSwan on linux as IPSec VPN client 2019/10/31 04:14:22
    If the packet is going out the default LAN, that is your problem. I would look at the route table and confirm.
     
      ip route show table <blah>
      ip rule 
     
    tcpdump -i wlp2s0
     
    NOTE: you should have had a vpn virtual adapter in the kernel. Typically it's called "ipsec0" or something to that degree.
     
     
    Ken Felix

    #10
    mariaczi
    New Member
    Re: strongSwan on linux as IPSec VPN client 2019/10/31 05:06:32
    Routes and rules you can find in my earlier post (https://forum.fortinet.com/FindPost/180023), 3rd block of code.
    I don't have a virtual adapter in the kernel after establishing the VPN tunnel, on Ubuntu 18.04 (kernel 4.15) and 19.10 (kernel 5.3) too. The IP address from the VPN server is assigned to the network interface which is connected to the local network.
    #11
    emnoc
    Expert Member
    Re: strongSwan on linux as IPSec VPN client 2019/10/31 05:25:30
    So you need to do tcpdump against the parent interface and ensure the packets are going out encrypted; if you send the ping and see it in the clear, then that is a tell-tale sign they are not encrypted.
     
    If you do a pcap and see ESP and SPIs (i.e. c877d2c0_i 9fbf289c_o) in and out, then that would be a clue they are encrypted. You can adjust the ping size and confirm the ESP datagram size increases/decreases as required.
     
    bash shell:
     
       ping -s 166 10.10.0.111
     
     
    Ken Felix

    #12
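To make the size check Ken describes concrete, here is an added Python calculator (not code from the thread) that predicts the IP total length tcpdump reports for a ping of a given -s payload once it is wrapped in ESP. It assumes IPv4 tunnel mode without IP options, NAT-T UDP encapsulation on port 4500, 32-bit ESP sequence numbers, and the CBC cipher / truncated HMAC transforms that appear in this thread's proposals.

```python
"""Expected on-the-wire size of an ICMP echo once it is carried in ESP.

Added example, not code from the forum thread. Assumes IPv4 tunnel mode,
no IP options, 32-bit ESP sequence numbers, and the CBC/HMAC transforms
seen in this thread's proposals (aes-sha1, 3des-sha1, aes-sha256, ...).
"""
IPV4_HDR = 20      # outer and inner IPv4 header, no options
UDP_HDR = 8        # NAT-T encapsulation header (UDP 4500)
ICMP_HDR = 8       # ICMP echo header
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1), inside the encrypted part

# CBC cipher -> (IV length, block size) in bytes
CIPHERS = {"aes": (16, 16), "3des": (8, 8)}
# integrity transform -> truncated ICV length in bytes
ICVS = {"md5": 12, "sha1": 12, "sha256": 16}


def cleartext_size(ping_payload: int) -> int:
    """IP total length of an un-tunnelled echo request, i.e. the 'length N'
    tcpdump shows when the ping leaves in the clear (ping -s 56 gives 84)."""
    return IPV4_HDR + ICMP_HDR + ping_payload


def esp_packet_size(ping_payload: int, cipher: str = "aes", integ: str = "sha1",
                    udp_encap: bool = True) -> int:
    """Outer IP total length of the same echo request inside ESP tunnel mode."""
    iv_len, block = CIPHERS[cipher]
    icv_len = ICVS[integ]
    inner = cleartext_size(ping_payload)   # the whole inner IP packet is encrypted
    to_pad = inner + ESP_TRAILER
    padding = (-to_pad) % block            # CBC needs a multiple of the block size
    esp = ESP_HDR + iv_len + to_pad + padding + icv_len
    return IPV4_HDR + (UDP_HDR if udp_encap else 0) + esp


def classify(observed_len: int, ping_payload: int, **transforms) -> str:
    """Name what a captured 'length N' for a ping of this payload matches."""
    if observed_len == cleartext_size(ping_payload):
        return "cleartext"   # the ping bypassed the tunnel entirely
    if observed_len == esp_packet_size(ping_payload, **transforms):
        return "esp"         # consistent with the negotiated transforms
    return "unknown"


def size_steps(payloads, **transforms) -> dict:
    """ESP length grows in cipher-block steps, not byte for byte, so two
    nearby -s values can legitimately produce the same ESP length."""
    return {p: esp_packet_size(p, **transforms) for p in payloads}


if __name__ == "__main__":
    for p in (56, 66, 67, 166):
        print(f"ping -s {p}: clear {cleartext_size(p)} bytes, "
              f"ESP aes-sha1 over NAT-T {esp_packet_size(p)} bytes")
```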
    ealburez
    New Member
    Re: strongSwan on linux as IPSec VPN client 2020/04/01 05:21:08
    Hello all. 
     
    I have a similar problem, the ipsec tunnel is up but no traffic is passing.
    I am running strongSwan on Linux (client) and connecting to a Fortigate (server) to access a remote network behind it. 
     
    I have other devices, all of them using Forticlient (v6.0), and I can ping any computer behind the Fortigate. 
     
    Strongswan version: U5.7.2/K4.19.97-v7+
    Linux OS= Raspbian 10 (Buster)
    FortiOS= 6.2.
     
    In the fortigate I have following configuration (phase 1 & 2): 
      
    config vpn ipsec phase1-interface
        edit "VPN_LICS"
            set type dynamic
            set interface "wan"
            set mode aggressive
            set peertype any
            set net-device disable
            set mode-cfg enable
            set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
            set dpd on-idle
            set comments "VPN: VPN_LICS (Created by VPN wizard)"
            set wizard-type dialup-forticlient
            set xauthtype auto
            set authusrgrp "VPN"
            set ipv4-start-ip 10.172.31.230
            set ipv4-end-ip 10.172.31.249
            set dns-mode auto
            set ipv4-split-include "VPN_LICS_split"
            set save-password enable
            set client-keep-alive enable
            set psksecret ENC secure_string
            set dpd-retryinterval 60
        next

    config vpn ipsec phase2-interface
        edit "VPN_LICS"
            set phase1name "VPN_LICS"
            set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
            set comments "VPN: VPN_LICS (Created by VPN wizard)"
        next

     
    In my linux machine (client)
     
    cat /etc/ipsec.conf

     
    config setup

    conn fortiOfi

            keyexchange = ikev1

            ike = aes256-sha256-modp2048!
            esp = aes256-sha256-modp2048!

            #added
            dpddelay = 30
            dpdtimeout = 60
            dpdaction = clear

            aggressive = yes

            ikelifetime = 28800s

            right = serverIP
            rightsubnet = 10.72.31.0/24
            rightid = serverIP
            rightauth = psk
            rightdns = 208.67.222.222,208.67.220.220,8.8.8.8

            left = %any
            leftauth = psk
            leftauth2 = xauth
            leftid="anyID"
            leftsourceip = %config
            leftfirewall = yes
            xauth_identity = user

            auto = start
            type = tunnel

            forceencaps = yes
            eap_identity = "me"

     
     
    After connecting I get the following in my linux (client)
     
    ipsec statusall

     
    Security Associations (1 up, 0 connecting):
        fortiOfi[2]: ESTABLISHED 16 seconds ago, 192.168.43.105[anyID]...serverIP[serverIP]
        fortiOfi{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: espSentence
        fortiOfi{1}: 10.172.31.230/32 === 10.72.31.0/24

     
    On the Fortigate I get: 
     
    diagnose vpn tunnel list
     
     
    name=VPN_LICS_0 ver=1 serial=4b serverIP:4500->clientIP:22519 dst_mtu=0
    bound_if=4 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/896 options[0380]=rgwy-chg rport-chg frag-rfc run_state=1 accept_traffic=1
     
    parent=VPN_LICS index=0
    proxyid_num=1 child_num=0 refcnt=5 ilast=5 olast=5 ad=/0
    stat: rxp=0 txp=0 rxb=0 txb=0
    dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=0
    natt: mode=silent draft=32 interval=10 remote_port=22519
    proxyid=VPN_LICS proto=0 sa=1 ref=2 serial=1 add-route
      src: 0:10.72.31.0-10.72.31.255:0
      dst: 0:10.172.31.230-10.172.31.230:0
      SA: ref=3 options=282 type=00 soft=0 mtu=1280 expire=3280/0B replaywin=1024
           seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0
      life: type=01 bytes=0/0 timeout=3587/3600
      dec: spi=f59110aa esp=aes key=32 key#
           ah=sha256 key=32 key#
      enc: spi=cd65379b esp=aes key=32 key#
           ah=sha256 key=32 key#
      dec:pkts/bytes=0/0, enc:pkts/bytes=0/0

     
     The routing tables on my linux machine look as follows:
     

    #$ ip ru s
    0: from all lookup local
    220: from all lookup 220
    32766: from all lookup main
    32767: from all lookup default

    #$ ip r s
    default via 192.168.43.1 dev wlan0 proto dhcp src 192.168.43.105 metric 303
    169.254.0.0/16 dev eth0 scope link src 169.254.148.45 metric 202
    192.168.43.0/24 dev wlan0 proto dhcp scope link src 192.168.43.105 metric 303

    #$ ip r s t 220
    10.72.31.0/24 via 192.168.43.1 dev wlan0 proto static src 10.172.31.230

     
    When I try to ping the server I get no traffic: 
     
    $ ping 10.172.31.1
    PING 10.172.31.1 (10.172.31.1) 56(84) bytes of data.
    ^C
    --- 10.172.31.1 ping statistics ---
    3 packets transmitted, 0 received, 100% packet loss, time 109ms

     
    Any ideas what could be going wrong? Any help is highly appreciated!
     
    Thanks 
    Enio
     
    #13
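One check worth doing before looking for a virtual interface: confirm that the address being pinged actually falls inside the CHILD_SA's remote traffic selector and the table 220 route. The following added Python (not code from the thread) parses the `ipsec statusall` and `ip route show table 220` text quoted above and reports why a packet to a given destination would or would not enter the tunnel; the sample input is constructed from the outputs in this post.

```python
"""Check whether a destination would enter an installed strongSwan tunnel.

Added example, not code from the forum thread. It reads the text of
`ipsec statusall` and `ip route show table 220` and reports why a ping to a
given address does or does not match a CHILD_SA. The sample outputs below are
constructed from the lines quoted in this thread (conn fortiOfi).
"""
import ipaddress
import re

# CHILD_SA traffic-selector line: "<conn>{<id>}: <local TS...> === <remote TS...>"
TS_RE = re.compile(r"^\s*(\S+?)\{\d+\}:\s+(.+?)\s+===\s+(.+?)\s*$")
# Route in table 220: "<prefix> via <gw> dev <ifname> ... src <virtual ip>"
ROUTE_RE = re.compile(r"^\s*(\S+)\s+via\s+(\S+)\s+dev\s+(\S+).*\bsrc\s+(\S+)")

# Constructed sample input, copied from the outputs quoted in the thread.
STATUSALL = """\
Security Associations (1 up, 0 connecting):
    fortiOfi[2]: ESTABLISHED 16 seconds ago, 192.168.43.105[anyID]...serverIP[serverIP]
    fortiOfi{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: espSentence
    fortiOfi{1}: 10.172.31.230/32 === 10.72.31.0/24
"""
TABLE_220 = "10.72.31.0/24 via 192.168.43.1 dev wlan0 proto static src 10.172.31.230\n"

EXPLANATION = {
    "covered": "inside a remote selector and routed by table 220 with the tunnel source IP",
    "not_in_selector": "no CHILD_SA selector matches: the packet takes the main table in the clear",
    "selector_without_route": "a selector matches but table 220 has no route for it",
    "route_src_outside_selector": "table 220 routes it with a source outside the local selector",
}


def _net(text):
    """Parse a prefix as printed by ip route / ipsec statusall ('default' included)."""
    return ipaddress.ip_network("0.0.0.0/0" if text == "default" else text, strict=False)


def parse_selectors(statusall):
    """Return [(conn, [local nets], [remote nets])] for each installed CHILD_SA."""
    found = []
    for line in statusall.splitlines():
        m = TS_RE.match(line)
        if m:
            conn, local, remote = m.groups()
            found.append((conn, [_net(n) for n in local.split()],
                          [_net(n) for n in remote.split()]))
    return found


def parse_routes(table220):
    """Return [(prefix net, gateway, device, source ip)] from table 220 text."""
    routes = []
    for line in table220.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            prefix, gw, dev, src = m.groups()
            routes.append((_net(prefix), gw, dev, ipaddress.ip_address(src)))
    return routes


def diagnose(target, statusall=STATUSALL, table220=TABLE_220):
    """Explain the fate of a packet to `target` given the parsed tunnel state."""
    dst = ipaddress.ip_address(target)
    report = {"target": target, "verdict": "not_in_selector", "selector": None, "route": None}
    for conn, local_nets, remote_nets in parse_selectors(statusall):
        hit = next((n for n in remote_nets if dst in n), None)
        if hit is None:
            continue
        report["selector"] = f"{conn}: {' '.join(map(str, local_nets))} === {hit}"
        route = next((r for r in parse_routes(table220) if dst in r[0]), None)
        if route is None:
            report["verdict"] = "selector_without_route"
        else:
            report["route"] = f"{route[0]} via {route[1]} dev {route[2]} src {route[3]}"
            src_ok = any(route[3] in n for n in local_nets)
            report["verdict"] = "covered" if src_ok else "route_src_outside_selector"
        break
    report["explanation"] = EXPLANATION[report["verdict"]]
    return report


if __name__ == "__main__":
    # The thread's own case: 10.172.31.1 is not inside rightsubnet 10.72.31.0/24.
    for ip in ("10.172.31.1", "10.72.31.5"):
        r = diagnose(ip)
        print(f"{ip}: {r['verdict']} ({r['explanation']})")
```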
    emnoc
    Expert Member
    Re: strongSwan on linux as IPSec VPN client 2020/04/01 07:14:56
    Your route does not look correct and is missing. What does " ip a " or " ifconfig -a " show for the virtual interface?
     
    Ken Felix
     

    #14
    ealburez
    New Member
    Re: strongSwan on linux as IPSec VPN client 2020/04/01 10:18:06
    Hi emnoc,
     
    when I run those commands I don't really see a virtual interface (I believe it should be something like tun0, right?).
     
    Any idea what the reason for that could be? Below the output:
     
    For ip a I get the following:
     
    $ ip a
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
        link/ether b8:27:eb:7e:f9:f5 brd ff:ff:ff:ff:ff:ff
    3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
        link/ether 16:7f:36:d1:09:4d brd ff:ff:ff:ff:ff:ff
        inet 192.168.1.10/24 brd 192.168.1.255 scope global dynamic noprefixroute wlan0
           valid_lft 599251sec preferred_lft 523651sec
        inet 10.172.31.230/32 scope global wlan0
           valid_lft forever preferred_lft forever
        inet6 2a01:c23:6001:2d00:3af7:8f3f:a9ed:1cd9/64 scope global dynamic mngtmpaddr noprefixroute
           valid_lft 201601sec preferred_lft 115201sec
        inet6 fe80::18aa:4502:1a9f:b6c/64 scope link
           valid_lft forever preferred_lft forever


     and for ifconfig -a I get:

    $ ifconfig -a
    eth0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
            ether b8:27:eb:7e:f9:f5 txqueuelen 1000 (Ethernet)
            RX packets 0 bytes 0 (0.0 B)
            RX errors 0 dropped 0 overruns 0 frame 0
            TX packets 0 bytes 0 (0.0 B)
            TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

    lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
            inet 127.0.0.1 netmask 255.0.0.0
            inet6 ::1 prefixlen 128 scopeid 0x10<host>
            loop txqueuelen 1000 (Local Loopback)
            RX packets 76 bytes 6036 (5.8 KiB)
            RX errors 0 dropped 0 overruns 0 frame 0
            TX packets 76 bytes 6036 (5.8 KiB)
            TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

    wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
            inet 192.168.1.10 netmask 255.255.255.0 broadcast 192.168.1.255
            inet6 fe80::18aa:4502:1a9f:b6c prefixlen 64 scopeid 0x20<link>
            inet6 2a01:c23:6001:2d00:3af7:8f3f:a9ed:1cd9 prefixlen 64 scopeid 0x0<global>
            ether 16:7f:36:d1:09:4d txqueuelen 1000 (Ethernet)
            RX packets 1978 bytes 214033 (209.0 KiB)
            RX errors 0 dropped 0 overruns 0 frame 0
            TX packets 1448 bytes 247697 (241.8 KiB)
            TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0


     
    Thanks!
    #15
    emnoc
    Expert Member
    Re: strongSwan on linux as IPSec VPN client 2020/04/01 13:34:47
    Yes, that is correct, tun0 or ipsec0 sometimes, but let's go backward.
     
    When you connect can you get a diag vpn ike gateway output?
     
    Also if you tcpdump on the wan interfaces of the FGT or Linux host do you see your client address?
     
     
    e.g.
       # linux
       tcpdump -nnnvvv -i eth0 udp port 500 or 4500
     
       #fortiOS
       diag sniffer packet  any "host <your public address for linux client>"
     
     
    I would check that if you see no output from diag vpn ike gateway
     
    Ken Felix
     

    #16
    ealburez
    New Member
    Re: strongSwan on linux as IPSec VPN client 2020/04/02 02:30:37
    Hi, 
     
    there seems to be some information going back and forth. Looks like some keep-alive exchange but I don't really understand what it is. 
     
    Any idea of what could be going wrong?
     
    Thanks a lot for the help!
     
     
    On the Fortigate I get: 
     
    FortigateOfi # diag sniffer packet any "host clientPublicIP"
    interfaces=[any]
    filters=[host clientPublicIP]
    5.709784 clientPublicIP.9470 -> serverIP.4500: udp 1
    16.010401 clientPublicIP.9470 -> serverIP.4500: udp 112
    16.010707 serverIP.4500 -> clientPublicIP.9470: udp 112
    35.709253 clientPublicIP.9470 -> serverIP.4500: udp 1
    46.145160 clientPublicIP.9470 -> serverIP.4500: udp 112
    46.145510 serverIP.4500 -> clientPublicIP.9470: udp 112
    ^C
    6 packets received by filter
    0 packets dropped by kernel

     
    On the linux client: 
     
    $ sudo tcpdump -nnnvvv -i wlan0 udp port 4500
    tcpdump: listening on wlan0, link-type EN10MB (Ethernet), capture size 262144 bytes
    11:03:02.397459 IP (tos 0x0, ttl 64, id 52139, offset 0, flags [DF], proto UDP (17), length 29)
    192.168.43.42.4500 > serverIP.4500: [udp sum ok] isakmp-nat-keep-alive
    11:03:12.758009 IP (tos 0x0, ttl 64, id 52899, offset 0, flags [DF], proto UDP (17), length 140)
    192.168.43.42.4500 > serverIP.4500: [udp sum ok] NONESP-encap: isakmp 1.0 msgid 7814c631 cookie <cookie1> -><cookie2>: phase 2/others ? inf[E]: [encrypted hash]
    11:03:12.989897 IP (tos 0x0, ttl 43, id 12999, offset 0, flags [none], proto UDP (17), length 140)
    serverIP.4500 > 192.168.43.42.4500: [udp sum ok] NONESP-encap: isakmp 1.0 msgid 8281d6a1 cookie <cookie1> -><cookie2>: phase 2/others ? inf[E]: [encrypted hash]
    11:03:32.398684 IP (tos 0x0, ttl 64, id 54615, offset 0, flags [DF], proto UDP (17), length 29)
    192.168.43.42.4500 > serverIP.4500: [udp sum ok] isakmp-nat-keep-alive
    11:03:42.758928 IP (tos 0x0, ttl 64, id 55065, offset 0, flags [DF], proto UDP (17), length 140)
    192.168.43.42.4500 > serverIP.4500: [udp sum ok] NONESP-encap: isakmp 1.0 msgid dbb42cab cookie <cookie1> -><cookie2>: phase 2/others ? inf[E]: [encrypted hash]
    11:03:43.128081 IP (tos 0x0, ttl 43, id 13000, offset 0, flags [none], proto UDP (17), length 140)
    serverIP.4500 > 192.168.43.42.4500: [udp sum ok] NONESP-encap: isakmp 1.0 msgid 39e4d3ba cookie <cookie1> -><cookie2>: phase 2/others ? inf[E]: [encrypted hash]
    ^C
    6 packets captured
    6 packets received by filter
    0 packets dropped by kernel

    #17
    pv081079
    New Member
    Re: strongSwan on linux as IPSec VPN client 2020/05/08 15:29:00
    Hello,
     
    I am trying to set up Strongswan -> Fortigate IPsec VPN with Certificate Auth and Xauth:
     
     
    #Fortigate Configuration:
     
    IDCFW_BE01 (phase1-interface) # show
    config vpn ipsec phase1-interface
    edit "REMOTE_AT"
    set type dynamic
    set interface "VPN_870"
    set authmethod signature
    set mode aggressive
    set peertype peergrp
    set net-device disable
    set mode-cfg enable
    set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
    set dpd on-idle
    set comments "VPN: REMOTE_AT"
    set wizard-type dialup-forticlient
    set xauthtype auto
    set certificate "AGOC_SSL_RSA4096"
    set peergrp "remotegrp"
    set ipv4-start-ip 10.184.16.1
    set ipv4-end-ip 10.184.16.254
    set dns-mode auto
    set ipv4-split-include "REMOTE_AT_split"
    set domain "ritta.local"
    set save-password enable
    set client-auto-negotiate enable
    set client-keep-alive enable
    set dpd-retryinterval 60
    next
    end
    config vpn ipsec phase2-interface
    edit "REMOTE_AT"
    set phase1name "REMOTE_AT"
    set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    set comments "VPN: REMOTE_AT (Created by VPN wizard)"
    next
    end
     
    #Strongswan configs:
     
    -> ipsec.conf

    config setup
    ca strongswan
          cacert=AGOC_NLC_CA.crt

    conn AT 
            fragmentation = yes
            keyexchange = ikev1
            aggressive = yes 
            reauth = yes
            forceencaps = no
            mobike = no
            rekey = yes
            installpolicy = yes
            type = tunnel
            #type = passthrough
            dpdaction = restart
            dpddelay = 10s
            dpdtimeout = 60s
            ikelifetime = 14400s
            lifetime = 3600s

            left = %any
            leftcert=ple1764Cert.pem
            leftauth=pubkey
            leftauth2=xauth
            xauth_identity = ple1764
            leftid ="C=PT, ST=Lisboa, L=Lisboa, O=AGOC NLC, OU=AGOC NLC, CN=ple1764, E=xx@xx.xx.xx"
            #leftsourceip = %config
            right=X.X.X.X
            rightsubnet=10.0.0.0/8
            rightid="C=PT, ST=Lisboa, L=Lisboa, O=AGOC NLC, OU=AGOC NLC, CN=X.X.X.X, E=xx@xx.xx.xx"
            rightauth=pubkey
            rightdns = 10.191.191.191
            auto=start
            type=tunnel
            #eap_identity="ple1764"
           
            ike = aes128-sha1-modp2048 
            esp = aes128-sha1 
     
    -> ipsec.secrets
    # This file holds shared secrets or RSA private keys for authentication.
    # RSA private key for this host, authenticating it to any other host
    # which knows the public part.
    : RSA ple1764Key.pem
    ple1764 : XAUTH "password"
     
    -> strongswan.conf
    charon {
      load = aes sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown 
    }
     
    -> command "ipsec start --nofork"
    Starting strongSwan 5.8.4 IPsec [starter]...
    !! Your strongswan.conf contains manual plugin load options for charon.
    !! This is recommended for experts only, see
    !! http://wiki.strongswan.or...ngswan/wiki/PluginLoad
    00[DMN] Starting IKE charon daemon (strongSwan 5.8.4, Linux 5.5.0-kali2-amd64, x86_64)
    00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
    00[CFG] loaded ca certificate "C=PT, ST=Lisboa, L=Lisboa, O=AGOC NLC, OU=AGOC NLC, E=xx@xx.xx.xx" from '/etc/ipsec.d/cacerts/AGOC_NLC_CA.crt'
    00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
    00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
    00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
    00[CFG] loading crls from '/etc/ipsec.d/crls'
    00[CFG] loading secrets from '/etc/ipsec.secrets'
    00[CFG] loaded RSA private key from '/etc/ipsec.d/private/ple1764Key.pem'
    00[CFG] loaded EAP secret for ple1764
    00[LIB] loaded plugins: charon aes sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
    00[LIB] dropped capabilities, running as uid 0, gid 0
    00[JOB] spawning 16 worker threads
    charon (4795) started after 40 ms
    05[CFG] received stroke: add connection 'AT'
    05[CFG] loaded certificate "C=PT, ST=Lisboa, L=Lisboa, O=AGOC NLC, OU=AGOC NLC, CN=ple1764, E=xx@xx.xx.xx" from 'ple1764Cert.pem'
    05[CFG] added configuration 'AT'
    07[CFG] received stroke: initiate 'AT'
    07[IKE] sending cert request for "C=PT, ST=Lisboa, L=Lisboa, O=AGOC NLC, OU=AGOC NLC, E=xx@xx.xx.xx"
    07[IKE] initiating Aggressive Mode IKE_SA AT[1] to xx.xx.xx.xx
    07[ENC] generating AGGRESSIVE request 0 [ SA KE No ID CERTREQ V V V V V ]
    07[NET] sending packet: from 192.168.1.104[500] to xx.xx.xx.xx[500] (788 bytes)
    09[NET] received packet: from xx.xx.xx.xx[500] to 192.168.1.104[500] (4111 bytes)
    09[ENC] parsed AGGRESSIVE response 0 [ SA KE No ID CERT CERT SIG V NAT-D NAT-D V V V V V ]
    09[IKE] received NAT-T (RFC 3947) vendor ID
    09[IKE] received DPD vendor ID
    09[IKE] received XAuth vendor ID
    09[ENC] received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00
    09[IKE] received FRAGMENTATION vendor ID
    09[IKE] received FRAGMENTATION vendor ID
    09[IKE] received end entity cert "C=PT, ST=Lisboa, L=Lisboa, O=AGOC NLC, OU=AGOC NLC, CN=xx.xx.xx.xx, E=xx@xx.xx.xx"
    09[IKE] received issuer cert "C=PT, ST=Lisboa, L=Lisboa, O=AGOC NLC, OU=AGOC NLC, E=xx@xx.xx.xx"
    09[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
    09[CFG] using certificate "C=PT, ST=Lisboa, L=Lisboa, O=AGOC NLC, OU=AGOC NLC, CN=xx.xx.xx.xx, E=xx@xx.xx.xx"
    09[CFG] using trusted ca certificate "C=PT, ST=Lisboa, L=Lisboa, O=AGOC NLC, OU=AGOC NLC, E=xx@xx.xx.xx"
    09[CFG] checking certificate status of "C=PT, ST=Lisboa, L=Lisboa, O=AGOC NLC, OU=AGOC NLC, CN=xx.xx.xx.xx, E=xx@xx.xx.xx"
    09[CFG] certificate status is not available
    09[CFG] reached self-signed root ca with a path length of 0
    09[IKE] authentication of 'C=PT, ST=Lisboa, L=Lisboa, O=AGOC NLC, OU=AGOC NLC, CN=xx.xx.xx.xx, E=xx@xx.xx.xx' with RSA_EMSA_PKCS1_NULL successful
    09[IKE] local host is behind NAT, sending keep alives
    09[IKE] authentication of 'C=PT, ST=Lisboa, L=Lisboa, O=AGOC NLC, OU=AGOC NLC, CN=ple1764, E=xx@xx.xx.xx' (myself) successful
    09[ENC] generating AGGRESSIVE request 0 [ NAT-D NAT-D SIG ]
    09[NET] sending packet: from 192.168.1.104[4500] to xx.xx.xx.xx[4500] (604 bytes)
    12[IKE] sending keep alive to xx.xx.xx.xx[4500]
    13[JOB] peer did not initiate expected exchange, reestablishing IKE_SA
    13[IKE] reinitiating IKE_SA AT[1]
    13[IKE] sending cert request for "C=PT, ST=Lisboa, L=Lisboa, O=AGOC NLC, OU=AGOC NLC, E=xx@xx.xx.xx"
    13[IKE] initiating Aggressive Mode IKE_SA AT[1] to xx.xx.xx.xx
    13[ENC] generating AGGRESSIVE request 0 [ SA KE No ID CERTREQ V V V V V ]
    13[NET] sending packet: from 192.168.1.104[4500] to xx.xx.xx.xx[4500] (788 bytes)
    ^C00[DMN] signal of type SIGINT received. Shutting down
    charon stopped after 200 ms
    ipsec starter stopped
     
     
    What could be wrong with the configuration?
    Thank you
    #18
    pv081079
    New Member
    Re: strongSwan on linux as IPSec VPN client 2020/05/09 15:05:24
    It's working now, here are my configs:
     
    -> ipsec.conf
     
    conn AT
    fragmentation = yes
    keyexchange = ikev1
    aggressive = yes
    reauth = yes
    forceencaps = yes
    mobike = no
    rekey = yes
    installpolicy = yes
    type = tunnel
    pfs=yes
    pfsgroup=5
    xauth_identity=ple1764
    left = %any
    leftcert=ple1764Cert.pem
    leftauth=pubkey
    leftauth2=xauth
    leftid ="C=PT, ST=Lisboa, L=Lisboa, O=AGOC NLC, OU=AGOC NLC, CN=ple1764, E=xx@xx.xx.xx"
    leftsendcert=always
    leftsourceip=%config
    right=xx.xx.xx.xx
    rightsubnet=10.0.0.0/8
    rightid="C=PT, ST=Lisboa, L=Lisboa, O=AGOC NLC, OU=AGOC NLC, CN=xx.xx.xx.xx, E=xx@xx.xx.xx"
    rightauth=pubkey
    rightsendcert=always
    auto=start
    type=tunnel

    ike = aes256-sha256-modp1536
    esp = aes256-sha256-modp1536
     
     
    -> strongswan.conf
     
    # strongswan.conf - strongSwan configuration file
    #
    # Refer to the strongswan.conf(5) manpage for details
    #
    # Configuration changes should be made in the included files
    #charon {
    # load_modular = yes
    # plugins {
    # include strongswan.d/charon/*.conf
    # }
    #}
    #include strongswan.d/*.confi
    charon {
    load = aes sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown xauth-generic
    }
     
    -> ipsec.secrets
     
    # This file holds shared secrets or RSA private keys for authentication.
    # RSA private key for this host, authenticating it to any other host
    # which knows the public part.
    : RSA ple1764Key.pem
    ple1764 : XAUTH "password"
     
    I hope this helps someone else.
     
    Cheers.
    #19
    sw2090
    Platinum Member
    Re: strongSwan on linux as IPSec VPN client 2020/07/11 08:36:16
    yeah after trying shrewsoft and vpnc on linux with no success I turned back to strongswan and this time I got it to run. While shrewsoft is difficult to compile on a current linux due to its age (the last release is from 2013) and, even though it compiled and runs, keeps segfaulting upon connecting a vpn, I couldn't get vpnc to work at all. The network manager plugin of strongswan also didn't work out. So I finally got back to strongswan :)
     
    It now does obtain an ip from my FGT and it does do split tunneling via ipsec. However with ikev1 strongswan is limited to one remote (right) subnet - that's a limit in strongswan, not the Fortigate. If one needs more than one you have to do ikev2.
    Works fine now here with strongswan. I might change the tunnel to do ikev2 to be able to access more than one subnet ;)
    What still does not work is that strongswan obtains dns servers (but maybe that is due to my settings on the FGT. Still have to check this.) What also does not work is obtaining the list of subnets to be accessible via the tunnel from the FGT like shrewsoft or forticlient do on windows and osx. I still have to manually enter them as right subnet(s) in my ipsec.conf connection settings.
    But so far I can live with that ;)
    #20
    © 2020 APG vNext Commercial Version 5.5