mariaczi
New Contributor

strongSwan on linux as IPSec VPN client

Hello.

I'm trying to connect to an IPsec VPN on a FortiGate using strongSwan on a Linux OS.

My configuration on fortigate:

config vpn ipsec phase1-interface
    edit "MAC"
        set type dynamic
        set interface "wan1"
        set peertype any
        set mode-cfg enable
        set proposal aes256-md5 aes256-sha1
        set dpd on-idle
        set dhgrp 2
        set wizard-type dialup-cisco
        set xauthtype auto
        set authusrgrp "VPN"
        set net-device enable
        set ipv4-start-ip 10.10.0.2
        set ipv4-end-ip 10.10.0.254
        set dns-mode auto
        set psksecret ENC secure_enc_string
        set dpd-retryinterval 5
    next
end
config vpn ipsec phase2-interface
    edit "MAC"
        set phase1name "MAC"
        set proposal aes256-md5 aes256-sha1
        set pfs disable
        set keepalive enable
        set comments "VPN: MAC (Created by VPN wizard)"
    next
    edit "osx"
        set phase1name "osx"
        set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
        set comments "VPN: osx (Created by VPN wizard)"
    next
end

My strongSwan config on linux:

/etc/ipsec.conf
config setup
        # strictcrlpolicy=yes
        # uniqueids = no
        charondebug="dmn 2, mgr 2, ike 2, chd 2, job 2, cfg 2, knl 2, net 2, enc 2, lib 2"

conn cisco
    fragmentation = yes
    keyexchange = ikev1
    reauth = yes
    forceencaps = no
    mobike = no
    rekey = yes
    installpolicy = yes
    type = tunnel
    dpdaction = restart
    dpddelay = 10s
    dpdtimeout = 60s
    auto = add
    left = 10.10.0.100
    right = IP_OF_REMOTE_VPN_SERVER
    leftid = vpnuser@local
    ikelifetime = 14400s
    lifetime = 3600s
    ike = 3des-sha1-modp1024!
    esp = 3des-sha1-modp1024,3des-sha1-modp1024,3des-sha1-modp1024,3des-sha1-modp1024!
    leftauth = psk
    leftauth2 = xauth
    rightauth = psk
    rightid = vpnuser@VPNSERVER
    aggressive = no
    xauth_identity=vpnuser
    rightsubnet = 10.10.0.0/16
    leftsourceip = %config

/etc/ipsec.secrets
vpnuser : XAUTH "vpnuser_password"
vpnuser@local vpnuser@VPNSERVER : PSK "psk-preshared-passphrase"

 

When I try to bring up this VPN connection from the console I receive:

 

# ipsec up cisco
initiating Main Mode IKE_SA cisco[1] to IP_OF_REMOTE_VPN_SERVER
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 10.10.0.100[500] to IP_OF_REMOTE_VPN_SERVER[500] (176 bytes)
sending retransmit 1 of request message ID 0, seq 1
sending packet: from 10.10.0.100[500] to IP_OF_REMOTE_VPN_SERVER[500] (176 bytes)
sending retransmit 2 of request message ID 0, seq 1
sending packet: from 10.10.0.100[500] to IP_OF_REMOTE_VPN_SERVER[500] (176 bytes)

 

In logs I see:

 

Oct 22 12:18:56 myHOST charon: 04[JOB] watched FD 16 ready to read
Oct 22 12:18:56 myHOST charon: 04[JOB] watcher going to poll() 3 fds
Oct 22 12:18:56 myHOST charon: 03[CFG] received stroke: initiate 'cisco'
Oct 22 12:18:56 myHOST charon: 05[MGR] checkout IKE_SA by config
Oct 22 12:18:56 myHOST charon: 04[JOB] watcher got notification, rebuilding
Oct 22 12:18:56 myHOST charon: 04[JOB] watcher going to poll() 4 fds
Oct 22 12:18:56 myHOST charon: 05[MGR] created IKE_SA (unnamed)[2]
Oct 22 12:18:56 myHOST charon: 05[IKE] queueing ISAKMP_VENDOR task
Oct 22 12:18:56 myHOST charon: 05[IKE] queueing ISAKMP_CERT_PRE task
Oct 22 12:18:56 myHOST charon: 05[IKE] queueing MAIN_MODE task
Oct 22 12:18:56 myHOST charon: 05[IKE] queueing ISAKMP_CERT_POST task
Oct 22 12:18:56 myHOST charon: 05[IKE] queueing ISAKMP_NATD task
Oct 22 12:18:56 myHOST charon: 05[IKE] queueing QUICK_MODE task
Oct 22 12:18:56 myHOST charon: 05[IKE] activating new tasks
Oct 22 12:18:56 myHOST charon: 05[IKE]   activating ISAKMP_VENDOR task
Oct 22 12:18:56 myHOST charon: 05[IKE]   activating ISAKMP_CERT_PRE task
Oct 22 12:18:56 myHOST charon: 05[IKE]   activating MAIN_MODE task
Oct 22 12:18:56 myHOST charon: 05[IKE]   activating ISAKMP_CERT_POST task
Oct 22 12:18:56 myHOST charon: 05[IKE]   activating ISAKMP_NATD task
Oct 22 12:18:56 myHOST charon: 05[IKE] sending XAuth vendor ID
Oct 22 12:18:56 myHOST charon: 05[ENC] added payload of type VENDOR_ID_V1 to message
Oct 22 12:18:56 myHOST charon: 05[IKE] sending DPD vendor ID
Oct 22 12:18:56 myHOST charon: 05[ENC] added payload of type VENDOR_ID_V1 to message
Oct 22 12:18:56 myHOST charon: 05[IKE] sending FRAGMENTATION vendor ID
Oct 22 12:18:56 myHOST charon: 05[ENC] added payload of type VENDOR_ID_V1 to message
Oct 22 12:18:56 myHOST charon: 05[IKE] sending NAT-T (RFC 3947) vendor ID
Oct 22 12:18:56 myHOST charon: 05[ENC] added payload of type VENDOR_ID_V1 to message
Oct 22 12:18:56 myHOST charon: 05[IKE] sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Oct 22 12:18:56 myHOST charon: 05[ENC] added payload of type VENDOR_ID_V1 to message
Oct 22 12:18:56 myHOST charon: 05[IKE] initiating Main Mode IKE_SA cisco[2] to IP_OF_REMOTE_VPN_SERVER
Oct 22 12:18:56 myHOST charon: 05[IKE] IKE_SA cisco[2] state change: CREATED => CONNECTING
Oct 22 12:18:56 myHOST charon: 05[CFG] configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 22 12:18:56 myHOST charon: 05[ENC] added payload of type SECURITY_ASSOCIATION_V1 to message
Oct 22 12:18:56 myHOST charon: 05[ENC] order payloads in message
Oct 22 12:18:56 myHOST charon: 05[ENC] added payload of type SECURITY_ASSOCIATION_V1 to message
Oct 22 12:18:56 myHOST charon: 05[ENC] added payload of type VENDOR_ID_V1 to message
Oct 22 12:18:56 myHOST charon: message repeated 4 times: [ 05[ENC] added payload of type VENDOR_ID_V1 to message]
Oct 22 12:18:56 myHOST charon: 05[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Oct 22 12:18:56 myHOST charon: 05[ENC] not encrypting payloads
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type HEADER
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 IKE_SPI
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 IKE_SPI
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 U_INT_4
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 4 U_INT_4
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 5 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 6 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 7 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 8 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 9 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 10 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 11 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 12 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 13 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 14 U_INT_32
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 15 HEADER_LENGTH
Oct 22 12:18:56 myHOST charon: 05[ENC] generating HEADER payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type SECURITY_ASSOCIATION_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 4 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 5 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 6 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 7 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 8 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 9 PAYLOAD_LENGTH
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 10 U_INT_32
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 11 U_INT_32
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 12 (1259)
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type PROPOSAL_SUBSTRUCTURE_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 RESERVED_BYTE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 PAYLOAD_LENGTH
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 4 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 5 SPI_SIZE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 6 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 7 SPI
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 8 (1261)
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type TRANSFORM_SUBSTRUCTURE_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 RESERVED_BYTE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 PAYLOAD_LENGTH
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 4 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 5 RESERVED_BYTE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 6 RESERVED_BYTE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 7 (1263)
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 ATTRIBUTE_FORMAT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 ATTRIBUTE_TYPE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 ATTRIBUTE_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 ATTRIBUTE_FORMAT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 ATTRIBUTE_TYPE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 ATTRIBUTE_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 ATTRIBUTE_FORMAT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 ATTRIBUTE_TYPE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 ATTRIBUTE_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 ATTRIBUTE_FORMAT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 ATTRIBUTE_TYPE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 ATTRIBUTE_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 ATTRIBUTE_FORMAT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 ATTRIBUTE_TYPE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 ATTRIBUTE_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 ATTRIBUTE_FORMAT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 ATTRIBUTE_TYPE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 ATTRIBUTE_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating TRANSFORM_SUBSTRUCTURE_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating PROPOSAL_SUBSTRUCTURE_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating SECURITY_ASSOCIATION_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type VENDOR_ID_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 4 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 5 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 6 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 7 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 8 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 9 PAYLOAD_LENGTH
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 10 CHUNK_DATA
Oct 22 12:18:56 myHOST charon: 05[ENC] generating VENDOR_ID_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type VENDOR_ID_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 4 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 5 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 6 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 7 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 8 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 9 PAYLOAD_LENGTH
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 10 CHUNK_DATA
Oct 22 12:18:56 myHOST charon: 05[ENC] generating VENDOR_ID_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type VENDOR_ID_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 4 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 5 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 6 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 7 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 8 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 9 PAYLOAD_LENGTH
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 10 CHUNK_DATA
Oct 22 12:18:56 myHOST charon: 05[ENC] generating VENDOR_ID_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type VENDOR_ID_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 4 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 5 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 6 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 7 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 8 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 9 PAYLOAD_LENGTH
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 10 CHUNK_DATA
Oct 22 12:18:56 myHOST charon: 05[ENC] generating VENDOR_ID_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type VENDOR_ID_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 4 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 5 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 6 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 7 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 8 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 9 PAYLOAD_LENGTH
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 10 CHUNK_DATA
Oct 22 12:18:56 myHOST charon: 05[ENC] generating VENDOR_ID_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[NET] sending packet: from 10.10.0.100[500] to IP_OF_REMOTE_VPN_SERVER[500] (176 bytes)
Oct 22 12:18:56 myHOST charon: 05[MGR] checkin IKE_SA cisco[2]
Oct 22 12:18:56 myHOST charon: 01[JOB] next event in 3s 999ms, waiting
Oct 22 12:18:56 myHOST charon: 05[MGR] checkin of IKE_SA successful
Oct 22 12:18:56 myHOST charon: 06[NET] sending packet: from 10.10.0.100[500] to IP_OF_REMOTE_VPN_SERVER[500]
Oct 22 12:19:00 myHOST charon: 01[JOB] got event, queuing job for execution
Oct 22 12:19:00 myHOST charon: 01[JOB] no events, waiting
Oct 22 12:19:00 myHOST charon: 12[MGR] checkout IKEv1 SA with SPIs 323c3aef2f033c01_i 0000000000000000_r
Oct 22 12:19:00 myHOST charon: 12[MGR] IKE_SA cisco[2] successfully checked out
Oct 22 12:19:00 myHOST charon: 12[IKE] sending retransmit 1 of request message ID 0, seq 1
Oct 22 12:19:00 myHOST charon: 12[NET] sending packet: from 10.10.0.100[500] to IP_OF_REMOTE_VPN_SERVER[500] (176 bytes)
Oct 22 12:19:00 myHOST charon: 12[MGR] checkin IKE_SA cisco[2]
Oct 22 12:19:00 myHOST charon: 12[MGR] checkin of IKE_SA successful
Oct 22 12:19:00 myHOST charon: 01[JOB] next event in 7s 199ms, waiting
Oct 22 12:19:00 myHOST charon: 06[NET] sending packet: from 10.10.0.100[500] to IP_OF_REMOTE_VPN_SERVER[500]
Oct 22 12:19:08 myHOST charon: 01[JOB] got event, queuing job for execution
Oct 22 12:19:08 myHOST charon: 01[JOB] no events, waiting
Oct 22 12:19:08 myHOST charon: 13[MGR] checkout IKEv1 SA with SPIs 323c3aef2f033c01_i 0000000000000000_r
Oct 22 12:19:08 myHOST charon: 13[MGR] IKE_SA cisco[2] successfully checked out
Oct 22 12:19:08 myHOST charon: 13[IKE] sending retransmit 2 of request message ID 0, seq 1
Oct 22 12:19:08 myHOST charon: 13[NET] sending packet: from 10.10.0.100[500] to IP_OF_REMOTE_VPN_SERVER[500] (176 bytes)
Oct 22 12:19:08 myHOST charon: 13[MGR] checkin IKE_SA cisco[2]
Oct 22 12:19:08 myHOST charon: 13[MGR] checkin of IKE_SA successful
Oct 22 12:19:08 myHOST charon: 06[NET] sending packet: from 10.10.0.100[500] to IP_OF_REMOTE_VPN_SERVER[500]
Oct 22 12:19:08 myHOST charon: 01[JOB] next event in 12s 959ms, waiting

 

The question is: what do I have wrong in this setup, such that the connection can't be established?

 

Thanks for your help!

19 REPLIES
ede_pfau
SuperUser

Apart from this being anything but trivial, methinks you

- use MD5 in phase1 on the FGT and SHA1 on Linux. (Avoid MD5 anyway, it's broken as a standard.)

- do not use PFS in phase2 on FGT but you do in SS

 

If I had to tackle this, I'd

- avoid mode config (unless SS would only support this)

- use only one single proposal where necessary

- in general, keep the config as simple as possible until the tunnel works

 

Of course, you will have thought of creating a policy on the FGT; the tunnel won't negotiate without one.

 

IMHO Ken Felix (emnoc) has done this before, for sure. You might have a look at http://socpuppet.blogspot.com/


Ede

"Kernel panic: Aiee, killing interrupt handler!"
emnoc
Esteemed Contributor III

Everything Ede stated;

 

So you're doing it right by mastering PSK before trying RSA. I would do a diag debug app ike -1 on the FortiGate and analyze the debug.

 

e.g. (based on your cfg):

diag debug reset
diag debug enable
diag vpn ike filter name MAC
diag debug app ike -1

 

That might give you the trace that you need, but your ciphers do not match between strongSwan and FortiOS, for starters.

 

 

 

http://socpuppet.blogspot...to-strongswan-cfg.html

http://socpuppet.blogspot...-eap-identity-vpn.html

https://wiki.strongswan.org/projects/strongswan/wiki/IKEv1Examples

http://socpuppet.blogspot.com/2014/05/openswan-to-fortigate-route-based-vpn.html

 

 

I'll post a dynamic strongSwan dialup later this week, but the above will give you some ideas on what you can do. I'm using the strongSwan client on Android, btw.

 

But for starters, get your ph1/ph2 proposals straightened out. I would need to see your phase1 ID types, and you will need to enable aggressive mode or use IKEv2.

 

Here's an EAP dynamic cfg that goes with one of the earlier blog links:

 

config vpn ipsec phase1-interface
    edit "DYNAMIC"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set authmethod signature
        set mode-cfg enable
        set ipv4-dns-server1 8.8.8.8
        set ipv4-dns-server2 8.8.4.4
        set ipv6-dns-server1 2001:db8:1::1
        set ipv6-dns-server2 2001:db8:1::2
        set proposal aes128-sha256 aes128-sha1 aes128-sha384
        set localid-type address
        set dpd on-idle
        set comments "StrongSwan & NCP Users"
        set dhgrp 19 15 14
        set eap enable
        set eap-identity send-request
        set authusrgrp "Guest-group"
        set idle-timeout enable
        set certificate "CERTWITHALTNAME_IP"
        set peer "mypeers"
        set ipv4-start-ip 10.11.11.88
        set ipv4-end-ip 10.11.11.100
        set ipv6-start-ip 2001:db8:30::11
        set ipv6-end-ip 2001:db8:30::110
        set ipv6-prefix 64
        set dpd-retrycount 10
        set dpd-retryinterval 120
    next
end

config vpn ipsec phase2-interface
    edit "DYNAMIC"
        set phase1name "DYNAMIC"
        set proposal aes128-sha256 aes128-sha1 aes128-sha384 aes256-sha256
        set dhgrp 19 15 14
        set replay disable
        set keepalive enable
        set comments "IKEv2"
    next
end

 

Don't use DES or 3DES, and avoid dhgrp 5 or lower, IMHO.

 

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

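Both replies above (Ede's MD5-versus-SHA1 and PFS points, and emnoc's "your ciphers do not match") come down to one question: do the two proposal lists intersect at all? The script below is an added example, not code from this thread, from Fortinet or from strongSwan. It translates FortiOS "set proposal" tokens plus "set dhgrp" numbers into the enc-integ-dh triples strongSwan uses, intersects them with an ike=/esp= line, and flags any surviving algorithm that the repliers tell the poster to drop. Two things are this example's own modelling and not something the thread states: the DHGRP table lists only the groups named on this page, and a FortiOS phase2 with "set pfs disable" is represented as "no DH group in the ESP proposal". AEAD proposal names such as aes128gcm are not handled.

```python
"""Compare a FortiOS phase1/phase2 proposal set with a strongSwan ike=/esp=
line and list the combinations both sides would accept.

Added example for this forum thread; not code from the posts, Fortinet or
strongSwan. Models CBC+HMAC proposals only (no AEAD names).
"""

# FortiOS "set dhgrp N" numbers -> strongSwan group keywords (only the groups
# that appear on this page; extend as needed).
DHGRP = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048",
         "15": "modp3072", "16": "modp4096", "19": "ecp256", "20": "ecp384",
         "21": "ecp521"}

# What the two repliers say not to use: MD5, DES/3DES, DH group 5 or lower.
WEAK = {"md5", "des", "3des", "modp768", "modp1024", "modp1536"}


def parse_fortios(proposal, dhgrp=None):
    """'aes256-md5 aes256-sha1' with dhgrp '2' -> {(enc, integ, dh), ...}.

    dhgrp=None models a phase2 with 'set pfs disable': no DH group at all
    (this is the example's own modelling of FortiOS behaviour).
    """
    groups = [DHGRP[g] for g in dhgrp.split()] if dhgrp else [None]
    combos = set()
    for token in proposal.split():
        enc, integ = token.split("-", 1)
        combos.update((enc, integ, g) for g in groups)
    return combos


def parse_strongswan(proposal):
    """'3des-sha1-modp1024,aes256-sha1!' -> {(enc, integ, dh), ...}.

    A missing third element means no DH group; on an esp= line that means
    the client does not ask for PFS. Every ike= proposal on this page names
    its group explicitly, which this parser assumes.
    """
    combos = set()
    for token in proposal.rstrip("!").split(","):
        parts = token.strip().split("-")
        combos.add((parts[0], parts[1], parts[2] if len(parts) > 2 else None))
    return combos


def acceptable(fortios, strongswan):
    """Combinations present on both sides; an empty set means no agreement is possible."""
    return fortios & strongswan


def weak_parts(combos):
    """Algorithm names inside the accepted combinations that are on the WEAK list."""
    return {part for combo in combos for part in combo if part in WEAK}


def compare(label, fortios, strongswan):
    common = acceptable(fortios, strongswan)
    print(f"{label}: FortiOS offers    {sorted(fortios, key=str)}")
    print(f"{label}: strongSwan offers {sorted(strongswan, key=str)}")
    print(f"{label}: common = {sorted(common, key=str) or 'NONE'}; "
          f"weak = {sorted(weak_parts(common)) or '-'}")
    return common


if __name__ == "__main__":
    # Phase 1 as posted: aes256 + md5/sha1 + dhgrp 2 vs 3des-sha1-modp1024 -> no overlap
    compare("phase1", parse_fortios("aes256-md5 aes256-sha1", "2"),
            parse_strongswan("3des-sha1-modp1024!"))
    # Phase 2 as posted: FortiOS has pfs disable, the esp= line asks for modp1024 (PFS)
    compare("phase2", parse_fortios("aes256-md5 aes256-sha1"),
            parse_strongswan("3des-sha1-modp1024,3des-sha1-modp1024!"))
    # What the client would need to match the FortiGate exactly as posted
    compare("phase1 matched", parse_fortios("aes256-md5 aes256-sha1", "2"),
            parse_strongswan("aes256-sha1-modp1024!"))
    compare("phase2 matched", parse_fortios("aes256-md5 aes256-sha1"),
            parse_strongswan("aes256-sha1!"))
```

Run against the first post's configuration it reports no common phase1 combination (AES-256 on the FortiGate against 3DES on the client) and no common phase2 combination (the modp1024 on the esp= line asks for PFS, which the posted phase2 disables). The two "matched" runs show that the smallest client-side change which agrees with the FortiGate as posted still leaves modp1024 in the accepted set, which is why both replies push for a stronger FortiGate proposal rather than a weaker client.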
mariaczi
New Contributor

Hello.

@ede_pfau, @emnoc - thanks for your answers. They were very helpful. Now my strongSwan on Linux, as a client to the FortiGate, connects successfully. I will talk with the FortiGate admin about changing the crypto algorithms used in the FortiGate config to more secure ones.

emnoc
Esteemed Contributor III

What did you decide to use (PSK or RSA), and was the suggested strongSwan link helpful?

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

mariaczi
New Contributor

I kept using PSK after correcting my config file for strongSwan. I only read the post from socpuppet.blogspot.com.

mariaczi
New Contributor

Going ahead: now I'm able to establish a VPN tunnel from Linux using strongSwan as a client to the FortiGate (Cisco IPsec VPN), but I'm not able to ping any hosts on the local network behind this FortiGate. What is wrong in my config? The second thing: what should I change in my strongSwan config file to put all traffic from the client machine through the VPN tunnel? When I use FortiClient on Windows with the same IPsec VPN, everything works: I'm able to ping hosts on the local network behind the FortiGate and all traffic goes through the VPN tunnel.

# cat ipsec.conf
conn cisco
    fragmentation = yes
    keyexchange = ikev1
    aggressive = no
    reauth = yes
    forceencaps = no
    mobike = no
    rekey = yes
    installpolicy = yes
    type = tunnel
    #type = passthrough
    dpdaction = restart
    dpddelay = 10s
    dpdtimeout = 60s
    ikelifetime = 14400s
    lifetime = 3600s
    auto = add
    left = %defaultroute
    leftauth = psk
    leftauth2 = xauth
    leftsourceip = %config
    leftid = vpnuser@local
    xauth_identity=vpnuser
    right = IP_OF_REMOTE_VPN_SERVER
    rightid = IP_OF_REMOTE_VPN_SERVER
    # route all traffic via this tunnel
    rightsubnet = 0.0.0.0/0
    rightauth = psk
    ike = aes256-sha256-modp1536,aes256-sha1-modp1536!
    esp = aes256-sha256,aes256-sha1!

# ipsec up cisco
initiating Main Mode IKE_SA cisco[11] to IP_OF_REMOTE_VPN_SERVER
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 172.20.10.2[500] to IP_OF_REMOTE_VPN_SERVER[500] (216 bytes)
received packet: from IP_OF_REMOTE_VPN_SERVER[500] to 172.20.10.2[500] (200 bytes)
parsed ID_PROT response 0 [ SA V V V V V V ]
received NAT-T (RFC 3947) vendor ID
received DPD vendor ID
received XAuth vendor ID
received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00
received FRAGMENTATION vendor ID
received FRAGMENTATION vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 172.20.10.2[500] to IP_OF_REMOTE_VPN_SERVER[500] (332 bytes)
received packet: from IP_OF_REMOTE_VPN_SERVER[500] to 172.20.10.2[500] (316 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 172.20.10.2[4500] to IP_OF_REMOTE_VPN_SERVER[4500] (124 bytes)
received packet: from IP_OF_REMOTE_VPN_SERVER[4500] to 172.20.10.2[4500] (92 bytes)
parsed ID_PROT response 0 [ ID HASH ]
received packet: from IP_OF_REMOTE_VPN_SERVER[4500] to 172.20.10.2[4500] (92 bytes)
parsed TRANSACTION request 766558789 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
generating TRANSACTION response 766558789 [ HASH CPRP(X_USER X_PWD) ]
sending packet: from 172.20.10.2[4500] to IP_OF_REMOTE_VPN_SERVER[4500] (108 bytes)
received packet: from IP_OF_REMOTE_VPN_SERVER[4500] to 172.20.10.2[4500] (92 bytes)
parsed TRANSACTION request 1026179008 [ HASH CPS(X_STATUS) ]
XAuth authentication of '' (myself) successful
IKE_SA cisco[11] established between 172.20.10.2[@local]...IP_OF_REMOTE_VPN_SERVER[IP_OF_REMOTE_VPN_SERVER]
scheduling reauthentication in 13685s
maximum IKE_SA lifetime 14225s
generating TRANSACTION response 1026179008 [ HASH CPA(X_STATUS) ]
sending packet: from 172.20.10.2[4500] to IP_OF_REMOTE_VPN_SERVER[4500] (92 bytes)
generating TRANSACTION request 3583116127 [ HASH CPRQ(ADDR DNS) ]
sending packet: from 172.20.10.2[4500] to IP_OF_REMOTE_VPN_SERVER[4500] (92 bytes)
received packet: from IP_OF_REMOTE_VPN_SERVER[4500] to 172.20.10.2[4500] (108 bytes)
parsed TRANSACTION response 3583116127 [ HASH CPRP(ADDR DNS DNS) ]
installing DNS server 193.85.149.243 via resolvconf
installing DNS server 8.8.8.8 via resolvconf
installing new virtual IP 10.10.0.2
generating QUICK_MODE request 893811623 [ HASH SA No ID ID ]
sending packet: from 172.20.10.2[4500] to IP_OF_REMOTE_VPN_SERVER[4500] (220 bytes)
received packet: from IP_OF_REMOTE_VPN_SERVER[4500] to 172.20.10.2[4500] (172 bytes)
parsed QUICK_MODE response 893811623 [ HASH SA No ID ID ]
CHILD_SA cisco{13} established with SPIs c877d2c0_i 9fbf289c_o and TS 10.10.0.2/32 === IP_OF_REMOTE_VPN_SERVER/32
connection 'cisco' established successfully
# ipsec status
Security Associations (1 up, 0 connecting):
       cisco[11]: ESTABLISHED 5 minutes ago, 172.20.10.2[@local]...IP_OF_REMOTE_VPN_SERVER[IP_OF_REMOTE_VPN_SERVER]
       cisco{13}:  INSTALLED, TUNNEL, reqid 11, ESP in UDP SPIs: c877d2c0_i 9fbf289c_o
       cisco{13}:   10.10.0.2/32 === IP_OF_REMOTE_VPN_SERVER/32

# ip ru s
0: from all lookup local
220: from all lookup 220
32766: from all lookup main
32767: from all lookup default

# ip r s
default via 172.20.10.1 dev wlp2s0 proto dhcp metric 600
169.254.0.0/16 dev wlp2s0 scope link metric 1000
172.20.10.0/28 dev wlp2s0 proto kernel scope link src 172.20.10.2 metric 600

# ip r s t 220
IP_OF_REMOTE_VPN_SERVER via 172.20.10.1 dev wlp2s0 proto static src 10.10.0.2

# ping 10.10.0.1
PING 10.10.0.1 (10.10.0.1) 56(84) bytes of data.
^C
--- 10.10.0.1 ping statistics ---
52 packets transmitted, 0 received, 100% packet loss, time 52217ms

# ping 10.10.0.100
PING 10.10.0.100 (10.10.0.100) 56(84) bytes of data.
^C
--- 10.10.0.100 ping statistics ---
22 packets transmitted, 0 received, 100% packet loss, time 21480ms

10.10.0.0/16 is the local network behind the FortiGate. 10.10.0.1 is the IP of the FortiGate in this local network.

emnoc
Esteemed Contributor III

Do you have a local firewall? What does a traceroute show? Have you run diag debug on the FortiGate? Can you diag sniffer the interface that is the tunnel?

 

e.g

 

diag sniffer packet <tunnel-interface-name-from-phase1-interface> " icmp and host x.x.x.x"

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

mariaczi
New Contributor

No, I don't have a firewall on my Linux machine. `iptables` is clear; the default policy is set to ACCEPT. Traceroute shows that the traffic goes out via the default gateway of the local LAN from which I'm trying to connect to the FortiGate VPN concentrator. I use different IPs in this network than the network behind the FortiGate has. Sorry, but I don't have access to the FortiGate device.

emnoc
Esteemed Contributor III

If the packet is going out the default LAN, that is your problem. I would look at the route table and confirm.

 

  ip route show table <blah>

  ip rule 

 

tcpdump -i wlp2s0

 

NOTE: you should have had a vpn virtual adapter in the kernel. Typically it's called "ipsec0" or something to that degree.

 

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

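The poster's "tunnel is up but nothing behind it answers" report and emnoc's "check the route table" reply are two views of the same thing. In the posted ipsec status the negotiated traffic selector is 10.10.0.2/32 === <gateway>/32, not the 0.0.0.0/0 that rightsubnet asked for: in IKEv1 quick mode the responder may narrow the selector, strongSwan installs its XFRM policies and its table 220 route only for what was actually negotiated, and every other destination falls through to the main table and leaves the wireless interface in cleartext. The script below is an added example (not the poster's, emnoc's, or strongSwan's code) that reproduces that check offline from the outputs posted above. The gateway address is stood in by the documentation address 203.0.113.8, which is an assumption of this example; the route strings and status lines are otherwise copied from the thread.

```python
"""Cross-check what a strongSwan IKEv1 client negotiated against what it
asked for, and say where a given destination really goes.

Added example for this forum thread; not code from the posts or from
strongSwan. Inputs are the `ipsec status`, `ip route show` and
`ip route show table 220` output posted above, with the gateway address
stood in by 203.0.113.8 (TEST-NET-3) as an assumption.
"""
import ipaddress
import re

IPSEC_STATUS = """\
Security Associations (1 up, 0 connecting):
       cisco[11]: ESTABLISHED 5 minutes ago, 172.20.10.2[@local]...203.0.113.8[203.0.113.8]
       cisco{13}:  INSTALLED, TUNNEL, reqid 11, ESP in UDP SPIs: c877d2c0_i 9fbf289c_o
       cisco{13}:   10.10.0.2/32 === 203.0.113.8/32
"""
# Routing tables as printed by `ip route show` (main) and `ip route show table 220`;
# `ip rule` on the posted host consults table 220 before main.
MAIN_TABLE = """\
default via 172.20.10.1 dev wlp2s0 proto dhcp metric 600
169.254.0.0/16 dev wlp2s0 scope link metric 1000
172.20.10.0/28 dev wlp2s0 proto kernel scope link src 172.20.10.2 metric 600
"""
TABLE_220 = """\
203.0.113.8 via 172.20.10.1 dev wlp2s0 proto static src 10.10.0.2
"""
# What the posted ipsec.conf asked for: rightsubnet = 0.0.0.0/0.
REQUESTED_REMOTE = ipaddress.ip_network("0.0.0.0/0")

# Matches the "<conn>{n}:   <local nets> === <remote nets>" line of a CHILD_SA.
TS_LINE = re.compile(r"\{\d+\}:\s+(?P<local>[\d./ ]+?)\s*===\s*(?P<remote>[\d./ ]+?)\s*$", re.M)


def negotiated_selectors(status):
    """Traffic selectors of every installed CHILD_SA: [(local_nets, remote_nets), ...]."""
    return [([ipaddress.ip_network(n) for n in m["local"].split()],
             [ipaddress.ip_network(n) for n in m["remote"].split()])
            for m in TS_LINE.finditer(status)]


def parse_routes(text):
    """'<prefix|default> [via GW] dev DEV ...' lines -> [(network, gateway_or_None, dev)]."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        gw = fields[fields.index("via") + 1] if "via" in fields else None
        dev = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(prefix, strict=False), gw, dev))
    return routes


def lookup(dst, *tables):
    """Longest-prefix match, consulting tables in `ip rule` priority order."""
    dst = ipaddress.ip_address(dst)
    for table in tables:
        hits = [r for r in table if dst in r[0]]
        if hits:
            return max(hits, key=lambda r: r[0].prefixlen)
    return None


def is_protected(dst, selectors):
    """True if some CHILD_SA's remote selector covers dst, i.e. the XFRM policy will encrypt it."""
    dst = ipaddress.ip_address(dst)
    return any(dst in net for _, remote in selectors for net in remote)


def narrowed(requested, selectors):
    """True if no negotiated remote selector covers the whole requested subnet."""
    return not any(requested.subnet_of(net) for _, remote in selectors for net in remote)


def where_does_it_go(dst, status=IPSEC_STATUS, main=MAIN_TABLE, t220=TABLE_220):
    """For one destination: will it be encrypted, and which route carries it?"""
    sel = negotiated_selectors(status)
    route = lookup(dst, parse_routes(t220), parse_routes(main))
    return {"dst": dst,
            "encrypted": is_protected(dst, sel),
            "route": f"{route[0]} via {route[1]} dev {route[2]}" if route else "unreachable"}


if __name__ == "__main__":
    print("rightsubnet 0.0.0.0/0 narrowed by the peer:",
          narrowed(REQUESTED_REMOTE, negotiated_selectors(IPSEC_STATUS)))
    for dst in ("203.0.113.8", "10.10.0.1", "10.10.0.100", "8.8.8.8"):
        print(where_does_it_go(dst))
```

On the posted data only the gateway itself is reported as encrypted; 10.10.0.1, 10.10.0.100 and any Internet address all resolve to the default route via 172.20.10.1 on wlp2s0 with encrypted=False, which is exactly what the poster's traceroute showed. The fix therefore lies on the responder's phase2 selectors (or in a client-side rightsubnet the FortiGate will accept), not in the Linux routing tables, which strongSwan populates from the negotiated selectors; and a client that keeps sending after such a narrowing is silently bypassing the VPN, so this check belongs in any "tunnel up" health test.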