Support Forum
maxxer
New Contributor

Unable to establish connection to strongswan server

Hi.

I have a strongSwan server and a FortiGate 50E device running v6.0.9.

This is the configuration on the Fortinet side:

[screenshot of the FortiGate VPN configuration]

In strongswan I have:

config setup
        charondebug="ike 3, knl 3, cfg 3, net 3, esp 3, dmn 3, mgr 3"
        uniqueids=yes
        strictcrlpolicy=no
conn sts-base
    fragmentation=yes
    dpdaction=restart
    ike=aes256-sha256-modp3072
    esp=aes256-sha256
    keyingtries=%forever
    leftsubnet=172.16.12.0/24
    lifetime=86400

conn site-3-legacy-base
    keyexchange=ikev1
    rightid=L***
    also=sts-base
    ike=aes256-sha256-modp3072
    esp=aes256-sha256
    rightsubnet=192.168.4.0/24,192.168.5.0/24
    right=95.x.x.x
    leftauth=psk
    auto=start

In debug I have:

FGT-FgtIdentifier # ike 0:to VpnTunnelName:378: out 8AD3789557DB282D9AA1D56EDDD9184605100201000000000000006C6EFC8335B133C6267388C1A0BEB63B6A2CC4E120DE7627C9166D99AFF9EAE094E5368631BB2626D86B31FFED37F29DB6CC4E5D6B2E8B9A6FA79DF8FC03531CB7EB476EC1CE6240D586943E6A675E4695
ike 0:to VpnTunnelName:378: sent IKE msg (P1_RETRANSMIT): 192.168.1.2:4500->95.x.x.x:4500, len=108, id=8ad3789557db282d/9aa1d56eddd91846
ike 0: comes 62.11.245.232:500->192.168.1.2:500,ifindex=4....
ike 0: IKEv1 exchange=Identity Protection id=fc70f37fa6c9ee8d/0000000000000000 len=452
ike 0: in [hex dump omitted]
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: responder: main mode get 1st message...
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: VID FORTIGATE 8299031757A36082C6A621DE00000000
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: incoming proposal:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: proposal id = 0:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:   protocol id = ISAKMP:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:      trans_id = KEY_IKE.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:      encapsulation = IKE/none
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_GROUP, val=MODP2048.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: ISAKMP SA lifetime=86400
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: proposal id = 0:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:   protocol id = ISAKMP:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:      trans_id = KEY_IKE.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:      encapsulation = IKE/none
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_GROUP, val=MODP1536.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: ISAKMP SA lifetime=86400
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: proposal id = 0:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:   protocol id = ISAKMP:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:      trans_id = KEY_IKE.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:      encapsulation = IKE/none
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_GROUP, val=MODP2048.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: ISAKMP SA lifetime=86400
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: proposal id = 0:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:   protocol id = ISAKMP:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:      trans_id = KEY_IKE.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:      encapsulation = IKE/none
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_GROUP, val=MODP1536.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: ISAKMP SA lifetime=86400
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: proposal id = 0:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:   protocol id = ISAKMP:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:      trans_id = KEY_IKE.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:      encapsulation = IKE/none
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_HASH_ALG, val=SHA.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_GROUP, val=MODP2048.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: ISAKMP SA lifetime=86400
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: proposal id = 0:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:   protocol id = ISAKMP:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:      trans_id = KEY_IKE.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:      encapsulation = IKE/none
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_HASH_ALG, val=SHA.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_GROUP, val=MODP1536.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: ISAKMP SA lifetime=86400
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: proposal id = 0:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:   protocol id = ISAKMP:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:      trans_id = KEY_IKE.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:      encapsulation = IKE/none
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_HASH_ALG, val=SHA.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_GROUP, val=MODP2048.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: ISAKMP SA lifetime=86400
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: proposal id = 0:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:   protocol id = ISAKMP:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:      trans_id = KEY_IKE.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:      encapsulation = IKE/none
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_HASH_ALG, val=SHA.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_GROUP, val=MODP1536.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: ISAKMP SA lifetime=86400
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: negotiation failure
ike Negotiate ISAKMP SA Error: ike 0:fc70f37fa6c9ee8d/0000000000000000:383: no SA proposal chosen
ike 0:to VpnTunnelName:378: negotiation timeout, deleting
ike 0:to VpnTunnelName: connection expiring due to phase1 down
ike 0:to VpnTunnelName: deleting
ike 0:to VpnTunnelName: deleted
ike 0:to VpnTunnelName: schedule auto-negotiate
ike 0:to VpnTunnelName: auto-negotiate connection
ike 0:to VpnTunnelName: created connection: 0x424aff8 4 192.168.1.2->95.x.x.x:500.
ike 0:to VpnTunnelName:384: initiator: main mode is sending 1st message...
ike 0:to VpnTunnelName:384: cookie c10b9be64dc0d904/0000000000000000
ike 0:to VpnTunnelName:384: out [hex dump omitted]
ike 0:to VpnTunnelName:384: sent IKE msg (ident_i1send): 192.168.1.2:500->95.x.x.x:500, len=292, id=c10b9be64dc0d904/0000000000000000
ike 0: comes 95.x.x.x:500->192.168.1.2:500,ifindex=4....
ike 0: IKEv1 exchange=Identity Protection id=c10b9be64dc0d904/589d6282b4f462c9 len=164
ike 0: in C10B9BE64DC0D904589D6282B4F462C90110020000000000000000A40D00003C00000001000000010000003001010001000000280101000080010007800E0100800200048004000F80030001800B0001000C0004000151800D00000C09002689DFD6B7120D000014AFCAD71368A1F1C96B8696FC775701000D0000184048B7D56EBCE88525E7DE7F00D6C2D380000000000000144A131C81070358455C5728F20E95452F
ike 0:to VpnTunnelName:384: initiator: main mode get 1st response...
ike 0:to VpnTunnelName:384: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712
ike 0:to VpnTunnelName:384: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:to VpnTunnelName:384: DPD negotiated
ike 0:to VpnTunnelName:384: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D380000000
ike 0:to VpnTunnelName:384: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:to VpnTunnelName:384: selected NAT-T version: RFC 3947
ike 0:to VpnTunnelName:384: negotiation result
ike 0:to VpnTunnelName:384: proposal id = 1:
ike 0:to VpnTunnelName:384:   protocol id = ISAKMP:
ike 0:to VpnTunnelName:384:      trans_id = KEY_IKE.
ike 0:to VpnTunnelName:384:      encapsulation = IKE/none
ike 0:to VpnTunnelName:384:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:to VpnTunnelName:384:         type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:to VpnTunnelName:384:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:to VpnTunnelName:384:         type=OAKLEY_GROUP, val=MODP3072.
ike 0:to VpnTunnelName:384: ISAKMP SA lifetime=86400
ike 0:to VpnTunnelName:384: out [hex dump omitted]
ike 0:to VpnTunnelName:384: sent IKE msg (ident_i2send): 192.168.1.2:500->95.x.x.x:500, len=508, id=c10b9be64dc0d904/589d6282b4f462c9
ike 0: comes 95.x.x.x:500->192.168.1.2:500,ifindex=4....
ike 0: IKEv1 exchange=Identity Protection id=c10b9be64dc0d904/589d6282b4f462c9 len=524
ike 0: in C10B9BE64DC0D904589D6282B4F462C904100200000000000000020C0A00018494E5DE50E190B4D173E52E36616C64FEF471C0F85ACB206E8A76B32B425E35326F27ACF0C57CA5E6F50951E72E67F0798CEFA5525A40D6B4EBBCD7BD028EDF39A72DAA9B0D0D274A9DF0B21D37D72E03B9E188F08FD3C56E33CC1772AEF96B809CA4372FA9D1B3D0815722035722C85DC7B7CCDB96FF7D713A30327FAF173D8934B9D484D4F009A458A48A943D7B1A49F056E25E398A43832474F776339AB55D9298F0E15F79B14619882B8AD3B86094F04507A06FC651256ABEF72F090E5579EE9D138314A7F8C2184EBB68526149F2F375224B825CD78553E2089F00D60460A36F76EC46FE8B5B17EA07E15AC4FB8F79D3221ABD2FA47F0524AF025DB15A32B67EBC1D07996E62FE0FA1379DC320D54AFF6A0DA4EFE2EEAE112529F3103B8F49A524DBB9C9C4D72194E6B4CC002067F79337B46B365F5C95CD537EE18C4F41A947D641516023D7A705159BC61D109710FA6A5B20C99F87CC9CC0BE736EAA178E0D07B3282D669901298B40CD24C7EBBA64A72989441A9CE1E33DAFC57915A414000024965FEDABF0477240EAEA804FF51B9AE8ED87EF3B4C689DC2A192836D98440226140000241DC24402C80C6E7F1EA2A5EFACD8CD9684DDB75D14C9608C931254AF4D6A8E73000000247CA2BC74DD9D1E4D89993957656B637ECB524C9E69117E86ED55949C6C3DB026
ike 0:to VpnTunnelName:384: initiator: main mode get 2nd response...
ike 0:to VpnTunnelName:384: received NAT-D payload type 20
ike 0:to VpnTunnelName:384: received NAT-D payload type 20
ike 0:to VpnTunnelName:384: NAT detected: ME
ike 0:to VpnTunnelName:384: NAT-T float port 4500
ike 0:to VpnTunnelName:384: ISAKMP SA c10b9be64dc0d904/589d6282b4f462c9 key 32:A14C8EA6DCB45DD9A940941BDB0342AFB8D00E8153BC9EEABB117532FE53E6D0
ike 0:to VpnTunnelName:384: add INITIAL-CONTACT
ike 0:to VpnTunnelName:384: enc C10B9BE64DC0D904589D6282B4F462C905100201000000000000006B0800000F020000004C6F63616E64610B0000240E2C5E431EDC18A1A71432A2D63F3A735CF38FF3B15088600EA1C4DFA8DBAE540000001C0000000101106002C10B9BE64DC0D904589D6282B4F462C9
ike 0:to VpnTunnelName:384: out C10B9BE64DC0D904589D6282B4F462C905100201000000000000006C0A9523A71AA4D181655F68680E687AAE143646431BCF52A9AAE986F371BD20D0165F406F6525CE7BD4E99E87756AE721C2EA71E8B0D76B6DDAA3BAE63545FE806E4DABC6DBF23D09165665B8EBA17F4B
ike 0:to VpnTunnelName:384: sent IKE msg (ident_i3send): 192.168.1.2:4500->95.x.x.x:4500, len=108, id=c10b9be64dc0d904/589d6282b4f462c9
ike 0: comes 95.x.x.x:4500->192.168.1.2:4500,ifindex=4....
ike 0: IKEv1 exchange=Informational id=c10b9be64dc0d904/589d6282b4f462c9:3401b0f7 len=108
ike 0: in C10B9BE64DC0D904589D6282B4F462C9081005013401B0F70000006CCBD929F01609C09C15FB168C6027327324BD1D6560143B39C69FF01070831099C7520EDB88EBF51AC8CF9AFF5A8649CECE18DADC661F7EB7698D90A5ECEC8DB81EC258089F8E48EEBB2313BE63C33FF5

I don't get why I get all proposals with id = 0.

Also, those combinations are not offered by the server... Why? Thanks.
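Reading a dump like the one above is easier once the lines are grouped by the peer named in the preceding "comes A:port->B:port" line, because every incoming transform is printed as "proposal id = 0" and only the negotiation result carries a non-zero id. The Python script below is an added example for this thread, not code from the post: it parses a shortened, constructed excerpt of the debug above, attributes each proposal block to its peer, translates the FortiGate attribute names into strongSwan ike= notation, and marks which transforms are covered by the ike= line from ipsec.conf. On this excerpt it shows that the AES128/256 + SHA1/SHA256 + MODP2048/MODP1536 transforms arrive from 62.11.245.232 (that initiator also sends the FORTIGATE vendor ID), a different address from the 95.x.x.x peer whose own negotiation does settle on aes256-sha256-modp3072. The ENC and HASH name mappings are assumptions about FortiOS debug spelling taken from the values visible in this log, not a complete table.

```python
"""Group FortiGate 'diagnose debug application ike -1' output by peer address
and translate each Phase 1 transform into strongSwan ike= notation.
Added example for this thread; the name tables are assumptions drawn from
the values that appear in the posted log."""
import re
from collections import OrderedDict

# Constructed sample: lines excerpted from the first post's debug, shortened
# to two of the eight incoming transforms plus the final negotiation result.
SAMPLE_LOG = """\
ike 0: comes 62.11.245.232:500->192.168.1.2:500,ifindex=4....
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: responder: main mode get 1st message...
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: incoming proposal:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: proposal id = 0:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_GROUP, val=MODP2048.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: proposal id = 0:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_HASH_ALG, val=SHA.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_GROUP, val=MODP1536.
ike Negotiate ISAKMP SA Error: ike 0:fc70f37fa6c9ee8d/0000000000000000:383: no SA proposal chosen
ike 0: comes 95.x.x.x:500->192.168.1.2:500,ifindex=4....
ike 0:to VpnTunnelName:384: negotiation result
ike 0:to VpnTunnelName:384: proposal id = 1:
ike 0:to VpnTunnelName:384:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:to VpnTunnelName:384:         type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:to VpnTunnelName:384:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:to VpnTunnelName:384:         type=OAKLEY_GROUP, val=MODP3072.
"""

ENC = {"AES_CBC": "aes", "3DES_CBC": "3des"}          # assumed FortiOS names
HASH = {"SHA": "sha1", "SHA2_256": "sha256", "SHA2_384": "sha384",
        "SHA2_512": "sha512", "MD5": "md5"}

COMES_RE = re.compile(r"^ike 0: comes (\S+?):\d+->")
PROPOSAL_RE = re.compile(r": proposal id = \d+:")
ATTR_RE = re.compile(r"type=(\w+), val=(\w+)(?:, key-len=(\d+))?")


def to_strongswan(attrs):
    """Render one FortiGate Phase 1 transform as a strongSwan ike= term."""
    enc, keylen = attrs.get("OAKLEY_ENCRYPT_ALG", (None, None))
    alg = ENC.get(enc, (enc or "?").lower())
    if alg == "aes" and keylen:
        alg += keylen                      # "aes" + "256" -> "aes256"
    hash_name = HASH.get(attrs.get("OAKLEY_HASH_ALG", (None, None))[0], "?")
    group = attrs.get("OAKLEY_GROUP", ("?", None))[0].lower()
    return f"{alg}-{hash_name}-{group}"


def parse_ike_debug(text):
    """Return {peer_ip: {"proposals": [ike terms], "failed": bool}} in order seen.

    A 'comes A:port->B:port' line sets the peer for everything that follows;
    each 'proposal id =' line opens a new transform."""
    peers, peer, current = OrderedDict(), None, None
    for line in text.splitlines():
        m = COMES_RE.match(line)
        if m:
            peer = m.group(1)
            peers.setdefault(peer, {"proposals": [], "failed": False})
            current = None
            continue
        if peer is None:
            continue
        if PROPOSAL_RE.search(line):
            current = {}
            peers[peer]["proposals"].append(current)
            continue
        m = ATTR_RE.search(line)
        if m and current is not None:
            current[m.group(1)] = (m.group(2), m.group(3))
        elif "no SA proposal chosen" in line:
            peers[peer]["failed"] = True
    for info in peers.values():
        info["proposals"] = [to_strongswan(a) for a in info["proposals"]]
    return peers


def check_against(peers, ike_string):
    """Mark each peer's transforms True/False against a strongSwan ike= list."""
    accepted = {term.strip().rstrip("!") for term in ike_string.lower().split(",")}
    return {ip: [(p, p in accepted) for p in info["proposals"]]
            for ip, info in peers.items()}


if __name__ == "__main__":
    peers = parse_ike_debug(SAMPLE_LOG)
    for ip, rows in check_against(peers, "aes256-sha256-modp3072").items():
        status = "FAILED" if peers[ip]["failed"] else "ok"
        print(f"{ip} ({status}):")
        for term, ok in rows:
            print(f"  {term:<28} {'matches ike=' if ok else 'not in ike='}")
```

Feed the full output of `diagnose debug application ike -1` to `parse_ike_debug()` and pass your actual `ike=` line to `check_against()`; a peer whose every transform comes back False is the one that needs its proposal or DH group changed, and a peer address you do not recognise is not your strongSwan server at all.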

7 REPLIES
emnoc
Esteemed Contributor III

Okay, my observations:

1: I would not use modp3072. It's rarely supported or even used. DHGRP 14 would be much better supported.

2: I would not do your "conn"s like that. I'm even surprised that would work, but here's what I would do.

# move the common stuff to base
#
conn sts-base
    keyexchange=ikev1
    fragmentation=yes
    dpdaction=restart
    ike=aes256-sha256-modp3072
    esp=aes256-sha256
    keyingtries=%forever
    leftsubnet=172.16.12.0/24
    lifetime=86400
    leftauth=psk
    rightid=L****
    auto=start
    right=95.x.x.x

# define your phase2 and associate to base
#
conn site-3-1
    also=sts-base
    leftsubnet=172.16.12.0/24
    rightsubnet=192.168.4.0/24

conn site-3-2
    also=sts-base
    leftsubnet=172.16.12.0/24
    rightsubnet=192.168.5.0/24

Make sure, if iptables or firewalld is used, that you have a policy in the IN/OUT chain and for IKE.

Now, your GUI screenshot is not showing the whole picture, so here's a CLI format of the match.

FortiOS cfg:

config vpn ipsec phase1-interface
    edit "sts-base"
        set interface "wan1"    # put the correct public-facing interface here
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 16
        set remote-gw "strongswan public-ip"
        set psksecret "match ipsec.secrets    x.x.x.x  : PSK "
    next
end

config vpn ipsec phase2-interface
    edit "site-3-1"
        set phase1name "sts-base"
        set keylifeseconds 3600
        set keepalive enable
        set src-subnet 192.168.4.0/24
        set dst-subnet 172.16.12.0/24
    next
    edit "site-3-2"
        set phase1name "sts-base"
        set keepalive enable
        set keylifeseconds 3600
        set src-subnet 192.168.5.0/24
        set dst-subnet 172.16.12.0/24
    next
end

 

Make sure to have a route and a policy.

Try that, and if you still get errors, change dhgrp 16 to dhgrp 14 (modp2048) and see if that cleans up the connection.

strongswan
/* or strongswan status / statusall */
 ipsec status
 ipsec statusall

fortios
 diag vpn ike gateway
 diag vpn tunnel list

Also, I would look at FortiOS 6.2 as an upgrade direction at some future time.

 

Ken Felix
PCNSE
NSE
StrongSwan
maxxer
New Contributor

Thank you very much for your reply.

I picked the configuration from the strongSwan examples. Also, I found there are these limitations; that's why I did a single IPsec config with both subnets.

I will try a fresh config based on your suggestions, and will let you know.

Thanks again.

P.S. Yes, I am going to update to 6.2 as soon as I can get a timeslot for it.

maxxer
New Contributor

I finally was able to have a look at this again... Unfortunately without success.

I did some minor changes to your config:

* used rightid and set the corresponding one on the firewall
* had to omit set net-device disable because the device I'm currently testing on runs 6.0.2 (not upgraded yet)
* if I got it correctly there's a mismatch between the two DH key groups. Anyway, I tried all from 14 to 16 (modp2048 to modp4096)
* for failsafe I added both IP and ID in the secrets file, as I often had messages of secret not found on strongSwan

Anyway, I'm still stuck and unable to figure out what's wrong.

Thanks again for your feedback and support.

I'm posting all the relevant debug info.

# ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-123-generic, x86_64):
  uptime: 42 seconds, since May 04 17:17:19 2021
  malloc: sbrk 2342912, mmap 532480, used 1437152, free 905760
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
  loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke vici updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters
Listening IP addresses:
  STRONGSWAN_IP
  172.32.1.5
Connections:
    sts-base:  %any...FORTINET_PUBLIC_IP  IKEv1, dpddelay=30s
    sts-base:   local:  [STRONGSWAN_IP] uses pre-shared key authentication
    sts-base:   remote: [FORTINET_PUBLIC_IP] uses pre-shared key authentication
    sts-base:   child:  172.32.1.0/24 === dynamic TUNNEL, dpdaction=restart
    site-3-1:   child:  172.32.1.0/24 === 192.168.8.0/24 TUNNEL, dpdaction=restart
    site-3-2:   child:  172.32.1.0/24 === 192.168.9.0/24 TUNNEL, dpdaction=restart
Security Associations (0 up, 0 connecting):
  none

# cat /etc/ipsec.conf
conn sts-base
    keyexchange=ikev1
    fragmentation=yes
    dpdaction=restart
    ike=aes256-sha256-modp3072
    esp=aes256-sha256
    keyingtries=%forever
    leftsubnet=172.32.1.0/24
    lifetime=86400
    leftauth=psk
    rightauth=psk
    righid=Identifier01
    auto=start
    right=FORTINET_PUBLIC_IP

# define your phase2 and associate to base
conn site-3-1
    also=sts-base
    leftsubnet=172.32.1.0/24
    rightsubnet=192.168.8.0/24

conn site-3-2
    also=sts-base
    leftsubnet=172.32.1.0/24
    rightsubnet=192.168.9.0/24

# cat /etc/ipsec.secrets
FORTINET_PUBLIC_IP : PSK 'abc#qk!'
Identifier01 : PSK 'abc#qk!'


# syslog
May  4 17:17:20 vpn01 systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
May  4 17:17:20 vpn01 charon: 10[NET] received packet: from FORTINET_PUBLIC_IP[500] to STRONGSWAN_IP[500] (292 bytes)
May  4 17:17:20 vpn01 charon: 10[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V ]
May  4 17:17:20 vpn01 charon: 10[IKE] received NAT-T (RFC 3947) vendor ID
May  4 17:17:20 vpn01 charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
May  4 17:17:20 vpn01 charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
May  4 17:17:20 vpn01 charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
May  4 17:17:20 vpn01 charon: 10[ENC] received unknown vendor ID: 16:f6:ca:16:e4:a4:06:6d:83:82:1a:0f:0a:ea:a8:62
May  4 17:17:20 vpn01 charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
May  4 17:17:20 vpn01 charon: 10[IKE] received DPD vendor ID
May  4 17:17:20 vpn01 charon: 10[IKE] received FRAGMENTATION vendor ID
May  4 17:17:20 vpn01 charon: 10[IKE] received FRAGMENTATION vendor ID
May  4 17:17:20 vpn01 charon: 10[ENC] received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00
May  4 17:17:20 vpn01 charon: 10[IKE] FORTINET_PUBLIC_IP is initiating a Main Mode IKE_SA
May  4 17:17:20 vpn01 charon: 10[ENC] generating ID_PROT response 0 [ SA V V V V ]
May  4 17:17:20 vpn01 charon: 10[NET] sending packet: from STRONGSWAN_IP[500] to FORTINET_PUBLIC_IP[500] (164 bytes)
May  4 17:17:20 vpn01 charon: 09[NET] received packet: from FORTINET_PUBLIC_IP[500] to STRONGSWAN_IP[500] (508 bytes)
May  4 17:17:20 vpn01 charon: 09[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
May  4 17:17:20 vpn01 charon: 09[IKE] remote host is behind NAT
May  4 17:17:20 vpn01 charon: 09[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
May  4 17:17:20 vpn01 charon: 09[NET] sending packet: from STRONGSWAN_IP[500] to FORTINET_PUBLIC_IP[500] (524 bytes)
May  4 17:17:20 vpn01 charon: 12[NET] received packet: from FORTINET_PUBLIC_IP[4500] to STRONGSWAN_IP[4500] (108 bytes)
May  4 17:17:20 vpn01 charon: 12[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
May  4 17:17:20 vpn01 charon: 12[CFG] looking for pre-shared key peer configs matching STRONGSWAN_IP...FORTINET_PUBLIC_IP[Identifier01]
May  4 17:17:20 vpn01 charon: 12[IKE] no peer config found
May  4 17:17:20 vpn01 charon: 12[ENC] generating INFORMATIONAL_V1 request 3067967679 [ HASH N(AUTH_FAILED) ]
May  4 17:17:20 vpn01 charon: 12[NET] sending packet: from STRONGSWAN_IP[4500] to FORTINET_PUBLIC_IP[4500] (108 bytes)


# config
config vpn ipsec phase1-interface
    edit "sts-base"
        set interface "wan1"
        set peertype any
        set proposal aes256-sha256
        set localid "Identifier01"
        set dhgrp 15
        set remote-gw STRONGSWAN_IP
        set psksecret ENC X+abc==
    next
end
config vpn ipsec phase2-interface
    edit "site-3-1"
        set phase1name "sts-base"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set keepalive enable
        set keylifeseconds 3600
        set src-subnet 192.168.8.0 255.255.255.0
        set dst-subnet 172.32.1.0 255.255.255.0
    next
    edit "site-3-2"
        set phase1name "sts-base"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set keepalive enable
        set keylifeseconds 3600
        set src-subnet 192.168.9.0 255.255.255.0
        set dst-subnet 172.32.1.0 255.255.255.0
    next
end

# get vpn ipsec tunnel summary
'sts-base' STRONGSWAN_IP:0  selectors(total,up): 2/0  rx(pkt,err): 0/0  tx(pkt,err): 0/1


# Fortinet debug

FGT-Identifier01 # ike 0: comes STRONGSWAN_IP:500->192.168.1.2:500,ifindex=4....
ike 0: IKEv1 exchange=Identity Protection id=2761fa9214821b47/0000000000000000 len=240
ike 0: in 2761FA9214821B4700000000000000000110020000000000000000F00D00007400000001000000010000006800010003030000240101000080010007800E0100800200048004000F80030001800B0001800C2A30030000240201000080010007800E0080800200048004001380030001800B0001800C2A3000000018030100008004001380030001800B0001800C2A300D00000C09002689DFD6B7120D000014AFCAD71368A1F1C96B8696FC775701000D0000184048B7D56EBCE88525E7DE7F00D6C2D3800000000D0000144A131C81070358455C5728F20E95452F0000001490CB80913EBB696E086381B5EC427B1F
ike 0:2761fa9214821b47/0000000000000000:2778: responder: main mode get 1st message...
ike 0:2761fa9214821b47/0000000000000000:2778: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712
ike 0:2761fa9214821b47/0000000000000000:2778: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:2761fa9214821b47/0000000000000000:2778: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D380000000
ike 0:2761fa9214821b47/0000000000000000:2778: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:2761fa9214821b47/0000000000000000:2778: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
ike 0:2761fa9214821b47/0000000000000000:2778: negotiation result
ike 0:2761fa9214821b47/0000000000000000:2778: proposal id = 1:
ike 0:2761fa9214821b47/0000000000000000:2778:   protocol id = ISAKMP:
ike 0:2761fa9214821b47/0000000000000000:2778:      trans_id = KEY_IKE.
ike 0:2761fa9214821b47/0000000000000000:2778:      encapsulation = IKE/none
ike 0:2761fa9214821b47/0000000000000000:2778:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:2761fa9214821b47/0000000000000000:2778:         type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:2761fa9214821b47/0000000000000000:2778:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:2761fa9214821b47/0000000000000000:2778:         type=OAKLEY_GROUP, val=MODP3072.
ike 0:2761fa9214821b47/0000000000000000:2778: ISAKMP SA lifetime=86400
ike 0:2761fa9214821b47/0000000000000000:2778: SA proposal chosen, matched gateway sts-base
ike 0: found sts-base 192.168.1.2 4 -> STRONGSWAN_IP:500
ike 0:sts-base:2778: selected NAT-T version: RFC 3947
ike 0: comes STRONGSWAN_IP:500->192.168.1.2:500,ifindex=4....
ike 0: IKEv1 exchange=Identity Protection id=2761fa9214821b47/afc986d6414ec9a6 len=524
ike 0: in [hex dump omitted]
ike 0: comes STRONGSWAN_IP:4500->192.168.1.2:4500,ifindex=4....
ike 0: IKEv1 exchange=Identity Protection id=2761fa9214821b47/afc986d6414ec9a6 len=108
ike 0: in 2761FA9214821B47AFC986D6414EC9A605100201000000000000006C0447B06DBEF21E97290F734027CFD481273710E21D9DB94136BED68A3B9A9DE5F78C82CF2543B94AD13C80C9370B94F184FD2463CAAFBCE575CD68564C8D33F278D203D6C2F1F9028A9C628665751DAA
ike 0:sts-base: carrier up
ike 0: comes STRONGSWAN_IP:4500->192.168.1.2:4500,ifindex=4....
ike 0: IKEv1 exchange=Informational id=2761fa9214821b47/afc986d6414ec9a6:3168e506 len=108
ike 0: in 2761FA9214821B47AFC986D6414EC9A6081005013168E5060000006C53E0BF94246E8A781E8AFFAB109D1E03190B8F91471F39CE2965023CFA102248C36E77963E693866442BEC56550C52A982B1C49DA6DA4BF40020316C8687BD84652B56B101CA1F5FAF06AE36A6096BCD
ike 0:sts-base: carrier down
ike 0: comes STRONGSWAN_IP:500->192.168.1.2:500,ifindex=4....
ike 0: IKEv1 exchange=Identity Protection id=52ee2e43b9d233cc/aa83ea66bf3f46b3 len=164
ike 0: in 52EE2E43B9D233CCAA83EA66BF3F46B30110020000000000000000A40D00003C00000001000000010000003001010001000000280101000080010007800E0100800200048004000F80030001800B0001000C0004000151800D00000C09002689DFD6B7120D000014AFCAD71368A1F1C96B8696FC775701000D0000184048B7D56EBCE88525E7DE7F00D6C2D380000000000000144A131C81070358455C5728F20E95452F
ike 0: comes STRONGSWAN_IP:500->192.168.1.2:500,ifindex=4....
ike 0: IKEv1 exchange=Identity Protection id=52ee2e43b9d233cc/aa83ea66bf3f46b3 len=524
ike 0: in [hex dump omitted]
ike 0: comes STRONGSWAN_IP:4500->192.168.1.2:4500,ifindex=4....
ike 0: IKEv1 exchange=Informational id=52ee2e43b9d233cc/aa83ea66bf3f46b3:b6dd78bf len=108
ike 0: in 52EE2E43B9D233CCAA83EA66BF3F46B308100501B6DD78BF0000006CBFE53268A6CC52F6C88E7CF954624FF512A38B6211012D2DD6E0F88B4F2B8EAA8D1D69B86C45D8DCCE2D474ABBB7DCEBE63C8F66F2D14BAA862B84DD76761BEF708F912A5A4B2EBE73E8B50C2BF4B156
ike shrank heap by 126976 bytes
ike 0: comes STRONGSWAN_IP:500->192.168.1.2:500,ifindex=4....
ike 0: IKEv1 exchange=Identity Protection id=38a5b41bfa29f04e/a41b8884f4e89d6a len=164
ike 0: in 38A5B41BFA29F04EA41B8884F4E89D6A0110020000000000000000A40D00003C00000001000000010000003001010001000000280101000080010007800E0100800200048004000F80030001800B0001000C0004000151800D00000C09002689DFD6B7120D000014AFCAD71368A1F1C96B8696FC775701000D0000184048B7D56EBCE88525E7DE7F00D6C2D380000000000000144A131C81070358455C5728F20E95452F
ike 0: comes STRONGSWAN_IP:500->192.168.1.2:500,ifindex=4....
ike 0: IKEv1 exchange=Identity Protection id=38a5b41bfa29f04e/a41b8884f4e89d6a len=524
ike 0: in [hex dump omitted]
ike 0: comes STRONGSWAN_IP:4500->192.168.1.2:4500,ifindex=4....
ike 0: IKEv1 exchange=Informational id=38a5b41bfa29f04e/a41b8884f4e89d6a:8f8dece2 len=108
ike 0: in 38A5B41BFA29F04EA41B8884F4E89D6A081005018F8DECE20000006CDB395C20A27369C90BCC862D20257E46D57CC77E22B3CBF47D7EECFB8115158989169C001E50B182249500233F4DCEFC929555E0D53150A84F8C192646F84C5EA2D848CE2029B90E4BABCBDF55CBAFDE
ike 0: comes STRONGSWAN_IP:500->192.168.1.2:500,ifindex=4....
ike 0: IKEv1 exchange=Identity Protection id=dd22d4d8e3e615ad/a764fe7b215be79b len=164
ike 0: in DD22D4D8E3E615ADA764FE7B215BE79B0110020000000000000000A40D00003C00000001000000010000003001010001000000280101000080010007800E0100800200048004000F80030001800B0001000C0004000151800D00000C09002689DFD6B7120D000014AFCAD71368A1F1C96B8696FC775701000D0000184048B7D56EBCE88525E7DE7F00D6C2D380000000000000144A131C81070358455C5728F20E95452F
ike 0: comes STRONGSWAN_IP:500->192.168.1.2:500,ifindex=4....
ike 0: IKEv1 exchange=Identity Protection id=dd22d4d8e3e615ad/a764fe7b215be79b len=524
ike 0: in [hex dump omitted]
ike 0: comes STRONGSWAN_IP:4500->192.168.1.2:4500,ifindex=4....
ike 0: IKEv1 exchange=Informational id=dd22d4d8e3e615ad/a764fe7b215be79b:bdacbbe6 len=108
ike 0: in DD22D4D8E3E615ADA764FE7B215BE79B08100501BDACBBE60000006C029416414DB3DB915970AFD1967D1F08C303529FE2587D4057FCE113639024FAD4CCFCD5B9B27EC1FA75215027C757D3E874D90207868B383AD838E8EA8454377C492923D7C2AB517D19A270DA2831FA
ike 0: comes STRONGSWAN_IP:500->192.168.1.2:500,ifindex=4....
ike 0: IKEv1 exchange=Identity Protection id=4c829109074c5d68/7600779e229a9719 len=164
ike 0: in 4C829109074C5D687600779E229A97190110020000000000000000A40D00003C00000001000000010000003001010001000000280101000080010007800E0100800200048004000F80030001800B0001000C0004000151800D00000C09002689DFD6B7120D000014AFCAD71368A1F1C96B8696FC775701000D0000184048B7D56EBCE88525E7DE7F00D6C2D380000000000000144A131C81070358455C5728F20E95452F
ike 0: comes STRONGSWAN_IP:500->192.168.1.2:500,ifindex=4....
ike 0: IKEv1 exchange=Identity Protection id=4c829109074c5d68/7600779e229a9719 len=524
ike 0: in [hex dump omitted]
ike 0: comes STRONGSWAN_IP:4500->192.168.1.2:4500,ifindex=4....
ike 0: IKEv1 exchange=Informational id=4c829109074c5d68/7600779e229a9719:070f32a5 len=108
ike 0: in 4C829109074C5D687600779E229A971908100501070F32A50000006C69771E04AB6DAB20CB042C65E7175228021CB49892566C9E6C6708D9086873925E1D41362C59785D9C0C26F8691BF19EBEDED75A20547B861E5CC40F1F3D6FE5A0F903C4003BE64985ED64E50AC40CBB
ike 0: comes STRONGSWAN_IP:500->192.168.1.2:500,ifindex=4....
ike 0: IKEv1 exchange=Identity Protection id=98475cd064d39e86/8f8caccf85271506 len=164
ike 0: in 98475CD064D39E868F8CACCF852715060110020000000000000000A40D00003C00000001000000010000003001010001000000280101000080010007800E0100800200048004000F80030001800B0001000C0004000151800D00000C09002689DFD6B7120D000014AFCAD71368A1F1C96B8696FC775701000D0000184048B7D56EBCE88525E7DE7F00D6C2D380000000000000144A131C81070358455C5728F20E95452F
ike 0: comes STRONGSWAN_IP:500->192.168.1.2:500,ifindex=4....
ike 0: IKEv1 exchange=Identity Protection id=98475cd064d39e86/8f8caccf85271506 len=524
ike 0: in [hex dump omitted]
ike 0: comes STRONGSWAN_IP:4500->192.168.1.2:4500,ifindex=4....
ike 0: IKEv1 exchange=Informational id=98475cd064d39e86/8f8caccf85271506:3ea3779e len=108
ike 0: in 98475CD064D39E868F8CACCF85271506081005013EA3779E0000006C0D3ED58B1271FC88583F7BFE5D08D9B16A781DF3F2F15C2F427515291C2B2E474A08F05F3833716C44CDE01FE79E9DB937BCD55863E34481891100A2869F7D072CBA93AC7BB0C2371FF602C6B5D7441E
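The charon lines "looking for pre-shared key peer configs matching STRONGSWAN_IP...FORTINET_PUBLIC_IP[Identifier01]" followed by "no peer config found" say that the FortiGate presented the FQDN identity Identifier01 and no conn expects it. The statusall above shows why: the remote is listed as [FORTINET_PUBLIC_IP], so the rightid never took effect, and the posted conn spells the keyword righid, which is not a valid option (starter logs an unknown-keyword warning and loads the conn without it), leaving the remote identity at its default, the right= address. The Python script below is an added example for this thread, not code from either post: it parses a conn layout like the one above (including the also= inheritance suggested in the earlier reply), flags keywords that are not valid conn options, applies a simplified model of strongSwan's identity typing, and reports whether the identity taken from the charon log would match, first for the posted config and then with the typo corrected. The keyword set is partial, ike_identity() is an approximation of strongSwan's parsing rules, and the RFC 5737 addresses 203.0.113.10 and 198.51.100.5 stand in for FORTINET_PUBLIC_IP and STRONGSWAN_IP.

```python
"""Lint a strongSwan ipsec.conf conn layout and predict charon's IKEv1
'peer config match remote' result for the identity a FortiGate sends.
Added example for this thread, not code from the posts. The keyword list is
partial and ike_identity() is a simplified model of strongSwan's identity
parsing; 203.0.113.10 / 198.51.100.5 stand in for the masked addresses."""
import ipaddress
import re

# Legal conn keywords used on this page plus a few common ones (partial list).
KNOWN_CONN_KEYWORDS = {
    "also", "auto", "keyexchange", "fragmentation", "dpdaction", "dpddelay",
    "ike", "esp", "keyingtries", "lifetime", "ikelifetime", "left", "leftid",
    "leftsubnet", "leftauth", "right", "rightid", "rightsubnet", "rightauth",
    "authby", "type", "rekey",
}

# Constructed copy of the ipsec.conf posted above: base conn plus one child
# inheriting via also=; note the misspelled keyword in the base conn.
POSTED_IPSEC_CONF = """\
conn sts-base
    keyexchange=ikev1
    ike=aes256-sha256-modp3072
    esp=aes256-sha256
    leftsubnet=172.32.1.0/24
    leftauth=psk
    rightauth=psk
    righid=Identifier01
    auto=start
    right=203.0.113.10

conn site-3-1
    also=sts-base
    rightsubnet=192.168.8.0/24
"""
FIXED_IPSEC_CONF = POSTED_IPSEC_CONF.replace("righid=", "rightid=")

# Constructed charon line in the shape of the one in the syslog above.
CHARON_LINE = ("May  4 17:17:20 vpn01 charon: 12[CFG] looking for pre-shared key "
               "peer configs matching 198.51.100.5...203.0.113.10[Identifier01]")
LOOKUP_RE = re.compile(r"peer configs matching (\S+)\.\.\.(\S+)\[(.*)\]")


def parse_ipsec_conf(text):
    """Return (raw_conns, resolved_conns); resolved has also= merged in."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():                 # section header: "conn NAME"
            kind, _, name = line.partition(" ")
            cur = conns.setdefault(name.strip(), {}) if kind == "conn" else None
            continue
        if cur is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            cur[key.strip()] = value.strip()
    resolved = {}
    for name, kw in conns.items():
        merged = dict(conns.get(kw.get("also", ""), {}))   # base conn first
        merged.update({k: v for k, v in kw.items() if k != "also"})
        resolved[name] = merged
    return conns, resolved


def unknown_keywords(conns):
    """Per conn, keywords that are not valid options (the righid typo shows here)."""
    return {name: sorted(set(kw) - KNOWN_CONN_KEYWORDS)
            for name, kw in conns.items() if set(kw) - KNOWN_CONN_KEYWORDS}


def ike_identity(value):
    """Approximate strongSwan identity typing: %any, IPv4, @fqdn, user@host, fqdn."""
    if value in ("", "%any"):
        return ("ID_ANY", "")
    try:
        return ("ID_IPV4_ADDR", str(ipaddress.IPv4Address(value)))
    except ValueError:
        pass
    if value.startswith("@"):
        return ("ID_FQDN", value[1:])
    if "@" in value:
        return ("ID_RFC822_ADDR", value)
    return ("ID_FQDN", value)


def remote_identity(conn):
    """What charon expects from the peer: rightid= if set, else the right= address."""
    return ike_identity(conn.get("rightid", conn.get("right", "%any")))


def peer_config_matches(conn, received_id):
    """Mimic 'peer config match remote': 1 on match, 0 otherwise."""
    expected = remote_identity(conn)
    return 1 if expected[0] == "ID_ANY" or expected == ike_identity(received_id) else 0


def received_identity(charon_line):
    """Pull the peer identity out of charon's 'looking for ... peer configs' line."""
    m = LOOKUP_RE.search(charon_line)
    return m.group(3) if m else ""


def diagnose(conf_text, charon_line):
    """Unknown keywords plus the per-conn match result for the logged identity."""
    raw, conns = parse_ipsec_conf(conf_text)
    peer_id = received_identity(charon_line)
    return {
        "received": ike_identity(peer_id),
        "unknown_keywords": unknown_keywords(raw),
        "matches": {name: peer_config_matches(c, peer_id) for name, c in conns.items()},
    }


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_IPSEC_CONF), ("fixed", FIXED_IPSEC_CONF)):
        print(label, diagnose(conf, CHARON_LINE))
```

With the posted file the script reports righid as unknown and a match of 0 for both conns; with rightid=Identifier01 both match. The secrets file is a separate step: in IKEv1 main mode the ID payload is still encrypted when charon has to pick the PSK, so the key is selected by the peer's IP address, and the FORTINET_PUBLIC_IP : PSK line is the one that has to be present.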

maxxer
New Contributor

I've upgraded to 6.2, but things seem to be worse now: strongSwan is unable to find the PSK.

I tried different formats of ipsec.secrets, but it's unable to find it:

53:74:65:6c:cc:bc : PSK "abc"
@forti_public_ip : PSK "abc"
Stelle : PSK "abc"
%any : PSK "abc"

Also, I don't understand why the peer remote is being identified by ID_FQDN while in the FortiGate I've set a custom identifier (Stelle).

May 26 12:23:03 vpn01 charon: 03[NET] received packet: from forti_public_ip[4500] to strongswan_public_ip[4500] 
May 26 12:23:03 vpn01 charon: 03[NET] waiting for data on sockets
May 26 12:23:03 vpn01 charon: 10[MGR] checkout IKEv1 SA by message with SPIs 09bd61cae4af6a6e_i e07c927aff4aa389_r
May 26 12:23:03 vpn01 charon: 10[MGR] IKE_SA (unnamed)[17] successfully checked out
May 26 12:23:03 vpn01 charon: 10[NET] received packet: from forti_public_ip[4500] to strongswan_public_ip[4500] (108 bytes)
May 26 12:23:03 vpn01 charon: 10[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
May 26 12:23:03 vpn01 charon: 10[CFG] looking for pre-shared key peer configs matching strongswan_public_ip...forti_public_ip[Stelle]
May 26 12:23:03 vpn01 charon: 10[CFG] peer config match local: 1 (ID_ANY)
May 26 12:23:03 vpn01 charon: 10[CFG] peer config match remote: 0 (ID_FQDN -> 53:74:65:6c:cc:bc)
May 26 12:23:03 vpn01 charon: 10[CFG] ike config match: 2076 (strongswan_public_ip forti_public_ip IKEv1)
May 26 12:23:03 vpn01 charon: 10[IKE] no peer config found
May 26 12:23:03 vpn01 charon: 10[IKE] queueing INFORMATIONAL task
May 26 12:23:03 vpn01 charon: 10[IKE] activating new tasks
May 26 12:23:03 vpn01 charon: 10[IKE] activating INFORMATIONAL task
May 26 12:23:03 vpn01 charon: 10[IKE] Hash => 32 bytes @ 0x7fba6c001d60
May 26 12:23:03 vpn01 charon: 10[IKE] 0: 4F D8 8E DB FC 7B 54 CF 2C 9A C5 BF 44 66 44 07 O....{T.,...DfD.
May 26 12:23:03 vpn01 charon: 10[IKE] 16: D5 D2 CD DD D8 A6 15 06 F6 C2 D5 77 1E 87 A0 B5 ...........w....
May 26 12:23:03 vpn01 charon: 10[ENC] generating INFORMATIONAL_V1 request 3749617615 [ HASH N(AUTH_FAILED) ]
May 26 12:23:03 vpn01 charon: 10[NET] sending packet: from strongswan_public_ip[4500] to forti_public_ip[4500] (108 bytes)

 

Fortinet config:

config vpn ipsec phase1-interface
    edit "sts-base"
        set interface "wan1"
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set localid "Stelle"
        set dhgrp 15
        set remote-gw strongswan_public_ip
        set psksecret "abc"
    next
end
config vpn ipsec phase2-interface
    edit "site-3-1"
        set phase1name "sts-base"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set keepalive enable
        set keylifeseconds 3600
        set src-subnet 192.168.8.0 255.255.255.0
        set dst-subnet 172.32.1.0 255.255.255.0
    next
    edit "site-3-2"
        set phase1name "sts-base"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set keepalive enable
        set keylifeseconds 3600
        set src-subnet 192.168.9.0 255.255.255.0
        set dst-subnet 172.32.1.0 255.255.255.0
    next
end

I omitted that the Fortinet is NATted behind a modem, but apparently NAT-T is correctly detected and implemented.

emnoc
Esteemed Contributor III

Play it safe and 1st set the leftid to be "leftid=%any" for starters, restart the ipsec and monitor? Does the vpn come up? Did you do diag debug app ike -1? If yes, what does the fortigate see or say? On the fortigate, or on the linux/unix host, did you run any pcap dumps?

i.e.

    tcpdump -nnnnvvv -i eth0 "udp and port 500 or 4500" 

What address do you see coming in? The nat'd address of the FGT? Are the udp datagrams two-way traffic? Are you sending anything back? Does the fortigate complain on IKE-AUTH or psk-mismatch or what?

 

 

On the PSK, your ipsec.secrets is wrong (typo or missing space); the format is similar to

#
#
#
x.x.x.x  : PSK "abc123"
#
# that space is required; x.x.x.x:PSK is wrong and will not work but does not give immediate errors in the logs
#
#

I would rekey the file for the address and then give it a spin.

 

Tip on the secrets: if you suspect issues using ipsec.secrets and want to simplify, use "%any" for now and then lock it in once you work the bugs out.

e.g.

%any : PSK "abc123"

 

Tip 2:

On the fortigate I would use a localid of fqdn in the phase1 versus simple ascii strings. A lot of firewalls seem not to recognize that and/or it causes issues. So use fqdn if you can't use ipv4-identity; in your case ipv4 identity will not work or should not be used unless you do %any on strongswan.

So I would do mine in this example

# example fqdn
config vpn ipsec phase1-interface
    edit "strongswanServerOCP"
        set interface "wan1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256
        set localid "vpn1.yourdomain.com"
        set localid-type fqdn
        set remote-gw 222.222.222.222
        set psksecret abc123ItIsmeI'mSoFree
    next
end

 

 

Hope that helps and gets you further down the line. Make sure you run pcap at least on the strongswan for IKE and you can always diagnose pcap for IKEv1 for mismatch proposal, improper ike-identity format, or just for looking for two-way traffic etc....

Ken Felix

PCNSE
NSE
StrongSwan
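A small checker for the ipsec.secrets line format emnoc describes, as an added example that is not part of this thread or of strongSwan's own code. It parses the `selectors : PSK secret` line form, reports lines without a space-surrounded `:` (the `x.x.x.x:PSK` mistake, which strongSwan ignores rather than flagging), and picks the entry for a given local/remote identity pair. The preference rule in `match_secret` (both identities matched, then one, then a `%any` entry) is a simplification assumed here for illustration, and the sample file content is constructed.

```python
"""Checker for the strongSwan ipsec.secrets PSK line format.

Added example for this thread; not strongSwan's own code.  Assumed line form
(from the ipsec.secrets man page):

    [<selector> ...] : PSK <secret>

Selectors are IP addresses, @fqdn identities or %any, separated by spaces,
and the ':' must stand alone, surrounded by whitespace.  Lines that break
that rule are silently skipped by strongSwan, so this checker reports them.
The preference rule in match_secret() (both identities matched, then one,
then a %any entry) is a simplification assumed here.
"""
import ipaddress

# Constructed sample content.  Line 2 reproduces the missing-space mistake
# from the thread ('x.x.x.x:PSK'); lines 3-5 are well formed.
SAMPLE_SECRETS = """\
# constructed sample ipsec.secrets
203.0.113.10:PSK "abc123"
203.0.113.10 : PSK "abc123"
@vpn1.example.com 198.51.100.7 : PSK "another secret"
%any : PSK "fallback"
"""


def normalize_id(token):
    """Canonical form of a selector or IKE identity for comparison."""
    token = token.strip()
    if token == "%any":
        return "%any"
    if token.startswith("@"):          # strongSwan's FQDN/keyid prefix
        token = token[1:]
    try:
        return str(ipaddress.ip_address(token))
    except ValueError:
        return token.lower()


def parse_secrets(text):
    """Return (entries, problems).

    entries: list of (selectors, secret, lineno); selectors is a list of
    normalized ids, ['%any'] when the line had none.
    problems: list of (lineno, message) for lines strongSwan would skip.
    """
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if ":" not in tokens:
            problems.append((lineno, "no standalone ':' (missing space, "
                                     "e.g. 'x.x.x.x:PSK'); line ignored"))
            continue
        sep = tokens.index(":")
        selectors, rest = tokens[:sep], tokens[sep + 1:]
        if not rest or rest[0].upper() != "PSK":
            problems.append((lineno, "not a PSK entry (only PSK handled here)"))
            continue
        secret = " ".join(rest[1:])
        if not secret:
            problems.append((lineno, "PSK keyword without a secret"))
            continue
        if len(secret) >= 2 and secret[0] == secret[-1] == '"':
            secret = secret[1:-1]          # strip the surrounding quotes
        entries.append(([normalize_id(s) for s in selectors] or ["%any"],
                        secret, lineno))
    return entries, problems


def match_secret(entries, local_id, remote_id):
    """Pick the (secret, lineno) for an identity pair, or None."""
    ids = (normalize_id(local_id), normalize_id(remote_id))
    best, best_score = None, -1
    for selectors, secret, lineno in entries:
        score = sum(1 for i in ids if i in selectors)
        if score == 0 and "%any" not in selectors:
            continue                       # entry does not apply to this pair
        if score > best_score:             # first entry wins on a tie
            best, best_score = (secret, lineno), score
    return best


if __name__ == "__main__":
    ents, probs = parse_secrets(SAMPLE_SECRETS)
    for lineno, msg in probs:
        print(f"line {lineno}: {msg}")
    print(match_secret(ents, "198.51.100.7", "@vpn1.example.com"))
```

Run it against your real file to see which lines strongSwan will never consider, and which entry a given local/remote identity pair would select; the `%any` fallback emnoc recommends shows up as the entry with no matched selectors.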
sw2090
Honored Contributor

I've only done strongswan dialling into a FGT up to now with success. But if that could be of any help let me know...

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
maxxer
New Contributor

I managed to get it working by creating a new secret and pasting it directly into the GUI and in ipsec.secrets. After that P1 was up, but there was still a mismatch for P2.

 

I changed

esp=aes256-sha256-modp3072

and finally both P2s were up.

 

Thanks again for the help
