<div dir="ltr"><div class="gmail_quote"><div dir="ltr"><div><div><div><div><div><div><div>Hello,<br><br></div><div>My problem is the following:<br></div><div>I can't use ikev2 in an environment with a roadwarrior with virtual IP.<br>
</div><div>It works perfectly with ikev1 without changing any other parameters.<br>
</div><div><br></div>My setup is the following:<br><br></div>- roadwarrior on Ubuntu 12.04 64-bit using strongSwan 4.5.2-1.5ubuntu2<br></div>- VPN gateway: FortiGate 60D with the latest version, v5.0, build0252 (GA Patch 5)<br>
<br></div>Using ikev1 it works perfectly but when I change to ikev2 it doesn't finish well:<br>- phase 1 and 2 are correctly negotiated<br>- a dynamic tunnel is created (SPI c07d9c83)<br>but immediately after that, the VPN gateway deletes the SA and tells the roadwarrior to do the same.<br>
I'm getting the following error: "internal address failure" (see line 87 in the FortiGate log)<br><br></div>What's wrong? Does ikev2 need a specific configuration? Can't I just change from ikev1 to ikev2 "like that"?<br>
<br></div><div>Below is my configuration from strongSwan and FortiGate.<br></div><div>The logs are attached.<br></div><div><br></div>Thanks in advance!<br><br><br><font face="courier new,monospace">config setup<br> charonstart=yes<br>
plutostart=no<br> charondebug=none<br> nat_traversal=yes<br> plutostderrlog=/logIPSEC<br><br>ca mi<br> cacert=IGC-SPAN_cacert.pem<br><br>conn %default<br> keyingtries=2<br> authby=secret<br><br>conn nomade-frontal<br>
type=tunnel<br> ike=aes256-sha512-modp2048!<br> esp=aes256-sha512-modp2048!<br> dpddelay = 30s<br> dpdaction=restart<br> left=%defaultroute<br> leftsourceip=172.16.69.69<br> keyexchange=ikev2<br>
pfs=yes<br>
leftfirewall=yes<br> right=10.237.4.183<br> rightsubnet=<a href="http://10.0.0.0/8" target="_blank">10.0.0.0/8</a><br> auto=start<br><br>include /var/lib/strongswan/ipsec.conf.inc<br><br><br></font></div><div>
<font face="courier new,monospace"><span style="font-family:arial,helvetica,sans-serif">The FortiGate conf:</span><br>
<br><br>config vpn ipsec phase1<br> edit "test PSK"<br> set type dynamic<br> set interface "dmz"<br> set ike-version 2<br> set local-gw 0.0.0.0<br> set nattraversal enable<br>
set dhgrp 14<br> set keylife 28800<br> set authmethod psk<br> set peertype any<br> set xauthtype disable<br> set mode main<br> set autoconfig disable<br> set proposal aes256-sha512<br>
set localid ''<br> set localid-type auto<br> set negotiate-timeout 30<br> set fragmentation enable<br> set dpd enable<br> set forticlient-enforcement disable<br> set npu-offload enable<br>
set psksecret ENC Qj0KcxVdRLqoYcJbWNPsjyI12nLO1y8x8arjsTQHVMr6XIt/oNgTJ/yoKapZ8zhX+Y1Dag6xgH1TuYWIliBr+otHSgO8OeU3x4JkGWVtVmLWXxGHqSlpEMddJMlevTjH2fdmFuMUnH7UhSVis2s6OoMfSMVghYO+6mKsIj5x/XHzHtYxBpkmucsldhOlFaqpVOhUiw==<br>
set keepalive 10<br> set distance 1<br> set priority 0<br> set auto-negotiate enable<br> set dpd-retrycount 3<br> set dpd-retryinterval 5<br> next<br>end<br>config vpn ipsec phase2<br>
edit "test PSK"<br> set phase1name "test PSK"<br> set use-natip enable<br> set add-route disable<br> set proposal aes256-sha512<br> set pfs enable<br> set replay enable<br>
set keepalive disable<br> set keylife-type seconds<br> set single-source disable<br> set route-overlap use-new<br> set encapsulation tunnel-mode<br> set protocol 0<br> set src-addr-type subnet<br>
set src-port 0<br> set dst-addr-type subnet<br> set dst-port 0<br> set dhcp-ipsec disable<br> set dhgrp 14<br> set keylifeseconds 1800<br> set src-subnet 0.0.0.0 0.0.0.0<br>
set dst-subnet 172.0.0.0 255.0.0.0<br> next<br>end<br></font></div><font face="courier new,monospace"></font><div><font face="courier new,monospace"><br><br></font></div></div>
</div><br></div>
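The following is an added example, not the poster's code or anything from the strongSwan or Fortinet projects. It parses the two configurations quoted in the mail (copied inline, trimmed to the keys the checks use) and cross-checks the settings that decide whether an IKEv2 roadwarrior with a virtual IP can come up: IKE version, phase 1 and phase 2 proposals, DH groups and PFS, and whether a `leftsourceip` request under IKEv2 is matched by address assignment on the responder. The rule about `leftsourceip` comes from strongSwan's ipsec.conf(5), which says that under IKEv2 a configured address is requested from the responder in a configuration payload; the `mode-cfg` key the check looks for on the FortiGate side is an assumed name, since no address-assignment setting of any kind appears in the pasted phase1.

```python
"""Cross-check the strongSwan conn and the FortiGate phase1/phase2 quoted above.
Added example, not the poster's code: both configs are copied inline (trimmed to
the keys the checks use) and compared; mismatches come back as a list of strings."""

# Constructed inline from the mail's ipsec.conf excerpt.
STRONGSWAN_CONF = """\
conn nomade-frontal
 ike=aes256-sha512-modp2048!
 esp=aes256-sha512-modp2048!
 dpddelay = 30s
 leftsourceip=172.16.69.69
 keyexchange=ikev2
 pfs=yes
 rightsubnet=10.0.0.0/8
"""

# Constructed inline from the mail's FortiGate excerpt.
FORTIGATE_CONF = """\
config vpn ipsec phase1
 edit "test PSK"
 set ike-version 2
 set dhgrp 14
 set proposal aes256-sha512
 next
end
config vpn ipsec phase2
 edit "test PSK"
 set proposal aes256-sha512
 set pfs enable
 set dhgrp 14
 set src-subnet 0.0.0.0 0.0.0.0
 set dst-subnet 172.0.0.0 255.0.0.0
 next
end
"""

# strongSwan DH group names -> FortiGate dhgrp numbers (the common MODP groups).
MODP_TO_DHGRP = {"modp1024": "2", "modp1536": "5", "modp2048": "14", "modp3072": "15"}

def parse_strongswan(text, conn):
    """Return the key=value settings of one conn section (spaces around '=' tolerated)."""
    settings, inside = {}, False
    for line in text.splitlines():
        if line.strip() == "conn " + conn:
            inside = True
            continue
        if inside and line.startswith("conn "):
            break
        if inside and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            settings[key] = value
    return settings

def parse_fortigate(text):
    """Return {section: {entry: {key: value}}} from 'config / edit / set' blocks."""
    result, section, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[len("config "):]
            result.setdefault(section, {})
        elif line.startswith("edit "):
            entry = line[len("edit "):].strip('"')
            result[section][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[len("set "):].partition(" ")
            result[section][entry][key] = value.strip('"')
        elif line == "next":
            entry = None
    return result

def split_proposal(spec):
    """'aes256-sha512-modp2048!' -> ('aes256-sha512', '14'); no group -> (algs, None)."""
    parts = spec.rstrip("!").split("-")
    group = MODP_TO_DHGRP.get(parts[-1])
    return ("-".join(parts[:-1]) if group else "-".join(parts)), group

def cross_check(ss, p1, p2):
    """Compare a strongSwan conn dict against FortiGate phase1/phase2 dicts."""
    findings = []
    ikev = "2" if ss.get("keyexchange") == "ikev2" else "1"
    if p1.get("ike-version", "1") != ikev:
        findings.append("ike-version mismatch")
    ike_algs, ike_group = split_proposal(ss["ike"])
    if ike_algs != p1.get("proposal") or ike_group != p1.get("dhgrp"):
        findings.append("phase1 proposal/dhgrp mismatch")
    esp_algs, esp_group = split_proposal(ss["esp"])
    if esp_algs != p2.get("proposal"):
        findings.append("phase2 proposal mismatch")
    if ss.get("pfs") == "yes" and (p2.get("pfs") != "enable" or esp_group != p2.get("dhgrp")):
        findings.append("pfs/dhgrp mismatch")
    # ipsec.conf(5): under IKEv2 a leftsourceip address is requested from the responder
    # in a configuration payload, so the responder must be able to assign one.
    # "mode-cfg" is an ASSUMED name for that FortiGate switch; the pasted phase1 has none.
    if ikev == "2" and "leftsourceip" in ss and p1.get("mode-cfg") != "enable":
        findings.append("ikev2 virtual IP requested but responder shows no address assignment")
    return findings

def run():
    """Parse both pasted configs and return the list of findings."""
    ss = parse_strongswan(STRONGSWAN_CONF, "nomade-frontal")
    fg = parse_fortigate(FORTIGATE_CONF)
    return cross_check(ss, fg["vpn ipsec phase1"]["test PSK"], fg["vpn ipsec phase2"]["test PSK"])
```

Run against the pasted configs, `run()` reports only the virtual-IP finding: the proposals, DH groups and PFS settings line up on both sides, which matches the mail's observation that phases 1 and 2 negotiate and the SA is deleted only afterward, with an "internal address failure". That is the IKEv2 INTERNAL_ADDRESS_FAILURE notify a responder sends when it cannot satisfy a configuration-payload address request, so the responder's address assignment is the setting to verify first.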