[strongSwan] IKEv2 EAP identity between Strongswan and Fortigate 60C

RICHARD, Denis (Denis)** CTR ** Denis.Richard at alcatel-lucent.com
Wed Sep 16 15:04:37 CEST 2015


Hello all,

I am trying to set up a VPN between strongSwan on Linux and a Fortigate 60C (FortiOS 5.2.4), using IKEv2 with EAP identity.
The Fortigate sends the EAP_IDENTITY request and strongSwan answers with its EAP_IDENTITY response, but the Fortigate does not answer any more (see traces below).

Does anyone already use a Fortigate 60C in IKEv2 EAP mode?

Thanks and regards

Denis

# ipsec.conf - strongSwan IPsec configuration file

config setup
        charondebug="cfg 2, chd 2, dmn 2, esp 2, ike 2, knl 2, mgr 2"

# Add connections here.
conn %default
        keyexchange=ikev2

# Sample VPN connections
conn vpn_FGT
        left=X.X.X.82
        leftsourceip=%config
        leftauth=psk
        leftfirewall=yes
        leftid=172.26.185.82
        auto=start
        ike=aes256-sha256-modp2048
        esp=aes256-sha256-modp2048
        right=X.X.X.50
        rightsubnet=X.X.X.50/32
        rightid=%any
        rightauth=eap

Sep 15 14:59:11 (none) charon: 09[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
Sep 15 14:59:11 (none) charon: 09[KNL] got SPI c424fe4c
Sep 15 14:59:11 (none) charon: 09[ENC] generating IKE_AUTH request 1 [ IDi CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]
Sep 15 14:59:11 (none) charon: 09[NET] sending packet: from X.X.X.82[4500] to X.X.X.50[4500] (336 bytes)
Sep 15 14:59:11 (none) charon: 09[MGR] checkin IKE_SA vpn_FGT[1]
Sep 15 14:59:11 (none) charon: 10[MGR] checkout IKE_SA by message
Sep 15 14:59:11 (none) charon: 09[MGR] check-in of IKE_SA successful.
Sep 15 14:59:11 (none) charon: 10[MGR] IKE_SA vpn_FGT[1] successfully checked out
Sep 15 14:59:11 (none) charon: 10[NET] received packet: from X.X.X.50[4500] to X.X.X.82[4500] (192 bytes)
Sep 15 14:59:11 (none) charon: 10[ENC] parsed IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
Sep 15 14:59:11 (none) charon: 10[IKE] authentication of 'X.X.X.50' with pre-shared key successful
Sep 15 14:59:11 (none) charon: 10[IKE] server requested EAP_IDENTITY (id 0x95), sending 'X.X.X.82'
Sep 15 14:59:11 (none) charon: 10[IKE] reinitiating already active tasks
Sep 15 14:59:11 (none) charon: 10[IKE]   IKE_AUTH task
Sep 15 14:59:11 (none) charon: 10[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
Sep 15 14:59:11 (none) charon: 10[NET] sending packet: from X.X.X.82[4500] to X.X.X.50[4500] (96 bytes)
Sep 15 14:59:11 (none) charon: 10[MGR] checkin IKE_SA vpn_FGT[1]
Sep 15 14:59:11 (none) charon: 10[MGR] check-in of IKE_SA successful.
Sep 15 14:59:13 (none) charon: 11[CFG] proposing traffic selectors for us:
Sep 15 14:59:13 (none) charon: 11[CFG]  dynamic
Sep 15 14:59:13 (none) charon: 11[CFG] proposing traffic selectors for other:
Sep 15 14:59:13 (none) charon: 11[CFG]  X.X.X.50/32
Sep 15 14:59:15 (none) charon: 06[MGR] checkout IKE_SA
Sep 15 14:59:15 (none) charon: 06[MGR] IKE_SA vpn_FGT[1] successfully checked out
Sep 15 14:59:15 (none) charon: 06[MGR] checkin IKE_SA vpn_FGT[1]
Sep 15 14:59:15 (none) charon: 06[MGR] check-in of IKE_SA successful.
Sep 15 14:59:15 (none) charon: 08[MGR] checkout IKE_SA
Sep 15 14:59:15 (none) charon: 08[MGR] IKE_SA vpn_FGT[1] successfully checked out
Sep 15 14:59:15 (none) charon: 08[MGR] checkin IKE_SA vpn_FGT[1]
Sep 15 14:59:15 (none) charon: 08[MGR] check-in of IKE_SA successful.
Sep 15 14:59:15 (none) charon: 13[MGR] checkout IKE_SA
Sep 15 14:59:15 (none) charon: 13[MGR] IKE_SA vpn_FGT[1] successfully checked out
Sep 15 14:59:15 (none) charon: 13[IKE] retransmit 1 of request with message ID 2
Sep 15 14:59:15 (none) charon: 13[NET] sending packet: from X.X.X.82[4500] to X.X.X.50[4500] (96 bytes)
Sep 15 14:59:15 (none) charon: 13[MGR] checkin IKE_SA vpn_FGT[1]
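As an added example (not part of Denis's post), the following Python parser walks charon trace lines in the format shown above and reports which request message ID never received a parsed response, and how many times it was retransmitted. The sample log is a constructed trim of the trace in the post; the regular expressions are assumptions about the charon log format visible here.

```python
import re
from collections import defaultdict

# Constructed sample, trimmed from the post: request 1 is answered,
# request 2 (the EAP identity response) is only ever retransmitted.
SAMPLE_LOG = """\
Sep 15 14:59:11 (none) charon: 09[ENC] generating IKE_AUTH request 1 [ IDi CPRQ(ADDR DNS) SA TSi TSr N(EAP_ONLY) ]
Sep 15 14:59:11 (none) charon: 09[NET] sending packet: from X.X.X.82[4500] to X.X.X.50[4500] (336 bytes)
Sep 15 14:59:11 (none) charon: 10[ENC] parsed IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
Sep 15 14:59:11 (none) charon: 10[IKE] server requested EAP_IDENTITY (id 0x95), sending 'X.X.X.82'
Sep 15 14:59:11 (none) charon: 10[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
Sep 15 14:59:11 (none) charon: 10[NET] sending packet: from X.X.X.82[4500] to X.X.X.50[4500] (96 bytes)
Sep 15 14:59:15 (none) charon: 13[IKE] retransmit 1 of request with message ID 2
Sep 15 14:59:15 (none) charon: 13[NET] sending packet: from X.X.X.82[4500] to X.X.X.50[4500] (96 bytes)
"""

# Patterns for the three charon log events we need (assumed from the trace above).
GEN_RE = re.compile(r"\[ENC\] generating (\w+) request (\d+) \[ (.*) \]")
RESP_RE = re.compile(r"\[ENC\] parsed (\w+) response (\d+) \[ (.*) \]")
RETR_RE = re.compile(r"\[IKE\] retransmit (\d+) of request with message ID (\d+)")


def find_stalled_exchanges(log_text):
    """Return [(message_id, exchange, payloads, retransmits)] for every request
    charon generated that never had a matching response parsed."""
    requests = {}                    # message ID -> (exchange type, payload list)
    answered = set()                 # message IDs with a parsed response
    retransmits = defaultdict(int)   # message ID -> highest retransmit count seen
    for line in log_text.splitlines():
        if m := GEN_RE.search(line):
            requests[int(m.group(2))] = (m.group(1), m.group(3))
        elif m := RESP_RE.search(line):
            answered.add(int(m.group(2)))
        elif m := RETR_RE.search(line):
            retransmits[int(m.group(2))] = int(m.group(1))
    return [(mid, exchange, payloads, retransmits[mid])
            for mid, (exchange, payloads) in sorted(requests.items())
            if mid not in answered]


if __name__ == "__main__":
    for mid, exchange, payloads, retries in find_stalled_exchanges(SAMPLE_LOG):
        print(f"{exchange} request {mid} [ {payloads} ] unanswered, "
              f"{retries} retransmit(s)")
```

Run against the full trace from the post, it isolates the stall to the second IKE_AUTH request carrying EAP/RES/ID, i.e. the peer stopped responding right after the EAP identity was sent.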
