[strongSwan] IKEv2 EAP identity between Strongswan and Fortigate 60C

Andreas Steffen andreas.steffen at strongswan.org
Wed Sep 16 16:11:43 CEST 2015


Hi Denis,

the problem lies on the Fortigate side. The Fortigate VPN gateway
should send an IKE_AUTH response containing an EAP request for
a given EAP method. What EAP method is the VPN GW or the RADIUS
server connected to it supposed to propose?

Regards

Andreas

On 16.09.2015 15:04, RICHARD, Denis (Denis)** CTR ** wrote:
> Hello all,
> I am trying to set a VPN between Strongswan on Linux and a Fortigate 60C
> (FortiOS 5.2.4), in IKEv2 EAP identity.
> The Fortigate sends the EAP_IDENTITY and Strongswan answers with
> EAP_IDENTITY, and Fortigate does not answer any more (see traces below).
> Does anyone already use Fortigate 60C in IKEv2 EAP mode?
> Thanks and regards
> Denis
> # ipsec.conf - strongSwan IPsec configuration file
> config setup
>          charondebug="cfg 2, chd 2, dmn 2, esp 2, ike 2, knl 2, mgr 2"
> # Add connections here.
> conn %default
>          keyexchange=ikev2
> # Sample VPN connections
> conn vpn_FGT
>          left=X.X.X.82
>          leftsourceip=%config
>          leftauth=psk
>          leftfirewall=yes
>          leftid=172.26.185.82
>          auto=start
>          ike=aes256-sha256-modp2048
>          esp=aes256-sha256-modp2048
>          right=X.X.X.50
>          rightsubnet=X.X.X.50/32
>          rightid=%any
>          rightauth=eap
> Sep 15 14:59:11 (none) charon: 09[CFG] configured proposals:
> ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ,
> ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
> Sep 15 14:59:11 (none) charon: 09[KNL] got SPI c424fe4c
> Sep 15 14:59:11 (none) charon: 09[ENC] generating IKE_AUTH request 1 [
> IDi CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]
> Sep 15 14:59:11 (none) charon: 09[NET] sending packet: from
> X.X.X.82[4500] to X.X.X.50[4500] (336 bytes)
> Sep 15 14:59:11 (none) charon: 09[MGR] checkin IKE_SA vpn_FGT[1]
> Sep 15 14:59:11 (none) charon: 10[MGR] checkout IKE_SA by message
> Sep 15 14:59:11 (none) charon: 09[MGR] check-in of IKE_SA successful.
> Sep 15 14:59:11 (none) charon: 10[MGR] IKE_SA vpn_FGT[1] successfully
> checked out
> Sep 15 14:59:11 (none) charon: 10[NET] received packet: from
> X.X.X.50[4500] to X.X.X.82[4500] (192 bytes)
> Sep 15 14:59:11 (none) charon: 10[ENC] parsed IKE_AUTH response 1 [ IDr
> AUTH EAP/REQ/ID ]
> Sep 15 14:59:11 (none) charon: 10[IKE] authentication of 'X.X.X.50' with
> pre-shared key successful
> Sep 15 14:59:11 (none) charon: 10[IKE] server requested EAP_IDENTITY (id
> 0x95), sending 'X.X.X.82'
> Sep 15 14:59:11 (none) charon: 10[IKE] reinitiating already active tasks
> Sep 15 14:59:11 (none) charon: 10[IKE]   IKE_AUTH task
> Sep 15 14:59:11 (none) charon: 10[ENC] generating IKE_AUTH request 2 [
> EAP/RES/ID ]
> Sep 15 14:59:11 (none) charon: 10[NET] sending packet: from
> X.X.X.82[4500] to X.X.X.50[4500] (96 bytes)
> Sep 15 14:59:11 (none) charon: 10[MGR] checkin IKE_SA vpn_FGT[1]
> Sep 15 14:59:11 (none) charon: 10[MGR] check-in of IKE_SA successful.
> Sep 15 14:59:13 (none) charon: 11[CFG] proposing traffic selectors for us:
> Sep 15 14:59:13 (none) charon: 11[CFG]  dynamic
> Sep 15 14:59:13 (none) charon: 11[CFG] proposing traffic selectors for
> other:
> Sep 15 14:59:13 (none) charon: 11[CFG]  X.X.X.50/32
> Sep 15 14:59:15 (none) charon: 06[MGR] checkout IKE_SA
> Sep 15 14:59:15 (none) charon: 06[MGR] IKE_SA vpn_FGT[1] successfully
> checked out
> Sep 15 14:59:15 (none) charon: 06[MGR] checkin IKE_SA vpn_FGT[1]
> Sep 15 14:59:15 (none) charon: 06[MGR] check-in of IKE_SA successful.
> Sep 15 14:59:15 (none) charon: 08[MGR] checkout IKE_SA
> Sep 15 14:59:15 (none) charon: 08[MGR] IKE_SA vpn_FGT[1] successfully
> checked out
> Sep 15 14:59:15 (none) charon: 08[MGR] checkin IKE_SA vpn_FGT[1]
> Sep 15 14:59:15 (none) charon: 08[MGR] check-in of IKE_SA successful.
> Sep 15 14:59:15 (none) charon: 13[MGR] checkout IKE_SA
> Sep 15 14:59:15 (none) charon: 13[MGR] IKE_SA vpn_FGT[1] successfully
> checked out
> Sep 15 14:59:15 (none) charon: 13[IKE] retransmit 1 of request with
> message ID 2
> Sep 15 14:59:15 (none) charon: 13[NET] sending packet: from
> X.X.X.82[4500] to X.X.X.50[4500] (96 bytes)
> Sep 15 14:59:15 (none) charon: 13[MGR] checkin IKE_SA vpn_FGT[1]

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
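The stall Andreas describes is visible in the charon trace: the client answers the gateway's EAP/REQ/ID with EAP/RES/ID, then only retransmits message ID 2 because no EAP request for an actual method (for example EAP/REQ/MSCHAPV2, the naming charon uses for methods) ever arrives. The following is an added example, not code from strongSwan or from either poster, that walks charon log lines and reports that state; the sample lines are constructed from the trace above with the email line wrapping undone, and the non-identity EAP type names are assumed to follow charon's usual EAP/REQ/<METHOD> form.

```python
import re

# Constructed sample: the relevant lines of the quoted charon trace, rejoined.
SAMPLE_LOG = """\
Sep 15 14:59:11 (none) charon: 09[ENC] generating IKE_AUTH request 1 [ IDi CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]
Sep 15 14:59:11 (none) charon: 10[ENC] parsed IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
Sep 15 14:59:11 (none) charon: 10[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
Sep 15 14:59:15 (none) charon: 13[IKE] retransmit 1 of request with message ID 2
"""

# [ENC] lines carry the payload list of each IKE_AUTH message in brackets.
MSG_RE = re.compile(r"\[ENC\] (generating|parsed) IKE_AUTH (request|response) (\d+) \[ (.*) \]")
RETRANS_RE = re.compile(r"\[IKE\] retransmit (\d+) of request with message ID (\d+)")

def eap_payloads(payloads):
    """Return (code, type) pairs for EAP payloads, e.g. 'EAP/REQ/ID' -> ('REQ', 'ID')."""
    return [tuple(p.split("/")[1:]) for p in payloads.split() if p.startswith("EAP/")]

def analyse(log):
    """Walk the IKE_AUTH exchange and record how far the EAP conversation got."""
    state = {"identity_sent": False, "method_offered": None, "retransmits": {}}
    for line in log.splitlines():
        m = MSG_RE.search(line)
        if m:
            _direction, kind, _mid, payloads = m.groups()
            for code, typ in eap_payloads(payloads):
                if kind == "request" and code == "RES" and typ == "ID":
                    state["identity_sent"] = True          # we answered EAP_IDENTITY
                if kind == "response" and code == "REQ" and typ != "ID":
                    state["method_offered"] = typ          # gateway proposed a real method
            continue
        r = RETRANS_RE.search(line)
        if r:
            count, mid = r.groups()
            state["retransmits"][int(mid)] = int(count)    # unanswered request
    return state

def diagnose(state):
    """Turn the recorded state into a one-line verdict for the operator."""
    if state["method_offered"]:
        return "EAP method %s proposed by gateway" % state["method_offered"]
    if state["identity_sent"] and state["retransmits"]:
        return "stalled: EAP identity sent, gateway never proposed an EAP method"
    return "exchange incomplete"

if __name__ == "__main__":
    print(diagnose(analyse(SAMPLE_LOG)))
```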
