[strongSwan] IKEv2 EAP identity between Strongswan and Fortigate 60C

Andreas Steffen andreas.steffen at strongswan.org
Wed Sep 16 16:21:39 CEST 2015


Another reason might be that you didn't define an explicit EAP
identity with

   eap_identity=

As a default, leftid is used which in your case is the IP address
172.26.185.82. This is probably not what the Fortigate GW expects.
It is still strange that Fortigate does not abort the IKE_SA with
an error notification.

Regards

Andreas

On 16.09.2015 15:04, RICHARD, Denis (Denis)** CTR ** wrote:
> Hello all,
> I am trying to set a VPN between Strongswan on Linux and a Fortigate 60C
> (FortiOS 5.2.4), in IKEv2 EAP identity.
> The Fortigate sends the EAP_IDENTITY and Strongswan answers with
> EAP_IDENTITY,  and Fortigate does not answer any more (see traces below).
> Does anyone already use Fortigate 60C in IKEv2 EAP mode ?
> Thanks and regards
> Denis
> # ipsec.conf - strongSwan IPsec configuration file
> config setup
>          charondebug="cfg 2, chd 2, dmn 2, esp 2, ike 2, knl 2, mgr 2"
> # Add connections here.
> conn %default
>          keyexchange=ikev2
> # Sample VPN connections
> conn vpn_FGT
>          left=X.X.X.82
>          leftsourceip=%config
>          leftauth=psk
>          leftfirewall=yes
>          leftid=172.26.185.82
>          auto=start
>          ike=aes256-sha256-modp2048
>          esp=aes256-sha256-modp2048
>          right=X.X.X.50
>          rightsubnet=X.X.X.50/32
>          rightid=%any
>          rightauth=eap
> Sep 15 14:59:11 (none) charon: 09[CFG] configured proposals:
> ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ,
> ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
> Sep 15 14:59:11 (none) charon: 09[KNL] got SPI c424fe4c
> Sep 15 14:59:11 (none) charon: 09[ENC] generating IKE_AUTH request 1 [
> IDi CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]
> Sep 15 14:59:11 (none) charon: 09[NET] sending packet: from
> X.X.X.82[4500] to X.X.X.50[4500] (336 bytes)
> Sep 15 14:59:11 (none) charon: 09[MGR] checkin IKE_SA vpn_FGT[1]
> Sep 15 14:59:11 (none) charon: 10[MGR] checkout IKE_SA by message
> Sep 15 14:59:11 (none) charon: 09[MGR] check-in of IKE_SA successful.
> Sep 15 14:59:11 (none) charon: 10[MGR] IKE_SA vpn_FGT[1] successfully
> checked out
> Sep 15 14:59:11 (none) charon: 10[NET] received packet: from
> X.X.X.50[4500] to X.X.X.82[4500] (192 bytes)
> Sep 15 14:59:11 (none) charon: 10[ENC] parsed IKE_AUTH response 1 [ IDr
> AUTH EAP/REQ/ID ]
> Sep 15 14:59:11 (none) charon: 10[IKE] authentication of 'X.X.X.50' with
> pre-shared key successful
> Sep 15 14:59:11 (none) charon: 10[IKE] server requested EAP_IDENTITY (id
> 0x95), sending 'X.X.X.82'
> Sep 15 14:59:11 (none) charon: 10[IKE] reinitiating already active tasks
> Sep 15 14:59:11 (none) charon: 10[IKE]   IKE_AUTH task
> Sep 15 14:59:11 (none) charon: 10[ENC] generating IKE_AUTH request 2 [
> EAP/RES/ID ]
> Sep 15 14:59:11 (none) charon: 10[NET] sending packet: from
> X.X.X.82[4500] to X.X.X.50[4500] (96 bytes)
> Sep 15 14:59:11 (none) charon: 10[MGR] checkin IKE_SA vpn_FGT[1]
> Sep 15 14:59:11 (none) charon: 10[MGR] check-in of IKE_SA successful.
> Sep 15 14:59:13 (none) charon: 11[CFG] proposing traffic selectors for us:
> Sep 15 14:59:13 (none) charon: 11[CFG]  dynamic
> Sep 15 14:59:13 (none) charon: 11[CFG] proposing traffic selectors for
> other:
> Sep 15 14:59:13 (none) charon: 11[CFG]  X.X.X.50/32
> Sep 15 14:59:15 (none) charon: 06[MGR] checkout IKE_SA
> Sep 15 14:59:15 (none) charon: 06[MGR] IKE_SA vpn_FGT[1] successfully
> checked out
> Sep 15 14:59:15 (none) charon: 06[MGR] checkin IKE_SA vpn_FGT[1]
> Sep 15 14:59:15 (none) charon: 06[MGR] check-in of IKE_SA successful.
> Sep 15 14:59:15 (none) charon: 08[MGR] checkout IKE_SA
> Sep 15 14:59:15 (none) charon: 08[MGR] IKE_SA vpn_FGT[1] successfully
> checked out
> Sep 15 14:59:15 (none) charon: 08[MGR] checkin IKE_SA vpn_FGT[1]
> Sep 15 14:59:15 (none) charon: 08[MGR] check-in of IKE_SA successful.
> Sep 15 14:59:15 (none) charon: 13[MGR] checkout IKE_SA
> Sep 15 14:59:15 (none) charon: 13[MGR] IKE_SA vpn_FGT[1] successfully
> checked out
> Sep 15 14:59:15 (none) charon: 13[IKE] retransmit 1 of request with
> message ID 2
> Sep 15 14:59:15 (none) charon: 13[NET] sending packet: from
> X.X.X.82[4500] to X.X.X.50[4500] (96 bytes)
> Sep 15 14:59:15 (none) charon: 13[MGR] checkin IKE_SA vpn_FGT[1]
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
>

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
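As an added example that is not part of the original thread, the configuration below mirrors Denis's conn block with the explicit EAP identity Andreas recommends, so that the EAP-Identity response carries a user name instead of the leftid IP address. Assumptions: the strongSwan host is the EAP peer (leftauth=eap, which lets the gateway choose the EAP method) and the gateway authenticates itself with the PSK, which is what the charon log above shows; the user name vpnuser, the secrets and the X.X.X addresses are placeholders.

```conf
# ipsec.conf - added example, not the configuration posted in the thread
config setup
        charondebug="cfg 2, ike 2"

conn %default
        keyexchange=ikev2

conn vpn_FGT
        left=X.X.X.82
        leftsourceip=%config
        leftfirewall=yes
        leftid=172.26.185.82
        # Without eap_identity, charon answers the gateway's EAP-Identity
        # request with leftid, i.e. "172.26.185.82". Set the user name the
        # gateway's user database expects instead (placeholder value):
        eap_identity=vpnuser
        # Local side is the EAP peer; the gateway picks the EAP method.
        leftauth=eap
        ike=aes256-sha256-modp2048
        esp=aes256-sha256-modp2048
        right=X.X.X.50
        rightid=%any
        # Gateway authenticates with the pre-shared key (as in the log).
        rightauth=psk
        rightsubnet=X.X.X.50/32
        auto=start

# ipsec.secrets - placeholders, keep the file readable by root only
# PSK used to verify the gateway's AUTH payload:
X.X.X.82 X.X.X.50 : PSK "replace-with-shared-secret"
# EAP credential charon sends for the identity configured above:
vpnuser : EAP "replace-with-eap-password"
```

After reloading with `ipsec update` and `ipsec up vpn_FGT`, the charon line "server requested EAP_IDENTITY (id ...), sending 'vpnuser'" confirms that the configured identity, not the IP address, went out in the EAP/RES/ID. If the gateway still does not answer and charon keeps logging "retransmit N of request with message ID 2", the identity is being dropped on the Fortigate side without an error notification, so the next place to look is the gateway's user group and IKE debug output.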
