[strongSwan] help with connection

Davide Zanon davide.zanon at universiis.com
Mon May 9 10:45:17 CEST 2016


Hi everybody,
forgive me if I'm writing in the wrong list and please point me to the right one.
I'm having a bad time trying to set up a vpn between a Fortigate 200D and a strongswan linux box (ipfire):
what I'm trying to do is to translate the configuration I have on the Forticlient (windows application)
to make it work under Strongswan.

Forticlient configuration:

xauth disabled
mode aggressive
options mode config

phase 1:
ikev1
encryption aes256
auth sha256
DH group 5
key life 86400 sec
dead peer detection
nat traversal

phase 2:
ikev1
encryption aes256
auth sha256
DH group 5
key life 43200 sec
enable replay detection
enable PFS
DH Group 5


And this is the ipsec.conf file I tried to forge from the windows client:

version 2

conn %default
	keyingtries=%forever


conn CSAP
	left=MY_PUBLIC_IP
	leftsubnet=192.168.1.0/24
	leftfirewall=yes
	lefthostaccess=yes
	right=PEER_IP
	rightsubnet=192.168.100.1/24
	# one proposal: components are joined with '-'; a comma separates alternative proposals,
	# so "aes256,sha256,modp1536" would be three incomplete proposals, not one
	ike=aes256-sha256-modp1536!
	esp=aes256-sha256-modp1536!
	keyexchange=ikev1
	# the FortiClient profile above uses aggressive mode; with no aggressive= setting charon initiates Main Mode
	ikelifetime=86400s
	keylife=43200s
	#compress=yes
	dpdaction=restart
	dpddelay=30
	dpdtimeout=120
	authby=secret
	auto=start
	fragmentation=yes


But when I try to connect all I get is this from the console:

[root at firewall ~]# ipsec up CSAP
initiating Main Mode IKE_SA CSAP[3] to 151.11.136.132
generating ID_PROT request 0 [ SA V V V V V V ]
sending packet: from MY_PUBLIC_IP[500] to PEER_IP[500] (320 bytes)
sending retransmit 1 of request message ID 0, seq 1
sending packet: from MY_PUBLIC_IP[500] to PEER_IP[500] (320 bytes)
sending retransmit 2 of request message ID 0, seq 1
sending packet: from MY_PUBLIC_IP[500] to PEER_IP[500] (320 bytes)
sending retransmit 3 of request message ID 0, seq 1
sending packet: from MY_PUBLIC_IP[500] to PEER_IP[500] (320 bytes)
sending retransmit 4 of request message ID 0, seq 1
sending packet: from MY_PUBLIC_IP[500] to PEER_IP[500] (320 bytes)
sending retransmit 5 of request message ID 0, seq 1
sending packet: from MY_PUBLIC_IP[500] to PEER_IP[500] (320 bytes)
giving up after 5 retransmits
peer not responding, trying again (2/0)
initiating Main Mode IKE_SA CSAP[3] to PEER_IP
generating ID_PROT request 0 [ SA V V V V V V ]
sending packet: from MY_PUBLIC_IP[500] to PEER_IP[500] (320 bytes)
sending retransmit 1 of request message ID 0, seq 1
sending packet: from MY_PUBLIC_IP[500] to PEER_IP[500] (320 bytes)
sending retransmit 2 of request message ID 0, seq 1
sending packet: from MY_PUBLIC_IP[500] to PEER_IP[500] (320 bytes)
sending retransmit 3 of request message ID 0, seq 1
sending packet: from MY_PUBLIC_IP[500] to PEER_IP[500] (320 bytes)
destroying IKE_SA in state CONNECTING without notification
establishing connection 'CSAP' failed
(here I stopped it manually from another console)


In /var/log/messages all I see is this:

May  9 09:14:37 firewall charon: 06[ENC] generating ID_PROT request 0 [ SA V V V V V V ] 
May  9 09:14:37 firewall charon: 06[NET] sending packet: from MY_PUBLIC_IP[500] to PEER_IP[500] (320 bytes) 
May  9 09:14:37 firewall charon: 03[NET] error writing to socket: Invalid argument 
May  9 09:14:41 firewall charon: 07[IKE] sending retransmit 1 of request message ID 0, seq 1 
May  9 09:14:41 firewall charon: 07[NET] sending packet: from MY_PUBLIC_IP[500] to PEER_IP[500] (320 bytes) 
May  9 09:14:41 firewall charon: 03[NET] error writing to socket: Invalid argument 
May  9 09:14:48 firewall charon: 10[IKE] sending retransmit 2 of request message ID 0, seq 1 
May  9 09:14:48 firewall charon: 10[NET] sending packet: from MY_PUBLIC_IP[500] to PEER_IP[500] (320 bytes) 
May  9 09:14:48 firewall charon: 03[NET] error writing to socket: Invalid argument 
May  9 09:15:01 firewall charon: 05[IKE] sending retransmit 3 of request message ID 0, seq 1 
May  9 09:15:01 firewall charon: 05[NET] sending packet: from MY_PUBLIC_IP[500] to PEER_IP[500] (320 bytes) 
May  9 09:15:01 firewall charon: 03[NET] error writing to socket: Invalid argument 
May  9 09:15:19 firewall charon: 15[CFG] received stroke: terminate 'CSAP' 
May  9 09:15:19 firewall charon: 14[IKE] destroying IKE_SA in state CONNECTING without notification 
May  9 09:15:19 firewall charon: 06[CFG] received stroke: terminate 'CSAP' 
May  9 09:15:20 firewall charon: 06[CFG] no IKE_SA named 'CSAP' found


I'm obviously doing something wrong here. I think the message "error writing to socket: Invalid argument" in the
log might be the culprit, but I don't know what it means. I can ping the peer and reach it via telnet, so there is
no connectivity problem (also, the Windows client connects correctly to the VPN).
The strongSwan version is 5.3.5 and the kernel is 3.14.65; I already checked that all the required kernel modules are loaded.

Please advise in any way.

Thanks
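To make the FortiClient-to-strongSwan translation mechanical, here is an added example (not code from the post above and not from the strongSwan project) that maps the phase 1 / phase 2 settings of a FortiClient profile onto ipsec.conf(5) keywords, and that classifies a charon log excerpt as "peer silent" versus "local send failure" before anyone starts comparing proposals with the gateway. The dict field names, the conn name and the RFC 5737 addresses are assumptions; the sample log lines are constructed from the /var/log/messages excerpt in the post.

```python
"""Translate FortiClient-style IKEv1 phase settings into strongSwan ipsec.conf
directives, and triage a charon log excerpt.

Added example; not code from the mailing-list post or the strongSwan project.
Keywords are those of ipsec.conf(5).  The field names used for the FortiClient
profile (mode, encryption, auth, dh_group, key_life, pfs) are an assumed
representation of the settings listed in the post.
"""
import re

# FortiClient DH group numbers are IANA group ids; strongSwan names them like this.
DH_GROUPS = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048",
             15: "modp3072", 16: "modp4096", 19: "ecp256", 20: "ecp384",
             21: "ecp521"}
ENCRYPTION = {"aes128": "aes128", "aes192": "aes192", "aes256": "aes256",
              "3des": "3des"}
INTEGRITY = {"md5": "md5", "sha1": "sha1", "sha256": "sha256",
             "sha384": "sha384", "sha512": "sha512"}


def proposal(encryption, auth, dh_group=None):
    """Build one strongSwan proposal such as 'aes256-sha256-modp1536'.

    Components are joined with '-'.  In ipsec.conf a comma separates
    *alternative* proposals, so 'aes256,sha256,modp1536' would be three
    incomplete proposals rather than one.
    """
    try:
        parts = [ENCRYPTION[encryption.lower()], INTEGRITY[auth.lower()]]
        if dh_group is not None:
            parts.append(DH_GROUPS[int(dh_group)])
    except KeyError as exc:
        raise ValueError(f"unsupported algorithm or DH group: {exc}") from None
    return "-".join(parts)


def conn_block(name, phase1, phase2, left, leftsubnet, right, rightsubnet,
               psk=True, modeconfig=False):
    """Render an ipsec.conf 'conn' section from the two phase dicts.

    phase1: encryption, auth, dh_group, key_life (s), mode ('main'|'aggressive')
    phase2: encryption, auth, key_life (s), pfs (bool), dh_group (when pfs)
    """
    ike = proposal(phase1["encryption"], phase1["auth"], phase1["dh_group"])
    if phase2.get("pfs"):
        esp = proposal(phase2["encryption"], phase2["auth"], phase2["dh_group"])
    else:
        esp = proposal(phase2["encryption"], phase2["auth"])  # no PFS: no DH group
    lines = [
        f"conn {name}",
        "\tkeyexchange=ikev1",
        f"\tike={ike}!",   # trailing '!' = strict, charon appends no defaults
        f"\tesp={esp}!",
        f"\tikelifetime={int(phase1['key_life'])}s",
        f"\tkeylife={int(phase2['key_life'])}s",
        f"\tleft={left}",
        f"\tleftsubnet={leftsubnet}",
        f"\tright={right}",
        f"\trightsubnet={rightsubnet}",
        "\tauthby=secret" if psk else "\tauthby=pubkey",
        "\tdpdaction=restart",   # dead peer detection, as in the profile
        "\tdpddelay=30s",
        "\tdpdtimeout=120s",
        "\tauto=start",
    ]
    if phase1.get("mode", "main") == "aggressive":
        lines.append("\taggressive=yes")   # otherwise charon initiates Main Mode
    if modeconfig:
        lines.append("\tleftsourceip=%config")   # FortiClient 'mode config'
    # NAT traversal and ESP replay protection need no keyword here: charon
    # negotiates NAT-T automatically and the replay window is on by default.
    return "\n".join(lines) + "\n"


def triage_charon_log(lines):
    """Classify one IKE_SA attempt from charon's log lines.

    'local-send-failure': charon's own send call failed, so the packet never
                          left this host; the peer's config is not the first
                          place to look.
    'responding':         at least one reply from the peer was parsed.
    'peer-silent':        packets were sent and retransmitted, nothing came back.
    """
    if any("error writing to socket" in line for line in lines):
        return "local-send-failure"
    if any(re.search(r"parsed \S+ response", line) for line in lines):
        return "responding"
    if any("sending retransmit" in line for line in lines):
        return "peer-silent"
    return "unknown"


# Constructed sample, modelled on the /var/log/messages excerpt in the post.
SAMPLE_LOG = [
    "charon: 06[ENC] generating ID_PROT request 0 [ SA V V V V V V ]",
    "charon: 06[NET] sending packet: from 198.51.100.10[500] to 203.0.113.5[500] (320 bytes)",
    "charon: 03[NET] error writing to socket: Invalid argument",
    "charon: 07[IKE] sending retransmit 1 of request message ID 0, seq 1",
]

if __name__ == "__main__":
    p1 = {"encryption": "aes256", "auth": "sha256", "dh_group": 5,
          "key_life": 86400, "mode": "aggressive"}
    p2 = {"encryption": "aes256", "auth": "sha256", "dh_group": 5,
          "key_life": 43200, "pfs": True}
    print(conn_block("CSAP", p1, p2, "198.51.100.10", "192.168.1.0/24",
                     "203.0.113.5", "192.168.100.0/24", modeconfig=True))
    print(triage_charon_log(SAMPLE_LOG))
```

The triage runs first on purpose: a "local-send-failure" verdict means charon never got a packet onto the wire, so proposal or PSK mismatches with the FortiGate cannot yet be the cause. On the proposal side, "sha256" in strongSwan means HMAC-SHA-256 with the RFC 4868 128-bit truncation; if a peer turns out to use the older 96-bit truncation, strongSwan offers the `sha256_96` keyword for that case.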
