[strongSwan] help with connection
Davide Zanon
davide.zanon at universiis.com
Mon May 9 10:45:17 CEST 2016
Hi everybody,
forgive me if I'm writing in the wrong list and please point me to the right one.
I'm having a bad time trying to set up a vpn between a Fortigate 200D and a strongswan linux box (ipfire):
what I'm trying to do is to translate the configuration I have on the Forticlient (windows application)
to make it work under Strongswan.
Forticlient configuration:
  xauth disabled
  mode aggressive
  options mode config
  phase 1:
    ikev1
    encryption aes256
    auth sha256
    DH group 5
    key life 86400 sec
    dead peer detection
    nat traversal
  phase 2:
    ikev1
    encryption aes256
    auth sha256
    DH group 5
    key life 43200 sec
    enable replay detection
    enable PFS
    DH Group 5
And this is the ipsec.conf file I tried to forge from the windows client:
version 2

conn %default
        keyingtries=%forever

conn CSAP
        left=MY_PUBLIC_IP
        leftsubnet=192.168.1.0/24
        leftfirewall=yes
        lefthostaccess=yes
        right=PEER_IP
        rightsubnet=192.168.100.1/24
        # strongSwan proposal syntax: '-' joins the algorithms of one proposal,
        # ',' separates alternative proposals (aes256,sha256,modp1536 would be
        # read as three proposals, not one)
        ike=aes256-sha256-modp1536
        esp=aes256-sha256-modp1536
        keyexchange=ikev1
        ikelifetime=86400s
        keylife=43200s
        #compress=yes
        dpdaction=restart
        dpddelay=30
        dpdtimeout=120
        authby=secret
        auto=start
        fragmentation=yes
But when I try to connect all I get is this from the console:
[root at firewall ~]# ipsec up CSAP
initiating Main Mode IKE_SA CSAP[3] to PEER_IP
generating ID_PROT request 0 [ SA V V V V V V ]
sending packet: from MY_PUBLIC_IP[500] to PEER_IP[500] (320 bytes)
sending retransmit 1 of request message ID 0, seq 1
sending packet: from MY_PUBLIC_IP[500] to PEER_IP[500] (320 bytes)
sending retransmit 2 of request message ID 0, seq 1
sending packet: from MY_PUBLIC_IP[500] to PEER_IP[500] (320 bytes)
sending retransmit 3 of request message ID 0, seq 1
sending packet: from MY_PUBLIC_IP[500] to PEER_IP[500] (320 bytes)
sending retransmit 4 of request message ID 0, seq 1
sending packet: from MY_PUBLIC_IP[500] to PEER_IP[500] (320 bytes)
sending retransmit 5 of request message ID 0, seq 1
sending packet: from MY_PUBLIC_IP[500] to PEER_IP[500] (320 bytes)
giving up after 5 retransmits
peer not responding, trying again (2/0)
initiating Main Mode IKE_SA CSAP[3] to PEER_IP
generating ID_PROT request 0 [ SA V V V V V V ]
sending packet: from MY_PUBLIC_IP[500] to PEER_IP[500] (320 bytes)
sending retransmit 1 of request message ID 0, seq 1
sending packet: from MY_PUBLIC_IP[500] to PEER_IP[500] (320 bytes)
sending retransmit 2 of request message ID 0, seq 1
sending packet: from MY_PUBLIC_IP[500] to PEER_IP[500] (320 bytes)
sending retransmit 3 of request message ID 0, seq 1
sending packet: from MY_PUBLIC_IP[500] to PEER_IP[500] (320 bytes)
destroying IKE_SA in state CONNECTING without notification
establishing connection 'CSAP' failed
(here I stopped it manually from another console)
In /var/log/messages all I see is this:
May 9 09:14:37 firewall charon: 06[ENC] generating ID_PROT request 0 [ SA V V V V V V ]
May 9 09:14:37 firewall charon: 06[NET] sending packet: from MY_PUBLIC_IP[500] to PEER_IP[500] (320 bytes)
May 9 09:14:37 firewall charon: 03[NET] error writing to socket: Invalid argument
May 9 09:14:41 firewall charon: 07[IKE] sending retransmit 1 of request message ID 0, seq 1
May 9 09:14:41 firewall charon: 07[NET] sending packet: from MY_PUBLIC_IP[500] to PEER_IP[500] (320 bytes)
May 9 09:14:41 firewall charon: 03[NET] error writing to socket: Invalid argument
May 9 09:14:48 firewall charon: 10[IKE] sending retransmit 2 of request message ID 0, seq 1
May 9 09:14:48 firewall charon: 10[NET] sending packet: from MY_PUBLIC_IP[500] to PEER_IP[500] (320 bytes)
May 9 09:14:48 firewall charon: 03[NET] error writing to socket: Invalid argument
May 9 09:15:01 firewall charon: 05[IKE] sending retransmit 3 of request message ID 0, seq 1
May 9 09:15:01 firewall charon: 05[NET] sending packet: from MY_PUBLIC_IP[500] to PEER_IP[500] (320 bytes)
May 9 09:15:01 firewall charon: 03[NET] error writing to socket: Invalid argument
May 9 09:15:19 firewall charon: 15[CFG] received stroke: terminate 'CSAP'
May 9 09:15:19 firewall charon: 14[IKE] destroying IKE_SA in state CONNECTING without notification
May 9 09:15:19 firewall charon: 06[CFG] received stroke: terminate 'CSAP'
May 9 09:15:20 firewall charon: 06[CFG] no IKE_SA named 'CSAP' found
I'm obviously doing something wrong here. I think that message "error writing to socket: Invalid argument" in the
log might be the culprit, but I don't know what it means. I can ping and reach the PEER via telnet, so there is
no connectivity problem (also, the Windows client version connects correctly to the VPN).
The strongSwan version is 5.3.5, the kernel is 3.14.65, and I already checked that all the required kernel modules are loaded.
Please advise in any way.
Thanks
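The /var/log/messages excerpt above has one detail the console output hides: every "sending packet" line is followed, in the same second, by "error writing to socket: Invalid argument" from the sender thread, so the retransmits are failing inside the box before anything reaches the wire, which is a different problem from a peer that does not answer. The Python script below is an added example (it is not code from the post or from strongSwan): it parses charon log lines in the syslog format shown in the post, pairs each transmit with a socket error logged in the same second, and classifies the failure as local or remote. The sample log is a constructed copy of the posted lines with the MY_PUBLIC_IP / PEER_IP placeholders kept as they are.

```python
"""Pair charon 'sending packet' lines with socket write errors.

Added example, not from the original post or from strongSwan. The log
below is constructed to mirror the /var/log/messages excerpt in the post.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
May 9 09:14:37 firewall charon: 06[ENC] generating ID_PROT request 0 [ SA V V V V V V ]
May 9 09:14:37 firewall charon: 06[NET] sending packet: from MY_PUBLIC_IP[500] to PEER_IP[500] (320 bytes)
May 9 09:14:37 firewall charon: 03[NET] error writing to socket: Invalid argument
May 9 09:14:41 firewall charon: 07[IKE] sending retransmit 1 of request message ID 0, seq 1
May 9 09:14:41 firewall charon: 07[NET] sending packet: from MY_PUBLIC_IP[500] to PEER_IP[500] (320 bytes)
May 9 09:14:41 firewall charon: 03[NET] error writing to socket: Invalid argument
May 9 09:14:48 firewall charon: 10[IKE] sending retransmit 2 of request message ID 0, seq 1
May 9 09:14:48 firewall charon: 10[NET] sending packet: from MY_PUBLIC_IP[500] to PEER_IP[500] (320 bytes)
May 9 09:14:48 firewall charon: 03[NET] error writing to socket: Invalid argument
May 9 09:15:01 firewall charon: 05[IKE] sending retransmit 3 of request message ID 0, seq 1
May 9 09:15:01 firewall charon: 05[NET] sending packet: from MY_PUBLIC_IP[500] to PEER_IP[500] (320 bytes)
May 9 09:15:01 firewall charon: 03[NET] error writing to socket: Invalid argument
May 9 09:15:19 firewall charon: 14[IKE] destroying IKE_SA in state CONNECTING without notification
"""

# syslog prefix + charon's "<thread>[<group>] <message>" layout, as in the post
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ charon: '
    r'(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$')
SEND_RE = re.compile(
    r'sending packet: from (?P<src>[^\[\s]+)\[(?P<sport>\d+)\] '
    r'to (?P<dst>[^\[\s]+)\[(?P<dport>\d+)\] \((?P<size>\d+) bytes\)')
ERR_RE = re.compile(r'error writing to socket: (?P<errno>.+)$')


def parse_line(line):
    """Split one log line into timestamp, thread, log group and message."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def correlate(log_text):
    """Attach each socket error to the transmit logged in the same second.

    charon logs the send from the worker thread and the failure from the
    sender thread, so they appear as separate lines; the syslog timestamp
    is the only join key this format offers.
    """
    pending = None          # last transmit not yet confirmed or failed
    sends = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        s = SEND_RE.search(rec["msg"])
        if s:
            pending = {"ts": rec["ts"], "dst": f'{s["dst"]}:{s["dport"]}',
                       "size": int(s["size"]), "error": None}
            sends.append(pending)
            continue
        e = ERR_RE.search(rec["msg"])
        if e and pending is not None and pending["ts"] == rec["ts"]:
            pending["error"] = e["errno"]
            pending = None
    failed = [s for s in sends if s["error"]]
    return {
        "sent": len(sends),
        "failed": len(failed),
        "on_wire": len(sends) - len(failed),
        "errors": Counter(s["error"] for s in failed),
        "destinations": Counter(s["dst"] for s in sends),
    }


def verdict(report):
    """Classify where the IKE exchange is breaking down."""
    if report["sent"] == 0:
        return "no IKE packets were sent"
    if report["on_wire"] == 0:
        return "local: every socket write failed ({}); the peer never received a packet".format(
            ", ".join(report["errors"]))
    if report["failed"] == 0:
        return "remote: packets left the host; the peer or the path is not answering"
    return "mixed: {} of {} transmits failed locally".format(report["failed"], report["sent"])


if __name__ == "__main__":
    rep = correlate(SAMPLE_LOG)
    print(rep)
    print(verdict(rep))
```

Run against the posted excerpt it reports four transmits, four failures, nothing on the wire, and the "local" verdict; the console's "peer not responding" line is therefore charon's retransmit timer expiring, not evidence about the Fortigate. A log where the sends have no matching error line yields the "remote" verdict instead, which is the case where looking at the peer, NAT or firewall rules makes sense.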