[strongSwan] INVALID_MAJOR_VERSION with Ikev1 and Fortigate
André Cruz
andre at cabine.org
Thu May 10 23:11:19 CEST 2018
Hello.
I’m trying to establish a VPN (IKEv1) with a Fortigate peer and I’m having some difficulties. I’m sure this has worked in the past, however now I’m getting a strange error back.
This is the strongSwan log:
ipsec_starter[5409]: Starting strongSwan 5.6.2 IPsec [starter]…
…
charon[5424]: 06[IKE] queueing ISAKMP_VENDOR task
charon[5424]: 06[IKE] queueing ISAKMP_CERT_PRE task
charon[5424]: 06[IKE] queueing MAIN_MODE task
charon[5424]: 06[IKE] queueing ISAKMP_CERT_POST task
charon[5424]: 06[IKE] queueing ISAKMP_NATD task
charon[5424]: 06[IKE] queueing QUICK_MODE task
charon[5424]: 06[IKE] activating new tasks
charon[5424]: 06[IKE] activating ISAKMP_VENDOR task
charon[5424]: 06[IKE] activating ISAKMP_CERT_PRE task
charon[5424]: 06[IKE] activating MAIN_MODE task
charon[5424]: 06[IKE] activating ISAKMP_CERT_POST task
charon[5424]: 06[IKE] activating ISAKMP_NATD task
charon[5424]: 06[IKE] sending XAuth vendor ID
charon[5424]: 06[IKE] sending DPD vendor ID
charon[5424]: 06[IKE] sending FRAGMENTATION vendor ID
charon[5424]: 06[IKE] sending NAT-T (RFC 3947) vendor ID
charon[5424]: 06[IKE] sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
charon[5424]: 06[IKE] initiating Main Mode IKE_SA ama[1] to (FORTIGATE)
charon[5424]: 06[IKE] initiating Main Mode IKE_SA ama[1] to (FORTIGATE)
charon[5424]: 06[IKE] IKE_SA ama[1] state change: CREATED => CONNECTING
charon[5424]: 06[ENC] generating ID_PROT request 0 [ SA V V V V V ]
charon[5424]: 06[NET] sending packet: from 10.132.0.2[500] to (FORTIGATE)[500] (184 bytes)
charon[5424]: 03[ENC] generating INFORMATIONAL response 0 [ N(INVAL_MAJOR) ]
charon[5424]: 03[NET] sending packet: from 10.132.0.2[500] to (FORTIGATE)[4500] (36 bytes)
charon[5424]: 03[NET] received unsupported IKE version 9.9 from (FORTIGATE), sending INVALID_MAJOR_VERSION
This is a pcap interpretation of the first 3 packets of the VPN attempt:
SSwan port 500 -> Fortigate port 500
Internet Security Association and Key Management Protocol
Initiator SPI: 15fdb0398dcc1262
Responder SPI: 0000000000000000
Next payload: Security Association (1)
Version: 1.0
0001 .... = MjVer: 0x1
.... 0000 = MnVer: 0x0
Exchange type: Identity Protection (Main Mode) (2)
Flags: 0x00
.... ...0 = Encryption: Not encrypted
.... ..0. = Commit: No commit
.... .0.. = Authentication: No authentication
Message ID: 0x00000000
Length: 184
Type Payload: Security Association (1)
Next payload: Vendor ID (13)
Payload length: 60
Domain of interpretation: IPSEC (1)
Situation: 00000001
.... .... .... .... .... .... .... ...1 = Identity Only: True
.... .... .... .... .... .... .... ..0. = Secrecy: False
.... .... .... .... .... .... .... .0.. = Integrity: False
Type Payload: Proposal (2) # 0
Next payload: NONE / No Next Payload (0)
Payload length: 48
Proposal number: 0
Protocol ID: ISAKMP (1)
SPI Size: 0
Proposal transforms: 1
Type Payload: Transform (3) # 1
Next payload: NONE / No Next Payload (0)
Payload length: 40
Transform number: 1
Transform ID: KEY_IKE (1)
Transform IKE Attribute Type (t=1,l=2) Encryption-Algorithm : AES-CBC
1... .... .... .... = Transform IKE Format: Type/Value (TV)
Transform IKE Attribute Type: Encryption-Algorithm (1)
Value: 0007
Encryption Algorithm: AES-CBC (7)
Transform IKE Attribute Type (t=14,l=2) Key-Length : 256
1... .... .... .... = Transform IKE Format: Type/Value (TV)
Transform IKE Attribute Type: Key-Length (14)
Value: 0100
Key Length: 256
Transform IKE Attribute Type (t=2,l=2) Hash-Algorithm : SHA2-256
1... .... .... .... = Transform IKE Format: Type/Value (TV)
Transform IKE Attribute Type: Hash-Algorithm (2)
Value: 0004
HASH Algorithm: SHA2-256 (4)
Transform IKE Attribute Type (t=4,l=2) Group-Description : 2048 bit MODP group
1... .... .... .... = Transform IKE Format: Type/Value (TV)
Transform IKE Attribute Type: Group-Description (4)
Value: 000e
Group Description: 2048 bit MODP group (14)
Transform IKE Attribute Type (t=3,l=2) Authentication-Method : PSK
1... .... .... .... = Transform IKE Format: Type/Value (TV)
Transform IKE Attribute Type: Authentication-Method (3)
Value: 0001
Authentication Method: PSK (1)
Transform IKE Attribute Type (t=11,l=2) Life-Type : Seconds
1... .... .... .... = Transform IKE Format: Type/Value (TV)
Transform IKE Attribute Type: Life-Type (11)
Value: 0001
Life Type: Seconds (1)
Transform IKE Attribute Type (t=12,l=4) Life-Duration : 86400
0... .... .... .... = Transform IKE Format: Type/Length/Value (TLV)
Transform IKE Attribute Type: Life-Duration (12)
Length: 4
Value: 00015180
Life Duration: 86400
Type Payload: Vendor ID (13) : XAUTH
Next payload: Vendor ID (13)
Payload length: 12
Vendor ID: 09002689dfd6b712
Vendor ID: XAUTH
Type Payload: Vendor ID (13) : RFC 3706 DPD (Dead Peer Detection)
Next payload: Vendor ID (13)
Payload length: 20
Vendor ID: afcad71368a1f1c96b8696fc77570100
Vendor ID: RFC 3706 DPD (Dead Peer Detection)
Type Payload: Vendor ID (13) : Cisco Fragmentation
Next payload: Vendor ID (13)
Payload length: 24
Vendor ID: 4048b7d56ebce88525e7de7f00d6c2d380000000
Vendor ID: Cisco Fragmentation
Type Payload: Vendor ID (13) : RFC 3947 Negotiation of NAT-Traversal in the IKE
Next payload: Vendor ID (13)
Payload length: 20
Vendor ID: 4a131c81070358455c5728f20e95452f
Vendor ID: RFC 3947 Negotiation of NAT-Traversal in the IKE
Type Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-02\n
Next payload: NONE / No Next Payload (0)
Payload length: 20
Vendor ID: 90cb80913ebb696e086381b5ec427b1f
Vendor ID: draft-ietf-ipsec-nat-t-ike-02\n
Fortigate port 4500 -> SSwan 500
Internet Security Association and Key Management Protocol
Initiator SPI: 15fdb0398dcc1262
Responder SPI: 88f25e0e3299ec3c
Next payload: Security Association (1)
Version: 1.0
0001 .... = MjVer: 0x1
.... 0000 = MnVer: 0x0
Exchange type: Identity Protection (Main Mode) (2)
Flags: 0x00
.... ...0 = Encryption: Not encrypted
.... ..0. = Commit: No commit
.... .0.. = Authentication: No authentication
Message ID: 0x00000000
Length: 148
Type Payload: Security Association (1)
Next payload: Vendor ID (13)
Payload length: 60
Domain of interpretation: IPSEC (1)
Situation: 00000001
.... .... .... .... .... .... .... ...1 = Identity Only: True
.... .... .... .... .... .... .... ..0. = Secrecy: False
.... .... .... .... .... .... .... .0.. = Integrity: False
Type Payload: Proposal (2) # 0
Next payload: NONE / No Next Payload (0)
Payload length: 48
Proposal number: 0
Protocol ID: ISAKMP (1)
SPI Size: 0
Proposal transforms: 1
Type Payload: Transform (3) # 1
Next payload: NONE / No Next Payload (0)
Payload length: 40
Transform number: 1
Transform ID: KEY_IKE (1)
Transform IKE Attribute Type (t=1,l=2) Encryption-Algorithm : AES-CBC
1... .... .... .... = Transform IKE Format: Type/Value (TV)
Transform IKE Attribute Type: Encryption-Algorithm (1)
Value: 0007
Encryption Algorithm: AES-CBC (7)
Transform IKE Attribute Type (t=14,l=2) Key-Length : 256
1... .... .... .... = Transform IKE Format: Type/Value (TV)
Transform IKE Attribute Type: Key-Length (14)
Value: 0100
Key Length: 256
Transform IKE Attribute Type (t=2,l=2) Hash-Algorithm : SHA2-256
1... .... .... .... = Transform IKE Format: Type/Value (TV)
Transform IKE Attribute Type: Hash-Algorithm (2)
Value: 0004
HASH Algorithm: SHA2-256 (4)
Transform IKE Attribute Type (t=4,l=2) Group-Description : 2048 bit MODP group
1... .... .... .... = Transform IKE Format: Type/Value (TV)
Transform IKE Attribute Type: Group-Description (4)
Value: 000e
Group Description: 2048 bit MODP group (14)
Transform IKE Attribute Type (t=3,l=2) Authentication-Method : PSK
1... .... .... .... = Transform IKE Format: Type/Value (TV)
Transform IKE Attribute Type: Authentication-Method (3)
Value: 0001
Authentication Method: PSK (1)
Transform IKE Attribute Type (t=11,l=2) Life-Type : Seconds
1... .... .... .... = Transform IKE Format: Type/Value (TV)
Transform IKE Attribute Type: Life-Type (11)
Value: 0001
Life Type: Seconds (1)
Transform IKE Attribute Type (t=12,l=4) Life-Duration : 86400
0... .... .... .... = Transform IKE Format: Type/Length/Value (TLV)
Transform IKE Attribute Type: Life-Duration (12)
Length: 4
Value: 00015180
Life Duration: 86400
Type Payload: Vendor ID (13) : RFC 3947 Negotiation of NAT-Traversal in the IKE
Next payload: Vendor ID (13)
Payload length: 20
Vendor ID: 4a131c81070358455c5728f20e95452f
Vendor ID: RFC 3947 Negotiation of NAT-Traversal in the IKE
Type Payload: Vendor ID (13) : RFC 3706 DPD (Dead Peer Detection)
Next payload: Vendor ID (13)
Payload length: 20
Vendor ID: afcad71368a1f1c96b8696fc77570100
Vendor ID: RFC 3706 DPD (Dead Peer Detection)
Type Payload: Vendor ID (13) : Unknown Vendor ID
Next payload: NONE / No Next Payload (0)
Payload length: 20
Vendor ID: 8299031757a36082c6a621de000402b6
Vendor ID: Unknown Vendor ID
SSwan port 500 -> Fortigate port 4500
Internet Security Association and Key Management Protocol
Initiator SPI: 0000000015fdb039
Responder SPI: 8dcc126288f25e0e
Next payload: Notify (41)
Version: 2.0
0010 .... = MjVer: 0x2
.... 0000 = MnVer: 0x0
Exchange type: INFORMATIONAL (37)
Flags: 0x20 (Responder, No higher version, Response)
.... 0... = Initiator: Responder
...0 .... = Version: No higher version
..1. .... = Response: Response
Message ID: 0x00000000
Length: 36
Type Payload: Notify (41) - INVALID_MAJOR_VERSION
Next payload: NONE / No Next Payload (0)
0... .... = Critical Bit: Not Critical
Payload length: 8
Protocol ID: RESERVED (0)
SPI Size: 0
Notify Message Type: INVALID_MAJOR_VERSION (5)
Notification DATA: <MISSING>
Can anyone explain why I get the INVALID_MAJOR_VERSION error?
This is the config I’m using:
config setup
charondebug="ike 2, knl 3, cfg 0"
uniqueids = yes
conn ama
keyexchange = ikev1
right = (FORTIGATE)
rightid = (FORTIGATE)
rightsubnet = 172.31.200.0/23
rightauth = psk
left = 10.132.0.2
leftid = (MYIP)
leftsubnet = 172.31.229.240/29
leftauth = psk
auto = start
esp = aes256-sha256-modp2048!
ike = aes256-sha256-modp2048!
type = tunnel
ikelifetime = 24h
lifetime = 1h
dpdaction = restart
forceencaps = yes
Thank you for the help!
Best regards,
André
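An added example, written for this thread and not code from the post or from strongSwan: a small decoder for the fixed 28-byte ISAKMP/IKE header that shows how a datagram can come to be read as "IKE version 9.9". On UDP/4500 every IKE datagram carries a 4-byte non-ESP marker of zeros in front of the header, which the receiver on that port strips; a receiver on UDP/500 strips nothing. The responder's reply above comes from port 4500 to port 500, so the assumption made here is that it carried that marker. The sample header is constructed from the SPIs and fields of the second packet on the page; parsed without stripping the marker, its version byte lands on the fifth byte of the responder SPI (0x99), and its SPIs shift exactly as Wireshark displays them for the third packet (initiator SPI 0000000015fdb039).

```python
import struct

# Fixed header layout shared by IKEv1 (RFC 2408) and IKEv2 (RFC 7296).
HEADER_FMT = "!8s8sBBBBII"
HEADER_LEN = struct.calcsize(HEADER_FMT)          # 28 bytes
NON_ESP_MARKER = b"\x00\x00\x00\x00"              # prefix on UDP/4500 (RFC 3948, section 2.2)
SUPPORTED_MAJOR = {1, 2}
INVALID_MAJOR_VERSION = 5                          # notify type seen in the page's third packet


def build_header(ispi, rspi, next_payload, major, minor, exchange, flags, msg_id, length):
    """Pack a 28-byte IKE header. SPIs are 8-byte strings."""
    return struct.pack(HEADER_FMT, ispi, rspi, next_payload,
                       (major << 4) | minor, exchange, flags, msg_id, length)


def parse_header(datagram, strip_non_esp_marker=False):
    """Decode the fixed header. Set strip_non_esp_marker for datagrams read from a UDP/4500 socket."""
    data = datagram
    if strip_non_esp_marker:
        if data[:4] != NON_ESP_MARKER:
            raise ValueError("UDP/4500 datagram without non-ESP marker (ESP-in-UDP or garbage)")
        data = data[4:]
    if len(data) < HEADER_LEN:
        raise ValueError("truncated IKE header")
    ispi, rspi, np_, version, exchange, flags, msg_id, length = struct.unpack(
        HEADER_FMT, data[:HEADER_LEN])
    return {
        "ispi": ispi.hex(), "rspi": rspi.hex(), "next_payload": np_,
        "major": version >> 4, "minor": version & 0x0F,
        "exchange": exchange, "flags": flags, "msg_id": msg_id, "length": length,
    }


def version_check(header):
    """First sanity check a responder applies: unknown major version -> INVALID_MAJOR_VERSION."""
    if header["major"] not in SUPPORTED_MAJOR:
        return INVALID_MAJOR_VERSION
    return None


# Constructed sample: the responder's Main Mode reply with the SPIs and fields from the page's
# second packet, prefixed with the non-ESP marker a sender on UDP/4500 adds (assumption).
RESPONDER_REPLY_ON_4500 = NON_ESP_MARKER + build_header(
    bytes.fromhex("15fdb0398dcc1262"), bytes.fromhex("88f25e0e3299ec3c"),
    next_payload=1, major=1, minor=0, exchange=2, flags=0, msg_id=0, length=148)


def decode_as_4500_socket():
    """Correct handling: marker stripped, IKEv1 Main Mode header recovered."""
    return parse_header(RESPONDER_REPLY_ON_4500, strip_non_esp_marker=True)


def decode_as_500_socket():
    """Same bytes delivered to port 500: nothing strips the marker, every field is read 4 bytes off."""
    return parse_header(RESPONDER_REPLY_ON_4500, strip_non_esp_marker=False)


if __name__ == "__main__":
    for label, hdr in (("on 4500", decode_as_4500_socket()), ("on 500 ", decode_as_500_socket())):
        print(label, hdr["ispi"], hdr["rspi"], f"v{hdr['major']}.{hdr['minor']}", version_check(hdr))
```

The check a practitioner would make from this is to compare source and destination ports of the responder's reply against where the initiator is listening: a marker-prefixed datagram arriving on port 500 is rejected at the header stage before any proposal or PSK is looked at, which is why the log shows nothing beyond INVALID_MAJOR_VERSION.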