[strongSwan] INVALID_MAJOR_VERSION with Ikev1 and Fortigate
André Cruz
andre at cabine.org
Fri May 11 12:14:29 CEST 2018
Hello.
I've managed to fix the problem which was related to the usage of different ports. StrongSwan was sending a request from port 500 to port 500, Fortigate is answering from port 4500 which has an ESP marker, and so StrognSwan was reading the protocol version in the wrong place.
leftikeport = 4500
rightikeport = 4500
managed to fix this.
Best regards,
André
> On 10 May 2018, at 22:11, André Cruz <andre at cabine.org> wrote:
>
> Hello.
>
> I’m trying to establish a VPN (IKEv1) with a Fortigate peer and I’m having some difficulties. I’m sure this has worked in the past, however now I’m getting a strange error back.
>
> This is the StringSwan log:
>
> ipsec_starter[5409]: Starting strongSwan 5.6.2 IPsec [starter]…
> …
> charon[5424]: 06[IKE] queueing ISAKMP_VENDOR task
> charon[5424]: 06[IKE] queueing ISAKMP_CERT_PRE task
> charon[5424]: 06[IKE] queueing MAIN_MODE task
> charon[5424]: 06[IKE] queueing ISAKMP_CERT_POST task
> charon[5424]: 06[IKE] queueing ISAKMP_NATD task
> charon[5424]: 06[IKE] queueing QUICK_MODE task
> charon[5424]: 06[IKE] activating new tasks
> charon[5424]: 06[IKE] activating ISAKMP_VENDOR task
> charon[5424]: 06[IKE] activating ISAKMP_CERT_PRE task
> charon[5424]: 06[IKE] activating MAIN_MODE task
> charon[5424]: 06[IKE] activating ISAKMP_CERT_POST task
> charon[5424]: 06[IKE] activating ISAKMP_NATD task
> charon[5424]: 06[IKE] sending XAuth vendor ID
> charon[5424]: 06[IKE] sending DPD vendor ID
> charon[5424]: 06[IKE] sending FRAGMENTATION vendor ID
> charon[5424]: 06[IKE] sending NAT-T (RFC 3947) vendor ID
> charon[5424]: 06[IKE] sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> charon[5424]: 06[IKE] initiating Main Mode IKE_SA ama[1] to (FORTIGATE)
> charon[5424]: 06[IKE] initiating Main Mode IKE_SA ama[1] to (FORTIGATE)
> charon[5424]: 06[IKE] IKE_SA ama[1] state change: CREATED => CONNECTING
> charon[5424]: 06[ENC] generating ID_PROT request 0 [ SA V V V V V ]
> charon[5424]: 06[NET] sending packet: from 10.132.0.2[500] to (FORTIGATE)[500] (184 bytes)
> charon[5424]: 03[ENC] generating INFORMATIONAL response 0 [ N(INVAL_MAJOR) ]
> charon[5424]: 03[NET] sending packet: from 10.132.0.2[500] to (FORTIGATE)[4500] (36 bytes)
> charon[5424]: 03[NET] received unsupported IKE version 9.9 from (FORTIGATE), sending INVALID_MAJOR_VERSION
>
>
> This is a pcap interpretation of the first 3 packets of the VPN attempt:
>
>
> SSwan port 500 -> Fortigate port 500
> Internet Security Association and Key Management Protocol
> Initiator SPI: 15fdb0398dcc1262
> Responder SPI: 0000000000000000
> Next payload: Security Association (1)
> Version: 1.0
> 0001 .... = MjVer: 0x1
> .... 0000 = MnVer: 0x0
> Exchange type: Identity Protection (Main Mode) (2)
> Flags: 0x00
> .... ...0 = Encryption: Not encrypted
> .... ..0. = Commit: No commit
> .... .0.. = Authentication: No authentication
> Message ID: 0x00000000
> Length: 184
> Type Payload: Security Association (1)
> Next payload: Vendor ID (13)
> Payload length: 60
> Domain of interpretation: IPSEC (1)
> Situation: 00000001
> .... .... .... .... .... .... .... ...1 = Identity Only: True
> .... .... .... .... .... .... .... ..0. = Secrecy: False
> .... .... .... .... .... .... .... .0.. = Integrity: False
> Type Payload: Proposal (2) # 0
> Next payload: NONE / No Next Payload (0)
> Payload length: 48
> Proposal number: 0
> Protocol ID: ISAKMP (1)
> SPI Size: 0
> Proposal transforms: 1
> Type Payload: Transform (3) # 1
> Next payload: NONE / No Next Payload (0)
> Payload length: 40
> Transform number: 1
> Transform ID: KEY_IKE (1)
> Transform IKE Attribute Type (t=1,l=2) Encryption-Algorithm : AES-CBC
> 1... .... .... .... = Transform IKE Format: Type/Value (TV)
> Transform IKE Attribute Type: Encryption-Algorithm (1)
> Value: 0007
> Encryption Algorithm: AES-CBC (7)
> Transform IKE Attribute Type (t=14,l=2) Key-Length : 256
> 1... .... .... .... = Transform IKE Format: Type/Value (TV)
> Transform IKE Attribute Type: Key-Length (14)
> Value: 0100
> Key Length: 256
> Transform IKE Attribute Type (t=2,l=2) Hash-Algorithm : SHA2-256
> 1... .... .... .... = Transform IKE Format: Type/Value (TV)
> Transform IKE Attribute Type: Hash-Algorithm (2)
> Value: 0004
> HASH Algorithm: SHA2-256 (4)
> Transform IKE Attribute Type (t=4,l=2) Group-Description : 2048 bit MODP group
> 1... .... .... .... = Transform IKE Format: Type/Value (TV)
> Transform IKE Attribute Type: Group-Description (4)
> Value: 000e
> Group Description: 2048 bit MODP group (14)
> Transform IKE Attribute Type (t=3,l=2) Authentication-Method : PSK
> 1... .... .... .... = Transform IKE Format: Type/Value (TV)
> Transform IKE Attribute Type: Authentication-Method (3)
> Value: 0001
> Authentication Method: PSK (1)
> Transform IKE Attribute Type (t=11,l=2) Life-Type : Seconds
> 1... .... .... .... = Transform IKE Format: Type/Value (TV)
> Transform IKE Attribute Type: Life-Type (11)
> Value: 0001
> Life Type: Seconds (1)
> Transform IKE Attribute Type (t=12,l=4) Life-Duration : 86400
> 0... .... .... .... = Transform IKE Format: Type/Length/Value (TLV)
> Transform IKE Attribute Type: Life-Duration (12)
> Length: 4
> Value: 00015180
> Life Duration: 86400
> Type Payload: Vendor ID (13) : XAUTH
> Next payload: Vendor ID (13)
> Payload length: 12
> Vendor ID: 09002689dfd6b712
> Vendor ID: XAUTH
> Type Payload: Vendor ID (13) : RFC 3706 DPD (Dead Peer Detection)
> Next payload: Vendor ID (13)
> Payload length: 20
> Vendor ID: afcad71368a1f1c96b8696fc77570100
> Vendor ID: RFC 3706 DPD (Dead Peer Detection)
> Type Payload: Vendor ID (13) : Cisco Fragmentation
> Next payload: Vendor ID (13)
> Payload length: 24
> Vendor ID: 4048b7d56ebce88525e7de7f00d6c2d380000000
> Vendor ID: Cisco Fragmentation
> Type Payload: Vendor ID (13) : RFC 3947 Negotiation of NAT-Traversal in the IKE
> Next payload: Vendor ID (13)
> Payload length: 20
> Vendor ID: 4a131c81070358455c5728f20e95452f
> Vendor ID: RFC 3947 Negotiation of NAT-Traversal in the IKE
> Type Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-02\n
> Next payload: NONE / No Next Payload (0)
> Payload length: 20
> Vendor ID: 90cb80913ebb696e086381b5ec427b1f
> Vendor ID: draft-ietf-ipsec-nat-t-ike-02\n
>
>
> Fortigate port 4500 -> SSwan 500
> Internet Security Association and Key Management Protocol
> Initiator SPI: 15fdb0398dcc1262
> Responder SPI: 88f25e0e3299ec3c
> Next payload: Security Association (1)
> Version: 1.0
> 0001 .... = MjVer: 0x1
> .... 0000 = MnVer: 0x0
> Exchange type: Identity Protection (Main Mode) (2)
> Flags: 0x00
> .... ...0 = Encryption: Not encrypted
> .... ..0. = Commit: No commit
> .... .0.. = Authentication: No authentication
> Message ID: 0x00000000
> Length: 148
> Type Payload: Security Association (1)
> Next payload: Vendor ID (13)
> Payload length: 60
> Domain of interpretation: IPSEC (1)
> Situation: 00000001
> .... .... .... .... .... .... .... ...1 = Identity Only: True
> .... .... .... .... .... .... .... ..0. = Secrecy: False
> .... .... .... .... .... .... .... .0.. = Integrity: False
> Type Payload: Proposal (2) # 0
> Next payload: NONE / No Next Payload (0)
> Payload length: 48
> Proposal number: 0
> Protocol ID: ISAKMP (1)
> SPI Size: 0
> Proposal transforms: 1
> Type Payload: Transform (3) # 1
> Next payload: NONE / No Next Payload (0)
> Payload length: 40
> Transform number: 1
> Transform ID: KEY_IKE (1)
> Transform IKE Attribute Type (t=1,l=2) Encryption-Algorithm : AES-CBC
> 1... .... .... .... = Transform IKE Format: Type/Value (TV)
> Transform IKE Attribute Type: Encryption-Algorithm (1)
> Value: 0007
> Encryption Algorithm: AES-CBC (7)
> Transform IKE Attribute Type (t=14,l=2) Key-Length : 256
> 1... .... .... .... = Transform IKE Format: Type/Value (TV)
> Transform IKE Attribute Type: Key-Length (14)
> Value: 0100
> Key Length: 256
> Transform IKE Attribute Type (t=2,l=2) Hash-Algorithm : SHA2-256
> 1... .... .... .... = Transform IKE Format: Type/Value (TV)
> Transform IKE Attribute Type: Hash-Algorithm (2)
> Value: 0004
> HASH Algorithm: SHA2-256 (4)
> Transform IKE Attribute Type (t=4,l=2) Group-Description : 2048 bit MODP group
> 1... .... .... .... = Transform IKE Format: Type/Value (TV)
> Transform IKE Attribute Type: Group-Description (4)
> Value: 000e
> Group Description: 2048 bit MODP group (14)
> Transform IKE Attribute Type (t=3,l=2) Authentication-Method : PSK
> 1... .... .... .... = Transform IKE Format: Type/Value (TV)
> Transform IKE Attribute Type: Authentication-Method (3)
> Value: 0001
> Authentication Method: PSK (1)
> Transform IKE Attribute Type (t=11,l=2) Life-Type : Seconds
> 1... .... .... .... = Transform IKE Format: Type/Value (TV)
> Transform IKE Attribute Type: Life-Type (11)
> Value: 0001
> Life Type: Seconds (1)
> Transform IKE Attribute Type (t=12,l=4) Life-Duration : 86400
> 0... .... .... .... = Transform IKE Format: Type/Length/Value (TLV)
> Transform IKE Attribute Type: Life-Duration (12)
> Length: 4
> Value: 00015180
> Life Duration: 86400
> Type Payload: Vendor ID (13) : RFC 3947 Negotiation of NAT-Traversal in the IKE
> Next payload: Vendor ID (13)
> Payload length: 20
> Vendor ID: 4a131c81070358455c5728f20e95452f
> Vendor ID: RFC 3947 Negotiation of NAT-Traversal in the IKE
> Type Payload: Vendor ID (13) : RFC 3706 DPD (Dead Peer Detection)
> Next payload: Vendor ID (13)
> Payload length: 20
> Vendor ID: afcad71368a1f1c96b8696fc77570100
> Vendor ID: RFC 3706 DPD (Dead Peer Detection)
> Type Payload: Vendor ID (13) : Unknown Vendor ID
> Next payload: NONE / No Next Payload (0)
> Payload length: 20
> Vendor ID: 8299031757a36082c6a621de000402b6
> Vendor ID: Unknown Vendor ID
>
>
> SSwan port 500 -> Fortigate port 4500
> Internet Security Association and Key Management Protocol
> Initiator SPI: 0000000015fdb039
> Responder SPI: 8dcc126288f25e0e
> Next payload: Notify (41)
> Version: 2.0
> 0010 .... = MjVer: 0x2
> .... 0000 = MnVer: 0x0
> Exchange type: INFORMATIONAL (37)
> Flags: 0x20 (Responder, No higher version, Response)
> .... 0... = Initiator: Responder
> ...0 .... = Version: No higher version
> ..1. .... = Response: Response
> Message ID: 0x00000000
> Length: 36
> Type Payload: Notify (41) - INVALID_MAJOR_VERSION
> Next payload: NONE / No Next Payload (0)
> 0... .... = Critical Bit: Not Critical
> Payload length: 8
> Protocol ID: RESERVED (0)
> SPI Size: 0
> Notify Message Type: INVALID_MAJOR_VERSION (5)
> Notification DATA: <MISSING>
>
>
> Can anyone explain why the INVALID_MAJOR_VERSION error?
>
> This is the config I’m using:
>
> config setup
> charondebug="ike 2, knl 3, cfg 0"
> uniqueids = yes
>
> conn ama
> keyexchange = ikev1
> right = (FORTIGATE)
> rightid = (FORTIGATE)
> rightsubnet = 172.31.200.0/23
> rightauth = psk
> left = 10.132.0.2
> leftid = (MYIP)
> leftsubnet = 172.31.229.240/29
> leftauth = psk
> auto = start
> esp = aes256-sha256-modp2048!
> ike = aes256-sha256-modp2048!
> type = tunnel
> ikelifetime = 24h
> lifetime = 1h
> dpdaction = restart
> forceencaps = yes
>
> Thank you for the help!
>
> Best regards,
> André
More information about the Users
mailing list