[strongSwan] INVALID_MAJOR_VERSION with Ikev1 and Fortigate
Noel Kuntze
noel.kuntze+strongswan-users-ml at thermi.consulting
Fri May 11 22:59:26 CEST 2018
Hello,
The Fortigate behaves incorrectly.
It is incorrect to send packets with NON-ESP markers to port 500. The Fortigate needs to send those packets to port 4500 after faking a NAT situation to force the usage of UDP encapsulation.
It did not do that.
Kind regards
Noel
On 11.05.2018 12:14, André Cruz wrote:
> Hello.
>
> I've managed to fix the problem which was related to the usage of different ports. StrongSwan was sending a request from port 500 to port 500, Fortigate is answering from port 4500 which has an ESP marker, and so strongSwan was reading the protocol version in the wrong place.
>
> leftikeport = 4500
> rightikeport = 4500
>
> managed to fix this.
>
> Best regards,
> André
>
>> On 10 May 2018, at 22:11, André Cruz <andre at cabine.org> wrote:
>>
>> Hello.
>>
>> I’m trying to establish a VPN (IKEv1) with a Fortigate peer and I’m having some difficulties. I’m sure this has worked in the past, however now I’m getting a strange error back.
>>
>> This is the strongSwan log:
>>
>> ipsec_starter[5409]: Starting strongSwan 5.6.2 IPsec [starter]…
>> …
>> charon[5424]: 06[IKE] queueing ISAKMP_VENDOR task
>> charon[5424]: 06[IKE] queueing ISAKMP_CERT_PRE task
>> charon[5424]: 06[IKE] queueing MAIN_MODE task
>> charon[5424]: 06[IKE] queueing ISAKMP_CERT_POST task
>> charon[5424]: 06[IKE] queueing ISAKMP_NATD task
>> charon[5424]: 06[IKE] queueing QUICK_MODE task
>> charon[5424]: 06[IKE] activating new tasks
>> charon[5424]: 06[IKE] activating ISAKMP_VENDOR task
>> charon[5424]: 06[IKE] activating ISAKMP_CERT_PRE task
>> charon[5424]: 06[IKE] activating MAIN_MODE task
>> charon[5424]: 06[IKE] activating ISAKMP_CERT_POST task
>> charon[5424]: 06[IKE] activating ISAKMP_NATD task
>> charon[5424]: 06[IKE] sending XAuth vendor ID
>> charon[5424]: 06[IKE] sending DPD vendor ID
>> charon[5424]: 06[IKE] sending FRAGMENTATION vendor ID
>> charon[5424]: 06[IKE] sending NAT-T (RFC 3947) vendor ID
>> charon[5424]: 06[IKE] sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
>> charon[5424]: 06[IKE] initiating Main Mode IKE_SA ama[1] to (FORTIGATE)
>> charon[5424]: 06[IKE] initiating Main Mode IKE_SA ama[1] to (FORTIGATE)
>> charon[5424]: 06[IKE] IKE_SA ama[1] state change: CREATED => CONNECTING
>> charon[5424]: 06[ENC] generating ID_PROT request 0 [ SA V V V V V ]
>> charon[5424]: 06[NET] sending packet: from 10.132.0.2[500] to (FORTIGATE)[500] (184 bytes)
>> charon[5424]: 03[ENC] generating INFORMATIONAL response 0 [ N(INVAL_MAJOR) ]
>> charon[5424]: 03[NET] sending packet: from 10.132.0.2[500] to (FORTIGATE)[4500] (36 bytes)
>> charon[5424]: 03[NET] received unsupported IKE version 9.9 from (FORTIGATE), sending INVALID_MAJOR_VERSION
>>
>>
>> This is a pcap interpretation of the first 3 packets of the VPN attempt:
>>
>>
>> SSwan port 500 -> Fortigate port 500
>> Internet Security Association and Key Management Protocol
>> Initiator SPI: 15fdb0398dcc1262
>> Responder SPI: 0000000000000000
>> Next payload: Security Association (1)
>> Version: 1.0
>> 0001 .... = MjVer: 0x1
>> .... 0000 = MnVer: 0x0
>> Exchange type: Identity Protection (Main Mode) (2)
>> Flags: 0x00
>> .... ...0 = Encryption: Not encrypted
>> .... ..0. = Commit: No commit
>> .... .0.. = Authentication: No authentication
>> Message ID: 0x00000000
>> Length: 184
>> Type Payload: Security Association (1)
>> Next payload: Vendor ID (13)
>> Payload length: 60
>> Domain of interpretation: IPSEC (1)
>> Situation: 00000001
>> .... .... .... .... .... .... .... ...1 = Identity Only: True
>> .... .... .... .... .... .... .... ..0. = Secrecy: False
>> .... .... .... .... .... .... .... .0.. = Integrity: False
>> Type Payload: Proposal (2) # 0
>> Next payload: NONE / No Next Payload (0)
>> Payload length: 48
>> Proposal number: 0
>> Protocol ID: ISAKMP (1)
>> SPI Size: 0
>> Proposal transforms: 1
>> Type Payload: Transform (3) # 1
>> Next payload: NONE / No Next Payload (0)
>> Payload length: 40
>> Transform number: 1
>> Transform ID: KEY_IKE (1)
>> Transform IKE Attribute Type (t=1,l=2) Encryption-Algorithm : AES-CBC
>> 1... .... .... .... = Transform IKE Format: Type/Value (TV)
>> Transform IKE Attribute Type: Encryption-Algorithm (1)
>> Value: 0007
>> Encryption Algorithm: AES-CBC (7)
>> Transform IKE Attribute Type (t=14,l=2) Key-Length : 256
>> 1... .... .... .... = Transform IKE Format: Type/Value (TV)
>> Transform IKE Attribute Type: Key-Length (14)
>> Value: 0100
>> Key Length: 256
>> Transform IKE Attribute Type (t=2,l=2) Hash-Algorithm : SHA2-256
>> 1... .... .... .... = Transform IKE Format: Type/Value (TV)
>> Transform IKE Attribute Type: Hash-Algorithm (2)
>> Value: 0004
>> HASH Algorithm: SHA2-256 (4)
>> Transform IKE Attribute Type (t=4,l=2) Group-Description : 2048 bit MODP group
>> 1... .... .... .... = Transform IKE Format: Type/Value (TV)
>> Transform IKE Attribute Type: Group-Description (4)
>> Value: 000e
>> Group Description: 2048 bit MODP group (14)
>> Transform IKE Attribute Type (t=3,l=2) Authentication-Method : PSK
>> 1... .... .... .... = Transform IKE Format: Type/Value (TV)
>> Transform IKE Attribute Type: Authentication-Method (3)
>> Value: 0001
>> Authentication Method: PSK (1)
>> Transform IKE Attribute Type (t=11,l=2) Life-Type : Seconds
>> 1... .... .... .... = Transform IKE Format: Type/Value (TV)
>> Transform IKE Attribute Type: Life-Type (11)
>> Value: 0001
>> Life Type: Seconds (1)
>> Transform IKE Attribute Type (t=12,l=4) Life-Duration : 86400
>> 0... .... .... .... = Transform IKE Format: Type/Length/Value (TLV)
>> Transform IKE Attribute Type: Life-Duration (12)
>> Length: 4
>> Value: 00015180
>> Life Duration: 86400
>> Type Payload: Vendor ID (13) : XAUTH
>> Next payload: Vendor ID (13)
>> Payload length: 12
>> Vendor ID: 09002689dfd6b712
>> Vendor ID: XAUTH
>> Type Payload: Vendor ID (13) : RFC 3706 DPD (Dead Peer Detection)
>> Next payload: Vendor ID (13)
>> Payload length: 20
>> Vendor ID: afcad71368a1f1c96b8696fc77570100
>> Vendor ID: RFC 3706 DPD (Dead Peer Detection)
>> Type Payload: Vendor ID (13) : Cisco Fragmentation
>> Next payload: Vendor ID (13)
>> Payload length: 24
>> Vendor ID: 4048b7d56ebce88525e7de7f00d6c2d380000000
>> Vendor ID: Cisco Fragmentation
>> Type Payload: Vendor ID (13) : RFC 3947 Negotiation of NAT-Traversal in the IKE
>> Next payload: Vendor ID (13)
>> Payload length: 20
>> Vendor ID: 4a131c81070358455c5728f20e95452f
>> Vendor ID: RFC 3947 Negotiation of NAT-Traversal in the IKE
>> Type Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-02\n
>> Next payload: NONE / No Next Payload (0)
>> Payload length: 20
>> Vendor ID: 90cb80913ebb696e086381b5ec427b1f
>> Vendor ID: draft-ietf-ipsec-nat-t-ike-02\n
>>
>>
>> Fortigate port 4500 -> SSwan 500
>> Internet Security Association and Key Management Protocol
>> Initiator SPI: 15fdb0398dcc1262
>> Responder SPI: 88f25e0e3299ec3c
>> Next payload: Security Association (1)
>> Version: 1.0
>> 0001 .... = MjVer: 0x1
>> .... 0000 = MnVer: 0x0
>> Exchange type: Identity Protection (Main Mode) (2)
>> Flags: 0x00
>> .... ...0 = Encryption: Not encrypted
>> .... ..0. = Commit: No commit
>> .... .0.. = Authentication: No authentication
>> Message ID: 0x00000000
>> Length: 148
>> Type Payload: Security Association (1)
>> Next payload: Vendor ID (13)
>> Payload length: 60
>> Domain of interpretation: IPSEC (1)
>> Situation: 00000001
>> .... .... .... .... .... .... .... ...1 = Identity Only: True
>> .... .... .... .... .... .... .... ..0. = Secrecy: False
>> .... .... .... .... .... .... .... .0.. = Integrity: False
>> Type Payload: Proposal (2) # 0
>> Next payload: NONE / No Next Payload (0)
>> Payload length: 48
>> Proposal number: 0
>> Protocol ID: ISAKMP (1)
>> SPI Size: 0
>> Proposal transforms: 1
>> Type Payload: Transform (3) # 1
>> Next payload: NONE / No Next Payload (0)
>> Payload length: 40
>> Transform number: 1
>> Transform ID: KEY_IKE (1)
>> Transform IKE Attribute Type (t=1,l=2) Encryption-Algorithm : AES-CBC
>> 1... .... .... .... = Transform IKE Format: Type/Value (TV)
>> Transform IKE Attribute Type: Encryption-Algorithm (1)
>> Value: 0007
>> Encryption Algorithm: AES-CBC (7)
>> Transform IKE Attribute Type (t=14,l=2) Key-Length : 256
>> 1... .... .... .... = Transform IKE Format: Type/Value (TV)
>> Transform IKE Attribute Type: Key-Length (14)
>> Value: 0100
>> Key Length: 256
>> Transform IKE Attribute Type (t=2,l=2) Hash-Algorithm : SHA2-256
>> 1... .... .... .... = Transform IKE Format: Type/Value (TV)
>> Transform IKE Attribute Type: Hash-Algorithm (2)
>> Value: 0004
>> HASH Algorithm: SHA2-256 (4)
>> Transform IKE Attribute Type (t=4,l=2) Group-Description : 2048 bit MODP group
>> 1... .... .... .... = Transform IKE Format: Type/Value (TV)
>> Transform IKE Attribute Type: Group-Description (4)
>> Value: 000e
>> Group Description: 2048 bit MODP group (14)
>> Transform IKE Attribute Type (t=3,l=2) Authentication-Method : PSK
>> 1... .... .... .... = Transform IKE Format: Type/Value (TV)
>> Transform IKE Attribute Type: Authentication-Method (3)
>> Value: 0001
>> Authentication Method: PSK (1)
>> Transform IKE Attribute Type (t=11,l=2) Life-Type : Seconds
>> 1... .... .... .... = Transform IKE Format: Type/Value (TV)
>> Transform IKE Attribute Type: Life-Type (11)
>> Value: 0001
>> Life Type: Seconds (1)
>> Transform IKE Attribute Type (t=12,l=4) Life-Duration : 86400
>> 0... .... .... .... = Transform IKE Format: Type/Length/Value (TLV)
>> Transform IKE Attribute Type: Life-Duration (12)
>> Length: 4
>> Value: 00015180
>> Life Duration: 86400
>> Type Payload: Vendor ID (13) : RFC 3947 Negotiation of NAT-Traversal in the IKE
>> Next payload: Vendor ID (13)
>> Payload length: 20
>> Vendor ID: 4a131c81070358455c5728f20e95452f
>> Vendor ID: RFC 3947 Negotiation of NAT-Traversal in the IKE
>> Type Payload: Vendor ID (13) : RFC 3706 DPD (Dead Peer Detection)
>> Next payload: Vendor ID (13)
>> Payload length: 20
>> Vendor ID: afcad71368a1f1c96b8696fc77570100
>> Vendor ID: RFC 3706 DPD (Dead Peer Detection)
>> Type Payload: Vendor ID (13) : Unknown Vendor ID
>> Next payload: NONE / No Next Payload (0)
>> Payload length: 20
>> Vendor ID: 8299031757a36082c6a621de000402b6
>> Vendor ID: Unknown Vendor ID
>>
>>
>> SSwan port 500 -> Fortigate port 4500
>> Internet Security Association and Key Management Protocol
>> Initiator SPI: 0000000015fdb039
>> Responder SPI: 8dcc126288f25e0e
>> Next payload: Notify (41)
>> Version: 2.0
>> 0010 .... = MjVer: 0x2
>> .... 0000 = MnVer: 0x0
>> Exchange type: INFORMATIONAL (37)
>> Flags: 0x20 (Responder, No higher version, Response)
>> .... 0... = Initiator: Responder
>> ...0 .... = Version: No higher version
>> ..1. .... = Response: Response
>> Message ID: 0x00000000
>> Length: 36
>> Type Payload: Notify (41) - INVALID_MAJOR_VERSION
>> Next payload: NONE / No Next Payload (0)
>> 0... .... = Critical Bit: Not Critical
>> Payload length: 8
>> Protocol ID: RESERVED (0)
>> SPI Size: 0
>> Notify Message Type: INVALID_MAJOR_VERSION (5)
>> Notification DATA: <MISSING>
>>
>>
>> Can anyone explain why the INVALID_MAJOR_VERSION error?
>>
>> This is the config I’m using:
>>
>> config setup
>>     charondebug="ike 2, knl 3, cfg 0"
>>     uniqueids = yes
>>
>> conn ama
>>     keyexchange = ikev1
>>     right = (FORTIGATE)
>>     rightid = (FORTIGATE)
>>     rightsubnet = 172.31.200.0/23
>>     rightauth = psk
>>     left = 10.132.0.2
>>     leftid = (MYIP)
>>     leftsubnet = 172.31.229.240/29
>>     leftauth = psk
>>     auto = start
>>     esp = aes256-sha256-modp2048!
>>     ike = aes256-sha256-modp2048!
>>     type = tunnel
>>     ikelifetime = 24h
>>     lifetime = 1h
>>     dpdaction = restart
>>     forceencaps = yes
>>
>> Thank you for the help!
>>
>> Best regards,
>> André
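The misparse described in this thread can be reproduced from the header values in the pcap dump above. The following is an added example, not code from the thread, from strongSwan or from Fortinet: the Fortigate's Main Mode reply header is rebuilt from the dump (payloads omitted), a four-byte NON-ESP marker is prepended as RFC 3948 requires for traffic sent from UDP/4500, and the datagram is then parsed once as a receiver on port 500 would (marker not stripped) and once as a receiver on port 4500 would. The shifted SPIs `0000000015fdb039` / `8dcc126288f25e0e` and the version byte `9.9` that charon logged fall out of the misaligned read. The function names and the `looks_like_misdirected_nat_t` heuristic are my own.

```python
"""Reproduce the header misparse from the thread: a NAT-T datagram (NON-ESP
marker + ISAKMP header) that arrives on port 500 is read without stripping
the marker, so every header field is shifted by four bytes."""
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")   # 28-byte ISAKMP/IKE header (RFC 2408 / RFC 7296)
NON_ESP_MARKER = b"\x00\x00\x00\x00"         # RFC 3948 marker preceding IKE on UDP/4500


def build_isakmp_header(spi_i, spi_r, next_payload, major, minor, exch, flags, msg_id, length):
    """Pack a plain ISAKMP header (no UDP-encapsulation marker)."""
    return ISAKMP_HDR.pack(spi_i, spi_r, next_payload, (major << 4) | (minor & 0xF),
                           exch, flags, msg_id, length)


# Constructed from the second packet in the pcap dump (Fortigate -> strongSwan):
# header only, the SA and Vendor ID payloads are omitted.
FORTIGATE_REPLY = build_isakmp_header(
    spi_i=bytes.fromhex("15fdb0398dcc1262"),
    spi_r=bytes.fromhex("88f25e0e3299ec3c"),
    next_payload=1, major=1, minor=0, exch=2, flags=0, msg_id=0, length=148)

# What actually went on the wire: sent from UDP/4500, so the marker is present.
FORTIGATE_DATAGRAM = NON_ESP_MARKER + FORTIGATE_REPLY


def parse_isakmp_header(datagram, dst_port):
    """Parse the way a receiver does: the marker is stripped only for
    datagrams addressed to port 4500 (RFC 3948), never for port 500."""
    if dst_port == 4500:
        if datagram[:4] != NON_ESP_MARKER:
            raise ValueError("UDP/4500 datagram without NON-ESP marker (ESP-in-UDP or malformed)")
        body = datagram[4:]
    else:
        body = datagram
    if len(body) < ISAKMP_HDR.size:
        raise ValueError("datagram shorter than an ISAKMP header")
    spi_i, spi_r, np, ver, exch, flags, msg_id, length = ISAKMP_HDR.unpack_from(body)
    return {
        "spi_i": spi_i.hex(), "spi_r": spi_r.hex(), "next_payload": np,
        "major": ver >> 4, "minor": ver & 0xF, "exchange": exch,
        "flags": flags, "msg_id": msg_id, "length": length,
    }


def looks_like_misdirected_nat_t(datagram, dst_port):
    """Heuristic (my own) for a port-500 capture: if the datagram starts with a
    NON-ESP marker and parses as IKE v1 or v2 once the marker is dropped, the
    peer sent a UDP/4500-style packet to port 500, as the Fortigate did here."""
    if dst_port != 500 or not datagram.startswith(NON_ESP_MARKER):
        return False
    try:
        hdr = parse_isakmp_header(datagram, dst_port=4500)
    except ValueError:
        return False
    return hdr["major"] in (1, 2)


if __name__ == "__main__":
    wrong = parse_isakmp_header(FORTIGATE_DATAGRAM, dst_port=500)
    right = parse_isakmp_header(FORTIGATE_DATAGRAM, dst_port=4500)
    print("as received on port 500:", wrong)   # version 9.9, shifted SPIs
    print("as it was meant:        ", right)   # version 1.0, real SPIs
    print("misdirected NAT-T?", looks_like_misdirected_nat_t(FORTIGATE_DATAGRAM, 500))
```

Running it shows why the `leftikeport = 4500` / `rightikeport = 4500` workaround helps: once both ends talk on 4500, every datagram carries the marker and both parsers strip it, so the offsets line up again. The version byte 0x99 is simply the sixth byte of the real responder SPI (`88f25e0e3299ec3c`) landing where the version field is expected.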