[strongSwan] INVALID_MAJOR_VERSION with Ikev1 and Fortigate
André Cruz
andre at cabine.org
Fri May 11 23:18:18 CEST 2018
Thank you for the clarification.
On Fri, 11 May 2018 at 22:00, Noel Kuntze
<noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
> Hello,
>
> The Fortigate behaves incorrectly.
> It is incorrect to send packets with NON-ESP markers to port 500. The
> Fortigate needs to send those packets to port 4500 after faking a NAT
> situation to force the usage of UDP encapsulation.
> It did not do that.
>
> Kind regards
>
> Noel
>
> On 11.05.2018 12:14, André Cruz wrote:
> > Hello.
> >
> > I've managed to fix the problem which was related to the usage of
> > different ports. StrongSwan was sending a request from port 500 to port
> > 500, Fortigate is answering from port 4500 which has an ESP marker, and so
> > StrongSwan was reading the protocol version in the wrong place.
> >
> > leftikeport = 4500
> > rightikeport = 4500
> >
> > managed to fix this.
> >
> > Best regards,
> > André
> >
> >> On 10 May 2018, at 22:11, André Cruz <andre at cabine.org> wrote:
> >>
> >> Hello.
> >>
> >> I’m trying to establish a VPN (IKEv1) with a Fortigate peer and I’m
> >> having some difficulties. I’m sure this has worked in the past, however now
> >> I’m getting a strange error back.
> >>
> >> This is the strongSwan log:
> >>
> >> ipsec_starter[5409]: Starting strongSwan 5.6.2 IPsec [starter]…
> >> …
> >> charon[5424]: 06[IKE] queueing ISAKMP_VENDOR task
> >> charon[5424]: 06[IKE] queueing ISAKMP_CERT_PRE task
> >> charon[5424]: 06[IKE] queueing MAIN_MODE task
> >> charon[5424]: 06[IKE] queueing ISAKMP_CERT_POST task
> >> charon[5424]: 06[IKE] queueing ISAKMP_NATD task
> >> charon[5424]: 06[IKE] queueing QUICK_MODE task
> >> charon[5424]: 06[IKE] activating new tasks
> >> charon[5424]: 06[IKE] activating ISAKMP_VENDOR task
> >> charon[5424]: 06[IKE] activating ISAKMP_CERT_PRE task
> >> charon[5424]: 06[IKE] activating MAIN_MODE task
> >> charon[5424]: 06[IKE] activating ISAKMP_CERT_POST task
> >> charon[5424]: 06[IKE] activating ISAKMP_NATD task
> >> charon[5424]: 06[IKE] sending XAuth vendor ID
> >> charon[5424]: 06[IKE] sending DPD vendor ID
> >> charon[5424]: 06[IKE] sending FRAGMENTATION vendor ID
> >> charon[5424]: 06[IKE] sending NAT-T (RFC 3947) vendor ID
> >> charon[5424]: 06[IKE] sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> >> charon[5424]: 06[IKE] initiating Main Mode IKE_SA ama[1] to (FORTIGATE)
> >> charon[5424]: 06[IKE] initiating Main Mode IKE_SA ama[1] to (FORTIGATE)
> >> charon[5424]: 06[IKE] IKE_SA ama[1] state change: CREATED => CONNECTING
> >> charon[5424]: 06[ENC] generating ID_PROT request 0 [ SA V V V V V ]
> >> charon[5424]: 06[NET] sending packet: from 10.132.0.2[500] to (FORTIGATE)[500] (184 bytes)
> >> charon[5424]: 03[ENC] generating INFORMATIONAL response 0 [ N(INVAL_MAJOR) ]
> >> charon[5424]: 03[NET] sending packet: from 10.132.0.2[500] to (FORTIGATE)[4500] (36 bytes)
> >> charon[5424]: 03[NET] received unsupported IKE version 9.9 from (FORTIGATE), sending INVALID_MAJOR_VERSION
> >>
> >>
> >> This is a pcap interpretation of the first 3 packets of the VPN attempt:
> >>
> >>
> >> SSwan port 500 -> Fortigate port 500
> >> Internet Security Association and Key Management Protocol
> >> Initiator SPI: 15fdb0398dcc1262
> >> Responder SPI: 0000000000000000
> >> Next payload: Security Association (1)
> >> Version: 1.0
> >> 0001 .... = MjVer: 0x1
> >> .... 0000 = MnVer: 0x0
> >> Exchange type: Identity Protection (Main Mode) (2)
> >> Flags: 0x00
> >> .... ...0 = Encryption: Not encrypted
> >> .... ..0. = Commit: No commit
> >> .... .0.. = Authentication: No authentication
> >> Message ID: 0x00000000
> >> Length: 184
> >> Type Payload: Security Association (1)
> >> Next payload: Vendor ID (13)
> >> Payload length: 60
> >> Domain of interpretation: IPSEC (1)
> >> Situation: 00000001
> >> .... .... .... .... .... .... .... ...1 = Identity Only: True
> >> .... .... .... .... .... .... .... ..0. = Secrecy: False
> >> .... .... .... .... .... .... .... .0.. = Integrity: False
> >> Type Payload: Proposal (2) # 0
> >> Next payload: NONE / No Next Payload (0)
> >> Payload length: 48
> >> Proposal number: 0
> >> Protocol ID: ISAKMP (1)
> >> SPI Size: 0
> >> Proposal transforms: 1
> >> Type Payload: Transform (3) # 1
> >> Next payload: NONE / No Next Payload (0)
> >> Payload length: 40
> >> Transform number: 1
> >> Transform ID: KEY_IKE (1)
> >> Transform IKE Attribute Type (t=1,l=2)
> Encryption-Algorithm : AES-CBC
> >> 1... .... .... .... = Transform IKE Format:
> Type/Value (TV)
> >> Transform IKE Attribute Type: Encryption-Algorithm
> (1)
> >> Value: 0007
> >> Encryption Algorithm: AES-CBC (7)
> >> Transform IKE Attribute Type (t=14,l=2) Key-Length : 256
> >> 1... .... .... .... = Transform IKE Format:
> Type/Value (TV)
> >> Transform IKE Attribute Type: Key-Length (14)
> >> Value: 0100
> >> Key Length: 256
> >> Transform IKE Attribute Type (t=2,l=2) Hash-Algorithm :
> SHA2-256
> >> 1... .... .... .... = Transform IKE Format:
> Type/Value (TV)
> >> Transform IKE Attribute Type: Hash-Algorithm (2)
> >> Value: 0004
> >> HASH Algorithm: SHA2-256 (4)
> >> Transform IKE Attribute Type (t=4,l=2) Group-Description
> : 2048 bit MODP group
> >> 1... .... .... .... = Transform IKE Format:
> Type/Value (TV)
> >> Transform IKE Attribute Type: Group-Description (4)
> >> Value: 000e
> >> Group Description: 2048 bit MODP group (14)
> >> Transform IKE Attribute Type (t=3,l=2)
> Authentication-Method : PSK
> >> 1... .... .... .... = Transform IKE Format:
> Type/Value (TV)
> >> Transform IKE Attribute Type: Authentication-Method
> (3)
> >> Value: 0001
> >> Authentication Method: PSK (1)
> >> Transform IKE Attribute Type (t=11,l=2) Life-Type :
> Seconds
> >> 1... .... .... .... = Transform IKE Format:
> Type/Value (TV)
> >> Transform IKE Attribute Type: Life-Type (11)
> >> Value: 0001
> >> Life Type: Seconds (1)
> >> Transform IKE Attribute Type (t=12,l=4) Life-Duration :
> 86400
> >> 0... .... .... .... = Transform IKE Format:
> Type/Length/Value (TLV)
> >> Transform IKE Attribute Type: Life-Duration (12)
> >> Length: 4
> >> Value: 00015180
> >> Life Duration: 86400
> >> Type Payload: Vendor ID (13) : XAUTH
> >> Next payload: Vendor ID (13)
> >> Payload length: 12
> >> Vendor ID: 09002689dfd6b712
> >> Vendor ID: XAUTH
> >> Type Payload: Vendor ID (13) : RFC 3706 DPD (Dead Peer Detection)
> >> Next payload: Vendor ID (13)
> >> Payload length: 20
> >> Vendor ID: afcad71368a1f1c96b8696fc77570100
> >> Vendor ID: RFC 3706 DPD (Dead Peer Detection)
> >> Type Payload: Vendor ID (13) : Cisco Fragmentation
> >> Next payload: Vendor ID (13)
> >> Payload length: 24
> >> Vendor ID: 4048b7d56ebce88525e7de7f00d6c2d380000000
> >> Vendor ID: Cisco Fragmentation
> >> Type Payload: Vendor ID (13) : RFC 3947 Negotiation of NAT-Traversal
> in the IKE
> >> Next payload: Vendor ID (13)
> >> Payload length: 20
> >> Vendor ID: 4a131c81070358455c5728f20e95452f
> >> Vendor ID: RFC 3947 Negotiation of NAT-Traversal in the IKE
> >> Type Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-02\n
> >> Next payload: NONE / No Next Payload (0)
> >> Payload length: 20
> >> Vendor ID: 90cb80913ebb696e086381b5ec427b1f
> >> Vendor ID: draft-ietf-ipsec-nat-t-ike-02\n
> >>
> >>
> >> Fortigate port 4500 -> SSwan 500
> >> Internet Security Association and Key Management Protocol
> >> Initiator SPI: 15fdb0398dcc1262
> >> Responder SPI: 88f25e0e3299ec3c
> >> Next payload: Security Association (1)
> >> Version: 1.0
> >> 0001 .... = MjVer: 0x1
> >> .... 0000 = MnVer: 0x0
> >> Exchange type: Identity Protection (Main Mode) (2)
> >> Flags: 0x00
> >> .... ...0 = Encryption: Not encrypted
> >> .... ..0. = Commit: No commit
> >> .... .0.. = Authentication: No authentication
> >> Message ID: 0x00000000
> >> Length: 148
> >> Type Payload: Security Association (1)
> >> Next payload: Vendor ID (13)
> >> Payload length: 60
> >> Domain of interpretation: IPSEC (1)
> >> Situation: 00000001
> >> .... .... .... .... .... .... .... ...1 = Identity Only: True
> >> .... .... .... .... .... .... .... ..0. = Secrecy: False
> >> .... .... .... .... .... .... .... .0.. = Integrity: False
> >> Type Payload: Proposal (2) # 0
> >> Next payload: NONE / No Next Payload (0)
> >> Payload length: 48
> >> Proposal number: 0
> >> Protocol ID: ISAKMP (1)
> >> SPI Size: 0
> >> Proposal transforms: 1
> >> Type Payload: Transform (3) # 1
> >> Next payload: NONE / No Next Payload (0)
> >> Payload length: 40
> >> Transform number: 1
> >> Transform ID: KEY_IKE (1)
> >> Transform IKE Attribute Type (t=1,l=2)
> Encryption-Algorithm : AES-CBC
> >> 1... .... .... .... = Transform IKE Format:
> Type/Value (TV)
> >> Transform IKE Attribute Type: Encryption-Algorithm
> (1)
> >> Value: 0007
> >> Encryption Algorithm: AES-CBC (7)
> >> Transform IKE Attribute Type (t=14,l=2) Key-Length : 256
> >> 1... .... .... .... = Transform IKE Format:
> Type/Value (TV)
> >> Transform IKE Attribute Type: Key-Length (14)
> >> Value: 0100
> >> Key Length: 256
> >> Transform IKE Attribute Type (t=2,l=2) Hash-Algorithm :
> SHA2-256
> >> 1... .... .... .... = Transform IKE Format:
> Type/Value (TV)
> >> Transform IKE Attribute Type: Hash-Algorithm (2)
> >> Value: 0004
> >> HASH Algorithm: SHA2-256 (4)
> >> Transform IKE Attribute Type (t=4,l=2) Group-Description
> : 2048 bit MODP group
> >> 1... .... .... .... = Transform IKE Format:
> Type/Value (TV)
> >> Transform IKE Attribute Type: Group-Description (4)
> >> Value: 000e
> >> Group Description: 2048 bit MODP group (14)
> >> Transform IKE Attribute Type (t=3,l=2)
> Authentication-Method : PSK
> >> 1... .... .... .... = Transform IKE Format:
> Type/Value (TV)
> >> Transform IKE Attribute Type: Authentication-Method
> (3)
> >> Value: 0001
> >> Authentication Method: PSK (1)
> >> Transform IKE Attribute Type (t=11,l=2) Life-Type :
> Seconds
> >> 1... .... .... .... = Transform IKE Format:
> Type/Value (TV)
> >> Transform IKE Attribute Type: Life-Type (11)
> >> Value: 0001
> >> Life Type: Seconds (1)
> >> Transform IKE Attribute Type (t=12,l=4) Life-Duration :
> 86400
> >> 0... .... .... .... = Transform IKE Format:
> Type/Length/Value (TLV)
> >> Transform IKE Attribute Type: Life-Duration (12)
> >> Length: 4
> >> Value: 00015180
> >> Life Duration: 86400
> >> Type Payload: Vendor ID (13) : RFC 3947 Negotiation of NAT-Traversal
> in the IKE
> >> Next payload: Vendor ID (13)
> >> Payload length: 20
> >> Vendor ID: 4a131c81070358455c5728f20e95452f
> >> Vendor ID: RFC 3947 Negotiation of NAT-Traversal in the IKE
> >> Type Payload: Vendor ID (13) : RFC 3706 DPD (Dead Peer Detection)
> >> Next payload: Vendor ID (13)
> >> Payload length: 20
> >> Vendor ID: afcad71368a1f1c96b8696fc77570100
> >> Vendor ID: RFC 3706 DPD (Dead Peer Detection)
> >> Type Payload: Vendor ID (13) : Unknown Vendor ID
> >> Next payload: NONE / No Next Payload (0)
> >> Payload length: 20
> >> Vendor ID: 8299031757a36082c6a621de000402b6
> >> Vendor ID: Unknown Vendor ID
> >>
> >>
> >> SSwan port 500 -> Fortigate port 4500
> >> Internet Security Association and Key Management Protocol
> >> Initiator SPI: 0000000015fdb039
> >> Responder SPI: 8dcc126288f25e0e
> >> Next payload: Notify (41)
> >> Version: 2.0
> >> 0010 .... = MjVer: 0x2
> >> .... 0000 = MnVer: 0x0
> >> Exchange type: INFORMATIONAL (37)
> >> Flags: 0x20 (Responder, No higher version, Response)
> >> .... 0... = Initiator: Responder
> >> ...0 .... = Version: No higher version
> >> ..1. .... = Response: Response
> >> Message ID: 0x00000000
> >> Length: 36
> >> Type Payload: Notify (41) - INVALID_MAJOR_VERSION
> >> Next payload: NONE / No Next Payload (0)
> >> 0... .... = Critical Bit: Not Critical
> >> Payload length: 8
> >> Protocol ID: RESERVED (0)
> >> SPI Size: 0
> >> Notify Message Type: INVALID_MAJOR_VERSION (5)
> >> Notification DATA: <MISSING>
> >>
> >>
> >> Can anyone explain why the INVALID_MAJOR_VERSION error?
> >>
> >> This is the config I’m using:
> >>
> >> config setup
> >> charondebug="ike 2, knl 3, cfg 0"
> >> uniqueids = yes
> >>
> >> conn ama
> >> keyexchange = ikev1
> >> right = (FORTIGATE)
> >> rightid = (FORTIGATE)
> >> rightsubnet = 172.31.200.0/23
> >> rightauth = psk
> >> left = 10.132.0.2
> >> leftid = (MYIP)
> >> leftsubnet = 172.31.229.240/29
> >> leftauth = psk
> >> auto = start
> >> esp = aes256-sha256-modp2048!
> >> ike = aes256-sha256-modp2048!
> >> type = tunnel
> >> ikelifetime = 24h
> >> lifetime = 1h
> >> dpdaction = restart
> >> forceencaps = yes
> >>
> >> Thank you for the help!
> >>
> >> Best regards,
> >> André
>
>
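The mechanism behind the "unsupported IKE version 9.9" in this thread can be reproduced byte for byte from the pcap: IKE traffic on UDP port 4500 carries a 4-byte zero NON-ESP marker in front of the ISAKMP header, while traffic on port 500 does not, so a reply sent with the marker to a port 500 socket is parsed 4 bytes off. The following Python script is an added example and is not strongSwan code; it models a receiver that decides by local port whether to strip the marker, rebuilds the Fortigate reply's 28-byte header from the SPIs and fields shown in the pcap (the body bytes are zero filler, a constructed stand-in), and includes a defender-side check that recognises marker-prefixed IKE arriving on port 500. The function names and the "receiver" model are assumptions for illustration.

```python
import struct

# RFC 3948 / RFC 7296: IKE on UDP port 4500 is prefixed with a 4-byte zero
# "NON-ESP marker" so the receiver can tell it apart from UDP-encapsulated ESP,
# whose first 4 bytes are a non-zero ESP SPI. On port 500 there is no marker.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
ISAKMP_HEADER_LEN = 28
# SPIi, SPIr, next payload, version, exchange type, flags, message ID, length
ISAKMP_HEADER = struct.Struct("!QQBBBBII")


def parse_isakmp_header(buf):
    """Decode the fixed 28-byte ISAKMP/IKE header (same layout in IKEv1 and IKEv2)."""
    if len(buf) < ISAKMP_HEADER_LEN:
        raise ValueError("truncated ISAKMP header")
    ispi, rspi, nxt, version, exch, flags, msgid, length = ISAKMP_HEADER.unpack_from(buf)
    return {
        "initiator_spi": f"{ispi:016x}",
        "responder_spi": f"{rspi:016x}",
        "next_payload": nxt,
        "major": version >> 4,
        "minor": version & 0x0F,
        "exchange_type": exch,
        "flags": flags,
        "message_id": msgid,
        "length": length,
    }


def receive_ike(payload, local_port):
    """Hypothetical receiver: the local port decides whether a NON-ESP marker is expected.

    Returns (header dict or None, verdict). "INVALID_MAJOR_VERSION" mirrors the
    notify strongSwan sent back in the thread when the major version was not 1 or 2.
    """
    if local_port == 4500:
        if not payload.startswith(NON_ESP_MARKER):
            return None, "not IKE on 4500 (leading bytes are a non-zero SPI, i.e. UDP-encapsulated ESP)"
        payload = payload[len(NON_ESP_MARKER):]
    hdr = parse_isakmp_header(payload)
    if hdr["major"] not in (1, 2):
        return hdr, "INVALID_MAJOR_VERSION"
    return hdr, "ok"


def diagnose_misplaced_marker(payload, local_port):
    """Defender-side check: did a peer send marker-prefixed IKE to our port 500?

    That is the Fortigate behaviour described in the thread: it replied from 4500
    (with marker) to our port 500 socket, which parsed the marker as part of the SPI.
    Returns a description string, or None if the datagram looks normal.
    """
    if local_port != 500 or not payload.startswith(NON_ESP_MARKER):
        return None
    try:
        real = parse_isakmp_header(payload[len(NON_ESP_MARKER):])
    except ValueError:
        return None
    if real["major"] in (1, 2):
        return (f"peer sent a NON-ESP marker to port 500; real header is IKEv{real['major']} "
                f"SPIi={real['initiator_spi']} SPIr={real['responder_spi']}")
    return None


# Constructed sample: header of the Fortigate's Main Mode reply from the thread's pcap
# (SPIs, version 1.0, exchange type 2 = Identity Protection, flags 0, msg ID 0, length 148).
# The 120 payload bytes are zero filler; only the header matters for this demonstration.
FORTIGATE_REPLY = ISAKMP_HEADER.pack(
    0x15FDB0398DCC1262, 0x88F25E0E3299EC3C, 1, 0x10, 2, 0, 0, 148
) + b"\x00" * (148 - ISAKMP_HEADER_LEN)

# What actually hit the wire: the reply was sent from port 4500, so it carried the marker.
ON_THE_WIRE = NON_ESP_MARKER + FORTIGATE_REPLY


def main():
    # Delivered to the port 500 socket (the thread's situation): every field is shifted by 4 bytes,
    # so byte 13 of the real responder SPI (0x99) lands where the version byte is read.
    hdr, verdict = receive_ike(ON_THE_WIRE, local_port=500)
    print(f"port 500:  SPIi={hdr['initiator_spi']} SPIr={hdr['responder_spi']} "
          f"version={hdr['major']}.{hdr['minor']} -> {verdict}")
    print("diagnosis:", diagnose_misplaced_marker(ON_THE_WIRE, local_port=500))
    # Delivered to port 4500 (the effect of leftikeport/rightikeport = 4500): marker stripped.
    hdr, verdict = receive_ike(ON_THE_WIRE, local_port=4500)
    print(f"port 4500: SPIi={hdr['initiator_spi']} SPIr={hdr['responder_spi']} "
          f"version={hdr['major']}.{hdr['minor']} -> {verdict}")


if __name__ == "__main__":
    main()
```

Running it shows the port 500 parse yielding initiator SPI 0000000015fdb039, responder SPI 8dcc126288f25e0e and version 9.9, which are exactly the SPIs in the third packet of the pcap and the version in the charon log; the same bytes delivered to port 4500 parse as the clean IKEv1 header.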