[strongSwan] VPN connection to Remote Fortigate Client

MOSES KARIUKI kariukims at gmail.com
Mon Apr 1 21:17:43 CEST 2019


Any kind souls out there in this?

On Sun, Mar 31, 2019 at 3:32 PM MOSES KARIUKI <kariukims at gmail.com> wrote:

> Dear Team,
>
> I have not yet succeeded in establishing a connection to the remote
> Fortigate client. The remote client has internal IPs in the range
> I have the following configuration:
> sudo route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 0.0.0.0         10.138.0.1      0.0.0.0         UG    100    0        0 ens4
> 10.138.0.1      0.0.0.0         255.255.255.255 UH    100    0        0 ens4
>
> I have these rules:
> *nat
> -A POSTROUTING -s 10.10.10.0/24 -o ens4 -m policy --pol ipsec --dir out -j ACCEPT
> -A POSTROUTING -s 10.10.10.0/24 -o ens4 -j MASQUERADE
> COMMIT
>
> *mangle
> -A FORWARD --match policy --pol ipsec --dir in -s 10.10.10.0/24 -o ens4 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
> COMMIT
>
> -A ufw-before-forward --match policy --pol ipsec --dir in --proto esp -s 10.10.10.0/24 -j ACCEPT
> -A ufw-before-forward --match policy --pol ipsec --dir out --proto esp -d 10.10.10.0/24 -j ACCEPT
>
> This is my strongSwan configuration:
> config setup
>     charondebug="ike 1, knl 1, cfg 2"
>     uniqueids=yes
>
> conn televida
>     auto=route
>     compress=no
>     type=tunnel
>     reauth=no
>     mobike=no
>     keyexchange=ikev2
>     fragmentation=yes
>     forceencaps=yes
>     dpdaction=clear
>     dpddelay=300s
>     rekey=no
>     rightfirewall=yes
>     leftfirewall=yes
>     left=%any
>     leftid=35.185.2**.**
>     leftcert=server-cert.pem
>     leftsendcert=never
>     leftsubnet=10.138.0.0/20,0.0.0.0/0
>     right=200.1*.1*3.*
>     rightid=%any
>     rightauth=psk
>     rightsourceip=10.10.10.0/24
>     #rightsourceip=
>     rightdns=8.8.8.8,8.8.4.4
>     rightsendcert=never
>     ike=aes256-sha256-ecp521
>     esp=aes256-sha256-ecp521
>
> This is the error that I am getting:
> sudo ipsec up televida
> initiating IKE_SA televida[1] to 200.1*.1*3.*
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> sending packet: from 10.138.0.4[500] to 200.1*.1*3.*[500] (1006 bytes)
> received packet: from 200.1*.1*3.*[500] to 10.138.0.4[500] (292 bytes)
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> local host is behind NAT, sending keep alives
> authentication of '35.185.2**.**' (myself) with RSA signature successful
> establishing CHILD_SA televida{2}
> generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> sending packet: from 10.138.0.4[4500] to 200.1*.1*3.*[4500] (816 bytes)
> retransmit 1 of request with message ID 1
> sending packet: from 10.138.0.4[4500] to 200.1*.1*3.*[4500] (816 bytes)
> retransmit 2 of request with message ID 1
> sending packet: from 10.138.0.4[4500] to 200.1*.1*3.*[4500] (816 bytes)
> retransmit 3 of request with message ID 1
> sending packet: from 10.138.0.4[4500] to 200.1*.1*3.*[4500] (816 bytes)
> sending keep alive to 200.1*.1*3.*[4500]
> retransmit 4 of request with message ID 1
> sending packet: from 10.138.0.4[4500] to 200.1*.1*3.*[4500] (816 bytes)
> sending keep alive to 200.1*.1*3.*[4500]
> sending keep alive to 200.1*.1*3.*[4500]
> retransmit 5 of request with message ID 1
> sending packet: from 10.138.0.4[4500] to 200.1*.1*3.*[4500] (816 bytes)
> sending keep alive to 200.1*.1*3.*[4500]
> sending keep alive to 200.1*.1*3.*[4500]
> sending keep alive to 200.1*.1*3.*[4500]
> giving up after 5 retransmits
> peer not responding, trying again (2/3)
> initiating IKE_SA televida[1] to 200.1*.1*3.*
> establishing connection 'televida' failed
>
> My biggest question is:
> Do the two private subnets need to be under the same subnet mask?
> My private IP is 10.138.0.4. He tells me that 10.28.2.8/32 is his private IP.
> Please advise. I have re-installed again and again with no success.
>
> Regards,
> Moses Kariuki
>
>
>
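For comparison, here is an added site-to-site example for the layout described in the post above (a strongSwan host at 10.138.0.4 behind the cloud provider's one-to-one NAT, a Fortigate peer exposing 10.28.2.8/32). It is not the poster's configuration and not code from the strongSwan or Fortinet projects; the placeholders PUBLIC_LEFT and PUBLIC_RIGHT stand in for the redacted public addresses and are assumptions, as is the assumption that the Fortigate phase1 uses a pre-shared key in both directions and that its phase2 selectors are 10.28.2.8/32 on its side and 10.138.0.0/20 on ours. The two subnets deliberately have different prefix lengths (/20 and /32): IKEv2 traffic selectors are negotiated per side and do not need matching masks. Compared with the posted conn it declares the remote network with rightsubnet instead of a rightsourceip pool (which assigns virtual IPs to dialling clients and describes no peer network), drops 0.0.0.0/0 from leftsubnet, and uses PSK on both sides instead of a local certificate against a remote PSK.

```ini
# /etc/ipsec.conf  (added example; PUBLIC_LEFT / PUBLIC_RIGHT are placeholders
# for the redacted addresses and are assumptions, not values from the post)
config setup
    charondebug="ike 2, knl 2, cfg 2, net 2"   # net 2 logs each UDP send/receive,
    uniqueids=yes                              # handy when IKE_AUTH goes unanswered

conn televida
    keyexchange=ikev2
    type=tunnel
    auto=start              # negotiate at daemon start; auto=route waits for traffic
    fragmentation=yes
    forceencaps=yes         # host sits behind 1:1 NAT, keep UDP/4500 encapsulation
    mobike=no
    dpdaction=restart       # site-to-site: re-establish if the peer stops answering
    dpddelay=30s
    # local side: the private address on ens4 is the socket, the public one the identity
    left=%any
    leftid=PUBLIC_LEFT
    leftsubnet=10.138.0.0/20       # the local VPC range only, not 0.0.0.0/0
    leftauth=psk
    leftfirewall=yes               # _updown inserts FORWARD rules for this SA
    # remote side: the Fortigate, and the host it exposes through the tunnel
    right=PUBLIC_RIGHT
    rightid=PUBLIC_RIGHT           # a Fortigate identifies by its IP unless local-id is set
    rightsubnet=10.28.2.8/32       # prefix length differs from the /20 on purpose
    rightauth=psk
    # no rightsourceip / rightdns: those hand a virtual IP to a road-warrior client
    ike=aes256-sha256-ecp521!
    esp=aes256-sha256-ecp521!      # trailing '!' : offer only this proposal

# /etc/ipsec.secrets, one line (the secret itself is a placeholder):
# PUBLIC_LEFT PUBLIC_RIGHT : PSK "replace-with-the-shared-secret"
```

Two checks go with this. The esp line requests PFS with DH group 21 (ecp521), so the Fortigate phase2 must have PFS enabled with the same group or the CHILD_SA proposal is rejected, and the POSTROUTING exemption (`-m policy --pol ipsec --dir out -j ACCEPT` before MASQUERADE) must match `-s 10.138.0.0/20` rather than the old virtual-IP pool so tunnelled packets keep their original source. Note also what the posted log shows: IKE_SA_INIT was answered on UDP/500, after which every IKE_AUTH retransmit on UDP/4500 went unanswered; no conn change helps if UDP/4500 is not open in both directions on the provider firewall and on the Fortigate, so confirm that path before changing proposals or identities.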