[strongSwan] VPN connection to Remote Fortigate Client

MOSES KARIUKI kariukims at gmail.com
Mon Apr 1 23:06:08 CEST 2019


Dear Team,

After further troubleshooting, and changing the config as below:
conn televida
    auto=route
    compress=no
    type=tunnel
    reauth=no
    mobike=no
    keyexchange=ikev2
  *  lifetime=86400s*
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
*    rekey=yes*
    rightfirewall=yes
    leftfirewall=yes
    left=%any
    leftid=35.185.2**.**
    leftcert=server-cert.pem
    leftsendcert=never
    leftsubnet=10.138.0.0/20,0.0.0.0/0
    right=200.1*.1*3.*
    rightid=%any
    rightauth=psk
    rightsourceip=10.10.10.0/24
    #rightsourceip=
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    ike=aes256-sha256-ecp521
    esp=aes256-sha256-ecp521

the error is:

Apr  1 20:57:52 klick-001 charon: 05[CFG] received stroke: add connection 'televida'
Apr  1 20:57:52 klick-001 charon: 05[CFG] conn televida
Apr  1 20:57:52 klick-001 charon: 05[CFG]   left=%any
Apr  1 20:57:52 klick-001 charon: 05[CFG]   leftsubnet=10.138.0.0/20
Apr  1 20:57:52 klick-001 charon: 05[CFG]   leftid=35.185.2**.**
Apr  1 20:57:52 klick-001 charon: 05[CFG]   leftcert=server-cert.pem
Apr  1 20:57:52 klick-001 charon: 05[CFG]   leftupdown=ipsec _updown iptables
Apr  1 20:57:52 klick-001 charon: 05[CFG]   right=200.1*.1*3.*
Apr  1 20:57:52 klick-001 charon: 05[CFG]   rightsourceip=10.10.10.0/24
Apr  1 20:57:52 klick-001 charon: 05[CFG]   rightdns=8.8.8.8,8.8.4.4
Apr  1 20:57:52 klick-001 charon: 05[CFG]   rightauth=psk
Apr  1 20:57:52 klick-001 charon: 05[CFG]   rightid=%any
Apr  1 20:57:52 klick-001 charon: 05[CFG]   rightupdown=ipsec _updown iptables
Apr  1 20:57:52 klick-001 charon: 05[CFG]   ike=aes256-sha256-ecp521
Apr  1 20:57:52 klick-001 charon: 05[CFG]   esp=aes256-sha256-ecp521
Apr  1 20:57:52 klick-001 charon: 05[CFG]   dpddelay=300
Apr  1 20:57:52 klick-001 charon: 05[CFG]   dpdtimeout=150
Apr  1 20:57:52 klick-001 charon: 05[CFG]   dpdaction=1
Apr  1 20:57:52 klick-001 charon: 05[CFG]   sha256_96=no
Apr  1 20:57:52 klick-001 charon: 05[CFG]   mediation=no
Apr  1 20:57:52 klick-001 charon: 05[CFG]   keyexchange=ikev2
Apr  1 20:57:52 klick-001 charon: 05[CFG] adding virtual IP address pool 10.10.10.0/24
Apr  1 20:57:52 klick-001 charon: 05[CFG]   loaded certificate "CN=35.185.2**.** " from 'server-cert.pem'
Apr  1 20:57:52 klick-001 charon: 05[CFG] added configuration 'televida'
Apr  1 20:57:52 klick-001 charon: 07[CFG] received stroke: route 'televida'
Apr  1 20:57:52 klick-001 charon: 07[CFG] proposing traffic selectors for us:
Apr  1 20:57:52 klick-001 charon: 07[CFG]  10.138.0.0/20
Apr  1 20:57:52 klick-001 charon: 07[CFG] proposing traffic selectors for other:
Apr  1 20:57:52 klick-001 charon: 07[CFG]  200.1*.1*3.*/32
Apr  1 20:57:52 klick-001 charon: 07[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
Apr  1 20:57:58 klick-001 charon: 10[NET] received packet: from 200.1*.1*3.*[500] to 10.138.0.4[500] (292 bytes)
Apr  1 20:57:58 klick-001 charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Apr  1 20:57:58 klick-001 charon: 10[CFG] looking for an ike config for 10.138.0.4...200.1*.1*3.*
Apr  1 20:57:58 klick-001 charon: 10[CFG]   candidate: %any...200.1*.1*3.*, prio 2076
Apr  1 20:57:58 klick-001 charon: 10[CFG] found matching ike config: %any...200.1*.1*3.* with prio 2076
Apr  1 20:57:58 klick-001 charon: 10[IKE] 200.1*.1*3.* is initiating an IKE_SA
Apr  1 20:57:58 klick-001 charon: 10[CFG] selecting proposal:
Apr  1 20:57:58 klick-001 charon: 10[CFG]   proposal matches
Apr  1 20:57:58 klick-001 charon: 10[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521
Apr  1 20:57:58 klick-001 charon: 10[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Apr  1 20:57:58 klick-001 charon: 10[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521
Apr  1 20:57:58 klick-001 charon: 10[IKE] local host is behind NAT, sending keep alives
Apr  1 20:57:58 klick-001 charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Apr  1 20:57:58 klick-001 charon: 10[NET] sending packet: from 10.138.0.4[500] to 200.1*.1*3.*[500] (316 bytes)
Apr  1 20:57:58 klick-001 charon: 11[NET] received packet: from 200.1*.1*3.*[4500] to 10.138.0.4[4500] (240 bytes)
Apr  1 20:57:58 klick-001 charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) AUTH N(MSG_ID_SYN_SUP) SA TSi TSr ]
Apr  1 20:57:58 klick-001 charon: 11[CFG] looking for peer configs matching 10.138.0.4[%any]...200.1*.1*3.*[200.1*.1*3.*]
Apr  1 20:57:58 klick-001 charon: 11[CFG]   candidate "televida", match: 1/1/2076 (me/other/ike)
Apr  1 20:57:58 klick-001 charon: 11[CFG] selected peer config 'televida'
Apr  1 20:57:58 klick-001 charon: 11[IKE] authentication of '200.1*.1*3.*' with pre-shared key successful
Apr  1 20:57:58 klick-001 charon: 11[IKE] authentication of '35.185.2**.** ' (myself) with RSA signature successful
Apr  1 20:57:58 klick-001 charon: 11[IKE] IKE_SA televida[1] established between 10.138.0.4[35.185.2**.** ]...200.1*.1*3.*[200.1*.1*3.*]
Apr  1 20:57:58 klick-001 charon: 11[IKE] scheduling rekeying in 9730s
*Apr  1 20:57:58 klick-001 charon: 11[IKE] maximum IKE_SA lifetime 10270s*
*Apr  1 20:57:58 klick-001 charon: 11[IKE] expected a virtual IP request, sending FAILED_CP_REQUIRED*
Apr  1 20:57:58 klick-001 charon: 11[CFG] looking for a child config for 0.0.0.0/0 === 0.0.0.0/0
Apr  1 20:57:58 klick-001 charon: 11[CFG] proposing traffic selectors for us:
Apr  1 20:57:58 klick-001 charon: 11[CFG]  10.138.0.0/20
Apr  1 20:57:58 klick-001 charon: 11[CFG] proposing traffic selectors for other:
Apr  1 20:57:58 klick-001 charon: 11[CFG]  dynamic
Apr  1 20:57:58 klick-001 charon: 11[CFG]   candidate "televida" with prio 1+5
Apr  1 20:57:58 klick-001 charon: 11[CFG] found matching child config "televida" with prio 6
Apr  1 20:57:58 klick-001 charon: 11[IKE] configuration payload negotiation failed, no CHILD_SA built
*Apr  1 20:57:58 klick-001 charon: 11[IKE] failed to establish CHILD_SA, keeping IKE_SA*
Apr  1 20:57:58 klick-001 charon: 11[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(FAIL_CP_REQ) ]
Apr  1 20:57:58 klick-001 charon: 11[NET] sending packet: from 10.138.0.4[4500] to 200.1*.1*3.*[4500] (608 bytes)
Apr  1 20:58:02 klick-001 charon: 12[NET] received packet: from 200.1*.1*3.*[500] to 10.138.0.4[500] (292 bytes)


Please assist:

Regards
Moses K

On Mon, Apr 1, 2019 at 10:17 PM MOSES KARIUKI <kariukims at gmail.com> wrote:

> Any kind souls out there in this?
>
> On Sun, Mar 31, 2019 at 3:32 PM MOSES KARIUKI <kariukims at gmail.com> wrote:
>
>> Dear Team,
>>
>> I have not yet succeeded in establishing a connection to the remote
>> Fortigate client. The remote client has internal IPs in the range
>> I have the following configuration:
>> *sudo route -n*
>> Kernel IP routing table
>> Destination     Gateway         Genmask         Flags Metric Ref    Use
>> Iface
>> 0.0.0.0         10.138.0.1      0.0.0.0         UG    100    0        0
>> ens4
>> 10.138.0.1      0.0.0.0         255.255.255.255 UH    100    0        0
>> ens4
>>
>> *I have these rules:*
>> *nat
>> -A POSTROUTING -s 10.10.10.0/24 -o ens4 -m policy --pol ipsec --dir out
>> -j ACCEPT
>> -A POSTROUTING -s 10.10.10.0/24 -o ens4 -j MASQUERADE
>> COMMIT
>>
>> *mangle
>> -A FORWARD --match policy --pol ipsec --dir in -s 10.10.10.0/24 -o ens4
>> -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS
>> --set-mss 1360
>> COMMIT
>>
>> -A ufw-before-forward --match policy --pol ipsec --dir in --proto esp -s
>> 10.10.10.0/24 -j ACCEPT
>> -A ufw-before-forward --match policy --pol ipsec --dir out --proto esp -d
>> 10.10.10.0/24 -j ACCEPT
>>
>> *This is my strongSwan configuration:*
>> config setup
>>     charondebug="ike 1, knl 1, cfg 2"
>>     uniqueids=yes
>>
>> conn televida
>>     auto=route
>>     compress=no
>>     type=tunnel
>>     reauth=no
>>     mobike=no
>>     keyexchange=ikev2
>>     fragmentation=yes
>>     forceencaps=yes
>>     dpdaction=clear
>>     dpddelay=300s
>>     rekey=no
>>     rightfirewall=yes
>>     leftfirewall=yes
>>     left=%any
>>     leftid=35.185.2**.**
>>     leftcert=server-cert.pem
>>     leftsendcert=never
>>   *  leftsubnet=10.138.0.0/20,0.0.0.0/0*
>>     right=200.1*.1*3.*
>>     rightid=%any
>>     rightauth=psk
>> *    rightsourceip=10.10.10.0/24*
>>     #rightsourceip=
>>     rightdns=8.8.8.8,8.8.4.4
>>     rightsendcert=never
>>     ike=aes256-sha256-ecp521
>>     esp=aes256-sha256-ecp521
>>
>> This is the error that I am getting:
>> *sudo ipsec up televida*
>> initiating IKE_SA televida[1] to 200.1*.1*3.*
>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
>> N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
>> sending packet: from 10.138.0.4[500] to 200.1*.1*3.*[500] (1006 bytes)
>> received packet: from 200.1*.1*3.*[500] to 10.138.0.4[500] (292 bytes)
>> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> local host is behind NAT, sending keep alives
>> authentication of '35.185.2**.**' (myself) with RSA signature successful
>> establishing CHILD_SA televida{2}
>> generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(EAP_ONLY)
>> N(MSG_ID_SYN_SUP) ]
>> sending packet: from 10.138.0.4[4500] to 200.1*.1*3.*[4500] (816 bytes)
>> retransmit 1 of request with message ID 1
>> sending packet: from 10.138.0.4[4500] to 200.1*.1*3.*[4500] (816 bytes)
>> retransmit 2 of request with message ID 1
>> sending packet: from 10.138.0.4[4500] to 200.1*.1*3.*[4500] (816 bytes)
>> retransmit 3 of request with message ID 1
>> sending packet: from 10.138.0.4[4500] to 200.1*.1*3.*[4500] (816 bytes)
>> sending keep alive to 200.1*.1*3.*[4500]
>> retransmit 4 of request with message ID 1
>> sending packet: from 10.138.0.4[4500] to 200.1*.1*3.*[4500] (816 bytes)
>> sending keep alive to 200.1*.1*3.*[4500]
>> sending keep alive to 200.1*.1*3.*[4500]
>> retransmit 5 of request with message ID 1
>> sending packet: from 10.138.0.4[4500] to 200.1*.1*3.*[4500] (816 bytes)
>> sending keep alive to 200.1*.1*3.*[4500]
>> sending keep alive to 200.1*.1*3.*[4500]
>> sending keep alive to 200.1*.1*3.*[4500]
>> giving up after 5 retransmits
>> peer not responding, trying again (2/3)
>> initiating IKE_SA televida[1] to 200.1*.1*3.*
>> establishing connection 'televida' failed
>>
>> My biggest question is:
>> Do the two private subnets need to be under the same subnet mask?
>> My private IP is *10.138.0.4*. He tells me that 10.28.2.8/32 is his
>> private.
>> Please advise. I have re-installed again and again with no success.
>>
>> Regards,
>> Moses Kariuki
>>
>>
>>
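Added example, not part of the original posts and not strongSwan project documentation: the same conn rewritten as a site-to-site profile, with the settings that produce the highlighted FAILED_CP_REQUIRED line shown beside their replacements. charon emits "expected a virtual IP request, sending FAILED_CP_REQUIRED" when a pool (rightsourceip) is configured for a peer whose IKE_AUTH request carries no CP payload; the request logged above contains only IDi, AUTH, SA, TSi and TSr, which is how a FortiGate gateway (not a dial-up client) behaves. The example assumes that gateway role, takes the remote network 10.28.2.8/32 from the earlier message in the thread, and keeps the redacted addresses exactly as they appear there; those must be filled in before the file is usable.

```ini
# /etc/ipsec.conf - added example for a strongSwan <-> FortiGate site-to-site
# tunnel. Assumptions: the FortiGate is a gateway that never sends CFG_REQUEST,
# its protected network is 10.28.2.8/32 (from the thread), and the masked
# addresses below are placeholders copied from the thread.

config setup
    charondebug="ike 1, knl 1, cfg 2"
    uniqueids=yes

conn televida
    keyexchange=ikev2
    type=tunnel
    auto=route
    mobike=no
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=yes
    lifetime=86400s
    # The trailing "!" makes the list strict; without it charon appends its
    # default proposals, which is why the log shows three IKE proposals and
    # two ESP proposals although only one of each was configured.
    ike=aes256-sha256-ecp521!
    esp=aes256-sha256-ecp521!

    # local gateway (behind NAT on 10.138.0.4, public 35.185.2**.**)
    left=%any
    leftid=35.185.2**.**
    leftcert=server-cert.pem
    leftsendcert=never
    leftsubnet=10.138.0.0/20
    leftfirewall=yes

    # remote FortiGate
    right=200.1*.1*3.*
    rightid=%any
    rightauth=psk
    rightfirewall=yes
    # Was: rightsourceip=10.10.10.0/24 and rightdns=8.8.8.8,8.8.4.4
    # Both apply only to clients that ask for a virtual IP. With a pool set,
    # charon answers a peer that sends no CP payload with FAILED_CP_REQUIRED
    # and builds no CHILD_SA. A gateway peer gets a static remote subnet instead.
    rightsubnet=10.28.2.8/32
```

After `ipsec reload` (or `ipsec update`), the IKE_AUTH response should carry SA/TSi/TSr instead of N(FAIL_CP_REQ). The FortiGate proposed 0.0.0.0/0 === 0.0.0.0/0 in the log; as IKEv2 responder strongSwan narrows that to 10.138.0.0/20 === 10.28.2.8/32, which the initiator has to accept, so the FortiGate phase 2 selectors should match these subnets if it refuses narrowed selectors. Two things to check against the FortiGate side rather than assume: the PSK must be bound to the remote identity (200.1*.1*3.* here, since rightid=%any takes the peer's IP as identity), and the asymmetric authentication in this profile (strongSwan signs with its certificate while the peer uses a PSK) only works if the FortiGate is configured to verify a certificate from this side; if its phase 1 is set to pre-shared key for both directions, use leftauth=psk and drop leftcert. The iptables rules quoted earlier reference 10.10.10.0/24 and would need 10.28.2.8/32 as well.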