[strongSwan] Error connecting from Fortigate VPN to Strongswan

MOSES KARIUKI kariukims at gmail.com
Fri Mar 15 12:09:24 CET 2019


Any other suggestions on this issue?

Thanks

On Fri, Mar 15, 2019 at 10:52 AM MOSES KARIUKI <kariukims at gmail.com> wrote:

> Thanks Chris.
>
> The client says that the port is open. I will change the ciphers. Thanks.
>
> On Fri, Mar 15, 2019 at 4:40 AM Chris Sherry <smilinjoe at gmail.com> wrote:
>
>> The first thing to check is whether 200.10.1.X is allowing UDP/4500 inbound.
>> That being said, you should really rethink your ciphers; 3DES/SHA1 shouldn't
>> be a thing anymore.
>>
>> Chris.
>>
>> On Thu, Mar 14, 2019 at 4:57 PM MOSES KARIUKI <kariukims at gmail.com>
>> wrote:
>>
>>> Dear Team,
>>>
>>> I have not been able to connect from a Fortigate firewall client to my
>>> strongSwan host. These are the parameters set up on the Fortigate:
>>> Authentication Method: Pre-Shared Secret
>>> Encryption Schema: IKE
>>> Perfect Forward Secrecy (IKE): DH Group 5
>>> Encryption Algorithm: 3DES
>>> Hashing Algorithm: SHA1
>>> Renegotiate IKE SA every: 28800
>>> Main or Aggressive Mode: Main
>>> IPsec: ESP
>>> Perfect Forward Secrecy (IPsec): DH Group 2
>>> Encryption Algorithm (IPsec): 3DES
>>> Hashing Algorithm (IPsec): SHA1
>>> Renegotiate IPsec SA every: 1800
>>> and below is my strongSwan config.
>>>
>>> conn ikev2-Teledida
>>>     auto=start
>>>     compress=no
>>>     type=tunnel
>>>     keyexchange=ikev2
>>>     fragmentation=yes
>>>     forceencaps=yes
>>>     dpdaction=clear
>>>     dpddelay=300s
>>>     rekey=no
>>>     left=%any
>>>     leftid=35.185.2**.***
>>>     leftsubnet=0.0.0.0/0
>>>     right=200.10.1**.***
>>>     rightid=%any
>>>     rightauth=psk
>>>     rightsourceip=10.11.10.0/9
>>>     rightdns=8.8.8.8,8.8.4.4
>>>     ike=aes256-sha1-modp1024,aes128-sha1-modp1024,aes256-sha256-modp2048,aes128-sha256-modp2048,aes256-sha1-modp2048,aes128-sha1-modp2048,3des-sha1-modp1536,3des-sha1-modp1024
>>>     esp=aes256-sha256,aes256-sha1,aes256-sha256-modp2048,aes128-sha256-modp2048,aes256-sha1-modp2048,aes128-sha1-modp2048,3des-sha1-modp1024,3des-sha1-modp1536
>>>
>>> When I try to connect, it fails with the below error:
>>> LOG:
>>> Mar 15 00:36:12 klick001 charon: 07[CFG] received stroke: add connection 'ikev2-Teledida'
>>> Mar 15 00:36:12 klick001 charon: 07[CFG] conn ikev2-Teledida
>>> Mar 15 00:36:12 klick001 charon: 07[CFG]   left=%any
>>> Mar 15 00:36:12 klick001 charon: 07[CFG]   leftsubnet=0.0.0.0/0
>>> Mar 15 00:36:12 klick001 charon: 07[CFG]   leftid=35.185.2**.***
>>> Mar 15 00:36:12 klick001 charon: 07[CFG]   right=200.10.1**.***
>>> Mar 15 00:36:12 klick001 charon: 07[CFG]   rightsourceip=10.11.10.0/9
>>> Mar 15 00:36:12 klick001 charon: 07[CFG]   rightdns=8.8.8.8,8.8.4.4
>>> Mar 15 00:36:12 klick001 charon: 07[CFG]   rightauth=psk
>>> Mar 15 00:36:12 klick001 charon: 07[CFG]   rightid=%any
>>> Mar 15 00:36:12 klick001 charon: 07[CFG]   ike=aes256-sha1-modp1024,aes128-sha1-modp1024,aes256-sha256-modp2048,aes128-sha256-modp2048,aes256-sha1-modp2048,aes128-sha1-modp2048,3des-sha1-modp1536,3des-sha1-modp1024
>>> Mar 15 00:36:12 klick001 charon: 07[CFG]   esp=aes256-sha256,aes256-sha1,aes256-sha256-modp2048,aes128-sha256-modp2048,aes256-sha1-modp2048,aes128-sha1-modp2048,3des-sha1-modp1024,3des-sha1-modp1536
>>> Mar 15 00:36:12 klick001 charon: 07[CFG]   dpddelay=300
>>> Mar 15 00:36:12 klick001 charon: 07[CFG]   dpdtimeout=150
>>> Mar 15 00:36:12 klick001 charon: 07[CFG]   dpdaction=1
>>> Mar 15 00:36:12 klick001 charon: 07[CFG]   sha256_96=no
>>> Mar 15 00:36:12 klick001 charon: 07[CFG]   mediation=no
>>> Mar 15 00:36:12 klick001 charon: 07[CFG]   keyexchange=ikev2
>>> Mar 15 00:36:12 klick001 charon: 07[CFG] adding virtual IP address pool 10.11.10.0/9
>>> Mar 15 00:36:12 klick001 charon: 07[CFG] added configuration 'ikev2-Teledida'
>>> Mar 15 00:36:12 klick001 charon: 09[CFG] received stroke: initiate 'ikev2-Teledida'
>>> Mar 15 00:36:12 klick001 charon: 09[IKE] initiating IKE_SA ikev2-Teledida[1] to 200.10.1**.***
>>> Mar 15 00:36:12 klick001 charon: 09[CFG] configured proposals:
>>> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
>>> IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
>>> IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
>>> IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
>>> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
>>> IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
>>> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,
>>> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
>>> IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/NTRU_128/NTRU_192/NTRU_256/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048,
>>> IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/NTRU_128/NTRU_192/NTRU_256/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
>>> Mar 15 00:36:12 klick001 charon: 11[CFG] sending supported signature hash algorithms: sha256 sha384 sha512 identity
>>> Mar 15 00:36:12 klick001 charon: 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
>>> Mar 15 00:36:12 klick001 charon: 11[NET] sending packet: from 10.138.0.4[500] to 200.10.1**.***[500] (1588 bytes)
>>> Mar 15 00:36:12 klick001 charon: 12[NET] received packet: from 200.10.1**.***[500] to 10.138.0.4[500] (348 bytes)
>>> Mar 15 00:36:12 klick001 charon: 12[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>>> Mar 15 00:36:12 klick001 charon: 12[CFG] selecting proposal:
>>> Mar 15 00:36:12 klick001 charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
>>> Mar 15 00:36:12 klick001 charon: 12[CFG] selecting proposal:
>>> Mar 15 00:36:12 klick001 charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
>>> Mar 15 00:36:12 klick001 charon: 12[CFG] selecting proposal:
>>> Mar 15 00:36:12 klick001 charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
>>> Mar 15 00:36:12 klick001 charon: 12[CFG] selecting proposal:
>>> Mar 15 00:36:12 klick001 charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
>>> Mar 15 00:36:12 klick001 charon: 12[CFG] selecting proposal:
>>> Mar 15 00:36:12 klick001 charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
>>> Mar 15 00:36:12 klick001 charon: 12[CFG] selecting proposal:
>>> Mar 15 00:36:12 klick001 charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
>>> Mar 15 00:36:12 klick001 charon: 12[CFG] selecting proposal:
>>> Mar 15 00:36:12 klick001 charon: 12[CFG]   proposal matches
>>> Mar 15 00:36:12 klick001 charon: 12[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
>>> Mar 15 00:36:12 klick001 charon: 12[CFG] configured proposals:
>>> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
>>> IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
>>> IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
>>> IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
>>> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
>>> IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
>>> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,
>>> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
>>> IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/NTRU_128/NTRU_192/NTRU_256/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048,
>>> IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/NTRU_128/NTRU_192/NTRU_256/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
>>> Mar 15 00:36:12 klick001 charon: 12[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
>>> Mar 15 00:36:12 klick001 charon: 12[IKE] local host is behind NAT, sending keep alives
>>> Mar 15 00:36:12 klick001 charon: 12[IKE] sending cert request for "CN=VPN root CA"
>>> Mar 15 00:36:12 klick001 charon: 12[IKE] authentication of '35.185.2**.***' (myself) with RSA signature successful
>>> Mar 15 00:36:12 klick001 charon: 12[CFG] proposing traffic selectors for us:
>>> Mar 15 00:36:12 klick001 charon: 12[CFG]  0.0.0.0/0
>>> Mar 15 00:36:12 klick001 charon: 12[CFG] proposing traffic selectors for other:
>>> Mar 15 00:36:12 klick001 charon: 12[CFG]  dynamic
>>> Mar 15 00:36:12 klick001 charon: 12[CFG] configured proposals:
>>> ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ,
>>> ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ,
>>> ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ,
>>> ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ,
>>> ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ,
>>> ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
>>> Mar 15 00:36:12 klick001 charon: 12[IKE] establishing CHILD_SA ikev2-Teledida{1}
>>> Mar 15 00:36:12 klick001 charon: 12[ENC] generating IKE_AUTH request 1 [ IDi CERTREQ AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
>>> Mar 15 00:36:12 klick001 charon: 12[NET] sending packet: from 10.138.0.4[4500] to 200.10.1**.***[4500] (988 bytes)
>>> Mar 15 00:36:16 klick001 charon: 15[IKE] retransmit 1 of request with message ID 1
>>> Mar 15 00:36:16 klick001 charon: 15[NET] sending packet: from 10.138.0.4[4500] to 200.10.1**.***[4500] (988 bytes)
>>> Mar 15 00:36:23 klick001 charon: 16[IKE] retransmit 2 of request with message ID 1
>>> Mar 15 00:36:23 klick001 charon: 16[NET] sending packet: from 10.138.0.4[4500] to 200.10.1**.***[4500] (988 bytes)
>>> Mar 15 00:36:36 klick001 charon: 06[IKE] retransmit 3 of request with message ID 1
>>> Mar 15 00:36:36 klick001 charon: 06[NET] sending packet: from 10.138.0.4[4500] to 200.10.1**.***[4500] (988 bytes)
>>> Mar 15 00:36:56 klick001 charon: 10[IKE] sending keep alive to 200.10.1**.***[4500]
>>> Mar 15 00:36:59 klick001 charon: 09[IKE] retransmit 4 of request with message ID 1
>>> Mar 15 00:36:59 klick001 charon: 09[NET] sending packet: from 10.138.0.4[4500] to 200.10.1**.***[4500] (988 bytes)
>>> Mar 15 00:37:20 klick001 charon: 12[IKE] sending keep alive to 200.10.1**.***[4500]
>>> Mar 15 00:37:40 klick001 charon: 13[IKE] sending keep alive to 200.10.1**.***[4500]
>>> Mar 15 00:37:41 klick001 charon: 14[IKE] retransmit 5 of request with message ID 1
>>> Mar 15 00:37:41 klick001 charon: 14[NET] sending packet: from 10.138.0.4[4500] to 200.10.1**.***[4500] (988 bytes)
>>>
>>> Please assist as we are about to go live soon.
>>>
>>> Thanks in advance.
>>>
>>> Moses K
>>>
>>
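The log in the thread shows the whole story once the exchanges are lined up: IKE_SA_INIT goes out on UDP/500 and is answered, the peer's single offer 3DES/SHA1/MODP_1536 (Fortigate "DH Group 5") is accepted, the local side then authenticates itself with an RSA signature (no leftauth is set, so strongSwan defaults to pubkey even though the Fortigate is configured for a pre-shared secret), and the IKE_AUTH request on UDP/4500 is retransmitted five times with no reply, which is what Chris's UDP/4500 check is about. The script below is an added example, not code from the strongSwan project or from anyone in this thread. It triages a charon log for exactly that pattern and also strips 3DES, SHA1 and the 1024/1536-bit MODP groups from the poster's ike=/esp= lines. SAMPLE_LOG is constructed to mirror the poster's excerpt (peer address masked as in the post), the regular expressions track only the charon message formats visible in that excerpt, and the WEAK sets encode an assumed policy rather than a strongSwan or Fortinet default.

```python
"""Triage a strongSwan charon log for an IKEv2 tunnel that stalls after IKE_SA_INIT.

Added example; not code from the strongSwan project or from anyone in the thread.
SAMPLE_LOG is constructed to mirror the poster's excerpt (peer address masked as in
the post); WEAK and WEAK_CONF_TOKENS are an assumed policy, not a product default.
"""
import re

# Primitives the assumed policy refuses, spelled as charon prints them ...
WEAK = {"3DES_CBC", "HMAC_SHA1_96", "PRF_HMAC_SHA1", "MODP_1024", "MODP_1536"}
# ... and as ipsec.conf ike=/esp= tokens.
WEAK_CONF_TOKENS = {"3des", "sha1", "modp1024", "modp1536"}

# The poster's ike=/esp= lines, verbatim.
IKE_CONF = ("aes256-sha1-modp1024,aes128-sha1-modp1024,aes256-sha256-modp2048,"
            "aes128-sha256-modp2048,aes256-sha1-modp2048,aes128-sha1-modp2048,"
            "3des-sha1-modp1536,3des-sha1-modp1024")
ESP_CONF = ("aes256-sha256,aes256-sha1,aes256-sha256-modp2048,aes128-sha256-modp2048,"
            "aes256-sha1-modp2048,aes128-sha1-modp2048,3des-sha1-modp1024,"
            "3des-sha1-modp1536")

# Constructed log: the answered IKE_SA_INIT on 500, then the unanswered IKE_AUTH on 4500.
SAMPLE_LOG = """\
Mar 15 00:36:12 klick001 charon: 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Mar 15 00:36:12 klick001 charon: 11[NET] sending packet: from 10.138.0.4[500] to 200.10.1**.***[500] (1588 bytes)
Mar 15 00:36:12 klick001 charon: 12[NET] received packet: from 200.10.1**.***[500] to 10.138.0.4[500] (348 bytes)
Mar 15 00:36:12 klick001 charon: 12[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Mar 15 00:36:12 klick001 charon: 12[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
Mar 15 00:36:12 klick001 charon: 12[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
Mar 15 00:36:12 klick001 charon: 12[IKE] local host is behind NAT, sending keep alives
Mar 15 00:36:12 klick001 charon: 12[IKE] authentication of '35.185.2**.***' (myself) with RSA signature successful
Mar 15 00:36:12 klick001 charon: 12[ENC] generating IKE_AUTH request 1 [ IDi CERTREQ AUTH SA TSi TSr ]
Mar 15 00:36:12 klick001 charon: 12[NET] sending packet: from 10.138.0.4[4500] to 200.10.1**.***[4500] (988 bytes)
Mar 15 00:36:16 klick001 charon: 15[IKE] retransmit 1 of request with message ID 1
Mar 15 00:36:23 klick001 charon: 16[IKE] retransmit 2 of request with message ID 1
Mar 15 00:36:36 klick001 charon: 06[IKE] retransmit 3 of request with message ID 1
Mar 15 00:36:59 klick001 charon: 09[IKE] retransmit 4 of request with message ID 1
Mar 15 00:37:41 klick001 charon: 14[IKE] retransmit 5 of request with message ID 1
"""

# Message formats as they appear in the poster's log (assumption: only these shapes).
RE_SELECTED = re.compile(r"selected proposal: (\S+)")
RE_AUTH = re.compile(r"\(myself\) with (.+?) successful")
RE_GEN = re.compile(r"generating (\w+) request (\d+)")
RE_PARSED = re.compile(r"parsed \w+ response (\d+)")
RE_SEND = re.compile(r"sending packet: from \S+\[\d+\] to (\S+)\[(\d+)\]")
RE_RETX = re.compile(r"retransmit (\d+) of request with message ID (\d+)")


def weak_primitives(proposal):
    """'IKE:3DES_CBC/HMAC_SHA1_96/...' -> sorted list of the refused primitives in it."""
    return sorted(WEAK.intersection(proposal.partition(":")[2].split("/")))


def harden(conf_value):
    """Drop ike=/esp= entries containing a refused token; keep the others in order."""
    return ",".join(e for e in conf_value.split(",")
                    if not WEAK_CONF_TOKENS.intersection(e.lower().split("-")))


def triage(log_text):
    """Correlate each request with its response or retransmits and flag what stands out."""
    report = {"selected": None, "weak": [], "local_auth": None,
              "unanswered": None, "findings": []}
    pending, answered, dst, retx, current = {}, set(), {}, {}, None
    for line in log_text.splitlines():
        if m := RE_SELECTED.search(line):
            report["selected"] = m.group(1)
            report["weak"] = weak_primitives(m.group(1))
        elif m := RE_AUTH.search(line):
            report["local_auth"] = m.group(1)
        elif m := RE_GEN.search(line):
            current = int(m.group(2))          # message ID of the request just built
            pending[current] = m.group(1)      # exchange name, e.g. IKE_AUTH
        elif (m := RE_SEND.search(line)) and current is not None:
            dst.setdefault(current, (m.group(1), int(m.group(2))))  # first send wins
        elif m := RE_PARSED.search(line):
            answered.add(int(m.group(1)))
        elif m := RE_RETX.search(line):
            mid = int(m.group(2))
            retx[mid] = max(retx.get(mid, 0), int(m.group(1)))
    for mid, exch in pending.items():
        if mid in answered or mid not in retx:
            continue
        host, port = dst.get(mid, ("?", 0))
        report["unanswered"] = (exch, mid, retx[mid], port)
        report["findings"].append(
            f"{exch} request {mid} retransmitted {retx[mid]}x to {host}[{port}] with no "
            f"reply: confirm UDP/{port} reaches the peer and is not dropped on the way back")
    if report["weak"]:
        report["findings"].append("selected IKE proposal uses " + ", ".join(report["weak"]))
    if report["local_auth"] and "signature" in report["local_auth"]:
        report["findings"].append(
            f"local side authenticates with {report['local_auth']}; a peer configured "
            "for a pre-shared secret expects leftauth=psk (or authby=psk)")
    return report


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)["findings"]:
        print("-", finding)
    print("ike=" + harden(IKE_CONF))
    print("esp=" + harden(ESP_CONF))
```

Run against the constructed log it reports the unanswered IKE_AUTH on port 4500, the 3DES/SHA1/MODP_1536 selection, and the RSA-signature versus PSK mismatch, and it reduces the posted lists to aes256-sha256-modp2048,aes128-sha256-modp2048 for ike= and aes256-sha256,aes256-sha256-modp2048,aes128-sha256-modp2048 for esp=. Note that applying those hardened lists on the strongSwan side alone would make the Fortigate's current 3DES/SHA1/Group 5 offer unmatchable, so the Fortigate phase 1 and phase 2 settings have to move to AES-256/SHA-256 with DH group 14 (MODP 2048) at the same time; the port and authentication findings are independent of that change.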
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20190315/90506540/attachment-0001.html>