[strongSwan] Error connecting from Fortigate VPN to Strongswan
Andreas Steffen
andreas.steffen at strongswan.org
Fri Mar 15 14:23:32 CET 2019
Hi
Mar 15 00:36:12 klick001 charon:
12[IKE] local host is behind NAT, sending keep alives
..
12[ENC] generating IKE_AUTH request 1 [ IDi CERTREQ AUTH SA TSi TSr
N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
12[NET] sending packet: from 10.138.0.4[4500] to 200.10.1**.***[4500]
15[IKE] retransmit 1 of request with message ID 1
..
Because a NAT situation is detected, the strongSwan client floats to
the NAT-Traversal UDP port 4500 with the IKE_AUTH request (Actually
the port 4500 float always occurs because of the IKEv2 MOBIKE protocol).
But no response is received from the Fortigate gateway. You should check
the Fortigate log whether the IKE_AUTH request is actually received and
if yes if an error is produced.
Regards
Andreas
On 15.03.2019 12:09, MOSES KARIUKI wrote:
> Any other suggestion on this issue?
>
> Thanks
>
> On Fri, Mar 15, 2019 at 10:52 AM MOSES KARIUKI <kariukims at gmail.com
> <mailto:kariukims at gmail.com>> wrote:
>
> Thanks Chris.
>
> The client says that the port is open. I will change the Ciphers. Thanks
>
> On Fri, Mar 15, 2019 at 4:40 AM Chris Sherry <smilinjoe at gmail.com
> <mailto:smilinjoe at gmail.com>> wrote:
>
> The first thing to check is 200.10.1.X is allowing UDP/4500
> inbound. That being said, you should really rethink your
> ciphers, 3DES/SHA1 shouldn't be a thing anymore.
>
> Chris.
>
> On Thu, Mar 14, 2019 at 4:57 PM MOSES KARIUKI
> <kariukims at gmail.com <mailto:kariukims at gmail.com>> wrote:
>
> Dear Team,
>
> I have not been able to connect from a Fortigate firewall
> client to my Sttrongswan Host. These are the parameters set
> up on the Fortigate :
> Authentication Method Pre-Shared Secret
> Encryption Schema IKE
> Perfect Forward Secrecy- IKE DH Group-5
> Encryption Algorithm 3DES
> Hashing Algorithm SHA1
> Renegotiate IKE SA every 28800
> Main or Aggressive Mode Main
> IPSec ESP
> Perfect Forward Secrecy-IPSEC DH Group-2
> Encryption Algorithm IPSec 3DES
> Hashing Algorithm IPSec SHA1
> Renegotiate IPSec SA every 1800
>
>
> and below is my Strongswan config.
>
> conn ikev2-Teledida
> auto=start
> compress=no
> type=tunnel
> keyexchange=ikev2
> fragmentation=yes
> forceencaps=yes
> dpdaction=clear
> dpddelay=300s
> rekey=no
> left=%any
> leftid=35.185.2**.***
> leftsubnet=0.0.0.0/0 <http://0.0.0.0/0>
> right=200.10.1**.***
> rightid=%any
> rightauth=psk
> rightsourceip=10.11.10.0/9 <http://10.11.10.0/9>
> rightdns=8.8.8.8,8.8.4.4
>
> ike=aes256-sha1-modp1024,aes128-sha1-modp1024,aes256-sha256-modp2048,aes128-sha256-modp2048,aes256-sha1-modp2048,aes128-sha1-modp2048,3des-sha1-modp1536,3des-sha1-modp1024
>
> esp=aes256-sha256,aes256-sha1,aes256-sha256-modp2048,aes128-sha256-modp2048,aes256-sha1-modp2048,aes128-sha1-modp2048,3des-sha1-modp1024,3des-sha1-modp1536
>
> When I try to connect, it fails with the below error:
> LOG :
> Mar 15 00:36:12 klick001 charon: 07[CFG] received stroke:
> add connection 'ikev2-Teledida'
> Mar 15 00:36:12 klick001 charon: 07[CFG] conn ikev2-Teledida
> Mar 15 00:36:12 klick001 charon: 07[CFG] left=%any
> Mar 15 00:36:12 klick001 charon: 07[CFG]
> leftsubnet=0.0.0.0/0 <http://0.0.0.0/0>
> Mar 15 00:36:12 klick001 charon: 07[CFG] leftid=35.185.2**.***
> Mar 15 00:36:12 klick001 charon: 07[CFG] right=200.10.1**.***
> Mar 15 00:36:12 klick001 charon: 07[CFG]
> rightsourceip=10.11.10.0/9 <http://10.11.10.0/9>
> Mar 15 00:36:12 klick001 charon: 07[CFG]
> rightdns=8.8.8.8,8.8.4.4
> Mar 15 00:36:12 klick001 charon: 07[CFG] rightauth=psk
> Mar 15 00:36:12 klick001 charon: 07[CFG] rightid=%any
> Mar 15 00:36:12 klick001 charon: 07[CFG]
> ike=aes256-sha1-modp1024,aes128-sha1-modp1024,aes256-sha256-modp2048,aes128-sha256-modp2048,aes256-sha1-modp2048,aes128-sha1-modp2048,3des-sha1-modp1536,3des-sha1-modp1024
> Mar 15 00:36:12 klick001 charon: 07[CFG]
> esp=aes256-sha256,aes256-sha1,aes256-sha256-modp2048,aes128-sha256-modp2048,aes256-sha1-modp2048,aes128-sha1-modp2048,3des-sha1-modp1024,3des-sha1-modp1536
> Mar 15 00:36:12 klick001 charon: 07[CFG] dpddelay=300
> Mar 15 00:36:12 klick001 charon: 07[CFG] dpdtimeout=150
> Mar 15 00:36:12 klick001 charon: 07[CFG] dpdaction=1
> Mar 15 00:36:12 klick001 charon: 07[CFG] sha256_96=no
> Mar 15 00:36:12 klick001 charon: 07[CFG] mediation=no
> Mar 15 00:36:12 klick001 charon: 07[CFG] keyexchange=ikev2
> Mar 15 00:36:12 klick001 charon: 07[CFG] adding virtual IP
> address pool 10.11.10.0/9 <http://10.11.10.0/9>
> Mar 15 00:36:12 klick001 charon: 07[CFG] added configuration
> 'ikev2-Teledida'
> Mar 15 00:36:12 klick001 charon: 09[CFG] received stroke:
> initiate 'ikev2-Teledida'
> Mar 15 00:36:12 klick001 charon: 09[IKE] initiating IKE_SA
> ikev2-Teledida[1] to 200.10.1**.***
> Mar 15 00:36:12 klick001 charon: 09[CFG] configured
> proposals:
> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
> IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
> IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
> IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
> IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,
> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
> IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/NTRU_128/NTRU_192/NTRU_256/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048,
> IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/NTRU_128/NTRU_192/NTRU_256/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
> Mar 15 00:36:12 klick001 charon: 11[CFG] sending supported
> signature hash algorithms: sha256 sha384 sha512 identity
> Mar 15 00:36:12 klick001 charon: 11[ENC] generating
> IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> Mar 15 00:36:12 klick001 charon: 11[NET] sending packet:
> from 10.138.0.4[500] to 200.10.1**.***[500] (1588 bytes)
> Mar 15 00:36:12 klick001 charon: 12[NET] received packet:
> from 200.10.1**.***[500] to 10.138.0.4[500] (348 bytes)
> Mar 15 00:36:12 klick001 charon: 12[ENC] parsed IKE_SA_INIT
> response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Mar 15 00:36:12 klick001 charon: 12[CFG] selecting proposal:
> Mar 15 00:36:12 klick001 charon: 12[CFG] no acceptable
> ENCRYPTION_ALGORITHM found
> Mar 15 00:36:12 klick001 charon: 12[CFG] selecting proposal:
> Mar 15 00:36:12 klick001 charon: 12[CFG] no acceptable
> ENCRYPTION_ALGORITHM found
> Mar 15 00:36:12 klick001 charon: 12[CFG] selecting proposal:
> Mar 15 00:36:12 klick001 charon: 12[CFG] no acceptable
> ENCRYPTION_ALGORITHM found
> Mar 15 00:36:12 klick001 charon: 12[CFG] selecting proposal:
> Mar 15 00:36:12 klick001 charon: 12[CFG] no acceptable
> ENCRYPTION_ALGORITHM found
> Mar 15 00:36:12 klick001 charon: 12[CFG] selecting proposal:
> Mar 15 00:36:12 klick001 charon: 12[CFG] no acceptable
> ENCRYPTION_ALGORITHM found
> Mar 15 00:36:12 klick001 charon: 12[CFG] selecting proposal:
> Mar 15 00:36:12 klick001 charon: 12[CFG] no acceptable
> ENCRYPTION_ALGORITHM found
> Mar 15 00:36:12 klick001 charon: 12[CFG] selecting proposal:
> Mar 15 00:36:12 klick001 charon: 12[CFG] proposal matches
> Mar 15 00:36:12 klick001 charon: 12[CFG] received proposals:
> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
> Mar 15 00:36:12 klick001 charon: 12[CFG] configured
> proposals:
> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
> IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
> IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
> IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
> IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,
> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
> IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/NTRU_128/NTRU_192/NTRU_256/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048,
> IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/NTRU_128/NTRU_192/NTRU_256/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
> Mar 15 00:36:12 klick001 charon: 12[CFG] selected proposal:
> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
> Mar 15 00:36:12 klick001 charon: 12[IKE] local host is
> behind NAT, sending keep alives
> Mar 15 00:36:12 klick001 charon: 12[IKE] sending cert
> request for "CN=VPN root CA"
> Mar 15 00:36:12 klick001 charon: 12[IKE] authentication of
> '35.185.2**.***' (myself) with RSA signature successful
> Mar 15 00:36:12 klick001 charon: 12[CFG] proposing traffic
> selectors for us:
> Mar 15 00:36:12 klick001 charon: 12[CFG] 0.0.0.0/0
> <http://0.0.0.0/0>
> Mar 15 00:36:12 klick001 charon: 12[CFG] proposing traffic
> selectors for other:
> Mar 15 00:36:12 klick001 charon: 12[CFG] dynamic
> Mar 15 00:36:12 klick001 charon: 12[CFG] configured
> proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ,
> ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ,
> ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ,
> ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ,
> ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ,
> ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
> Mar 15 00:36:12 klick001 charon: 12[IKE] establishing
> CHILD_SA ikev2-Teledida{1}
> Mar 15 00:36:12 klick001 charon: 12[ENC] generating IKE_AUTH
> request 1 [ IDi CERTREQ AUTH SA TSi TSr N(MOBIKE_SUP)
> N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> Mar 15 00:36:12 klick001 charon: 12[NET] sending packet:
> from 10.138.0.4[4500] to 200.10.1**.***[4500] (988 bytes)
> Mar 15 00:36:16 klick001 charon: 15[IKE] retransmit 1 of
> request with message ID 1
> Mar 15 00:36:16 klick001 charon: 15[NET] sending packet:
> from 10.138.0.4[4500] to 200.10.1**.***[4500] (988 bytes)
> Mar 15 00:36:23 klick001 charon: 16[IKE] retransmit 2 of
> request with message ID 1
> Mar 15 00:36:23 klick001 charon: 16[NET] sending packet:
> from 10.138.0.4[4500] to 200.10.1**.***[4500] (988 bytes)
> Mar 15 00:36:36 klick001 charon: 06[IKE] retransmit 3 of
> request with message ID 1
> Mar 15 00:36:36 klick001 charon: 06[NET] sending packet:
> from 10.138.0.4[4500] to 200.10.1**.***[4500] (988 bytes)
> Mar 15 00:36:56 klick001 charon: 10[IKE] sending keep alive
> to 200.10.1**.***[4500]
> Mar 15 00:36:59 klick001 charon: 09[IKE] retransmit 4 of
> request with message ID 1
> Mar 15 00:36:59 klick001 charon: 09[NET] sending packet:
> from 10.138.0.4[4500] to 200.10.1**.***[4500] (988 bytes)
> Mar 15 00:37:20 klick001 charon: 12[IKE] sending keep alive
> to 200.10.1**.***[4500]
> Mar 15 00:37:40 klick001 charon: 13[IKE] sending keep alive
> to 200.10.1**.***[4500]
> Mar 15 00:37:41 klick001 charon: 14[IKE] retransmit 5 of
> request with message ID 1
> Mar 15 00:37:41 klick001 charon: 14[NET] sending packet:
> from 10.138.0.4[4500] to 200.10.1**.***[4500] (988 bytes)
>
> Please assist as we are about to go live soon.
>
> Thanks in advance.
>
> Moses K
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Networked Solutions
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[INS-HSR]==
More information about the Users
mailing list