[strongSwan] VPN connection to Remote Fortigate Client

MOSES KARIUKI kariukims at gmail.com
Sun Mar 31 14:32:27 CEST 2019


Dear Team,

I have not yet succeeded in establishing a connection to the remote
Fortigate client. The remote client has internal IPs in the range
I have the following configuration:

sudo route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.138.0.1      0.0.0.0         UG    100    0        0 ens4
10.138.0.1      0.0.0.0         255.255.255.255 UH    100    0        0 ens4

I have these rules:
*nat
-A POSTROUTING -s 10.10.10.0/24 -o ens4 -m policy --pol ipsec --dir out -j ACCEPT
-A POSTROUTING -s 10.10.10.0/24 -o ens4 -j MASQUERADE
COMMIT

*mangle
-A FORWARD --match policy --pol ipsec --dir in -s 10.10.10.0/24 -o ens4 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT

-A ufw-before-forward --match policy --pol ipsec --dir in --proto esp -s 10.10.10.0/24 -j ACCEPT
-A ufw-before-forward --match policy --pol ipsec --dir out --proto esp -d 10.10.10.0/24 -j ACCEPT

This is my strongSwan configuration:
config setup
    charondebug="ike 1, knl 1, cfg 2"
    uniqueids=yes

conn televida
    auto=route
    compress=no
    type=tunnel
    reauth=no
    mobike=no
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    rightfirewall=yes
    leftfirewall=yes
    left=%any
    leftid=35.185.2**.**
    leftcert=server-cert.pem
    leftsendcert=never
    leftsubnet=10.138.0.0/20,0.0.0.0/0
    right=200.1*.1*3.*
    rightid=%any
    rightauth=psk
    rightsourceip=10.10.10.0/24
    #rightsourceip=
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    ike=aes256-sha256-ecp521
    esp=aes256-sha256-ecp521

This is the error that I am getting:
sudo ipsec up televida
initiating IKE_SA televida[1] to 200.1*.1*3.*
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 10.138.0.4[500] to 200.1*.1*3.*[500] (1006 bytes)
received packet: from 200.1*.1*3.*[500] to 10.138.0.4[500] (292 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
local host is behind NAT, sending keep alives
authentication of '35.185.2**.**' (myself) with RSA signature successful
establishing CHILD_SA televida{2}
generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 10.138.0.4[4500] to 200.1*.1*3.*[4500] (816 bytes)
retransmit 1 of request with message ID 1
sending packet: from 10.138.0.4[4500] to 200.1*.1*3.*[4500] (816 bytes)
retransmit 2 of request with message ID 1
sending packet: from 10.138.0.4[4500] to 200.1*.1*3.*[4500] (816 bytes)
retransmit 3 of request with message ID 1
sending packet: from 10.138.0.4[4500] to 200.1*.1*3.*[4500] (816 bytes)
sending keep alive to 200.1*.1*3.*[4500]
retransmit 4 of request with message ID 1
sending packet: from 10.138.0.4[4500] to 200.1*.1*3.*[4500] (816 bytes)
sending keep alive to 200.1*.1*3.*[4500]
sending keep alive to 200.1*.1*3.*[4500]
retransmit 5 of request with message ID 1
sending packet: from 10.138.0.4[4500] to 200.1*.1*3.*[4500] (816 bytes)
sending keep alive to 200.1*.1*3.*[4500]
sending keep alive to 200.1*.1*3.*[4500]
sending keep alive to 200.1*.1*3.*[4500]
giving up after 5 retransmits
peer not responding, trying again (2/3)
initiating IKE_SA televida[1] to 200.1*.1*3.*
establishing connection 'televida' failed

My biggest question is:
Do the two private Subnets need to be under the same Subnet Mask?
My private IP is *10.138.0.4*. He tells me that 10.28.2.8/32 is his private.
Please advise. I have re-installed again and again with no success.

Regards,
Moses Kariuki
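Two checks added here for the failure pattern in the post above (example code, not from the poster or from strongSwan): a classifier for charon's console log that reports which IKEv2 exchange went unanswered, and a subnet check for the question about masks. The sample log is constructed from the lines quoted above, with the peer address left masked as the poster wrote it; the subnet values are the ones given in the post.

```python
import re
import ipaddress

# Constructed excerpt modelled on the `ipsec up televida` output in the post
# (the peer address stays masked as the poster wrote it).
SAMPLE_LOG = """\
sending packet: from 10.138.0.4[500] to 200.1*.1*3.*[500] (1006 bytes)
received packet: from 200.1*.1*3.*[500] to 10.138.0.4[500] (292 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
local host is behind NAT, sending keep alives
generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 10.138.0.4[4500] to 200.1*.1*3.*[4500] (816 bytes)
retransmit 1 of request with message ID 1
sending packet: from 10.138.0.4[4500] to 200.1*.1*3.*[4500] (816 bytes)
retransmit 2 of request with message ID 1
giving up after 5 retransmits
establishing connection 'televida' failed
"""

def diagnose(log):
    """Report which IKEv2 exchange went unanswered, from charon's console output."""
    init_ok = "parsed IKE_SA_INIT response" in log
    auth_sent = "generating IKE_AUTH request" in log
    auth_ok = "parsed IKE_AUTH response" in log
    retransmits = len(re.findall(r"^retransmit \d+ of request", log, re.M))
    # Source ports we transmitted from: 500 for INIT, 4500 once NAT-T is in use.
    ports = sorted({int(p) for p in
                    re.findall(r"^sending packet: from \S+\[(\d+)\]", log, re.M)})
    if not init_ok:
        stage = "IKE_SA_INIT unanswered"   # nothing on UDP/500 came back at all
    elif auth_sent and not auth_ok:
        stage = "IKE_AUTH unanswered"      # INIT worked; the UDP/4500 path or peer policy did not
    else:
        stage = "IKE_AUTH answered"        # look further down the log (CHILD_SA, TS mismatch)
    return {"stage": stage, "retransmits": retransmits, "ports": ports,
            "nat_detected": "behind NAT" in log}

def check_subnets(left_subnets, right_pool, right_host):
    """Prefix lengths need not match between peers; what matters is that the
    virtual-IP pool does not collide with a subnet routed locally."""
    left = [ipaddress.ip_network(s) for s in left_subnets]
    specific = [n for n in left if n.prefixlen > 0]   # 0.0.0.0/0 overlaps everything by definition
    pool, host = ipaddress.ip_network(right_pool), ipaddress.ip_network(right_host)
    return {"same_mask_required": False,
            "full_tunnel_offered": len(specific) < len(left),
            "pool_overlaps_left": any(n.overlaps(pool) for n in specific),
            "peer_host_in_left": any(n.overlaps(host) for n in specific)}
```

Run `diagnose(SAMPLE_LOG)` and `check_subnets(["10.138.0.0/20", "0.0.0.0/0"], "10.10.10.0/24", "10.28.2.8/32")` to reproduce the post's situation: the exchange stalls at IKE_AUTH on UDP/4500, and none of the three ranges overlap, so a shared mask is not what is missing.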