[strongSwan] VPN connection to Remote Fortigate Client
MOSES KARIUKI
kariukims at gmail.com
Sun Mar 31 14:32:27 CEST 2019
Dear Team,
I have not yet succeeded in establishing a connection to the remote
Fortigate client. The remote client has internal IPs in the range
I have the following configuration :
*sudo route -n*
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use
Iface
0.0.0.0 10.138.0.1 0.0.0.0 UG 100 0 0 ens4
10.138.0.1 0.0.0.0 255.255.255.255 UH 100 0 0 ens4
*I have these rules :*
*nat
-A POSTROUTING -s 10.10.10.0/24 -o ens4 -m policy --pol ipsec --dir out -j
ACCEPT
-A POSTROUTING -s 10.10.10.0/24 -o ens4 -j MASQUERADE
COMMIT
*mangle
-A FORWARD --match policy --pol ipsec --dir in -s 10.10.10.0/24 -o ens4 -p
tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS
--set-mss 1360
COMMIT
-A ufw-before-forward --match policy --pol ipsec --dir in --proto esp -s
10.10.10.0/24 -j ACCEPT
-A ufw-before-forward --match policy --pol ipsec --dir out --proto esp -d
10.10.10.0/24 -j ACCEPT
*This is my Strongswan configuration :*
config setup
charondebug="ike 1, knl 1, cfg 2"
uniqueids=yes
conn televida
auto=route
compress=no
type=tunnel
reauth=no
mobike=no
keyexchange=ikev2
fragmentation=yes
forceencaps=yes
dpdaction=clear
dpddelay=300s
rekey=no
rightfirewall=yes
leftfirewall=yes
left=%any
leftid=35.185.2**.**
leftcert=server-cert.pem
leftsendcert=never
* leftsubnet=10.138.0.0/20,0.0.0.0/0 <http://10.138.0.0/20,0.0.0.0/0>*
right=200.1*.1*3.*
rightid=%any
rightauth=psk
* rightsourceip=10.10.10.0/24 <http://10.10.10.0/24>*
#rightsourceip=
rightdns=8.8.8.8,8.8.4.4
rightsendcert=never
ike=aes256-sha256-ecp521
esp=aes256-sha256-ecp521
This is the error that I am getting :
*sudo ipsec up televida*
initiating IKE_SA televida[1] to 200.1*.1*3.*
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 10.138.0.4[500] to 200.1*.1*3.*[500] (1006 bytes)
received packet: from 200.1*.1*3.*[500] to 10.138.0.4[500] (292 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
local host is behind NAT, sending keep alives
authentication of '35.185.2**.**' (myself) with RSA signature successful
establishing CHILD_SA televida{2}
generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(EAP_ONLY)
N(MSG_ID_SYN_SUP) ]
sending packet: from 10.138.0.4[4500] to 200.1*.1*3.*[4500] (816 bytes)
retransmit 1 of request with message ID 1
sending packet: from 10.138.0.4[4500] to 200.1*.1*3.*[4500] (816 bytes)
retransmit 2 of request with message ID 1
sending packet: from 10.138.0.4[4500] to 200.1*.1*3.*[4500] (816 bytes)
retransmit 3 of request with message ID 1
sending packet: from 10.138.0.4[4500] to 200.1*.1*3.*[4500] (816 bytes)
sending keep alive to 200.1*.1*3.*[4500]
retransmit 4 of request with message ID 1
sending packet: from 10.138.0.4[4500] to 200.1*.1*3.*[4500] (816 bytes)
sending keep alive to 200.1*.1*3.*[4500]
sending keep alive to 200.1*.1*3.*[4500]
retransmit 5 of request with message ID 1
sending packet: from 10.138.0.4[4500] to 200.1*.1*3.*[4500] (816 bytes)
sending keep alive to 200.1*.1*3.*[4500]
sending keep alive to 200.1*.1*3.*[4500]
sending keep alive to 200.1*.1*3.*[4500]
giving up after 5 retransmits
peer not responding, trying again (2/3)
initiating IKE_SA televida[1] to 200.1*.1*3.*
establishing connection 'televida' failed
My biggest question is :
Do the two private Subnets need to be under the same Subnet Mask?
My private IP is *10.138.0.4*. He tells me that 10.28.2.8/32 is his private.
Please advise. I have re-installed again and again with no success.
Regards,
Moses Kariuki
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20190331/bf69e815/attachment.html>
More information about the Users
mailing list