[strongSwan] Configuring site-to-site IPsec VPN to a Fortigate using certificates

JR jrmailgate-strongswan at yahoo.com
Mon Oct 14 18:38:05 CEST 2019


Hi

I am trying to configure a VPN tunnel between a Linux VM in Azure with a customer's Fortigate firewall. The Azure VM is behind an Azure load balancer, so has a different public IP from the local VM IP. The good news is that the configuration is working with PSK. However, when trying to use certificate-based authentication, the connection is not establishing. I can see the connection request coming in from the customer, but it fails to complete.

I am not sure what the "id" values should be for a Fortigate when using certificates. I have tried: IP address, FQDN, and Distinguished Name, but none appear to be working. We have tried using a third-party "proper" certificate, and also a self-signed certificate (the configuration below is based on the self-signed certificate; both ends have the same self-signed/created CA root certificate installed).

Please see the logs and command outputs below. The customer name and IPs have been sanitized.

Version: 5.6.2-1ubuntu2.4 (latest available on Ubuntu 18.04.2 LTS)

Any help would be appreciated! We have spent three days trying to debug this without success.

Thanks

Julian


The output of swanctl -l:

(unnamed): #1, CONNECTING, IKEv2, d97222f0d8c960ed_i 4f771e61521bd11a_r*
  local  '%any' @ 172.26.0.85[500]
  remote '%any' @ 123.123.123.123[500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  passive: IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE

The output of swanctl -L:
customername: IKEv2, no reauthentication, rekeying every 14400s
  local:  172.26.0.85
  remote: 123.123.123.123
  local public key authentication:
    id: vpnrsa-ss.production.onecloud.companyname.cloud
    certs: C=GB, ST=County, O=CompanyName, OU=Technical Services, CN=vpnrsa-ss.production.onecloud.companyname.cloud
  remote public key authentication:
    id: vpn1.customername.gov.uk
  datacentre-customername: TUNNEL, rekeying every 3600s or 4608000 bytes
    local:  172.26.0.85/32 172.16.16.64/27 172.16.44.32/28 172.16.60.0/22 172.16.30.196/32
    remote: 10.10.8.1/32 10.10.8.2/32 10.10.8.22/32 10.10.8.23/32 10.10.8.24/32 10.10.8.25/32 10.10.8.45/32


The output of iptables -L:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

The output of ip route show table all:

10.10.8.1 via 172.26.0.81 dev eth0 table 220 proto static src 172.26.0.85
10.10.8.2 via 172.26.0.81 dev eth0 table 220 proto static src 172.26.0.85
10.10.8.22 via 172.26.0.81 dev eth0 table 220 proto static src 172.26.0.85
10.10.8.23 via 172.26.0.81 dev eth0 table 220 proto static src 172.26.0.85
10.10.8.24 via 172.26.0.81 dev eth0 table 220 proto static src 172.26.0.85
10.10.8.25 via 172.26.0.81 dev eth0 table 220 proto static src 172.26.0.85
10.10.8.45 via 172.26.0.81 dev eth0 table 220 proto static src 172.26.0.85
default via 172.26.0.81 dev eth0 proto dhcp src 172.26.0.85 metric 100
168.63.129.16 via 172.26.0.81 dev eth0 proto dhcp src 172.26.0.85 metric 100
169.254.169.254 via 172.26.0.81 dev eth0 proto dhcp src 172.26.0.85 metric 100
172.26.0.80/28 dev eth0 proto kernel scope link src 172.26.0.85
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 172.26.0.80 dev eth0 table local proto kernel scope link src 172.26.0.85
local 172.26.0.85 dev eth0 table local proto kernel scope host src 172.26.0.85
broadcast 172.26.0.95 dev eth0 table local proto kernel scope link src 172.26.0.85
::1 dev lo proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local fe80::20d:3aff:fe7e:9150 dev eth0 table local proto kernel metric 0 pref medium
ff00::/8 dev eth0 table local metric 256 pref medium

The output of ip addr:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0d:3a:7e:91:50 brd ff:ff:ff:ff:ff:ff
    inet 172.26.0.85/28 brd 172.26.0.95 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20d:3aff:fe7e:9150/64 scope link
       valid_lft forever preferred_lft forever


The only configuration file change I have made is to create a customername.conf file in /etc/swanctl/conf.d with the following:

# customername
connections {

   customername {
      local_addrs  = 172.26.0.85
      remote_addrs = 123.123.123.123

      local {
         #auth = psk
         #id = 172.26.0.85

         auth = pubkey
         id = vpnrsa-ss.production.onecloud.companyname.cloud
         certs = strongswan_self_signed2.crt
         #id = "C=GB, ST=London, L=London, O=CompanyName PLC, CN=vpnrsa.production.onecloud.companyname.cloud"
      }
      remote {
         auth = psk
         #id = 123.123.123.123
         id = vpn1.customername.gov.uk
         #auth = pubkey
         #id = "C=GB, S=customername, L=Town, O=customername County Council, OU=customername County Council, CN=vpn1.customername.gov.uk"
         #id = "C=GB, ST=County, O=CompanyName, OU=Technical Services, CN=vpn1.customername.gov.uk"
      }
      children {
         datacentre-customername {
            local_ts  = 172.26.0.85,172.16.16.64/27,172.16.44.32/28,172.16.60.0/22,172.16.30.196/32
            remote_ts = 10.10.8.1,10.10.8.2,10.10.8.22,10.10.8.23,10.10.8.24,10.10.8.25,10.10.8.45
            dpd_action = restart
            start_action = trap
            rekey_bytes = 4608000
            esp_proposals = aes256-sha256-modp2048 #phase 2
         }
      }
      version = 2
      mobike = no
      proposals = aes256-sha256-modp2048 #phase 1 customername proposed
   }
}

secrets {
   ike-customername {
        id = 172.26.0.85
        secret = <snipped>
   }
   ike-customer2 {
        id = 123.123.123.123
        secret = <snipped>
   }
   ike-customer3 {
        id = vpn1.customername.gov.uk
        secret = <snipped>
   }
}
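For comparison, here is an added example (not from the post above) of the same connection with certificate authentication on both sides; in the posted file the remote side is still "auth = psk", so the peer's certificate is never evaluated. It assumes the CA certificate is installed as /etc/swanctl/x509ca/ca.crt, the local certificate and key sit in /etc/swanctl/x509 and /etc/swanctl/private, and the Fortigate's certificate carries the DN shown (the DN is taken from the commented line in the post; check the real one with "swanctl --list-certs").

```conf
# Added example: certificate-based IKEv2 for the posted connection.
# Assumptions: CA cert in /etc/swanctl/x509ca/ca.crt, local cert in
# /etc/swanctl/x509/strongswan_self_signed2.crt, its key in /etc/swanctl/private/.
# The remote id must be an identity contained in the peer's certificate:
# either a subjectAltName (FQDN, IP, e-mail) or the full subject DN.
connections {
   customername {
      local_addrs  = 172.26.0.85
      remote_addrs = 123.123.123.123
      version = 2
      mobike = no
      proposals = aes256-sha256-modp2048

      local {
         auth  = pubkey
         # Must match a SAN or the subject DN of strongswan_self_signed2.crt.
         id    = vpnrsa-ss.production.onecloud.companyname.cloud
         certs = strongswan_self_signed2.crt
      }
      remote {
         auth = pubkey
         # If the Fortigate cert has no SAN with the FQDN, use its subject DN
         # verbatim (attribute order and spelling must match the certificate).
         id = "C=GB, ST=customername, L=Town, O=customername County Council, OU=customername County Council, CN=vpn1.customername.gov.uk"
         # Restrict acceptable peer certificates to this issuing CA.
         cacerts = ca.crt
      }
      children {
         datacentre-customername {
            local_ts  = 172.26.0.85,172.16.16.64/27,172.16.44.32/28,172.16.60.0/22,172.16.30.196/32
            remote_ts = 10.10.8.1,10.10.8.2,10.10.8.22,10.10.8.23,10.10.8.24,10.10.8.25,10.10.8.45
            esp_proposals = aes256-sha256-modp2048
            start_action = trap
            dpd_action = restart
            rekey_bytes = 4608000
         }
      }
   }
}
# No "secrets" section is needed for pubkey authentication.
```

After "swanctl --load-all", "swanctl --list-certs" prints each loaded certificate with its subject and altNames; the remote id has to equal one of those strings exactly, otherwise IKE_AUTH fails even though the signature itself verifies.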