[strongSwan] Unable to establish connection with Fortigate device

Lorenzo Milesi lorenzo.milesi at yetopen.com
Mon Mar 1 08:03:02 CET 2021


Hi. 
I'm trying to set up an IPsec connection between a StrongSwan server and a Fortigate device. Auth uses PSK, so according to [1] I've chosen IKEv1. The Fortigate is behind an ADSL modem.

In Fortinet I've set P1 to enc AES256 auth SHA256, DH 15, key lifetime 86400.

This is ipsec.conf:

config setup
    # verbose logging for all charon subsystems while troubleshooting
    charondebug="ike 3, knl 3, cfg 3, net 3, esp 3, dmn 3, mgr 3"
    uniqueids=yes
    strictcrlpolicy=no


conn sts-base
    fragmentation=yes
    dpdaction=restart
    # phase 1 (IKE SA) proposal: AES-256, SHA-256, DH group 15
    ike=aes256-sha256-modp3072
    # phase 2 (CHILD SA) proposal
    esp=aes256-sha256
    keyingtries=%forever
    leftsubnet=172.16.12.0/24
    # IKE SA lifetime in seconds
    lifetime=86400

conn site-3-legacy-base
    keyexchange=ikev1
    rightid=L***
    also=sts-base
    ike=aes256-sha256-modp3072
    esp=aes256-sha256
    rightsubnet=192.168.4.0/24,192.168.5.0/24
    right=95.x.x.x
    leftauth=psk
    auto=start


This is the debug log on the Fortinet side, which seems to be the problematic one (it doesn't like the other party's offers):

ike 0:to VpnTunnelName:378: out 8AD3789557DB282D9AA1D56EDDD9184605100201000000000000006C6EFC8335B133C6267388C1A0BEB63B6A2CC4E120DE7627C9166D99AFF9EAE094E5368631BB2626D86B31FFED37F29DB6CC4E5D6B2E8B9A6FA79DF8FC03531CB7EB476EC1CE6240D586943E6A675E4695
ike 0:to VpnTunnelName:378: sent IKE msg (P1_RETRANSMIT): 192.168.1.2:4500->95.x.x.x:4500, len=108, id=8ad3789557db282d/9aa1d56eddd91846
ike 0: comes 62.11.245.232:500->192.168.1.2:500,ifindex=4....
ike 0: IKEv1 exchange=Identity Protection id=fc70f37fa6c9ee8d/0000000000000000 len=452
ike 0: in [hex dump omitted]
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: responder: main mode get 1st message...
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: VID FORTIGATE 8299031757A36082C6A621DE00000000
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: incoming proposal:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: proposal id = 0:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:   protocol id = ISAKMP:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:      trans_id = KEY_IKE.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:      encapsulation = IKE/none
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_GROUP, val=MODP2048.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: ISAKMP SA lifetime=86400
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: proposal id = 0:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:   protocol id = ISAKMP:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:      trans_id = KEY_IKE.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:      encapsulation = IKE/none
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_GROUP, val=MODP1536.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: ISAKMP SA lifetime=86400
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: proposal id = 0:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:   protocol id = ISAKMP:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:      trans_id = KEY_IKE.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:      encapsulation = IKE/none
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_GROUP, val=MODP2048.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: ISAKMP SA lifetime=86400
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: proposal id = 0:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:   protocol id = ISAKMP:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:      trans_id = KEY_IKE.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:      encapsulation = IKE/none
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_GROUP, val=MODP1536.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: ISAKMP SA lifetime=86400
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: proposal id = 0:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:   protocol id = ISAKMP:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:      trans_id = KEY_IKE.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:      encapsulation = IKE/none
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_HASH_ALG, val=SHA.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_GROUP, val=MODP2048.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: ISAKMP SA lifetime=86400
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: proposal id = 0:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:   protocol id = ISAKMP:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:      trans_id = KEY_IKE.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:      encapsulation = IKE/none
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_HASH_ALG, val=SHA.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_GROUP, val=MODP1536.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: ISAKMP SA lifetime=86400
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: proposal id = 0:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:   protocol id = ISAKMP:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:      trans_id = KEY_IKE.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:      encapsulation = IKE/none
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_HASH_ALG, val=SHA.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_GROUP, val=MODP2048.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: ISAKMP SA lifetime=86400
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: proposal id = 0:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:   protocol id = ISAKMP:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:      trans_id = KEY_IKE.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:      encapsulation = IKE/none
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_HASH_ALG, val=SHA.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_GROUP, val=MODP1536.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: ISAKMP SA lifetime=86400
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: negotiation failure
ike Negotiate ISAKMP SA Error: ike 0:fc70f37fa6c9ee8d/0000000000000000:383: no SA proposal chosen
ike 0:to VpnTunnelName:378: negotiation timeout, deleting
ike 0:to VpnTunnelName: connection expiring due to phase1 down
ike 0:to VpnTunnelName: deleting
ike 0:to VpnTunnelName: deleted
ike 0:to VpnTunnelName: schedule auto-negotiate
ike 0:to VpnTunnelName: auto-negotiate connection
ike 0:to VpnTunnelName: created connection: 0x424aff8 4 192.168.1.2->95.x.x.x:500.
ike 0:to VpnTunnelName:384: initiator: main mode is sending 1st message...
ike 0:to VpnTunnelName:384: cookie c10b9be64dc0d904/0000000000000000
ike 0:to VpnTunnelName:384: out [hex dump omitted]
ike 0:to VpnTunnelName:384: sent IKE msg (ident_i1send): 192.168.1.2:500->95.x.x.x:500, len=292, id=c10b9be64dc0d904/0000000000000000
ike 0: comes 95.x.x.x:500->192.168.1.2:500,ifindex=4....
ike 0: IKEv1 exchange=Identity Protection id=c10b9be64dc0d904/589d6282b4f462c9 len=164
ike 0: in C10B9BE64DC0D904589D6282B4F462C90110020000000000000000A40D00003C00000001000000010000003001010001000000280101000080010007800E0100800200048004000F80030001800B0001000C0004000151800D00000C09002689DFD6B7120D000014AFCAD71368A1F1C96B8696FC775701000D0000184048B7D56EBCE88525E7DE7F00D6C2D380000000000000144A131C81070358455C5728F20E95452F
ike 0:to VpnTunnelName:384: initiator: main mode get 1st response...
ike 0:to VpnTunnelName:384: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712
ike 0:to VpnTunnelName:384: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:to VpnTunnelName:384: DPD negotiated
ike 0:to VpnTunnelName:384: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D380000000
ike 0:to VpnTunnelName:384: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:to VpnTunnelName:384: selected NAT-T version: RFC 3947
ike 0:to VpnTunnelName:384: negotiation result
ike 0:to VpnTunnelName:384: proposal id = 1:
ike 0:to VpnTunnelName:384:   protocol id = ISAKMP:
ike 0:to VpnTunnelName:384:      trans_id = KEY_IKE.
ike 0:to VpnTunnelName:384:      encapsulation = IKE/none
ike 0:to VpnTunnelName:384:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:to VpnTunnelName:384:         type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:to VpnTunnelName:384:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:to VpnTunnelName:384:         type=OAKLEY_GROUP, val=MODP3072.
ike 0:to VpnTunnelName:384: ISAKMP SA lifetime=86400
ike 0:to VpnTunnelName:384: out [hex dump omitted]
ike 0:to VpnTunnelName:384: sent IKE msg (ident_i2send): 192.168.1.2:500->95.x.x.x:500, len=508, id=c10b9be64dc0d904/589d6282b4f462c9
ike 0: comes 95.x.x.x:500->192.168.1.2:500,ifindex=4....
ike 0: IKEv1 exchange=Identity Protection id=c10b9be64dc0d904/589d6282b4f462c9 len=524
ike 0: in [hex dump omitted]
ike 0:to VpnTunnelName:384: initiator: main mode get 2nd response...
ike 0:to VpnTunnelName:384: received NAT-D payload type 20
ike 0:to VpnTunnelName:384: received NAT-D payload type 20
ike 0:to VpnTunnelName:384: NAT detected: ME
ike 0:to VpnTunnelName:384: NAT-T float port 4500
ike 0:to VpnTunnelName:384: ISAKMP SA c10b9be64dc0d904/589d6282b4f462c9 key 32:A14C8EA6DCB45DD9A940941BDB0342AFB8D00E8153BC9EEABB117532FE53E6D0
ike 0:to VpnTunnelName:384: add INITIAL-CONTACT
ike 0:to VpnTunnelName:384: enc C10B9BE64DC0D904589D6282B4F462C905100201000000000000006B0800000F020000004C6F63616E64610B0000240E2C5E431EDC18A1A71432A2D63F3A735CF38FF3B15088600EA1C4DFA8DBAE540000001C0000000101106002C10B9BE64DC0D904589D6282B4F462C9
ike 0:to VpnTunnelName:384: out C10B9BE64DC0D904589D6282B4F462C905100201000000000000006C0A9523A71AA4D181655F68680E687AAE143646431BCF52A9AAE986F371BD20D0165F406F6525CE7BD4E99E87756AE721C2EA71E8B0D76B6DDAA3BAE63545FE806E4DABC6DBF23D09165665B8EBA17F4B
ike 0:to VpnTunnelName:384: sent IKE msg (ident_i3send): 192.168.1.2:4500->95.x.x.x:4500, len=108, id=c10b9be64dc0d904/589d6282b4f462c9
ike 0: comes 95.x.x.x:4500->192.168.1.2:4500,ifindex=4....
ike 0: IKEv1 exchange=Informational id=c10b9be64dc0d904/589d6282b4f462c9:3401b0f7 len=108
ike 0: in C10B9BE64DC0D904589D6282B4F462C9081005013401B0F70000006CCBD929F01609C09C15FB168C6027327324BD1D6560143B39C69FF01070831099C7520EDB88EBF51AC8CF9AFF5A8649CECE18DADC661F7EB7698D90A5ECEC8DB81EC258089F8E48EEBB2313BE63C33FF5


I'm fairly new to strongSwan, so I might have missed something in the server configuration. Any hint is welcome.
Thanks


[1] https://wiki.strongswan.org/projects/strongswan/wiki/Fortinet

-- 
Lorenzo Milesi - lorenzo.milesi at yetopen.com 


YetOpen - https://www.yetopen.com/

Via Salerno 18 - 23900 Lecco - ITALY -      | 4801 Glenwood Avenue - Suite 200 - Raleigh, NC 27612 - USA -
Tel +39 0341 220 205 - info.it at yetopen.com  | Phone +1 919-817-8106 - info.us at yetopen.com
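The debug log above is readable because the FortiGate prints every main-mode message as a raw hex dump next to its decoded summary. The following script, added here as an example and not part of the original post or of either vendor's software, decodes the first main-mode response the FortiGate received (the `ike 0: in C10B9BE6...` line, len=164) straight from that hex: it walks the ISAKMP header, the SA payload with its proposal and transform, the Oakley attributes, and the vendor ID payloads. It then compares the accepted transform against the FortiGate phase-1 settings stated in the post (AES256, SHA256, DH 15, PSK, 86400 s), which is exactly the check the FortiGate performs before logging `no SA proposal chosen`. The attribute and algorithm tables are the RFC 2409 / IANA values; the policy dictionary is assumed to match the poster's description.

```python
"""Decode an IKEv1 (ISAKMP) main-mode message from a FortiGate 'ike ... in <hex>' debug line."""
import struct

# Oakley attribute classes and values (RFC 2409 Appendix A / IANA ISAKMP registries)
ATTR_NAMES = {1: "OAKLEY_ENCRYPT_ALG", 2: "OAKLEY_HASH_ALG", 3: "AUTH_METHOD",
              4: "OAKLEY_GROUP", 11: "LIFE_TYPE", 12: "LIFE_DURATION", 14: "KEY_LENGTH"}
ENC_ALGS = {1: "DES_CBC", 5: "3DES_CBC", 7: "AES_CBC"}
HASH_ALGS = {1: "MD5", 2: "SHA", 4: "SHA2_256", 5: "SHA2_384", 6: "SHA2_512"}
AUTH_METHODS = {1: "PRESHARED_KEY", 3: "RSA_SIG"}
GROUPS = {2: "MODP1024", 5: "MODP1536", 14: "MODP2048", 15: "MODP3072", 16: "MODP4096"}
EXCHANGES = {2: "Identity Protection", 4: "Aggressive", 5: "Informational", 32: "Quick Mode"}
PAYLOAD_SA, PAYLOAD_VID = 1, 13

# Hex dump copied from the 'ike 0: in ...' line of the FortiGate log above (len=164).
FORTIGATE_RESPONSE_HEX = (
    "C10B9BE64DC0D904589D6282B4F462C90110020000000000000000A4"
    "0D00003C00000001000000010000003001010001000000280101000080010007800E0100"
    "800200048004000F80030001800B0001000C000400015180"
    "0D00000C09002689DFD6B712"
    "0D000014AFCAD71368A1F1C96B8696FC77570100"
    "0D0000184048B7D56EBCE88525E7DE7F00D6C2D380000000"
    "000000144A131C81070358455C5728F20E95452F")

# Phase-1 settings the post reports for the FortiGate (assumed to be exact).
FORTIGATE_P1 = {"enc": "AES_CBC", "key_len": 256, "hash": "SHA2_256",
                "auth": "PRESHARED_KEY", "group": "MODP3072", "lifetime": 86400}


def parse_attributes(data):
    """Parse ISAKMP data attributes: TV (high bit set, 2-byte value) or TLV."""
    attrs, off = {}, 0
    while off < len(data):
        af_type, = struct.unpack_from("!H", data, off)
        if af_type & 0x8000:
            value, = struct.unpack_from("!H", data, off + 2)
            off += 4
        else:
            length, = struct.unpack_from("!H", data, off + 2)
            value = int.from_bytes(data[off + 4:off + 4 + length], "big")
            off += 4 + length
        attrs[ATTR_NAMES.get(af_type & 0x7FFF, af_type & 0x7FFF)] = value
    return attrs


def parse_sa_payload(body):
    """body = SA payload without its generic header: DOI(4) situation(4) proposals."""
    proposals, off = [], 8
    while off < len(body):
        _, _, plen, pnum, proto, spi_size, ntrans = struct.unpack_from("!BBHBBBB", body, off)
        toff, transforms = off + 8 + spi_size, []
        for _ in range(ntrans):
            _, _, tlen, tnum, tid, _ = struct.unpack_from("!BBHBBH", body, toff)
            transforms.append({"num": tnum, "id": tid,
                               "attrs": parse_attributes(body[toff + 8:toff + tlen])})
            toff += tlen
        proposals.append({"num": pnum, "protocol": proto, "transforms": transforms})
        off += plen
    return proposals


def parse_isakmp(hexdump):
    """Parse the 28-byte ISAKMP header and follow the next-payload chain."""
    pkt = bytes.fromhex(hexdump)
    icookie, rcookie, next_p, version, exch, flags, msgid, length = \
        struct.unpack_from("!8s8sBBBBII", pkt, 0)
    if length != len(pkt):
        raise ValueError(f"header length {length} != dump length {len(pkt)}")
    msg = {"icookie": icookie.hex(), "rcookie": rcookie.hex(), "msgid": msgid,
           "version": f"{version >> 4}.{version & 0xF}", "encrypted": bool(flags & 1),
           "exchange": EXCHANGES.get(exch, exch), "payloads": []}
    off = 28
    while next_p != 0 and not msg["encrypted"]:
        ptype = next_p
        next_p, _, plen = struct.unpack_from("!BBH", pkt, off)
        body = pkt[off + 4:off + plen]
        if ptype == PAYLOAD_SA:
            msg["payloads"].append(("SA", parse_sa_payload(body)))
        elif ptype == PAYLOAD_VID:
            msg["payloads"].append(("VID", body.hex().upper()))
        else:
            msg["payloads"].append((ptype, body.hex().upper()))
        off += plen
    return msg


def describe_transform(attrs):
    """Map raw Oakley attribute values to the names the FortiGate log prints."""
    return {"enc": ENC_ALGS.get(attrs.get("OAKLEY_ENCRYPT_ALG")),
            "key_len": attrs.get("KEY_LENGTH"),
            "hash": HASH_ALGS.get(attrs.get("OAKLEY_HASH_ALG")),
            "auth": AUTH_METHODS.get(attrs.get("AUTH_METHOD")),
            "group": GROUPS.get(attrs.get("OAKLEY_GROUP")),
            "lifetime": attrs.get("LIFE_DURATION")}


def check_against_p1(transform, policy):
    """Return (field, offered, expected) for every mismatch; empty means the offer is acceptable."""
    return [(k, transform.get(k), v) for k, v in policy.items() if transform.get(k) != v]


if __name__ == "__main__":
    msg = parse_isakmp(FORTIGATE_RESPONSE_HEX)
    print(msg["exchange"], msg["icookie"], msg["rcookie"])
    for kind, payload in msg["payloads"]:
        if kind == "SA":
            for prop in payload:
                for t in prop["transforms"]:
                    desc = describe_transform(t["attrs"])
                    print("proposal", prop["num"], desc, "mismatches:", check_against_p1(desc, FORTIGATE_P1))
        else:
            print(kind, payload)
```

Run against the dump from the log, the script reports the single transform strongSwan selected (AES_CBC/256, SHA2_256, PRESHARED_KEY, MODP3072, lifetime 86400) and no mismatches, plus the four vendor IDs the FortiGate later names (XAUTH draft, DPD, fragmentation, RFC 3947 NAT-T). Feeding the same policy check a transform with `MODP2048` or `MODP1536`, as in the offers from 62.11.245.232 earlier in the log, returns a group mismatch, which is the condition behind `no SA proposal chosen`: in IKEv1 every attribute of a transform must match the responder's policy, so a single differing DH group rejects the whole proposal.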

