[strongSwan] Unable to establish connection with Fortigate device
Andreas Steffen
andreas.steffen at strongswan.org
Mon Mar 1 13:16:40 CET 2021
Hello Lorenzo,
if you define DH group 15 (modp3072) only but the peer's proposals
are for MODP1536 and MODP2048 then the negotiatio hast to fail with
ike Negotiate ISAKMP SA Error: ike
0:fc70f37fa6c9ee8d/0000000000000000:383: no SA proposal chosen
Best regards
Andreas
On 01.03.2021 08:03, Lorenzo Milesi wrote:
> Hi.
> I'm trying to set up a IPSec connection between a StrongSwan server and a Fortigate device. Auth uses PSK, so according to [1] I've chosen IKEv1. The Fortigate is behind an ADSL modem.
>
> In Fortinet I've set P1 to enc AES256 auth SHA256, DH 15, key lifetime 86400.
>
> This is ipsec.conf:
>
> config setup
> charondebug="ike 3, knl 3, cfg 3, net 3, esp 3, dmn 3, mgr 3"
> uniqueids=yes
> strictcrlpolicy=no
>
>
> conn sts-base
> fragmentation=yes
> dpdaction=restart
> ike=aes256-sha256-modp3072
> esp=aes256-sha256
> keyingtries=%forever
> leftsubnet=172.16.12.0/24
> lifetime=86400
>
> conn site-3-legacy-base
> keyexchange=ikev1
> rightid=L***
> also=sts-base
> ike=aes256-sha256-modp3072
> esp=aes256-sha256
> rightsubnet=192.168.4.0/24,192.168.5.0/24
> right=95.x.x.x
> leftauth=psk
> auto=start
>
>
> This is the debug log on fortinet, which seems the problematic side (doesn't like other party offers):
>
> ike 0:to VpnTunnelName:378: out 8AD3789557DB282D9AA1D56EDDD9184605100201000000000000006C6EFC8335B133C6267388C1A0BEB63B6A2CC4E120DE7627C9166D99AFF9EAE094E5368631BB2626D86B31FFED37F29DB6CC4E5D6B2E8B9A6FA79DF8FC03531CB7EB476EC1CE6240D586943E6A675E4695
> ike 0:to VpnTunnelName:378: sent IKE msg (P1_RETRANSMIT): 192.168.1.2:4500->95.x.x.x:4500, len=108, id=8ad3789557db282d/9aa1d56eddd91846
> ike 0: comes 62.11.245.232:500->192.168.1.2:500,ifindex=4....
> ike 0: IKEv1 exchange=Identity Protection id=fc70f37fa6c9ee8d/0000000000000000 len=452
> ike 0: in FC70F37FA6C9EE8D00000000000000000110020000000000000001C40D000154000000010000000100000148010100080300002801010000800B0001000C00040001518080010007800E008080030001800200048004000E0300002802010000800B0001000C00040001518080010007800E00808003000180020004800400050300002803010000800B0001000C00040001518080010007800E010080030001800200048004000E0300002804010000800B0001000C00040001518080010007800E01008003000180020004800400050300002805010000800B0001000C00040001518080010007800E008080030001800200028004000E0300002806010000800B0001000C00040001518080010007800E00808003000180020002800400050300002807010000800B0001000C00040001518080010007800E010080030001800200028004000E0000002808010000800B0001000C00040001518080010007800E01008003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: responder: main mode get 1st message...
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: VID DPD AFCAD71368A1F1C96B8696FC77570100
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: VID FORTIGATE 8299031757A36082C6A621DE00000000
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: incoming proposal:
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: proposal id = 0:
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: protocol id = ISAKMP:
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: trans_id = KEY_IKE.
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: encapsulation = IKE/none
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=OAKLEY_HASH_ALG, val=SHA2_256.
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=AUTH_METHOD, val=PRESHARED_KEY.
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=OAKLEY_GROUP, val=MODP2048.
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: ISAKMP SA lifetime=86400
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: proposal id = 0:
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: protocol id = ISAKMP:
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: trans_id = KEY_IKE.
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: encapsulation = IKE/none
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=OAKLEY_HASH_ALG, val=SHA2_256.
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=AUTH_METHOD, val=PRESHARED_KEY.
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=OAKLEY_GROUP, val=MODP1536.
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: ISAKMP SA lifetime=86400
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: proposal id = 0:
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: protocol id = ISAKMP:
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: trans_id = KEY_IKE.
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: encapsulation = IKE/none
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=OAKLEY_HASH_ALG, val=SHA2_256.
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=AUTH_METHOD, val=PRESHARED_KEY.
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=OAKLEY_GROUP, val=MODP2048.
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: ISAKMP SA lifetime=86400
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: proposal id = 0:
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: protocol id = ISAKMP:
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: trans_id = KEY_IKE.
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: encapsulation = IKE/none
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=OAKLEY_HASH_ALG, val=SHA2_256.
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=AUTH_METHOD, val=PRESHARED_KEY.
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=OAKLEY_GROUP, val=MODP1536.
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: ISAKMP SA lifetime=86400
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: proposal id = 0:
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: protocol id = ISAKMP:
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: trans_id = KEY_IKE.
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: encapsulation = IKE/none
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=OAKLEY_HASH_ALG, val=SHA.
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=AUTH_METHOD, val=PRESHARED_KEY.
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=OAKLEY_GROUP, val=MODP2048.
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: ISAKMP SA lifetime=86400
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: proposal id = 0:
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: protocol id = ISAKMP:
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: trans_id = KEY_IKE.
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: encapsulation = IKE/none
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=OAKLEY_HASH_ALG, val=SHA.
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=AUTH_METHOD, val=PRESHARED_KEY.
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=OAKLEY_GROUP, val=MODP1536.
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: ISAKMP SA lifetime=86400
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: proposal id = 0:
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: protocol id = ISAKMP:
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: trans_id = KEY_IKE.
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: encapsulation = IKE/none
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=OAKLEY_HASH_ALG, val=SHA.
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=AUTH_METHOD, val=PRESHARED_KEY.
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=OAKLEY_GROUP, val=MODP2048.
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: ISAKMP SA lifetime=86400
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: proposal id = 0:
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: protocol id = ISAKMP:
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: trans_id = KEY_IKE.
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: encapsulation = IKE/none
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=OAKLEY_HASH_ALG, val=SHA.
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=AUTH_METHOD, val=PRESHARED_KEY.
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=OAKLEY_GROUP, val=MODP1536.
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: ISAKMP SA lifetime=86400
> ike 0:fc70f37fa6c9ee8d/0000000000000000:383: negotiation failure
> ike Negotiate ISAKMP SA Error: ike 0:fc70f37fa6c9ee8d/0000000000000000:383: no SA proposal chosen
> ike 0:to VpnTunnelName:378: negotiation timeout, deleting
> ike 0:to VpnTunnelName: connection expiring due to phase1 down
> ike 0:to VpnTunnelName: deleting
> ike 0:to VpnTunnelName: deleted
> ike 0:to VpnTunnelName: schedule auto-negotiate
> ike 0:to VpnTunnelName: auto-negotiate connection
> ike 0:to VpnTunnelName: created connection: 0x424aff8 4 192.168.1.2->95.x.x.x:500.
> ike 0:to VpnTunnelName:384: initiator: main mode is sending 1st message...
> ike 0:to VpnTunnelName:384: cookie c10b9be64dc0d904/0000000000000000
> ike 0:to VpnTunnelName:384: out C10B9BE64DC0D90400000000000000000110020000000000000001240D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E010080030001800200048004000F0D0000144A131C81070358455C5728F20E95452F0D0000147D9419A65310CA6F2C179D9215529D560D000014CD60464335DF21F87CFDB2FC68B6A4480D00001490CB80913EBB696E086381B5EC427B1F0D00001416F6CA16E4A4066D83821A0F0AEAA8620D0000144485152D18B6BBCD0BE8A8469579DDCC0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
> ike 0:to VpnTunnelName:384: sent IKE msg (ident_i1send): 192.168.1.2:500->95.x.x.x:500, len=292, id=c10b9be64dc0d904/0000000000000000
> ike 0: comes 95.x.x.x:500->192.168.1.2:500,ifindex=4....
> ike 0: IKEv1 exchange=Identity Protection id=c10b9be64dc0d904/589d6282b4f462c9 len=164
> ike 0: in C10B9BE64DC0D904589D6282B4F462C90110020000000000000000A40D00003C00000001000000010000003001010001000000280101000080010007800E0100800200048004000F80030001800B0001000C0004000151800D00000C09002689DFD6B7120D000014AFCAD71368A1F1C96B8696FC775701000D0000184048B7D56EBCE88525E7DE7F00D6C2D380000000000000144A131C81070358455C5728F20E95452F
> ike 0:to VpnTunnelName:384: initiator: main mode get 1st response...
> ike 0:to VpnTunnelName:384: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712
> ike 0:to VpnTunnelName:384: VID DPD AFCAD71368A1F1C96B8696FC77570100
> ike 0:to VpnTunnelName:384: DPD negotiated
> ike 0:to VpnTunnelName:384: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D380000000
> ike 0:to VpnTunnelName:384: VID RFC 3947 4A131C81070358455C5728F20E95452F
> ike 0:to VpnTunnelName:384: selected NAT-T version: RFC 3947
> ike 0:to VpnTunnelName:384: negotiation result
> ike 0:to VpnTunnelName:384: proposal id = 1:
> ike 0:to VpnTunnelName:384: protocol id = ISAKMP:
> ike 0:to VpnTunnelName:384: trans_id = KEY_IKE.
> ike 0:to VpnTunnelName:384: encapsulation = IKE/none
> ike 0:to VpnTunnelName:384: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
> ike 0:to VpnTunnelName:384: type=OAKLEY_HASH_ALG, val=SHA2_256.
> ike 0:to VpnTunnelName:384: type=AUTH_METHOD, val=PRESHARED_KEY.
> ike 0:to VpnTunnelName:384: type=OAKLEY_GROUP, val=MODP3072.
> ike 0:to VpnTunnelName:384: ISAKMP SA lifetime=86400
> ike 0:to VpnTunnelName:384: out C10B9BE64DC0D904589D6282B4F462C90410020000000000000001FC0A000184FD41F812E5C6DE946C198E07D71ED83CA1AB034F7AC7EA9C9DB184B2B0D2C35C8C2BEB7E6B298B87A5736D8344DDA782E3D813DE08FA8FD8423892B18F10E9DD24C23C81AB9C0BF5A56DEE1D0577CB4B0161A7CB88832FB484C4433B3FB20386EEFABCFCF0B862C61EA21EB6783EAE9A2C11156BC929113D2A5A9FB9D4DF7D8B09B26EC447FAA35219E95CF5D6436F68379BA3CA42E10C06B9924EF3CAF6EEACB95EFC2781FBBD4AC29C4C11426BCB28AFCF87D0B448A2B265322612526B56AED5192548CD958565FB5DC7036E6A953B7A99BDC5DB3DEE1A1E4008EA20E44BAF8C2BDB4DEC62DFADF29B1587A1C42429711694EA0F6E702DB541C08D3E40A1A7D089EF57A1CCBD6AC286D79927306533A2DB587990C0FCE20010A12A826218CEDA95EEBE08AB4623479C0A699284D4EF602EB8855B88040F117E10AB3F18A065759DBF31C359622F2A52500988D7F9FE1D3569CC49070387B05A289B3DA8443F7DAFFF248064B2687503E81E4DDA38478659A53DD15D35EA326B4F90AC7821DC14000014659CD5B151F1779BA7C8D21003510EB6140000247CA2BC74DD9D1E4D89993957656B637ECB524C9E69117E86ED55949C6C3DB0260000002488B2BA8589F1C3AE72E9E5EEC659F89AE235D2451581D4A6820F1E1FC73EB8BE
> ike 0:to VpnTunnelName:384: sent IKE msg (ident_i2send): 192.168.1.2:500->95.x.x.x:500, len=508, id=c10b9be64dc0d904/589d6282b4f462c9
> ike 0: comes 95.x.x.x:500->192.168.1.2:500,ifindex=4....
> ike 0: IKEv1 exchange=Identity Protection id=c10b9be64dc0d904/589d6282b4f462c9 len=524
> ike 0: in C10B9BE64DC0D904589D6282B4F462C904100200000000000000020C0A00018494E5DE50E190B4D173E52E36616C64FEF471C0F85ACB206E8A76B32B425E35326F27ACF0C57CA5E6F50951E72E67F0798CEFA5525A40D6B4EBBCD7BD028EDF39A72DAA9B0D0D274A9DF0B21D37D72E03B9E188F08FD3C56E33CC1772AEF96B809CA4372FA9D1B3D0815722035722C85DC7B7CCDB96FF7D713A30327FAF173D8934B9D484D4F009A458A48A943D7B1A49F056E25E398A43832474F776339AB55D9298F0E15F79B14619882B8AD3B86094F04507A06FC651256ABEF72F090E5579EE9D138314A7F8C2184EBB68526149F2F375224B825CD78553E2089F00D60460A36F76EC46FE8B5B17EA07E15AC4FB8F79D3221ABD2FA47F0524AF025DB15A32B67EBC1D07996E62FE0FA1379DC320D54AFF6A0DA4EFE2EEAE112529F3103B8F49A524DBB9C9C4D72194E6B4CC002067F79337B46B365F5C95CD537EE18C4F41A947D641516023D7A705159BC61D109710FA6A5B20C99F87CC9CC0BE736EAA178E0D07B3282D669901298B40CD24C7EBBA64A72989441A9CE1E33DAFC57915A414000024965FEDABF0477240EAEA804FF51B9AE8ED87EF3B4C689DC2A192836D98440226140000241DC24402C80C6E7F1EA2A5EFACD8CD9684DDB75D14C9608C931254AF4D6A8E73000000247CA2BC74DD9D1E4D89993957656B637ECB524C9E69117E86ED55949C6C3DB026
> ike 0:to VpnTunnelName:384: initiator: main mode get 2nd response...
> ike 0:to VpnTunnelName:384: received NAT-D payload type 20
> ike 0:to VpnTunnelName:384: received NAT-D payload type 20
> ike 0:to VpnTunnelName:384: NAT detected: ME
> ike 0:to VpnTunnelName:384: NAT-T float port 4500
> ike 0:to VpnTunnelName:384: ISAKMP SA c10b9be64dc0d904/589d6282b4f462c9 key 32:A14C8EA6DCB45DD9A940941BDB0342AFB8D00E8153BC9EEABB117532FE53E6D0
> ike 0:to VpnTunnelName:384: add INITIAL-CONTACT
> ike 0:to VpnTunnelName:384: enc C10B9BE64DC0D904589D6282B4F462C905100201000000000000006B0800000F020000004C6F63616E64610B0000240E2C5E431EDC18A1A71432A2D63F3A735CF38FF3B15088600EA1C4DFA8DBAE540000001C0000000101106002C10B9BE64DC0D904589D6282B4F462C9
> ike 0:to VpnTunnelName:384: out C10B9BE64DC0D904589D6282B4F462C905100201000000000000006C0A9523A71AA4D181655F68680E687AAE143646431BCF52A9AAE986F371BD20D0165F406F6525CE7BD4E99E87756AE721C2EA71E8B0D76B6DDAA3BAE63545FE806E4DABC6DBF23D09165665B8EBA17F4B
> ike 0:to VpnTunnelName:384: sent IKE msg (ident_i3send): 192.168.1.2:4500->95.x.x.x:4500, len=108, id=c10b9be64dc0d904/589d6282b4f462c9
> ike 0: comes 95.x.x.x:4500->192.168.1.2:4500,ifindex=4....
> ike 0: IKEv1 exchange=Informational id=c10b9be64dc0d904/589d6282b4f462c9:3401b0f7 len=108
> ike 0: in C10B9BE64DC0D904589D6282B4F462C9081005013401B0F70000006CCBD929F01609C09C15FB168C6027327324BD1D6560143B39C69FF01070831099C7520EDB88EBF51AC8CF9AFF5A8649CECE18DADC661F7EB7698D90A5ECEC8DB81EC258089F8E48EEBB2313BE63C33FF5
>
>
> I'm fairly new to strongswan so I might have missed something in the server configuration. Any hint is welcome.
> Thanks
>
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/Fortinet
>
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Networked Solutions
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[INS-HSR]==
More information about the Users
mailing list