New Member

Question

strongSwan on linux as IPSec VPN client

Forum|Forum|6 years ago
October 22, 2019
4 replies
48395 views

Hello.

I'm trying to connect to IPSec VPN on fortigate using strongSwan on linux OS.

My configuration on fortigate:

config vpn ipsec phase1-interface
    edit "MAC"
        set type dynamic
        set interface "wan1"
        set peertype any
        set mode-cfg enable
        set proposal aes256-md5 aes256-sha1
        set dpd on-idle
        set dhgrp 2
        set wizard-type dialup-cisco
        set xauthtype auto
        set authusrgrp "VPN"
        set net-device enable
        set ipv4-start-ip 10.10.0.2
        set ipv4-end-ip 10.10.0.254
        set dns-mode auto
        set psksecret ENC secure_enc_string
        set dpd-retryinterval 5
    next
config vpn ipsec phase2-interface
    edit "MAC"
        set phase1name "MAC"
        set proposal aes256-md5 aes256-sha1
        set pfs disable
        set keepalive enable
        set comments "VPN: MAC (Created by VPN wizard)"
    next
    edit "osx"
        set phase1name "osx"
        set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
        set comments "VPN: osx (Created by VPN wizard)"
    next

My strongSwan config on linux:

/etc/ipsec.conf

config setup
        # strictcrlpolicy=yes
        # uniqueids = no
        charondebug="dmn 2, mgr 2, ike 2, chd 2, job 2, cfg 2, knl 2, net 2, enc2, lib 2"

conn cisco
    fragmentation = yes
    keyexchange = ikev1
    reauth = yes
    forceencaps = no
    mobike = no
    rekey = yes
    installpolicy = yes
    type = tunnel
    dpdaction = restart
    dpddelay = 10s
    dpdtimeout = 60s
    auto = add
    left = 10.10.0.100
    right = IP_OF_REMOTE_VPN_SERVER
    leftid = vpnuser@local
    ikelifetime = 14400s
    lifetime = 3600s
    ike = 3des-sha1-modp1024!
    esp = 3des-sha1-modp1024,3des-sha1-modp1024,3des-sha1-modp1024,3des-sha1-modp1024!
    leftauth = psk
    leftauth2 = xauth
    rightauth = psk
    rightid = vpnuser@VPNSERVER
    aggressive = no
    xauth_identity=vpnuser
    rightsubnet = 10.10.0.0/16
    leftsourceip = %config

/etc/ipsec.secrets

vpnuser : XAUTH "vpnuser_password"
vpnuser@local pgrabowski@VPNSERVER : PSK "psk-preshared-passphrase"

When I try to UP this VPN connection on console I receive:

# ipsec up cisco
initiating Main Mode IKE_SA cisco[1] to IP_OF_REMOTE_VPN_SERVER
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 10.10.0.100[500] to IP_OF_REMOTE_VPN_SERVER[500] (176 bytes)
sending retransmit 1 of request message ID 0, seq 1
sending packet: from 10.10.0.100[500] to IP_OF_REMOTE_VPN_SERVER[500] (176 bytes)
sending retransmit 2 of request message ID 0, seq 1
sending packet: from 10.10.0.100[500] to IP_OF_REMOTE_VPN_SERVER[500] (176 bytes)

In logs I see:

Oct 22 12:18:56 myHOST charon: 04[JOB] watched FD 16 ready to read
Oct 22 12:18:56 myHOST charon: 04[JOB] watcher going to poll() 3 fds
Oct 22 12:18:56 myHOST charon: 03[CFG] received stroke: initiate 'cisco'
Oct 22 12:18:56 myHOST charon: 05[MGR] checkout IKE_SA by config
Oct 22 12:18:56 myHOST charon: 04[JOB] watcher got notification, rebuilding
Oct 22 12:18:56 myHOST charon: 04[JOB] watcher going to poll() 4 fds
Oct 22 12:18:56 myHOST charon: 05[MGR] created IKE_SA (unnamed)[2]
Oct 22 12:18:56 myHOST charon: 05[IKE] queueing ISAKMP_VENDOR task
Oct 22 12:18:56 myHOST charon: 05[IKE] queueing ISAKMP_CERT_PRE task
Oct 22 12:18:56 myHOST charon: 05[IKE] queueing MAIN_MODE task
Oct 22 12:18:56 myHOST charon: 05[IKE] queueing ISAKMP_CERT_POST task
Oct 22 12:18:56 myHOST charon: 05[IKE] queueing ISAKMP_NATD task
Oct 22 12:18:56 myHOST charon: 05[IKE] queueing QUICK_MODE task
Oct 22 12:18:56 myHOST charon: 05[IKE] activating new tasks
Oct 22 12:18:56 myHOST charon: 05[IKE]   activating ISAKMP_VENDOR task
Oct 22 12:18:56 myHOST charon: 05[IKE]   activating ISAKMP_CERT_PRE task
Oct 22 12:18:56 myHOST charon: 05[IKE]   activating MAIN_MODE task
Oct 22 12:18:56 myHOST charon: 05[IKE]   activating ISAKMP_CERT_POST task
Oct 22 12:18:56 myHOST charon: 05[IKE]   activating ISAKMP_NATD task
Oct 22 12:18:56 myHOST charon: 05[IKE] sending XAuth vendor ID
Oct 22 12:18:56 myHOST charon: 05[ENC] added payload of type VENDOR_ID_V1 to message
Oct 22 12:18:56 myHOST charon: 05[IKE] sending DPD vendor ID
Oct 22 12:18:56 myHOST charon: 05[ENC] added payload of type VENDOR_ID_V1 to message
Oct 22 12:18:56 myHOST charon: 05[IKE] sending FRAGMENTATION vendor ID
Oct 22 12:18:56 myHOST charon: 05[ENC] added payload of type VENDOR_ID_V1 to message
Oct 22 12:18:56 myHOST charon: 05[IKE] sending NAT-T (RFC 3947) vendor ID
Oct 22 12:18:56 myHOST charon: 05[ENC] added payload of type VENDOR_ID_V1 to message
Oct 22 12:18:56 myHOST charon: 05[IKE] sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Oct 22 12:18:56 myHOST charon: 05[ENC] added payload of type VENDOR_ID_V1 to message
Oct 22 12:18:56 myHOST charon: 05[IKE] initiating Main Mode IKE_SA cisco[2] to IP_OF_REMOTE_VPN_SERVER
Oct 22 12:18:56 myHOST charon: 05[IKE] IKE_SA cisco[2] state change: CREATED => CONNECTING
Oct 22 12:18:56 myHOST charon: 05[CFG] configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 22 12:18:56 myHOST charon: 05[ENC] added payload of type SECURITY_ASSOCIATION_V1 to message
Oct 22 12:18:56 myHOST charon: 05[ENC] order payloads in message
Oct 22 12:18:56 myHOST charon: 05[ENC] added payload of type SECURITY_ASSOCIATION_V1 to message
Oct 22 12:18:56 myHOST charon: 05[ENC] added payload of type VENDOR_ID_V1 to message
Oct 22 12:18:56 myHOST charon: message repeated 4 times: [ 05[ENC] added payload of type VENDOR_ID_V1 to message]
Oct 22 12:18:56 myHOST charon: 05[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Oct 22 12:18:56 myHOST charon: 05[ENC] not encrypting payloads
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type HEADER
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 IKE_SPI
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 IKE_SPI
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 U_INT_4
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 4 U_INT_4
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 5 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 6 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 7 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 8 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 9 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 10 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 11 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 12 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 13 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 14 U_INT_32
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 15 HEADER_LENGTH
Oct 22 12:18:56 myHOST charon: 05[ENC] generating HEADER payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type SECURITY_ASSOCIATION_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 4 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 5 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 6 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 7 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 8 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 9 PAYLOAD_LENGTH
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 10 U_INT_32
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 11 U_INT_32
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 12 (1259)
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type PROPOSAL_SUBSTRUCTURE_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 RESERVED_BYTE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 PAYLOAD_LENGTH
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 4 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 5 SPI_SIZE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 6 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 7 SPI
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 8 (1261)
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type TRANSFORM_SUBSTRUCTURE_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 RESERVED_BYTE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 PAYLOAD_LENGTH
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 4 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 5 RESERVED_BYTE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 6 RESERVED_BYTE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 7 (1263)
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 ATTRIBUTE_FORMAT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 ATTRIBUTE_TYPE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 ATTRIBUTE_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 ATTRIBUTE_FORMAT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 ATTRIBUTE_TYPE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 ATTRIBUTE_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 ATTRIBUTE_FORMAT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 ATTRIBUTE_TYPE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 ATTRIBUTE_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 ATTRIBUTE_FORMAT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 ATTRIBUTE_TYPE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 ATTRIBUTE_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 ATTRIBUTE_FORMAT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 ATTRIBUTE_TYPE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 ATTRIBUTE_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type TRANSFORM_ATTRIBUTE_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 ATTRIBUTE_FORMAT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 ATTRIBUTE_TYPE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 ATTRIBUTE_VALUE
Oct 22 12:18:56 myHOST charon: 05[ENC] generating TRANSFORM_ATTRIBUTE_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating TRANSFORM_SUBSTRUCTURE_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating PROPOSAL_SUBSTRUCTURE_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating SECURITY_ASSOCIATION_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type VENDOR_ID_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 4 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 5 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 6 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 7 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 8 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 9 PAYLOAD_LENGTH
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 10 CHUNK_DATA
Oct 22 12:18:56 myHOST charon: 05[ENC] generating VENDOR_ID_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type VENDOR_ID_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 4 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 5 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 6 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 7 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 8 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 9 PAYLOAD_LENGTH
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 10 CHUNK_DATA
Oct 22 12:18:56 myHOST charon: 05[ENC] generating VENDOR_ID_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type VENDOR_ID_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 4 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 5 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 6 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 7 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 8 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 9 PAYLOAD_LENGTH
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 10 CHUNK_DATA
Oct 22 12:18:56 myHOST charon: 05[ENC] generating VENDOR_ID_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type VENDOR_ID_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 4 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 5 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 6 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 7 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 8 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 9 PAYLOAD_LENGTH
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 10 CHUNK_DATA
Oct 22 12:18:56 myHOST charon: 05[ENC] generating VENDOR_ID_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[ENC] generating payload of type VENDOR_ID_V1
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 0 U_INT_8
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 1 FLAG
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 2 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 3 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 4 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 5 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 6 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 7 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 8 RESERVED_BIT
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 9 PAYLOAD_LENGTH
Oct 22 12:18:56 myHOST charon: 05[ENC]   generating rule 10 CHUNK_DATA
Oct 22 12:18:56 myHOST charon: 05[ENC] generating VENDOR_ID_V1 payload finished
Oct 22 12:18:56 myHOST charon: 05[NET] sending packet: from 10.10.0.100[500] to IP_OF_REMOTE_VPN_SERVER[500] (176 bytes)
Oct 22 12:18:56 myHOST charon: 05[MGR] checkin IKE_SA cisco[2]
Oct 22 12:18:56 myHOST charon: 01[JOB] next event in 3s 999ms, waiting
Oct 22 12:18:56 myHOST charon: 05[MGR] checkin of IKE_SA successful
Oct 22 12:18:56 myHOST charon: 06[NET] sending packet: from 10.10.0.100[500] to IP_OF_REMOTE_VPN_SERVER[500]
Oct 22 12:19:00 myHOST charon: 01[JOB] got event, queuing job for execution
Oct 22 12:19:00 myHOST charon: 01[JOB] no events, waiting
Oct 22 12:19:00 myHOST charon: 12[MGR] checkout IKEv1 SA with SPIs 323c3aef2f033c01_i 0000000000000000_r
Oct 22 12:19:00 myHOST charon: 12[MGR] IKE_SA cisco[2] successfully checked out
Oct 22 12:19:00 myHOST charon: 12[IKE] sending retransmit 1 of request message ID 0, seq 1
Oct 22 12:19:00 myHOST charon: 12[NET] sending packet: from 10.10.0.100[500] to IP_OF_REMOTE_VPN_SERVER[500] (176 bytes)
Oct 22 12:19:00 myHOST charon: 12[MGR] checkin IKE_SA cisco[2]
Oct 22 12:19:00 myHOST charon: 12[MGR] checkin of IKE_SA successful
Oct 22 12:19:00 myHOST charon: 01[JOB] next event in 7s 199ms, waiting
Oct 22 12:19:00 myHOST charon: 06[NET] sending packet: from 10.10.0.100[500] to IP_OF_REMOTE_VPN_SERVER[500]
Oct 22 12:19:08 myHOST charon: 01[JOB] got event, queuing job for execution
Oct 22 12:19:08 myHOST charon: 01[JOB] no events, waiting
Oct 22 12:19:08 myHOST charon: 13[MGR] checkout IKEv1 SA with SPIs 323c3aef2f033c01_i 0000000000000000_r
Oct 22 12:19:08 myHOST charon: 13[MGR] IKE_SA cisco[2] successfully checked out
Oct 22 12:19:08 myHOST charon: 13[IKE] sending retransmit 2 of request message ID 0, seq 1
Oct 22 12:19:08 myHOST charon: 13[NET] sending packet: from 10.10.0.100[500] to IP_OF_REMOTE_VPN_SERVER[500] (176 bytes)
Oct 22 12:19:08 myHOST charon: 13[MGR] checkin IKE_SA cisco[2]
Oct 22 12:19:08 myHOST charon: 13[MGR] checkin of IKE_SA successful
Oct 22 12:19:08 myHOST charon: 06[NET] sending packet: from 10.10.0.100[500] to IP_OF_REMOTE_VPN_SERVER[500]
Oct 22 12:19:08 myHOST charon: 01[JOB] next event in 12s 959ms, waiting

The question is: What I have wrong in this setup that connection can't be established?

Thanks for your help!

ede_pfau

SuperUser

Apart from this being anything than trivial, methinks you

- use MD5 in phase1 on the FGT and SHA1 on Linux. (Avoid MD5 anyway, it's broken as a standard.)

- do not use PFS in phase2 on FGT but you do in SS

If I had to tackle this, I'd

- avoid mode config (unless SS would only support this)

- use only one single proposal where necessary

- in general, keep the config as simple as possible until the tunnel works

Of course, you will have thought of creating a policy on the FGT, the tunnel won't negotiate without.

IMHO Ken Felix (emnoc) has done this before, for sure. You might have a look at [link]http://socpuppet.blogspot.com/[/link]

emnoc

New Member

Every thing Ede stated ;

So your doing it right by mastering PSK b4 trying RSA. I would do a debug app ike -1 on the fortigate and analyze the debug.

e.g ( based on your cfg )

diag debug reset

diag debug enable

diag vpn ike filter name MAC

diag debug app ike -1

That might give you the trace that you need, but your ciphers donot match in SSwan and FortiOS for starters.

http://socpuppet.blogspot...to-strongswan-cfg.html

http://socpuppet.blogspot...-eap-identity-vpn.html

https://wiki.strongswan.org/projects/strongswan/wiki/IKEv1Examples

http://socpuppet.blogspot.com/2014/05/openswan-to-fortigate-route-based-vpn.html

I'm post a dynamic-strongswan diaup later this week but the above will give you some ideals on what you can do. I'm using the StrongSwan client on Android btw.

but for starters get your ph1/2 proposal straighten out and I would need to see your phase1-id types and you will need to enable aggressive mode or use ikev2.

Here's a EAP dynamic-cfg that goes with one of the earlier blog links

config vpn ipsec phase1-interface

edit "DYNAMIC"

set type dynamic

set interface "wan1"

set ike-version 2

set authmethod signature

set mode-cfg enable

set ipv4-dns-server1 8.8.8.8

set ipv4-dns-server2 8.8.4.4

set ipv6-dns-server1 2001:db8:1::1

set ipv6-dns-server2 2001:db8:1::2

set proposal aes128-sha256 aes128-sha1 aes128-sha384

set localid-type address

set dpd on-idle

set comments "StrongSwan & NCP Users"

set dhgrp 19 15 14

set eap enable

set eap-identity send-request

set authusrgrp "Guest-group"

set idle-timeout enable

set certificate "CERTWITHALTNAME_IP"

set peer "mypeers"

set ipv4-start-ip 10.11.11.88

set ipv4-end-ip 10.11.11.100

set ipv6-start-ip 2001:db8:30::11

set ipv6-end-ip 2001:db8:30::110

set ipv6-prefix 64

set dpd-retrycount 10

set dpd-retryinterval 120

end

config vpn ipsec phase2-interface

edit "DYNAMIC"

set phase1name "DYNAMIC"

set proposal aes128-sha256 aes128-sha1 aes128-sha384 aes256-sha256

set dhgrp 19 15 14

set replay disable

set keepalive enable

set comments "IKEv2"

end

Don't use des or 3des and avoid dhgrp 5 or lower imho

Ken Felix

mariacziAuthor

New Member

Hello.

@ede_pfau, @emnoc - thanks for your's answers. It was very helpful. Now, my strongSwan on linux as a client to Fortigate, connecting with success. I will talk with the fortigate admin to change used crypto alghoritms in fortigate config to more secured.

emnoc

New Member

What did you decide to use ( PSK or RSA ) and was the suggested strongswan link helpful?

Ken Felix

mariacziAuthor

New Member

I keep use PSK after corrected my config file for strongSwan. I'm only read the post from socpuppet.blogspot.com.

mariacziAuthor

New Member

Going to ahead, now i'm able to establish vpn tunnel from linux using strongswan as a client to fortigate (cisco IPsec VPN) but i'm not able to ping any hosts from local network behind this fortigate. What is wrong in my config? The second think - what I should change in my strongswan config file to put all traffic from client machine via VPN tunnel? When I using forticlient on Windows to the same IPsec VPN, everything works - I'm able to ping hosts from local network behind fortigate and all traffic goes via VPN tunnel.

#cat ipsec.conf
conn cisco
    fragmentation = yes
    keyexchange = ikev1
    aggressive = no
    reauth = yes
    forceencaps = no
    mobike = no
    rekey = yes
    installpolicy = yes
    type = tunnel
    #type = passthrough
    dpdaction = restart
    dpddelay = 10s
    dpdtimeout = 60s
    ikelifetime = 14400s
    lifetime = 3600s
    auto = add
    left = %defaultroute
    leftauth = psk
    leftauth2 = xauth
    leftsourceip = %config
    leftid = vpnuser@local
    xauth_identity=vpnuser
    right = IP_OF_REMOTE_VPN_SERVER
    rightid = IP_OF_REMOTE_VPN_SERVER
    # route all trafic via this tunnel
    rightsubnet = 0.0.0.0/0
    rightauth = psk
    ike = aes256-sha256-modp1536,aes256-sha1-modp1536!
    esp = aes256-sha256,aes256-sha1!

# ipsec up cisco
initiating Main Mode IKE_SA cisco[11] to IP_OF_REMOTE_VPN_SERVER
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 172.20.10.2[500] to IP_OF_REMOTE_VPN_SERVER[500] (216 bytes)
received packet: from IP_OF_REMOTE_VPN_SERVER8[500] to 172.20.10.2[500] (200 bytes)
parsed ID_PROT response 0 [ SA V V V V V V ]
received NAT-T (RFC 3947) vendor ID
received DPD vendor ID
received XAuth vendor ID
received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00
received FRAGMENTATION vendor ID
received FRAGMENTATION vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 172.20.10.2[500] to IP_OF_REMOTE_VPN_SERVER8[500] (332 bytes)
received packet: from IP_OF_REMOTE_VPN_SERVER8[500] to 172.20.10.2[500] (316 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 172.20.10.2[4500] to IP_OF_REMOTE_VPN_SERVER8[4500] (124 bytes)
received packet: from IP_OF_REMOTE_VPN_SERVER8[4500] to 172.20.10.2[4500] (92 bytes)
parsed ID_PROT response 0 [ ID HASH ]
received packet: from IP_OF_REMOTE_VPN_SERVER8[4500] to 172.20.10.2[4500] (92 bytes)
parsed TRANSACTION request 766558789 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
generating TRANSACTION response 766558789 [ HASH CPRP(X_USER X_PWD) ]
sending packet: from 172.20.10.2[4500] to IP_OF_REMOTE_VPN_SERVER8[4500] (108 bytes)
received packet: from IP_OF_REMOTE_VPN_SERVER8[4500] to 172.20.10.2[4500] (92 bytes)
parsed TRANSACTION request 1026179008 [ HASH CPS(X_STATUS) ]
XAuth authentication of '' (myself) successful
IKE_SA cisco[11] established between 172.20.10.2[@local]...IP_OF_REMOTE_VPN_SERVER[IP_OF_REMOTE_VPN_SERVER]
scheduling reauthentication in 13685s
maximum IKE_SA lifetime 14225s
generating TRANSACTION response 1026179008 [ HASH CPA(X_STATUS) ]
sending packet: from 172.20.10.2[4500] to IP_OF_REMOTE_VPN_SERVER8[4500] (92 bytes)
generating TRANSACTION request 3583116127 [ HASH CPRQ(ADDR DNS) ]
sending packet: from 172.20.10.2[4500] to IP_OF_REMOTE_VPN_SERVER8[4500] (92 bytes)
received packet: from IP_OF_REMOTE_VPN_SERVER8[4500] to 172.20.10.2[4500] (108 bytes)
parsed TRANSACTION response 3583116127 [ HASH CPRP(ADDR DNS DNS) ]
installing DNS server 193.85.149.243 via resolvconf
installing DNS server 8.8.8.8 via resolvconf
installing new virtual IP 10.10.0.2
generating QUICK_MODE request 893811623 [ HASH SA No ID ID ]
sending packet: from 172.20.10.2[4500] to IP_OF_REMOTE_VPN_SERVER8[4500] (220 bytes)
received packet: from IP_OF_REMOTE_VPN_SERVER8[4500] to 172.20.10.2[4500] (172 bytes)
parsed QUICK_MODE response 893811623 [ HASH SA No ID ID ]
CHILD_SA cisco{13} established with SPIs c877d2c0_i 9fbf289c_o and TS 10.10.0.2/32 === IP_OF_REMOTE_VPN_SERVER8/32
connection 'cisco' established successfully

# ipsec status
Security Associations (1 up, 0 connecting):
       cisco[11]: ESTABLISHED 5 minutes ago, 172.20.10.2[@local]...IP_OF_REMOTE_VPN_SERVER8[IP_OF_REMOTE_VPN_SERVER8]
       cisco{13}:  INSTALLED, TUNNEL, reqid 11, ESP in UDP SPIs: c877d2c0_i 9fbf289c_o
       cisco{13}:   10.10.0.2/32 === IP_OF_REMOTE_VPN_SERVER8/32

# ip ru s
0: from all lookup local
220: from all lookup 220
32766: from all lookup main
32767: from all lookup default

# ip r s
default via 172.20.10.1 dev wlp2s0 proto dhcp metric 600
169.254.0.0/16 dev wlp2s0 scope link metric 1000
172.20.10.0/28 dev wlp2s0 proto kernel scope link src 172.20.10.2 metric 600

# ip r s t 220
IP_OF_REMOTE_VPN_SERVER8 via 172.20.10.1 dev wlp2s0 proto static src 10.10.0.2

# ping 10.10.0.1
PING 10.10.0.1 (10.10.0.1) 56(84) bytes of data.
^C
--- 10.10.0.1 ping statistics ---
52 packets transmitted, 0 received, 100% packet loss, time 52217ms

# ping 10.10.0.100
PING 10.10.0.100 (10.10.0.100) 56(84) bytes of data.
^C
--- 10.10.0.100 ping statistics ---
22 packets transmitted, 0 received, 100% packet loss, time 21480ms

10.10.0.0/16 is the local network behind the fortigate. 10.10.0.1 is the IP of fortigate in this local network.

emnoc

New Member

Do you have a local firewall ? What does any traceroute shows ? Have you ran diag debug on the fortigate ? Can you diag-sniffer the interface that is the tunnel

e.g

diag sniffer packet <tunnel-interface-name-from-phase1-interface> " icmp and host x.x.x.x"

Ken Felix

mariacziAuthor

New Member

No, I haven't firewall on my linux machine. `iptables` are clear, default policy is set to ACCEPT. Traceroute shows that the traffic going out via the default gateway for local lan from which I'm trying to connect to the fortigate VPN concentrator. I use different IPs in this network than have network behind the fortigate. Sorry, but i haven't access to fortigate device.

emnoc

New Member

Your route does not look correct and is missing, what does " ip a " or " ifconfig -a " show for the virtual-interface.

Ken Felix

ealburez

New Member

Hi emnoc,

when I run those command I don't really see a virtual interface (I believe it should be something like tun0, right?).

Any idea what the reason for that could be. Bellow the output:

for

ip a

I get the following:

$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether b8:27:eb:7e:f9:f5 brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 16:7f:36:d1:09:4d brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.10/24 brd 192.168.1.255 scope global dynamic noprefixroute wlan0
       valid_lft 599251sec preferred_lft 523651sec
    inet 10.172.31.230/32 scope global wlan0
       valid_lft forever preferred_lft forever
    inet6 2a01:c23:6001:2d00:3af7:8f3f:a9ed:1cd9/64 scope global dynamic mngtmpaddr noprefixroute 
       valid_lft 201601sec preferred_lft 115201sec
    inet6 fe80::18aa:4502:1a9f:b6c/64 scope link 
       valid_lft forever preferred_lft forever

and for

ifconfig -a

I get:

$ ifconfig -a
eth0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
        ether b8:27:eb:7e:f9:f5 txqueuelen 1000 (Ethernet)
        RX packets 0 bytes 0 (0.0 B)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 0 bytes 0 (0.0 B)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
        inet 127.0.0.1 netmask 255.0.0.0
        inet6 ::1 prefixlen 128 scopeid 0x10<host>
        loop txqueuelen 1000 (Local Loopback)
        RX packets 76 bytes 6036 (5.8 KiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 76 bytes 6036 (5.8 KiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 192.168.1.10 netmask 255.255.255.0 broadcast 192.168.1.255
        inet6 fe80::18aa:4502:1a9f:b6c prefixlen 64 scopeid 0x20<link>
        inet6 2a01:c23:6001:2d00:3af7:8f3f:a9ed:1cd9 prefixlen 64 scopeid 0x0<global>
        ether 16:7f:36:d1:09:4d txqueuelen 1000 (Ethernet)
        RX packets 1978 bytes 214033 (209.0 KiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 1448 bytes 247697 (241.8 KiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Thanks!

emnoc

New Member

Yes that is correct tun0 or ipsec0 something times, but let's go backward

When you connect can you get a diag vpn ike gateway output ?

Also if you tcpdump on the wan interfaces of the FGT or Linux host do you see your client address

e.g

# linux

tcpdump -nnnvvv -i eth0 udp port 500 or 4500

#fortiOS

diag sniffer packet any "host <your public address for linux client>"

I would check that if you see no output from diag vpn ike gateway

Ken Felix

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded