Skip to main content
maxxer
maxxer
New Member
March 1, 2021
Question

Unable to establish connection to strongswan server

  • March 1, 2021
  • 1 reply
  • 12170 views

Hi.

I've a strongswan server and a Fortigate 50E device running v6.0.9. 

 

This is the configuration on the fortinet side

 

 

In strongswan I have:

config setup
        charondebug="ike 3, knl 3, cfg 3, net 3, esp 3, dmn 3, mgr 3"
        uniqueids=yes
        strictcrlpolicy=no

 


conn sts-base
    fragmentation=yes
    dpdaction=restart
    ike=aes256-sha256-modp3072
    esp=aes256-sha256
    keyingtries=%forever
    leftsubnet=172.16.12.0/24
    lifetime=86400

conn site-3-legacy-base
    keyexchange=ikev1
    rightid=L***
    also=sts-base
    ike=aes256-sha256-modp3072
    esp=aes256-sha256
    rightsubnet=192.168.4.0/24,192.168.5.0/24
    right=95.x.x.x
    leftauth=psk
    auto=start

 

In debug I have:

 
 
 
FGT-FgtIdentifier # ike 0:to VpnTunnelName:378: out 8AD3789557DB282D9AA1D56EDDD9184605100201000000000000006C6EFC8335B133C6267388C1A0BEB63B6A2CC4E120DE7627C9166D99AFF9EAE094E5368631BB2626D86B31FFED37F29DB6CC4E5D6B2E8B9A6FA79DF8FC03531CB7EB476EC1CE6240D586943E6A675E4695
ike 0:to VpnTunnelName:378: sent IKE msg (P1_RETRANSMIT): 192.168.1.2:4500->95.x.x.x:4500, len=108, id=8ad3789557db282d/9aa1d56eddd91846
ike 0: comes 62.11.245.232:500->192.168.1.2:500,ifindex=4....
ike 0: IKEv1 exchange=Identity Protection id=fc70f37fa6c9ee8d/0000000000000000 len=452
ike 0: in FC70F37FA6C9EE8D00000000000000000110020000000000000001C40D000154000000010000000100000148010100080300002801010000800B0001000C00040001518080010007800E008080030001800200048004000E0300002802010000800B0001000C00040001518080010007800E00808003000180020004800400050300002803010000800B0001000C00040001518080010007800E010080030001800200048004000E0300002804010000800B0001000C00040001518080010007800E01008003000180020004800400050300002805010000800B0001000C00040001518080010007800E008080030001800200028004000E0300002806010000800B0001000C00040001518080010007800E00808003000180020002800400050300002807010000800B0001000C00040001518080010007800E010080030001800200028004000E0000002808010000800B0001000C00040001518080010007800E01008003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: responder: main mode get 1st message...
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: VID FORTIGATE 8299031757A36082C6A621DE00000000
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: incoming proposal:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: proposal id = 0:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:   protocol id = ISAKMP:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:      trans_id = KEY_IKE.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:      encapsulation = IKE/none
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_GROUP, val=MODP2048.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: ISAKMP SA lifetime=86400
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: proposal id = 0:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:   protocol id = ISAKMP:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:      trans_id = KEY_IKE.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:      encapsulation = IKE/none
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_GROUP, val=MODP1536.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: ISAKMP SA lifetime=86400
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: proposal id = 0:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:   protocol id = ISAKMP:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:      trans_id = KEY_IKE.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:      encapsulation = IKE/none
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_GROUP, val=MODP2048.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: ISAKMP SA lifetime=86400
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: proposal id = 0:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:   protocol id = ISAKMP:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:      trans_id = KEY_IKE.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:      encapsulation = IKE/none
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_GROUP, val=MODP1536.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: ISAKMP SA lifetime=86400
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: proposal id = 0:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:   protocol id = ISAKMP:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:      trans_id = KEY_IKE.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:      encapsulation = IKE/none
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_HASH_ALG, val=SHA.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_GROUP, val=MODP2048.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: ISAKMP SA lifetime=86400
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: proposal id = 0:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:   protocol id = ISAKMP:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:      trans_id = KEY_IKE.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:      encapsulation = IKE/none
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_HASH_ALG, val=SHA.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_GROUP, val=MODP1536.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: ISAKMP SA lifetime=86400
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: proposal id = 0:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:   protocol id = ISAKMP:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:      trans_id = KEY_IKE.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:      encapsulation = IKE/none
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_HASH_ALG, val=SHA.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_GROUP, val=MODP2048.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: ISAKMP SA lifetime=86400
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: proposal id = 0:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:   protocol id = ISAKMP:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:      trans_id = KEY_IKE.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:      encapsulation = IKE/none
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_HASH_ALG, val=SHA.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383:         type=OAKLEY_GROUP, val=MODP1536.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: ISAKMP SA lifetime=86400
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: negotiation failure
ike Negotiate ISAKMP SA Error: ike 0:fc70f37fa6c9ee8d/0000000000000000:383: no SA proposal chosen
ike 0:to VpnTunnelName:378: negotiation timeout, deleting
ike 0:to VpnTunnelName: connection expiring due to phase1 down
ike 0:to VpnTunnelName: deleting
ike 0:to VpnTunnelName: deleted
ike 0:to VpnTunnelName: schedule auto-negotiate
ike 0:to VpnTunnelName: auto-negotiate connection
ike 0:to VpnTunnelName: created connection: 0x424aff8 4 192.168.1.2->95.x.x.x:500.
ike 0:to VpnTunnelName:384: initiator: main mode is sending 1st message...
ike 0:to VpnTunnelName:384: cookie c10b9be64dc0d904/0000000000000000
ike 0:to VpnTunnelName:384: out C10B9BE64DC0D90400000000000000000110020000000000000001240D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E010080030001800200048004000F0D0000144A131C81070358455C5728F20E95452F0D0000147D9419A65310CA6F2C179D9215529D560D000014CD60464335DF21F87CFDB2FC68B6A4480D00001490CB80913EBB696E086381B5EC427B1F0D00001416F6CA16E4A4066D83821A0F0AEAA8620D0000144485152D18B6BBCD0BE8A8469579DDCC0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:to VpnTunnelName:384: sent IKE msg (ident_i1send): 192.168.1.2:500->95.x.x.x:500, len=292, id=c10b9be64dc0d904/0000000000000000
ike 0: comes 95.x.x.x:500->192.168.1.2:500,ifindex=4....
ike 0: IKEv1 exchange=Identity Protection id=c10b9be64dc0d904/589d6282b4f462c9 len=164
ike 0: in C10B9BE64DC0D904589D6282B4F462C90110020000000000000000A40D00003C00000001000000010000003001010001000000280101000080010007800E0100800200048004000F80030001800B0001000C0004000151800D00000C09002689DFD6B7120D000014AFCAD71368A1F1C96B8696FC775701000D0000184048B7D56EBCE88525E7DE7F00D6C2D380000000000000144A131C81070358455C5728F20E95452F
ike 0:to VpnTunnelName:384: initiator: main mode get 1st response...
ike 0:to VpnTunnelName:384: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712
ike 0:to VpnTunnelName:384: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:to VpnTunnelName:384: DPD negotiated
ike 0:to VpnTunnelName:384: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D380000000
ike 0:to VpnTunnelName:384: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:to VpnTunnelName:384: selected NAT-T version: RFC 3947
ike 0:to VpnTunnelName:384: negotiation result
ike 0:to VpnTunnelName:384: proposal id = 1:
ike 0:to VpnTunnelName:384:   protocol id = ISAKMP:
ike 0:to VpnTunnelName:384:      trans_id = KEY_IKE.
ike 0:to VpnTunnelName:384:      encapsulation = IKE/none
ike 0:to VpnTunnelName:384:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:to VpnTunnelName:384:         type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:to VpnTunnelName:384:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:to VpnTunnelName:384:         type=OAKLEY_GROUP, val=MODP3072.
ike 0:to VpnTunnelName:384: ISAKMP SA lifetime=86400
ike 0:to VpnTunnelName:384: out C10B9BE64DC0D904589D6282B4F462C90410020000000000000001FC0A000184FD41F812E5C6DE946C198E07D71ED83CA1AB034F7AC7EA9C9DB184B2B0D2C35C8C2BEB7E6B298B87A5736D8344DDA782E3D813DE08FA8FD8423892B18F10E9DD24C23C81AB9C0BF5A56DEE1D0577CB4B0161A7CB88832FB484C4433B3FB20386EEFABCFCF0B862C61EA21EB6783EAE9A2C11156BC929113D2A5A9FB9D4DF7D8B09B26EC447FAA35219E95CF5D6436F68379BA3CA42E10C06B9924EF3CAF6EEACB95EFC2781FBBD4AC29C4C11426BCB28AFCF87D0B448A2B265322612526B56AED5192548CD958565FB5DC7036E6A953B7A99BDC5DB3DEE1A1E4008EA20E44BAF8C2BDB4DEC62DFADF29B1587A1C42429711694EA0F6E702DB541C08D3E40A1A7D089EF57A1CCBD6AC286D79927306533A2DB587990C0FCE20010A12A826218CEDA95EEBE08AB4623479C0A699284D4EF602EB8855B88040F117E10AB3F18A065759DBF31C359622F2A52500988D7F9FE1D3569CC49070387B05A289B3DA8443F7DAFFF248064B2687503E81E4DDA38478659A53DD15D35EA326B4F90AC7821DC14000014659CD5B151F1779BA7C8D21003510EB6140000247CA2BC74DD9D1E4D89993957656B637ECB524C9E69117E86ED55949C6C3DB0260000002488B2BA8589F1C3AE72E9E5EEC659F89AE235D2451581D4A6820F1E1FC73EB8BE
ike 0:to VpnTunnelName:384: sent IKE msg (ident_i2send): 192.168.1.2:500->95.x.x.x:500, len=508, id=c10b9be64dc0d904/589d6282b4f462c9
ike 0: comes 95.x.x.x:500->192.168.1.2:500,ifindex=4....
ike 0: IKEv1 exchange=Identity Protection id=c10b9be64dc0d904/589d6282b4f462c9 len=524
ike 0: in C10B9BE64DC0D904589D6282B4F462C904100200000000000000020C0A00018494E5DE50E190B4D173E52E36616C64FEF471C0F85ACB206E8A76B32B425E35326F27ACF0C57CA5E6F50951E72E67F0798CEFA5525A40D6B4EBBCD7BD028EDF39A72DAA9B0D0D274A9DF0B21D37D72E03B9E188F08FD3C56E33CC1772AEF96B809CA4372FA9D1B3D0815722035722C85DC7B7CCDB96FF7D713A30327FAF173D8934B9D484D4F009A458A48A943D7B1A49F056E25E398A43832474F776339AB55D9298F0E15F79B14619882B8AD3B86094F04507A06FC651256ABEF72F090E5579EE9D138314A7F8C2184EBB68526149F2F375224B825CD78553E2089F00D60460A36F76EC46FE8B5B17EA07E15AC4FB8F79D3221ABD2FA47F0524AF025DB15A32B67EBC1D07996E62FE0FA1379DC320D54AFF6A0DA4EFE2EEAE112529F3103B8F49A524DBB9C9C4D72194E6B4CC002067F79337B46B365F5C95CD537EE18C4F41A947D641516023D7A705159BC61D109710FA6A5B20C99F87CC9CC0BE736EAA178E0D07B3282D669901298B40CD24C7EBBA64A72989441A9CE1E33DAFC57915A414000024965FEDABF0477240EAEA804FF51B9AE8ED87EF3B4C689DC2A192836D98440226140000241DC24402C80C6E7F1EA2A5EFACD8CD9684DDB75D14C9608C931254AF4D6A8E73000000247CA2BC74DD9D1E4D89993957656B637ECB524C9E69117E86ED55949C6C3DB026
ike 0:to VpnTunnelName:384: initiator: main mode get 2nd response...
ike 0:to VpnTunnelName:384: received NAT-D payload type 20
ike 0:to VpnTunnelName:384: received NAT-D payload type 20
ike 0:to VpnTunnelName:384: NAT detected: ME
ike 0:to VpnTunnelName:384: NAT-T float port 4500
ike 0:to VpnTunnelName:384: ISAKMP SA c10b9be64dc0d904/589d6282b4f462c9 key 32:A14C8EA6DCB45DD9A940941BDB0342AFB8D00E8153BC9EEABB117532FE53E6D0
ike 0:to VpnTunnelName:384: add INITIAL-CONTACT
ike 0:to VpnTunnelName:384: enc C10B9BE64DC0D904589D6282B4F462C905100201000000000000006B0800000F020000004C6F63616E64610B0000240E2C5E431EDC18A1A71432A2D63F3A735CF38FF3B15088600EA1C4DFA8DBAE540000001C0000000101106002C10B9BE64DC0D904589D6282B4F462C9
ike 0:to VpnTunnelName:384: out C10B9BE64DC0D904589D6282B4F462C905100201000000000000006C0A9523A71AA4D181655F68680E687AAE143646431BCF52A9AAE986F371BD20D0165F406F6525CE7BD4E99E87756AE721C2EA71E8B0D76B6DDAA3BAE63545FE806E4DABC6DBF23D09165665B8EBA17F4B
ike 0:to VpnTunnelName:384: sent IKE msg (ident_i3send): 192.168.1.2:4500->95.x.x.x:4500, len=108, id=c10b9be64dc0d904/589d6282b4f462c9
ike 0: comes 95.x.x.x:4500->192.168.1.2:4500,ifindex=4....
ike 0: IKEv1 exchange=Informational id=c10b9be64dc0d904/589d6282b4f462c9:3401b0f7 len=108
ike 0: in C10B9BE64DC0D904589D6282B4F462C9081005013401B0F70000006CCBD929F01609C09C15FB168C6027327324BD1D6560143B39C69FF01070831099C7520EDB88EBF51AC8CF9AFF5A8649CECE18DADC661F7EB7698D90A5ECEC8DB81EC258089F8E48EEBB2313BE63C33FF5
 
 
 
 
 
 
 
 
I don't get why I get all proposals with id = 0.
Also those combinations are not offered by the server... Why? thanks
1 reply
emnoc
emnoc
New Member
March 1, 2021
Okay my observations;
 
1:I would not use modulus3072. It's rarely supported or even used . DHGRP 14 would be much better supported
 
2: I would not do your "conn"s like what you. I'm even surprised that would work but here's what I would do.
 
# move the common stuff to base
#
conn sts-base
    keyexchange=ikev1
    fragmentation=yes
    dpdaction=restart
    ike=aes256-sha256-modp3072
    esp=aes256-sha256
    keyingtries=%forever
    leftsubnet=172.16.12.0/24
    lifetime=86400
    leftauth=psk
    righid=L****
    auto=start
    right=95.x.x.x
 
# define your phase2 and associate to base 
#
#
conn site-3-1
    also=sts-base
    leftsubnet=172.16.12.0/24
    rightsubnet=192.168.4.0/24
 
conn site-3-2
    also=sts-base
    leftsubnet=172.16.12.0/24
    rightsubnet=192.168.5.0/24
 
make sure if iptables  or firewalld is used to have a policy   in the IN/OUT chain and for IKE
 
Now your gui screen shot is not showing the whole picture so here's a cli format of the match 
fortios cfg
 
 
config vpn ipsec phase1-interface
    edit "sts-base"
        set interface "wan1". # put the correct public facing interfaces here
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 16
        set remote remote-gw "strongswan public-ip"
        set psksecret   "match ipsec.secrets    x.x.x.x  : PSK "
    next
end
config vpn ipsec phase2-interface
    edit "site-3-1"
        set phase1name "sts-base"
        set keylifeseconds 3600
        set keepalive enable
        set src-subnet 192.168.4.0/24
        set dst-subnet 172.16.12.0/24
    next
    edit "site-3-2"
        set phase1name "sts-base"
        set keepalive enable
        set keylifeseconds 3600
        set src-subnet 192.168.5.0/24
        set dst-subnet 172.16.12.0/24
    next
end
 
Make sure to have a route and policy 
 
 
Try that and if you still get errors, change dhgrp16 to dhgrp14 ( mod2048 )  , and see if that cleans up the connection.
 
strongswan
/*  or strongswan status  statusall */
 
 ipsec status
 ipsec statusall
 
fortios
 
 diag vpn ike gateway
 dag vpn tunnel list
 
Also, I would look at Fortios6.2 as an upgrade direction at some future time.
 
Ken Felix
maxxer
maxxerAuthor
New Member
March 2, 2021
Thank you very much for your reply.
 
I picked the configuration from Strongswan examples. Also I found there are these limitations, that's why I did a single ipsec config with both subnets.
 
I will try a fresh config based on your suggestions, will let you know.
Thanks again
 
P.S. yes I am going to update to 6.2 as soon as I can get a timeslot for it
maxxer
maxxerAuthor
New Member
May 4, 2021
I finally was able to have a look at this again... Unfortunately without success.
 
I did some minor changes to your config:
* used rightid and set the corresponding on the firewall
* had to omit set net-device disable because the device I'm currently testing on runs 6.0.2 (not upgraded yet)
* if I got it correctly there's a mismatch between the two dh key groups. Anyway I tried all from 14 to 16 (modp2048 to modp4096)
* for failsafe I added both IP and ID in the secrets file... As I often had messages of secret not found on strongswan
 
Anyway I'm still stuck and unable to figure out what's wrong.
 
Thanks again for your feedback and support.
 
I'm posting all the relevant debug info.
 
# ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-123-generic, x86_64):
  uptime: 42 seconds, since May 04 17:17:19 2021
  malloc: sbrk 2342912, mmap 532480, used 1437152, free 905760
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
  loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke vici updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters
Listening IP addresses:
  STRONGSWAN_IP
  172.32.1.5
Connections:
    sts-base:  %any...FORTINET_PUBLIC_IP  IKEv1, dpddelay=30s
    sts-base:   local:  [STRONGSWAN_IP] uses pre-shared key authentication
    sts-base:   remote: [FORTINET_PUBLIC_IP] uses pre-shared key authentication
    sts-base:   child:  172.32.1.0/24 === dynamic TUNNEL, dpdaction=restart
    site-3-1:   child:  172.32.1.0/24 === 192.168.8.0/24 TUNNEL, dpdaction=restart
    site-3-2:   child:  172.32.1.0/24 === 192.168.9.0/24 TUNNEL, dpdaction=restart
Security Associations (0 up, 0 connecting):
  none

# cat /etc/ipsec.conf
conn sts-base
    keyexchange=ikev1
    fragmentation=yes
    dpdaction=restart
    ike=aes256-sha256-modp3072
    esp=aes256-sha256
    keyingtries=%forever
    leftsubnet=172.32.1.0/24
    lifetime=86400
    leftauth=psk
    rightauth=psk
    righid=Identifier01
    auto=start
    right=FORTINET_PUBLIC_IP

# define your phase2 and associate to base
conn site-3-1
    also=sts-base
    leftsubnet=172.32.1.0/24
    rightsubnet=192.168.8.0/24

conn site-3-2
    also=sts-base
    leftsubnet=172.32.1.0/24
    rightsubnet=192.168.9.0/24

# cat /etc/ipsec.secrets
FORTINET_PUBLIC_IP : PSK 'abc#qk!'
Identifier01 : PSK 'abc#qk!'


# syslog
May  4 17:17:20 vpn01 systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
May  4 17:17:20 vpn01 charon: 10[NET] received packet: from FORTINET_PUBLIC_IP[500] to STRONGSWAN_IP[500] (292 bytes)
May  4 17:17:20 vpn01 charon: 10[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V ]
May  4 17:17:20 vpn01 charon: 10[IKE] received NAT-T (RFC 3947) vendor ID
May  4 17:17:20 vpn01 charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
May  4 17:17:20 vpn01 charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
May  4 17:17:20 vpn01 charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
May  4 17:17:20 vpn01 charon: 10[ENC] received unknown vendor ID: 16:f6:ca:16:e4:a4:06:6d:83:82:1a:0f:0a:ea:a8:62
May  4 17:17:20 vpn01 charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
May  4 17:17:20 vpn01 charon: 10[IKE] received DPD vendor ID
May  4 17:17:20 vpn01 charon: 10[IKE] received FRAGMENTATION vendor ID
May  4 17:17:20 vpn01 charon: 10[IKE] received FRAGMENTATION vendor ID
May  4 17:17:20 vpn01 charon: 10[ENC] received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00
May  4 17:17:20 vpn01 charon: 10[IKE] FORTINET_PUBLIC_IP is initiating a Main Mode IKE_SA
May  4 17:17:20 vpn01 charon: 10[ENC] generating ID_PROT response 0 [ SA V V V V ]
May  4 17:17:20 vpn01 charon: 10[NET] sending packet: from STRONGSWAN_IP[500] to FORTINET_PUBLIC_IP[500] (164 bytes)
May  4 17:17:20 vpn01 charon: 09[NET] received packet: from FORTINET_PUBLIC_IP[500] to STRONGSWAN_IP[500] (508 bytes)
May  4 17:17:20 vpn01 charon: 09[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
May  4 17:17:20 vpn01 charon: 09[IKE] remote host is behind NAT
May  4 17:17:20 vpn01 charon: 09[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
May  4 17:17:20 vpn01 charon: 09[NET] sending packet: from STRONGSWAN_IP[500] to FORTINET_PUBLIC_IP[500] (524 bytes)
May  4 17:17:20 vpn01 charon: 12[NET] received packet: from FORTINET_PUBLIC_IP[4500] to STRONGSWAN_IP[4500] (108 bytes)
May  4 17:17:20 vpn01 charon: 12[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
May  4 17:17:20 vpn01 charon: 12[CFG] looking for pre-shared key peer configs matching STRONGSWAN_IP...FORTINET_PUBLIC_IP[Identifier01]
May  4 17:17:20 vpn01 charon: 12[IKE] no peer config found
May  4 17:17:20 vpn01 charon: 12[ENC] generating INFORMATIONAL_V1 request 3067967679 [ HASH N(AUTH_FAILED) ]
May  4 17:17:20 vpn01 charon: 12[NET] sending packet: from STRONGSWAN_IP[4500] to FORTINET_PUBLIC_IP[4500] (108 bytes)


# config
config vpn ipsec phase1-interface
    edit "sts-base"
        set interface "wan1"
        set peertype any
        set proposal aes256-sha256
        set localid "Identifier01"
        set dhgrp 15
        set remote-gw STRONGSWAN_IP
        set psksecret ENC X+abc==
    next
end
config vpn ipsec phase2-interface
    edit "site-3-1"
        set phase1name "sts-base"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set keepalive enable
        set keylifeseconds 3600
        set src-subnet 192.168.8.0 255.255.255.0
        set dst-subnet 172.32.1.0 255.255.255.0
    next
    edit "site-3-2"
        set phase1name "sts-base"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set keepalive enable
        set keylifeseconds 3600
        set src-subnet 192.168.9.0 255.255.255.0
        set dst-subnet 172.32.1.0 255.255.255.0
    next
end

# get vpn ipsec tunnel summary
'sts-base' STRONGSWAN_IP:0  selectors(total,up): 2/0  rx(pkt,err): 0/0  tx(pkt,err): 0/1


# Fortinet debug

FGT-Identifier01 # ike 0: comes STRONGSWAN_IP:500->192.168.1.2:500,ifindex=4....
ike 0: IKEv1 exchange=Identity Protection id=2761fa9214821b47/0000000000000000 len=240
ike 0: in 2761FA9214821B4700000000000000000110020000000000000000F00D00007400000001000000010000006800010003030000240101000080010007800E0100800200048004000F80030001800B0001800C2A30030000240201000080010007800E0080800200048004001380030001800B0001800C2A3000000018030100008004001380030001800B0001800C2A300D00000C09002689DFD6B7120D000014AFCAD71368A1F1C96B8696FC775701000D0000184048B7D56EBCE88525E7DE7F00D6C2D3800000000D0000144A131C81070358455C5728F20E95452F0000001490CB80913EBB696E086381B5EC427B1F
ike 0:2761fa9214821b47/0000000000000000:2778: responder: main mode get 1st message...
ike 0:2761fa9214821b47/0000000000000000:2778: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712
ike 0:2761fa9214821b47/0000000000000000:2778: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:2761fa9214821b47/0000000000000000:2778: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D380000000
ike 0:2761fa9214821b47/0000000000000000:2778: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:2761fa9214821b47/0000000000000000:2778: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
ike 0:2761fa9214821b47/0000000000000000:2778: negotiation result
ike 0:2761fa9214821b47/0000000000000000:2778: proposal id = 1:
ike 0:2761fa9214821b47/0000000000000000:2778:   protocol id = ISAKMP:
ike 0:2761fa9214821b47/0000000000000000:2778:      trans_id = KEY_IKE.
ike 0:2761fa9214821b47/0000000000000000:2778:      encapsulation = IKE/none
ike 0:2761fa9214821b47/0000000000000000:2778:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:2761fa9214821b47/0000000000000000:2778:         type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:2761fa9214821b47/0000000000000000:2778:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:2761fa9214821b47/0000000000000000:2778:         type=OAKLEY_GROUP, val=MODP3072.
ike 0:2761fa9214821b47/0000000000000000:2778: ISAKMP SA lifetime=86400
ike 0:2761fa9214821b47/0000000000000000:2778: SA proposal chosen, matched gateway sts-base
ike 0: found sts-base 192.168.1.2 4 -> STRONGSWAN_IP:500
ike 0:sts-base:2778: selected NAT-T version: RFC 3947
ike 0: comes STRONGSWAN_IP:500->192.168.1.2:500,ifindex=4....
ike 0: IKEv1 exchange=Identity Protection id=2761fa9214821b47/afc986d6414ec9a6 len=524
ike 0: in 2761FA9214821B47AFC986D6414EC9A604100200000000000000020C0A0001843D54D76780834DE893553E821E8361BA6BE1E595E353DFAA2DBF4350965D69007FA402C0E89C215179F0893E0B5B0A8ED54FE3C785EC56BC598BF9DFD6536357B2612DAD10027EA897704D7E25F4874CF611C76C439996CA19001F1A4E40A7D013151BD064A4907B2875E77E50A2850A8633E6460AD31B23B83D94368D4DB67FD214C2AF6A7E1CBBB4B663BD662EF01D6F13BCE04674E1A9E231206CE114953D9A2B9A8A08D6214BFE629766884D761032914496BB121FEED5761B8C00DD97482013B4FB339C045FBABF0C2854640625AB94716298245D98157F97C34489D2EAB7A7B6DA32FA3613C04DFCDF4D8B1BF10CAE946DF4E4455972BA2F5232E8BAC7ECFE528BEA7D2EEA3BD383DE25156D2C6ED6195A0AAE8945D79ACC0E695C093E583CF52F743D5A237B57089BF8E5B502CE99140BAE2D0D2065169CBC108A4A96252B66F588BF953ADE308A22E3A4978AD034DB9F2AC370445EAA2F6ED2A29FBF314EF804C3452C75C64DF1E68B407965F278D309BB4E48593888B8EC5F7CCDC1140000248BB8E738AA6817004D681761AF4C75F433BC57EA0FF22FAA283D025C3CEB940D140000243C61D277D269F273784438A2C09D1885B1FA2BDB61B973EA0C546385F44788FF000000244C928931AECAC3D95620C9F351040AD13467D00F6FD1CCFEF8693A92D9B86426
ike 0: comes STRONGSWAN_IP:4500->192.168.1.2:4500,ifindex=4....
ike 0: IKEv1 exchange=Identity Protection id=2761fa9214821b47/afc986d6414ec9a6 len=108
ike 0: in 2761FA9214821B47AFC986D6414EC9A605100201000000000000006C0447B06DBEF21E97290F734027CFD481273710E21D9DB94136BED68A3B9A9DE5F78C82CF2543B94AD13C80C9370B94F184FD2463CAAFBCE575CD68564C8D33F278D203D6C2F1F9028A9C628665751DAA
ike 0:sts-base: carrier up
ike 0: comes STRONGSWAN_IP:4500->192.168.1.2:4500,ifindex=4....
ike 0: IKEv1 exchange=Informational id=2761fa9214821b47/afc986d6414ec9a6:3168e506 len=108
ike 0: in 2761FA9214821B47AFC986D6414EC9A6081005013168E5060000006C53E0BF94246E8A781E8AFFAB109D1E03190B8F91471F39CE2965023CFA102248C36E77963E693866442BEC56550C52A982B1C49DA6DA4BF40020316C8687BD84652B56B101CA1F5FAF06AE36A6096BCD
ike 0:sts-base: carrier down
ike 0: comes STRONGSWAN_IP:500->192.168.1.2:500,ifindex=4....
ike 0: IKEv1 exchange=Identity Protection id=52ee2e43b9d233cc/aa83ea66bf3f46b3 len=164
ike 0: in 52EE2E43B9D233CCAA83EA66BF3F46B30110020000000000000000A40D00003C00000001000000010000003001010001000000280101000080010007800E0100800200048004000F80030001800B0001000C0004000151800D00000C09002689DFD6B7120D000014AFCAD71368A1F1C96B8696FC775701000D0000184048B7D56EBCE88525E7DE7F00D6C2D380000000000000144A131C81070358455C5728F20E95452F
ike 0: comes STRONGSWAN_IP:500->192.168.1.2:500,ifindex=4....
ike 0: IKEv1 exchange=Identity Protection id=52ee2e43b9d233cc/aa83ea66bf3f46b3 len=524
ike 0: in 52EE2E43B9D233CCAA83EA66BF3F46B304100200000000000000020C0A0001842A606D3EC584B8DEED2D2D0AEE5CCCB4C79765065B9D5A785718DDC0F65A8C0202869924CEF9821A5592C121F2BCB041292EE8FB535D7F90C5127FB9083B3ADEA3AA781378804A5CFFEBD9AC291A2F25C222C6F88FA9CF34F2E389F34AD0AD1D05296F11D518B6FFD4515C1BDBFC0B7DDB6368561B1483256C93446E8037156F7DF25DB52C1C2438DEBE1080BFC6036FBC9F14AE909F7B88D0E62821D48AC8989D0B2C2818EE0758D07B68AC73A8343F9CB14B3F94B027CE24E6EA0348DC9B03B5A25CBC891454FE4C86963E44E0CC7EA22E1E06AB138678713BBF7A3BC21B031346F5754E96F032EE2811C20B2E973F5C80E92B3F6C3067DAE94CE1EEBEE84458BEE2DEE662D0C4BFE13D5D87A6BEC9C7601C6BD4460D8690C8849C0E6DE3BAFF50C82CBCE4A39FB4C0EFC010FB7F220C65C7B54FE493E933176C6EDF1D65A37B86E5C8B8385AE4A7EA3242A99420421810D55AD74B4F9975E355F230BFF784F038B11710F7725E3E1C03E8127BF1D891D94A34C83F69F958B23E74FB25BFD814000024C6B35B611576DD0863B652897E8736DD0B2BE054E44B57524B30FD1ABC468B791400002440FCC410B275922E2EA93AE307E68EBC56C9CE92C27DC46B65FF6D4C6DCA141D0000002489A69CD4B2309AA9A5B9DFEA6C94186D2AFB3100B1788173B9CBA965E1BF3142
ike 0: comes STRONGSWAN_IP:4500->192.168.1.2:4500,ifindex=4....
ike 0: IKEv1 exchange=Informational id=52ee2e43b9d233cc/aa83ea66bf3f46b3:b6dd78bf len=108
ike 0: in 52EE2E43B9D233CCAA83EA66BF3F46B308100501B6DD78BF0000006CBFE53268A6CC52F6C88E7CF954624FF512A38B6211012D2DD6E0F88B4F2B8EAA8D1D69B86C45D8DCCE2D474ABBB7DCEBE63C8F66F2D14BAA862B84DD76761BEF708F912A5A4B2EBE73E8B50C2BF4B156
ike shrank heap by 126976 bytes
ike 0: comes STRONGSWAN_IP:500->192.168.1.2:500,ifindex=4....
ike 0: IKEv1 exchange=Identity Protection id=38a5b41bfa29f04e/a41b8884f4e89d6a len=164
ike 0: in 38A5B41BFA29F04EA41B8884F4E89D6A0110020000000000000000A40D00003C00000001000000010000003001010001000000280101000080010007800E0100800200048004000F80030001800B0001000C0004000151800D00000C09002689DFD6B7120D000014AFCAD71368A1F1C96B8696FC775701000D0000184048B7D56EBCE88525E7DE7F00D6C2D380000000000000144A131C81070358455C5728F20E95452F
ike 0: comes STRONGSWAN_IP:500->192.168.1.2:500,ifindex=4....
ike 0: IKEv1 exchange=Identity Protection id=38a5b41bfa29f04e/a41b8884f4e89d6a len=524
ike 0: in 38A5B41BFA29F04EA41B8884F4E89D6A04100200000000000000020C0A000184D698447D928913E530494E0935AE4266268A6A80731D3CE62C41FA9D233C17EB3941A8EFEA435BF4FCDA37E302E93372CACB3770F16C8981866690539806A8B135EEF7C0FAF7A65874CF02E3A8438C7A969188A11EE5086BE0ADEFF3145880F6CA3C7EF1D1912470F31B81DCE483B3A20632089D510BEA4AA955801CFAECD3B28F733B954E51D75309C1B0DCCB95BDF873979A7EA580486B1326646656B61AD2D764857F3834A39EC56823C5F765171CB38B1BBB333C85D25831C50D0A37FC0BB016838ACC83454B6E6B0D0CF42110AD81E94B2D42FB58AC203654768A70AA7CBF5208973DB50A8D0A0A3ECBF2734D43636819AD2692D3538E6AC698E23A416D07C4EF9BB2D9130F92B95938157EA90CDDB609D315BDA61326D37914E8100DC8FE7B248C52A1187C4CC1BB7D47EA47E74AD14B0C007E3BC106FD704AA64F30D29CA16BE6ED952FB6E6E95DB7CDB3C35344CC3D3B9E7EF8583DAFF2CB949B16B915FB6587321151A1A5143C139ECFE0AB7713A805485D4A0153022F78F34D64AB140000247E717AE82180E48827DD375194B620813E1DEC07E33653ABD142180EB229B8EF140000247584901C074A7A306E0D0FFD6F1C02B68AA4A6A8767CED00C43BA3C8DD2BD1F2000000243358CE1CC6ADE045B3D4832B923682F702E30893844A10E32603A77848D2F746
ike 0: comes STRONGSWAN_IP:4500->192.168.1.2:4500,ifindex=4....
ike 0: IKEv1 exchange=Informational id=38a5b41bfa29f04e/a41b8884f4e89d6a:8f8dece2 len=108
ike 0: in 38A5B41BFA29F04EA41B8884F4E89D6A081005018F8DECE20000006CDB395C20A27369C90BCC862D20257E46D57CC77E22B3CBF47D7EECFB8115158989169C001E50B182249500233F4DCEFC929555E0D53150A84F8C192646F84C5EA2D848CE2029B90E4BABCBDF55CBAFDE
ike 0: comes STRONGSWAN_IP:500->192.168.1.2:500,ifindex=4....
ike 0: IKEv1 exchange=Identity Protection id=dd22d4d8e3e615ad/a764fe7b215be79b len=164
ike 0: in DD22D4D8E3E615ADA764FE7B215BE79B0110020000000000000000A40D00003C00000001000000010000003001010001000000280101000080010007800E0100800200048004000F80030001800B0001000C0004000151800D00000C09002689DFD6B7120D000014AFCAD71368A1F1C96B8696FC775701000D0000184048B7D56EBCE88525E7DE7F00D6C2D380000000000000144A131C81070358455C5728F20E95452F
ike 0: comes STRONGSWAN_IP:500->192.168.1.2:500,ifindex=4....
ike 0: IKEv1 exchange=Identity Protection id=dd22d4d8e3e615ad/a764fe7b215be79b len=524
ike 0: in DD22D4D8E3E615ADA764FE7B215BE79B04100200000000000000020C0A000184E928C51D373B739956D2E58A80754D87B63926E167780EEB3A0588A4DE97537321134A022043189663FFA3D54ECAB6F2B04079164C5557A72422F2BFFD0D7F88B075BFE54BC06B722AFA67A1C1216A96A0320B0C03D324E799DE7ED23B455F21D18D3BFAB2033C9533D0E4E599E57F3CD18055EE45422D844590A040A3D27174C1FF742F5C712D525B652B3507FA7C6A94D50C4A90A92005CA9D7990AC76930C0B04CA43104DE074DC5FA8BED124235EF7DFE374E19C74F59C4E6763E1CF43FE8E3930F98BC31895D83C79F9E87A635EB83FBAF8CAD8AE2FD11CC702786A16A3AE9F7A98E5A134C68EDC8AE7ED4212E9D1A3E443EE6B06835457BD658C9FA23926F2579FA1672B093D17C5827CA85A87F7833F0FDA6D0E4B84EA23E08F5BC1816A62D4EC2D871438FE14CEE6138E6B1338282DA280684838772279893EABC14BBA2C890009745077882EDE3D6E5C37B8B96F1E32AA26473151FD569994E67627397F095CC97D2BF6B1F4D26D71CF207C2AABEDF4381DED43A62248339BD2C8E714000024194E6CAE3CF25FF7026DBFB0584CD758302827A9A1B2D2EE4FD735F09CBB49C31400002455EB83D915DCBE62F857EE90BD7E0150B00D21A0109E9C83216190B7809200B3000000241CF888C525D70D445322785726C3513E271BEBD8288C1BB0627F64236F32C601
ike 0: comes STRONGSWAN_IP:4500->192.168.1.2:4500,ifindex=4....
ike 0: IKEv1 exchange=Informational id=dd22d4d8e3e615ad/a764fe7b215be79b:bdacbbe6 len=108
ike 0: in DD22D4D8E3E615ADA764FE7B215BE79B08100501BDACBBE60000006C029416414DB3DB915970AFD1967D1F08C303529FE2587D4057FCE113639024FAD4CCFCD5B9B27EC1FA75215027C757D3E874D90207868B383AD838E8EA8454377C492923D7C2AB517D19A270DA2831FA
ike 0: comes STRONGSWAN_IP:500->192.168.1.2:500,ifindex=4....
ike 0: IKEv1 exchange=Identity Protection id=4c829109074c5d68/7600779e229a9719 len=164
ike 0: in 4C829109074C5D687600779E229A97190110020000000000000000A40D00003C00000001000000010000003001010001000000280101000080010007800E0100800200048004000F80030001800B0001000C0004000151800D00000C09002689DFD6B7120D000014AFCAD71368A1F1C96B8696FC775701000D0000184048B7D56EBCE88525E7DE7F00D6C2D380000000000000144A131C81070358455C5728F20E95452F
ike 0: comes STRONGSWAN_IP:500->192.168.1.2:500,ifindex=4....
ike 0: IKEv1 exchange=Identity Protection id=4c829109074c5d68/7600779e229a9719 len=524
ike 0: in 4C829109074C5D687600779E229A971904100200000000000000020C0A00018400E0065CBBDD60889126B647A229478D85500A9BB315BA24298F45D0C22F0285E18B7A3D70CC627B735A80D7DD8EDC0B586D7FEF79BA9E3C5726DDA3B5F70561A4F9FB2F887E25F6A3A9C8B11C93174B3287479A0F0F66EF14E810E0D059F2DC78F86601F12405E39DC92A445159D102403DF3B73024389B6EE9AFBBDBD85F81C0BB1DABF7F24F9AAA676059093DEA0C08A6B95DC6F05A41B687AF541A50CF085C1002B6BEA682A0475C4509F75FBAD5E317359246D95D0654C8263B657BE30499731BC217234C502289617B8A38F19E785E9780CE516DE151A066FEF43F7B6E1AED6C1A5502AA2D3605EBB2D59977B5B9D5D21EA09B46E8645AE420427B231A6706E03F1D6AC97D7FBA53E1A1AAA4E5BFAC4924481C0B18D85A365AE2AF36313A20D652BA94867720C44BF6797AB537FE6E58A6A01562194A72A7F9DB6D2F04648A1BCE0D94B0535D0AB75BF6FB2076598F747E8827840CCBC6D5CD3A34B7CF49B72CA60FE345B320F0E4CBFEB36786AA2412622A0281E4775AE7D417FD40BF14000024B052A17B6026C487DA5259AB3161B95D274F076FE1B21EB2C4F64667671FD418140000247D02CCF72035BEEA9E42A44B81D29567D18DAFA09C24DF119C799711582B2A5B00000024444F7CA0F2821C191424D786289772F219EBDC5D756692DBCF01A5195FC731BF
ike 0: comes STRONGSWAN_IP:4500->192.168.1.2:4500,ifindex=4....
ike 0: IKEv1 exchange=Informational id=4c829109074c5d68/7600779e229a9719:070f32a5 len=108
ike 0: in 4C829109074C5D687600779E229A971908100501070F32A50000006C69771E04AB6DAB20CB042C65E7175228021CB49892566C9E6C6708D9086873925E1D41362C59785D9C0C26F8691BF19EBEDED75A20547B861E5CC40F1F3D6FE5A0F903C4003BE64985ED64E50AC40CBB
ike 0: comes STRONGSWAN_IP:500->192.168.1.2:500,ifindex=4....
ike 0: IKEv1 exchange=Identity Protection id=98475cd064d39e86/8f8caccf85271506 len=164
ike 0: in 98475CD064D39E868F8CACCF852715060110020000000000000000A40D00003C00000001000000010000003001010001000000280101000080010007800E0100800200048004000F80030001800B0001000C0004000151800D00000C09002689DFD6B7120D000014AFCAD71368A1F1C96B8696FC775701000D0000184048B7D56EBCE88525E7DE7F00D6C2D380000000000000144A131C81070358455C5728F20E95452F
ike 0: comes STRONGSWAN_IP:500->192.168.1.2:500,ifindex=4....
ike 0: IKEv1 exchange=Identity Protection id=98475cd064d39e86/8f8caccf85271506 len=524
ike 0: in 98475CD064D39E868F8CACCF8527150604100200000000000000020C0A0001840B90F73080457F6CC0C1AC47812D6590739364259B4E47687863C6433A7C23EA8AF5554CFEFC8429C432E496B71E163D01C7D53EED1927BEC0C81BA2D85BEF693DED68CF4B7B70EDCBF1C4F11F6DF13BCE0C74BEAA249E4051122C330022215F75BF853EED6213E1D3A896B5FE8AE689E175B596EDF24FE17D15847ED3506F900896DDE70DF3CB69286C902DF4975AA631DF7327153B92DBF5D1DDABFF0F346DD715B1FFD851B1A0ABA42FACE84DCF84D97B6F88750FF7D233D7DAD735FB0FE79FA77AF330AC3C71F3B60B312ED06644C3AD4034244417F3416F8B13B93A64E00FB7F68F975FC427660FA5ED01C56746E58EBBF036FC97137E20FD76B56273696A727C8C7492A6E9B37AFFB608E031BEC8F8BDC7C76BD03BB9ADC6C5B183E3A837C19CD7BD43C4F7F13D674A471A15A9F4C2C3D0EFD3B576CB58C8C599801C44C806393CCA1F64D197C01878AD72C4BF97D02218AE34360002D3EE9793542A96BE47B386E9D8E6DA207AFEFCD6862B716F6BA5F4BF8ED370D39DE503C5D2337614000024E5611363F7DC41FCB846DEDA48C81C6427DE3A277B2F998EE20A769DCFBECD6B14000024913E75C90C4D9455FBED7AC95BCA0BF446849B9FA3D7A9BE5725695C01B877180000002401A6C6496CC769454448B184423B2E9A22BDB67B25EE559A007EE27DE434DCAA
ike 0: comes STRONGSWAN_IP:4500->192.168.1.2:4500,ifindex=4....
ike 0: IKEv1 exchange=Informational id=98475cd064d39e86/8f8caccf85271506:3ea3779e len=108
ike 0: in 98475CD064D39E868F8CACCF85271506081005013EA3779E0000006C0D3ED58B1271FC88583F7BFE5D08D9B16A781DF3F2F15C2F427515291C2B2E474A08F05F3833716C44CDE01FE79E9DB937BCD55863E34481891100A2869F7D072CBA93AC7BB0C2371FF602C6B5D7441E

        
                                                

        

    


            

                                        

            
                        

                                                                                                            
            






        

                    

    
    





    


                                        

                                                        

            
        
    






                                    
Terms & ConditionsAccessibility statement