Cybersecurity Forum

This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.

FernPatz
New Contributor II

VPN IPsec with Linux

Hello all,

I'm trying to connect (via VPN/IPSec) one client using Linux (Ubuntu) to my FGT3700.

The connection establishes, but after a few seconds it disconnects.

! Configuration of FGT3700

config vpn ipsec phase1-interface
    edit "procergsm"
        set type dynamic
        set interface "rprvpn1"
        set mode aggressive
        set peertype one
        set mode-cfg enable
        set ipv4-dns-server1 172.27.2.99
        set ipv4-dns-server2 172.27.2.98
        set ipv4-dns-server3 10.252.64.11
        set proposal aes256-md5 aes256-sha1
        set localid "procergsm"
        set localid-type keyid
        set comments "VPN: procergsm (Created by VPN wizard)"
        set dhgrp 2
        set wizard-type dialup-cisco
        set xauthtype auto
        set authusrgrp "GroupRadius"
        set peerid "procergsm"
        set assign-ip-from usrgrp
        set ipv4-split-include "ip-redes-dominio"
        set domain "reders"
        set include-local-lan enable
        set psksecret ENC LCVkCq8ukWgAwbI8IWxc1JelT1LSNTByd1bdRD/cKJNbkiyFAzYW5LMuIGBkHMPIr5I8Ej9pBltN5Q2m0nYE4gBGprXUgLbYUBvBAsFDXb6A3tnUfm0tRVlCf84Bkgu9MfEyW5AhPUfgUD3ot2H6Mxo/S9p2n1KR9vXs7hsF1i6ndNUKtJQatm63DVD8MX9E6jkYbg==
    next
end


config vpn ipsec phase2-interface
    edit "procergsm"
        set phase1name "procergsm"
        set proposal aes256-md5 aes256-sha1
        set pfs disable
        set keepalive enable
        set add-route enable
        set comments "VPN: procergsm (Created by VPN wizard)"
    next
end

------ 

Messages received on the client (syslog).

------

Nov 11 14:18:28 nb-dtc-0012 NetworkManager[744]: Starting VPN service 'vpnc'...
Nov 11 14:18:28 nb-dtc-0012 NetworkManager[744]: VPN service 'vpnc' started (org.freedesktop.NetworkManager.vpnc), PID 5877
Nov 11 14:18:28 nb-dtc-0012 NetworkManager[744]: VPN service 'vpnc' appeared; activating connections
Nov 11 14:18:28 nb-dtc-0012 NetworkManager[744]: VPN plugin state changed: starting (3)
Nov 11 14:18:28 nb-dtc-0012 NetworkManager[744]: VPN connection 'Fortigate' (Connect) reply received.
Nov 11 14:18:28 nb-dtc-0012 NetworkManager[744]:    SCPlugin-Ifupdown: devices added (path: /sys/devices/virtual/net/tun0, iface: tun0)
Nov 11 14:18:28 nb-dtc-0012 NetworkManager[744]:    SCPlugin-Ifupdown: device added (path: /sys/devices/virtual/net/tun0, iface: tun0): no ifupdown configuration found.
Nov 11 14:18:28 nb-dtc-0012 NetworkManager[744]: /sys/devices/virtual/net/tun0: couldn't determine device driver; ignoring...
Nov 11 14:18:30 nb-dtc-0012 NetworkManager[744]: VPN connection 'Fortigate' (IP4 Config Get) reply received from old-style plugin.
Nov 11 14:18:30 nb-dtc-0012 NetworkManager[744]: VPN Gateway: 200.189.128.211
Nov 11 14:18:30 nb-dtc-0012 NetworkManager[744]: Tunnel Device: tun0
Nov 11 14:18:30 nb-dtc-0012 NetworkManager[744]: IPv4 configuration:
Nov 11 14:18:30 nb-dtc-0012 NetworkManager[744]:    Internal Address: 10.124.240.26
Nov 11 14:18:30 nb-dtc-0012 NetworkManager[744]:    Internal Prefix: 32
Nov 11 14:18:30 nb-dtc-0012 NetworkManager[744]:    Internal Point-to-Point Address: 10.124.240.26
Nov 11 14:18:30 nb-dtc-0012 NetworkManager[744]:    Maximum Segment Size (MSS): 0
Nov 11 14:18:30 nb-dtc-0012 NetworkManager[744]:    Static Route: 10.0.0.0/8   Next Hop: 10.0.0.0
Nov 11 14:18:30 nb-dtc-0012 NetworkManager[744]:    Static Route: 172.16.0.0/12   Next Hop: 172.16.0.0
Nov 11 14:18:30 nb-dtc-0012 NetworkManager[744]:    Static Route: 192.168.0.0/16   Next Hop: 192.168.0.0
Nov 11 14:18:30 nb-dtc-0012 NetworkManager[744]:    Static Route: 200.233.0.0/20   Next Hop: 200.233.0.0
Nov 11 14:18:30 nb-dtc-0012 NetworkManager[744]:    Static Route: 200.189.128.0/19   Next Hop: 200.189.128.0
Nov 11 14:18:30 nb-dtc-0012 NetworkManager[744]:    Static Route: 200.198.128.0/19   Next Hop: 200.198.128.0
Nov 11 14:18:30 nb-dtc-0012 NetworkManager[744]:    Static Route: 200.198.160.0/20   Next Hop: 200.198.160.0
Nov 11 14:18:30 nb-dtc-0012 NetworkManager[744]:    Forbid Default Route: yes
Nov 11 14:18:30 nb-dtc-0012 NetworkManager[744]:    Internal DNS: 172.27.2.99
Nov 11 14:18:30 nb-dtc-0012 NetworkManager[744]:    Internal DNS: 172.27.2.98
Nov 11 14:18:30 nb-dtc-0012 NetworkManager[744]:    Internal DNS: 10.252.64.11
Nov 11 14:18:30 nb-dtc-0012 NetworkManager[744]:    DNS Domain: 'reders'
Nov 11 14:18:30 nb-dtc-0012 NetworkManager[744]: No IPv6 configuration
Nov 11 14:18:31 nb-dtc-0012 NetworkManager[744]: (7) failed to find interface name for index
Nov 11 14:18:31 nb-dtc-0012 NetworkManager[744]: [1447258711.697145] [nm-system.c:145] nm_system_device_set_ip4_route(): (unknown): failed to set IPv4 route: No such device
Nov 11 14:18:31 nb-dtc-0012 NetworkManager[744]: (7) failed to find interface name for index
Nov 11 14:18:31 nb-dtc-0012 NetworkManager[744]: [1447258711.697397] [nm-system.c:145] nm_system_device_set_ip4_route(): (unknown): failed to set IPv4 route: No such device
Nov 11 14:18:31 nb-dtc-0012 NetworkManager[744]: (7) failed to find interface name for index
Nov 11 14:18:31 nb-dtc-0012 NetworkManager[744]: [1447258711.697607] [nm-system.c:145] nm_system_device_set_ip4_route(): (unknown): failed to set IPv4 route: No such device
Nov 11 14:18:31 nb-dtc-0012 NetworkManager[744]: (7) failed to find interface name for index
Nov 11 14:18:31 nb-dtc-0012 NetworkManager[744]: [1447258711.697814] [nm-system.c:145] nm_system_device_set_ip4_route(): (unknown): failed to set IPv4 route: No such device
Nov 11 14:18:31 nb-dtc-0012 NetworkManager[744]: (7) failed to find interface name for index
Nov 11 14:18:31 nb-dtc-0012 NetworkManager[744]: [1447258711.698066] [nm-system.c:145] nm_system_device_set_ip4_route(): (unknown): failed to set IPv4 route: No such device
Nov 11 14:18:31 nb-dtc-0012 NetworkManager[744]: (7) failed to find interface name for index
Nov 11 14:18:31 nb-dtc-0012 NetworkManager[744]: [1447258711.698304] [nm-system.c:145] nm_system_device_set_ip4_route(): (unknown): failed to set IPv4 route: No such device
Nov 11 14:18:31 nb-dtc-0012 NetworkManager[744]: (7) failed to find interface name for index
Nov 11 14:18:31 nb-dtc-0012 NetworkManager[744]: [1447258711.698559] [nm-system.c:145] nm_system_device_set_ip4_route(): (unknown): failed to set IPv4 route: No such device
Nov 11 14:18:31 nb-dtc-0012 NetworkManager[744]: VPN connection 'Fortigate' (IP Config Get) complete.
Nov 11 14:18:31 nb-dtc-0012 NetworkManager[744]: Policy set 'VISITANTE' (wlan0) as default for IPv4 routing and DNS.
Nov 11 14:18:31 nb-dtc-0012 NetworkManager[744]: Writing DNS information to /sbin/resolvconf
Nov 11 14:18:31 nb-dtc-0012 dnsmasq[1172]: setting upstream servers from DBus
Nov 11 14:18:31 nb-dtc-0012 dnsmasq[1172]: using nameserver 10.252.64.11#53 for domain 160.198.200.in-addr.arpa
Nov 11 14:18:31 nb-dtc-0012 dnsmasq[1172]: using nameserver 10.252.64.11#53 for domain 128.198.200.in-addr.arpa
Nov 11 14:18:31 nb-dtc-0012 dnsmasq[1172]: using nameserver 10.252.64.11#53 for domain 128.189.200.in-addr.arpa
Nov 11 14:18:31 nb-dtc-0012 dnsmasq[1172]: using nameserver 10.252.64.11#53 for domain 0.233.200.in-addr.arpa
Nov 11 14:18:31 nb-dtc-0012 dnsmasq[1172]: using nameserver 10.252.64.11#53 for domain 0.168.192.in-addr.arpa
Nov 11 14:18:31 nb-dtc-0012 dnsmasq[1172]: using nameserver 10.252.64.11#53 for domain 16.172.in-addr.arpa
Nov 11 14:18:31 nb-dtc-0012 dnsmasq[1172]: using nameserver 10.252.64.11#53 for domain 10.in-addr.arpa
Nov 11 14:18:31 nb-dtc-0012 dnsmasq[1172]: using nameserver 10.252.64.11#53 for domain reders
Nov 11 14:18:31 nb-dtc-0012 dnsmasq[1172]: using nameserver 172.27.2.98#53 for domain 160.198.200.in-addr.arpa
Nov 11 14:18:31 nb-dtc-0012 dnsmasq[1172]: using nameserver 172.27.2.98#53 for domain 128.198.200.in-addr.arpa
Nov 11 14:18:31 nb-dtc-0012 dnsmasq[1172]: using nameserver 172.27.2.98#53 for domain 128.189.200.in-addr.arpa
Nov 11 14:18:31 nb-dtc-0012 dnsmasq[1172]: using nameserver 172.27.2.98#53 for domain 0.233.200.in-addr.arpa
Nov 11 14:18:31 nb-dtc-0012 dnsmasq[1172]: using nameserver 172.27.2.98#53 for domain 0.168.192.in-addr.arpa
Nov 11 14:18:31 nb-dtc-0012 dnsmasq[1172]: using nameserver 172.27.2.98#53 for domain 16.172.in-addr.arpa
Nov 11 14:18:31 nb-dtc-0012 dnsmasq[1172]: using nameserver 172.27.2.98#53 for domain 10.in-addr.arpa
Nov 11 14:18:31 nb-dtc-0012 dnsmasq[1172]: using nameserver 172.27.2.98#53 for domain reders
Nov 11 14:18:31 nb-dtc-0012 dnsmasq[1172]: using nameserver 172.27.2.99#53 for domain 160.198.200.in-addr.arpa
Nov 11 14:18:31 nb-dtc-0012 dnsmasq[1172]: using nameserver 172.27.2.99#53 for domain 128.198.200.in-addr.arpa
Nov 11 14:18:31 nb-dtc-0012 dnsmasq[1172]: using nameserver 172.27.2.99#53 for domain 128.189.200.in-addr.arpa
Nov 11 14:18:31 nb-dtc-0012 dnsmasq[1172]: using nameserver 172.27.2.99#53 for domain 0.233.200.in-addr.arpa
Nov 11 14:18:31 nb-dtc-0012 dnsmasq[1172]: using nameserver 172.27.2.99#53 for domain 0.168.192.in-addr.arpa
Nov 11 14:18:31 nb-dtc-0012 dnsmasq[1172]: using nameserver 172.27.2.99#53 for domain 16.172.in-addr.arpa
Nov 11 14:18:31 nb-dtc-0012 dnsmasq[1172]: using nameserver 172.27.2.99#53 for domain 10.in-addr.arpa
Nov 11 14:18:31 nb-dtc-0012 dnsmasq[1172]: using nameserver 172.27.2.99#53 for domain reders
Nov 11 14:18:31 nb-dtc-0012 dnsmasq[1172]: using nameserver 192.168.8.1#53
Nov 11 14:18:31 nb-dtc-0012 dbus[598]: [system] Activating service name='org.freedesktop.nm_dispatcher' (using servicehelper)
Nov 11 14:18:31 nb-dtc-0012 NetworkManager[744]: VPN plugin state changed: started (4)
Nov 11 14:18:31 nb-dtc-0012 NetworkManager[744]:    SCPlugin-Ifupdown: devices removed (path: /sys/devices/virtual/net/tun0, iface: tun0)
Nov 11 14:18:31 nb-dtc-0012 NetworkManager[744]: VPN plugin state changed: stopped (6)
Nov 11 14:18:31 nb-dtc-0012 NetworkManager[744]: VPN plugin state change reason: 0
Nov 11 14:18:31 nb-dtc-0012 dbus[598]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Nov 11 14:18:31 nb-dtc-0012 ntpdate[5990]: no servers can be used, exiting
Nov 11 14:18:32 nb-dtc-0012 NetworkManager[744]: Policy set 'VISITANTE' (wlan0) as default for IPv4 routing and DNS.
Nov 11 14:18:32 nb-dtc-0012 NetworkManager[744]: Writing DNS information to /sbin/resolvconf
Nov 11 14:18:32 nb-dtc-0012 dnsmasq[1172]: setting upstream servers from DBus
Nov 11 14:18:32 nb-dtc-0012 dnsmasq[1172]: using nameserver 192.168.8.1#53
Nov 11 14:18:32 nb-dtc-0012 NetworkManager[744]: error disconnecting VPN: Could not process the request because no VPN connection was active.
Nov 11 14:18:32 nb-dtc-0012 NetworkManager[744]: (7) failed to find interface name for index
Nov 11 14:18:32 nb-dtc-0012 NetworkManager[744]: nm_system_iface_flush_routes: assertion 'iface != NULL' failed
Nov 11 14:18:32 nb-dtc-0012 NetworkManager[744]: (7) failed to find interface name for index

-------------

Messages received on FGT3700 syslog

-------------

Nov 11 14:25:21 200.189.128.211 date=2015-11-11 time=14:25:32 devname=FG-primary devid=FGT37D4614800509 logid=0101037127 type=event subtype=vpn level=notice vd="st02" logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action=negotiate remip=172.28.200.200 locip=200.189.128.211 remport=500 locport=500 outintf="rprvpn1" cookies="38c24e064563c7bf/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="PGEBRASILIA" status=success init=local mode=main dir=outbound stage=1 role=initiator result=OK
Nov 11 14:25:23 200.189.128.211 date=2015-11-11 time=14:25:34 devname=FG-primary devid=FGT37D4614800509 logid=0101037127 type=event subtype=vpn level=notice vd="st02" logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action=negotiate remip=200.189.128.118 locip=200.189.128.211 remport=34698 locport=500 outintf="rprvpn1" cookies="3d2a8ffe1f71ffea/bfcfe7393c2d61f0" user="procergsm" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="procergsm" status=success init=remote mode=aggressive dir=outbound stage=1 role=responder result=OK

Nov 11 14:25:23 200.189.128.211 date=2015-11-11 time=14:25:34 devname=FG-primary devid=FGT37D4614800509 logid=0101037127 type=event subtype=vpn level=notice vd="st02" logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action=negotiate remip=200.189.128.118 locip=200.189.128.211 remport=34698 locport=4500 outintf="rprvpn1" cookies="3d2a8ffe1f71ffea/bfcfe7393c2d61f0" user="procergsm" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="procergsm" status=success init=remote mode=aggressive dir=inbound stage=2 role=responder result=DONE
Nov 11 14:25:23 200.189.128.211 date=2015-11-11 time=14:25:34 devname=FG-primary devid=FGT37D4614800509 logid=0101037127 type=event subtype=vpn level=notice vd="st02" logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action=negotiate remip=200.189.128.118 locip=200.189.128.211 remport=34698 locport=4500 outintf="rprvpn1" cookies="3d2a8ffe1f71ffea/bfcfe7393c2d61f0" user="procergsm" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="procergsm" status=success init=local mode=aggressive dir=inbound stage=2 role=initiator result=DONE
Nov 11 14:25:23 200.189.128.211 date=2015-11-11 time=14:25:34 devname=FG-primary devid=FGT37D4614800509 logid=0101037127 type=event subtype=vpn level=notice vd="st02" logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action=negotiate remip=200.189.128.118 locip=200.189.128.211 remport=3594 locport=4500 outintf="rprvpn1" cookies="3d2a8ffe1f71ffea/bfcfe7393c2d61f0" user="procergsm" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="procergsm" status=success init=local mode=xauth dir=outbound stage=1 role=initiator result=OK
Nov 11 14:25:25 200.189.128.211 date=2015-11-11 time=14:25:36 devname=FG-primary devid=FGT37D4614800509 logid=0101037120 type=event subtype=vpn level=notice vd="st02" logdesc="Negotiate IPsec phase 1" msg="negotiate IPsec phase 1" action=negotiate remip=200.189.128.118 locip=200.189.128.211 remport=3594 locport=4500 outintf="rprvpn1" cookies="3d2a8ffe1f71ffea/bfcfe7393c2d61f0" user="procergsm" group="N/A" xauthuser="ti000713" xauthgroup="GroupRadius" assignip=N/A vpntunnel="procergsm" status=success result="XAUTH authentication successful"
Nov 11 14:25:25 200.189.128.211 date=2015-11-11 time=14:25:36 devname=FG-primary devid=FGT37D4614800509 logid=0101037127 type=event subtype=vpn level=notice vd="st02" logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action=negotiate remip=200.189.128.118 locip=200.189.128.211 remport=3594 locport=4500 outintf="rprvpn1" cookies="3d2a8ffe1f71ffea/bfcfe7393c2d61f0" user="procergsm" group="N/A" xauthuser="ti000713" xauthgroup="GroupRadius" assignip=N/A vpntunnel="procergsm" status=success init=local mode=xauth dir=outbound stage=2 role=initiator result=OK
Nov 11 14:25:25 200.189.128.211 date=2015-11-11 time=14:25:36 devname=FG-primary devid=FGT37D4614800509 logid=0101037127 type=event subtype=vpn level=notice vd="st02" logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action=negotiate remip=200.189.128.118 locip=200.189.128.211 remport=3594 locport=4500 outintf="rprvpn1" cookies="3d2a8ffe1f71ffea/bfcfe7393c2d61f0" user="procergsm" group="N/A" xauthuser="ti000713" xauthgroup="GroupRadius" assignip=N/A vpntunnel="procergsm" status=success init=local mode=xauth dir=inbound stage=2 role=initiator result=DONE
Nov 11 14:25:25 200.189.128.211 date=2015-11-11 time=14:25:36 devname=FG-primary devid=FGT37D4614800509 logid=0101037133 type=event subtype=vpn level=notice vd="st02" logdesc="IPsec SA installed" msg="install IPsec SA" action=install_sa remip=200.189.128.118 locip=200.189.128.211 remport=3594 locport=4500 outintf="rprvpn1" cookies="3d2a8ffe1f71ffea/bfcfe7393c2d61f0" user="procergsm" group="N/A" xauthuser="ti000713" xauthgroup="GroupRadius" assignip=10.124.240.26 vpntunnel="procergsm" role=responder in_spi="f66a339d" out_spi="4a1a1b32"
Nov 11 14:25:25 200.189.128.211 date=2015-11-11 time=14:25:36 devname=FG-primary devid=FGT37D4614800509 logid=0101037139 type=event subtype=vpn level=notice vd="st02" logdesc="IPsec phase 2 status changed" msg="IPsec phase 2 status change" action=phase2-up remip=200.189.128.118 locip=200.189.128.211 remport=3594 locport=4500 outintf="rprvpn1" cookies="3d2a8ffe1f71ffea/bfcfe7393c2d61f0" user="procergsm" group="N/A" xauthuser="ti000713" xauthgroup="GroupRadius" assignip=10.124.240.26 vpntunnel="procergsm_0" phase2_name=procergsm
Nov 11 14:25:25 200.189.128.211 date=2015-11-11 time=14:25:36 devname=FG-primary devid=FGT37D4614800509 logid=0101037138 type=event subtype=vpn level=notice vd="st02" logdesc="IPsec connection status changed" msg="IPsec connection status change" action=tunnel-up remip=200.189.128.118 locip=200.189.128.211 remport=3594 locport=4500 outintf="rprvpn1" cookies="3d2a8ffe1f71ffea/bfcfe7393c2d61f0" user="procergsm" group="N/A" xauthuser="ti000713" xauthgroup="GroupRadius" assignip=10.124.240.26 vpntunnel="procergsm_0" tunnelip=10.124.240.26 tunnelid=1817532353 tunneltype="ipsec" duration=0 sentbyte=0 rcvdbyte=0 nextstat=0
Nov 11 14:25:25 200.189.128.211 date=2015-11-11 time=14:25:36 devname=FG-primary devid=FGT37D4614800509 logid=0101037129 type=event subtype=vpn level=notice vd="st02" logdesc="Progress IPsec phase 2" msg="progress IPsec phase 2" action=negotiate remip=200.189.128.118 locip=200.189.128.211 remport=3594 locport=4500 outintf="rprvpn1" cookies="3d2a8ffe1f71ffea/bfcfe7393c2d61f0" user="procergsm" group="N/A" xauthuser="ti000713" xauthgroup="GroupRadius" assignip=10.124.240.26 vpntunnel="procergsm" status=success init=remote mode=quick dir=outbound stage=1 role=responder result=OK
Nov 11 14:25:48 200.189.128.211 date=2015-11-11 time=14:25:59 devname=FG-primary devid=FGT37D4614800509 logid=0101037136 type=event subtype=vpn level=error vd="st02" logdesc="IPsec DPD failed" msg="IPsec DPD failure" action=dpd remip=200.189.128.118 locip=200.189.128.211 remport=3594 locport=4500 outintf="rprvpn1" cookies="3d2a8ffe1f71ffea/bfcfe7393c2d61f0" user="procergsm" group="N/A" xauthuser="ti000713" xauthgroup="GroupRadius" assignip=10.124.240.26 vpntunnel="procergsm_0" status=dpd_failure
Nov 11 14:25:48 200.189.128.211 date=2015-11-11 time=14:25:59 devname=FG-primary devid=FGT37D4614800509 logid=0101037139 type=event subtype=vpn level=notice vd="st02" logdesc="IPsec phase 2 status changed" msg="IPsec phase 2 status change" action=phase2-down remip=200.189.128.118 locip=200.189.128.211 remport=3594 locport=4500 outintf="rprvpn1" cookies="3d2a8ffe1f71ffea/bfcfe7393c2d61f0" user="procergsm" group="N/A" xauthuser="ti000713" xauthgroup="GroupRadius" assignip=10.124.240.26 vpntunnel="procergsm_0" phase2_name=procergsm
Nov 11 14:25:48 200.189.128.211 date=2015-11-11 time=14:25:59 devname=FG-primary devid=FGT37D4614800509 logid=0101037134 type=event subtype=vpn level=notice vd="st02" logdesc="IPsec phase 1 SA deleted" msg="delete IPsec phase 1 SA" action=delete_phase1_sa remip=200.189.128.118 locip=200.189.128.211 remport=3594 locport=4500 outintf="rprvpn1" cookies="3d2a8ffe1f71ffea/bfcfe7393c2d61f0" user="procergsm" group="N/A" xauthuser="ti000713" xauthgroup="GroupRadius" assignip=10.124.240.26 vpntunnel="procergsm"
Nov 11 14:25:48 200.189.128.211 date=2015-11-11 time=14:25:59 devname=FG-primary devid=FGT37D4614800509 logid=0101037138 type=event subtype=vpn level=notice vd="st02" logdesc="IPsec connection status changed" msg="IPsec connection status change" action=tunnel-down remip=200.189.128.118 locip=200.189.128.211 remport=3594 locport=500 outintf="rprvpn1" cookies="3d2a8ffe1f71ffea/bfcfe7393c2d61f0" user="N/A" group="N/A" xauthuser="ti000713" xauthgroup="GroupRadius" assignip=10.124.240.26 vpntunnel="procergsm_0" tunnelip=10.124.240.26 tunnelid=1817532353 tunneltype="ipsec" duration=22 sentbyte=0 rcvdbyte=0 nextstat=0
Nov 11 14:25:50 200.189.128.211 date=2015-11-11 time=14:26:00 devname=FG-primary devid=FGT37D4614800509 logid=0001000014 type=traffic subtype=local level=notice vd=st02 srcip=200.189.128.118 srcport=20964 srcintf=unknown-0 dstip=200.189.128.211 dstport=500 dstintf=unknown-0 sessionid=1780702957 proto=17 action=accept policyid=0 dstcountry="Brazil" srccountry="Brazil" trandisp=noop service="IKE" app="IPSec" duration=180 sentbyte=1333 rcvdbyte=437 sentpkt=1 rcvdpkt=1
Nov 11 14:25:52 200.189.128.211 date=2015-11-11 time=14:26:02 devname=FG-primary devid=FGT37D4614800509 logid=0001000014 type=traffic subtype=local level=notice vd=st02 srcip=200.189.128.211 srcport=20656 srcintf=unknown-0 dstip=200.198.128.235 dstport=1812 dstintf=unknown-0 sessionid=1780703111 proto=17 action=accept policyid=0 dstcountry="Brazil" srccountry="Brazil" trandisp=noop service="RADIUS" app="RADIUS" duration=182 sentbyte=518 rcvdbyte=192 sentpkt=3 rcvdpkt=3

Can anyone help with this?

mbarbosa
Staff

Fernando,

Have you validated the VPN config using another VPN client other than Linux? Maybe this can help you isolate the problem.

Either way, I have successfully tested a config here using Ubuntu 14.04.3 and vpnc (the default used by the Network Manager GUI); however, I have found several articles mentioning vpnc problems (there's no official patch for it, but the links below give the procedure to download a patched package, or you can patch it yourself).

Here's my config:

config vpn ipsec phase1-interface
edit "devstack"
set type dynamic
set interface "port2"
set mode aggressive
set peertype one
set mode-cfg enable
set proposal aes256-sha1
set dhgrp 2
set xauthtype auto
set authusrgrp "linux"
set peerid "UBUNTU"
set ipv4-start-ip 10.200.250.0
set ipv4-end-ip 10.200.250.255
set dns-mode auto
set ipv4-split-include "devstack_split"
set psksecret Admin123
next
end

config vpn ipsec phase2-interface
edit "devstack"
set phase1name "devstack"
set proposal aes256-sha1
set pfs disable
set keepalive enable
next
end

and here my vpnc config file:

IPSec gateway 100.x.y.z
IPSec ID UBUNTU
IPSec secret Admin123
IKE Authmode psk
Xauth username linuxusr
Xauth password Admin123

Sometimes I've got the client-side error "vpnc: vpnc.c:1194: lifetime_ike_process: Assertion `a->next->type == IKE_ATTRIB_LIFE_DURATION' failed.", but if I just keep trying it will connect just fine even without the above-mentioned patch.

http://www.justdailynotes.com/fortinet/linux/2015/02/14/Fortigate-IPSec-Linux-NetworkManager/

http://rolandtapken.de/blog/2015-06/how-connect-fortigate-ipsec-vpn-using-linux

Just keep in mind that if you connect successfully to your VPN using another client (like FortiClient or IOS VPN Client), then most likely you'll have better luck changing your VPN client software.

--
Michel Barbosa, NSE8

---
Michel Barbosa
NSE8 #3073