Fortinet Forum
Yngve0
New Contributor II

SOLVED: Strongswan 2 FG60B

FG60B 4MR3 patch18, behind NAT and with a dynamic public IP. strongSwan 5.1.2 with a public IP + loopback 10.177.177.2. I am not able to get the tunnel up and running and I don't understand why. Config of the Fortigate:

Phase 1:
config vpn ipsec phase1-interface
    edit "DialUp_strongswan"
        set interface "wan1"
        set dhgrp 2
        set proposal aes256-sha1
        set localid "publicfqdn.mydomain.com"
        set remote-gw <public-ip-strongswan>
        set psksecret ****
    next
end
 
Phase 2:

config vpn ipsec phase2-interface
    edit "VPN_StrongSwan"
        set dst-addr-type ip
        set keepalive enable
        set phase1name "DialUp_strongswan"
        set proposal 3des-sha1 3des-md5
        set dhgrp 2
        set dst-start-ip 10.177.177.2
        set src-subnet 192.168.160.0 255.255.252.0
    next
end
 
strongSwan: ipsec.conf

config setup
        charondebug="dmn 1, mgr 1, ike 2, chd 1, job 1, cfg 3, knl 2, net 2, enc 1, lib 1"

# Sample VPN connections

conn Fortigate
        auto=start
        left=<public-ip-strongswan>
        leftsubnet=10.177.177.2/255.255.255.255
        right=%any
        rightsubnet=192.168.160.0/22
        compress=no
        #pfs=yes
        esp=3des-modp1024
        #auth=esp
        authby=secret
        keyingtries=%forever
 
 
 
ipsec.secrets

<public-ip-strongswan> %any : PSK "****"
Yngve0
New Contributor II

Fortigate:
ike 7:DialUp_strongswan:16514: out 33A1A643AE381A9800000000000000000110020000000000000000F40D00003800000001000000010000002C010100010000002401010000800B0001800C708080010007800E01008003000180020002800400020D0000144A131C81070358455C5728F20E95452F0D0000147D9419A65310CA6F2C179D9215529D560D000014CD60464335DF21F87CFDB2FC68B6A4480D00001490CB80913EBB696E086381B5EC427B1F0D00001416F6CA16E4A4066D83821A0F0AEAA8620D0000144485152D18B6BBCD0BE8A8469579DDCC0D000014AFCAD71368A1F1C96B8696FC77570100000000148299031757A36082C6A621DE000402B1
 ike 7:DialUp_strongswan:16514: sent IKE msg (P1_RETRANSMIT): <FG-int-IP>:500-><StrongSwan-ext-IP>:500, len=244, id=33a1a643ae381a98/0000000000000000
 ike 7:DialUp_strongswan:16514: negotiation timeout, deleting
 ike 7:DialUp_strongswan: connection expiring due to phase1 down
 ike 7:DialUp_strongswan: deleting
 ike 7:DialUp_strongswan: flushing 
 ike 7:DialUp_strongswan: flushed 
 ike 7:DialUp_strongswan: deleted
 ike 7:DialUp_strongswan: schedule auto-negotiate
 ike 7:DialUp_strongswan: auto-negotiate connection
 ike 7:DialUp_strongswan: created connection: 0x99a3ec8 45 <FG-int-IP>-><StrongSwan-ext-IP>:500.
 ike 7:DialUp_strongswan:16515: initiator: main mode is sending 1st message...
 ike 7:DialUp_strongswan:16515: cookie 7c6c13c3406dd63b/0000000000000000
 ike 7:DialUp_strongswan:16515: out 7C6C13C3406DD63B00000000000000000110020000000000000000F40D00003800000001000000010000002C010100010000002401010000800B0001800C708080010007800E01008003000180020002800400020D0000144A131C81070358455C5728F20E95452F0D0000147D9419A65310CA6F2C179D9215529D560D000014CD60464335DF21F87CFDB2FC68B6A4480D00001490CB80913EBB696E086381B5EC427B1F0D00001416F6CA16E4A4066D83821A0F0AEAA8620D0000144485152D18B6BBCD0BE8A8469579DDCC0D000014AFCAD71368A1F1C96B8696FC77570100000000148299031757A36082C6A621DE000402B1
 ike 7:DialUp_strongswan:16515: sent IKE msg (ident_i1send): <FG-int-IP>:500-><StrongSwan-ext-IP>:500, len=244, id=7c6c13c3406dd63b/0000000000000000
 ike 7:DialUp_strongswan:16515: out 7C6C13C3406DD63B00000000000000000110020000000000000000F40D00003800000001000000010000002C010100010000002401010000800B0001800C708080010007800E01008003000180020002800400020D0000144A131C81070358455C5728F20E95452F0D0000147D9419A65310CA6F2C179D9215529D560D000014CD60464335DF21F87CFDB2FC68B6A4480D00001490CB80913EBB696E086381B5EC427B1F0D00001416F6CA16E4A4066D83821A0F0AEAA8620D0000144485152D18B6BBCD0BE8A8469579DDCC0D000014AFCAD71368A1F1C96B8696FC77570100000000148299031757A36082C6A621DE000402B1
 ike 7:DialUp_strongswan:16515: sent IKE msg (P1_RETRANSMIT): <FG-int-IP>:500-><StrongSwan-ext-IP>:500, len=244, id=7c6c13c3406dd63b/0000000000000000
 
StrongSwan@Ubuntu:
 IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:3DES_CBC/AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_AES128_XCBC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_CMAC/MODP_1024/MODP_1536/MODP_2048/MODP_3072/MODP_4096/MODP_8192/ECP_256/ECP_384/ECP_521/MODP_1024_160/MODP_2048_224/MODP_2048_256/ECP_192/ECP_224/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP
 Oct  6 20:06:05 Ubuntu charon: 15[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
 Oct  6 20:06:05 Ubuntu charon: 15[IKE] sending XAuth vendor ID
 Oct  6 20:06:05 Ubuntu charon: 15[IKE] sending DPD vendor ID
 Oct  6 20:06:05 Ubuntu charon: 15[IKE] sending NAT-T (RFC 3947) vendor ID
 Oct  6 20:06:05 Ubuntu charon: 15[ENC] generating ID_PROT response 0 [ SA V V V ]
 Oct  6 20:06:05 Ubuntu charon: 15[NET] sending packet: from <StrongSwan-ext-IP>[500] to <FortiGate-ext-IP>[63489] (136 bytes)
 Oct  6 20:06:05 Ubuntu charon: 10[NET] sending packet: from <StrongSwan-ext-IP>[500] to <FortiGate-ext-IP>[63489]
 Oct  6 20:06:11 Ubuntu charon: 09[NET] received packet: from <FortiGate-ext-IP>[63489] to <StrongSwan-ext-IP>[500]
 Oct  6 20:06:11 Ubuntu charon: 09[NET] waiting for data on sockets
 Oct  6 20:06:11 Ubuntu charon: 16[NET] received packet: from <FortiGate-ext-IP>[63489] to <StrongSwan-ext-IP>[500] (244 bytes)
 Oct  6 20:06:11 Ubuntu charon: 16[IKE] received retransmit of request with ID 0, retransmitting response
 Oct  6 20:06:11 Ubuntu charon: 16[NET] sending packet: from <StrongSwan-ext-IP>[500] to <FortiGate-ext-IP>[63489] (136 bytes)
 Oct  6 20:06:11 Ubuntu charon: 10[NET] sending packet: from <StrongSwan-ext-IP>[500] to <FortiGate-ext-IP>[63489]
 Oct  6 20:06:23 Ubuntu charon: 09[NET] received packet: from <FortiGate-ext-IP>[63489] to <StrongSwan-ext-IP>[500]
 Oct  6 20:06:23 Ubuntu charon: 09[NET] waiting for data on sockets
 Oct  6 20:06:23 Ubuntu charon: 06[NET] received packet: from <FortiGate-ext-IP>[63489] to <StrongSwan-ext-IP>[500] (244 bytes)
 Oct  6 20:06:23 Ubuntu charon: 06[IKE] received retransmit of request with ID 0, retransmitting response
 Oct  6 20:06:23 Ubuntu charon: 06[NET] sending packet: from <StrongSwan-ext-IP>[500] to <FortiGate-ext-IP>[63489] (136 bytes)
 Oct  6 20:06:23 Ubuntu charon: 10[NET] sending packet: from <StrongSwan-ext-IP>[500] to <FortiGate-ext-IP>[63489]
 Oct  6 20:06:35 Ubuntu charon: 05[JOB] deleting half open IKE_SA after timeout
 Oct  6 20:06:35 Ubuntu charon: 05[IKE] IKE_SA (unnamed)[2] state change: CONNECTING => DESTROYING
 Oct  6 20:06:36 Ubuntu charon: 09[NET] received packet: from <FortiGate-ext-IP>[63489] to <StrongSwan-ext-IP>[500]
 Oct  6 20:06:36 Ubuntu charon: 09[NET] waiting for data on sockets
 Oct  6 20:06:36 Ubuntu charon: 04[NET] received packet: from <FortiGate-ext-IP>[63489] to <StrongSwan-ext-IP>[500] (244 bytes)
 Oct  6 20:06:36 Ubuntu charon: 04[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
 Oct  6 20:06:36 Ubuntu charon: 04[CFG] looking for an ike config for <StrongSwan-ext-IP>...<FortiGate-ext-IP>
 Oct  6 20:06:36 Ubuntu charon: 04[CFG] ike config match: 1048 (<StrongSwan-ext-IP> <FortiGate-ext-IP> IKEv1)
 Oct  6 20:06:36 Ubuntu charon: 04[CFG]   candidate: <StrongSwan-ext-IP>...%any, prio 1048
 Oct  6 20:06:36 Ubuntu charon: 04[CFG] found matching ike config: <StrongSwan-ext-IP>...%any with prio 1048
 Oct  6 20:06:36 Ubuntu charon: 04[IKE] received NAT-T (RFC 3947) vendor ID
 Oct  6 20:06:36 Ubuntu charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
 Oct  6 20:06:36 Ubuntu charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
 Oct  6 20:06:36 Ubuntu charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
 Oct  6 20:06:36 Ubuntu charon: 04[ENC] received unknown vendor ID: 16:f6:ca:16:e4:a4:06:6d:83:82:1a:0f:0a:ea:a8:62
 Oct  6 20:06:36 Ubuntu charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
 Oct  6 20:06:36 Ubuntu charon: 04[IKE] received DPD vendor ID
 Oct  6 20:06:36 Ubuntu charon: 04[ENC] received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:04:02:b1
 Oct  6 20:06:36 Ubuntu charon: 04[IKE] <FortiGate-ext-IP> is initiating a Main Mode IKE_SA
 Oct  6 20:06:36 Ubuntu charon: 04[IKE] IKE_SA (unnamed)[3] state change: CREATED => CONNECTING
 Oct  6 20:06:36 Ubuntu charon: 04[CFG] selecting proposal:
 Oct  6 20:06:36 Ubuntu charon: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
 Oct  6 20:06:36 Ubuntu charon: 04[CFG] selecting proposal:
 Oct  6 20:06:36 Ubuntu charon: 04[CFG]   no acceptable ENCRYPTION_ALGORITHM found
 Oct  6 20:06:36 Ubuntu charon: 04[CFG] selecting proposal:
 Oct  6 20:06:36 Ubuntu charon: 04[CFG]   proposal matches
 Oct  6 20:06:36 Ubuntu charon: 04[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
 Oct  6 20:06:36 Ubuntu charon: 04[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:3DES_CBC/AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_AES128_XCBC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_CMAC/MODP_1024/MODP_1536/MODP_2048/MODP_3072/MODP_4096/MODP_8192/ECP_256/ECP_384/ECP_521/MODP_1024_160/MODP_2048_224/MODP_2048_256/ECP_192/ECP_224/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP
 Oct  6 20:06:36 Ubuntu charon: 04[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
 Oct  6 20:06:36 Ubuntu charon: 04[IKE] sending XAuth vendor ID
 Oct  6 20:06:36 Ubuntu charon: 04[IKE] sending DPD vendor ID
 Oct  6 20:06:36 Ubuntu charon: 04[IKE] sending NAT-T (RFC 3947) vendor ID
 Oct  6 20:06:36 Ubuntu charon: 04[ENC] generating ID_PROT response 0 [ SA V V V ]
 Oct  6 20:06:36 Ubuntu charon: 04[NET] sending packet: from <StrongSwan-ext-IP>[500] to <FortiGate-ext-IP>[63489] (136 bytes)
 Oct  6 20:06:36 Ubuntu charon: 10[NET] sending packet: from <StrongSwan-ext-IP>[500] to <FortiGate-ext-IP>[63489]
 Oct  6 20:06:42 Ubuntu charon: 09[NET] received packet: from <FortiGate-ext-IP>[63489] to <StrongSwan-ext-IP>[500]
 Oct  6 20:06:42 Ubuntu charon: 09[NET] waiting for data on sockets
 Oct  6 20:06:42 Ubuntu charon: 03[NET] received packet: from <FortiGate-ext-IP>[63489] to <StrongSwan-ext-IP>[500] (244 bytes)
 Oct  6 20:06:42 Ubuntu charon: 03[IKE] received retransmit of request with ID 0, retransmitting response
 Oct  6 20:06:42 Ubuntu charon: 03[NET] sending packet: from <StrongSwan-ext-IP>[500] to <FortiGate-ext-IP>[63489] (136 bytes)
 Oct  6 20:06:42 Ubuntu charon: 10[NET] sending packet: from <StrongSwan-ext-IP>[500] to <FortiGate-ext-IP>[63489]
 
 
emnoc
Esteemed Contributor III

I would start by matching the phase1 proposals. Looking at the debug output and at what you configured, it doesn't match up. If you want 3des-sha w/ DHGRP2, then specify that. Take a look at my openswan2fgt setup post (very similar to strongSwan). There's some good tips on the functionality between linux and fortigates: http://socpuppet.blogspot.com/2014/05/openswan-to-fortigate-route-based-vpn.html

PCNSE 

NSE 

StrongSwan  

Yngve0
New Contributor II

Thanks; I have tried to correct the config but I'm still fighting with the tunnels...

Config@Fortigate
config vpn ipsec phase1-interface
    edit "DialUp_strongswan"
        set interface "wan1"
        set dhgrp 14
        set proposal 3des-sha1
        set dpd disable
        set remote-gw <public-ip-strongswan>
        set psksecret ENC ****
    next
end
config vpn ipsec phase2-interface
    edit "VPN_StrongSwan"
        set auto-negotiate enable
        set dst-addr-type ip
        set keepalive enable
        set pfs disable
        set phase1name "DialUp_strongswan"
        set proposal aes128-sha1
        set replay disable
        set dst-start-ip 10.177.177.2
        set keylifeseconds 3600
        set src-subnet 192.168.160.0 255.255.252.0
    next
end
Config@StrongSwan
conn Fortigate
         type=tunnel
         authby=secret
         keyexchange=ikev1
         auto=start
         # ike=aes128-sha1;modp1024!
         ike=3des-sha1-modp2048
         left=<public-ip-strongswan>
         leftsubnet=10.177.177.2/255.255.255.255
         right=%any
         rightsubnet=192.168.160.0/22
         compress=no
         # pfs=no
         esp=aes128-sha1
         #auth=esp
         keyingtries=%forever
 
Debug@Fortigate
ike 5:DialUp_strongswan:VPN_StrongSwan: IPsec SA connect 35 10.255.0.2-><public-ip-strongswan> :500 negotiating
 ike 5:DialUp_strongswan:1769:VPN_StrongSwan:1769: ISAKMP SA still negotiating, queuing quick-mode request
 ike 5:DialUp_strongswan:1769: out 010E2734A424931200000000000000000110020000000000000000F00D000034000000010000000100000028010100010000002001010000800B0001800C70808001000580030001800200028004000E0D0000144A131C81070358455C5728F20E95452F0D0000147D9419A65310CA6F2C179D9215529D560D000014CD60464335DF21F87CFDB2FC68B6A4480D00001490CB80913EBB696E086381B5EC427B1F0D00001416F6CA16E4A4066D83821A0F0AEAA8620D0000144485152D18B6BBCD0BE8A8469579DDCC0D000014AFCAD71368A1F1C96B8696FC77570100000000148299031757A36082C6A621DE000402B1
 ike 5:DialUp_strongswan:1769: sent IKE msg (P1_RETRANSMIT): 10.255.0.2:500-><public-ip-strongswan> :500, len=240, id=010e2734a4249312/0000000000000000
 ike 5:DialUp_strongswan:VPN_StrongSwan: IPsec SA connect 35 10.255.0.2-><public-ip-strongswan> :500
 ike 5:DialUp_strongswan:VPN_StrongSwan: using existing connection
 ike 5:DialUp_strongswan:VPN_StrongSwan: config found
 ike 5:DialUp_strongswan:VPN_StrongSwan: IPsec SA connect 35 10.255.0.2-><public-ip-strongswan> :500
 ike 5:DialUp_strongswan:VPN_StrongSwan: using existing connection
 ike 5:DialUp_strongswan:VPN_StrongSwan: config found
Debug@StrongSwan
Oct 11 12:50:45 hetz02 charon: 11[IKE] IKE_SA (unnamed)[10176] state change: CONNECTING => DESTROYING
 Oct 11 12:50:46 hetz02 charon: 09[NET] received packet: from <public-ip-FortiGate>[61567] to <public-ip-strongswan> [500]
 Oct 11 12:50:46 hetz02 charon: 15[NET] received packet: from <public-ip-FortiGate>[61567] to <public-ip-strongswan> [500] (240 bytes)
 Oct 11 12:50:46 hetz02 charon: 15[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
 Oct 11 12:50:46 hetz02 charon: 15[CFG] looking for an ike config for <public-ip-strongswan> ...<public-ip-FortiGate>
 Oct 11 12:50:46 hetz02 charon: 15[CFG] ike config match: 1052 (<public-ip-strongswan>  <public-ip-FortiGate> IKEv1)
 Oct 11 12:50:46 hetz02 charon: 15[CFG]   candidate: <public-ip-strongswan> ...%any, prio 1052
 Oct 11 12:50:46 hetz02 charon: 15[CFG] found matching ike config: <public-ip-strongswan> ...%any with prio 1052
 Oct 11 12:50:46 hetz02 charon: 15[IKE] received NAT-T (RFC 3947) vendor ID
 Oct 11 12:50:46 hetz02 charon: 15[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
 Oct 11 12:50:46 hetz02 charon: 15[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
 Oct 11 12:50:46 hetz02 charon: 15[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
 Oct 11 12:50:46 hetz02 charon: 15[ENC] received unknown vendor ID: 16:f6:ca:16:e4:a4:06:6d:83:82:1a:0f:0a:ea:a8:62
 Oct 11 12:50:46 hetz02 charon: 15[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
 Oct 11 12:50:46 hetz02 charon: 15[IKE] received DPD vendor ID
 Oct 11 12:50:46 hetz02 charon: 15[ENC] received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:04:02:b1
 Oct 11 12:50:46 hetz02 charon: 15[IKE] <public-ip-FortiGate> is initiating a Main Mode IKE_SA
 Oct 11 12:50:46 hetz02 charon: 15[IKE] IKE_SA (unnamed)[10177] state change: CREATED => CONNECTING
 Oct 11 12:50:46 hetz02 charon: 15[CFG] selecting proposal:
 Oct 11 12:50:46 hetz02 charon: 15[CFG]   proposal matches
 Oct 11 12:50:46 hetz02 charon: 15[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
 Oct 11 12:50:46 hetz02 charon: 15[CFG] configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_AES128_XCBC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_CMAC/MODP_1024/MODP_1536/MODP_2048/MODP_3072/MODP_4096/MODP_8192/ECP_256/ECP_384/ECP_521/MODP_1024_160/MODP_2048_224/MODP_2048_256/ECP_192/ECP_224/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP
 Oct 11 12:50:46 hetz02 charon: 15[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
 Oct 11 12:50:46 hetz02 charon: 15[IKE] sending XAuth vendor ID
 Oct 11 12:50:46 hetz02 charon: 15[IKE] sending DPD vendor ID
 Oct 11 12:50:46 hetz02 charon: 15[IKE] sending NAT-T (RFC 3947) vendor ID
 Oct 11 12:50:46 hetz02 charon: 15[ENC] generating ID_PROT response 0 [ SA V V V ]
 Oct 11 12:50:46 hetz02 charon: 15[NET] sending packet: from <public-ip-strongswan> [500] to <public-ip-FortiGate>[61567] (132 bytes)
 Oct 11 12:50:46 hetz02 charon: 10[NET] sending packet: from <public-ip-strongswan> [500] to <public-ip-FortiGate>[61567]
 Oct 11 12:50:46 hetz02 charon: 09[NET] waiting for data on sockets
 
emnoc
Esteemed Contributor III

Did you read the link I provided? Now you have a match in phase1, but you have AES128-sha1 configured in Phase2 (fortigate) and dhgrp 14. Not sure what you're trying to do nor what proposals you want. Here's what I would do:

config vpn ipsec phase1-interface
    edit "DialUp_strongswan"
        set interface "wan1"
        unset dhgrp
        set proposal aes128-sha1
        set dpd disable
        set remote-gw <public-ip-strongswan>
        set psksecret ENC ****
    next
end
config vpn ipsec phase2-interface
    edit "VPN_StrongSwan"
        set auto-negotiate enable
        set dst-addr-type ip
        set keepalive enable
        set pfs disable
        set phase1name "DialUp_strongswan"
        set proposal aes128-sha1
        set replay disable
        set dst-start-ip 10.177.177.2
        set keylifeseconds 3600
        set src-subnet 192.168.160.0 255.255.252.0
    next
end

and then on swan:

conn Fortigate
        type=tunnel
        authby=secret
        keyexchange=ikev1
        auto=start
        # ike=aes128-sha1;modp1024!
        ike=3des-sha1-modp2048
        left=<public-ip-strongswan>
        leftsubnet=10.177.177.2/255.255.255.255
        right=%any
        rightsubnet=192.168.160.0/22
        compress=no
        # pfs=no
        esp=aes128-sha1
        #auth=esp
        keyingtries=%forever

And see if that works. If so, then you can make further changes on the proposals and enable PFS if required. Make sure to clear/flush the ike gateway on the fortigate and restart the ipsec services on the linux box. After you do the above, the diag debug ike gatew and ipsec sa commands will confirm if you have ph1&2, and then ensure your firewall policy and iptables allow traffic between the left+right subnets.


Yngve0
New Contributor II

Hi again and thank you for your advice. I have read your blog, but I'm not sure I understood it 100%. I have no requirement regarding DH, proposal or PFS as long as it works :) I tried the config you suggested here, but the tunnel still failed to come up. But: you suggested to unset DH on the fortigate but kept modp2048 in Swan? As mentioned initially, the Fortigate is for several reasons behind NAT and without any port forwarding, so the Fortigate must initiate the VPN. Is this a problem?
emnoc
Esteemed Contributor III

When you unset the dhgrp it defaults to dhgrp 2. Actually on the swan side you had 1024, so I figure you want 1024 (aka dhgrp #2). As a matter of fact, if you left the proposal open on swan it should accept about most anything. The bottom line: you need to match all vpn cfg between the 2 end-points:

dhgrp
pfs yes/no
hash
authentication
encryption
secret

If you copied what I posted, that should get you up between swan and fgt. Then you need to look at diagnostic commands. The following link was written with route-based in mind, but the same concept applies for policy-based: http://socpuppet.blogspot.com/2013/10/site-2-site-routed-vpn-trouble-shooting.html

You need to validate phase1 is established:

diag vpn ike gateway list

and phase 2:

diag vpn tunnel list

If you have established ph1&2, then you check firewall policies by using diag debug flow. Match your proposals and then analyze your policies.

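The phase1 matching emnoc describes in his two answers above (encryption, hash and dhgrp must overlap, and an unset FortiGate dhgrp means group 2) can be checked before touching either box. The following is an added example, not code from this thread or from Fortinet or strongSwan: it reads the `set proposal` / `set dhgrp` lines of a FortiGate phase1-interface block and a strongSwan `ike=` value, reports the overlap in the names charon prints after `received proposals:`, and on a mismatch names the first field that does not overlap. The name tables and the two sample configs are constructed from the values in this thread.

```python
import re

# Constructed name tables covering only the algorithms seen in this thread.
# FortiGate CLI token -> the name charon prints in its proposal log lines.
ENC = {"3des": "3DES_CBC", "aes128": "AES_CBC_128",
       "aes192": "AES_CBC_192", "aes256": "AES_CBC_256"}
INTEG = {"md5": ("HMAC_MD5_96", "PRF_HMAC_MD5"),
         "sha1": ("HMAC_SHA1_96", "PRF_HMAC_SHA1"),
         "sha256": ("HMAC_SHA2_256_128", "PRF_HMAC_SHA2_256")}
# FortiGate dhgrp number -> (strongSwan ike= keyword, charon log name)
DH = {2: ("modp1024", "MODP_1024"), 5: ("modp1536", "MODP_1536"),
      14: ("modp2048", "MODP_2048")}
DH_BY_KEYWORD = {kw: grp for grp, (kw, _) in DH.items()}


def fortigate_phase1(cli):
    """Set of (enc, hash, dhgrp) tuples a FortiGate phase1-interface block
    offers. No 'set dhgrp' line means the default group 2, as emnoc notes."""
    props = re.search(r"set proposal (.+)", cli).group(1).split()
    m = re.search(r"set dhgrp (.+)", cli)
    groups = [int(g) for g in m.group(1).split()] if m else [2]
    return {tuple(p.split("-")) + (g,) for p in props for g in groups}


def strongswan_ike(value):
    """Same tuples from an ike= value such as '3des-sha1-modp2048,aes128-sha1-modp1024!'.
    A trailing '!' (strict mode) does not change which proposals are listed."""
    out = set()
    for prop in value.rstrip("!").split(","):
        enc, hsh, kw = prop.split("-")
        out.add((enc, hsh, DH_BY_KEYWORD[kw]))
    return out


def charon_name(prop):
    """Render a tuple the way charon prints it after 'received proposals:'."""
    enc, hsh, grp = prop
    return f"IKE:{ENC[enc]}/{INTEG[hsh][0]}/{INTEG[hsh][1]}/{DH[grp][1]}"


def common_proposals(cli, ike_value):
    """Proposals both ends agree on; an empty set means phase1 cannot come up."""
    return fortigate_phase1(cli) & strongswan_ike(ike_value)


def explain(cli, ike_value):
    """One-line verdict; on a mismatch, name the first field with no overlap."""
    common = common_proposals(cli, ike_value)
    if common:
        return "match: " + ", ".join(sorted(charon_name(p) for p in common))
    fgt, sw = fortigate_phase1(cli), strongswan_ike(ike_value)
    for idx, field in enumerate(("encryption", "hash", "dhgrp")):
        have, want = {p[idx] for p in fgt}, {p[idx] for p in sw}
        if not have & want:
            return (f"mismatch on {field}: FortiGate offers {sorted(have)}, "
                    f"strongSwan accepts {sorted(want)}")
    return "mismatch: no single proposal shares encryption, hash and dhgrp"


# Constructed inputs: the thread's second FortiGate attempt (dhgrp 14,
# 3des-sha1) and emnoc's suggestion (dhgrp unset, aes128-sha1), both
# checked against the strongSwan line ike=3des-sha1-modp2048 from the same post.
FGT_ATTEMPT2 = """config vpn ipsec phase1-interface
    edit "DialUp_strongswan"
        set dhgrp 14
        set proposal 3des-sha1
    next
end"""
FGT_SUGGESTED = FGT_ATTEMPT2.replace("        set dhgrp 14\n", "").replace(
    "3des-sha1", "aes128-sha1")
SWAN_IKE = "3des-sha1-modp2048"
```

`explain(FGT_ATTEMPT2, SWAN_IKE)` reproduces the proposal charon logged in the second debug output above, while `explain(FGT_SUGGESTED, SWAN_IKE)` shows why the suggested FortiGate block and the unchanged `ike=` line cannot agree.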

Yngve0
New Contributor II

Thanks emnoc, it is working now.
jlozen
New Contributor

I'm currently trying to get this to work, would it be possible for you to post your working configurations?

Palamar
New Contributor

help, no internet after the creation of the tunnel