set type dynamic
set interface "port1"
set ike-version 2
set peertype any
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha384 aes128gcm-prfsha256
set dpd on-idle
set dhgrp 20 19 14
set reauth enable
set idle-timeout enable
set psksecret ENC 1VQ0j0YX34DWAmM8U2OnsibIcaGXjAsuaJfZEE4tZ/YPh1cayPwyql3b47Ro01xQVPs60wZHn4l/f8/mQZnsHidUbGPp7Q61gWN8FP91Q1sbAKuZoCxbFn13+rJAnSS7kkT7OnaB3iYWqf6pU4SZIJjYa2HxRkZglfGuq8TnoetM8g+qc/kFKlHwCTow4m+ZRrsy+A==
set dpd-retryinterval 60
My setup is this.
But whenever I try to bring up a tunnel against the FortiGate (FortiOS v6.0.9)
I see the following error.
ike 0: IKEv2 exchange=SA_INIT id=d740acea5f4716a4/0000000000000000 len=264
ike 0: in
ike 0:d740acea5f4716a4/0000000000000000:4901: responder received SA_INIT msg
ike 0:d740acea5f4716a4/0000000000000000:4901: received notify type NAT_DETECTION_SOURCE_IP
ike 0:d740acea5f4716a4/0000000000000000:4901: received notify type NAT_DETECTION_DESTINATION_IP
ike 0:d740acea5f4716a4/0000000000000000:4901: received notify type FRAGMENTATION_SUPPORTED
ike 0:d740acea5f4716a4/0000000000000000:4901: received notify type SIGNATURE_HASH_ALGORITHMS
ike 0:d740acea5f4716a4/0000000000000000:4901: received notify type 16406
ike 0:d740acea5f4716a4/0000000000000000:4901: ignoring unauthenticated notify payload (16406)
ike 0:d740acea5f4716a4/0000000000000000:4901: incoming proposal:
ike 0:d740acea5f4716a4/0000000000000000:4901: proposal id = 1:
ike 0:d740acea5f4716a4/0000000000000000:4901: protocol = IKEv2:
ike 0:d740acea5f4716a4/0000000000000000:4901: encapsulation = IKEv2/none
ike 0:d740acea5f4716a4/0000000000000000:4901: type=ENCR, val=AES_GCM_16 (key_len = 128)
ike 0:d740acea5f4716a4/0000000000000000:4901: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:d740acea5f4716a4/0000000000000000:4901: type=DH_GROUP, val=ECP256.
ike 0:IKEv2: ignoring IKEv2 request, interface is administratively down
ike 0:d740acea5f4716a4/0000000000000000:4901: negotiation failure
ike Negotiate SA Error: ike ike [10142]
With the same set of cipher suites and settings,
IKEv1 works fine, but IKEv2 doesn't.
It looks like it doesn't like the proposal or something, but from the log it is not clear.
Does anybody have the same issue?
The other side is strongSwan.
Interesting, so can you share the conn profile that you have built in strongSwan? Dump out the IKE details from ipsec.conf or swanctl.
I'm betting IKEv2 is not enabled and that might be part of the issue, but that is easy to determine.
Ken Felix
PCNSE
NSE
StrongSwan
Here it is.
ipsec.conf
conn %default
    authby=never
    mobike=no
    closeaction=none
    dpdaction=hold
    dpddelay=30s
    dpdtimeout=150s
    inactivity=180
    ikelifetime=3h
    keyexchange=ike
    keyingtries=3
    lifetime=1h
    reauth=yes
    rekey=yes
    margintime=9m
    esp=sha1-aes256,sha256-aes256!
    ike=aes256-sha256-modp2048!
    forceencaps=no

conn icmpv6
    right=::1   # so this connection does not get used for other purposes
    leftsubnet=::/0[ipv6-icmp/%any]
    rightsubnet=::/0[ipv6-icmp/%any]
    auto=route
    type=passthrough

conn 4.10-0-1-0.24.0.0
    inactivity=3600
    right=54.241.130.111
    rightsubnet=10.0.1.0/24
    leftauth=psk
    rightauth=psk
    leftsendcert=no
    rightsendcert=no
    rightid=%any
    type=tunnel
    auto=route
ipsec statusall dump
Status of IKE charon daemon (strongSwan 5.7.2, Linux 3.10.0-1127.8.2.el7.x86_64, x86_64):
  uptime: 20 hours, since Jun 23 12:47:13 2020
  malloc: sbrk 1462272, mmap 0, used 343232, free 1119040
  worker threads: 27 of 32 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon aes des sha2 sha1 md5 random nonce x509 revocation pubkey pkcs1 pkcs7 pkcs8 pkcs12 sshkey pem openssl curve25519 xcbc hmac attr kernel-netlink socket-default stroke vici updown error-notify counters
Listening IP addresses:
  192.168.41.165
  fd15:4ba5:5a2b:1002:ccae:9dbd:e1e4:1022
Connections:
             icmpv6:  %any...::1  IKEv1/2, dpddelay=30s
             icmpv6:   local:  uses public key authentication
             icmpv6:   remote: [::1] uses public key authentication
             icmpv6:   child:  ::/0[ipv6-icmp] === ::/0[ipv6-icmp] PASS, dpdaction=hold
  4.10-0-1-0.24.0.0:  %any...54.241.130.111  IKEv1/2, dpddelay=30s
  4.10-0-1-0.24.0.0:   local:  uses pre-shared key authentication
  4.10-0-1-0.24.0.0:   remote: uses pre-shared key authentication
  4.10-0-1-0.24.0.0:   child:  dynamic === 10.0.1.0/24 TUNNEL, dpdaction=hold
Shunted Connections:
             icmpv6:  ::/0[ipv6-icmp] === ::/0[ipv6-icmp] PASS
Routed Connections:
  4.10-0-1-0.24.0.0{2}:  ROUTED, TUNNEL, reqid 2
  4.10-0-1-0.24.0.0{2}:   192.168.41.165/32 === 10.0.1.0/24
Security Associations (0 up, 0 connecting):
  none
strongSwan sets IKEv2 as the default.
From my original post:
ike 0:d740acea5f4716a4/0000000000000000:4901: responder received SA_INIT msg
ike 0:d740acea5f4716a4/0000000000000000:4901: received notify type NAT_DETECTION_SOURCE_IP
ike 0:d740acea5f4716a4/0000000000000000:4901: received notify type NAT_DETECTION_DESTINATION_IP
ike 0:d740acea5f4716a4/0000000000000000:4901: received notify type FRAGMENTATION_SUPPORTED
ike 0:d740acea5f4716a4/0000000000000000:4901: received notify type SIGNATURE_HASH_ALGORITHMS
ike 0:d740acea5f4716a4/0000000000000000:4901: received notify type 16406
ike 0:d740acea5f4716a4/0000000000000000:4901: ignoring unauthenticated notify payload (16406)
ike 0:d740acea5f4716a4/0000000000000000:4901: incoming proposal:
ike 0:d740acea5f4716a4/0000000000000000:4901: proposal id = 1:
ike 0:d740acea5f4716a4/0000000000000000:4901: protocol = IKEv2:
ike 0:d740acea5f4716a4/0000000000000000:4901: encapsulation = IKEv2/none
ike 0:d740acea5f4716a4/0000000000000000:4901: type=ENCR, val=AES_GCM_16 (key_len = 128)
ike 0:d740acea5f4716a4/0000000000000000:4901: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:d740acea5f4716a4/0000000000000000:4901: type=DH_GROUP, val=ECP256.
ike 0:IKEv2: ignoring IKEv2 request, interface is administratively down
That is why the FortiGate recognized it as IKEv2.
And I hardcoded IKEv2 like you suggested; it is still the same.
With the same setup IKEv1 works, not IKEv2. So I doubt there is any need to switch to dial-up or start from scratch at this point.
I am suspicious that the "type=PRF, val=PRF_HMAC_SHA2_256" that strongSwan adds by default does not match what the FortiGate expects?
Or IKEv1 and IKEv2 configurations cannot coexist on the same port?
Likewise, on the FortiGate IKEv1/IKEv2 are both available and can work on the same ports. That admin-down message seems to me like it, or somebody, thinks they are NOT enabled for IKE version 2. I see this a lot with firewalls that do either of the two versions, and I have run into this on many occasions.
Here's an idea: if you do the config from a 2nd FortiGate, does the same error come up? Has the strongSwan side ever had an IKEv2 conn at any given time?
Do you have the means to plumb a simple IKEv2 gateway and connect to the strongSwan host (i.e. AWS or DigitalOcean and a Linux VM guest)?
When I have problems like this and do not have lab gear, I spin up a machine or even a virtual FortiGate and run a series of tests to get to the bottom of the issue. Also a pcap analysis will be very helpful if you have not taken one. I would capture the IKE datagrams between peers and then analyze them in Wireshark. You can learn and witness a lot of details.
Ken Felix
PCNSE
NSE
StrongSwan
Emoc.
Thank you so much for helping me.
I have the same setup against Cisco ASA, PAN and strongSwan as well as FortiGate.
Cisco ASA, PAN and strongSwan work. :)
The last piece is FortiGate.
Bingo
keyexchange needs to be called out:
keyexchange = ikev2
Here's a basic template of what I used: PSK with left/right IDs set (local/remote IKE identity).
conn FGT100D
    fragmentation = yes
    keyexchange = ikev2
    installpolicy = yes
    type = tunnel
    # enable DPD: optional but recommended; if tunnels come up and drop, disable DPD and
    # re-monitor
    dpdaction = restart
    dpddelay = 10s
    dpdtimeout = 60s
    # set IKE/ph2 lifetimes
    ikelifetime = 14400s
    lifetime = 3600s
    auto = add
    left = %defaultroute
    leftauth = psk
    leftid = @linux1@socpuppets.com
    right = x.x.x.x                     # install the public address of the FGT here
    rightid = @fgt200D@socpppets.com    # change this to match the FGT ike-identity, or use %any
    rightsubnet = 10.19.0.0/23          # match the subnets in the enc-domain
    leftsubnet = 10.18.20/24
    ike = aes256-sha256-modp1536,aes256-sha1-modp1536!   # IKE proposals
    esp = aes256-sha256,aes256-sha1!                     # ESP proposals
I would start with a basic cfg if you're seeing problems, and I personally (nothing wrong with it) hate multiple proposals for ph1/ph2 on site-to-site VPNs.
Dynamic dial-up makes sense, but deterministic is better and easier to diagnose.
Ken Felix
PCNSE
NSE
StrongSwan
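The proposal-mismatch suspicion raised earlier in the thread (the PRF strongSwan "adds by default") can be settled mechanically instead of by eye. What follows is an added example for this thread, not code from the post, from Fortinet or from strongSwan: it turns the FortiGate `set proposal`/`set dhgrp` lines, a strongSwan `ike=` string and the `incoming proposal` block of the FortiGate IKE debug into the same (encryption, key length, integrity, PRF, DH group) tuples and intersects them, while also collecting the responder's failure lines. The FortiOS proposal-token grammar, the DH group number table, and the assumption that FortiOS prints `DH_GROUP` last in each proposal and spells integrity transforms `AUTH_*` are assumptions of the example; the sample config and log lines are the ones quoted in the thread.

```python
"""Cross-check a FortiGate IKEv2 phase1 proposal against what strongSwan offers.

Added example for this thread, not code from the post, Fortinet or strongSwan.
Everything is normalised to (encr, keylen, integ, prf, dh) tuples so that a
failed SA_INIT can be blamed on the crypto, or the crypto can be ruled out.
"""
import re
from itertools import product

# `set dhgrp` numbers are IKEv2 DH group numbers from the IANA registry.
FGT_DHGRP = {"2": "MODP1024", "5": "MODP1536", "14": "MODP2048", "15": "MODP3072",
             "16": "MODP4096", "19": "ECP256", "20": "ECP384", "21": "ECP521"}
# shaN -> (IKEv2 integrity transform, PRF transform)
HASH = {"sha1": ("HMAC_SHA1_96", "PRF_HMAC_SHA1"),
        "sha256": ("HMAC_SHA2_256_128", "PRF_HMAC_SHA2_256"),
        "sha384": ("HMAC_SHA2_384_192", "PRF_HMAC_SHA2_384"),
        "sha512": ("HMAC_SHA2_512_256", "PRF_HMAC_SHA2_512")}


def parse_fortigate_proposal(token):
    """'aesN-shaX' -> AES-CBC + HMAC integrity; 'aesNgcm-prfshaX' -> AES-GCM-16 with
    no separate integrity transform.  Token grammar assumed from the config shown."""
    m = re.fullmatch(r"aes(128|192|256)(gcm)?-(?:prf)?(sha\d+)", token)
    if not m:
        raise ValueError(f"unsupported FortiGate proposal token: {token}")
    keylen, gcm, sha = m.groups()
    integ, prf = HASH[sha]
    return ("AES_GCM_16", int(keylen), None, prf) if gcm else ("AES_CBC", int(keylen), integ, prf)


def fortigate_suites(proposal_line, dhgrp_line):
    """Expand `set proposal ...` x `set dhgrp ...` into every suite the phase1 accepts."""
    transforms = [parse_fortigate_proposal(t) for t in proposal_line.split()[2:]]
    groups = [FGT_DHGRP[g] for g in dhgrp_line.split()[2:]]
    return {t + (g,) for t, g in product(transforms, groups)}


def parse_strongswan_ike(ike_value):
    """'aes256-sha256-modp2048,aes128gcm16-prfsha256-ecp256!' -> set of suites.
    Handles AES-CBC and AES-GCM-16 (strongSwan spells the latter gcm16 or gcm128)."""
    suites = set()
    for prop in ike_value.rstrip("!").split(","):
        enc, second, dh = prop.split("-")
        m = re.fullmatch(r"aes(128|192|256)(gcm(?:16|128))?", enc)
        if not m or (m.group(2) and not second.startswith("prf")):
            raise ValueError(f"unsupported strongSwan proposal: {prop}")
        keylen = int(m.group(1))
        if m.group(2):  # AEAD: an explicit PRF replaces the integrity algorithm
            suites.add(("AES_GCM_16", keylen, None, HASH[second[3:]][1], dh.upper()))
        else:
            suites.add(("AES_CBC", keylen, HASH[second][0], HASH[second][1], dh.upper()))
    return suites


_TRANSFORM = re.compile(r"type=(ENCR|INTEG|PRF|DH_GROUP), val=([A-Z0-9_]+)(?: \(key_len = (\d+)\))?")


def parse_ike_debug(log_text):
    """Return ([suites the initiator offered, per the responder's log], [failure messages]).
    Assumes FortiOS prints DH_GROUP last in each proposal and spells integrity AUTH_*."""
    suites, current, failures = [], {}, []
    for line in log_text.splitlines():
        m = _TRANSFORM.search(line)
        if m:
            kind, val, klen = m.groups()
            current[kind] = (val, int(klen) if klen else None)
            if kind == "DH_GROUP":
                integ = current.get("INTEG", (None, None))[0]
                suites.append((current["ENCR"][0], current["ENCR"][1],
                               integ[5:] if integ and integ.startswith("AUTH_") else integ,
                               current["PRF"][0], val.replace("_", "")))
                current = {}
        elif "ignoring IKEv2 request" in line or "negotiation failure" in line:
            failures.append(line.split(": ", 1)[-1])
    return suites, failures


# Lines quoted from the thread's FortiGate config, ipsec.conf %default and ike debug output.
FGT_PROPOSAL = "set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha384 aes128gcm-prfsha256"
FGT_DHGRP_LINE = "set dhgrp 20 19 14"
STRONGSWAN_IKE = "aes256-sha256-modp2048!"
IKE_DEBUG = """\
ike 0:d740acea5f4716a4/0000000000000000:4901: incoming proposal:
ike 0:d740acea5f4716a4/0000000000000000:4901: proposal id = 1:
ike 0:d740acea5f4716a4/0000000000000000:4901: type=ENCR, val=AES_GCM_16 (key_len = 128)
ike 0:d740acea5f4716a4/0000000000000000:4901: type=PRF, val=PRF_HMAC_SHA2_256
ike 0:d740acea5f4716a4/0000000000000000:4901: type=DH_GROUP, val=ECP256.
ike 0:IKEv2: ignoring IKEv2 request, interface is administratively down
ike 0:d740acea5f4716a4/0000000000000000:4901: negotiation failure
"""


def diagnose(proposal_line=FGT_PROPOSAL, dhgrp_line=FGT_DHGRP_LINE,
             ike_value=STRONGSWAN_IKE, log_text=IKE_DEBUG):
    """Overlap of the FortiGate phase1 with (a) the configured ike= line and (b) what
    the wire carried, plus the responder's failure lines.  Empty overlap = crypto mismatch."""
    fgt = fortigate_suites(proposal_line, dhgrp_line)
    offered, failures = parse_ike_debug(log_text)
    return {"config_overlap": fgt & parse_strongswan_ike(ike_value),
            "log_overlap": fgt & set(offered),
            "failures": failures}


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(key, value)
```

Run against the thread's own lines, both overlaps are non-empty: the `aes128gcm-prfsha256` plus group 19 suite the FortiGate is configured with is exactly what strongSwan put on the wire, and the `aes256-sha256-modp2048` line in ipsec.conf also matches `aes256-sha256` plus group 14. So the PRF is not the problem; the `interface is administratively down` line is where to look, which is consistent with the `keyexchange = ikev2` advice that closed the thread. Swap in your own `set proposal`/`set dhgrp` lines and a pasted debug excerpt to run the same check on a different pair.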