L2TP/IPsec-with-certificate Windows10 native client
As the FortiGate IPsec Wizard didn't lead to success, we're trying to set up a certificate-based dialup VPN by hand.
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: incoming proposal:
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: proposal id = 0:
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: protocol id = ISAKMP:
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: trans_id = KEY_IKE.
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: encapsulation = IKE/none
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: type=OAKLEY_HASH_ALG, val=SHA.
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: type=AUTH_METHOD, val=RSA_SIG.
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: type=OAKLEY_GROUP, val=ECP384.
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: ISAKMP SA lifetime=28800
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: proposal id = 0:
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: protocol id = ISAKMP:
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: trans_id = KEY_IKE.
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: encapsulation = IKE/none
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: type=OAKLEY_HASH_ALG, val=SHA.
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: type=AUTH_METHOD, val=RSA_SIG.
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: type=OAKLEY_GROUP, val=ECP256.
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: ISAKMP SA lifetime=28800
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: proposal id = 0:
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: protocol id = ISAKMP:
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: trans_id = KEY_IKE.
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: encapsulation = IKE/none
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: type=OAKLEY_HASH_ALG, val=SHA.
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: type=AUTH_METHOD, val=RSA_SIG.
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: type=OAKLEY_GROUP, val=MODP2048.
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: ISAKMP SA lifetime=28800
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: proposal id = 0:
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: protocol id = ISAKMP:
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: trans_id = KEY_IKE.
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: encapsulation = IKE/none
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: type=OAKLEY_HASH_ALG, val=SHA.
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: type=AUTH_METHOD, val=RSA_SIG.
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: type=OAKLEY_GROUP, val=MODP2048.
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: ISAKMP SA lifetime=28800
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: proposal id = 0:
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: protocol id = ISAKMP:
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: trans_id = KEY_IKE.
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: encapsulation = IKE/none
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: type=OAKLEY_HASH_ALG, val=SHA.
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: type=AUTH_METHOD, val=RSA_SIG.
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: type=OAKLEY_GROUP, val=MODP1024.
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: ISAKMP SA lifetime=28800
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: negotiation failure
ike V=root:Negotiate ISAKMP SA Error:
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: no SA proposal chosen
When interpreting the proposals received, we tried to implement them through the following settings:
- Algorithms: 3DES-SHA1, AES256-SHA1
- Diffie-Hellman Group: 14
which has led to the expected proposal from the side of the FortiGate (as follows):
ike V=root:0:24279aec99b82985/0000000000000000:879: my proposal, gw IPsecW10_OUVW:
ike V=root:0:24279aec99b82985/0000000000000000:879: proposal id = 1:
ike V=root:0:24279aec99b82985/0000000000000000:879: protocol id = ISAKMP:
ike V=root:0:24279aec99b82985/0000000000000000:879: trans_id = KEY_IKE.
ike V=root:0:24279aec99b82985/0000000000000000:879: encapsulation = IKE/none
ike V=root:0:24279aec99b82985/0000000000000000:879: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike V=root:0:24279aec99b82985/0000000000000000:879: type=OAKLEY_HASH_ALG, val=SHA.
ike V=root:0:24279aec99b82985/0000000000000000:879: type=AUTH_METHOD, val=RSA_SIG.
ike V=root:0:24279aec99b82985/0000000000000000:879: type=OAKLEY_GROUP, val=MODP2048.
ike V=root:0:24279aec99b82985/0000000000000000:879: ISAKMP SA lifetime=28800
ike V=root:0:24279aec99b82985/0000000000000000:879: proposal id = 1:
ike V=root:0:24279aec99b82985/0000000000000000:879: protocol id = ISAKMP:
ike V=root:0:24279aec99b82985/0000000000000000:879: trans_id = KEY_IKE.
ike V=root:0:24279aec99b82985/0000000000000000:879: encapsulation = IKE/none
ike V=root:0:24279aec99b82985/0000000000000000:879: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike V=root:0:24279aec99b82985/0000000000000000:879: type=OAKLEY_HASH_ALG, val=SHA.
ike V=root:0:24279aec99b82985/0000000000000000:879: type=AUTH_METHOD, val=RSA_SIG.
ike V=root:0:24279aec99b82985/0000000000000000:879: type=OAKLEY_GROUP, val=MODP2048.
ike V=root:0:24279aec99b82985/0000000000000000:879: ISAKMP SA lifetime=28800
Perhaps we have overlooked some details, but we expected an SA match, not a negotiation failure.
Does anyone have a working solution for Windows 10/certificate-with-user-and-password, or can you give us a hint why the FortiGate refuses to accept the proposal?
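A small checker for the debug output quoted in this post, added here as an example (it is not code from the thread or from Fortinet): it parses the "proposal id" and "type=..., val=..." lines of both sides and reports which pairs agree on every attribute and where the others differ. The sample below is a constructed, abbreviated subset of the lines above; run on the full log it shows that the client's AES256/MODP2048 and 3DES/MODP2048 proposals agree with the FortiGate's two on encryption, key length, hash, authentication method and DH group, so the next thing to check is what these lines do not show, such as which phase 1 gateway (the `gw` field on the "my proposal" line) the incoming negotiation was matched against.

```python
import re

# Constructed, abbreviated sample in the format of the FortiGate IKE debug output quoted
# above: two of the client's proposals and the FortiGate's AES256-SHA1 / DH group 14 one.
INCOMING = """\
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: proposal id = 0:
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: type=OAKLEY_HASH_ALG, val=SHA.
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: type=AUTH_METHOD, val=RSA_SIG.
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: type=OAKLEY_GROUP, val=ECP384.
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: proposal id = 0:
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: type=OAKLEY_HASH_ALG, val=SHA.
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: type=AUTH_METHOD, val=RSA_SIG.
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: type=OAKLEY_GROUP, val=MODP2048.
"""
MINE = """\
ike V=root:0:24279aec99b82985/0000000000000000:879: proposal id = 1:
ike V=root:0:24279aec99b82985/0000000000000000:879: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike V=root:0:24279aec99b82985/0000000000000000:879: type=OAKLEY_HASH_ALG, val=SHA.
ike V=root:0:24279aec99b82985/0000000000000000:879: type=AUTH_METHOD, val=RSA_SIG.
ike V=root:0:24279aec99b82985/0000000000000000:879: type=OAKLEY_GROUP, val=MODP2048.
"""

ATTR_RE = re.compile(r"type=(\w+), val=(\w+)(?:, key-len=(\d+))?")

def parse_proposals(log: str) -> list[dict]:
    """Group the type=/val= attribute lines under the 'proposal id' line preceding them."""
    proposals = []
    for line in log.splitlines():
        if "proposal id =" in line:
            proposals.append({})
        elif proposals and (m := ATTR_RE.search(line)):
            attr, val, keylen = m.groups()
            proposals[-1][attr] = f"{val}/{keylen}" if keylen else val  # e.g. AES_CBC/256
    return proposals

def compare(incoming_log: str, my_log: str) -> tuple[list, list]:
    """Pair each incoming proposal with each local one: exact matches, and differing attributes for the rest."""
    incoming, mine = parse_proposals(incoming_log), parse_proposals(my_log)
    matches, diffs = [], []
    for i, p in enumerate(incoming):
        for j, q in enumerate(mine):
            delta = {k: (p.get(k), q.get(k)) for k in p.keys() | q.keys() if p.get(k) != q.get(k)}
            if delta:
                diffs.append((i, j, delta))
            else:
                matches.append((i, j))
    return matches, diffs
```

Feed the complete "incoming proposal" and "my proposal" blocks from `diagnose debug application ike -1` output into `compare` to get the same report for a real negotiation.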
Hi @Guenther,
Are you trying to connect from FortiClient? Can you try with only AES256-SHA1 on the client side?
Regards,
Hi @hbac,
To keep it simple, we tried to propose installing software in case of BYOD; therefore, we haven't tried the FortiClient (which works well at least on macOS). On the client side there are no more parameters selectable.
Best regards!