Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
traposama
New Contributor

Strongswan - Fortigate

Hi!

 

i read a lot about that but in this moment dont work.

 

in the fortigate have this:

 

config vpn ipsec phase1-interface     edit "OpenSWAN"         set type dynamic         set interface "port4"         set peertype any         set proposal aes128-sha1         set dpd disable         set psksecret ENC encoded_PSK     next end config vpn ipsec phase2-interface     edit "OpenSWAN"         set phase1name "OpenSWAN"         set proposal aes128-sha1         set pfs disable         set keepalive enable         set keylifeseconds 3600         set src-subnet 192.168.10.0 255.255.255.0         set dst-subnet 192.168.1.0 255.255.255.0     next end

 

and ipsec.secret

 

IP_WAN_FGT : PSK "thestrongpassword"

 

and ipsec.conf

 

conn FGT      type=tunnel      authby=secret      left=%any #     leftnexthop=%defaultroute      leftsubnet=192.168.1.0/24      right=IP_WAN_FGT      rightsubnet=192.168.2.0/24 #     ike=aes128      ike=3des-sha1-modp2048      esp=aes128-sha1      ikelifetime=28800s      keyexchange=ikev1      auto=start      keyingtries=%forever

 

can somebody giveme a hand for this?

 

thx :)

 

 

6 REPLIES 6
emnoc
Esteemed Contributor III

A few items

You have dhgrp14 and 3des. Set the proposals on the FGT so you know what is defined for these values IKE/IPSEC/Integrity

 

 

     ike=3des-sha1-modp2048      esp=aes128-sha1

 

I think you want ike=aes128-sha1-modp2048 and in the fortigate you defined the group as 14. 

 

  set dhgrp 14 5 

 

 

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
traposama

Hi Emnoc!

 

Added the both phase, the cli dont show any change and still dont connect phase1. Another idea?

 

Thx

emnoc
Esteemed Contributor III

diag sniffer packet port4 'host x.x.x.x"

 

# x.x.x.x = strongswan

 

diag debug en

diag debug app ike 10 

 

What do you see? PSK mismatch? No proposal ? peer-ids looks good?

 

 

Strongswan :

 

ipsec statusall

ipsec restart

# these might come in handy

lsof -Pni :500

lsof -Pni :4500

tcpdump -nnnvvv -i <internet facing inft>  host y.y.y.y and udp 

# y.y.y.y == fgt port4 local-address

 

 

 

 

Ken

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
traposama

Hi Emnoc!

 

after changet ikev1 for ikev2 connect without problem! the previous error is No proposal.

 

Now i have the tunnel but dont have traffic, something are missing in the side of strongswan

 

Have some tip for this?

traposama

Hi!!

 

finally is working!!

 

in the box(openwrt) is necessary declare a Zone like VPN and put into ipsec0 interface. Permit forward into LAN and VPN and is done!

 

:)

radokizi

traposama wrote:

Hi!!

 

finally is working!!

 

in the box(openwrt) is necessary declare a Zone like VPN and put into ipsec0 interface. Permit forward into LAN and VPN and is done!

 

:)

Can u show working configs for both routers?

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors