Hi!
I read a lot about that, but at the moment it doesn't work.
In the FortiGate I have this:

config vpn ipsec phase1-interface
    edit "OpenSWAN"
        set type dynamic
        set interface "port4"
        set peertype any
        set proposal aes128-sha1
        set dpd disable
        set psksecret ENC encoded_PSK
    next
end
config vpn ipsec phase2-interface
    edit "OpenSWAN"
        set phase1name "OpenSWAN"
        set proposal aes128-sha1
        set pfs disable
        set keepalive enable
        set keylifeseconds 3600
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 192.168.1.0 255.255.255.0
    next
end

and ipsec.secrets:

IP_WAN_FGT : PSK "thestrongpassword"

and ipsec.conf:

conn FGT
    type=tunnel
    authby=secret
    left=%any
    # leftnexthop=%defaultroute
    leftsubnet=192.168.1.0/24
    right=IP_WAN_FGT
    rightsubnet=192.168.2.0/24
    # ike=aes128
    ike=3des-sha1-modp2048
    esp=aes128-sha1
    ikelifetime=28800s
    keyexchange=ikev1
    auto=start
    keyingtries=%forever

Can somebody give me a hand with this?
Thx :)
A few items:
You have dhgrp 14 and 3des. Set the proposals on the FGT so you know what is defined for these values (IKE/IPsec/integrity):

ike=3des-sha1-modp2048 esp=aes128-sha1

I think you want ike=aes128-sha1-modp2048, and in the FortiGate you defined the group as 14:

set dhgrp 14 5

Ken Felix
PCNSE
NSE
StrongSwan
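The "No proposal" failure discussed in this thread comes down to the two peers having no (encryption, integrity, DH group) triple in common. The following script is an added example, not code from the thread, from Fortinet or from the strongSwan project: it parses the two syntaxes posted above (a flattened FortiGate phase1/phase2 block and a strongSwan conn body) into comparable tuples, reports the overlap for phase1 and phase2, and also compares the traffic selectors (FortiGate src/dst-subnet against strongSwan rightsubnet/leftsubnet). Assumptions: the modp-name to dhgrp-number mapping is the standard MODP group table, the FortiOS default of "14 5" when no `set dhgrp` line exists is taken from Ken's reply, algorithm names are compared as plain strings (so `aes128`/`sha1` match on both sides but AEAD proposals are not handled), and the sample strings are constructed from the values posted in the thread.

```python
"""Compatibility check for a FortiGate <-> strongSwan IKEv1 tunnel (added example)."""
import ipaddress
import re
from itertools import product

# strongSwan DH group names mapped to FortiGate dhgrp numbers (standard MODP groups).
DH_NAME_TO_NUM = {"modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14,
                  "modp3072": 15, "modp4096": 16, "modp6144": 17, "modp8192": 18}

# Assumed FortiOS default when the phase1 block has no `set dhgrp` line
# (the posted phase1 has none and the reply says "You have dhgrp14").
FGT_DEFAULT_DHGRP = (14, 5)


def parse_ipsec_conf(text):
    """strongSwan conn body -> {key: value}; '#' comment lines and the conn header are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("conn "):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def parse_strongswan_proposals(value):
    """'3des-sha1-modp2048,aes128-sha1!' -> {('3des','sha1',14), ('aes128','sha1',None)}.
    Only enc-integ[-dh] proposals are understood (no AEAD/PRF tokens)."""
    out = set()
    for prop in value.rstrip("!").split(","):
        parts = prop.strip().split("-")
        dh = DH_NAME_TO_NUM.get(parts[2]) if len(parts) > 2 else None
        out.add((parts[0], parts[1], dh))
    return out


def parse_fortigate_proposals(cli, default_dhgrp=FGT_DEFAULT_DHGRP):
    """Expand `set proposal a-b c-d` x `set dhgrp 14 5` from a (possibly flattened) block."""
    m = re.search(r"set proposal((?:\s+\w+-\w+)+)", cli)
    if not m:
        raise ValueError("no `set proposal` line found")
    proposals = [tuple(p.split("-")) for p in m.group(1).split()]
    d = re.search(r"set dhgrp((?:\s+\d+)+)", cli)
    if "set pfs disable" in cli:
        groups = (None,)                 # phase2 without PFS negotiates no DH group
    elif d:
        groups = tuple(int(g) for g in d.group(1).split())
    else:
        groups = default_dhgrp
    return {(enc, integ, g) for (enc, integ), g in product(proposals, groups)}


def common_proposals(fgt, ss):
    """Tuples both sides accept; DH is compared only when both sides state a group."""
    matches = set()
    for enc, integ, fdh in fgt:
        for senc, sinteg, sdh in ss:
            if (enc, integ) == (senc, sinteg) and (fdh is None or sdh is None or fdh == sdh):
                matches.add((enc, integ, fdh if sdh is None else sdh))
    return matches


def check_phase1(fgt_phase1_cli, ss_conf):
    """Empty result == the 'No proposal' error seen in the thread."""
    return common_proposals(parse_fortigate_proposals(fgt_phase1_cli),
                            parse_strongswan_proposals(ss_conf["ike"]))


def fgt_subnet(cli, key):
    m = re.search(rf"set {key} (\S+) (\S+)", cli)
    return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)


def check_phase2(fgt_phase2_cli, ss_conf):
    """Phase2 proposal overlap plus selector agreement: FGT src-subnet must equal
    strongSwan rightsubnet and FGT dst-subnet must equal strongSwan leftsubnet."""
    proposals = common_proposals(parse_fortigate_proposals(fgt_phase2_cli),
                                 parse_strongswan_proposals(ss_conf["esp"]))
    fgt_local = fgt_subnet(fgt_phase2_cli, "src-subnet")
    fgt_remote = fgt_subnet(fgt_phase2_cli, "dst-subnet")
    ss_local = ipaddress.ip_network(ss_conf["leftsubnet"])
    ss_remote = ipaddress.ip_network(ss_conf["rightsubnet"])
    return {"proposals": proposals,
            "selectors_match": fgt_local == ss_remote and fgt_remote == ss_local,
            "fgt": (fgt_local, fgt_remote), "strongswan": (ss_local, ss_remote)}


# Constructed samples carrying the values posted in the thread (PSK placeholder kept).
FGT_PHASE1 = ('config vpn ipsec phase1-interface edit "OpenSWAN" set type dynamic '
              'set interface "port4" set peertype any set proposal aes128-sha1 '
              'set dpd disable set psksecret ENC encoded_PSK next end')
FGT_PHASE2 = ('config vpn ipsec phase2-interface edit "OpenSWAN" set phase1name "OpenSWAN" '
              'set proposal aes128-sha1 set pfs disable set keepalive enable '
              'set keylifeseconds 3600 set src-subnet 192.168.10.0 255.255.255.0 '
              'set dst-subnet 192.168.1.0 255.255.255.0 next end')
STRONGSWAN_CONN = """conn FGT
    type=tunnel
    authby=secret
    left=%any
    leftsubnet=192.168.1.0/24
    right=IP_WAN_FGT
    rightsubnet=192.168.2.0/24
    # ike=aes128
    ike=3des-sha1-modp2048
    esp=aes128-sha1
    keyexchange=ikev1
    auto=start
"""

if __name__ == "__main__":
    ss = parse_ipsec_conf(STRONGSWAN_CONN)
    print("phase1 common:", check_phase1(FGT_PHASE1, ss) or "NONE -> 'No proposal'")
    print("phase1 with ike=aes128-sha1-modp2048:",
          check_phase1(FGT_PHASE1, dict(ss, ike="aes128-sha1-modp2048")))
    print("phase2:", check_phase2(FGT_PHASE2, ss))
```

Run against the posted values, phase1 has no common proposal (3des vs aes128), which is the "No proposal" outcome; switching strongSwan to ike=aes128-sha1-modp2048 yields exactly one match with group 14. The phase2 check also shows the selectors not mirroring each other (FortiGate src-subnet 192.168.10.0/24 versus strongSwan rightsubnet 192.168.2.0/24), which is the kind of mismatch that leaves a tunnel up but without traffic.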
Hi Emnoc!
I added both phases; the CLI doesn't show any change and phase1 still doesn't connect. Another idea?
Thx
diag sniffer packet port4 'host x.x.x.x'
# x.x.x.x = strongswan
diag debug en
diag debug app ike 10

What do you see? PSK mismatch? No proposal? Do the peer IDs look good?

strongSwan:

ipsec statusall
ipsec restart
# these might come in handy
lsof -Pni :500
lsof -Pni :4500
tcpdump -nnnvvv -i <internet-facing intf> host y.y.y.y and udp
# y.y.y.y == fgt port4 local-address
Ken
PCNSE
NSE
StrongSwan
Hi Emnoc!
After changing ikev1 to ikev2 it connects without problem! The previous error was "No proposal".
Now I have the tunnel but no traffic; something is missing on the strongSwan side.
Any tip for this?
Hi!!
Finally it is working!!
On the box (OpenWrt) it is necessary to declare a zone such as VPN and put the ipsec0 interface into it. Permit forwarding between LAN and VPN and it is done!
:)
traposama wrote: Hi!!
Finally it is working!!
On the box (OpenWrt) it is necessary to declare a zone such as VPN and put the ipsec0 interface into it. Permit forwarding between LAN and VPN and it is done!
:)

Can you show working configs for both routers?