Hi,
I'm trying to set up a VPN between my FGT-60F (home office) and a remote cloud server running Linux (Ubuntu 20.04 + StrongSwan).
I think I managed to get through most of the issues, meaning:
- PSK authentication works
- phase 1 looks like it's established correctly and algorithms match
- phase 2 looks like algorithms match
However, the VPN would still not come up, stopping with a message that is somewhat cryptic to me:
```text
0:ovh-vps760438:ovh-vps760438: chosen to populate IKE_SA traffic-selectors
ike 0:ovh-vps760438: no suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation
ike 0:ovh-vps760438:1823: out [...]
ike 0:ovh-vps760438:1823: sent IKE msg (SA_INIT): 172.16.0.14:500->51.91.255.106:500, len=308, id=354e1a20824a9b81/0000000000000000
ike 0: comes 51.91.255.106:500->172.16.0.14:500,ifindex=6....
ike 0: IKEv2 exchange=SA_INIT_RESPONSE id=354e1a20824a9b81/ca2d8fa6dd09667f len=288
ike 0: in [...]
ike 0:ovh-vps760438:1823: initiator received SA_INIT response
ike 0:ovh-vps760438:1823: processing notify type NAT_DETECTION_SOURCE_IP
ike 0:ovh-vps760438:1823: processing NAT-D payload
ike 0:ovh-vps760438:1823: NAT detected: PEER
ike 0:ovh-vps760438:1823: process NAT-D
ike 0:ovh-vps760438:1823: processing notify type NAT_DETECTION_DESTINATION_IP
ike 0:ovh-vps760438:1823: processing NAT-D payload
ike 0:ovh-vps760438:1823: NAT detected: ME PEER
ike 0:ovh-vps760438:1823: process NAT-D
ike 0:ovh-vps760438:1823: processing notify type FRAGMENTATION_SUPPORTED
ike 0:ovh-vps760438:1823: processing notify type CHILDLESS_IKEV2_SUPPORTED
ike 0:ovh-vps760438:1823: processing notify type 16404
ike 0:ovh-vps760438:1823: incoming proposal:
ike 0:ovh-vps760438:1823: proposal id = 1:
ike 0:ovh-vps760438:1823: protocol = IKEv2:
ike 0:ovh-vps760438:1823: encapsulation = IKEv2/none
ike 0:ovh-vps760438:1823: type=ENCR, val=AES_GCM_16 (key_len = 256)
ike 0:ovh-vps760438:1823: type=PRF, val=PRF_HMAC_SHA2_384
ike 0:ovh-vps760438:1823: type=DH_GROUP, val=ECP384.
ike 0:ovh-vps760438:1823: matched proposal id 1
ike 0:ovh-vps760438:1823: proposal id = 1:
ike 0:ovh-vps760438:1823: protocol = IKEv2:
ike 0:ovh-vps760438:1823: encapsulation = IKEv2/none
ike 0:ovh-vps760438:1823: type=ENCR, val=AES_GCM_16 (key_len = 256)
ike 0:ovh-vps760438:1823: type=INTEGR, val=NONE
ike 0:ovh-vps760438:1823: type=PRF, val=PRF_HMAC_SHA2_384
ike 0:ovh-vps760438:1823: type=DH_GROUP, val=ECP384.
ike 0:ovh-vps760438:1823: lifetime=86400
ike 0:ovh-vps760438:1823: IKE SA 354e1a20824a9b81/ca2d8fa6dd09667f SK_ei 36:6E47FB4DBF18CFD5BC803B7E4F9F9824CBE7E05561C79D31BCB21FC91D8710149A274506
ike 0:ovh-vps760438:1823: IKE SA 354e1a20824a9b81/ca2d8fa6dd09667f SK_er 36:19FF686CDE8811BF49BD939B20D7260578B0BF3B5D7924208D86D6A3CC43256683942E9F
ike 0:ovh-vps760438:1823: initiator preparing AUTH msg
ike 0:ovh-vps760438:1823: sending INITIAL-CONTACT
ike 0:ovh-vps760438:1823: enc [...]
ike 0:ovh-vps760438:1823: detected NAT
ike 0:ovh-vps760438:1823: NAT-T float port 4500
ike 0:ovh-vps760438:1823: out [...]
ike 0:ovh-vps760438:1823: sent IKE msg (AUTH): 172.16.0.14:4500->51.91.255.106:4500, len=324, id=354e1a20824a9b81/ca2d8fa6dd09667f:00000001
ike 0: comes 51.91.255.106:4500->172.16.0.14:4500,ifindex=6....
ike 0: IKEv2 exchange=AUTH_RESPONSE id=354e1a20824a9b81/ca2d8fa6dd09667f:00000001 len=686
ike 0: in [...]
ike 0:ovh-vps760438:1823: dec [...]
ike 0:ovh-vps760438:1823: initiator received AUTH msg
ike 0:ovh-vps760438:1823: received peer identifier FQDN 'vps760438.ovh.net'
ike 0:ovh-vps760438:1823: auth verify done
ike 0:ovh-vps760438:1823: initiator AUTH continuation
ike 0:ovh-vps760438:1823: authentication failed
ike 0:ovh-vps760438:1823: schedule delete of IKE SA 354e1a20824a9b81/ca2d8fa6dd09667f
ike 0:ovh-vps760438:1823: scheduled delete of IKE SA 354e1a20824a9b81/ca2d8fa6dd09667f
ike 0:ovh-vps760438: connection expiring due to phase1 down
ike 0:ovh-vps760438: deleting
ike 0:ovh-vps760438: deleted
```
On the other end it looks like the tunnel is established, then it drops after a few seconds, probably because the FGT "hangs up", but I admit I'm no expert in IPsec.
Below is some log output from the strongSwan side:
```text
Apr 01 19:36:29 vps760438 ipsec[398212]: 03[NET] waiting for data on sockets
Apr 01 19:36:29 vps760438 ipsec[398212]: 07[MGR] checkout IKEv2 SA by message with SPIs 67274be175dd1bc8_i 0000000000000000_r
Apr 01 19:36:29 vps760438 ipsec[398212]: 07[MGR] created IKE_SA (unnamed)[584]
Apr 01 19:36:29 vps760438 ipsec[398212]: 07[NET] received packet: from 185.228.228.86[39224] to 51.91.255.106[500] (308 bytes)
Apr 01 19:36:29 vps760438 ipsec[398212]: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Apr 01 19:36:29 vps760438 ipsec[398212]: 07[CFG] looking for an IKEv2 config for 51.91.255.106...185.228.228.86
Apr 01 19:36:29 vps760438 ipsec[398212]: 07[CFG] candidate: %any...%any, prio 28
Apr 01 19:36:29 vps760438 ipsec[398212]: 07[CFG] found matching ike config: %any...%any with prio 28
Apr 01 19:36:29 vps760438 ipsec[398212]: 07[IKE] 185.228.228.86 is initiating an IKE_SA
Apr 01 19:36:29 vps760438 ipsec[398212]: 07[IKE] IKE_SA (unnamed)[584] state change: CREATED => CONNECTING
Apr 01 19:36:29 vps760438 ipsec[398212]: 07[CFG] selecting proposal:
Apr 01 19:36:29 vps760438 ipsec[398212]: 07[CFG] no acceptable ENCRYPTION_ALGORITHM found
Apr 01 19:36:29 vps760438 ipsec[398212]: 07[CFG] selecting proposal:
Apr 01 19:36:29 vps760438 ipsec[398212]: 07[CFG] no acceptable ENCRYPTION_ALGORITHM found
Apr 01 19:36:29 vps760438 ipsec[398212]: 07[CFG] selecting proposal:
Apr 01 19:36:29 vps760438 ipsec[398212]: 07[CFG] proposal matches
Apr 01 19:36:29 vps760438 charon[398212]: 07[MGR] checkout IKEv2 SA by message with SPIs 67274be175dd1bc8_i 0000000000000000_r
Apr 01 19:36:29 vps760438 charon[398212]: 07[MGR] created IKE_SA (unnamed)[584]
Apr 01 19:36:29 vps760438 charon[398212]: 07[NET] received packet: from 185.228.228.86[39224] to 51.91.255.106[500] (308 bytes)
Apr 01 19:36:29 vps760438 charon[398212]: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Apr 01 19:36:29 vps760438 charon[398212]: 07[CFG] looking for an IKEv2 config for 51.91.255.106...185.228.228.86
Apr 01 19:36:29 vps760438 charon[398212]: 07[CFG] candidate: %any...%any, prio 28
Apr 01 19:36:29 vps760438 charon[398212]: 07[CFG] found matching ike config: %any...%any with prio 28
Apr 01 19:36:29 vps760438 charon[398212]: 07[IKE] 185.228.228.86 is initiating an IKE_SA
Apr 01 19:36:29 vps760438 charon[398212]: 07[IKE] 185.228.228.86 is initiating an IKE_SA
Apr 01 19:36:29 vps760438 charon[398212]: 07[IKE] IKE_SA (unnamed)[584] state change: CREATED => CONNECTING
Apr 01 19:36:29 vps760438 charon[398212]: 07[CFG] selecting proposal:
Apr 01 19:36:29 vps760438 charon[398212]: 07[CFG] no acceptable ENCRYPTION_ALGORITHM found
Apr 01 19:36:29 vps760438 charon[398212]: 07[CFG] selecting proposal:
Apr 01 19:36:29 vps760438 charon[398212]: 07[CFG] no acceptable ENCRYPTION_ALGORITHM found
Apr 01 19:36:29 vps760438 charon[398212]: 07[CFG] selecting proposal:
Apr 01 19:36:29 vps760438 charon[398212]: 07[CFG] proposal matches
Apr 01 19:36:29 vps760438 charon[398212]: 07[CFG] received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384, IKE:CHACHA20_POLY1305_256/PRF_HMAC_SHA2_512/ECP_384
Apr 01 19:36:29 vps760438 charon[398212]: 07[CFG] configured proposals: IKE:CHACHA20_POLY1305/PRF_HMAC_SHA2_512/CURVE_25519, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384>
Apr 01 19:36:29 vps760438 charon[398212]: 07[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
Apr 01 19:36:29 vps760438 charon[398212]: 07[IKE] remote host is behind NAT
Apr 01 19:36:29 vps760438 charon[398212]: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Apr 01 19:36:29 vps760438 charon[398212]: 07[NET] sending packet: from 51.91.255.106[500] to 185.228.228.86[39224] (288 bytes)
Apr 01 19:36:29 vps760438 charon[398212]: 04[NET] sending packet: from 51.91.255.106[500] to 185.228.228.86[39224]
Apr 01 19:36:29 vps760438 charon[398212]: 07[MGR] checkin IKE_SA (unnamed)[584]
Apr 01 19:36:29 vps760438 charon[398212]: 07[MGR] checkin of IKE_SA successful
Apr 01 19:36:30 vps760438 charon[398212]: 03[NET] received packet: from 185.228.228.86[39221] to 51.91.255.106[4500]
Apr 01 19:36:30 vps760438 charon[398212]: 03[NET] waiting for data on sockets
Apr 01 19:36:30 vps760438 charon[398212]: 10[MGR] checkout IKEv2 SA by message with SPIs 67274be175dd1bc8_i 5f7a352a14e63199_r
Apr 01 19:36:30 vps760438 charon[398212]: 10[MGR] IKE_SA (unnamed)[584] successfully checked out
Apr 01 19:36:30 vps760438 charon[398212]: 10[NET] received packet: from 185.228.228.86[39221] to 51.91.255.106[4500] (324 bytes)
Apr 01 19:36:30 vps760438 charon[398212]: 10[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) AUTH N(MSG_ID_SYN_SUP) SA TSi TSr ]
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG] looking for peer configs matching 51.91.255.106[%any]...185.228.228.86[Fortigate_Objectif_2048]
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG] candidate "ipsec-ikev2-vpn", match: 1/1/28 (me/other/ike)
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG] selected peer config 'ipsec-ikev2-vpn'
Apr 01 19:36:30 vps760438 charon[398212]: 10[IKE] authentication of 'Fortigate_Objectif_2048' with pre-shared key successful
Apr 01 19:36:30 vps760438 charon[398212]: 10[IKE] authentication of 'vps760438.ovh.net' (myself) with RSA signature successful
Apr 01 19:36:30 vps760438 charon[398212]: 10[MGR] checkout IKEv2 SA with SPIs fb67216a095fdb06_i 71eeb8399d0a2f8d_r
Apr 01 19:36:30 vps760438 charon[398212]: 10[MGR] IKE_SA ipsec-ikev2-vpn[583] successfully checked out
Apr 01 19:36:30 vps760438 charon[398212]: 10[IKE] destroying duplicate IKE_SA for peer 'Fortigate_Objectif_2048', received INITIAL_CONTACT
Apr 01 19:36:30 vps760438 charon[398212]: 10[MGR] checkin and destroy IKE_SA ipsec-ikev2-vpn[583]
Apr 01 19:36:30 vps760438 charon[398212]: 10[IKE] IKE_SA ipsec-ikev2-vpn[583] state change: ESTABLISHED => DESTROYING
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL] deleting policy 0.0.0.0/0 === 192.168.0.0/16 out
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL] getting iface index for ens3
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL] deleting policy 192.168.0.0/16 === 0.0.0.0/0 in
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL] deleting policy 192.168.0.0/16 === 0.0.0.0/0 fwd
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL] deleting SAD entry with SPI c4eaa9b9
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL] deleted SAD entry with SPI c4eaa9b9
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL] deleting SAD entry with SPI b16bd695
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL] deleted SAD entry with SPI b16bd695
Apr 01 19:36:30 vps760438 charon[398212]: 10[MGR] checkin and destroy of IKE_SA successful
Apr 01 19:36:30 vps760438 charon[398212]: 10[IKE] IKE_SA ipsec-ikev2-vpn[584] established between 51.91.255.106[vps760438.ovh.net]...185.228.228.86[Fortigate_Objectif_20>
Apr 01 19:36:30 vps760438 charon[398212]: 10[IKE] IKE_SA ipsec-ikev2-vpn[584] established between 51.91.255.106[vps760438.ovh.net]...185.228.228.86[Fortigate_Objectif_20>
Apr 01 19:36:30 vps760438 charon[398212]: 10[IKE] IKE_SA ipsec-ikev2-vpn[584] state change: CONNECTING => ESTABLISHED
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG] looking for a child config for 0.0.0.0/0 === 192.168.0.0/16
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG] proposing traffic selectors for us:
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG] 0.0.0.0/0
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG] proposing traffic selectors for other:
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG] 192.168.0.0/16
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG] candidate "ipsec-ikev2-vpn" with prio 5+5
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG] found matching child config "ipsec-ikev2-vpn" with prio 10
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG] selecting proposal:
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG] no acceptable ENCRYPTION_ALGORITHM found
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG] selecting proposal:
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG] no acceptable ENCRYPTION_ALGORITHM found
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG] selecting proposal:
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG] no acceptable ENCRYPTION_ALGORITHM found
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG] selecting proposal:
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG] no acceptable ENCRYPTION_ALGORITHM found
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG] selecting proposal:
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG] proposal matches
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_GCM_16_256/NO_EXT_SEQ, ESP:CHACHA20_POLY1305_>
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG] configured proposals: ESP:CHACHA20_POLY1305/NO_EXT_SEQ, ESP:AES_GCM_16_256/ECP_384/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA>
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG] selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL] got SPI c67fad6a
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG] selecting traffic selectors for us:
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG] config: 0.0.0.0/0, received: 0.0.0.0/0 => match: 0.0.0.0/0
Apr 01 19:36:30 vps760438 ipsec[398212]: 07[CFG] received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384, IKE:CHACHA20_POLY1305_256/PRF_HMAC_SHA2_512/ECP_384
Apr 01 19:36:30 vps760438 ipsec[398212]: 07[CFG] configured proposals: IKE:CHACHA20_POLY1305/PRF_HMAC_SHA2_512/CURVE_25519, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384,>
Apr 01 19:36:30 vps760438 ipsec[398212]: 07[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
Apr 01 19:36:30 vps760438 ipsec[398212]: 07[IKE] remote host is behind NAT
Apr 01 19:36:30 vps760438 ipsec[398212]: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Apr 01 19:36:30 vps760438 ipsec[398212]: 07[NET] sending packet: from 51.91.255.106[500] to 185.228.228.86[39224] (288 bytes)
Apr 01 19:36:30 vps760438 ipsec[398212]: 04[NET] sending packet: from 51.91.255.106[500] to 185.228.228.86[39224]
Apr 01 19:36:30 vps760438 ipsec[398212]: 07[MGR] checkin IKE_SA (unnamed)[584]
Apr 01 19:36:30 vps760438 ipsec[398212]: 07[MGR] checkin of IKE_SA successful
Apr 01 19:36:30 vps760438 ipsec[398212]: 03[NET] received packet: from 185.228.228.86[39221] to 51.91.255.106[4500]
Apr 01 19:36:30 vps760438 ipsec[398212]: 03[NET] waiting for data on sockets
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[MGR] checkout IKEv2 SA by message with SPIs 67274be175dd1bc8_i 5f7a352a14e63199_r
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[MGR] IKE_SA (unnamed)[584] successfully checked out
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[NET] received packet: from 185.228.228.86[39221] to 51.91.255.106[4500] (324 bytes)
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) AUTH N(MSG_ID_SYN_SUP) SA TSi TSr ]
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG] looking for peer configs matching 51.91.255.106[%any]...185.228.228.86[Fortigate_Objectif_2048]
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG] candidate "ipsec-ikev2-vpn", match: 1/1/28 (me/other/ike)
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG] selected peer config 'ipsec-ikev2-vpn'
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[IKE] authentication of 'Fortigate_Objectif_2048' with pre-shared key successful
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[IKE] authentication of 'vps760438.ovh.net' (myself) with RSA signature successful
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[MGR] checkout IKEv2 SA with SPIs fb67216a095fdb06_i 71eeb8399d0a2f8d_r
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[MGR] IKE_SA ipsec-ikev2-vpn[583] successfully checked out
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[IKE] destroying duplicate IKE_SA for peer 'Fortigate_Objectif_2048', received INITIAL_CONTACT
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[MGR] checkin and destroy IKE_SA ipsec-ikev2-vpn[583]
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[IKE] IKE_SA ipsec-ikev2-vpn[583] state change: ESTABLISHED => DESTROYING
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG] selecting traffic selectors for other:
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[KNL] deleting policy 0.0.0.0/0 === 192.168.0.0/16 out
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[KNL] getting iface index for ens3
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[KNL] deleting policy 192.168.0.0/16 === 0.0.0.0/0 in
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[KNL] deleting policy 192.168.0.0/16 === 0.0.0.0/0 fwd
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[KNL] deleting SAD entry with SPI c4eaa9b9
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[KNL] deleted SAD entry with SPI c4eaa9b9
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[KNL] deleting SAD entry with SPI b16bd695
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[KNL] deleted SAD entry with SPI b16bd695
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[MGR] checkin and destroy of IKE_SA successful
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[IKE] IKE_SA ipsec-ikev2-vpn[584] established between 51.91.255.106[vps760438.ovh.net]...185.228.228.86[Fortigate_Objectif_204>
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[IKE] IKE_SA ipsec-ikev2-vpn[584] state change: CONNECTING => ESTABLISHED
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG] looking for a child config for 0.0.0.0/0 === 192.168.0.0/16
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG] proposing traffic selectors for us:
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG] 0.0.0.0/0
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG] proposing traffic selectors for other:
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG] 192.168.0.0/16
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG] candidate "ipsec-ikev2-vpn" with prio 5+5
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG] found matching child config "ipsec-ikev2-vpn" with prio 10
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG] selecting proposal:
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG] no acceptable ENCRYPTION_ALGORITHM found
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG] selecting proposal:
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG] no acceptable ENCRYPTION_ALGORITHM found
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG] selecting proposal:
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG] no acceptable ENCRYPTION_ALGORITHM found
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG] selecting proposal:
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG] no acceptable ENCRYPTION_ALGORITHM found
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG] selecting proposal:
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG] proposal matches
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_GCM_16_256/NO_EXT_SEQ, ESP:CHACHA20_POLY1305_2>
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG] configured proposals: ESP:CHACHA20_POLY1305/NO_EXT_SEQ, ESP:AES_GCM_16_256/ECP_384/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2>
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG] selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[KNL] got SPI c67fad6a
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG] selecting traffic selectors for us:
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG] config: 0.0.0.0/0, received: 0.0.0.0/0 => match: 0.0.0.0/0
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG] selecting traffic selectors for other:
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG] config: 192.168.0.0/16, received: 192.168.0.0/16 => match: 192.168.0.0/16
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG] config: 192.168.0.0/16, received: 192.168.0.0/16 => match: 192.168.0.0/16
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL] adding SAD entry with SPI c67fad6a and reqid {584}
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL] using encryption algorithm AES_GCM_16 with key size 288
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL] using replay window of 32 packets
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL] HW offload: no
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL] adding SAD entry with SPI b16bd696 and reqid {584}
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL] using encryption algorithm AES_GCM_16 with key size 288
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL] using replay window of 0 packets
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL] HW offload: no
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL] adding policy 192.168.0.0/16 === 0.0.0.0/0 in [priority 391807, refcount 1]
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL] adding policy 192.168.0.0/16 === 0.0.0.0/0 fwd [priority 391807, refcount 1]
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL] adding policy 0.0.0.0/0 === 192.168.0.0/16 out [priority 391807, refcount 1]
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL] getting a local address in traffic selector 0.0.0.0/0
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL] using host %any
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL] getting iface name for index 2
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL] using 51.91.248.1 as nexthop and ens3 as dev to reach 185.228.228.86/32
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL] installing route: 192.168.0.0/16 via 51.91.248.1 src %any dev ens3
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL] getting iface index for ens3
Apr 01 19:36:30 vps760438 charon[398212]: 10[IKE] CHILD_SA ipsec-ikev2-vpn{584} established with SPIs c67fad6a_i b16bd696_o and TS 0.0.0.0/0 === 192.168.0.0/16
Apr 01 19:36:30 vps760438 charon[398212]: 10[IKE] CHILD_SA ipsec-ikev2-vpn{584} established with SPIs c67fad6a_i b16bd696_o and TS 0.0.0.0/0 === 192.168.0.0/16
Apr 01 19:36:30 vps760438 charon[398212]: 10[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
Apr 01 19:36:30 vps760438 charon[398212]: 10[NET] sending packet: from 51.91.255.106[4500] to 185.228.228.86[39221] (686 bytes)
Apr 01 19:36:30 vps760438 charon[398212]: 04[NET] sending packet: from 51.91.255.106[4500] to 185.228.228.86[39221]
Apr 01 19:36:30 vps760438 charon[398212]: 10[MGR] checkin IKE_SA ipsec-ikev2-vpn[584]
Apr 01 19:36:30 vps760438 charon[398212]: 10[MGR] checkin of IKE_SA successful
Apr 01 19:36:30 vps760438 charon[398212]: 16[MGR] checkout IKEv2 SA with SPIs 6c3a6b48b9bdc31e_i f9c5ba4b82d79332_r
Apr 01 19:36:30 vps760438 charon[398212]: 16[MGR] IKE_SA checkout not successful
Apr 01 19:36:31 vps760438 charon[398212]: 14[MGR] checkout IKEv2 SA with SPIs 0165b10847331dee_i 8997151eed4c282b_r
Apr 01 19:36:31 vps760438 charon[398212]: 14[MGR] IKE_SA checkout not successful
```
Would somebody have suggestions on things to look at?
Thanks in advance!
I finally found the issue and would like to log it here in case somebody makes the same mistake I did.
The issue was simply that the strongSwan server was not set properly in PSK mode and would therefore reply with a certificate instead of a PSK. This caused the FGT to hang up due to an authentication failure on its side.
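The strongSwan log in the question already shows this asymmetry if you know where to look: `authentication of 'Fortigate_Objectif_2048' with pre-shared key successful` (the FortiGate was verified by PSK) is followed directly by `authentication of 'vps760438.ovh.net' (myself) with RSA signature successful` (the server signed its own AUTH payload with its certificate key). IKEv2 lets each peer pick its authentication method independently, so charon reaches ESTABLISHED and installs the CHILD_SA, while the FortiGate, whose phase1 expects a PSK, rejects the RSA AUTH and logs nothing more specific than `authentication failed` before deleting the IKE SA. The repeated `no acceptable ENCRYPTION_ALGORITHM found` lines are only charon walking through the proposal list and end in `proposal matches`, so they are not the fault. The following `ipsec.conf` is an added, reconstructed example and not the poster's actual configuration (which is not in the thread): the connection name, identities, addresses and subnets are taken from the log, the `ike`/`esp` strings are assumed to match the proposals charon selected, and the secret is a placeholder.

```conf
# Reconstructed /etc/ipsec.conf for the strongSwan responder (vps760438.ovh.net).
# Added example, not the poster's real file: names, IDs, addresses and subnets
# come from the log in the thread; the proposal strings and the secret are assumed.

# --- BEFORE: only the FortiGate is required to use the PSK ----------------------
# leftauth is not set, so the legacy starter derives the local method from the
# deprecated authby setting, whose default is pubkey. charon therefore signs its
# own AUTH payload with the host's RSA key, which is exactly what the log reports:
#   authentication of 'Fortigate_Objectif_2048' with pre-shared key successful
#   authentication of 'vps760438.ovh.net' (myself) with RSA signature successful
# A FortiGate phase1 configured for PSK does not accept that and tears the
# IKE SA down with "authentication failed".
# (Shown under a different name so both blocks can sit in one file for comparison;
# keep only the fixed one.)
conn ipsec-ikev2-vpn-broken
    keyexchange=ikev2
    left=51.91.255.106
    leftid=vps760438.ovh.net
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=Fortigate_Objectif_2048
    rightsubnet=192.168.0.0/16
    rightauth=psk
    ike=aes256gcm16-prfsha384-ecp384!
    esp=aes256gcm16!
    auto=add

# --- AFTER: both peers authenticate with the pre-shared key ---------------------
conn ipsec-ikev2-vpn
    keyexchange=ikev2
    left=51.91.255.106
    leftid=vps760438.ovh.net
    leftsubnet=0.0.0.0/0
    leftauth=psk
    right=%any
    rightid=Fortigate_Objectif_2048
    rightsubnet=192.168.0.0/16
    rightauth=psk
    ike=aes256gcm16-prfsha384-ecp384!
    esp=aes256gcm16!
    auto=add

# /etc/ipsec.secrets: the PSK entry is selected by the two identities. The RSA
# line for the host certificate is not needed for this connection any more.
# vps760438.ovh.net Fortigate_Objectif_2048 : PSK "REPLACE_WITH_A_LONG_RANDOM_SECRET"
```

`authby=secret` in the `conn` block has the same effect as the two `leftauth=psk`/`rightauth=psk` lines, but the per-side keywords make the intent explicit and are what the strongSwan documentation recommends for IKEv2. After editing, `ipsec reload` and `ipsec rereadsecrets` pick up the change; a correct setup then shows `with pre-shared key successful` for both identities in the charon log, and the FortiGate side proceeds past `auth verify done` without the `authentication failed` line.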
Copyright 2024 Fortinet, Inc. All Rights Reserved.