mmutz
New Contributor

VPN to Linux server

Hi,

 

I'm trying to set up a VPN between my FGT-60F (home office) and a remote cloud server running Linux (Ubuntu 20.04 + StrongSwan).

 

I think I managed to get through most of the issues, meaning:

- PSK authentication works

- phase 1 looks like it's established correctly and algorithms match

- phase 2 looks like algorithms match

 

However, the VPN would still not come up, stopping with a message that was somewhat cryptic to me:

0:ovh-vps760438:ovh-vps760438: chosen to populate IKE_SA traffic-selectors
ike 0:ovh-vps760438: no suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation
ike 0:ovh-vps760438:1823: out
ike 0:ovh-vps760438:1823: sent IKE msg (SA_INIT): 172.16.0.14:500->51.91.255.106:500, len=308, id=354e1a20824a9b81/0000000000000000
iike 0: comes 51.91.255.106:500->172.16.0.14:500,ifindex=6....
ike 0: IKEv2 exchange=SA_INIT_RESPONSE id=354e1a20824a9b81/ca2d8fa6dd09667f len=288
ike 0: in
ike 0:ovh-vps760438:1823: initiator received SA_INIT response
ike 0:ovh-vps760438:1823: processing notify type NAT_DETECTION_SOURCE_IP
ike 0:ovh-vps760438:1823: processing NAT-D payload
ike 0:ovh-vps760438:1823: NAT detected: PEER
ike 0:ovh-vps760438:1823: process NAT-D
ike 0:ovh-vps760438:1823: processing notify type NAT_DETECTION_DESTINATION_IP
ike 0:ovh-vps760438:1823: processing NAT-D payload
ike 0:ovh-vps760438:1823: NAT detected: ME PEER
ike 0:ovh-vps760438:1823: process NAT-D
ike 0:ovh-vps760438:1823: processing notify type FRAGMENTATION_SUPPORTED
ike 0:ovh-vps760438:1823: processing notify type CHILDLESS_IKEV2_SUPPORTED
ike 0:ovh-vps760438:1823: processing notify type 16404
ike 0:ovh-vps760438:1823: incoming proposal:
ike 0:ovh-vps760438:1823: proposal id = 1:
ike 0:ovh-vps760438:1823:   protocol = IKEv2:
ike 0:ovh-vps760438:1823:      encapsulation = IKEv2/none
ike 0:ovh-vps760438:1823:         type=ENCR, val=AES_GCM_16 (key_len = 256)
ike 0:ovh-vps760438:1823:         type=PRF, val=PRF_HMAC_SHA2_384
ike 0:ovh-vps760438:1823:         type=DH_GROUP, val=ECP384.
ike 0:ovh-vps760438:1823: matched proposal id 1
ike 0:ovh-vps760438:1823: proposal id = 1:
ike 0:ovh-vps760438:1823:   protocol = IKEv2:
ike 0:ovh-vps760438:1823:      encapsulation = IKEv2/none
ike 0:ovh-vps760438:1823:         type=ENCR, val=AES_GCM_16 (key_len = 256)
ike 0:ovh-vps760438:1823:         type=INTEGR, val=NONE
ike 0:ovh-vps760438:1823:         type=PRF, val=PRF_HMAC_SHA2_384
ike 0:ovh-vps760438:1823:         type=DH_GROUP, val=ECP384.
ike 0:ovh-vps760438:1823: lifetime=86400
ike 0:ovh-vps760438:1823: IKE SA 354e1a20824a9b81/ca2d8fa6dd09667f SK_ei 36:6E47FB4DBF18CFD5BC803B7E4F9F9824CBE7E05561C79D31BCB21FC91D8710149A274506
ike 0:ovh-vps760438:1823: IKE SA 354e1a20824a9b81/ca2d8fa6dd09667f SK_er 36:19FF686CDE8811BF49BD939B20D7260578B0BF3B5D7924208D86D6A3CC43256683942E9F
ike 0:ovh-vps760438:1823: initiator preparing AUTH msg
ike 0:ovh-vps760438:1823: sending INITIAL-CONTACT
ike 0:ovh-vps760438:1823: enc
ike 0:ovh-vps760438:1823: detected NAT
ike 0:ovh-vps760438:1823: NAT-T float port 4500
ike 0:ovh-vps760438:1823: out
ike 0:ovh-vps760438:1823: sent IKE msg (AUTH): 172.16.0.14:4500->51.91.255.106:4500, len=324, id=354e1a20824a9b81/ca2d8fa6dd09667f:00000001
sike 0: comes 51.91.255.106:4500->172.16.0.14:4500,ifindex=6....
ike 0: IKEv2 exchange=AUTH_RESPONSE id=354e1a20824a9b81/ca2d8fa6dd09667f:00000001 len=686
ike 0: in
ike 0:ovh-vps760438:1823: dec
ike 0:ovh-vps760438:1823: initiator received AUTH msg
ike 0:ovh-vps760438:1823: received peer identifier FQDN 'vps760438.ovh.net'
ike 0:ovh-vps760438:1823: auth verify done
ike 0:ovh-vps760438:1823: initiator AUTH continuation
ike 0:ovh-vps760438:1823: authentication failed
ike 0:ovh-vps760438:1823: schedule delete of IKE SA 354e1a20824a9b81/ca2d8fa6dd09667f
ike 0:ovh-vps760438:1823: scheduled delete of IKE SA 354e1a20824a9b81/ca2d8fa6dd09667f
ike 0:ovh-vps760438: connection expiring due to phase1 down
ike 0:ovh-vps760438: deleting
ike 0:ovh-vps760438: deleted

On the other end it looks like the tunnel is established, then drops after a few seconds, probably because the FGT "hangs up", but I admit I'm no expert in IPsec.

 

Below is some of the log from the strongSwan side:

 

Apr 01 19:36:29 vps760438 ipsec[398212]: 03[NET] waiting for data on sockets
Apr 01 19:36:29 vps760438 ipsec[398212]: 07[MGR] checkout IKEv2 SA by message with SPIs 67274be175dd1bc8_i 0000000000000000_r
Apr 01 19:36:29 vps760438 ipsec[398212]: 07[MGR] created IKE_SA (unnamed)[584]
Apr 01 19:36:29 vps760438 ipsec[398212]: 07[NET] received packet: from 185.228.228.86[39224] to 51.91.255.106[500] (308 bytes)
Apr 01 19:36:29 vps760438 ipsec[398212]: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Apr 01 19:36:29 vps760438 ipsec[398212]: 07[CFG] looking for an IKEv2 config for 51.91.255.106...185.228.228.86
Apr 01 19:36:29 vps760438 ipsec[398212]: 07[CFG]   candidate: %any...%any, prio 28
Apr 01 19:36:29 vps760438 ipsec[398212]: 07[CFG] found matching ike config: %any...%any with prio 28
Apr 01 19:36:29 vps760438 ipsec[398212]: 07[IKE] 185.228.228.86 is initiating an IKE_SA
Apr 01 19:36:29 vps760438 ipsec[398212]: 07[IKE] IKE_SA (unnamed)[584] state change: CREATED => CONNECTING
Apr 01 19:36:29 vps760438 ipsec[398212]: 07[CFG] selecting proposal:
Apr 01 19:36:29 vps760438 ipsec[398212]: 07[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Apr 01 19:36:29 vps760438 ipsec[398212]: 07[CFG] selecting proposal:
Apr 01 19:36:29 vps760438 ipsec[398212]: 07[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Apr 01 19:36:29 vps760438 ipsec[398212]: 07[CFG] selecting proposal:
Apr 01 19:36:29 vps760438 ipsec[398212]: 07[CFG]   proposal matches
Apr 01 19:36:29 vps760438 charon[398212]: 07[MGR] checkout IKEv2 SA by message with SPIs 67274be175dd1bc8_i 0000000000000000_r
Apr 01 19:36:29 vps760438 charon[398212]: 07[MGR] created IKE_SA (unnamed)[584]
Apr 01 19:36:29 vps760438 charon[398212]: 07[NET] received packet: from 185.228.228.86[39224] to 51.91.255.106[500] (308 bytes)
Apr 01 19:36:29 vps760438 charon[398212]: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Apr 01 19:36:29 vps760438 charon[398212]: 07[CFG] looking for an IKEv2 config for 51.91.255.106...185.228.228.86
Apr 01 19:36:29 vps760438 charon[398212]: 07[CFG]   candidate: %any...%any, prio 28
Apr 01 19:36:29 vps760438 charon[398212]: 07[CFG] found matching ike config: %any...%any with prio 28
Apr 01 19:36:29 vps760438 charon[398212]: 07[IKE] 185.228.228.86 is initiating an IKE_SA
Apr 01 19:36:29 vps760438 charon[398212]: 07[IKE] 185.228.228.86 is initiating an IKE_SA
Apr 01 19:36:29 vps760438 charon[398212]: 07[IKE] IKE_SA (unnamed)[584] state change: CREATED => CONNECTING
Apr 01 19:36:29 vps760438 charon[398212]: 07[CFG] selecting proposal:
Apr 01 19:36:29 vps760438 charon[398212]: 07[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Apr 01 19:36:29 vps760438 charon[398212]: 07[CFG] selecting proposal:
Apr 01 19:36:29 vps760438 charon[398212]: 07[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Apr 01 19:36:29 vps760438 charon[398212]: 07[CFG] selecting proposal:
Apr 01 19:36:29 vps760438 charon[398212]: 07[CFG]   proposal matches
Apr 01 19:36:29 vps760438 charon[398212]: 07[CFG] received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384, IKE:CHACHA20_POLY1305_256/PRF_HMAC_SHA2_512/ECP_384
Apr 01 19:36:29 vps760438 charon[398212]: 07[CFG] configured proposals: IKE:CHACHA20_POLY1305/PRF_HMAC_SHA2_512/CURVE_25519, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384>
Apr 01 19:36:29 vps760438 charon[398212]: 07[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
Apr 01 19:36:29 vps760438 charon[398212]: 07[IKE] remote host is behind NAT
Apr 01 19:36:29 vps760438 charon[398212]: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Apr 01 19:36:29 vps760438 charon[398212]: 07[NET] sending packet: from 51.91.255.106[500] to 185.228.228.86[39224] (288 bytes)
Apr 01 19:36:29 vps760438 charon[398212]: 04[NET] sending packet: from 51.91.255.106[500] to 185.228.228.86[39224]
Apr 01 19:36:29 vps760438 charon[398212]: 07[MGR] checkin IKE_SA (unnamed)[584]
Apr 01 19:36:29 vps760438 charon[398212]: 07[MGR] checkin of IKE_SA successful
Apr 01 19:36:30 vps760438 charon[398212]: 03[NET] received packet: from 185.228.228.86[39221] to 51.91.255.106[4500]
Apr 01 19:36:30 vps760438 charon[398212]: 03[NET] waiting for data on sockets
Apr 01 19:36:30 vps760438 charon[398212]: 10[MGR] checkout IKEv2 SA by message with SPIs 67274be175dd1bc8_i 5f7a352a14e63199_r
Apr 01 19:36:30 vps760438 charon[398212]: 10[MGR] IKE_SA (unnamed)[584] successfully checked out
Apr 01 19:36:30 vps760438 charon[398212]: 10[NET] received packet: from 185.228.228.86[39221] to 51.91.255.106[4500] (324 bytes)
Apr 01 19:36:30 vps760438 charon[398212]: 10[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) AUTH N(MSG_ID_SYN_SUP) SA TSi TSr ]
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG] looking for peer configs matching 51.91.255.106[%any]...185.228.228.86[Fortigate_Objectif_2048]
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG]   candidate "ipsec-ikev2-vpn", match: 1/1/28 (me/other/ike)
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG] selected peer config 'ipsec-ikev2-vpn'
Apr 01 19:36:30 vps760438 charon[398212]: 10[IKE] authentication of 'Fortigate_Objectif_2048' with pre-shared key successful
Apr 01 19:36:30 vps760438 charon[398212]: 10[IKE] authentication of 'vps760438.ovh.net' (myself) with RSA signature successful
Apr 01 19:36:30 vps760438 charon[398212]: 10[MGR] checkout IKEv2 SA with SPIs fb67216a095fdb06_i 71eeb8399d0a2f8d_r
Apr 01 19:36:30 vps760438 charon[398212]: 10[MGR] IKE_SA ipsec-ikev2-vpn[583] successfully checked out
Apr 01 19:36:30 vps760438 charon[398212]: 10[IKE] destroying duplicate IKE_SA for peer 'Fortigate_Objectif_2048', received INITIAL_CONTACT
Apr 01 19:36:30 vps760438 charon[398212]: 10[MGR] checkin and destroy IKE_SA ipsec-ikev2-vpn[583]
Apr 01 19:36:30 vps760438 charon[398212]: 10[IKE] IKE_SA ipsec-ikev2-vpn[583] state change: ESTABLISHED => DESTROYING
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL] deleting policy 0.0.0.0/0 === 192.168.0.0/16 out
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL] getting iface index for ens3
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL] deleting policy 192.168.0.0/16 === 0.0.0.0/0 in
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL] deleting policy 192.168.0.0/16 === 0.0.0.0/0 fwd
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL] deleting SAD entry with SPI c4eaa9b9
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL] deleted SAD entry with SPI c4eaa9b9
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL] deleting SAD entry with SPI b16bd695
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL] deleted SAD entry with SPI b16bd695
Apr 01 19:36:30 vps760438 charon[398212]: 10[MGR] checkin and destroy of IKE_SA successful
Apr 01 19:36:30 vps760438 charon[398212]: 10[IKE] IKE_SA ipsec-ikev2-vpn[584] established between 51.91.255.106[vps760438.ovh.net]...185.228.228.86[Fortigate_Objectif_20>
Apr 01 19:36:30 vps760438 charon[398212]: 10[IKE] IKE_SA ipsec-ikev2-vpn[584] established between 51.91.255.106[vps760438.ovh.net]...185.228.228.86[Fortigate_Objectif_20>
Apr 01 19:36:30 vps760438 charon[398212]: 10[IKE] IKE_SA ipsec-ikev2-vpn[584] state change: CONNECTING => ESTABLISHED
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG] looking for a child config for 0.0.0.0/0 === 192.168.0.0/16
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG] proposing traffic selectors for us:
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG]  0.0.0.0/0
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG] proposing traffic selectors for other:
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG]  192.168.0.0/16
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG]   candidate "ipsec-ikev2-vpn" with prio 5+5
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG] found matching child config "ipsec-ikev2-vpn" with prio 10
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG] selecting proposal:
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG] selecting proposal:
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG] selecting proposal:
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG] selecting proposal:
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG] selecting proposal:
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG]   proposal matches
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_GCM_16_256/NO_EXT_SEQ, ESP:CHACHA20_POLY1305_>
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG] configured proposals: ESP:CHACHA20_POLY1305/NO_EXT_SEQ, ESP:AES_GCM_16_256/ECP_384/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA>
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG] selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL] got SPI c67fad6a
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG] selecting traffic selectors for us:
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG]  config: 0.0.0.0/0, received: 0.0.0.0/0 => match: 0.0.0.0/0
Apr 01 19:36:30 vps760438 ipsec[398212]: 07[CFG] received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384, IKE:CHACHA20_POLY1305_256/PRF_HMAC_SHA2_512/ECP_384
Apr 01 19:36:30 vps760438 ipsec[398212]: 07[CFG] configured proposals: IKE:CHACHA20_POLY1305/PRF_HMAC_SHA2_512/CURVE_25519, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384,>
Apr 01 19:36:30 vps760438 ipsec[398212]: 07[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
Apr 01 19:36:30 vps760438 ipsec[398212]: 07[IKE] remote host is behind NAT
Apr 01 19:36:30 vps760438 ipsec[398212]: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Apr 01 19:36:30 vps760438 ipsec[398212]: 07[NET] sending packet: from 51.91.255.106[500] to 185.228.228.86[39224] (288 bytes)
Apr 01 19:36:30 vps760438 ipsec[398212]: 04[NET] sending packet: from 51.91.255.106[500] to 185.228.228.86[39224]
Apr 01 19:36:30 vps760438 ipsec[398212]: 07[MGR] checkin IKE_SA (unnamed)[584]
Apr 01 19:36:30 vps760438 ipsec[398212]: 07[MGR] checkin of IKE_SA successful
Apr 01 19:36:30 vps760438 ipsec[398212]: 03[NET] received packet: from 185.228.228.86[39221] to 51.91.255.106[4500]
Apr 01 19:36:30 vps760438 ipsec[398212]: 03[NET] waiting for data on sockets
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[MGR] checkout IKEv2 SA by message with SPIs 67274be175dd1bc8_i 5f7a352a14e63199_r
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[MGR] IKE_SA (unnamed)[584] successfully checked out
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[NET] received packet: from 185.228.228.86[39221] to 51.91.255.106[4500] (324 bytes)
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) AUTH N(MSG_ID_SYN_SUP) SA TSi TSr ]
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG] looking for peer configs matching 51.91.255.106[%any]...185.228.228.86[Fortigate_Objectif_2048]
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG]   candidate "ipsec-ikev2-vpn", match: 1/1/28 (me/other/ike)
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG] selected peer config 'ipsec-ikev2-vpn'
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[IKE] authentication of 'Fortigate_Objectif_2048' with pre-shared key successful
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[IKE] authentication of 'vps760438.ovh.net' (myself) with RSA signature successful
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[MGR] checkout IKEv2 SA with SPIs fb67216a095fdb06_i 71eeb8399d0a2f8d_r
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[MGR] IKE_SA ipsec-ikev2-vpn[583] successfully checked out
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[IKE] destroying duplicate IKE_SA for peer 'Fortigate_Objectif_2048', received INITIAL_CONTACT
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[MGR] checkin and destroy IKE_SA ipsec-ikev2-vpn[583]
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[IKE] IKE_SA ipsec-ikev2-vpn[583] state change: ESTABLISHED => DESTROYING
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG] selecting traffic selectors for other:
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[KNL] deleting policy 0.0.0.0/0 === 192.168.0.0/16 out
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[KNL] getting iface index for ens3
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[KNL] deleting policy 192.168.0.0/16 === 0.0.0.0/0 in
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[KNL] deleting policy 192.168.0.0/16 === 0.0.0.0/0 fwd
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[KNL] deleting SAD entry with SPI c4eaa9b9
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[KNL] deleted SAD entry with SPI c4eaa9b9
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[KNL] deleting SAD entry with SPI b16bd695
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[KNL] deleted SAD entry with SPI b16bd695
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[MGR] checkin and destroy of IKE_SA successful
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[IKE] IKE_SA ipsec-ikev2-vpn[584] established between 51.91.255.106[vps760438.ovh.net]...185.228.228.86[Fortigate_Objectif_204>
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[IKE] IKE_SA ipsec-ikev2-vpn[584] state change: CONNECTING => ESTABLISHED
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG] looking for a child config for 0.0.0.0/0 === 192.168.0.0/16
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG] proposing traffic selectors for us:
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG]  0.0.0.0/0
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG] proposing traffic selectors for other:
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG]  192.168.0.0/16
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG]   candidate "ipsec-ikev2-vpn" with prio 5+5
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG] found matching child config "ipsec-ikev2-vpn" with prio 10
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG] selecting proposal:
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG] selecting proposal:
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG] selecting proposal:
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG] selecting proposal:
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG] selecting proposal:
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG]   proposal matches
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_GCM_16_256/NO_EXT_SEQ, ESP:CHACHA20_POLY1305_2>
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG] configured proposals: ESP:CHACHA20_POLY1305/NO_EXT_SEQ, ESP:AES_GCM_16_256/ECP_384/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2>
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG] selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[KNL] got SPI c67fad6a
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG] selecting traffic selectors for us:
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG]  config: 0.0.0.0/0, received: 0.0.0.0/0 => match: 0.0.0.0/0
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG] selecting traffic selectors for other:
Apr 01 19:36:30 vps760438 ipsec[398212]: 10[CFG]  config: 192.168.0.0/16, received: 192.168.0.0/16 => match: 192.168.0.0/16
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG]  config: 192.168.0.0/16, received: 192.168.0.0/16 => match: 192.168.0.0/16
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL] adding SAD entry with SPI c67fad6a and reqid {584}
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL]   using encryption algorithm AES_GCM_16 with key size 288
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL]   using replay window of 32 packets
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL]   HW offload: no
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL] adding SAD entry with SPI b16bd696 and reqid {584}
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL]   using encryption algorithm AES_GCM_16 with key size 288
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL]   using replay window of 0 packets
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL]   HW offload: no
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL] adding policy 192.168.0.0/16 === 0.0.0.0/0 in [priority 391807, refcount 1]
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL] adding policy 192.168.0.0/16 === 0.0.0.0/0 fwd [priority 391807, refcount 1]
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL] adding policy 0.0.0.0/0 === 192.168.0.0/16 out [priority 391807, refcount 1]
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL] getting a local address in traffic selector 0.0.0.0/0
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL] using host %any
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL] getting iface name for index 2
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL] using 51.91.248.1 as nexthop and ens3 as dev to reach 185.228.228.86/32
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL] installing route: 192.168.0.0/16 via 51.91.248.1 src %any dev ens3
Apr 01 19:36:30 vps760438 charon[398212]: 10[KNL] getting iface index for ens3
Apr 01 19:36:30 vps760438 charon[398212]: 10[IKE] CHILD_SA ipsec-ikev2-vpn{584} established with SPIs c67fad6a_i b16bd696_o and TS 0.0.0.0/0 === 192.168.0.0/16
Apr 01 19:36:30 vps760438 charon[398212]: 10[IKE] CHILD_SA ipsec-ikev2-vpn{584} established with SPIs c67fad6a_i b16bd696_o and TS 0.0.0.0/0 === 192.168.0.0/16
Apr 01 19:36:30 vps760438 charon[398212]: 10[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
Apr 01 19:36:30 vps760438 charon[398212]: 10[NET] sending packet: from 51.91.255.106[4500] to 185.228.228.86[39221] (686 bytes)
Apr 01 19:36:30 vps760438 charon[398212]: 04[NET] sending packet: from 51.91.255.106[4500] to 185.228.228.86[39221]
Apr 01 19:36:30 vps760438 charon[398212]: 10[MGR] checkin IKE_SA ipsec-ikev2-vpn[584]
Apr 01 19:36:30 vps760438 charon[398212]: 10[MGR] checkin of IKE_SA successful
Apr 01 19:36:30 vps760438 charon[398212]: 16[MGR] checkout IKEv2 SA with SPIs 6c3a6b48b9bdc31e_i f9c5ba4b82d79332_r
Apr 01 19:36:30 vps760438 charon[398212]: 16[MGR] IKE_SA checkout not successful
Apr 01 19:36:31 vps760438 charon[398212]: 14[MGR] checkout IKEv2 SA with SPIs 0165b10847331dee_i 8997151eed4c282b_r
Apr 01 19:36:31 vps760438 charon[398212]: 14[MGR] IKE_SA checkout not successful

Would somebody have suggestions on things to look at?

 

Thanks in advance!

mmutz
New Contributor

I finally found the issue and would like to log it here in case somebody makes the same mistake I did.

 

The issue was simply that the strongSwan server was not properly set to PSK mode and would therefore reply with a certificate instead of a PSK. This caused the FGT to hang up due to an authentication failure on its side.
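The strongSwan log in the question actually shows this: IKEv2 lets each side authenticate with a different method, so charon accepted the FortiGate's PSK ("authentication of 'Fortigate_Objectif_2048' with pre-shared key successful") and then signed its own AUTH payload with its RSA key ("authentication of 'vps760438.ovh.net' (myself) with RSA signature successful"). The FortiGate, expecting PSK in both directions, rejects that and tears the IKE SA down. The following is an added example, not code from the post, from strongSwan or from Fortinet: it parses charon log lines to flag an IKE SA whose two sides did not both use the expected method, and checks an ipsec.conf conn block for the `leftauth`/`rightauth` pair that puts both sides on PSK. The sample log lines are copied from the thread; the two conn blocks are hypothetical (the poster's real configuration is not shown), and grouping the two AUTH lines by charon worker thread is an assumption stated in the code.

```python
"""Detect asymmetric IKEv2 authentication in strongSwan (charon) logs and
check an ipsec.conf conn block for a consistent PSK setup.

Added example; not code from the forum post, strongSwan or Fortinet.
"""
import re
from collections import defaultdict

# charon prints one line per authenticated side, e.g.
#   10[IKE] authentication of 'peer-id' with pre-shared key successful
#   10[IKE] authentication of 'my-id' (myself) with RSA signature successful
AUTH_RE = re.compile(
    r"(?P<thread>\d+)\[IKE\] authentication of '(?P<identity>[^']+)'"
    r"(?P<myself> \(myself\))? with (?P<method>.+?) successful"
)


def find_auth_mismatches(lines, expected="pre-shared key"):
    """Return one finding per IKE_SA whose two sides did not both use `expected`.

    Assumption: the peer's and our own AUTH lines of one exchange are written by
    the same charon worker thread (the "10[IKE]" prefix), so lines are grouped
    by that thread id rather than by an SA name charon may not have assigned yet.
    """
    by_thread = defaultdict(dict)
    for line in lines:
        m = AUTH_RE.search(line)
        if not m:
            continue
        side = "local" if m.group("myself") else "peer"
        by_thread[m.group("thread")][side] = (m.group("identity"), m.group("method"))

    findings = []
    for thread, sides in by_thread.items():
        if "peer" not in sides or "local" not in sides:
            continue  # only half of the exchange seen; nothing to compare
        (peer_id, peer_method), (local_id, local_method) = sides["peer"], sides["local"]
        if peer_method != expected or local_method != expected:
            findings.append({
                "thread": thread,
                "peer_identity": peer_id, "peer_method": peer_method,
                "local_identity": local_id, "local_method": local_method,
            })
    return findings


def check_psk_conn(conn_text):
    """List the sides of an ipsec.conf conn block that would NOT authenticate with PSK.

    Follows strongSwan's ipsec.conf rules: a per-side leftauth/rightauth wins;
    otherwise authby=secret means PSK for both sides and anything else
    (including the default, pubkey) means certificate/RSA authentication.
    """
    settings = {}
    for raw in conn_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if "=" in line and not line.startswith("conn "):
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = value
    default = "psk" if settings.get("authby") == "secret" else "pubkey"
    problems = []
    for side in ("left", "right"):
        method = settings.get(f"{side}auth", default)
        if method != "psk":
            problems.append(f"{side}auth resolves to '{method}', not 'psk'")
    return problems


# Constructed sample: the two AUTH lines from the thread's strongSwan log,
# plus their neighbours, in the same journal format.
SAMPLE_LOG = """\
Apr 01 19:36:30 vps760438 charon[398212]: 10[CFG] selected peer config 'ipsec-ikev2-vpn'
Apr 01 19:36:30 vps760438 charon[398212]: 10[IKE] authentication of 'Fortigate_Objectif_2048' with pre-shared key successful
Apr 01 19:36:30 vps760438 charon[398212]: 10[IKE] authentication of 'vps760438.ovh.net' (myself) with RSA signature successful
Apr 01 19:36:30 vps760438 charon[398212]: 10[IKE] IKE_SA ipsec-ikev2-vpn[584] state change: CONNECTING => ESTABLISHED
""".splitlines()

# Hypothetical conn blocks (not the poster's real config). The first pins only
# the remote side to PSK, so strongSwan still signs with its own RSA key.
BROKEN_CONN = """\
conn ipsec-ikev2-vpn
    keyexchange=ikev2
    left=%any
    leftid=vps760438.ovh.net
    right=%any
    rightid=Fortigate_Objectif_2048
    rightauth=psk      # peer must use PSK; our own side keeps the pubkey default
    auto=add
"""

FIXED_CONN = """\
conn ipsec-ikev2-vpn
    keyexchange=ikev2
    left=%any
    leftid=vps760438.ovh.net
    leftauth=psk       # we authenticate with the PSK as well
    right=%any
    rightid=Fortigate_Objectif_2048
    rightauth=psk
    auto=add
"""


if __name__ == "__main__":
    for f in find_auth_mismatches(SAMPLE_LOG):
        print(f"worker {f['thread']}: peer {f['peer_identity']} used {f['peer_method']}, "
              f"we ({f['local_identity']}) used {f['local_method']}")
    print("broken conn:", check_psk_conn(BROKEN_CONN) or "ok")
    print("fixed conn:", check_psk_conn(FIXED_CONN) or "ok")
```

The detection half is the part worth keeping around: a PSK-only peer such as the FortiGate reports nothing more specific than "authentication failed", so the clearest evidence of a method mismatch is on the strongSwan side, where the "(myself)" line names the method it actually used.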
