[Openswan Users] openswan fortigate stuck in EVENT_PENDING_PHASE2
Paul Wouters
paul at xelerance.com
Sun Jan 9 15:15:54 EST 2011
On Sun, 9 Jan 2011, Johannes Scholz wrote:
> I am trying to establish an ipsec connection between a Fortigate 50 and openswan on centos (Linux Openswan U2.6.21/K2.6.18-194.32.1.el5 (netkey)).
I'd upgrade, 2.6.21 is really old and buggy.
> The setup of the fortigate:
>
> Internet <> ADSL router (80.14.x.x, 192.168.5.254) <> Fortigate 50B (wan iface 192.168.5.11, lan iface 192.168.10.0/24)
>
> The fortigate is in the dmz of the adsl router, all packages arrive directly on the fortigate, however, the fortigate uses 192.168.5.254 (the adsl router) as default gw (static route 0.0.0.0 to 192.168.5.11).
I would not call that "directly on the fortigate", as it is behind NAT and a port forward.
> The computer running centos is directly connected to the internet. Config:
Does your config setup contain nat_traversal=yes?
Does virtual_private contain 192.168.5.0/24?
> conn vinci
> authby=secret # Key exchange method
>
> left=213.239.x.x # Public Internet IP address of the LEFT VPN device
> leftsubnet=192.168.0.0/24 # Subnet protected by the LEFT VPN device
> leftnexthop=%defaultroute # correct in many situations
>
> right=80.14.x.x # Public Internet IP address of the RIGHT VPN device
> rightsubnet=192.168.10.0/24 # Subnet protected by the RIGHT VPN device
> rightnexthop=%defaultroute # correct in many situations
> rightid=@ipsectest.example.com # needed, because if I use id address, the fortigate will send 192.168.5.11
>
> auto=add
>
>
> Now phase one seems to be successful, an SA gets established:
>
> Jan 9 20:14:05 neoen pluto[20906]: packet from 80.14.x.x:500: received Vendor ID payload [RFC 3947] method set to=109
> Jan 9 20:14:05 neoen pluto[20906]: packet from 80.14.x.x:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
> Jan 9 20:14:05 neoen pluto[20906]: packet from 80.14.x.x:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
> Jan 9 20:14:05 neoen pluto[20906]: packet from 80.14.x.x:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
> Jan 9 20:14:05 neoen pluto[20906]: packet from 80.14.x.x:500: ignoring unknown Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]
> Jan 9 20:14:05 neoen pluto[20906]: packet from 80.14.x.x:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
> Jan 9 20:14:05 neoen pluto[20906]: packet from 80.14.x.x:500: received Vendor ID payload [Dead Peer Detection]
> Jan 9 20:14:05 neoen pluto[20906]: "vinci" #1: responding to Main Mode
> Jan 9 20:14:05 neoen pluto[20906]: "vinci" #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Jan 9 20:14:05 neoen pluto[20906]: "vinci" #1: STATE_MAIN_R1: sent MR1, expecting MI2
> Jan 9 20:14:05 neoen pluto[20906]: "vinci" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
> Jan 9 20:14:05 neoen pluto[20906]: pluto_do_crypto: helper (0) is exiting
That is not good, the helper should not exit.
> Jan 9 20:14:05 neoen pluto[20906]: "vinci" #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Jan 9 20:14:05 neoen pluto[20906]: "vinci" #1: STATE_MAIN_R2: sent MR2, expecting MI3
> Jan 9 20:14:05 neoen pluto[20906]: pluto_do_crypto: helper (0) is exiting
> Jan 9 20:14:05 neoen pluto[20906]: "vinci" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
> Jan 9 20:14:05 neoen pluto[20906]: "vinci" #1: Main mode peer ID is ID_FQDN: '@ipsectest.example.com
> Jan 9 20:14:05 neoen pluto[20906]: "vinci" #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Jan 9 20:14:05 neoen pluto[20906]: "vinci" #1: new NAT mapping for #1, was 80.14.x.x:500, now 80.14.x.x:4500
> Jan 9 20:14:05 neoen pluto[20906]: "vinci" #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
The Fortigate is supposed to start Quick Mode (phase2) now but does not. Check its logs why it is
not doing that.
Paul
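The two checks Paul raises (nat_traversal=yes and a virtual_private that covers the peer's NATed address) and the observation that the log shows phase 1 complete but no Quick Mode can both be automated. The following is an added example, not code from the thread or from the Openswan project: it parses an ipsec.conf-style text, checks those two settings for a peer whose inner address is 192.168.5.11, and walks the quoted pluto log to report where the negotiation stopped. The config text and log lines are constructed from what the thread quotes (the real addresses are masked as in the original); the section layout assumed is the standard "config setup" plus "conn NAME" form.

```python
"""Diagnose an Openswan responder stuck after ISAKMP SA established and
check the NAT-related settings in ipsec.conf. Added example; the config
and log below are constructed from the thread, not real captures."""
import ipaddress
import re

# Constructed ipsec.conf fragment (assumed layout: unindented section
# headers, indented key=value lines, '#' comments).
IPSEC_CONF = """\
config setup
    nat_traversal=yes   # required when the peer sits behind NAT
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:!192.168.0.0/24

conn vinci
    authby=secret
    left=213.239.x.x
    leftsubnet=192.168.0.0/24
    right=80.14.x.x
    rightsubnet=192.168.10.0/24
    rightid=@ipsectest.example.com
    auto=add
"""

SECTION_RE = re.compile(r"^(config setup|conn\s+\S+)\s*$")

def parse_ipsec_conf(text):
    """Return {section: {key: value}} with comments and blank lines dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            current = re.sub(r"\s+", " ", m.group(1))
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue  # stray line outside any section; ignore it
        key, value = line.strip().split("=", 1)
        sections[current][key.strip()] = value.strip()
    return sections

def check_nat_settings(conf, peer_private_ip):
    """Findings (empty when fine) for a peer NATed at peer_private_ip:
    nat_traversal must be yes and virtual_private must include that
    address through a %v4: entry without a matching %v4:! exclusion."""
    setup = conf.get("config setup", {})
    findings = []
    if setup.get("nat_traversal", "no").lower() != "yes":
        findings.append("config setup lacks nat_traversal=yes")
    ip = ipaddress.ip_address(peer_private_ip)
    included = excluded = False
    for entry in filter(None, setup.get("virtual_private", "").split(",")):
        entry = entry.strip()
        if not entry.startswith("%v4:"):
            continue  # only IPv4 ranges are relevant here
        net = entry[len("%v4:"):]
        negate = net.startswith("!")
        if ip in ipaddress.ip_network(net.lstrip("!"), strict=False):
            if negate:
                excluded = True
            else:
                included = True
    if not included or excluded:
        findings.append(f"virtual_private does not allow {peer_private_ip}")
    return findings

# Constructed subset of the quoted pluto log (addresses masked as in the thread).
LOG_LINES = [
    'Jan 9 20:14:05 neoen pluto[20906]: "vinci" #1: responding to Main Mode',
    'Jan 9 20:14:05 neoen pluto[20906]: "vinci" #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1',
    'Jan 9 20:14:05 neoen pluto[20906]: "vinci" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed',
    'Jan 9 20:14:05 neoen pluto[20906]: pluto_do_crypto: helper (0) is exiting',
    'Jan 9 20:14:05 neoen pluto[20906]: "vinci" #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2',
    'Jan 9 20:14:05 neoen pluto[20906]: pluto_do_crypto: helper (0) is exiting',
    'Jan 9 20:14:05 neoen pluto[20906]: "vinci" #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3',
    'Jan 9 20:14:05 neoen pluto[20906]: "vinci" #1: new NAT mapping for #1, was 80.14.x.x:500, now 80.14.x.x:4500',
    'Jan 9 20:14:05 neoen pluto[20906]: "vinci" #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}',
]

TRANSITION_RE = re.compile(r'transition from state (?P<frm>\S+) to state (?P<to>\S+)')
MAPPING_RE = re.compile(r"new NAT mapping for #\d+, was (?P<old>\S+), now (?P<new>\S+)")

def analyze_pluto_log(lines):
    """Summarise phase-1/phase-2 progress and NAT details from pluto log lines."""
    report = {"phase1_established": False, "phase2_started": False,
              "peer_nated": False, "helper_exits": 0,
              "last_state": None, "nat_mapping": None}
    for line in lines:
        m = TRANSITION_RE.search(line)
        if m:
            report["last_state"] = m.group("to")
            if m.group("to").startswith("STATE_QUICK_"):
                report["phase2_started"] = True  # Quick Mode reached
        if "ISAKMP SA established" in line:
            report["phase1_established"] = True
        if "peer is NATed" in line:
            report["peer_nated"] = True
        if "helper (" in line and "is exiting" in line:
            report["helper_exits"] += 1  # crypto helper should stay alive
        m = MAPPING_RE.search(line)
        if m:
            report["nat_mapping"] = (m.group("old"), m.group("new"))
    return report

def diagnose(report):
    """One-line verdict: where the responder is waiting and why."""
    if report["phase1_established"] and not report["phase2_started"]:
        return ("phase 1 complete, waiting for the peer to start Quick Mode "
                "(EVENT_PENDING_PHASE2); check the peer's phase-2 logs")
    if report["phase2_started"]:
        return "phase 2 negotiation reached"
    return f"phase 1 incomplete, last state {report['last_state']}"

if __name__ == "__main__":
    conf = parse_ipsec_conf(IPSEC_CONF)
    print(check_nat_settings(conf, "192.168.5.11") or "NAT settings look fine")
    print(diagnose(analyze_pluto_log(LOG_LINES)))
```

Run against a real ipsec.conf and a pluto log extract by replacing the two constructed inputs; a non-empty findings list from check_nat_settings points at the configuration side, while diagnose reporting "waiting for the peer to start Quick Mode" means the next place to look is the Fortigate's own phase-2 logging, as the reply suggests.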