<div dir="ltr"><br>Hi,<br>First of all, check that your PSKs (pre-shared keys) are the same. In the configuration that you have already sent they are NOT (one is "key" and the other is "test").<br>I have no idea about interoperating between Fortigate and Openswan.<br>
Also check Fortigate for PFS (Perfect Forward Secrecy) support.<br>Hope you got it. Let me know.<br><br>Mehran Toreihi.<br><br><div class="gmail_quote">On Tue, Aug 26, 2008 at 10:47 AM, <a href="http://MM.ST">MM.ST</a> <span dir="ltr">&lt;<a href="mailto:jfendrody@mm.st">jfendrody@mm.st</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div link="blue" vlink="purple" lang="FR">
<div>
<p><span lang="EN-US">Dear Openswan experts,</span></p>
<p><span lang="EN-US"> </span></p>
<p><span lang="EN-US">I am brand new to openswan (and VPN in
general) and have been googling with no success for 2 days trying to fix my
problem.</span></p>
<p><span lang="EN-US">Any help from the community would be
most welcome.</span></p>
<p><span lang="EN-US"> </span></p>
<p><span lang="EN-US">I am trying to connect 1 server to a
network protected by a Fortigate firewall through a VPN.</span></p>
<p><span lang="EN-US">I managed to get openswan running on
linux (Ubuntu) --at least I guess so...</span></p>
<p><span lang="EN-US">But I cannot get the VPN up and
running...</span></p>
<p><span lang="EN-US"> </span></p>
<p><span lang="EN-US">OK, here come the technical details.</span></p>
<p><span lang="EN-US"> </span></p>
<p><span lang="EN-US">>> Let's start with the Fortigate
configuration:</span></p>
<p><span lang="EN-US">Phase 1:</span></p>
<p><span lang="EN-US"> - remote IP <a href="http://1.2.3.4" target="_blank">1.2.3.4</a></span></p>
<p><span lang="EN-US"> - pre-shared key : "key"</span></p>
<p><span lang="EN-US"> - Encryption : 3DES</span></p>
<p><span lang="EN-US"> - Authentication : SHA1</span></p>
<p><span lang="EN-US"> - Key lifetime : 28800 seconds</span></p>
<p><span lang="EN-US">Phase 2:</span></p>
<p><span lang="EN-US"> - Encryption : 3DES</span></p>
<p><span lang="EN-US"> - Authentication : SHA1</span></p>
<p><span lang="EN-US"> - Key lifetime : 1800 seconds</span></p>
<p><span lang="EN-US"> </span></p>
<p><span lang="EN-US">>> Now the openswan configuration:</span></p>
<p><span lang="EN-US">/etc/ipsec.conf:</span></p>
<pre>
config setup
    interfaces="ipsec0=eth0"
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:!192.168.254.0/24

conn innov2demain
    left=1.2.3.4
    right=99.98.97.96
    rightsubnet=192.168.254.0/24
    keyexchange=ike
    auto=start
    authby=secret
    esp=3des
    compress=yes
    ikelifetime=1800
    # Disable Opportunistic Encryption
    include /etc/ipsec.d/examples/no_oe.conf
</pre>
<p><span lang="EN-US"> </span></p>
<p><span lang="EN-US">/etc/ipsec.secrets:</span></p>
<pre>
1.2.3.4 99.98.97.96 : PSK "test"
</pre>
<p><span lang="EN-US"> </span></p>
<p><span lang="EN-US">>> Here come the logs :</span></p>
<p><span lang="EN-US"> </span></p>
<pre>
root@ks2228:/proc/sys/net/ipv4/conf# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             [OK]
Linux Openswan U2.4.6/K2.6.24.2-xxxx-std-ipv4-32 (netkey)
Checking for IPsec support in kernel                        [OK]
NETKEY detected, testing for disabled ICMP send_redirects   [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets)           [DISABLED]
  ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running                              [OK]
Two or more interfaces found, checking IP forwarding        [OK]
Checking NAT and MASQUERADEing                              [OK]
Checking for 'ip' command                                   [OK]
Checking for 'iptables' command                             [OK]
Opportunistic Encryption Support                            [DISABLED]
</pre>
<p> </p>
<pre>
root@ks2228:/proc/sys/net/ipv4/conf# /etc/init.d/ipsec status
IPsec running - pluto pid: 22136
pluto pid 22136
No tunnels up
</pre>
<p><span lang="EN-US"> </span></p>
<pre>
root@ks2228:/var/log# ipsec auto --verbose --up innov2demain
</pre>
<p><span lang="EN-US">I have no feedback at all. Nothing happens ...</span></p>
<p><span lang="EN-US"> </span></p>
<pre>
root@ks2228:/proc/sys/net/ipv4/conf# ipsec auto --status
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 1.2.3.4
000 interface eth0/eth0 1.2.3.4
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,3,36} trans={0,3,72} attrs={0,3,48}
000
000 "innov2demain": 1.2.3.4...8199.98.97.96===192.168.254.0/24; prospective erouted; eroute owner: #0
000 "innov2demain":   srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "innov2demain":   ike_life: 1800s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "innov2demain":   policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; prio: 32,24; interface: eth0;
000 "innov2demain":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "innov2demain":   ESP algorithms wanted: 3_000-1, 3_000-2, flags=strict
000 "innov2demain":   ESP algorithms loaded: 3_000-1, 3_000-2, flags=strict
000
000 #41: "innov2demain":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 2s; nodpd
000 #41: pending Phase 2 for "innov2demain" replacing #0
000 #41: pending Phase 2 for "innov2demain" replacing #0
000 #41: pending Phase 2 for "innov2demain" replacing #0
000
</pre>
<p><span lang="EN-US"> </span></p>
<pre>
root@ks2228:/proc/sys/net/ipv4/conf# tail -n 1000 /var/log/syslog | grep -i ipsec
Aug 26 08:01:16 ks2228 ipsec_setup: ...Openswan IPsec stopped
Aug 26 08:01:16 ks2228 ipsec_setup: Stopping Openswan IPsec...
Aug 26 08:01:24 ks2228 ipsec_setup: KLIPS ipsec0 on eth0 1.2.3.4/255.255.255.0 broadcast 1.2.3.255
Aug 26 08:01:24 ks2228 ipsec_setup: ...Openswan IPsec started
Aug 26 08:01:24 ks2228 ipsec_setup: Starting Openswan IPsec U2.4.6/K2.6.24.2-xxxx-std-ipv4-32...
Aug 26 08:01:25 ks2228 ipsec__plutorun: 104 "innov2demain" #1: STATE_MAIN_I1: initiate
Aug 26 08:01:25 ks2228 ipsec__plutorun: ...could not start conn "innov2demain"
</pre>
<p><span lang="EN-US"> </span></p>
<pre>
root@ks2228:~# tail -n 100000 /var/log/auth.log | grep -i pluto
Aug 26 08:01:15 ks2228 pluto[22836]: shutting down
Aug 26 08:01:15 ks2228 pluto[22836]: forgetting secrets
Aug 26 08:01:15 ks2228 pluto[22836]: "innov2demain": deleting connection
Aug 26 08:01:15 ks2228 pluto[22836]: "innov2demain" #42: deleting state (STATE_MAIN_I1)
Aug 26 08:01:15 ks2228 pluto[22836]: shutting down interface lo/lo 127.0.0.1:4500
Aug 26 08:01:15 ks2228 pluto[22836]: shutting down interface lo/lo 127.0.0.1:500
Aug 26 08:01:15 ks2228 pluto[22836]: shutting down interface eth0/eth0 1.2.3.4:4500
Aug 26 08:01:15 ks2228 pluto[22836]: shutting down interface eth0/eth0 1.2.3.4:500
Aug 26 08:01:24 ks2228 ipsec__plutorun: Starting Pluto subsystem...
Aug 26 08:01:24 ks2228 pluto[27748]: Starting Pluto (Openswan Version 2.4.6 X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OElLO]RdWNRD)
Aug 26 08:01:24 ks2228 pluto[27748]: Setting NAT-Traversal port-4500 floating to on
Aug 26 08:01:24 ks2228 pluto[27748]: port floating activation criteria nat_t=1/port_fload=1
Aug 26 08:01:24 ks2228 pluto[27748]: including NAT-Traversal patch (Version 0.6c)
Aug 26 08:01:24 ks2228 pluto[27748]: WARNING: Open of /dev/hw_random failed in init_rnd_pool(), trying alternate sources of random
Aug 26 08:01:24 ks2228 pluto[27748]: WARNING: Using /dev/urandom as the source of random
Aug 26 08:01:24 ks2228 pluto[27748]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Aug 26 08:01:24 ks2228 pluto[27748]: starting up 1 cryptographic helpers
Aug 26 08:01:24 ks2228 pluto[27764]: WARNING: Open of /dev/hw_random failed in init_rnd_pool(), trying alternate sources of random
Aug 26 08:01:24 ks2228 pluto[27764]: WARNING: Using /dev/urandom as the source of random
Aug 26 08:01:24 ks2228 pluto[27748]: started helper pid=27764 (fd:6)
Aug 26 08:01:24 ks2228 pluto[27748]: Using Linux 2.6 IPsec interface code on 2.6.24.2-xxxx-std-ipv4-32
Aug 26 08:01:25 ks2228 pluto[27748]: Changing to directory '/etc/ipsec.d/cacerts'
Aug 26 08:01:25 ks2228 pluto[27748]: Changing to directory '/etc/ipsec.d/aacerts'
Aug 26 08:01:25 ks2228 pluto[27748]: Changing to directory '/etc/ipsec.d/ocspcerts'
Aug 26 08:01:25 ks2228 pluto[27748]: Changing to directory '/etc/ipsec.d/crls'
Aug 26 08:01:25 ks2228 pluto[27748]:   Warning: empty directory
Aug 26 08:01:25 ks2228 pluto[27748]: added connection description "innov2demain"
Aug 26 08:01:25 ks2228 pluto[27748]: listening for IKE messages
Aug 26 08:01:25 ks2228 pluto[27748]: adding interface eth0/eth0 1.2.3.4:500
Aug 26 08:01:25 ks2228 pluto[27748]: adding interface eth0/eth0 1.2.3.4:4500
Aug 26 08:01:25 ks2228 pluto[27748]: adding interface lo/lo 127.0.0.1:500
Aug 26 08:01:25 ks2228 pluto[27748]: adding interface lo/lo 127.0.0.1:4500
Aug 26 08:01:25 ks2228 pluto[27748]: loading secrets from "/etc/ipsec.secrets"
Aug 26 08:01:25 ks2228 pluto[27748]: "innov2demain" #1: initiating Main Mode
</pre>
<p><span lang="EN-US"> </span></p>
<p><span lang="EN-US">I probably missed something around 3DES,
SHA1 and the like, but I can't figure out what's wrong ...</span></p>
<p><span lang="EN-US">Any clue?</span></p>
<p><span lang="EN-US"> </span></p>
</div>
</div>
<br>_______________________________________________<br>
<a href="mailto:Users@openswan.org">Users@openswan.org</a><br>
<a href="http://lists.openswan.org/mailman/listinfo/users" target="_blank">http://lists.openswan.org/mailman/listinfo/users</a><br>
Building and Integrating Virtual Private Networks with Openswan:<br>
<a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><br>
<br></blockquote></div><br></div>
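<p>The reply above points at the pre-shared keys; the quoted post also shows <code>ikelifetime=1800</code> on the Openswan side (status: <code>ike_life: 1800s; ipsec_life: 28800s</code>) while the Fortigate has phase 1 at 28800 seconds and phase 2 at 1800 seconds, and the status policy carries <code>PFS</code>. The script below is an added example, written for this thread and not code from either poster or from the Openswan project: it parses an Openswan <code>conn</code> block and <code>ipsec.secrets</code> and cross-checks them against a peer description. The sample inputs are transcribed from the post, the <code>FORTIGATE</code> dictionary and its key names are this example's own, and the Openswan defaults used when a keyword is absent (<code>ikelifetime</code> 1h, <code>keylife</code> 8h, <code>pfs=yes</code>) are taken from ipsec.conf(5) for the 2.4 series.</p>

```python
"""Cross-check an Openswan IKEv1 conn against the peer's phase-1/phase-2 settings.

Added example for this mailing-list thread, not code from either poster.
Sample inputs are transcribed from the quoted post; field names and defaults
are this script's own assumptions.
"""
import hmac
import re

# Constructed sample: the conn from the post (the 'include' line is omitted).
IPSEC_CONF = """\
config setup
    interfaces="ipsec0=eth0"
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:!192.168.254.0/24

conn innov2demain
    left=1.2.3.4
    right=99.98.97.96
    rightsubnet=192.168.254.0/24
    keyexchange=ike
    auto=start
    authby=secret
    esp=3des
    compress=yes
    ikelifetime=1800
"""

# Constructed sample: the secrets line from the post.
IPSEC_SECRETS = '1.2.3.4 99.98.97.96 : PSK "test"\n'

# The Fortigate side as the post describes it; key names are this example's own.
# pfs=None means "not stated in the post".
FORTIGATE = {"psk": "key", "phase1_lifetime": 28800, "phase2_lifetime": 1800, "pfs": None}

# Openswan 2.4 defaults applied when the keyword is absent (ipsec.conf(5)).
DEFAULT_IKELIFETIME = 3600   # 1h
DEFAULT_KEYLIFE = 28800      # 8h
_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_conn(conf_text, name):
    """Return the key=value settings of one 'conn <name>' section."""
    settings = {}
    in_conn = False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            # Unindented line: section header ('conn x', 'config setup') or 'include'.
            in_conn = line.split() == ["conn", name]
            continue
        if in_conn and "=" in line:
            key, value = line.strip().split("=", 1)
            settings[key.strip()] = value.strip().strip('"')
    return settings


def parse_psk(secrets_text, left, right):
    """Return the PSK whose selectors cover both peers (no selectors = any peer)."""
    for line in secrets_text.splitlines():
        m = re.match(r'^\s*([^:]*?)\s*:\s*PSK\s+"([^"]*)"', line)
        if not m:
            continue
        selectors = m.group(1).split()
        if not selectors or "%any" in selectors or {left, right} <= set(selectors):
            return m.group(2)
    return None


def seconds(value, default):
    """Convert an Openswan time value such as '1800', '30m' or '8h' to seconds."""
    if value is None:
        return default
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"unparseable time value {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def check(conf_text, secrets_text, conn_name, peer):
    """Return a list of mismatches between the Openswan conn and the peer's settings."""
    c = parse_conn(conf_text, conn_name)
    findings = []

    psk = parse_psk(secrets_text, c.get("left", ""), c.get("right", ""))
    if psk is None:
        findings.append("no PSK line in ipsec.secrets covers both peer addresses")
    elif not hmac.compare_digest(psk.encode(), peer["psk"].encode()):
        findings.append("PSK in ipsec.secrets differs from the peer's pre-shared key")

    # Phase 1 (ISAKMP SA) lifetime is ikelifetime; phase 2 (IPsec SA) is keylife/salifetime.
    ike = seconds(c.get("ikelifetime"), DEFAULT_IKELIFETIME)
    sa = seconds(c.get("keylife", c.get("salifetime")), DEFAULT_KEYLIFE)
    if ike != peer["phase1_lifetime"]:
        findings.append(f"ikelifetime={ike}s but peer phase 1 lifetime is {peer['phase1_lifetime']}s")
    if sa != peer["phase2_lifetime"]:
        findings.append(f"keylife={sa}s but peer phase 2 lifetime is {peer['phase2_lifetime']}s")
    if ike == peer["phase2_lifetime"] and sa == peer["phase1_lifetime"]:
        findings.append("phase 1 and phase 2 lifetimes appear swapped between the two sides")

    pfs = c.get("pfs", "yes") == "yes"
    if peer["pfs"] is None:
        findings.append(f"Openswan pfs={'yes' if pfs else 'no'}; confirm the peer's phase 2 PFS setting matches")
    elif pfs != peer["pfs"]:
        findings.append("PFS is enabled on only one side")
    return findings


if __name__ == "__main__":
    for finding in check(IPSEC_CONF, IPSEC_SECRETS, "innov2demain", FORTIGATE):
        print("MISMATCH:", finding)
```

<p>Run against the post's settings it reports the PSK difference, both lifetime mismatches, the swap, and the unknown PFS state; with the PSK aligned, <code>ikelifetime=8h</code>, <code>keylife=30m</code> and PFS confirmed on the Fortigate it reports nothing. Lifetime mismatches by themselves rarely stop Main Mode from completing (the responder normally accepts the initiator's proposal or replies with its own), so the absence of any MR1 in the status output still points first at the peer side, but the checker catches the settings that the two configurations do disagree on.</p>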