<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><br>Am 09.01.2011 um 21:15 schrieb Paul Wouters:<br><br><blockquote type="cite">On Sun, 9 Jan 2011, Johannes Scholz wrote:<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"><blockquote type="cite">I am trying to establish an ipsec connection between a Fortigate 50 and openswan on centos (Linux Openswan U2.6.21/K2.6.18-194.32.1.el5 (netkey)).<br></blockquote></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">I'd upgrade, 2.6.21 is really old and buggy.<br></blockquote><br>Upgraded to 2.6.31, same results.<div><br><blockquote type="cite"><br></blockquote><blockquote type="cite"><blockquote type="cite">The setup of the fortigate:<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Internet <> ADSL router (80.14.x.x, 192.168.5.254) <> Fortigate 50B (wan iface 192.168.5.11, lan iface 192.168.10.0/24)<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">The fortigate is in the dmz of the adsl router, all packages arrive directly on the fortigate, however, the fortigate uses 192.168.5.254 (the adsl router) as default gw (static route 0.0.0.0 to 192.168.5.11).<br></blockquote></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">I would not call that "directly on the fortigate", as it is behind NAT and a port forward.<br></blockquote><br>NAT yes, portforward no.</div><div><br><blockquote type="cite"><br></blockquote><blockquote type="cite"><blockquote type="cite">The computer running centos is directly connected to the internet. Config:<br></blockquote></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">Does you config setup contain nat_traversal=yes?<br></blockquote><blockquote type="cite">Does virtual_private contain 192.168.5.0/24?<br></blockquote><br>yes and yes </div><div><br><blockquote type="cite"><br></blockquote><blockquote type="cite"><blockquote type="cite">conn vinci<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> authby=secret # Key exchange method<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> left=213.239.x.x # Public Internet IP address of the LEFT VPN device<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> leftsubnet=192.168.0.0/24 # Subnet protected by the LEFT VPN device<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> leftnexthop=%defaultroute # correct in many situations<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> right=80.14.x.x # Public Internet IP address ofthe RIGHT VPN device<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> rightsubnet=192.168.10.0/24 # Subnet protected by the RIGHT VPN device<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> rightnexthop=%defaultroute # correct in many situations<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> <a href="mailto:rightid=@ipsectest.example.com">rightid=@ipsectest.example.com</a><span class="Apple-tab-span" style="white-space: pre; "> </span><span class="Apple-tab-span" style="white-space: pre; "> </span># needed, because if I use id address, the fortigate will send 192.168.5.11<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"> auto=add<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Now phase one seems to be successful, an SA gets established:<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Jan 9 20:14:05 neoen pluto[20906]: packet from 80.14.x.x:500: received Vendor ID payload [RFC 3947] method set to=109<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Jan 9 20:14:05 neoen pluto[20906]: packet from 80.14.x.x:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Jan 9 20:14:05 neoen pluto[20906]: packet from 80.14.x.x:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Jan 9 20:14:05 neoen pluto[20906]: packet from 80.14.x.x:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Jan 9 20:14:05 neoen pluto[20906]: packet from 80.14.x.x:500: ignoring unknown Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Jan 9 20:14:05 neoen pluto[20906]: packet from 80.14.x.x:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Jan 9 20:14:05 neoen pluto[20906]: packet from 80.14.x.x:500: received Vendor ID payload [Dead Peer Detection]<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Jan 9 20:14:05 neoen pluto[20906]: "vinci" #1: responding to Main Mode<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Jan 9 20:14:05 neoen pluto[20906]: "vinci" #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Jan 9 20:14:05 neoen pluto[20906]: "vinci" #1: STATE_MAIN_R1: sent MR1, expecting MI2<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Jan 9 20:14:05 neoen pluto[20906]: "vinci" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Jan 9 20:14:05 neoen pluto[20906]: pluto_do_crypto: helper (0) is exiting<br></blockquote></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">That is not good, the helper should not exit.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"><blockquote type="cite">Jan 9 20:14:05 neoen pluto[20906]: "vinci" #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Jan 9 20:14:05 neoen pluto[20906]: "vinci" #1: STATE_MAIN_R2: sent MR2, expecting MI3<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Jan 9 20:14:05 neoen pluto[20906]: pluto_do_crypto: helper (0) is exiting<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Jan 9 20:14:05 neoen pluto[20906]: "vinci" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Jan 9 20:14:05 neoen pluto[20906]: "vinci" #1: Main mode peer ID is ID_FQDN: <a href="mailto:'@ipsectest.example.com">'@ipsectest.example.com</a><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Jan 9 20:14:05 neoen pluto[20906]: "vinci" #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Jan 9 20:14:05 neoen pluto[20906]: "vinci" #1: new NAT mapping for #1, was 80.14.x.x:500, now 80.14.x.x:4500<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Jan 9 20:14:05 neoen pluto[20906]: "vinci" #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}<br></blockquote></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">The Fortigate is supposed to start Quick Mode (phase2) now but does not. Check its logs why it is<br></blockquote><blockquote type="cite">not doing that.<br></blockquote><br>Unfortunately the logs do not give away more than I already posted.</div><div><br><blockquote type="cite"><br></blockquote><blockquote type="cite">Paul<br></blockquote><br>Johannes Scholz<br><a href="mailto:js@vinci-info.com">js@vinci-info.com</a><br>+33 64 301 34 52<br></div></body></html>