<div dir="ltr">Hi<div><br></div><div>Trying to set up a VPN connection to the office Fortigate, but I can't get past phase 2.</div><div><br></div><div>Received info from sysadmins:</div><div><br></div><div><ul><li>PSK<br></li><li>IKE v1<br></li><li>Aggressive mode<br><br></li><li>Phase1 3DES-SHA1<br></li><li>DH group 5<br></li><li>Key lifetime 28800<br><br></li><li>XAUTH PAP Server (not sure if this is necessary to know)<br><br></li><li>Phase2 3DES-SHA1<br></li><li>PFS no<br></li></ul></div><div><br></div><div><br></div><div><b>This is one of many configuration attempts; I've tried adding/removing different parameters.</b></div><div><br></div><div><div><font face="monospace, monospace">config setup</font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span>interfaces=%defaultroute</font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span>plutodebug="control parsing"</font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span>#klipsdebug=all</font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span>plutoopts="--interface=wlan0"</font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span>dumpdir=/var/run/pluto/</font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span>nat_traversal=no</font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span>virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10</font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span>oe=off</font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> 
</span>protostack=netkey</font></div><div><br></div><div><font face="monospace, monospace">conn office </font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span> left=%defaultroute</font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span> right=<my gateway ip></font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span> phase2=ah</font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span> phase2alg=sha1;modp1536</font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span> type=transport</font></div><div><span class="" style="white-space:pre"><font face="monospace, monospace"> </font></span></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span> authby=secret</font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span> pfs=no</font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span> compress=no</font></div><div><font face="monospace, monospace"> <span class="" style="white-space:pre"> </span>keyingtries=%forever</font></div></div><div><br></div><div><b>This is the output</b></div><div><div>➜ /etc sudo service ipsec restart </div><div>➜ /etc sudo ipsec auto --add office && sudo ipsec auto --up office</div><div>104 "office" #1: STATE_MAIN_I1: initiate</div><div>003 "office" #1: received Vendor ID payload [Dead Peer Detection]</div><div>003 "office" #1: ignoring unknown Vendor ID payload [8299031757a36082c6a621de00050282]</div><div>106 "office" #1: STATE_MAIN_I2: sent MI2, expecting MR2</div><div>108 "office" #1: STATE_MAIN_I3: sent MI3, expecting MR3</div><div>003 "office" #1: discarding duplicate packet; already STATE_MAIN_I3</div><div>010 "office" #1: STATE_MAIN_I3: retransmission; will wait 20s for 
response</div><div>003 "office" #1: discarding duplicate packet; already STATE_MAIN_I3</div><div>010 "office" #1: STATE_MAIN_I3: retransmission; will wait 40s for response</div><div>031 "office" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message</div><div>000 "office" #1: starting keying attempt 2 of an unlimited number, but releasing whack</div></div><div><br></div><div><br></div><div><br></div><div><br clear="all"><div><br></div>-- <br><div class="gmail_signature">Med vänliga hälsningar / Best Regards<div>Hajder</div></div>
</div></div>
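Editor's note, added here and not part of Hajder's message: the log above stops at STATE_MAIN_I3 with "no acceptable response to our first encrypted message", so the initiator is running IKEv1 Main Mode and the peer never answers the first encrypted (identity and hash) exchange, which is where a PSK or mode mismatch surfaces. The posted conn never asks for Aggressive Mode, proposes AH in transport mode rather than the ESP 3DES-SHA1 the sysadmins listed, and has no XAUTH client settings. The ipsec.conf and ipsec.secrets fragments below are an added example of how that list maps onto Libreswan/Openswan parameters (the pluto/"ipsec auto" tooling the log comes from); they are not the poster's configuration. The conn name, the local ID "@laptop", the username, <office subnet> and both secrets are assumptions and must be replaced with what the sysadmins hand out.

```ini
# /etc/ipsec.conf  (added example; values marked "assumed" are placeholders)

config setup
    protostack=netkey
    # wlan0 on a laptop is almost always behind NAT; without NAT-T the
    # Fortigate would see ESP from a translated address and drop it.
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off

conn office
    auto=add
    keyexchange=ike
    ikev2=no                    # "IKE v1"
    aggrmode=yes                # "Aggressive mode": without this pluto runs
                                # Main Mode, which is what STATE_MAIN_I* shows
    authby=secret               # "PSK": the key itself lives in ipsec.secrets
    ike=3des-sha1;modp1536      # "Phase1 3DES-SHA1" + "DH group 5" (modp1536);
                                # Aggressive Mode allows exactly one proposal
    ikelifetime=8h              # "Key lifetime 28800" seconds
    phase2=esp                  # posted conn had phase2=ah, which encrypts nothing
    phase2alg=3des-sha1         # "Phase2 3DES-SHA1"; no DH group here because
    pfs=no                      # "PFS no"
    type=tunnel                 # posted conn used type=transport
    left=%defaultroute
    leftid=@laptop              # assumed; Aggressive Mode selects the PSK by ID,
                                # so this must equal the peer ID set on the Fortigate
    leftxauthclient=yes         # "XAUTH PAP Server" is the gateway's role,
    leftxauthusername=hajder    # so this side is the XAUTH client (username assumed)
    right=<my gateway ip>
    rightxauthserver=yes
    rightsubnet=<office subnet> # assumed; the office network reached through the tunnel
    keyingtries=3
    compress=no

# /etc/ipsec.secrets  (mode 0600; both values assumed)
# <left> <right> : PSK "..."  selects the pre-shared key for this gateway
%any <my gateway ip> : PSK "the-preshared-key"
# @<leftxauthusername> : XAUTH "..."  supplies the XAUTH password
@hajder : XAUTH "the-xauth-password"
```

After `ipsec auto --add office && ipsec auto --up office`, the first line of the log should read STATE_AGGR_I1 rather than STATE_MAIN_I1; if it still stalls, the PSK or the ID the peer uses to select it is the next thing to check, since those are exactly what the first encrypted exchange verifies. Two caveats on what the gateway mandates: with IKEv1 Aggressive Mode and a PSK, the hash that authenticates the responder is sent before the exchange is encrypted, so anyone who can observe or solicit that exchange can run an offline dictionary attack on the PSK, and 3DES is a 64-bit block cipher. Where the sysadmins can be persuaded, Main Mode or IKEv2 with a long random PSK or certificates is the setting to ask for.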