[Openswan Users] Setting up VPN between Linux box and Fortigate firewall

Paul Wouters paul at xelerance.com
Mon Aug 21 10:18:01 EDT 2006


On Mon, 21 Aug 2006, Rhys Johnson wrote:

> I am trying to set up a VPN between 2 firewall machines with private
> subnets behind them. I have a linux box running openswan2.2 and a
> Fortigate firewall running IPSEC. I am trying to connect from the
> fortigate to the linux box, however the connection is failing on error.
> The fortigate is set up as follows
> Phase 1:
> 	Local IP: 221.133.201.34
> 	Remote IP: 58.6.14.254
> 	Main mode
> 	PSK
> 	Accept any peer id
> 	Encryption/Authentication. try 3DES-MD5, 3DES-SHA1
> 	DH groups 2 and 5
> 	Disable XAUTH
> Phase 2:
> 	Enable PFS
> 	DH group 5

I don't see the subnets listed here, but I assume those are configured
there somehow?

> ipsec.conf
> -----------------------------------
> config setup
>         # Debug-logging controls:
>         klipsdebug=none
>         plutodebug="all"

remove the plutodebug=all line.

> conn fortigate
>      auto=add
>      left=58.6.14.254
>      leftsubnet=192.168.100.0/24
>      leftid=@home
>      right=221.133.201.34
>      rightsubnet=192.168.1.0/24
>      rightid=%any

remove the rightid line.

>      keyingtries=0
>      pfs=yes
>      auth=esp
>      authby=secret
> ------------------------------
>
> ipsec.secrets
> -----------------
> @home 221.133.201.34 58.6.14.254: PSK "************"
> -----------------
>
> The error I receive on the Fortigate from the linux box is:
>
> 2006-08-21 15:58:53 error negotiate Received error notification from
> peer: INVALID_ID_INFORMATION type=event subtype=ipsec pri=error
> loc_ip=221.133.201.34 loc_port=500 rem_ip=58.6.14.254 rem_port=500
> out_if=wan1 vpn_tunnel=Caldwell_VPN
> cookies=8f1a03ec12122b32/0d4f5c4330f10e82 action=negotiate
> status=negotiate_error msg="Received error notification from peer:
> INVALID_ID_INFORMATION" negotiate_error

That you are expecting the wrong id, and sending the other end a
notification of that.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
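For reference, here is how the posted ipsec.conf reads once the two changes suggested in the reply are applied (the plutodebug="all" line and the rightid=%any line removed). This is an added illustration, not a file from the thread or from the Openswan project; it assumes everything else in the original stays as posted, including leftid=@home and the addresses from the message.

```ini
# Added example: Linux-side ipsec.conf with the two suggested edits applied
# (plutodebug="all" removed, rightid=%any removed). All other values are
# exactly as posted in the thread; nothing else is assumed to change.
config setup
        # Debug-logging controls: plutodebug is left at its default (off);
        # full debug output is noisy and only needed while diagnosing
        klipsdebug=none

conn fortigate
        auto=add
        left=58.6.14.254
        leftsubnet=192.168.100.0/24
        leftid=@home
        right=221.133.201.34
        rightsubnet=192.168.1.0/24
        # rightid omitted on purpose: Openswan then expects the peer to
        # identify itself by its right= address (221.133.201.34), so the
        # Fortigate's Phase 1 ID must be that IP for the ID check to pass
        keyingtries=0
        pfs=yes
        auth=esp
        authby=secret
```

After editing the file, `ipsec auto --replace fortigate` reloads the conn and `ipsec auto --up fortigate` attempts the negotiation; if the INVALID_ID_INFORMATION notification persists, compare the ID the Fortigate actually sends in Phase 1 against the rightid Openswan now expects, since that mismatch is what the notification reports.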