[Openswan Users] Setting up VPN between Linux box and Fortigate firewall

Jim Barber jim.barber at ddihealth.com
Mon Aug 21 19:13:34 EDT 2006


I have exactly the same setup as this working fine.
I don't specify the leftid or rightid parameters at all.
With the fortigate set up to use 3des you need to add the following parameter to your openswan connection definition.

	esp=3des

Without the above I also got the exact same error.

Also in the addresses that you defined in your fortigate policy area, make sure these match exactly with what you defined in openswan.
So in your example they would be set to 192.168.1.0/255.255.255.0

You don't need DH 2 set in the phase one.
Sticking with DH 5 works properly.

Regards,

----------
Jim Barber
DDI Health


Rhys Johnson wrote:
> Hello
> I am trying to set up a VPN between 2 firewall machines with private
> subnets behind them. I have a linux box running openswan2.2 and a
> Fortigate firewall running IPSEC. I am trying to connect from the
> fortigate to the linux box, however the connection is failing on error.
> The fortigate is set up as follows
> Phase 1:
> 	Local IP: 221.133.201.34
> 	Remote IP: 58.6.14.254
> 	Main mode
> 	PSK
> 	Accept any peer id
> 	Encryption/Authentication: try 3DES-MD5, 3DES-SHA1
> 	DH groups 2 and 5
> 	Disable XAUTH
> Phase 2:
> 	Enable PFS
> 	DH group 5
> 
> The linux box has the following configuration
> ipsec.conf
> -----------------------------------
> config setup
>         # Debug-logging controls:
>         klipsdebug=none
>         plutodebug="all"
> 
> conn fortigate
>      auto=add
>      left=58.6.14.254
>      leftsubnet=192.168.100.0/24
>      leftid=@home
>      right=221.133.201.34
>      rightsubnet=192.168.1.0/24
>      rightid=%any
>      keyingtries=0
>      pfs=yes
>      auth=esp
>      authby=secret
> ------------------------------
> 
> ipsec.secrets
> -----------------
> @home 221.133.201.34 58.6.14.254: PSK "************"
> -----------------
> 
> The error I receive on the Fortigate from the linux box is:
> 
> 2006-08-21 15:58:53 error negotiate Received error notification from
> peer: INVALID_ID_INFORMATION type=event subtype=ipsec pri=error
> loc_ip=221.133.201.34 loc_port=500 rem_ip=58.6.14.254 rem_port=500
> out_if=wan1 vpn_tunnel=Caldwell_VPN
> cookies=8f1a03ec12122b32/0d4f5c4330f10e82 action=negotiate
> status=negotiate_error msg="Received error notification from peer:
> INVALID_ID_INFORMATION" negotiate_error 
> 
> What does this error mean?
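Pulling Jim's three points together (no leftid/rightid, esp=3des, subnets on both ends identical), the openswan side of the quoted setup would look like the fragment below. This is an added illustration, not configuration from either poster; the ike= proposal and pfsgroup= line are assumptions chosen to match the Fortigate Phase 1/Phase 2 settings quoted above (DH group 5 is modp1536), and the secrets entry is keyed by the two gateway addresses because no leftid/rightid is set.

```conf
# ipsec.conf (example, not from the original posts)
conn fortigate
     auto=add
     left=58.6.14.254
     leftsubnet=192.168.100.0/24
     right=221.133.201.34
     # must match the Fortigate policy address exactly (192.168.1.0/255.255.255.0)
     rightsubnet=192.168.1.0/24
     keyingtries=0
     authby=secret
     auth=esp
     # Phase 1: 3DES/SHA1 with DH group 5 (modp1536), as the Fortigate offers (assumed)
     ike=3des-sha1-modp1536
     # Phase 2: required when the Fortigate is set to 3des, per the reply
     esp=3des
     pfs=yes
     # PFS with DH group 5 to match "Enable PFS / DH group 5" (assumed)
     pfsgroup=modp1536

# ipsec.secrets (example): indexed by both gateway IPs, since no @name IDs are used
58.6.14.254 221.133.201.34: PSK "REPLACE-WITH-SHARED-SECRET"
```

After editing, reload with `ipsec auto --replace fortigate` and `ipsec secrets` so both files are re-read before the Fortigate retries.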

