[Openswan Users] Trying to set Openswan with FortiGate
Tejas Jin
txjin at intelliepi.com
Thu Aug 9 19:15:20 EDT 2007
The configuration I got from an example on their web site
http://kc.forticare.com/default.asp?id=1835&Lang=1&SID=
The article doesn't say anything about what the setting should be on the
FortiGate system and I am not getting any log information from it currently.
I'd appreciate it if someone could tell me what is going on or how I
could get more information about what is going on/wrong.
-----------------------------------------------------------
ipsec.conf
------------------------------------------------------------
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.6 2006/10/19 03:49:46 paul Exp $
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg: plutodebug="control parsing"
        #
        # ONLY enable plutodebug=all or klipsdebug=all if you are a developer !!
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        #
        # enable this if you see "failed to find any available worker"
        nhelpers=0

# Add connections here
conn office
        #left side is home
        left=%defaultroute
        #right side is work
        right=64.221.201.108
        rightsubnet=10.10.2.0/24
        keyexchange=ike
        authby=secret
        esp=3des
        compress=yes

# sample VPN connections, see /etc/ipsec.d/examples/
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
-----------------------------------------------------------
ipsec.secrets
------------------------------------------------------------
: PSK "my_secret_key"
-----------------------------------
logs
------------------------------------
Aug 9 18:42:30 Eagle pluto[10361]: loading secrets from "/etc/ipsec.secrets"
Aug 9 18:42:32 Eagle pluto[10361]: added connection description "office"
Aug 9 18:42:36 Eagle pluto[10361]: "office" #1: initiating Main Mode
Aug 9 18:42:36 Eagle pluto[10361]: "office" #1: received Vendor ID payload [Dead Peer Detection]
Aug 9 18:42:36 Eagle pluto[10361]: "office" #1: ignoring unknown Vendor ID payload [afca071368a1f1c96b8696fc77570100]
Aug 9 18:42:36 Eagle pluto[10361]: "office" #1: ignoring unknown Vendor ID payload [1d6e178f6c2c0be284985465450fe9d4]
Aug 9 18:42:36 Eagle pluto[10361]: "office" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
Aug 9 18:42:36 Eagle pluto[10361]: "office" #1: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-02/03
Aug 9 18:42:36 Eagle pluto[10361]: "office" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Aug 9 18:42:36 Eagle pluto[10361]: "office" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Aug 9 18:42:36 Eagle pluto[10361]: "office" #1: I did not send a certificate because I do not have one.
Aug 9 18:42:36 Eagle pluto[10361]: "office" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Aug 9 18:42:36 Eagle pluto[10361]: "office" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Aug 9 18:42:36 Eagle pluto[10361]: "office" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Aug 9 18:42:36 Eagle pluto[10361]: "office" #1: Main mode peer ID is ID_IPV4_ADDR: '64.221.219.108'
Aug 9 18:42:36 Eagle pluto[10361]: "office" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Aug 9 18:42:36 Eagle pluto[10361]: "office" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Aug 9 18:42:36 Eagle pluto[10361]: "office" #2: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#1}
Aug 9 18:42:36 Eagle pluto[10361]: "office" #1: ignoring informational payload, type INVALID_ID_INFORMATION
Aug 9 18:42:36 Eagle pluto[10361]: "office" #1: received and ignored informational message
Aug 9 18:43:46 Eagle pluto[10361]: "office" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Aug 9 18:43:46 Eagle pluto[10361]: "office" #2: starting keying attempt 2 of an unlimited number, but releasing whack
Aug 9 18:43:46 Eagle pluto[10361]: "office" #3: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP to replace #2 {using isakmp#1}
Aug 9 18:43:46 Eagle pluto[10361]: "office" #1: ignoring informational payload, type INVALID_ID_INFORMATION
Aug 9 18:43:46 Eagle pluto[10361]: "office" #1: received and ignored informational message
Aug 9 18:44:56 Eagle pluto[10361]: "office" #3: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
---------------------------------------------------------
tcpdump
--------------------------------------------------------
17:38:52.764181 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 17, length: 400) 64.221.201.98.ptr.us.xo.net.isakmp > 64.221.201.108.ptr.us.xo.net.isakmp: isakmp 1.0 msgid : phase 2/others ? oakley-quick[E]: [encrypted hash]
17:39:20.234618 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 17, length: 104) 64.221.201.98.ptr.us.xo.net.isakmp > 64.221.201.108.ptr.us.xo.net.isakmp: isakmp 1.0 msgid : phase 2/others ? inf[E]: [encrypted hash]
17:39:20.235981 IP (tos 0x0, ttl 64, id 63675, offset 0, flags [none], proto 17, length: 104) 64.221.201.108.ptr.us.xo.net.isakmp > 64.221.201.98.ptr.us.xo.net.isakmp: isakmp 1.0 msgid : phase 2/others ? inf[E]: [encrypted hash]
17:39:25.230214 arp who-has 64.221.201.98.ptr.us.xo.net tell 64.221.201.108.ptr.us.xo.net
17:39:25.230304 arp reply 64.221.201.98.ptr.us.xo.net is-at 00:0d:56:ec:6f:a9
17:39:29.078852 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 17, length: 340) 64.221.201.98.ptr.us.xo.net.isakmp > 64.221.201.108.ptr.us.xo.net.isakmp: isakmp 1.0 msgid : phase 1 I ident: [|sa]
17:39:29.081221 IP (tos 0x0, ttl 64, id 63676, offset 0, flags [none], proto 17, length: 188) 64.221.201.108.ptr.us.xo.net.isakmp > 64.221.201.98.ptr.us.xo.net.isakmp: isakmp 1.0 msgid : phase 1 R ident: [|sa]
17:39:29.100073 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 17, length: 312) 64.221.201.98.ptr.us.xo.net.isakmp > 64.221.201.108.ptr.us.xo.net.isakmp: isakmp 1.0 msgid : phase 1 I ident: [|ke]
17:39:29.208035 IP (tos 0x0, ttl 64, id 63677, offset 0, flags [none], proto 17, length: 312) 64.221.201.108.ptr.us.xo.net.isakmp > 64.221.201.98.ptr.us.xo.net.isakmp: isakmp 1.0 msgid : phase 1 R ident: [|ke]
17:39:29.224804 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 17, length: 88) 64.221.201.98.ptr.us.xo.net.isakmp > 64.221.201.108.ptr.us.xo.net.isakmp: isakmp 1.0 msgid : phase 1 I ident[E]: [encrypted id]
17:39:29.225539 IP (tos 0x0, ttl 64, id 63678, offset 0, flags [none], proto 17, length: 88) 64.221.201.108.ptr.us.xo.net.isakmp > 64.221.201.98.ptr.us.xo.net.isakmp: isakmp 1.0 msgid : phase 1 R ident[E]: [encrypted id]
17:39:29.268053 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 17, length: 400) 64.221.201.98.ptr.us.xo.net.isakmp > 64.221.201.108.ptr.us.xo.net.isakmp: isakmp 1.0 msgid : phase 2/others I oakley-quick[E]: [encrypted hash]
17:39:29.275156 IP (tos 0x0, ttl 64, id 63679, offset 0, flags [none], proto 17, length: 88) 64.221.201.108.ptr.us.xo.net.isakmp > 64.221.201.98.ptr.us.xo.net.isakmp: isakmp 1.0 msgid : phase 2/others R inf[E]: [encrypted hash]
17:39:34.077271 arp who-has 64.221.201.108.ptr.us.xo.net tell 64.221.201.98.ptr.us.xo.net
17:39:34.077339 arp reply 64.221.201.108.ptr.us.xo.net is-at 00:09:0f:13:88:3a
17:39:39.281563 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 17, length: 400) 64.221.201.98.ptr.us.xo.net.isakmp > 64.221.201.108.ptr.us.xo.net.isakmp: isakmp 1.0 msgid : phase 2/others I oakley-quick[E]: [encrypted hash]
17:39:59.262359 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 17, length: 400) 64.221.201.98.ptr.us.xo.net.isakmp > 64.221.201.108.ptr.us.xo.net.isakmp: isakmp 1.0 msgid : phase 2/others I oakley-quick[E]: [encrypted hash]
17:40:04.261368 arp who-has 64.221.201.108.ptr.us.xo.net tell 64.221.201.98.ptr.us.xo.net
17:40:04.261424 arp reply 64.221.201.108.ptr.us.xo.net is-at 00:09:0f:13:88:3a
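An added example, not part of the post and not Openswan code: a small Python triage script that reads pluto log lines in the format shown above and reports, per connection, whether phase 1 (Main Mode) and phase 2 (Quick Mode) succeeded, which policy flags were proposed, and what to compare against the peer's configuration. The sample log lines are constructed from the post's format and abridged; the hints encode the usual reading of INVALID_ID_INFORMATION (phase-2 identity mismatch) and of an unanswered Quick Mode proposal.

```python
import re

# Constructed sample lines modelled on the pluto log format in the post
# (abridged, not the poster's exact log).
SAMPLE_LOG = """\
Aug 9 18:42:36 Eagle pluto[10361]: "office" #1: initiating Main Mode
Aug 9 18:42:36 Eagle pluto[10361]: "office" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Aug 9 18:42:36 Eagle pluto[10361]: "office" #2: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#1}
Aug 9 18:42:36 Eagle pluto[10361]: "office" #1: ignoring informational payload, type INVALID_ID_INFORMATION
Aug 9 18:43:46 Eagle pluto[10361]: "office" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""

# conn name, SA number and the free-text message of one pluto line
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)')


def diagnose(log_text):
    """Per connection: state of IKE phase 1 and phase 2, the Quick Mode
    policy flags proposed, and what to compare against the peer's config."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                      # daemon-level lines carry no conn name
        st = findings.setdefault(m.group("conn"), {
            "phase1": "unknown", "phase2": "unknown", "flags": set(), "hints": []})
        msg = m.group("msg")
        if "ISAKMP SA established" in msg:
            st["phase1"] = "established"  # Main Mode done: PSK and IKE proposal agree
        elif "initiating Quick Mode" in msg:
            st["flags"].update(msg.split()[3].split("+"))  # e.g. PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP
        elif "IPsec SA established" in msg:
            st["phase2"] = "established"
        elif "INVALID_ID_INFORMATION" in msg:
            # responder could not match the phase-2 identities (traffic selectors) we proposed
            st["phase2"] = "rejected"
            hint = "peer rejected the Quick Mode IDs: make leftsubnet/rightsubnet mirror the peer's phase-2 selectors"
            if hint not in st["hints"]:
                st["hints"].append(hint)
        elif "No acceptable response to our first Quick Mode message" in msg:
            if st["phase2"] == "unknown":  # timed out without any notification from the peer
                st["phase2"] = "no_response"
                st["hints"].append("peer never answered the Quick Mode proposal: compare esp= and phase-2 lifetimes with the peer")
    for st in findings.values():
        if st["phase2"] in ("rejected", "no_response"):
            if "PFS" in st["flags"]:
                st["hints"].append("PFS is proposed (Openswan default pfs=yes); a peer with PFS disabled may refuse it")
            if "COMPRESS" in st["flags"]:
                st["hints"].append("compress=yes adds an IPComp proposal; drop it unless the peer supports it")
    return findings


if __name__ == "__main__":
    for conn, st in diagnose(SAMPLE_LOG).items():
        print(conn, "phase1:", st["phase1"], "phase2:", st["phase2"], sorted(st["flags"]))
        for h in st["hints"]:
            print("  -", h)
```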