[Openswan Users] Openswan and Fortigate
Hugues CHARBONNIER
hcharbonnier at dotriver.eu
Mon Aug 18 11:59:11 EDT 2008
Hi everybody, I'm trying to connect a FortiGate box with Openswan, but
everything goes bad...
These are my conf. files, and the errors I have.
Please, can anyone help me?
Fortigate (remote) conf:
Phase 1:
Main mode
PSK
Encryption/Authentication. 3Des-SHA1
DH group 5
Disable XAUTH
Phase 2:
Disable PFS
DH group 5
Openswan (local) conf:
#/etc/ipsec.conf
version 2
config setup
interfaces="ipsec0=eth0"
klipsdebug=none
plutodebug=none
plutostderrlog=/var/log/ipsec_myconnec.log
nat_traversal=yes
include /etc/ipsec.d/*.conf
#/etc/ipsec.d/myconnec.conf
conn myconnec
auto=add
leftid=@home
left=xx.xx.xx.xx
leftsubnet=192.168.1.0/24
right=xx.xx.xx.xx
rightsubnet=ww.ww.ww.ww/24
keyexchange=ike
ike=3des-sha1
auth=esp
authby=secret
#specify encryption FortiGate VPN uses
esp=3des-sha1
Screen errors: /usr/sbin/ipsec auto --up myconnec
104 "myconnec" #1: STATE_MAIN_I1: initiate
003 "myconnec" #1: received Vendor ID payload [Dead Peer Detection]
003 "myconnec" #1: ignoring unknown Vendor ID payload
[afcad71368a1f1c96b8696fc77570100]
003 "myconnec" #1: ignoring unknown Vendor ID payload
[1d6d178f6c2c0be284985465450fe9d4]
003 "myconnec" #1: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03] method set to=108
106 "myconnec" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "myconnec" #1: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
108 "myconnec" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "myconnec" #1: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp1536}
117 "myconnec" #2: STATE_QUICK_I1: initiate
010 "myconnec" #2: STATE_QUICK_I1: retransmission; will wait 20s for
response
010 "myconnec" #2: STATE_QUICK_I1: retransmission; will wait 40s for
response
031 "myconnec" #2: max number of retransmissions (2) reached
STATE_QUICK_I1. No acceptable response to our first Quick Mode message:
perhaps peer likes no proposal
000 "myconnec" #2: starting keying attempt 2 of an unlimited number,
but releasing whack
Screen errors: ipsec auto --status
....
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,3,36}
trans={0,3,480} attrs={0,3,320}
000
000 "myconnec":
192.168.1.0/24===xx.xx.xx.xx[@home]...xx.xx.xx.xx===xx.xx.xx.xx/24;
unrouted; eroute owner: #0
000 "myconnec": srcip=unset; dstip=unset; srcup=ipsec _updown;
dstup=ipsec _updown;
000 "myconnec": ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 0
000 "myconnec": policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; prio:
24,24; interface: eth0; encap: esp;
000 "myconnec": newest ISAKMP SA: #1; newest IPsec SA: #0;
000 "myconnec": IKE algorithms wanted:
3DES_CBC(5)_000-SHA1(2)-MODP1536(5),
3DES_CBC(5)_000-SHA1(2)-MODP1024(2); flags=strict
000 "myconnec": IKE algorithms found:
3DES_CBC(5)_192-SHA1(2)_160-MODP1536(5),
3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
000 "myconnec": IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1536
000 "myconnec": ESP algorithms wanted: 3DES(3)_000-SHA1(2);
flags=strict
000 "myconnec": ESP algorithms loaded: 3DES(3)_000-SHA1(2);
flags=strict
000
000 #3: "myconnec":500 STATE_QUICK_I1 (sent QI1, expecting QR1);
EVENT_RETRANSMIT in 1s; lastdpd=-1s(seq in:0 out:0)
000 #1: "myconnec":500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 2787s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000
IPsec log file:
loading secrets from "/etc/ipsec.secrets"
"myconnec" #1: initiating Main Mode
"myconnec" #1: received Vendor ID payload [Dead Peer Detection]
"myconnec" #1: ignoring unknown Vendor ID payload
[afca071368a1f1c96b8696fc77570100]
"myconnec" #1: ignoring unknown Vendor ID payload
[1d6e178f6c2c0be284985465450fe9d4]
"myconnec" #1: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03] method set to=108
"myconnec" #1: enabling possible NAT-traversal with method
draft-ietf-ipsec-nat-t-ike-02/03
"myconnec" #1: transition from state STATE_MAIN_I1 to state
STATE_MAIN_I2
"myconnec" #1: STATE_MAIN_I2: sent MI2, expecting MR2
"myconnec" #1: I did not send a certificate because I do not have one.
"myconnec" #1: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
"myconnec" #1: transition from state STATE_MAIN_I2 to state
STATE_MAIN_I3
"myconnec" #1: STATE_MAIN_I3: sent MI3, expecting MR3
"myconnec" #1: Main mode peer ID is ID_IPV4_ADDR: 'xx.xx.xx.xx'
"myconnec" #1: transition from state STATE_MAIN_I3 to state
STATE_MAIN_I4
"myconnec" #1: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp1536}
"myconnec" #2: initiating Quick Mode
PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#1}
"myconnec" #1: ignoring informational payload, type
INVALID_ID_INFORMATION
"myconnec" #1: received and ignored informational message
"myconnec" #2: max number of retransmissions (2) reached
STATE_QUICK_I1. No acceptable response to our first Quick Mode message:
perhaps peer likes no proposal
"myconnec" #2: starting keying attempt 2 of an unlimited number, but
releasing whack
"myconnec" #3: initiating Quick Mode
PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP to replace #2 {using isakmp#1}
"myconnec" #1: ignoring informational payload, type
INVALID_ID_INFORMATION
"myconnec" #1: received and ignored informational message
"myconnec" #3: max number of retransmissions (2) reached
STATE_QUICK_I1. No acceptable response to our first Quick Mode message:
perhaps peer likes no proposal
"myconnec" #3: starting keying attempt 3 of an unlimited number
"myconnec" #4: initiating Quick Mode
PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP to replace #3 {using isakmp#1}
"myconnec" #1: ignoring informational payload, type
INVALID_ID_INFORMATION
"myconnec" #1: received and ignored informational message
"myconnec" #4: max number of retransmissions (2) reached
STATE_QUICK_I1. No acceptable response to our first Quick Mode message:
perhaps peer likes no proposal
"myconnec" #4: starting keying attempt 4 of an unlimited number
"myconnec" #5: initiating Quick Mode
PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP to replace #4 {using isakmp#1}
"myconnec" #1: ignoring informational payload, type
INVALID_ID_INFORMATION
"myconnec" #1: received and ignored informational message
Hugues CHARBONNIER <hcharbonnier at dotriver.com>
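An added triage example, not part of the post or of Openswan: it reads the pluto log and the `ipsec auto --status` policy line quoted above and reports where the negotiation stops (Phase 1 up, Phase 2 answered with INVALID_ID_INFORMATION, no proposal accepted) and whether the local policy's PFS flag and Phase 1 DH group agree with what the remote admin reported for the FortiGate. The log excerpt is a constructed copy of the post's lines with wrapped lines rejoined; the PEER dictionary and the finding names are assumptions of this example.

```python
import re

# Constructed excerpt of the pluto log quoted in the post (wrapped lines rejoined).
PLUTO_LOG = """\
"myconnec" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
"myconnec" #2: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#1}
"myconnec" #1: ignoring informational payload, type INVALID_ID_INFORMATION
"myconnec" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""
# Constructed copy of the policy line from `ipsec auto --status`.
STATUS_POLICY = '000 "myconnec": policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; prio: 24,24; interface: eth0; encap: esp;'

# Assumed dictionary holding the FortiGate settings as reported in the post.
PEER = {"phase1_dh_group": 5, "phase2_pfs": False}

# Oakley group names used by pluto, mapped to IKE DH group numbers.
MODP_TO_GROUP = {"modp1024": 2, "modp1536": 5, "modp2048": 14}


def policy_flags(status_line):
    """Extract the policy flag set (PSK, ENCRYPT, PFS, ...) from a status line."""
    m = re.search(r"policy: ([A-Z+]+);", status_line)
    return set(m.group(1).split("+")) if m else set()


def diagnose(log, status_line, peer):
    """Return a list of findings describing where the negotiation stalls."""
    findings = []
    sa = re.search(r"ISAKMP SA established \{.*?group=(modp\d+)\}", log)
    if not sa:
        findings.append("phase1_failed")
        return findings
    findings.append("phase1_ok")
    if MODP_TO_GROUP.get(sa.group(1)) != peer["phase1_dh_group"]:
        findings.append("phase1_dh_group_mismatch")
    quick = log.find("initiating Quick Mode")
    if quick >= 0 and "INVALID_ID_INFORMATION" in log[quick:]:
        # The peer answered Quick Mode with an error notify: it saw the proposal and rejected it.
        findings.append("phase2_rejected_by_peer")
    if "perhaps peer likes no proposal" in log:
        findings.append("phase2_no_proposal_accepted")
    # Local policy asks for PFS while the peer has it disabled (or vice versa).
    if ("PFS" in policy_flags(status_line)) != peer["phase2_pfs"]:
        findings.append("phase2_pfs_mismatch")
    return findings


if __name__ == "__main__":
    for finding in diagnose(PLUTO_LOG, STATUS_POLICY, PEER):
        print(finding)
```

On the post's own output this flags the Phase 2 rejection together with a PFS setting that differs between the two sides, which is the first thing to reconcile before looking at the Phase 2 selectors.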