[Openswan Users] Open Swan and Fortigate.

Hugues CHARBONNIER hcharbonnier at dotriver.eu
Mon Aug 18 11:53:55 EDT 2008


Hi everybody, I'm trying to connect a FortiGate box with Openswan, but 
everything goes bad...

These are my conf. files, and the errors I have.

Please, can anyone help me?

Fortigate (remote) conf:
Phase 1:
    Main mode
    PSK
    Encryption/Authentication: 3DES-SHA1
    DH group 5
    Disable XAUTH
Phase 2:
    Disable PFS
    DH group 5

OpenSwan (local) conf :

#/etc/ipsec.conf
version 2
config setup
   interfaces="ipsec0=eth0"
   klipsdebug=none
   plutodebug=none
   plutostderrlog=/var/log/ipsec_myconnec.log
   nat_traversal=yes
include /etc/ipsec.d/*.conf



#/etc/ipsec.d/myconnec.conf
conn myconnec
   auto=add
   leftid=@home
   left=xx.xx.xx.xx
   leftsubnet=192.168.1.0/24
   right=xx.xx.xx.xx
   rightsubnet=ww.ww.ww.ww/24
   keyexchange=ike
   ike=3des-sha1
   auth=esp
   authby=secret
   #specify encryption FortiGate VPN uses
   esp=3des-sha1


Screen errors: /usr/sbin/ipsec auto --up myconnec
    104 "myconnec" #1: STATE_MAIN_I1: initiate
    003 "myconnec" #1: received Vendor ID payload [Dead Peer Detection]
    003 "myconnec" #1: ignoring unknown Vendor ID payload [afcad71368a1f1c96b8696fc77570100]
    003 "myconnec" #1: ignoring unknown Vendor ID payload [1d6d178f6c2c0be284985465450fe9d4]
    003 "myconnec" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
    106 "myconnec" #1: STATE_MAIN_I2: sent MI2, expecting MR2
    003 "myconnec" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
    108 "myconnec" #1: STATE_MAIN_I3: sent MI3, expecting MR3
    004 "myconnec" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
    117 "myconnec" #2: STATE_QUICK_I1: initiate
    010 "myconnec" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
    010 "myconnec" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
    031 "myconnec" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
    000 "myconnec" #2: starting keying attempt 2 of an unlimited number, but releasing whack

Screen errors: ipsec auto --status
    ....
    000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,3,36} trans={0,3,480} attrs={0,3,320}
    000
    000 "myconnec": 192.168.1.0/24===xx.xx.xx.xx[@home]...xx.xx.xx.xx===xx.xx.xx.xx/24; unrouted; eroute owner: #0
    000 "myconnec":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
    000 "myconnec":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
    000 "myconnec":   policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; prio: 24,24; interface: eth0; encap: esp;
    000 "myconnec":   newest ISAKMP SA: #1; newest IPsec SA: #0;
    000 "myconnec":   IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)-MODP1536(5), 3DES_CBC(5)_000-SHA1(2)-MODP1024(2); flags=strict
    000 "myconnec":   IKE algorithms found: 3DES_CBC(5)_192-SHA1(2)_160-MODP1536(5), 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
    000 "myconnec":   IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1536
    000 "myconnec":   ESP algorithms wanted: 3DES(3)_000-SHA1(2); flags=strict
    000 "myconnec":   ESP algorithms loaded: 3DES(3)_000-SHA1(2); flags=strict
    000
    000 #3: "myconnec":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 1s; lastdpd=-1s(seq in:0 out:0)
    000 #1: "myconnec":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2787s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
    000

IPSec log file:
    loading secrets from "/etc/ipsec.secrets"
    "myconnec" #1: initiating Main Mode
    "myconnec" #1: received Vendor ID payload [Dead Peer Detection]
    "myconnec" #1: ignoring unknown Vendor ID payload [afca071368a1f1c96b8696fc77570100]
    "myconnec" #1: ignoring unknown Vendor ID payload [1d6e178f6c2c0be284985465450fe9d4]
    "myconnec" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
    "myconnec" #1: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-02/03
    "myconnec" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
    "myconnec" #1: STATE_MAIN_I2: sent MI2, expecting MR2
    "myconnec" #1: I did not send a certificate because I do not have one.
    "myconnec" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
    "myconnec" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
    "myconnec" #1: STATE_MAIN_I3: sent MI3, expecting MR3
    "myconnec" #1: Main mode peer ID is ID_IPV4_ADDR: 'xx.xx.xx.xx'
    "myconnec" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
    "myconnec" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
    "myconnec" #2: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#1}
    "myconnec" #1: ignoring informational payload, type INVALID_ID_INFORMATION
    "myconnec" #1: received and ignored informational message
    "myconnec" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
    "myconnec" #2: starting keying attempt 2 of an unlimited number, but releasing whack
    "myconnec" #3: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP to replace #2 {using isakmp#1}
    "myconnec" #1: ignoring informational payload, type INVALID_ID_INFORMATION
    "myconnec" #1: received and ignored informational message
    "myconnec" #3: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
    "myconnec" #3: starting keying attempt 3 of an unlimited number
    "myconnec" #4: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP to replace #3 {using isakmp#1}
    "myconnec" #1: ignoring informational payload, type INVALID_ID_INFORMATION
    "myconnec" #1: received and ignored informational message
    "myconnec" #4: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
    "myconnec" #4: starting keying attempt 4 of an unlimited number
    "myconnec" #5: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP to replace #4 {using isakmp#1}
    "myconnec" #1: ignoring informational payload, type INVALID_ID_INFORMATION
    "myconnec" #1: received and ignored informational message
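
As an added example (not from the post, and not Openswan's own code): a small Python script that parses pluto log lines of the shape shown above and reports where the negotiation stalls; the sample lines are constructed to mirror the posted log. It separates a phase 1 that completed (ISAKMP SA established) from Quick Mode attempts that keep drawing INVALID_ID_INFORMATION from the peer, and records whether the local phase 2 policy carried PFS so it can be compared with the remote side's phase 2 settings.

```python
import re

# Constructed sample in the shape of the posted pluto log (not the real capture).
SAMPLE_LOG = """
"myconnec" #1: initiating Main Mode
"myconnec" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
"myconnec" #2: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#1}
"myconnec" #1: ignoring informational payload, type INVALID_ID_INFORMATION
"myconnec" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"myconnec" #3: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP to replace #2 {using isakmp#1}
"myconnec" #1: ignoring informational payload, type INVALID_ID_INFORMATION
"""

# pluto prefixes each per-connection line with "<conn>" #<state number>:
LINE_RE = re.compile(r'^"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')


def parse_pluto_log(text):
    """Return (conn, state_number, message) triples for lines that match."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append((m.group("conn"), int(m.group("sa")), m.group("msg")))
    return events


def diagnose(events):
    """Track phase 1 / phase 2 progress per connection and give a verdict."""
    report = {}
    for conn, _sa, msg in events:
        r = report.setdefault(conn, {"isakmp_established": False, "quick_attempts": 0,
                                     "quick_failures": 0, "invalid_id": 0, "pfs": None})
        if "ISAKMP SA established" in msg:
            r["isakmp_established"] = True          # phase 1 completed
        elif msg.startswith("initiating Quick Mode"):
            r["quick_attempts"] += 1                 # a phase 2 attempt
            r["pfs"] = "PFS" in msg.split()[3].split("+")  # policy word after "Quick Mode"
        elif "No acceptable response to our first Quick Mode message" in msg:
            r["quick_failures"] += 1
        elif "INVALID_ID_INFORMATION" in msg:
            r["invalid_id"] += 1                     # peer rejected our phase 2 IDs
    for r in report.values():
        r["verdict"] = ("phase1-failed" if not r["isakmp_established"]
                        else "phase2-rejected-ids" if r["invalid_id"] and r["quick_failures"]
                        else "phase2-no-proposal" if r["quick_failures"] else "ok")
    return report
```

Run it as `python3 script.py < /var/log/ipsec_myconnec.log` after adding a `sys.stdin.read()` call, or feed it the posted log text directly.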
