[Openswan Users] Open Swan and Fortigate.
Hugues CHARBONNIER
hcharbonnier at dotriver.eu
Mon Aug 18 11:53:55 EDT 2008
Hi every body, i''m trying to connect a fortyGate bax with Openswan, but
every thing goes bad...
These are my conf. files , and the errors i have.
Please, can anyone help me ?????!
Fortigate (remote) conf:
Phase 1:
Main mode
PSK
Encryption/Authentication. 3Des-SHA1
DH group 5
Disable XAUTH
Phase 2:
Disable PFS
DH group 5
OpenSwan (local) conf :
#/etc/ipsec.conf
version 2
config setup
interfaces="ipsec0=eth0"
klipsdebug=none
plutodebug=none
plutostderrlog=/var/log/ipsec_myconnec.log
nat_traversal=yes
include /etc/ipsec.d/*.conf
#/etc/ipsec.d/myconnec.conf
conn myconnec
auto=add
leftid=@home
left=xx.xx.xx.xx
leftsubnet=192.168.1.0/24
right=xx.xx.xx.xx
rightsubnet=ww.ww.ww.ww/24
keyexchange=ike
ike=3des-sha1
auth=esp
authby=secret
#specify encryption FortiGate VPN uses
esp=3des-sha1
Screen errors: /usr/sbin/ipsec auto --up myconnec
104 "myconnec" #1: STATE_MAIN_I1: initiate
003 "myconnec" #1: received Vendor ID payload [Dead Peer Detection]
003 "myconnec" #1: ignoring unknown Vendor ID payload
[afcad71368a1f1c96b8696fc77570100]
003 "myconnec" #1: ignoring unknown Vendor ID payload
[1d6d178f6c2c0be284985465450fe9d4]
003 "myconnec" #1: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03] method set to=108
106 "myconnec" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "myconnec" #1: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
108 "myconnec" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "myconnec" #1: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp1536}
117 "myconnec" #2: STATE_QUICK_I1: initiate
010 "myconnec" #2: STATE_QUICK_I1: retransmission; will wait 20s for
response
010 "myconnec" #2: STATE_QUICK_I1: retransmission; will wait 40s for
response
031 "myconnec" #2: max number of retransmissions (2) reached
STATE_QUICK_I1. No acceptable response to our first Quick Mode message:
perhaps peer likes no proposal
000 "myconnec" #2: starting keying attempt 2 of an unlimited number,
but releasing whack
Screen errors: ipsec auto --status
....
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,3,36}
trans={0,3,480} attrs={0,3,320}
000
000 "myconnec":
192.168.1.0/24===xx.xx.xx.xx[@home]...xx.xx.xx.xx===xx.xx.xx.xx/24;
unrouted; eroute owner: #0
000 "myconnec": srcip=unset; dstip=unset; srcup=ipsec _updown;
dstup=ipsec _updown;
000 "myconnec": ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 0
000 "myconnec": policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; prio:
24,24; interface: eth0; encap: esp;
000 "myconnec": newest ISAKMP SA: #1; newest IPsec SA: #0;
000 "myconnec": IKE algorithms wanted:
3DES_CBC(5)_000-SHA1(2)-MODP1536(5),
3DES_CBC(5)_000-SHA1(2)-MODP1024(2); flags=strict
000 "myconnec": IKE algorithms found:
3DES_CBC(5)_192-SHA1(2)_160-MODP1536(5),
3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
000 "myconnec": IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1536
000 "myconnec": ESP algorithms wanted: 3DES(3)_000-SHA1(2);
flags=strict
000 "myconnec": ESP algorithms loaded: 3DES(3)_000-SHA1(2);
flags=strict
000
000 #3: "myconnec":500 STATE_QUICK_I1 (sent QI1, expecting QR1);
EVENT_RETRANSMIT in 1s; lastdpd=-1s(seq in:0 out:0)
000 #1: "myconnec":500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 2787s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000
IPSec log file:
loading secrets from "/etc/ipsec.secrets"
"myconnec" #1: initiating Main Mode
"myconnec" #1: received Vendor ID payload [Dead Peer Detection]
"myconnec" #1: ignoring unknown Vendor ID payload
[afca071368a1f1c96b8696fc77570100]
"myconnec" #1: ignoring unknown Vendor ID payload
[1d6e178f6c2c0be284985465450fe9d4]
"myconnec" #1: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03] method set to=108
"myconnec" #1: enabling possible NAT-traversal with method
draft-ietf-ipsec-nat-t-ike-02/03
"myconnec" #1: transition from state STATE_MAIN_I1 to state
STATE_MAIN_I2
"myconnec" #1: STATE_MAIN_I2: sent MI2, expecting MR2
"myconnec" #1: I did not send a certificate because I do not have one.
"myconnec" #1: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
"myconnec" #1: transition from state STATE_MAIN_I2 to state
STATE_MAIN_I3
"myconnec" #1: STATE_MAIN_I3: sent MI3, expecting MR3
"myconnec" #1: Main mode peer ID is ID_IPV4_ADDR: 'xx.xx.xx.xx'
"myconnec" #1: transition from state STATE_MAIN_I3 to state
STATE_MAIN_I4
"myconnec" #1: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp1536}
"myconnec" #2: initiating Quick Mode
PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#1}
"myconnec" #1: ignoring informational payload, type
INVALID_ID_INFORMATION
"myconnec" #1: received and ignored informational message
"myconnec" #2: max number of retransmissions (2) reached
STATE_QUICK_I1. No acceptable response to our first Quick Mode message:
perhaps peer likes no proposal
"myconnec" #2: starting keying attempt 2 of an unlimited number, but
releasing whack
"myconnec" #3: initiating Quick Mode
PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP to replace #2 {using isakmp#1}
"myconnec" #1: ignoring informational payload, type
INVALID_ID_INFORMATION
"myconnec" #1: received and ignored informational message
"myconnec" #3: max number of retransmissions (2) reached
STATE_QUICK_I1. No acceptable response to our first Quick Mode message:
perhaps peer likes no proposal
"myconnec" #3: starting keying attempt 3 of an unlimited number
"myconnec" #4: initiating Quick Mode
PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP to replace #3 {using isakmp#1}
"myconnec" #1: ignoring informational payload, type
INVALID_ID_INFORMATION
"myconnec" #1: received and ignored informational message
"myconnec" #4: max number of retransmissions (2) reached
STATE_QUICK_I1. No acceptable response to our first Quick Mode message:
perhaps peer likes no proposal
"myconnec" #4: starting keying attempt 4 of an unlimited number
"myconnec" #5: initiating Quick Mode
PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP to replace #4 {using isakmp#1}
"myconnec" #1: ignoring informational payload, type
INVALID_ID_INFORMATION
"myconnec" #1: received and ignored informational message
-------------- next part --------------
A non-text attachment was scrubbed...
Name: hcharbonnier.vcf
Type: text/x-vcard
Size: 211 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20080818/8f6dd025/attachment.vcf
More information about the Users
mailing list