[Openswan Users] Openswan and Fortigate

Peter McGill petermcgill at goco.net
Mon Aug 18 12:11:29 EDT 2008


Hugues,

Enable PFS in the Fortigate config; it is more secure,
and Openswan already has it enabled by default.

Change the esp= line in your Openswan ipsec.conf to
match your Fortigate settings as follows:
	esp=3des-sha1;modp1536

You are getting an INVALID ID error from the Fortigate.
Probably due to mismatched left/rightids.
Try removing the leftid= line in your ipsec.conf.
In any case, whatever you specify in leftid/rightid in ipsec.conf
(which default to the values of left/right respectively) you must
also specify in the Fortigate to identify the two ends of the
connection. Usually leaving them at the defaults (the left/right
IP addresses) works just fine.

Peter McGill
IT Systems Analyst
Gra Ham Energy Limited 
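
The three mismatches the reply points at (PFS, the missing DH group in the esp= line, and a leftid the Fortigate does not know) can be checked mechanically before bringing the tunnel up. The following is an added example, not code from the list post or from the Openswan project: it parses a conn block in ipsec.conf syntax and compares it with a hand-written description of the FortiGate side. The addresses (203.0.113.x, 10.9.8.0/24) and the `FORTIGATE` dict are constructed stand-ins for the xx.xx.xx.xx values in the post.

```python
"""Lint an Openswan conn block against the FortiGate side of the tunnel.

Added example (not code from the list post). It models the three mismatches
the reply points at: PFS on/off, the ESP proposal missing the DH group, and
a leftid value the FortiGate does not expect.
"""
import re

# IKE DH group number -> Openswan modp name (RFC 3526 groups 2, 5 and 14).
DH_GROUP_TO_MODP = {2: "modp1024", 5: "modp1536", 14: "modp2048"}


def parse_conn(conf_text, conn_name):
    """Return the key=value parameters of 'conn <conn_name>' in ipsec.conf text."""
    params, in_conn = {}, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        if re.match(r"^(conn|config|include)\b", line):
            in_conn = line.startswith("conn ") and line.split(None, 1)[1] == conn_name
            continue
        if in_conn and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip().strip('"')
    return params


def lint(conn, peer):
    """Compare one conn's parameters with a dict describing the FortiGate.

    peer keys (constructed for this example): phase2_pfs (bool),
    phase2_dh_group (int), expected_peer_id (str; the FortiGate matches
    the remote gateway by this ID, normally its IP address).
    """
    findings = []

    # Openswan turns PFS on unless the conn says pfs=no; both ends must agree.
    openswan_pfs = conn.get("pfs", "yes").lower() != "no"
    if openswan_pfs and not peer["phase2_pfs"]:
        findings.append("PFS is on in Openswan (default) but off on the FortiGate: enable PFS there")
    elif not openswan_pfs and peer["phase2_pfs"]:
        findings.append("PFS is off in Openswan (pfs=no) but on at the FortiGate: remove pfs=no")

    # With PFS, the ESP proposal must name the phase-2 DH group the FortiGate uses.
    esp = conn.get("esp", "")
    modp = DH_GROUP_TO_MODP.get(peer["phase2_dh_group"])
    if openswan_pfs and modp and not esp.endswith(";" + modp):
        base = esp.split(";", 1)[0] or "3des-sha1"
        findings.append("esp=%s does not carry DH group %d; use esp=%s;%s"
                        % (esp, peer["phase2_dh_group"], base, modp))

    # leftid defaults to left (the local IP); an ID the FortiGate does not
    # know is answered with INVALID_ID_INFORMATION in Quick Mode.
    leftid = conn.get("leftid", conn.get("left"))
    if leftid != peer["expected_peer_id"]:
        findings.append("leftid=%s will not match the ID the FortiGate expects (%s): drop "
                        "leftid= or configure that ID on the FortiGate, otherwise Quick Mode "
                        "fails with INVALID_ID_INFORMATION" % (leftid, peer["expected_peer_id"]))
    return findings


# Constructed sample: the post's conn with documentation addresses in place of xx.xx.xx.xx.
SAMPLE_CONF = """\
config setup
  nat_traversal=yes

conn myconnec
  auto=add
  leftid=@home
  left=203.0.113.10
  leftsubnet=192.168.1.0/24
  right=203.0.113.20
  rightsubnet=10.9.8.0/24
  keyexchange=ike
  ike=3des-sha1
  auth=esp
  authby=secret
  #specify encryption FortiGate VPN uses
  esp=3des-sha1
"""

# Constructed description of the FortiGate phase-2 settings from the post.
FORTIGATE = {"phase2_pfs": False, "phase2_dh_group": 5, "expected_peer_id": "203.0.113.10"}


def check_sample():
    """Lint the sample conn as posted; returns the list of findings."""
    return lint(parse_conn(SAMPLE_CONF, "myconnec"), FORTIGATE)


def check_fixed():
    """Lint the conn after applying the reply's advice; expected to be empty."""
    fixed_conf = SAMPLE_CONF.replace("  leftid=@home\n", "").replace(
        "esp=3des-sha1", "esp=3des-sha1;modp1536")
    fixed_peer = dict(FORTIGATE, phase2_pfs=True)
    return lint(parse_conn(fixed_conf, "myconnec"), fixed_peer)


if __name__ == "__main__":
    for finding in check_sample():
        print("-", finding)
```

Run as a script it prints the three findings for the posted configuration; `check_fixed()` shows that enabling PFS on the FortiGate, appending `;modp1536` to the esp= line and dropping leftid= clears all of them. The ID check is deliberately one-sided here (the FortiGate is assumed to identify its peer by IP address), which matches the advice to leave leftid/rightid at their defaults.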

> -----Original Message-----
> From: users-bounces at openswan.org 
> [mailto:users-bounces at openswan.org] On Behalf Of Hugues CHARBONNIER
> Sent: August 18, 2008 11:59 AM
> To: users at openswan.org
> Subject: [Openswan Users] Openswan and Fortigate
> 
> Hi everybody, I'm trying to connect a FortiGate box with
> Openswan, but everything goes bad...
> 
> These are my conf. files, and the errors I have.
> 
> Please, can anyone help me?
> 
> Fortigate (remote) conf:
> Phase 1:
>    Main mode
>    PSK
>    Encryption/Authentication. 3Des-SHA1
>    DH group 5
>    Disable XAUTH
> Phase 2:
>     Disable PFS
>     DH group 5
> 
> OpenSwan (local) conf :
> 
> #/etc/ipsec.conf
> version 2
> config setup
>   interfaces="ipsec0=eth0"
>   klipsdebug=none
>   plutodebug=none
>   plutostderrlog=/var/log/ipsec_myconnec.log
>   nat_traversal=yes
> include /etc/ipsec.d/*.conf
> 
> 
> 
> #/etc/ipsec.d/myconnec.conf
> conn myconnec
> auto=add
> leftid=@home
> left=xx.xx.xx.xx
> leftsubnet=192.168.1.0/24
> right=xx.xx.xx.xx
> rightsubnet=ww.ww.ww.ww/24
> keyexchange=ike
> ike=3des-sha1
> auth=esp
> authby=secret
> #specify encryption FortiGate VPN uses
> esp=3des-sha1
> 
> 
> Screen errors:         /usr/sbin/ipsec auto --up myconnec
>    104 "myconnec" #1: STATE_MAIN_I1: initiate
>    003 "myconnec" #1: received Vendor ID payload [Dead Peer Detection]
>    003 "myconnec" #1: ignoring unknown Vendor ID payload 
> [afcad71368a1f1c96b8696fc77570100]
>    003 "myconnec" #1: ignoring unknown Vendor ID payload 
> [1d6d178f6c2c0be284985465450fe9d4]
>    003 "myconnec" #1: received Vendor ID payload 
> [draft-ietf-ipsec-nat-t-ike-03] method set to=108
>    106 "myconnec" #1: STATE_MAIN_I2: sent MI2, expecting MR2
>    003 "myconnec" #1: NAT-Traversal: Result using 
> draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
>    108 "myconnec" #1: STATE_MAIN_I3: sent MI3, expecting MR3
>    004 "myconnec" #1: STATE_MAIN_I4: ISAKMP SA established 
> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha 
> group=modp1536}
>    117 "myconnec" #2: STATE_QUICK_I1: initiate
>    010 "myconnec" #2: STATE_QUICK_I1: retransmission; will 
> wait 20s for 
> response
>    010 "myconnec" #2: STATE_QUICK_I1: retransmission; will 
> wait 40s for 
> response
>    031 "myconnec" #2: max number of retransmissions (2) reached 
> STATE_QUICK_I1.  No acceptable response to our first Quick 
> Mode message: 
> perhaps peer likes no proposal
>    000 "myconnec" #2: starting keying attempt 2 of an 
> unlimited number, 
> but releasing whack
> 
> Screen errors:          ipsec auto --status
>    ....
>    000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,3,36} 
> trans={0,3,480} attrs={0,3,320}
>    000
>    000 "myconnec": 
> 192.168.1.0/24===xx.xx.xx.xx[@home]...xx.xx.xx.xx===xx.xx.xx.xx/24; 
> unrouted; eroute owner: #0
>    000 "myconnec":     srcip=unset; dstip=unset; srcup=ipsec _updown; 
> dstup=ipsec _updown;
>    000 "myconnec":   ike_life: 3600s; ipsec_life: 28800s; 
> rekey_margin: 
> 540s; rekey_fuzz: 100%; keyingtries: 0
>    000 "myconnec":   policy: 
> PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; prio: 
> 24,24; interface: eth0; encap: esp;
>    000 "myconnec":   newest ISAKMP SA: #1; newest IPsec SA: #0;
>    000 "myconnec":   IKE algorithms wanted: 
> 3DES_CBC(5)_000-SHA1(2)-MODP1536(5), 
> 3DES_CBC(5)_000-SHA1(2)-MODP1024(2); flags=strict
>    000 "myconnec":   IKE algorithms found: 
> 3DES_CBC(5)_192-SHA1(2)_160-MODP1536(5), 
> 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
>    000 "myconnec":   IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1536
>    000 "myconnec":   ESP algorithms wanted: 3DES(3)_000-SHA1(2); 
> flags=strict
>    000 "myconnec":   ESP algorithms loaded: 3DES(3)_000-SHA1(2); 
> flags=strict
>    000
>    000 #3: "myconnec":500 STATE_QUICK_I1 (sent QI1, expecting QR1); 
> EVENT_RETRANSMIT in 1s; lastdpd=-1s(seq in:0 out:0)
>    000 #1: "myconnec":500 STATE_MAIN_I4 (ISAKMP SA established); 
> EVENT_SA_REPLACE in 2787s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
>    000
> 
> IPSec log file:
>    loading secrets from "/etc/ipsec.secrets"
>    "myconnec" #1: initiating Main Mode
>    "myconnec" #1: received Vendor ID payload [Dead Peer Detection]
>    "myconnec" #1: ignoring unknown Vendor ID payload 
> [afca071368a1f1c96b8696fc77570100]
>    "myconnec" #1: ignoring unknown Vendor ID payload 
> [1d6e178f6c2c0be284985465450fe9d4]
>    "myconnec" #1: received Vendor ID payload 
> [draft-ietf-ipsec-nat-t-ike-03] method set to=108
>    "myconnec" #1: enabling possible NAT-traversal with method 
> draft-ietf-ipsec-nat-t-ike-02/03
>    "myconnec" #1: transition from state STATE_MAIN_I1 to state 
> STATE_MAIN_I2
>    "myconnec" #1: STATE_MAIN_I2: sent MI2, expecting MR2
>    "myconnec" #1: I did not send a certificate because I do 
> not have one.
>    "myconnec" #1: NAT-Traversal: Result using 
> draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
>    "myconnec" #1: transition from state STATE_MAIN_I2 to state 
> STATE_MAIN_I3
>    "myconnec" #1: STATE_MAIN_I3: sent MI3, expecting MR3
>    "myconnec" #1: Main mode peer ID is ID_IPV4_ADDR: 'xx.xx.xx.xx'
>    "myconnec" #1: transition from state STATE_MAIN_I3 to state 
> STATE_MAIN_I4
>    "myconnec" #1: STATE_MAIN_I4: ISAKMP SA established 
> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha 
> group=modp1536}
>    "myconnec" #2: initiating Quick Mode 
> PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#1}
>    "myconnec" #1: ignoring informational payload, type 
> INVALID_ID_INFORMATION
>    "myconnec" #1: received and ignored informational message
>    "myconnec" #2: max number of retransmissions (2) reached 
> STATE_QUICK_I1.  No acceptable response to our first Quick 
> Mode message: 
> perhaps peer likes no proposal
>    "myconnec" #2: starting keying attempt 2 of an unlimited 
> number, but 
> releasing whack
>    "myconnec" #3: initiating Quick Mode 
> PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP to replace #2 {using isakmp#1}
>    "myconnec" #1: ignoring informational payload, type 
> INVALID_ID_INFORMATION
>    "myconnec" #1: received and ignored informational message
>    "myconnec" #3: max number of retransmissions (2) reached 
> STATE_QUICK_I1.  No acceptable response to our first Quick 
> Mode message: 
> perhaps peer likes no proposal
>    "myconnec" #3: starting keying attempt 3 of an unlimited number
>    "myconnec" #4: initiating Quick Mode 
> PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP to replace #3 {using isakmp#1}
>    "myconnec" #1: ignoring informational payload, type 
> INVALID_ID_INFORMATION
>    "myconnec" #1: received and ignored informational message
>    "myconnec" #4: max number of retransmissions (2) reached 
> STATE_QUICK_I1.  No acceptable response to our first Quick 
> Mode message: 
> perhaps peer likes no proposal
>    "myconnec" #4: starting keying attempt 4 of an unlimited number
>    "myconnec" #5: initiating Quick Mode 
> PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP to replace #4 {using isakmp#1}
>    "myconnec" #1: ignoring informational payload, type 
> INVALID_ID_INFORMATION
>    "myconnec" #1: received and ignored informational message
> 
> 
> Hugues CHARBONNIER <hcharbonnier at dotriver.com>
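
The log excerpts in the post already contain the diagnosis (phase 1 completes, every Quick Mode attempt is answered with INVALID_ID_INFORMATION and times out). The following is an added example, not code from the post or the Openswan project, that pulls those facts out of Pluto-style log lines automatically. The sample lines are constructed from the post's wrapped output, with 203.0.113.20 standing in for the xx.xx.xx.xx peer address.

```python
"""Triage Openswan/Pluto log lines to say which IKE phase is failing and why.

Added example, not code from the post: it reads lines shaped like the post's
'ipsec auto --up' and log output and reports whether the ISAKMP SA came up,
which state ran out of retransmissions, and which notifications the peer sent.
"""
import re
from collections import Counter

# Pluto line: optional 3-digit whack code, then "conn" #sa: message
LINE_RE = re.compile(r'^\s*(?:\d{3}\s+)?"(?P<conn>[^"]+)"\s+#(?P<sa>\d+):\s*(?P<msg>.*)$')
NOTIFY_RE = re.compile(r"informational payload, type (\w+)")
RETRANS_RE = re.compile(r"max number of retransmissions \(\d+\) reached (STATE_\w+)")
PEER_ID_RE = re.compile(r"peer ID is (\w+): '([^']*)'")


def parse_pluto(lines):
    """Yield (conn, sa_number, message) for each line that looks like Pluto output."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.group("conn"), int(m.group("sa")), m.group("msg")


def triage(lines):
    """Summarise a Pluto log into a dict a responder can act on."""
    result = {"isakmp_sa_established": False, "peer_id": None,
              "failed_state": None, "notifications": Counter()}
    for _conn, _sa, msg in parse_pluto(lines):
        if "ISAKMP SA established" in msg:
            result["isakmp_sa_established"] = True
        m = PEER_ID_RE.search(msg)
        if m:
            result["peer_id"] = (m.group(1), m.group(2))   # ID type the peer presented
        m = NOTIFY_RE.search(msg)
        if m:
            result["notifications"][m.group(1)] += 1       # e.g. INVALID_ID_INFORMATION
        m = RETRANS_RE.search(msg)
        if m:
            result["failed_state"] = m.group(1)            # state that gave up
    return result


def diagnosis(result):
    """Turn the triage dict into a one-line reading of the failure."""
    if not result["isakmp_sa_established"]:
        return "phase 1 never completed: check IKE proposal, PSK and gateway addresses"
    failed = result["failed_state"] or ""
    if failed.startswith("STATE_QUICK"):
        if result["notifications"]["INVALID_ID_INFORMATION"]:
            return ("phase 1 up, phase 2 rejected with INVALID_ID_INFORMATION: "
                    "the peer does not accept our IDs or phase-2 subnets")
        return "phase 1 up, phase 2 unanswered: ESP proposal, PFS or DH group mismatch"
    return "no failure seen"


# Constructed sample modelled on the post's log (wrapped lines rejoined).
SAMPLE_LOG = """\
"myconnec" #1: initiating Main Mode
"myconnec" #1: STATE_MAIN_I2: sent MI2, expecting MR2
"myconnec" #1: Main mode peer ID is ID_IPV4_ADDR: '203.0.113.20'
"myconnec" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
"myconnec" #2: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#1}
"myconnec" #1: ignoring informational payload, type INVALID_ID_INFORMATION
"myconnec" #1: received and ignored informational message
"myconnec" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"myconnec" #3: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP to replace #2 {using isakmp#1}
"myconnec" #1: ignoring informational payload, type INVALID_ID_INFORMATION
""".splitlines()


def run_sample():
    """Triage the constructed sample; returns (summary dict, one-line diagnosis)."""
    summary = triage(SAMPLE_LOG)
    return summary, diagnosis(summary)


if __name__ == "__main__":
    summary, verdict = run_sample()
    print("peer ID:", summary["peer_id"])
    print("notifications:", dict(summary["notifications"]))
    print(verdict)
```

The `peer_id` field is worth reading next to the rightid/leftid advice above: the log shows the FortiGate identifying itself by IP address (`ID_IPV4_ADDR`), so the Openswan side should expect the same, and the `@home` leftid has no counterpart on the FortiGate.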