[Openswan Users] Open Swan and Fortigate.

Paul Wouters paul at xelerance.com
Mon Aug 18 14:14:27 EDT 2008


On Mon, 18 Aug 2008, Hugues CHARBONNIER wrote:

Looks like pfs=no is missing to match the remote, though it is better
to have the remote enable pfs=yes

Paul

> Date: Mon, 18 Aug 2008 17:53:55 +0200
> From: Hugues CHARBONNIER <hcharbonnier at dotriver.eu>
> To: users at openswan.org
> Subject: [Openswan Users] Open Swan and Fortigate.
> 
> Hi everybody, I'm trying to connect a FortiGate box with Openswan, but 
> everything goes bad...
>
> These are my conf. files, and the errors I have.
>
> Please, can anyone help me?
>
> Fortigate (remote) conf:
> Phase 1:
>   Main mode
>   PSK
>   Encryption/Authentication. 3Des-SHA1
>   DH group 5
>   Disable XAUTH
> Phase 2:
>    Disable PFS
>    DH group 5
>
> OpenSwan (local) conf :
>
> #/etc/ipsec.conf
> version 2
> config setup
>  interfaces="ipsec0=eth0"
>  klipsdebug=none
>  plutodebug=none
>  plutostderrlog=/var/log/ipsec_myconnec.log
>  nat_traversal=yes
> include /etc/ipsec.d/*.conf
>
>
>
> #/etc/ipsec.d/myconnec.conf
> conn myconnec
>     auto=add
>     leftid=@home
>     left=xx.xx.xx.xx
>     leftsubnet=192.168.1.0/24
>     right=xx.xx.xx.xx
>     rightsubnet=ww.ww.ww.ww/24
>     keyexchange=ike
>     ike=3des-sha1
>     auth=esp
>     authby=secret
>     #specify encryption FortiGate VPN uses
>     esp=3des-sha1
>
>
> Screen errors:         /usr/sbin/ipsec auto --up myconnec
>   104 "myconnec" #1: STATE_MAIN_I1: initiate
>   003 "myconnec" #1: received Vendor ID payload [Dead Peer Detection]
>   003 "myconnec" #1: ignoring unknown Vendor ID payload 
> [afcad71368a1f1c96b8696fc77570100]
>   003 "myconnec" #1: ignoring unknown Vendor ID payload 
> [1d6d178f6c2c0be284985465450fe9d4]
>   003 "myconnec" #1: received Vendor ID payload 
> [draft-ietf-ipsec-nat-t-ike-03] method set to=108
>   106 "myconnec" #1: STATE_MAIN_I2: sent MI2, expecting MR2
>   003 "myconnec" #1: NAT-Traversal: Result using 
> draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
>   108 "myconnec" #1: STATE_MAIN_I3: sent MI3, expecting MR3
>   004 "myconnec" #1: STATE_MAIN_I4: ISAKMP SA established 
> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha 
> group=modp1536}
>   117 "myconnec" #2: STATE_QUICK_I1: initiate
>   010 "myconnec" #2: STATE_QUICK_I1: retransmission; will wait 20s for 
> response
>   010 "myconnec" #2: STATE_QUICK_I1: retransmission; will wait 40s for 
> response
>   031 "myconnec" #2: max number of retransmissions (2) reached 
> STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: 
> perhaps peer likes no proposal
>   000 "myconnec" #2: starting keying attempt 2 of an unlimited number, but 
> releasing whack
>
> Screen errors:          ipsec auto --status
>   ....
>   000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,3,36} 
> trans={0,3,480} attrs={0,3,320}
>   000
>   000 "myconnec": 
> 192.168.1.0/24===xx.xx.xx.xx[@home]...xx.xx.xx.xx===xx.xx.xx.xx/24; unrouted; 
> eroute owner: #0
>   000 "myconnec":     srcip=unset; dstip=unset; srcup=ipsec _updown; 
> dstup=ipsec _updown;
>   000 "myconnec":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; 
> rekey_fuzz: 100%; keyingtries: 0
>   000 "myconnec":   policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; prio: 24,24; 
> interface: eth0; encap: esp;
>   000 "myconnec":   newest ISAKMP SA: #1; newest IPsec SA: #0;
>   000 "myconnec":   IKE algorithms wanted: 
> 3DES_CBC(5)_000-SHA1(2)-MODP1536(5), 3DES_CBC(5)_000-SHA1(2)-MODP1024(2); 
> flags=strict
>   000 "myconnec":   IKE algorithms found: 
> 3DES_CBC(5)_192-SHA1(2)_160-MODP1536(5), 
> 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
>   000 "myconnec":   IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1536
>   000 "myconnec":   ESP algorithms wanted: 3DES(3)_000-SHA1(2); flags=strict
>   000 "myconnec":   ESP algorithms loaded: 3DES(3)_000-SHA1(2); flags=strict
>   000
>   000 #3: "myconnec":500 STATE_QUICK_I1 (sent QI1, expecting QR1); 
> EVENT_RETRANSMIT in 1s; lastdpd=-1s(seq in:0 out:0)
>   000 #1: "myconnec":500 STATE_MAIN_I4 (ISAKMP SA established); 
> EVENT_SA_REPLACE in 2787s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
>   000
>
> IPSec log file:
>   loading secrets from "/etc/ipsec.secrets"
>   "myconnec" #1: initiating Main Mode
>   "myconnec" #1: received Vendor ID payload [Dead Peer Detection]
>   "myconnec" #1: ignoring unknown Vendor ID payload 
> [afca071368a1f1c96b8696fc77570100]
>   "myconnec" #1: ignoring unknown Vendor ID payload 
> [1d6e178f6c2c0be284985465450fe9d4]
>   "myconnec" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] 
> method set to=108
>   "myconnec" #1: enabling possible NAT-traversal with method 
> draft-ietf-ipsec-nat-t-ike-02/03
>   "myconnec" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
>   "myconnec" #1: STATE_MAIN_I2: sent MI2, expecting MR2
>   "myconnec" #1: I did not send a certificate because I do not have one.
>   "myconnec" #1: NAT-Traversal: Result using 
> draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
>   "myconnec" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
>   "myconnec" #1: STATE_MAIN_I3: sent MI3, expecting MR3
>   "myconnec" #1: Main mode peer ID is ID_IPV4_ADDR: 'xx.xx.xx.xx'
>   "myconnec" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
>   "myconnec" #1: STATE_MAIN_I4: ISAKMP SA established 
> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha 
> group=modp1536}
>   "myconnec" #2: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP 
> {using isakmp#1}
>   "myconnec" #1: ignoring informational payload, type INVALID_ID_INFORMATION
>   "myconnec" #1: received and ignored informational message
>   "myconnec" #2: max number of retransmissions (2) reached STATE_QUICK_I1. 
> No acceptable response to our first Quick Mode message: perhaps peer likes no 
> proposal
>   "myconnec" #2: starting keying attempt 2 of an unlimited number, but 
> releasing whack
>   "myconnec" #3: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP to 
> replace #2 {using isakmp#1}
>   "myconnec" #1: ignoring informational payload, type INVALID_ID_INFORMATION
>   "myconnec" #1: received and ignored informational message
>   "myconnec" #3: max number of retransmissions (2) reached STATE_QUICK_I1. 
> No acceptable response to our first Quick Mode message: perhaps peer likes no 
> proposal
>   "myconnec" #3: starting keying attempt 3 of an unlimited number
>   "myconnec" #4: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP to 
> replace #3 {using isakmp#1}
>   "myconnec" #1: ignoring informational payload, type INVALID_ID_INFORMATION
>   "myconnec" #1: received and ignored informational message
>   "myconnec" #4: max number of retransmissions (2) reached STATE_QUICK_I1. 
> No acceptable response to our first Quick Mode message: perhaps peer likes no 
> proposal
>   "myconnec" #4: starting keying attempt 4 of an unlimited number
>   "myconnec" #5: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP to 
> replace #4 {using isakmp#1}
>   "myconnec" #1: ignoring informational payload, type INVALID_ID_INFORMATION
>   "myconnec" #1: received and ignored informational message
>
>


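The Quick Mode failure in the quoted log, worked through as an added example (Python; this is not code from the post or from the Openswan project): it parses the pluto log lines the poster showed, reads the Phase 2 policy flags Openswan logged, compares them with the FortiGate Phase 2 settings listed at the top of the post, and reports what to change in the conn. The sample log lines are copied from the post and re-joined onto single lines; the regexes, the REMOTE_PHASE2 dictionary shape and the diagnose() helper are my own assumptions.

```python
"""Triage an Openswan (pluto) Quick Mode failure against the peer's Phase 2 settings.

Added example, not code from the mailing-list post or from Openswan.
"""
import re

# Constructed sample: the relevant pluto log lines from the post, re-joined
# onto single lines (the mail wrapped them).
PLUTO_LOG = """\
"myconnec" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
"myconnec" #2: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#1}
"myconnec" #1: ignoring informational payload, type INVALID_ID_INFORMATION
"myconnec" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""

# The FortiGate Phase 2 settings as the poster listed them ("Disable PFS",
# "DH group 5"). The dictionary layout is an assumption of this example.
REMOTE_PHASE2 = {"pfs": False, "dh_group": 5}

ISAKMP_RE = re.compile(r"ISAKMP SA established \{(?P<params>[^}]*)\}")
QUICK_RE = re.compile(r'"(?P<conn>[^"]+)" #\d+: initiating Quick Mode (?P<policy>[A-Z+]+)')
NOTIFY_RE = re.compile(r"informational payload, type (?P<notify>[A-Z_]+)")
QUICK_FAIL = "No acceptable response to our first Quick Mode message"


def parse_pluto_log(text):
    """Pull the Phase 1 parameters, the Quick Mode policy flags and any ISAKMP
    notifies the peer sent back out of pluto's log lines."""
    parsed = {"phase1": None, "policy": set(), "notifies": [], "quick_failed": False}
    for line in text.splitlines():
        m = ISAKMP_RE.search(line)
        if m:
            # "auth=... cipher=... prf=... group=modp1536" -> dict
            parsed["phase1"] = dict(kv.split("=", 1) for kv in m.group("params").split())
        m = QUICK_RE.search(line)
        if m:
            # "PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP" -> {"PSK", "ENCRYPT", ...}
            parsed["policy"] = set(m.group("policy").split("+"))
        m = NOTIFY_RE.search(line)
        if m:
            parsed["notifies"].append(m.group("notify"))
        if QUICK_FAIL in line:
            parsed["quick_failed"] = True
    return parsed


def diagnose(parsed, remote_phase2):
    """Return (finding, suggested ipsec.conf setting or None) tuples."""
    findings = []
    if parsed["phase1"] is None:
        findings.append(("Phase 1 never completed: check ike=, authby= and the PSK", None))
        return findings
    if not parsed["quick_failed"]:
        return findings

    # Openswan defaults to PFS; the peer must agree or Quick Mode never completes.
    local_pfs = "PFS" in parsed["policy"]
    if local_pfs != remote_phase2["pfs"]:
        state = lambda on: "on" if on else "off"
        findings.append((
            f"Phase 2 PFS mismatch: local policy has PFS {state(local_pfs)}, "
            f"remote has PFS {state(remote_phase2['pfs'])}",
            "pfs=yes" if remote_phase2["pfs"] else "pfs=no",
        ))

    # INVALID_ID_INFORMATION is the peer rejecting the Phase 2 ID payloads,
    # i.e. the traffic selectors, so the subnets deserve a look as well.
    if "INVALID_ID_INFORMATION" in parsed["notifies"]:
        findings.append((
            "Peer answered Quick Mode with INVALID_ID_INFORMATION: confirm that "
            "leftsubnet/rightsubnet match the FortiGate phase2 selectors exactly",
            None,
        ))
    return findings


if __name__ == "__main__":
    for finding, setting in diagnose(parse_pluto_log(PLUTO_LOG), REMOTE_PHASE2):
        print(f"- {finding}" + (f"  [add to conn: {setting}]" if setting else ""))
```

Run against the log from the post it reports the PFS mismatch and suggests `pfs=no`, which is the change Paul names. Note the trade-off before taking that route: without PFS every Phase 2 key is derived from the Phase 1 (ISAKMP SA) keying material, so a compromise of that material exposes the traffic of all child SAs, which is why enabling PFS on the FortiGate side and leaving Openswan at its default is the better fix. If PFS is enabled on both sides, the FortiGate's phase 2 DH group 5 is modp1536, the same group the established ISAKMP SA shows here. The INVALID_ID_INFORMATION finding is a second thing to check: that notify is the peer objecting to the Phase 2 IDs, so the subnets on both ends must match exactly.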