[Openswan Users] Openswan + Fortigate shared key problem
Marcin J. Kowalczyk
marcin.kowalczyk at ccig.pl
Mon Sep 29 07:05:17 EDT 2008
Hi,
I've tried to set it up like you said, but in the log I can see:
Sep 29 12:57:38 vpn ipsec__plutorun: 104 "forti" #1: STATE_MAIN_I1: initiate
Sep 29 12:57:38 vpn ipsec__plutorun: ...could not start conn "forti"
Sep 29 12:57:38 vpn pluto[25143]: packet from 81.xx.xx.66:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Sep 29 12:57:38 vpn pluto[25143]: packet from 81.xx.xx.66:500: received and ignored informational message
Sep 29 12:57:47 vpn pluto[25143]: packet from 81.xx.xx.66:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Sep 29 12:57:47 vpn pluto[25143]: packet from 81.xx.xx.66:500: received and ignored informational message
Sep 29 12:58:08 vpn pluto[25143]: packet from 81.xx.xx.66:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Sep 29 12:58:08 vpn pluto[25143]: packet from 81.xx.xx.66:500: received and ignored informational message
vpn:~# ipsec auto --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 78.xx.xx.20
000 interface eth0/eth0 78.xx.xx.20
000 interface eth0:2/eth0:2 192.168.127.15
000 interface eth0:2/eth0:2 192.168.127.15
000 interface eth0:1/eth0:1 192.168.0.15
000 interface eth0:1/eth0:1 192.168.0.15
000 interface tun0/tun0 10.4.0.1
000 interface tun0/tun0 10.4.0.1
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=(null), ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=(null), ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,1,36} trans={0,1,540} attrs={0,1,360}
000
000 "niemcy": 78.xx.xx.20---78.xx.xx.1...81.xx.xx.66===192.168.2.0/24; prospective erouted; eroute owner: #0
000 "niemcy": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "niemcy": ike_life: 86400s; ipsec_life: 86400s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "niemcy": policy: PSK+ENCRYPT+TUNNEL+UP; prio: 32,24; interface: eth0; encap: esp;
000 "niemcy": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "niemcy": IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)-MODP1536(5), 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=strict
000 "niemcy": IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-MODP1536(5), 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
000 "niemcy": ESP algorithms wanted: 3DES(3)_000-MD5(1); flags=strict
000 "niemcy": ESP algorithms loaded: 3DES(3)_000-MD5(1); flags=strict
000
000 #1: "forti":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 11s; nodpd
000 #1: pending Phase 2 for "forti" replacing #0
000
vpn:~#
Configuration I received from the VPN admin:
Our External IP: 81.xx.xx.66
Our internal net : 192.168.2.0/255.255.255.0
authentication pre-share
Pre shared key: keyXXXXXXXX
Encryption: 3des
Hash: md5
Lifetime:86400
Modified forti.conf:
conn niemcy
type= tunnel
authby= secret
#RRT
left= 78.xx.xx.20 (my external IP)
leftnexthop= %defaultroute
#SAA
right= 81.xx.xx.66
rightsubnet= 192.168.2.0/24
esp=3des-md5
ike=3des-md5
keyexchange= ike
ikelifetime=86400
keylife=86400
pfs= no
auto= start
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
Felipe Rasputin suggested using:
esp=3des-md5
ike=3des-md5-modp1024
but that did not work either.
Do you have any idea how to configure this ipsec-to-forti tunnel?
Paul Wouters wrote:
> On Sun, 28 Sep 2008, Marcin J. Kowalczyk wrote:
>
>
>> I'm trying to setup connection between Openswan 2.4.12 and fortigate
>> VPN. Only information I received from person who administrates Forti is:
>>
>> "Remote Peer: 81.xx.xx.66
>> Inside-Net: 192.168.0.0/255.255.255.0
>> Pre shared key:
>> esp-3des esp-md5-hmac
>> authentication pre-share
>> encryption 3des
>> hash md5
>> group 2
>> lifetime 86400 "
>>
>
>
>> conn forti
>> type= tunnel
>> authby= secret
>> #RRT
>> left= 78.xx.xx.20
>> leftsubnet= 192.168.127.0/24
>>
>
> Does the other admin have this subnet defined for you?
>
>
>> leftnexthop= %defaultroute
>> #SAA
>> right= 81.xx.xx.66
>> rightsubnet= 192.168.0.0/255.255.255.0
>> esp= esp-md5-hmac
>>
>
> esp=3des-md5
>
>
>> ike= 3des-md5-hmac
>>
>
> ike=3des-md5
>
>
>> keyexchange= ike
>> pfs= no
>> auto= start
>> #Disable Opportunistic Encryption
>> include /etc/ipsec.d/examples/no_oe.conf
>>
>> in /etc/ipsec.d/forti.secret I've put password I received from VPN
>> admin. Can anybody help me with configuration of this connection?
>>
>
> If this does not work, you should show the logs so we can see
> the problem. Or even better, have them connect to you and show
> the problem because then you receive their proposal and you can
> match it.
>
> Paul
>
>
>
--
Kind regards
Marcin Kowalczyk
System Administrator
Call Center Inter Galactica
ul. Jana Kilinskiego 30, 50-264 Wroclaw, Poland
phone: +48 71 722 72 91 e-mail: marcin.kowalczyk at ccig.pl
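As an added illustration (my own code, not part of this thread or of Openswan), here is a small Python checker that expands an Openswan ike= value into the Phase 1 proposals pluto will offer, compares them with the parameters the far-end admin listed, and counts NO_PROPOSAL_CHOSEN notifications per peer in pluto log lines. The default DH group list, the group-number mapping and the sample spec/log inputs are my assumptions and constructed data modelled on this mail.

```python
import re

# DH groups Openswan offers when ike= names none (cf. the "IKE algorithms
# wanted ... MODP1536(5), ... MODP1024(2)" status lines in the mail; assumed).
DEFAULT_IKE_GROUPS = ("modp1536", "modp1024")
# Cisco/FortiGate-style "group N" numbers mapped to Openswan modp names.
DH_GROUP_NAMES = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048"}

# Constructed copy of the parameters the far-end admin sent in the first mail.
PEER_SPEC = "authentication pre-share\nencryption 3des\nhash md5\ngroup 2\nlifetime 86400"
# Constructed pluto log lines, modelled on the ones posted above.
LOG_LINES = [
    'Sep 29 12:57:38 vpn ipsec__plutorun: 104 "forti" #1: STATE_MAIN_I1: initiate',
    "Sep 29 12:57:38 vpn pluto[25143]: packet from 81.xx.xx.66:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN",
    "Sep 29 12:57:47 vpn pluto[25143]: packet from 81.xx.xx.66:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN",
]

def expand_ike(ike_value):
    """Expand an Openswan ike= value into (enc, hash, dh_group) proposals."""
    proposals = []
    for item in ike_value.split(","):
        parts = item.strip().lower().split("-")
        groups = parts[2:] or list(DEFAULT_IKE_GROUPS)
        proposals.extend((parts[0], parts[1], g) for g in groups)
    return proposals

def parse_peer_spec(text):
    """Pull the Phase 1 enc/hash/group triple out of the admin's notes."""
    enc = re.search(r"encryption:?\s*(\w+)", text, re.I).group(1).lower()
    hsh = re.search(r"hash:?\s*(\w+)", text, re.I).group(1).lower()
    grp = re.search(r"group:?\s*(\d+)", text, re.I)
    return enc, hsh, (DH_GROUP_NAMES[grp.group(1)] if grp else None)

def phase1_matches(ike_value, peer_text):
    """True if the peer's required Phase 1 triple is among what we offer."""
    enc, hsh, group = parse_peer_spec(peer_text)
    offered = expand_ike(ike_value)
    if group is None:  # admin gave no DH group: only enc/hash can be checked
        return any(p[:2] == (enc, hsh) for p in offered)
    return (enc, hsh, group) in offered

def no_proposal_chosen(log_lines):
    """Count NO_PROPOSAL_CHOSEN notifications per peer address in pluto logs."""
    counts = {}
    for line in log_lines:
        m = re.search(r"packet from ([\w.]+):\d+: .*type NO_PROPOSAL_CHOSEN", line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts
```

A non-empty result from no_proposal_chosen() means the peer rejected every Phase 1 proposal it was sent, so the offered list from expand_ike() is the first thing to compare against the peer's settings.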