[Openswan Users] Openswan + Fortigate shared key problem

Paul Wouters paul at xelerance.com
Mon Sep 29 22:37:01 EDT 2008


On Mon, 29 Sep 2008, Marcin J. Kowalczyk wrote:

> 
> Hi,
> I've tried to set it up like you said, but in the log I can see:
> 
> 
> Sep 29 12:57:38 vpn ipsec__plutorun: 104 "forti" #1: STATE_MAIN_I1: initiate
> Sep 29 12:57:38 vpn ipsec__plutorun: ...could not start conn "forti"
> Sep 29 12:57:38 vpn pluto[25143]: packet from 81.xx.xx.66:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
> Sep 29 12:57:38 vpn pluto[25143]: packet from 81.xx.xx.66:500: received and ignored informational message
> Sep 29 12:57:47 vpn pluto[25143]: packet from 81.xx.xx.66:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
> Sep 29 12:57:47 vpn pluto[25143]: packet from 81.xx.xx.66:500: received and ignored informational message
> Sep 29 12:58:08 vpn pluto[25143]: packet from 81.xx.xx.66:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
> Sep 29 12:58:08 vpn pluto[25143]: packet from 81.xx.xx.66:500: received and ignored informational message

So the configuration does not match the remote. Looks like the information is incorrect
then. You can change your end to auto=add and let them initiate to see what they propose,
and then match it.

Paul

> vpn:~# ipsec auto --status
> 000 interface lo/lo ::1
> 000 interface lo/lo 127.0.0.1
> 000 interface lo/lo 127.0.0.1
> 000 interface eth0/eth0 78.xx.xx.20
> 000 interface eth0/eth0 78.xx.xx.20
> 000 interface eth0:2/eth0:2 192.168.127.15
> 000 interface eth0:2/eth0:2 192.168.127.15
> 000 interface eth0:1/eth0:1 192.168.0.15
> 000 interface eth0:1/eth0:1 192.168.0.15
> 000 interface tun0/tun0 10.4.0.1
> 000 interface tun0/tun0 10.4.0.1
> 000 %myid = (none)
> 000 debug none
> 000
> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=13, name=(null), ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=22, name=(null), ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
> 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
> 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
> 000
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> 000
> 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,1,36} trans={0,1,540} attrs={0,1,360}
> 000
> 000 "niemcy": 78.xx.xx.20---78.xx.xx.1...81.xx.xx.66===192.168.2.0/24; prospective erouted; eroute owner: #0
> 000 "niemcy":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
> 000 "niemcy":   ike_life: 86400s; ipsec_life: 86400s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "niemcy":   policy: PSK+ENCRYPT+TUNNEL+UP; prio: 32,24; interface: eth0; encap: esp;
> 000 "niemcy":   newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000 "niemcy":   IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)-MODP1536(5), 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=strict
> 000 "niemcy":   IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-MODP1536(5), 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
> 000 "niemcy":   ESP algorithms wanted: 3DES(3)_000-MD5(1); flags=strict
> 000 "niemcy":   ESP algorithms loaded: 3DES(3)_000-MD5(1); flags=strict
> 000
> 000 #1: "forti":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 11s; nodpd
> 000 #1: pending Phase 2 for "forti" replacing #0
> 000
> vpn:~#
> 
> Configuration I received from the VPN admin:
> 
> Our External IP:  81.xx.xx.66
> Our internal net     : 192.168.2.0/255.255.255.0
> authentication pre-share
> Pre shared key: keyXXXXXXXX
> Encryption: 3des
> Hash: md5
> Lifetime:86400
> 
> modified: forti.conf
> 
> conn niemcy
>         type=           tunnel
>         authby=         secret
>         #RRT
>         left=           78.xx.xx.20     # my external IP
>         leftnexthop=    %defaultroute
>         #SAA
>         right=          81.xx.xx.66
>         rightsubnet=    192.168.2.0/24
>         esp=            3des-md5
>         ike=            3des-md5
>         keyexchange=    ike
>         ikelifetime=    86400
>         keylife=        86400
>         pfs=            no
>         auto=           start
> 
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
> 
> Felipe Rasputin suggested using:
>      esp=3des-md5
>      ike=3des-md5-modp1024
> but that also did not work.
> 
> Do you have any idea how to configure this ipsec-to-forti tunnel?
> 
> 
> Paul Wouters writes:
> > On Sun, 28 Sep 2008, Marcin J. Kowalczyk wrote:
> >
> > > I'm trying to set up a connection between Openswan 2.4.12 and a Fortigate
> > > VPN. The only information I received from the person who administers the Forti is:
> > >
> > > "Remote Peer:  81.xx.xx.66
> > > Inside-Net: 192.168.0.0/255.255.255.0
> > > Pre shared key:
> > > esp-3des esp-md5-hmac
> > > authentication pre-share
> > > encryption 3des
> > > hash md5
> > > group 2
> > > lifetime 86400 "
> > >
> > > conn forti
> > >         type=           tunnel
> > >         authby=         secret
> > >         #RRT
> > >         left=           78.xx.xx.20
> > >         leftsubnet=     192.168.127.0/24
> >
> > Does the other admin have this subnet defined for you?
> >
> > >         leftnexthop=    %defaultroute
> > >         #SAA
> > >         right=          81.xx.xx.66
> > >         rightsubnet=    192.168.0.0/255.255.255.0
> > >         esp=            esp-md5-hmac
> >
> > esp=3des-md5
> >
> > >         ike=            3des-md5-hmac
> >
> > ike=3des-md5
> >
> > >         keyexchange=    ike
> > >         pfs=            no
> > >         auto=           start
> > > #Disable Opportunistic Encryption
> > > include /etc/ipsec.d/examples/no_oe.conf
> > >
> > > In /etc/ipsec.d/forti.secret I've put the password I received from the VPN
> > > admin. Can anybody help me with the configuration of this connection?
> >
> > If this does not work, you should show the logs so we can see
> > the problem. Or even better, have them connect to you and show
> > the problem because then you receive their proposal and you can
> > match it.
> >
> > Paul
> 
> -- 
> Best regards
> Marcin Kowalczyk
> 
> System Administrator
> 
> Call Center Inter Galactica
> ul. Jana Kilinskiego 30, 50-264 Wroclaw, Poland
> phone: +48 71 722 72 91 e-mail: marcin.kowalczyk at ccig.pl 
> 
>
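Paul's advice above is to let the remote side initiate and then match whatever it proposes. As an added example (not part of this thread and not Openswan code), the following Python script shows the checking step a responder would do on the local side first: it parses the `IKE algorithms wanted` / `ESP algorithms wanted` lines of `ipsec auto --status`, parses the parameter sheet the remote admin handed over, reports whether any local proposal covers the sheet's stated encryption, hash and DH group, and counts NO_PROPOSAL_CHOSEN notifications per peer in pluto log lines. The status, log and parameter-sheet text are constructed samples modelled on the thread (the peer address 203.0.113.66 and the pluto pid are placeholders), and the name mappings from the sheet's short names to Openswan's printed names are this example's assumption. If the script reports a match on everything the sheet states and NO_PROPOSAL_CHOSEN still arrives, the mismatch lies in a parameter the sheet does not mention, which is exactly why capturing the remote's real proposal is the next step.

```python
import re
from collections import Counter

# Constructed sample `ipsec auto --status` lines (modelled on the thread's output).
STATUS_SAMPLE = """\
000 "niemcy":   ike_life: 86400s; ipsec_life: 86400s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "niemcy":   IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)-MODP1536(5), 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=strict
000 "niemcy":   ESP algorithms wanted: 3DES(3)_000-MD5(1); flags=strict
"""

# Constructed sample pluto log lines; 203.0.113.66 is a documentation placeholder peer.
LOG_SAMPLE = """\
Sep 29 12:57:38 vpn pluto[12345]: packet from 203.0.113.66:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Sep 29 12:57:38 vpn pluto[12345]: packet from 203.0.113.66:500: received and ignored informational message
Sep 29 12:57:47 vpn pluto[12345]: packet from 203.0.113.66:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
"""

# Constructed parameter sheet in the Cisco/Fortigate-style wording used in the thread.
REMOTE_SAMPLE = """\
esp-3des esp-md5-hmac
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
"""

# Assumed mapping from the sheet's short names to the names Openswan prints for
# IKE (first) and ESP (second). Key length is not compared in this example.
ENC_NAMES = {'3des': ('3DES_CBC', '3DES'), 'aes': ('AES_CBC', 'AES')}
HASH_NAMES = {'md5': 'MD5', 'sha': 'SHA1', 'sha1': 'SHA1'}

STATUS_RE = re.compile(r'^000 "([^"]+)":\s+(IKE|ESP) algorithms wanted: (.*?);')
# 3DES_CBC(5)_000-MD5(1)-MODP1536(5)  ->  enc(id)_keylen-hash(id)-MODPbits(group id)
IKE_RE = re.compile(r'([A-Z0-9_]+)\((\d+)\)_\d+-([A-Z0-9_]+)\((\d+)\)-MODP(\d+)\((\d+)\)')
# 3DES(3)_000-MD5(1)  ->  enc(id)_keylen-auth(id)
ESP_RE = re.compile(r'([A-Z0-9_]+)\((\d+)\)_\d+-([A-Z0-9_]+)\((\d+)\)')
NOPROP_RE = re.compile(r'packet from ([\d.]+):(\d+): ignoring informational payload, type NO_PROPOSAL_CHOSEN')


def parse_status(text):
    """Return {conn: {'ike': [(enc, hash, dh_group_id)], 'esp': [(enc, auth)]}}."""
    conns = {}
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if not m:
            continue
        conn, kind, props = m.groups()
        entry = conns.setdefault(conn, {'ike': [], 'esp': []})
        if kind == 'IKE':
            entry['ike'] = [(enc, hsh, int(grp)) for enc, _, hsh, _, _, grp in IKE_RE.findall(props)]
        else:
            entry['esp'] = [(enc, auth) for enc, _, auth, _ in ESP_RE.findall(props)]
    return conns


def parse_remote_spec(text):
    """Parse a Cisco/Fortigate-style parameter sheet into a dict of lower-cased values."""
    spec = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        key, val = parts[0].lower(), parts[1].lower()
        if key.startswith('esp-'):                     # transform line: "esp-3des esp-md5-hmac"
            spec['esp'] = (key[4:], val[4:].split('-')[0])
        else:
            spec[key] = int(val) if val.isdigit() else val
    return spec


def find_ike_match(local_ike, spec):
    """Return the local IKE proposal matching the sheet's encryption/hash/group, or None."""
    want = (ENC_NAMES[spec['encryption']][0], HASH_NAMES[spec['hash']], spec['group'])
    return want if want in local_ike else None


def find_esp_match(local_esp, spec):
    """Return the local ESP transform matching the sheet (transform line if given), or None."""
    enc, auth = spec.get('esp', (spec['encryption'], spec['hash']))
    want = (ENC_NAMES[enc][1], HASH_NAMES[auth])
    return want if want in local_esp else None


def count_no_proposal(text):
    """Count NO_PROPOSAL_CHOSEN notifications per peer address:port in pluto log lines."""
    return Counter(f'{ip}:{port}' for ip, port in NOPROP_RE.findall(text))


def diagnose(status_text, log_text, remote_text, conn):
    """Combine the three inputs into one report for the named conn."""
    spec = parse_remote_spec(remote_text)
    local = parse_status(status_text)[conn]
    return {
        'ike_match': find_ike_match(local['ike'], spec),
        'esp_match': find_esp_match(local['esp'], spec),
        'no_proposal_chosen': dict(count_no_proposal(log_text)),
    }


if __name__ == '__main__':
    for key, val in diagnose(STATUS_SAMPLE, LOG_SAMPLE, REMOTE_SAMPLE, 'niemcy').items():
        print(f'{key}: {val}')
```

On the constructed sample the report shows both an IKE and an ESP match yet two NO_PROPOSAL_CHOSEN notifications from the peer, so the sheet is not the whole story; the same script run on the real `ipsec auto --status` and log text tells you which of the two situations you are in before you start changing `ike=` and `esp=` lines.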

