[Openswan Users] Openswan + Fortigate shared key problem

Marcin J. Kowalczyk marcin.kowalczyk at ccig.pl
Tue Sep 30 07:11:11 EDT 2008


Hi Paul,

 I've asked the VPN admin to check some settings, and he was blocking my IP. 
But I still cannot set up the session; now I have the following error:

Sep 30 13:07:20 vpn ipsec_setup: Starting Openswan IPsec 2.4.12...
Sep 30 13:07:21 vpn pluto[6236]: Changing to directory 
'/etc/ipsec.d/cacerts'
Sep 30 13:07:21 vpn pluto[6236]: Changing to directory 
'/etc/ipsec.d/aacerts'
Sep 30 13:07:21 vpn pluto[6236]: Changing to directory 
'/etc/ipsec.d/ocspcerts'
Sep 30 13:07:21 vpn pluto[6236]: Changing to directory '/etc/ipsec.d/crls'
Sep 30 13:07:21 vpn pluto[6236]:   Warning: empty directory
Sep 30 13:07:21 vpn pluto[6236]: added connection description "niemcy"
Sep 30 13:07:21 vpn pluto[6236]: listening for IKE messages
Sep 30 13:07:21 vpn pluto[6236]: adding interface tun0/tun0 10.4.0.1:500
Sep 30 13:07:21 vpn pluto[6236]: adding interface tun0/tun0 10.4.0.1:4500
Sep 30 13:07:21 vpn pluto[6236]: adding interface eth0:3/eth0:3 10.5.0.0:500
Sep 30 13:07:21 vpn pluto[6236]: adding interface eth0:3/eth0:3 
10.5.0.0:4500
Sep 30 13:07:21 vpn pluto[6236]: adding interface eth0:1/eth0:1 
192.168.0.15:500
Sep 30 13:07:21 vpn pluto[6236]: adding interface eth0:1/eth0:1 
192.168.0.15:4500
Sep 30 13:07:21 vpn pluto[6236]: adding interface eth0:2/eth0:2 
192.168.127.15:500
Sep 30 13:07:21 vpn pluto[6236]: adding interface eth0:2/eth0:2 
192.168.127.15:4500
Sep 30 13:07:21 vpn pluto[6236]: adding interface eth0/eth0 78.xx.xx.20:500
Sep 30 13:07:21 vpn pluto[6236]: adding interface eth0/eth0 78.xx.xx.20:4500
Sep 30 13:07:21 vpn pluto[6236]: adding interface lo/lo 127.0.0.1:500
Sep 30 13:07:21 vpn pluto[6236]: adding interface lo/lo 127.0.0.1:4500
Sep 30 13:07:21 vpn pluto[6236]: adding interface lo/lo ::1:500
Sep 30 13:07:21 vpn pluto[6236]: loading secrets from "/etc/ipsec.secrets"
Sep 30 13:07:21 vpn pluto[6236]:   loaded private key file 
'/etc/ipsec.d/private/vpnKey.pem' (1675 bytes)
Sep 30 13:07:21 vpn pluto[6236]: loading secrets from 
"/etc/ipsec.d/niemcy.secrets"
Sep 30 13:07:21 vpn pluto[6236]: "niemcy" #1: initiating Main Mode
Sep 30 13:07:21 vpn ipsec__plutorun: 104 "niemcy" #1: STATE_MAIN_I1: 
initiate
Sep 30 13:07:21 vpn ipsec__plutorun: ...could not start conn "niemcy"
Sep 30 13:07:21 vpn pluto[6236]: "niemcy" #1: received Vendor ID payload 
[Dead Peer Detection]
Sep 30 13:07:21 vpn pluto[6236]: "niemcy" #1: ignoring unknown Vendor ID 
payload [afca071368a1f1c96b8696fc77570100]
Sep 30 13:07:21 vpn pluto[6236]: "niemcy" #1: ignoring unknown Vendor ID 
payload [5062b335bc20db32c0d54465a2f70100]
Sep 30 13:07:21 vpn pluto[6236]: "niemcy" #1: ignoring unknown Vendor ID 
payload [1d6e178f6c2c0be284985465450fe9d4]
Sep 30 13:07:21 vpn pluto[6236]: "niemcy" #1: received Vendor ID payload 
[RFC 3947] method set to=109
Sep 30 13:07:21 vpn pluto[6236]: "niemcy" #1: enabling possible 
NAT-traversal with method RFC 3947 (NAT-Traversal)
Sep 30 13:07:21 vpn pluto[6236]: "niemcy" #1: transition from state 
STATE_MAIN_I1 to state STATE_MAIN_I2
Sep 30 13:07:21 vpn pluto[6236]: "niemcy" #1: STATE_MAIN_I2: sent MI2, 
expecting MR2
Sep 30 13:07:21 vpn pluto[6236]: "niemcy" #1: I did not send a 
certificate because I do not have one.
Sep 30 13:07:21 vpn pluto[6236]: "niemcy" #1: NAT-Traversal: Result 
using RFC 3947 (NAT-Traversal): no NAT detected
Sep 30 13:07:21 vpn pluto[6236]: "niemcy" #1: transition from state 
STATE_MAIN_I2 to state STATE_MAIN_I3
Sep 30 13:07:21 vpn pluto[6236]: "niemcy" #1: STATE_MAIN_I3: sent MI3, 
expecting MR3
Sep 30 13:07:21 vpn pluto[6236]: "niemcy" #1: Main mode peer ID is 
ID_IPV4_ADDR: '81.xx.xx.66'
Sep 30 13:07:21 vpn pluto[6236]: "niemcy" #1: transition from state 
STATE_MAIN_I3 to state STATE_MAIN_I4
Sep 30 13:07:21 vpn pluto[6236]: "niemcy" #1: STATE_MAIN_I4: ISAKMP SA 
established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 
prf=oakley_md5 group=modp1024}
Sep 30 13:07:21 vpn pluto[6236]: "niemcy" #2: initiating Quick Mode 
PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
Sep 30 13:07:21 vpn pluto[6236]: "niemcy" #1: ignoring informational 
payload, type NO_PROPOSAL_CHOSEN
Sep 30 13:07:21 vpn pluto[6236]: "niemcy" #1: received and ignored 
informational message
Sep 30 13:07:27 vpn pluto[6236]: packet from 81.xx.xx.66:500: received 
Vendor ID payload [Dead Peer Detection]
Sep 30 13:07:27 vpn pluto[6236]: packet from 81.xx.xx.66:500: ignoring 
unknown Vendor ID payload [afca071368a1f1c96b8696fc77570100]
Sep 30 13:07:27 vpn pluto[6236]: packet from 81.xx.xx.66:500: ignoring 
unknown Vendor ID payload [5062b335bc20db32c0d54465a2f70100]
Sep 30 13:07:27 vpn pluto[6236]: packet from 81.xx.xx.66:500: ignoring 
unknown Vendor ID payload [1d6e178f6c2c0be284985465450fe9d4]
Sep 30 13:07:27 vpn pluto[6236]: packet from 81.xx.xx.66:500: received 
Vendor ID payload [RFC 3947] method set to=109
Sep 30 13:07:27 vpn pluto[6236]: packet from 81.xx.xx.66:500: received 
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already 
using method 109
Sep 30 13:07:27 vpn pluto[6236]: packet from 81.xx.xx.66:500: received 
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Sep 30 13:07:27 vpn pluto[6236]: "niemcy" #3: responding to Main Mode
Sep 30 13:07:27 vpn pluto[6236]: "niemcy" #3: transition from state 
STATE_MAIN_R0 to state STATE_MAIN_R1
Sep 30 13:07:27 vpn pluto[6236]: "niemcy" #3: STATE_MAIN_R1: sent MR1, 
expecting MI2
Sep 30 13:07:27 vpn pluto[6236]: "niemcy" #3: NAT-Traversal: Result 
using RFC 3947 (NAT-Traversal): no NAT detected
Sep 30 13:07:27 vpn pluto[6236]: "niemcy" #3: transition from state 
STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 30 13:07:27 vpn pluto[6236]: "niemcy" #3: STATE_MAIN_R2: sent MR2, 
expecting MI3
Sep 30 13:07:27 vpn pluto[6236]: "niemcy" #3: ignoring informational 
payload, type IPSEC_INITIAL_CONTACT
Sep 30 13:07:27 vpn pluto[6236]: "niemcy" #3: Main mode peer ID is 
ID_IPV4_ADDR: '81.xx.xx.66'
Sep 30 13:07:27 vpn pluto[6236]: "niemcy" #3: I did not send a 
certificate because I do not have one.
Sep 30 13:07:27 vpn pluto[6236]: "niemcy" #3: transition from state 
STATE_MAIN_R2 to state STATE_MAIN_R3
Sep 30 13:07:27 vpn pluto[6236]: "niemcy" #3: STATE_MAIN_R3: sent MR3, 
ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY 
cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Sep 30 13:08:31 vpn pluto[6236]: "niemcy" #2: max number of 
retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to 
our first Quick Mode message: perhaps peer likes no proposal
Sep 30 13:08:31 vpn pluto[6236]: "niemcy" #2: starting keying attempt 2 
of an unlimited number
Sep 30 13:08:31 vpn pluto[6236]: "niemcy" #4: initiating Quick Mode 
PSK+ENCRYPT+TUNNEL+UP to replace #2 {using isakmp#3}
Sep 30 13:08:31 vpn pluto[6236]: "niemcy" #3: next payload type of 
ISAKMP Hash Payload has an unknown value: 196
Sep 30 13:08:31 vpn pluto[6236]: "niemcy" #3: malformed payload in packet
Sep 30 13:08:31 vpn pluto[6236]: | payload malformed after IV
Sep 30 13:08:31 vpn pluto[6236]: |   fd 96 3b 1d  3a 21 53 11
Sep 30 13:08:31 vpn pluto[6236]: "niemcy" #3: sending notification 
PAYLOAD_MALFORMED to 81.xx.xx.66:500

vpn:~#  ipsec auto --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 78.xx.xx.20
000 interface eth0/eth0 78.xx.xx.20
000 interface eth0:2/eth0:2 192.168.127.15
000 interface eth0:2/eth0:2 192.168.127.15
000 interface eth0:1/eth0:1 192.168.0.15
000 interface eth0:1/eth0:1 192.168.0.15
000 interface eth0:3/eth0:3 10.5.0.0
000 interface eth0:3/eth0:3 10.5.0.0
000 interface tun0/tun0 10.4.0.1
000 interface tun0/tun0 10.4.0.1
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, 
keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, 
keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, 
keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, 
keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, 
keysizemax=256
000 algorithm ESP encrypt: id=13, name=(null), ivlen=8, keysizemin=128, 
keysizemax=256
000 algorithm ESP encrypt: id=22, name=(null), ivlen=8, keysizemin=128, 
keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, 
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, 
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, 
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, 
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, 
keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, 
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, 
keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, 
keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,2,36} 
trans={0,2,540} attrs={0,2,360}
000
000 "niemcy": 
10.5.0.0/24===78.xx.xx.20---78.xx.xx.1...81.xx.xx.66===192.168.2.0/24; 
prospective erouted; eroute owner: #0
000 "forti":     srcip=unset; dstip=unset; srcup=ipsec _updown; 
dstup=ipsec _updown;
000 "forti":   ike_life: 86400s; ipsec_life: 86400s; rekey_margin: 540s; 
rekey_fuzz: 100%; keyingtries: 0
000 "forti":   policy: PSK+ENCRYPT+TUNNEL+UP; prio: 24,24; interface: 
eth0; encap: esp;
000 "forti":   newest ISAKMP SA: #3; newest IPsec SA: #0;
000 "forti":   IKE algorithms wanted: 
3DES_CBC(5)_000-MD5(1)-MODP1536(5), 3DES_CBC(5)_000-MD5(1)-MODP1024(2); 
flags=strict
000 "forti":   IKE algorithms found: 
3DES_CBC(5)_192-MD5(1)_128-MODP1536(5), 
3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
000 "forti":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
000 "forti":   ESP algorithms wanted: 3DES(3)_000-MD5(1); flags=strict
000 "forti":   ESP algorithms loaded: 3DES(3)_000-MD5(1); flags=strict
000
000 #3: "forti":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); 
EVENT_SA_REPLACE in 86089s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000 #2: "forti":500 STATE_QUICK_I1 (sent QI1, expecting QR1); 
EVENT_RETRANSMIT in 23s; lastdpd=-1s(seq in:0 out:0)
000 #1: "forti":500 STATE_MAIN_I4 (ISAKMP SA established); 
EVENT_SA_REPLACE in 85749s; lastdpd=1s(seq in:0 out:0)
000
vpn:~#


Paul Wouters writes:
> On Mon, 29 Sep 2008, Marcin J. Kowalczyk wrote:
>
>>
>> Hi,
>>  I've tried to set it up like you said, but in the log I can see:
>>
>>
>> Sep 29 12:57:38 vpn ipsec__plutorun: 104 "forti" #1: STATE_MAIN_I1: 
>> initiate
>> Sep 29 12:57:38 vpn ipsec__plutorun: ...could not start conn "forti"
>> Sep 29 12:57:38 vpn pluto[25143]: packet from 81.xx.xx.66:500: 
>> ignoring informational payload, type
>> NO_PROPOSAL_CHOSEN
>> Sep 29 12:57:38 vpn pluto[25143]: packet from 81.xx.xx.66:500: 
>> received and ignored informational
>> message
>> Sep 29 12:57:47 vpn pluto[25143]: packet from 81.xx.xx.66:500: 
>> ignoring informational payload, type
>> NO_PROPOSAL_CHOSEN
>> Sep 29 12:57:47 vpn pluto[25143]: packet from 81.xx.xx.66:500: 
>> received and ignored informational
>> message
>> Sep 29 12:58:08 vpn pluto[25143]: packet from 81.xx.xx.66:500: 
>> ignoring informational payload, type
>> NO_PROPOSAL_CHOSEN
>> Sep 29 12:58:08 vpn pluto[25143]: packet from 81.xx.xx.66:500: 
>> received and ignored informational
>> message
>
> So the configuration does not match the remote. Looks like the 
> information is incorrect
> then. You can change your end to auto=add and let them initiate to see 
> what they propose,
> and then match it.
>
> Paul
>
>> vpn:~# ipsec auto --status
>> 000 interface lo/lo ::1
>> 000 interface lo/lo 127.0.0.1
>> 000 interface lo/lo 127.0.0.1
>> 000 interface eth0/eth0 78.xx.xx.20
>> 000 interface eth0/eth0 78.xx.xx.20
>> 000 interface eth0:2/eth0:2 192.168.127.15
>> 000 interface eth0:2/eth0:2 192.168.127.15
>> 000 interface eth0:1/eth0:1 192.168.0.15
>> 000 interface eth0:1/eth0:1 192.168.0.15
>> 000 interface tun0/tun0 10.4.0.1
>> 000 interface tun0/tun0 10.4.0.1
>> 000 %myid = (none)
>> 000 debug none
>> 000
>> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, 
>> keysizemin=64, keysizemax=64
>> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, 
>> keysizemin=192, keysizemax=192
>> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, 
>> keysizemin=40, keysizemax=448
>> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, 
>> keysizemin=0, keysizemax=0
>> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, 
>> keysizemin=128, keysizemax=256
>> 000 algorithm ESP encrypt: id=13, name=(null), ivlen=8, 
>> keysizemin=128, keysizemax=256
>> 000 algorithm ESP encrypt: id=22, name=(null), ivlen=8, 
>> keysizemin=128, keysizemax=256
>> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, 
>> keysizemin=128, keysizemax=256
>> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, 
>> keysizemin=128, keysizemax=256
>> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, 
>> keysizemin=128, keysizemax=128
>> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, 
>> keysizemin=160, keysizemax=160
>> 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, 
>> keysizemin=256, keysizemax=256
>> 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, 
>> keysizemin=128, keysizemax=128
>> 000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, 
>> keysizemax=0
>> 000
>> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, 
>> keydeflen=192
>> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, 
>> keydeflen=128
>> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
>> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
>> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
>> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
>> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
>> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
>> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
>> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
>> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
>> 000
>> 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,1,36} 
>> trans={0,1,540} attrs={0,1,360}
>> 000
>> 000 "forti": 78.xx.xx.20---78.xx.xx.1...81.xx.xx.66===192.168.2.0/24; 
>> prospective erouted; eroute
>> owner: #0
>> 000 "forti":     srcip=unset; dstip=unset; srcup=ipsec _updown; 
>> dstup=ipsec _updown;
>> 000 "forti":   ike_life: 86400s; ipsec_life: 86400s; rekey_margin: 
>> 540s; rekey_fuzz: 100%;
>> keyingtries: 0
>> 000 "forti":   policy: PSK+ENCRYPT+TUNNEL+UP; prio: 32,24; interface: 
>> eth0; encap: esp;
>> 000 "forti":   newest ISAKMP SA: #0; newest IPsec SA: #0;
>> 000 "forti":   IKE algorithms wanted: 
>> 3DES_CBC(5)_000-MD5(1)-MODP1536(5),
>> 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=strict
>> 000 "forti":   IKE algorithms found: 
>> 3DES_CBC(5)_192-MD5(1)_128-MODP1536(5),
>> 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
>> 000 "forti":   ESP algorithms wanted: 3DES(3)_000-MD5(1); flags=strict
>> 000 "forti":   ESP algorithms loaded: 3DES(3)_000-MD5(1); flags=strict
>> 000
>> 000 #1: "forti":500 STATE_MAIN_I1 (sent MI1, expecting MR1); 
>> EVENT_RETRANSMIT in 11s; nodpd
>> 000 #1: pending Phase 2 for "forti" replacing #0
>> 000
>> vpn:~#
>>
>> configuration I received from VPN admin
>>
>> Our External IP:  81.xx.xx.66
>> Our internal net     : 192.168.2.0/255.255.255.0
>> authentication pre-share
>> Pre shared key: keyXXXXXXXX
>> Encryption: 3des
>> Hash: md5
>> Lifetime:86400
>>
>> modified: forti.conf
>>
>> conn forti
>>         type=           tunnel
>>         authby=         secret
>>         #RRT
>>         left=           78.xx.xx.20 (my external IP)
>>         leftnexthop=    %defaultroute
>>         #SAA
>>         right=          81.xx.xx.66
>>         rightsubnet= 192.168.2.0/24
>>         esp=3des-md5
>>         ike=3des-md5
>>         keyexchange=    ike
>>         ikelifetime=86400
>>         keylife=86400
>>         pfs=            no
>>         auto=           start
>>
>> #Disable Opportunistic Encryption
>> include /etc/ipsec.d/examples/no_oe.conf
>>
>> Felipe Rasputin suggested using:
>>      esp=3des-md5
>>      ike=3des-md5-modp1024
>> but also did not work.
>>
>> Do you have any idea how to configure this ipsec-to-forti tunnel?
>>
>>
>> Paul Wouters writes:
>>
>>  On Sun, 28 Sep 2008, Marcin J. Kowalczyk wrote:
>>
>>
>>
>>  I'm trying to set up a connection between Openswan 2.4.12 and a Fortigate 
>> VPN. The only information I received from the person who administers the 
>> Forti is:
>>
>> "Remote Peer:  81.xx.xx.66
>> Inside-Net: 192.168.0.0/255.255.255.0
>> Pre shared key:
>> esp-3des esp-md5-hmac
>> authentication pre-share
>> encryption 3des
>> hash md5
>> group 2
>> lifetime 86400 "
>>
>>
>>  conn forti
>>         type=           tunnel
>>         authby=         secret
>>         #RRT
>>         left=           78.xx.xx.20
>>         leftsubnet=     192.168.127.0/24
>>
>>
>>  Does the other admin have this subnet defined for you?
>>
>>
>>
>>  leftnexthop=    %defaultroute
>>         #SAA
>>         right=          81.xx.xx.66
>>         rightsubnet=    192.168.0.0/255.255.255.0
>>         esp=            esp-md5-hmac
>>
>>
>>  esp=3des-md5
>>
>>
>>
>>  ike=            3des-md5-hmac
>>
>>
>>  ike=3des-md5
>>
>>
>>
>>  keyexchange=    ike
>>         pfs=            no
>>         auto=           start
>> #Disable Opportunistic Encryption
>> include /etc/ipsec.d/examples/no_oe.conf
>>
>> In /etc/ipsec.d/forti.secret I've put the password I received from the VPN 
>> admin. Can anybody help me with the configuration of this connection?
>>
>>
>>  If this does not work, you should show the logs so we can see
>> the problem. Or even better, have them connect to you and show
>> the problem because then you receive their proposal and you can
>> match it.
>>
>> Paul
>>
>>
>>
>>
>>
>>
>>  -- Kind regards
>> Marcin Kowalczyk
>>
>> System Administrator
>>
>> Call Center Inter Galactica
>> ul. Jana Kilinskiego 30, 50-264 Wroclaw, Poland
>> phone: +48 71 722 72 91 e-mail: marcin.kowalczyk at ccig.pl
>>
>
>


-- 
Kind regards
Marcin Kowalczyk

System Administrator

Call Center Inter Galactica
ul. Jana Kilinskiego 30, 50-264 Wroclaw, Poland
phone: +48 71 722 72 91 e-mail: marcin.kowalczyk at ccig.pl
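As an added example (not code from the thread or from Openswan): a small Python parser that reads pluto lines in the shape of the ones posted above, attributes them to a connection and its SA numbers, and reports whether the negotiation stalled in Main Mode (IKE proposal, i.e. the ike= line) or, as in this log, only after the ISAKMP SA was established, which points at the Quick Mode side (ESP transform, PFS or subnet selectors) rather than at the shared key. The log sample is constructed from the posted lines, and the regexes, class and function names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the pluto lines quoted in the thread
# (addresses masked as in the post); not a capture from the poster's box.
SAMPLE_LOG = """\
Sep 30 13:07:21 vpn pluto[6236]: "niemcy" #1: initiating Main Mode
Sep 30 13:07:21 vpn pluto[6236]: "niemcy" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Sep 30 13:07:21 vpn pluto[6236]: "niemcy" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
Sep 30 13:07:21 vpn pluto[6236]: "niemcy" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Sep 30 13:08:31 vpn pluto[6236]: "niemcy" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""

# pluto prefixes per-connection messages with "<conn>" #<sa-number>:
CONN_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
PARAMS_RE = re.compile(r'ISAKMP SA established \{(?P<params>[^}]*)\}')


@dataclass
class ConnState:
    phase1: dict = field(default_factory=dict)  # params of the established ISAKMP SA
    quick_initiated: bool = False
    no_proposal: int = 0      # NO_PROPOSAL_CHOSEN notifications seen
    quick_timeouts: int = 0   # Quick Mode retransmit limits hit


def parse_pluto_log(text):
    """Return {conn_name: ConnState} built from pluto log lines."""
    conns = {}
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        st = conns.setdefault(m["conn"], ConnState())
        msg = m["msg"]
        p = PARAMS_RE.search(msg)
        if p:  # e.g. auth=OAKLEY_PRESHARED_KEY cipher=... prf=... group=...
            st.phase1 = dict(kv.split("=", 1) for kv in p["params"].split())
        elif "initiating Quick Mode" in msg:
            st.quick_initiated = True
        elif "NO_PROPOSAL_CHOSEN" in msg:
            st.no_proposal += 1
        elif "retransmissions" in msg and "STATE_QUICK_I1" in msg:
            st.quick_timeouts += 1
    return conns


def diagnose(st):
    """Map the observed sequence to the phase that actually failed."""
    if not st.phase1:
        # No ISAKMP SA: a rejection here means the ike= proposal (cipher/hash/group)
        return "phase1-mismatch" if st.no_proposal else "phase1-incomplete"
    if st.no_proposal or st.quick_timeouts:
        # IKE SA is up, so the PSK was accepted; ESP transform, PFS or selectors differ
        return "phase2-mismatch"
    return "phase2-pending" if st.quick_initiated else "phase1-only"


if __name__ == "__main__":
    for name, st in parse_pluto_log(SAMPLE_LOG).items():
        print(name, diagnose(st), st.phase1)
```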