[Openswan Users] Openswan + Fortigate shared key problem
Marcin J. Kowalczyk
marcin.kowalczyk at ccig.pl
Tue Sep 30 07:11:11 EDT 2008
Hi Paul,
I've asked the VPN admin to check some settings, and he was blocking my IP.
But I still cannot set up a session; now I have the following error:
Sep 30 13:07:20 vpn ipsec_setup: Starting Openswan IPsec 2.4.12...
Sep 30 13:07:21 vpn pluto[6236]: Changing to directory
'/etc/ipsec.d/cacerts'
Sep 30 13:07:21 vpn pluto[6236]: Changing to directory
'/etc/ipsec.d/aacerts'
Sep 30 13:07:21 vpn pluto[6236]: Changing to directory
'/etc/ipsec.d/ocspcerts'
Sep 30 13:07:21 vpn pluto[6236]: Changing to directory '/etc/ipsec.d/crls'
Sep 30 13:07:21 vpn pluto[6236]: Warning: empty directory
Sep 30 13:07:21 vpn pluto[6236]: added connection description "niemcy"
Sep 30 13:07:21 vpn pluto[6236]: listening for IKE messages
Sep 30 13:07:21 vpn pluto[6236]: adding interface tun0/tun0 10.4.0.1:500
Sep 30 13:07:21 vpn pluto[6236]: adding interface tun0/tun0 10.4.0.1:4500
Sep 30 13:07:21 vpn pluto[6236]: adding interface eth0:3/eth0:3 10.5.0.0:500
Sep 30 13:07:21 vpn pluto[6236]: adding interface eth0:3/eth0:3
10.5.0.0:4500
Sep 30 13:07:21 vpn pluto[6236]: adding interface eth0:1/eth0:1
192.168.0.15:500
Sep 30 13:07:21 vpn pluto[6236]: adding interface eth0:1/eth0:1
192.168.0.15:4500
Sep 30 13:07:21 vpn pluto[6236]: adding interface eth0:2/eth0:2
192.168.127.15:500
Sep 30 13:07:21 vpn pluto[6236]: adding interface eth0:2/eth0:2
192.168.127.15:4500
Sep 30 13:07:21 vpn pluto[6236]: adding interface eth0/eth0 78.xx.xx.20:500
Sep 30 13:07:21 vpn pluto[6236]: adding interface eth0/eth0 78.xx.xx.20:4500
Sep 30 13:07:21 vpn pluto[6236]: adding interface lo/lo 127.0.0.1:500
Sep 30 13:07:21 vpn pluto[6236]: adding interface lo/lo 127.0.0.1:4500
Sep 30 13:07:21 vpn pluto[6236]: adding interface lo/lo ::1:500
Sep 30 13:07:21 vpn pluto[6236]: loading secrets from "/etc/ipsec.secrets"
Sep 30 13:07:21 vpn pluto[6236]: loaded private key file
'/etc/ipsec.d/private/vpnKey.pem' (1675 bytes)
Sep 30 13:07:21 vpn pluto[6236]: loading secrets from
"/etc/ipsec.d/niemcy.secrets"
Sep 30 13:07:21 vpn pluto[6236]: "niemcy" #1: initiating Main Mode
Sep 30 13:07:21 vpn ipsec__plutorun: 104 "niemcy" #1: STATE_MAIN_I1:
initiate
Sep 30 13:07:21 vpn ipsec__plutorun: ...could not start conn "niemcy"
Sep 30 13:07:21 vpn pluto[6236]: "niemcy" #1: received Vendor ID payload
[Dead Peer Detection]
Sep 30 13:07:21 vpn pluto[6236]: "niemcy" #1: ignoring unknown Vendor ID
payload [afca071368a1f1c96b8696fc77570100]
Sep 30 13:07:21 vpn pluto[6236]: "niemcy" #1: ignoring unknown Vendor ID
payload [5062b335bc20db32c0d54465a2f70100]
Sep 30 13:07:21 vpn pluto[6236]: "niemcy" #1: ignoring unknown Vendor ID
payload [1d6e178f6c2c0be284985465450fe9d4]
Sep 30 13:07:21 vpn pluto[6236]: "niemcy" #1: received Vendor ID payload
[RFC 3947] method set to=109
Sep 30 13:07:21 vpn pluto[6236]: "niemcy" #1: enabling possible
NAT-traversal with method RFC 3947 (NAT-Traversal)
Sep 30 13:07:21 vpn pluto[6236]: "niemcy" #1: transition from state
STATE_MAIN_I1 to state STATE_MAIN_I2
Sep 30 13:07:21 vpn pluto[6236]: "niemcy" #1: STATE_MAIN_I2: sent MI2,
expecting MR2
Sep 30 13:07:21 vpn pluto[6236]: "niemcy" #1: I did not send a
certificate because I do not have one.
Sep 30 13:07:21 vpn pluto[6236]: "niemcy" #1: NAT-Traversal: Result
using RFC 3947 (NAT-Traversal): no NAT detected
Sep 30 13:07:21 vpn pluto[6236]: "niemcy" #1: transition from state
STATE_MAIN_I2 to state STATE_MAIN_I3
Sep 30 13:07:21 vpn pluto[6236]: "niemcy" #1: STATE_MAIN_I3: sent MI3,
expecting MR3
Sep 30 13:07:21 vpn pluto[6236]: "niemcy" #1: Main mode peer ID is
ID_IPV4_ADDR: '81.xx.xx.66'
Sep 30 13:07:21 vpn pluto[6236]: "niemcy" #1: transition from state
STATE_MAIN_I3 to state STATE_MAIN_I4
Sep 30 13:07:21 vpn pluto[6236]: "niemcy" #1: STATE_MAIN_I4: ISAKMP SA
established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192
prf=oakley_md5 group=modp1024}
Sep 30 13:07:21 vpn pluto[6236]: "niemcy" #2: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
Sep 30 13:07:21 vpn pluto[6236]: "niemcy" #1: ignoring informational
payload, type NO_PROPOSAL_CHOSEN
Sep 30 13:07:21 vpn pluto[6236]: "niemcy" #1: received and ignored
informational message
Sep 30 13:07:27 vpn pluto[6236]: packet from 81.xx.xx.66:500: received
Vendor ID payload [Dead Peer Detection]
Sep 30 13:07:27 vpn pluto[6236]: packet from 81.xx.xx.66:500: ignoring
unknown Vendor ID payload [afca071368a1f1c96b8696fc77570100]
Sep 30 13:07:27 vpn pluto[6236]: packet from 81.xx.xx.66:500: ignoring
unknown Vendor ID payload [5062b335bc20db32c0d54465a2f70100]
Sep 30 13:07:27 vpn pluto[6236]: packet from 81.xx.xx.66:500: ignoring
unknown Vendor ID payload [1d6e178f6c2c0be284985465450fe9d4]
Sep 30 13:07:27 vpn pluto[6236]: packet from 81.xx.xx.66:500: received
Vendor ID payload [RFC 3947] method set to=109
Sep 30 13:07:27 vpn pluto[6236]: packet from 81.xx.xx.66:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already
using method 109
Sep 30 13:07:27 vpn pluto[6236]: packet from 81.xx.xx.66:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Sep 30 13:07:27 vpn pluto[6236]: "niemcy" #3: responding to Main Mode
Sep 30 13:07:27 vpn pluto[6236]: "niemcy" #3: transition from state
STATE_MAIN_R0 to state STATE_MAIN_R1
Sep 30 13:07:27 vpn pluto[6236]: "niemcy" #3: STATE_MAIN_R1: sent MR1,
expecting MI2
Sep 30 13:07:27 vpn pluto[6236]: "niemcy" #3: NAT-Traversal: Result
using RFC 3947 (NAT-Traversal): no NAT detected
Sep 30 13:07:27 vpn pluto[6236]: "niemcy" #3: transition from state
STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 30 13:07:27 vpn pluto[6236]: "niemcy" #3: STATE_MAIN_R2: sent MR2,
expecting MI3
Sep 30 13:07:27 vpn pluto[6236]: "niemcy" #3: ignoring informational
payload, type IPSEC_INITIAL_CONTACT
Sep 30 13:07:27 vpn pluto[6236]: "niemcy" #3: Main mode peer ID is
ID_IPV4_ADDR: '81.xx.xx.66'
Sep 30 13:07:27 vpn pluto[6236]: "niemcy" #3: I did not send a
certificate because I do not have one.
Sep 30 13:07:27 vpn pluto[6236]: "niemcy" #3: transition from state
STATE_MAIN_R2 to state STATE_MAIN_R3
Sep 30 13:07:27 vpn pluto[6236]: "niemcy" #3: STATE_MAIN_R3: sent MR3,
ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Sep 30 13:08:31 vpn pluto[6236]: "niemcy" #2: max number of
retransmissions (2) reached STATE_QUICK_I1. No acceptable response to
our first Quick Mode message: perhaps peer likes no proposal
Sep 30 13:08:31 vpn pluto[6236]: "niemcy" #2: starting keying attempt 2
of an unlimited number
Sep 30 13:08:31 vpn pluto[6236]: "niemcy" #4: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+UP to replace #2 {using isakmp#3}
Sep 30 13:08:31 vpn pluto[6236]: "niemcy" #3: next payload type of
ISAKMP Hash Payload has an unknown value: 196
Sep 30 13:08:31 vpn pluto[6236]: "niemcy" #3: malformed payload in packet
Sep 30 13:08:31 vpn pluto[6236]: | payload malformed after IV
Sep 30 13:08:31 vpn pluto[6236]: | fd 96 3b 1d 3a 21 53 11
Sep 30 13:08:31 vpn pluto[6236]: "niemcy" #3: sending notification
PAYLOAD_MALFORMED to 81.xx.xx.66:500
vpn:~# ipsec auto --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 78.xx.xx.20
000 interface eth0/eth0 78.xx.xx.20
000 interface eth0:2/eth0:2 192.168.127.15
000 interface eth0:2/eth0:2 192.168.127.15
000 interface eth0:1/eth0:1 192.168.0.15
000 interface eth0:1/eth0:1 192.168.0.15
000 interface eth0:3/eth0:3 10.5.0.0
000 interface eth0:3/eth0:3 10.5.0.0
000 interface tun0/tun0 10.4.0.1
000 interface tun0/tun0 10.4.0.1
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8,
keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
keysizemax=256
000 algorithm ESP encrypt: id=13, name=(null), ivlen=8, keysizemin=128,
keysizemax=256
000 algorithm ESP encrypt: id=22, name=(null), ivlen=8, keysizemin=128,
keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,2,36}
trans={0,2,540} attrs={0,2,360}
000
000 "niemcy":
10.5.0.0/24===78.xx.xx.20---78.xx.xx.1...81.xx.xx.66===192.168.2.0/24;
prospective erouted; eroute owner: #0
000 "forti": srcip=unset; dstip=unset; srcup=ipsec _updown;
dstup=ipsec _updown;
000 "forti": ike_life: 86400s; ipsec_life: 86400s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 0
000 "forti": policy: PSK+ENCRYPT+TUNNEL+UP; prio: 24,24; interface:
eth0; encap: esp;
000 "forti": newest ISAKMP SA: #3; newest IPsec SA: #0;
000 "forti": IKE algorithms wanted:
3DES_CBC(5)_000-MD5(1)-MODP1536(5), 3DES_CBC(5)_000-MD5(1)-MODP1024(2);
flags=strict
000 "forti": IKE algorithms found:
3DES_CBC(5)_192-MD5(1)_128-MODP1536(5),
3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
000 "forti": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
000 "forti": ESP algorithms wanted: 3DES(3)_000-MD5(1); flags=strict
000 "forti": ESP algorithms loaded: 3DES(3)_000-MD5(1); flags=strict
000
000 #3: "forti":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established);
EVENT_SA_REPLACE in 86089s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000 #2: "forti":500 STATE_QUICK_I1 (sent QI1, expecting QR1);
EVENT_RETRANSMIT in 23s; lastdpd=-1s(seq in:0 out:0)
000 #1: "forti":500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 85749s; lastdpd=1s(seq in:0 out:0)
000
vpn:~#
Paul Wouters wrote:
> On Mon, 29 Sep 2008, Marcin J. Kowalczyk wrote:
>
>>
>> Hi,
>> I've tried to set it up like you said, but in the log I can see:
>>
>>
>> Sep 29 12:57:38 vpn ipsec__plutorun: 104 "forti" #1: STATE_MAIN_I1:
>> initiate
>> Sep 29 12:57:38 vpn ipsec__plutorun: ...could not start conn "forti"
>> Sep 29 12:57:38 vpn pluto[25143]: packet from 81.xx.xx.66:500:
>> ignoring informational payload, type
>> NO_PROPOSAL_CHOSEN
>> Sep 29 12:57:38 vpn pluto[25143]: packet from 81.xx.xx.66:500:
>> received and ignored informational
>> message
>> Sep 29 12:57:47 vpn pluto[25143]: packet from 81.xx.xx.66:500:
>> ignoring informational payload, type
>> NO_PROPOSAL_CHOSEN
>> Sep 29 12:57:47 vpn pluto[25143]: packet from 81.xx.xx.66:500:
>> received and ignored informational
>> message
>> Sep 29 12:58:08 vpn pluto[25143]: packet from 81.xx.xx.66:500:
>> ignoring informational payload, type
>> NO_PROPOSAL_CHOSEN
>> Sep 29 12:58:08 vpn pluto[25143]: packet from 81.xx.xx.66:500:
>> received and ignored informational
>> message
>
> So the configuration does not match the remote. Looks like the
> information is incorrect then. You can change your end to auto=add
> and let them initiate to see what they propose, and then match it.
>
> Paul
>
>> vpn:~# ipsec auto --status
>> 000 interface lo/lo ::1
>> 000 interface lo/lo 127.0.0.1
>> 000 interface lo/lo 127.0.0.1
>> 000 interface eth0/eth0 78.xx.xx.20
>> 000 interface eth0/eth0 78.xx.xx.20
>> 000 interface eth0:2/eth0:2 192.168.127.15
>> 000 interface eth0:2/eth0:2 192.168.127.15
>> 000 interface eth0:1/eth0:1 192.168.0.15
>> 000 interface eth0:1/eth0:1 192.168.0.15
>> 000 interface tun0/tun0 10.4.0.1
>> 000 interface tun0/tun0 10.4.0.1
>> 000 %myid = (none)
>> 000 debug none
>> 000
>> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8,
>> keysizemin=64, keysizemax=64
>> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8,
>> keysizemin=192, keysizemax=192
>> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8,
>> keysizemin=40, keysizemax=448
>> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0,
>> keysizemin=0, keysizemax=0
>> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8,
>> keysizemin=128, keysizemax=256
>> 000 algorithm ESP encrypt: id=13, name=(null), ivlen=8,
>> keysizemin=128, keysizemax=256
>> 000 algorithm ESP encrypt: id=22, name=(null), ivlen=8,
>> keysizemin=128, keysizemax=256
>> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
>> keysizemin=128, keysizemax=256
>> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
>> keysizemin=128, keysizemax=256
>> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
>> keysizemin=128, keysizemax=128
>> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
>> keysizemin=160, keysizemax=160
>> 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
>> keysizemin=256, keysizemax=256
>> 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC,
>> keysizemin=128, keysizemax=128
>> 000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0,
>> keysizemax=0
>> 000
>> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
>> keydeflen=192
>> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
>> keydeflen=128
>> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
>> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
>> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
>> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
>> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
>> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
>> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
>> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
>> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
>> 000
>> 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,1,36}
>> trans={0,1,540} attrs={0,1,360}
>> 000
>> 000 "forti": 78.xx.xx.20---78.xx.xx.1...81.xx.xx.66===192.168.2.0/24;
>> prospective erouted; eroute
>> owner: #0
>> 000 "forti": srcip=unset; dstip=unset; srcup=ipsec _updown;
>> dstup=ipsec _updown;
>> 000 "forti": ike_life: 86400s; ipsec_life: 86400s; rekey_margin:
>> 540s; rekey_fuzz: 100%;
>> keyingtries: 0
>> 000 "forti": policy: PSK+ENCRYPT+TUNNEL+UP; prio: 32,24; interface:
>> eth0; encap: esp;
>> 000 "forti": newest ISAKMP SA: #0; newest IPsec SA: #0;
>> 000 "forti": IKE algorithms wanted:
>> 3DES_CBC(5)_000-MD5(1)-MODP1536(5),
>> 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=strict
>> 000 "forti": IKE algorithms found:
>> 3DES_CBC(5)_192-MD5(1)_128-MODP1536(5),
>> 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
>> 000 "forti": ESP algorithms wanted: 3DES(3)_000-MD5(1); flags=strict
>> 000 "forti": ESP algorithms loaded: 3DES(3)_000-MD5(1); flags=strict
>> 000
>> 000 #1: "forti":500 STATE_MAIN_I1 (sent MI1, expecting MR1);
>> EVENT_RETRANSMIT in 11s; nodpd
>> 000 #1: pending Phase 2 for "forti" replacing #0
>> 000
>> vpn:~#
>>
>> the configuration I received from the VPN admin
>>
>> Our External IP: 81.xx.xx.66
>> Our internal net : 192.168.2.0/255.255.255.0
>> authentication pre-share
>> Pre shared key: keyXXXXXXXX
>> Encryption: 3des
>> Hash: md5
>> Lifetime:86400
>>
>> modified: forti.conf
>>
>> conn forti
>> type= tunnel
>> authby= secret
>> #RRT
>> left= 78.xx.xx.20 (my external IP)
>> leftnexthop= %defaultroute
>> #SAA
>> right= 81.xx.xx.66
>> rightsubnet= 192.168.2.0/24
>> esp=3des-md5
>> ike=3des-md5
>> keyexchange= ike
>> ikelifetime=86400
>> keylife=86400
>> pfs= no
>> auto= start
>>
>> #Disable Opportunistic Encryption
>> include /etc/ipsec.d/examples/no_oe.conf
>>
>> Felipe Rasputin suggested using:
>> esp=3des-md5
>> ike=3des-md5-modp1024
>> but that also did not work.
>>
>> Do you have any idea how to configure this ipsec-to-forti tunnel?
>>
>>
>> Paul Wouters wrote:
>>
>> On Sun, 28 Sep 2008, Marcin J. Kowalczyk wrote:
>>
>>> I'm trying to set up a connection between Openswan 2.4.12 and a Fortigate
>>> VPN. The only information I received from the person who administers the
>>> Forti is:
>>>
>>> "Remote Peer: 81.xx.xx.66
>>> Inside-Net: 192.168.0.0/255.255.255.0
>>> Pre shared key:
>>> esp-3des esp-md5-hmac
>>> authentication pre-share
>>> encryption 3des
>>> hash md5
>>> group 2
>>> lifetime 86400 "
>>>
>>> conn forti
>>> type= tunnel
>>> authby= secret
>>> #RRT
>>> left= 78.xx.xx.20
>>> leftsubnet= 192.168.127.0/24
>>
>> Does the other admin have this subnet defined for you?
>>
>>> leftnexthop= %defaultroute
>>> #SAA
>>> right= 81.xx.xx.66
>>> rightsubnet= 192.168.0.0/255.255.255.0
>>> esp= esp-md5-hmac
>>
>> esp=3des-md5
>>
>>> ike= 3des-md5-hmac
>>
>> ike=3des-md5
>>
>>> keyexchange= ike
>>> pfs= no
>>> auto= start
>>> #Disable Opportunistic Encryption
>>> include /etc/ipsec.d/examples/no_oe.conf
>>>
>>> in /etc/ipsec.d/forti.secret I've put the password I received from the VPN
>>> admin. Can anybody help me with the configuration of this connection?
>>
>> If this does not work, you should show the logs so we can see
>> the problem. Or even better, have them connect to you and show
>> the problem because then you receive their proposal and you can
>> match it.
>>
>> Paul
>>
>> -- Best regards
>> Marcin Kowalczyk
>>
>> System Administrator
>>
>> Call Center Inter Galactica
>> ul. Jana Kilinskiego 30, 50-264 Wroclaw, Poland
>> phone: +48 71 722 72 91 e-mail: marcin.kowalczyk at ccig.pl
>>
>
>
--
Best regards
Marcin Kowalczyk
System Administrator
Call Center Inter Galactica
ul. Jana Kilinskiego 30, 50-264 Wroclaw, Poland
phone: +48 71 722 72 91 e-mail: marcin.kowalczyk at ccig.pl
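The pluto log in this message shows the pattern Paul describes: Main Mode completes (ISAKMP SA established under PSK), Quick Mode gets NO_PROPOSAL_CHOSEN and times out in STATE_QUICK_I1, and a later encrypted message from the peer fails to parse ("malformed payload in packet"). The following triage script is an added example, not code from this thread or from Openswan; it parses pluto syslog lines, tracks each state object (#1, #2, ...), and reports at which phase the negotiation broke and which settings to compare. The sample lines are constructed, modelled on the ones posted above, and the mapping from "malformed payload after IV" to differing keying material is the usual reading of that message with PSK authentication, stated here as an assumption rather than a diagnosis of this particular tunnel.

```python
"""Triage an Openswan/pluto IKEv1 log: which phase failed, and what to compare.

Added example (not from the thread or from Openswan). SAMPLE_LOG is a
constructed excerpt shaped like the lines posted in the thread.
"""
import re

# Constructed excerpt: Phase 1 succeeds, Quick Mode is rejected and times out,
# and a later encrypted message from the peer cannot be parsed.
SAMPLE_LOG = """\
Sep 30 13:07:21 vpn pluto[6236]: "niemcy" #1: initiating Main Mode
Sep 30 13:07:21 vpn pluto[6236]: "niemcy" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Sep 30 13:07:21 vpn pluto[6236]: "niemcy" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
Sep 30 13:07:21 vpn pluto[6236]: "niemcy" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Sep 30 13:07:27 vpn pluto[6236]: "niemcy" #3: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Sep 30 13:07:27 vpn pluto[6236]: "niemcy" #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Sep 30 13:08:31 vpn pluto[6236]: "niemcy" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Sep 30 13:08:31 vpn pluto[6236]: "niemcy" #3: next payload type of ISAKMP Hash Payload has an unknown value: 196
Sep 30 13:08:31 vpn pluto[6236]: "niemcy" #3: malformed payload in packet
Sep 30 13:08:31 vpn pluto[6236]: "niemcy" #3: sending notification PAYLOAD_MALFORMED to 81.xx.xx.66:500
"""

# syslog prefix, then an optional '"conn" #N: ' state-object prefix, then the message
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'(?:"(?P<conn>[^"]+)" #(?P<sa>\d+): )?(?P<msg>.*)$'
)

# Notifications that are normal during setup and not worth flagging.
BENIGN_NOTIFICATIONS = {"IPSEC_INITIAL_CONTACT"}

ADVICE = {
    "phase1_rejected": (
        "NO_PROPOSAL_CHOSEN arrived before any ISAKMP SA was established: the ike= "
        "line (cipher, hash, DH group) does not match the peer's Phase 1 policy."),
    "phase2_rejected": (
        "Phase 1 completed but Quick Mode was rejected or timed out: compare esp= "
        "(cipher and integrity), pfs=, and the left/right subnets with the peer's "
        "Phase 2 policy, or set auto=add and let the peer initiate so its proposal "
        "is logged and can be matched."),
    "undecryptable_peer_message": (
        "An encrypted message from the peer did not parse (malformed payload after "
        "the IV): the two ends are using different keying material, which with PSK "
        "authentication usually means the pre-shared secrets differ (assumption); "
        "verify the secret configured for this peer on both ends."),
}


def parse(log_text):
    """Return (timestamp, conn, sa_number_or_None, message) for each pluto line."""
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            sa = int(m.group("sa")) if m.group("sa") else None
            events.append((m.group("ts"), m.group("conn"), sa, m.group("msg")))
    return events


def triage(log_text):
    """Summarise the negotiation and name the stage(s) at which it failed."""
    established, quick_started, quick_timeouts = [], [], []
    notifications, undecryptable, findings = [], [], []
    phase1_done = False
    for _, _, sa, msg in parse(log_text):
        if "ISAKMP SA established" in msg:
            if sa not in established:
                established.append(sa)
            phase1_done = True
        elif msg.startswith("initiating Quick Mode"):
            quick_started.append(sa)
        elif "max number of retransmissions" in msg and "STATE_QUICK" in msg:
            quick_timeouts.append(sa)
        elif "informational payload, type " in msg:
            ntype = msg.split("type ", 1)[1].strip()
            notifications.append((sa, ntype))
            if ntype == "NO_PROPOSAL_CHOSEN":
                # Same notification, different meaning depending on the phase reached.
                code = "phase2_rejected" if phase1_done else "phase1_rejected"
                if code not in findings:
                    findings.append(code)
        elif "malformed payload" in msg or "has an unknown value" in msg:
            if sa not in undecryptable:
                undecryptable.append(sa)
    if quick_timeouts and "phase2_rejected" not in findings:
        findings.append("phase2_rejected")
    if undecryptable:
        findings.append("undecryptable_peer_message")
    return {
        "isakmp_established": established,
        "quick_mode_started": quick_started,
        "quick_mode_timeouts": quick_timeouts,
        "notifications": [n for n in notifications if n[1] not in BENIGN_NOTIFICATIONS],
        "undecryptable_from_sa": undecryptable,
        "findings": findings,
        "advice": [ADVICE[f] for f in findings],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against `journalctl`/syslog output filtered for `pluto[` (for example `grep 'pluto\[' /var/log/auth.log | python3 triage.py` with the script reading stdin instead of SAMPLE_LOG). The point of the phase split is that NO_PROPOSAL_CHOSEN before an ISAKMP SA exists, as in the Sep 29 log quoted above, points at the ike= line, whereas the same notification after "ISAKMP SA established" points at the esp=, pfs= and subnet settings, which is exactly where Paul's advice to let the peer initiate and read its proposal applies.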