[Openswan Users] Openswan + Fortigate shared key problem

Marcin J. Kowalczyk marcin.kowalczyk at ccig.pl
Tue Sep 30 14:54:25 EDT 2008


I did some configuration changes and now it gets stuck at this point:

Sep 30 20:43:12 vpn pluto[1869]: "fortigate200a" #1: received Vendor ID payload [Dead Peer Detection]
Sep 30 20:43:12 vpn pluto[1869]: "fortigate200a" #1: ignoring unknown Vendor ID payload [afca071368a1f1c96b8696fc77570100]
Sep 30 20:43:12 vpn pluto[1869]: "fortigate200a" #1: ignoring unknown Vendor ID payload [1d6e178f6c2c0be284985465450fe9d4]
Sep 30 20:43:12 vpn pluto[1869]: "fortigate200a" #1: received Vendor ID payload [RFC 3947] method set to=109
Sep 30 20:43:12 vpn pluto[1869]: "fortigate200a" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Sep 30 20:43:12 vpn pluto[1869]: "fortigate200a" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Sep 30 20:43:12 vpn pluto[1869]: "fortigate200a" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Sep 30 20:43:12 vpn pluto[1869]: "fortigate200a" #1: I did not send a certificate because I do not have one.
Sep 30 20:43:12 vpn pluto[1869]: "fortigate200a" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Sep 30 20:43:12 vpn pluto[1869]: "fortigate200a" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Sep 30 20:43:12 vpn pluto[1869]: "fortigate200a" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Sep 30 20:43:12 vpn pluto[1869]: "fortigate200a" #1: Main mode peer ID is ID_IPV4_ADDR: '81.xx.xx.66'
Sep 30 20:43:12 vpn pluto[1869]: "fortigate200a" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Sep 30 20:43:12 vpn pluto[1869]: "fortigate200a" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Sep 30 20:43:12 vpn pluto[1869]: "fortigate200a" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Sep 30 20:43:12 vpn pluto[1869]: "fortigate200a" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Sep 30 20:43:12 vpn pluto[1869]: "fortigate200a" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xefa29e5b <0x6a371cb3 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}


vpn:/etc/racoon# ipsec auto --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 78.xx.xx.20
000 interface eth0/eth0 78.xx.xx.20
000 interface eth0:2/eth0:2 192.168.127.15
000 interface eth0:2/eth0:2 192.168.127.15
000 interface eth0:1/eth0:1 192.168.0.15
000 interface eth0:1/eth0:1 192.168.0.15
000 interface tun0/tun0 10.4.0.1
000 interface tun0/tun0 10.4.0.1
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=(null), ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=(null), ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,2,36} trans={0,2,540} attrs={0,2,360}
000
000 "fortigate200a": 10.5.0.0/24===78.xx.xx.20---78.xx.xx.1...81.xx.xx.66===192.168.2.0/24; erouted; eroute owner: #2
000 "fortigate200a":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "fortigate200a":   ike_life: 86400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "fortigate200a":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth0; encap: esp;
000 "fortigate200a":   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "fortigate200a":   IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)-MODP1536(5), 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=strict
000 "fortigate200a":   IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-MODP1536(5), 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
000 "fortigate200a":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
000 "fortigate200a":   ESP algorithms wanted: 3DES(3)_000-MD5(1), 3DES(3)_000-SHA1(2); pfsgroup=MODP1024(2); flags=strict
000 "fortigate200a":   ESP algorithms loaded: 3DES(3)_000-MD5(1), 3DES(3)_000-SHA1(2); pfsgroup=MODP1024(2); flags=strict
000 "fortigate200a":   ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=MODP1024
000
000 #2: "fortigate200a":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2314s; newest IPSEC; eroute owner
000 #2: "fortigate200a" esp.efa29e5b@81.xx.xx.66 esp.6a371cb3@78.xx.xx.20 tun.0@81.xx.xx.66 tun.0@78.xx.xx.20
000 #1: "fortigate200a":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 85440s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000
vpn:/etc/racoon#

and during that tcpdump shows
20:51:52.671001 IP 78.xx.xx.20.500 > 81.xx.xx.66.500: isakmp: phase 1 I ident
20:51:52.709311 IP 81.xx.xx.66.500 > 78.xx.xx.20.500: isakmp: phase 1 R ident
20:51:52.711989 IP 78.xx.xx.20.500 > 81.xx.xx.66.500: isakmp: phase 1 I ident
20:51:52.786250 IP 81.xx.xx.66.500 > 78.xx.xx.20.500: isakmp: phase 1 R ident
20:51:52.788132 IP 78.xx.xx.20.500 > 81.xx.xx.66.500: isakmp: phase 1 I ident[E]
20:51:52.825728 IP 81.xx.xx.66.500 > 78.xx.xx.20.500: isakmp: phase 1 R ident[E]
20:51:52.828368 IP 78.xx.xx.20.500 > 81.xx.xx.66.500: isakmp: phase 2/others I oakley-quick[E]
20:51:52.886937 IP 81.xx.xx.66.500 > 78.xx.xx.20.500: isakmp: phase 2/others R oakley-quick[E]
20:51:52.904236 IP 78.xx.xx.20.500 > 81.xx.xx.66.500: isakmp: phase 2/others I oakley-quick[E]


and the tunnel does not come up. Any idea why it works like that? Can a
running OpenVPN server cause problems like that?

Best Regards,
Marcin Kowalczyk
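As an added example (not code from the post, and not part of Openswan), here is a small Python checker that reads the pluto log lines and the `ipsec auto --status` connection line quoted above and reports what was actually negotiated: whether phase 1 and phase 2 completed, whether the kernel policy (eroute) is installed, whether a given source/destination pair falls inside the tunnel's selectors, and which negotiated algorithms are weak by current standards (3DES, MD5, modp1024, DPD left off). The selector check is the part worth running first in the "SAs established but no traffic" case: with policy-based IPsec, a packet whose source is outside the left subnet, for instance one sourced from the OpenVPN tun0 address 10.4.0.1, is simply not selected by this policy and leaves via the ordinary routing table, unencrypted. Assumptions: the log format is the one shown in the post; the sample lines are copied from it with the syslog prefix stripped and the masked `xx` octets kept; the src/dst addresses passed to `diagnose()` are chosen for illustration.

```python
import ipaddress
import re

# Constructed sample input: the pluto lines quoted in the post with the
# "Sep 30 ... pluto[1869]:" prefix removed and wrapped lines re-joined.
PLUTO_LOG = """\
"fortigate200a" #1: received Vendor ID payload [Dead Peer Detection]
"fortigate200a" #1: ignoring unknown Vendor ID payload [afca071368a1f1c96b8696fc77570100]
"fortigate200a" #1: ignoring unknown Vendor ID payload [1d6e178f6c2c0be284985465450fe9d4]
"fortigate200a" #1: received Vendor ID payload [RFC 3947] method set to=109
"fortigate200a" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
"fortigate200a" #1: Main mode peer ID is ID_IPV4_ADDR: '81.xx.xx.66'
"fortigate200a" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
"fortigate200a" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
"fortigate200a" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xefa29e5b <0x6a371cb3 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
"""
# The connection summary line from `ipsec auto --status` (masked octets kept).
STATUS_CONN = ('000 "fortigate200a": 10.5.0.0/24===78.xx.xx.20---78.xx.xx.1'
               '...81.xx.xx.66===192.168.2.0/24; erouted; eroute owner: #2')

RE_VID = re.compile(r'(received|ignoring unknown) Vendor ID payload \[([^\]]+)\]')
RE_NAT = re.compile(r'NAT-Traversal: Result using .*?: (.+)$')
RE_PEER = re.compile(r"Main mode peer ID is (\w+): '([^']+)'")
RE_P1 = re.compile(r'ISAKMP SA established \{([^}]*)\}')
RE_P2 = re.compile(r'IPsec SA established \{ESP=>(0x[0-9a-f]+) <(0x[0-9a-f]+) xfrm=(\S+) NATD=(\S+) DPD=(\S+)\}')
RE_CONN = re.compile(r'^"(?P<name>[^"]+)":\s+(?P<lnet>\S+?)===(?P<lhost>\S+?)---(?P<nexthop>\S+?)\.\.\.'
                     r'(?P<rhost>\S+?)===(?P<rnet>[^;\s]+);\s*(?P<route>\w+);(?:\s*eroute owner: #(?P<owner>\d+))?')

# Substrings (case-insensitive) of algorithm names that should not be accepted for a new tunnel.
WEAK = {
    "3des": "3DES (64-bit block cipher, deprecated; use AES)",
    "md5": "MD5 (broken hash; use SHA-256 for the PRF and ESP integrity)",
    "modp1024": "modp1024 (1024-bit DH group; use modp2048 or larger)",
}


def parse_pluto(text):
    """Reduce pluto's per-state log to what was actually negotiated."""
    rep = {"vendor_ids": [], "unknown_vendor_ids": [], "nat": None,
           "peer_id": None, "phase1": None, "phase2": None}
    for line in text.splitlines():
        if m := RE_VID.search(line):
            key = "vendor_ids" if m.group(1) == "received" else "unknown_vendor_ids"
            rep[key].append(m.group(2))
        elif m := RE_NAT.search(line):
            rep["nat"] = m.group(1)
        elif m := RE_PEER.search(line):
            rep["peer_id"] = (m.group(1), m.group(2))
        elif m := RE_P1.search(line):
            rep["phase1"] = dict(kv.split("=", 1) for kv in m.group(1).split())
        elif m := RE_P2.search(line):
            spi_out, spi_in, xfrm, natd, dpd = m.groups()
            enc, _, integ = xfrm.partition("-")
            rep["phase2"] = {"spi_out": spi_out, "spi_in": spi_in, "esp_enc": enc,
                             "esp_integ": integ, "natd": natd, "dpd": dpd}
    return rep


def parse_status_conn(line):
    """Split the 'leftnet===left---nexthop...right===rightnet' summary line."""
    m = RE_CONN.match(re.sub(r'^000\s+', '', line.strip()))
    if not m:
        raise ValueError("unrecognised connection line: %r" % line)
    d = m.groupdict()
    return {"name": d["name"], "left_host": d["lhost"], "nexthop": d["nexthop"],
            "right_host": d["rhost"], "erouted": d["route"] == "erouted",
            "left_net": ipaddress.ip_network(d["lnet"]),
            "right_net": ipaddress.ip_network(d["rnet"]),
            "eroute_owner": int(d["owner"]) if d["owner"] else None}


def policy_covers(conn, src, dst):
    """True if a packet src->dst matches the selectors; anything else (e.g. a source on tun0) is not protected by this SA."""
    return (ipaddress.ip_address(src) in conn["left_net"]
            and ipaddress.ip_address(dst) in conn["right_net"])


def weak_algorithms(rep):
    """Warnings for weak IKE/ESP algorithms and for DPD being off."""
    p1, p2, out = rep["phase1"], rep["phase2"], []
    negotiated = [("IKE", p1[k]) for k in ("cipher", "prf", "group")] if p1 else []
    negotiated += [("ESP", p2[k]) for k in ("esp_enc", "esp_integ")] if p2 else []
    for phase, alg in negotiated:
        out += ["%s uses %s" % (phase, why) for n, why in WEAK.items() if n in alg.lower()]
    if p2 and p2["dpd"] == "none" and "Dead Peer Detection" in rep["vendor_ids"]:
        out.append("DPD=none although the peer advertised it; set dpddelay/dpdtimeout/dpdaction")
    return out


def diagnose(log, status_line, src, dst):
    """One-shot checklist for the 'SAs established but no traffic' case."""
    rep, conn = parse_pluto(log), parse_status_conn(status_line)
    return {"phase1_up": rep["phase1"] is not None,
            "phase2_up": rep["phase2"] is not None,
            "nat": rep["nat"], "erouted": conn["erouted"],
            "traffic_selected": policy_covers(conn, src, dst),
            "warnings": weak_algorithms(rep)}


if __name__ == "__main__":
    import json  # assumed addresses: the OpenVPN tun0 address from the post as source
    print(json.dumps(diagnose(PLUTO_LOG, STATUS_CONN, "10.4.0.1", "192.168.2.10"), indent=2))
```

The pluto regexes use `search`, so the real log can be fed in with the syslog prefix left in place, and the status parser strips the leading `000` itself. For the addresses above it reports both phases up and the eroute installed, but `traffic_selected` false for the tun0 source, alongside warnings for 3DES, MD5, modp1024 and the disabled DPD.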



