[Openswan Users] Openswan to Fortigate 60B - VPN
Erick Chinchilla Berrocal
erick at netcrc.net
Mon Sep 6 11:47:50 EDT 2010
Hi Paul,
Thanks for your reply.
I made the changes according to your recommendation, but the problem persists.
See the information below.
# This is the current setup
conn vpn
    type=tunnel
    auth=esp
    authby=secret
    esp=3des
    ikelifetime=1800s
    keyingtries=10
    keylife=28800s
    pfs=yes
    left=Public IP Server Openswan
    leftsubnet=LAN
    leftid=Public IP Server
    leftnexthop=Gateway IP          # %defaultroute correct in many situations
    right=Fortigate IP              # remote vitals
    rightsubnet=Fortigate LAN IP's
    rightid=Fortigate IP Public
    rightnexthop=%defaultroute      # correct in many situations
    ike=3des
    keyexchange=ike
    auto=start                      # connection at startup
#Syslog
Sep 6 11:29:41 VPN1 ipsec_setup: ...Openswan IPsec started
Sep 6 11:29:41 VPN1 ipsec_setup: Starting Openswan IPsec 2.4.12...
Sep 6 11:29:42 VPN1 ipsec__plutorun: 104 "nb-vpn" #1: STATE_MAIN_I1: initiate
Sep 6 11:29:42 VPN1 ipsec__plutorun: ...could not start conn "nb-vpn"
# /etc/init.d/ipsec restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec 2.4.12...
# /etc/init.d/ipsec status
IPsec running - pluto pid: 14468
pluto pid 14468
No tunnels up
# ipsec auto --up vpn (wait, wait...)
# ipsec auto --status
000 "vpn": 192.168.250.0/24===(Public IP Openswan Server)---(Gateway Openswan Server)...(Gateway Openswan Server)---(Fortigate IP)===192.168.0.0/24; prospective erouted; eroute owner: #0
000 "vpn": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "vpn": ike_life: 1800s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 10
000 "vpn": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth0; encap: esp;
000 "vpn": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "vpn": IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)-MODP1536(5), 3DES_CBC(5)_000-SHA1(2)-MODP1536(5), 3DES_CBC(5)_000-MD5(1)-MODP1024(2), 3DES_CBC(5)_000-SHA1(2)-MODP1024(2); flags=strict
000 "vpn": IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-MODP1536(5), 3DES_CBC(5)_192-SHA1(2)_160-MODP1536(5), 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2), 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
000 "vpn": ESP algorithms wanted: 3DES(3)_000-MD5(1), 3DES(3)_000-SHA1(2); flags=strict
000 "vpn": ESP algorithms loaded: 3DES(3)_000-MD5(1), 3DES(3)_000-SHA1(2); flags=strict
000
000 #1: "vpn":500 STATE_MAIN_I1 (sent MI1, expecting MR1); none in -1s; lastdpd=-1s(seq in:0 out:0)
000 #1: pending Phase 2 for "vpn" replacing #0
000
-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: Sunday, September 05, 2010 11:14 AM
To: Erick Chinchilla Berrocal
Cc: users at lists.openswan.org
Subject: Re: [Openswan Users] Openswan to Fortigate 60B - VPN
On Sat, 4 Sep 2010, Erick Chinchilla Berrocal wrote:
> P2 Proposal
> 1- Encryption = 3DES Authentication = MD5
> 2- Encryption = 3DES Authentication = SHA1
> Enable replay detection = yes
> Enable perfect forward secrecy (PFS) = yes
> DH Group = 5
> - Source address = 192.168.x.x/24 (LAN this side)
The x.x/24 is odd; are you sure that's not a /16?
> Initiator: sent x.x.x.x (public IP openswan) main mode message #1 (OK)
> conn nb-vpn # Name of the connection
> type=tunnel
> auth=esp
> authby=secret
> esp=3des-md5!;modp1536
Do not use "!" anywhere.
esp=3des
> leftrsasigkey=abc # key
You are not using RSA (authby=secret) so remove this
> rightrsasigkey=abc # key
same here
> ike=3des-md5!
no "!", use ike=3des
And use auto=start to start up by default.
It looks like you don't get an answer to the first packet, which
usually means a firewall problem.
Paul
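The two diagnoses in this thread (the config settings Paul objected to, and "stuck in STATE_MAIN_I1 means the first packet was never answered") can both be checked mechanically. The following script is an added example, not code from the Openswan project or from either poster; the conn fragment and the status lines it runs on are constructed from the text above, and the state-to-advice mapping is my own reading of pluto's IKEv1 main-mode state names.

```python
"""Lint an Openswan conn section and classify where an IKEv1 main-mode
negotiation is stuck, from `ipsec auto --status` output.

Added example; not Openswan code. Sample input is constructed from the thread.
"""
import re

# Constructed: the conn as first posted, with the settings Paul objected to.
POSTED_CONN = """
conn nb-vpn
    type=tunnel
    auth=esp
    authby=secret
    esp=3des-md5!;modp1536
    leftrsasigkey=abc
    rightrsasigkey=abc
    ike=3des-md5!
"""

# Constructed from the `ipsec auto --status` excerpt in the follow-up.
STATUS_LINES = """
000 "vpn": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth0; encap: esp;
000 "vpn": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 #1: "vpn":500 STATE_MAIN_I1 (sent MI1, expecting MR1); none in -1s; lastdpd=-1s(seq in:0 out:0)
000 #1: pending Phase 2 for "vpn" replacing #0
""".strip().splitlines()


def parse_conn(text):
    """Return {key: value} for the options of an ipsec.conf conn fragment."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if "=" in line and not line.startswith("conn "):
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts


def lint_conn(opts):
    """Flag the three things Paul pointed out: '!' in algorithm strings,
    RSA keys on a PSK conn, and no auto= line to bring the conn up."""
    problems = []
    for key in ("ike", "esp"):
        if "!" in opts.get(key, ""):
            problems.append(f"{key}: drop the '!' from '{opts[key]}'")
    if opts.get("authby") == "secret":
        for key in ("leftrsasigkey", "rightrsasigkey"):
            if key in opts:
                problems.append(f"{key}: remove; authby=secret does not use RSA keys")
    if "auto" not in opts:
        problems.append("auto: set auto=start so the conn is brought up at startup")
    return problems


# Matches e.g. 000 #1: "vpn":500 STATE_MAIN_I1 (sent MI1, expecting MR1); ...
STATE_RE = re.compile(r'^000 #(\d+): "([^"]+)":\d+ (STATE_\w+) \(([^)]*)\)')

# Hypothetical advice table keyed on pluto's IKEv1 initiator state names.
ADVICE = {
    "STATE_MAIN_I1": "MI1 sent, no MR1 received: the first packet is unanswered. "
                     "Check UDP/500 (and UDP/4500, ESP) through firewalls/NAT on "
                     "both sides; run `tcpdump -ni eth0 udp port 500` while initiating.",
    "STATE_MAIN_I2": "peer answers, phase 1 not finishing: compare IKE proposal/DH group",
    "STATE_MAIN_I3": "peer answers, authentication not finishing: check the PSK and IDs",
    "STATE_MAIN_I4": "ISAKMP SA established; phase 2 not yet started",
    "STATE_QUICK_I1": "phase 2 stuck: compare ESP proposal, PFS group and subnets",
    "STATE_QUICK_I2": "IPsec SA established",
}


def classify_status(lines):
    """Return (state, advice) for the newest SA found in status output."""
    state = None
    for line in lines:
        m = STATE_RE.match(line)
        if m:
            state = m.group(3)
    if state is None:
        return "no SA", "conn not loaded or never initiated (ipsec auto --add/--up)"
    return state, ADVICE.get(state, "inspect the pluto log for this state")


if __name__ == "__main__":
    for p in lint_conn(parse_conn(POSTED_CONN)):
        print("config:", p)
    print("status:", *classify_status(STATUS_LINES))
```

Point it at `ipsec auto --status` output captured while `ipsec auto --up vpn` is running; a conn that never leaves STATE_MAIN_I1 has not received a single byte back, so the next step is packet capture on the outside interface rather than more proposal tuning.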
__________ Information from ESET NOD32 Antivirus, version of virus signature
database 5427 (20100906) __________
The message was checked by ESET NOD32 Antivirus.
http://www.eset.com