[Openswan Users] openswan fortigate stuck in EVENT_PENDING_PHASE2

Johannes Scholz js at vinci-info.com
Sun Jan 9 16:05:17 EST 2011 

Am 09.01.2011 um 21:15 schrieb Paul Wouters:

> On Sun, 9 Jan 2011, Johannes Scholz wrote:
> 
>> I am trying to establish an ipsec connection between a Fortigate 50 and openswan on centos (Linux Openswan U2.6.21/K2.6.18-194.32.1.el5 (netkey)).
> 
> I'd upgrade, 2.6.21 is really old and buggy.

Upgraded to 2.6.31, same results.

> 
>> The setup of the fortigate:
>> 
>> Internet <> ADSL router (80.14.x.x, 192.168.5.254) <> Fortigate 50B (wan iface 192.168.5.11, lan iface 192.168.10.0/24)
>> 
>> The fortigate is in the dmz of the adsl router, all packages arrive directly on the fortigate, however, the fortigate uses 192.168.5.254 (the adsl router) as default gw (static route 0.0.0.0 to 192.168.5.11).
> 
> I would not call that "directly on the fortigate", as it is behind NAT and a port forward.

NAT yes, portforward no.

> 
>> The computer running centos is directly connected to the internet. Config:
> 
> Does you config setup contain nat_traversal=yes?
> Does virtual_private contain 192.168.5.0/24?

yes and yes 

> 
>> conn vinci
>>  authby=secret                # Key exchange method
>> 
>>  left=213.239.x.x           # Public Internet IP address of the LEFT VPN device
>>  leftsubnet=192.168.0.0/24     # Subnet protected by the LEFT VPN device
>>  leftnexthop=%defaultroute    # correct in many situations
>> 
>>  right=80.14.x.x            # Public Internet IP address ofthe RIGHT VPN device
>>  rightsubnet=192.168.10.0/24      # Subnet protected by the RIGHT VPN device
>>  rightnexthop=%defaultroute    # correct in many situations
>>  rightid=@ipsectest.example.com		# needed, because if I use id address, the fortigate will send 192.168.5.11
>> 
>>  auto=add
>> 
>> 
>> Now phase one seems to be successful, an SA gets established:
>> 
>> Jan  9 20:14:05 neoen pluto[20906]: packet from 80.14.x.x:500: received Vendor ID payload [RFC 3947] method set to=109
>> Jan  9 20:14:05 neoen pluto[20906]: packet from 80.14.x.x:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
>> Jan  9 20:14:05 neoen pluto[20906]: packet from 80.14.x.x:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
>> Jan  9 20:14:05 neoen pluto[20906]: packet from 80.14.x.x:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
>> Jan  9 20:14:05 neoen pluto[20906]: packet from 80.14.x.x:500: ignoring unknown Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]
>> Jan  9 20:14:05 neoen pluto[20906]: packet from 80.14.x.x:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
>> Jan  9 20:14:05 neoen pluto[20906]: packet from 80.14.x.x:500: received Vendor ID payload [Dead Peer Detection]
>> Jan  9 20:14:05 neoen pluto[20906]: "vinci" #1: responding to Main Mode
>> Jan  9 20:14:05 neoen pluto[20906]: "vinci" #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
>> Jan  9 20:14:05 neoen pluto[20906]: "vinci" #1: STATE_MAIN_R1: sent MR1, expecting MI2
>> Jan  9 20:14:05 neoen pluto[20906]: "vinci" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
>> Jan  9 20:14:05 neoen pluto[20906]: pluto_do_crypto: helper (0) is  exiting
> 
> That is not good, the helper should not exit.
> 
>> Jan  9 20:14:05 neoen pluto[20906]: "vinci" #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
>> Jan  9 20:14:05 neoen pluto[20906]: "vinci" #1: STATE_MAIN_R2: sent MR2, expecting MI3
>> Jan  9 20:14:05 neoen pluto[20906]: pluto_do_crypto: helper (0) is  exiting
>> Jan  9 20:14:05 neoen pluto[20906]: "vinci" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
>> Jan  9 20:14:05 neoen pluto[20906]: "vinci" #1: Main mode peer ID is ID_FQDN: '@ipsectest.example.com
>> Jan  9 20:14:05 neoen pluto[20906]: "vinci" #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
>> Jan  9 20:14:05 neoen pluto[20906]: "vinci" #1: new NAT mapping for #1, was 80.14.x.x:500, now 80.14.x.x:4500
>> Jan  9 20:14:05 neoen pluto[20906]: "vinci" #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
> 
> The Fortigate is supposed to start Quick Mode (phase2) now but does not. Check its logs why it is
> not doing that.

Unfortunately the logs do not give away more than I already posted.

> 
> Paul

Johannes Scholz
js at vinci-info.com
+33 64 301 34 52
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20110109/609b5e58/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4755 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20110109/609b5e58/attachment-0001.bin

More information about the Users mailing list