[Openswan Users] IPSec VPN Fortigate Phase 2 stuck

Hajder Rabiee hajderr at gmail.com
Fri May 1 09:04:31 EDT 2015


Hi

In my secrets conf I already had
%any <vpn ip> : PSK "key"

but after adding, it still didn't work

@mykey: PSK "key"

➜  ~  sudo ipsec auto --add office
➜  ~  sudo ipsec auto --up office
104 "office" #1: STATE_MAIN_I1: initiate
003 "office" #1: received Vendor ID payload [Dead Peer Detection]
003 "office" #1: ignoring unknown Vendor ID payload [8299031757a36082c6a621de00050282]
106 "office" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "office" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "office" #1: discarding duplicate packet; already STATE_MAIN_I3
010 "office" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "office" #1: discarding duplicate packet; already STATE_MAIN_I3
010 "office" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
031 "office" #1: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
000 "office" #1: starting keying attempt 2 of an unlimited number, but releasing whack

On Fri, May 1, 2015 at 12:17 PM, Hajder Rabiee <hajderr at gmail.com> wrote:

> Hi
>
> In my secrets conf I already had
> %any <vpn ip> : PSK "key"
>
> but after adding, it still didn't work
>
> @mykey: PSK "key"
>
> ➜  ~  sudo ipsec auto --add office
> ➜  ~  sudo ipsec auto --up office
> 104 "office" #1: STATE_MAIN_I1: initiate
> 003 "office" #1: received Vendor ID payload [Dead Peer Detection]
> 003 "office" #1: ignoring unknown Vendor ID payload [8299031757a36082c6a621de00050282]
> 106 "office" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> 108 "office" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> 003 "office" #1: discarding duplicate packet; already STATE_MAIN_I3
> 010 "office" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
> 003 "office" #1: discarding duplicate packet; already STATE_MAIN_I3
> 010 "office" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
> 031 "office" #1: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
> 000 "office" #1: starting keying attempt 2 of an unlimited number, but releasing whack
>
>
>
> On Fri, May 1, 2015 at 10:47 AM, Paul Young <paul at arkig.com> wrote:
>
>> I think - not entirely sure!
>>
>> you need a leftid to tie in your secret key.
>>
>> So in the conn:
>>
>> leftid=@something
>>
>> and then in the secret file:
>>
>> @something: PSK "<blah>"
>>
>> Cheers,
>> Paul Young
>>
>>
>>
>> On 1 May 2015 at 17:17, Hajder Rabiee <hajderr at gmail.com> wrote:
>>
>>> Hi
>>>
>>> Trying to setup a VPN connection to Office Fortigate but I can't pass
>>> phase 2.
>>>
>>> Received info from sysadmins:
>>>
>>>
>>>    - PSK
>>>    - IKE v1
>>>    - Aggressive mode
>>>
>>>    - Phase1 3DES-SHA1
>>>    - DH group 5
>>>    - Key lifetime 28800
>>>
>>>    - XAUTH PAP Server (not sure if this necessary to know)
>>>
>>>    - Phase2 3DES-SHA1
>>>    - PFS no
>>>
>>>
>>>
>>> This is one of many configuration attempts; I've tried adding/removing
>>> different parameters.
>>>
>>> config setup
>>> interfaces=%defaultroute
>>> plutodebug="control parsing"
>>> #klipsdebug=all
>>> plutoopts="--interface=wlan0"
>>> dumpdir=/var/run/pluto/
>>> nat_traversal=no
>>> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
>>> oe=off
>>> protostack=netkey
>>>
>>> conn office
>>>  left=%defaultroute
>>>  right=<my gateway ip>
>>>  phase2=ah
>>>  phase2alg=sha1;modp1536
>>>  type=transport
>>>  authby=secret
>>>  pfs=no
>>>  compress=no
>>>  keyingtries=%forever
>>>
>>> This is the output
>>> ➜  /etc  sudo service ipsec restart
>>> ➜  /etc  sudo ipsec auto --add office && sudo ipsec auto --up office
>>> 104 "office" #1: STATE_MAIN_I1: initiate
>>> 003 "office" #1: received Vendor ID payload [Dead Peer Detection]
>>> 003 "office" #1: ignoring unknown Vendor ID payload [8299031757a36082c6a621de00050282]
>>> 106 "office" #1: STATE_MAIN_I2: sent MI2, expecting MR2
>>> 108 "office" #1: STATE_MAIN_I3: sent MI3, expecting MR3
>>> 003 "office" #1: discarding duplicate packet; already STATE_MAIN_I3
>>> 010 "office" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
>>> 003 "office" #1: discarding duplicate packet; already STATE_MAIN_I3
>>> 010 "office" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
>>> 031 "office" #1: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
>>> 000 "office" #1: starting keying attempt 2 of an unlimited number, but releasing whack
>>>
>>>
>>>
>>>
>>>
>>> --
>>> Med vänliga hälsningar / Best Regards
>>> Hajder
>>>
>>> _______________________________________________
>>> Users at lists.openswan.org
>>> https://lists.openswan.org/mailman/listinfo/users
>>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>> Building and Integrating Virtual Private Networks with Openswan:
>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>>
>>>
>>
>
>
> --
> Med vänliga hälsningar / Best Regards
> Hajder
>



-- 
Med vänliga hälsningar / Best Regards
Hajder
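Editor's note, added to the archived thread and not part of any message above: the configuration below is an added example, not the original poster's file and not Openswan project documentation. It shows how the parameters the administrators listed (IKEv1, aggressive mode, PSK, phase 1 3DES-SHA1 with DH group 5 and a 28800 s lifetime, XAUTH PAP, phase 2 3DES-SHA1, no PFS) map onto Openswan's ipsec.conf, and it assumes three things the thread does not state: that the FortiGate expects the client ID `mykey` from the thread, that the office network behind it is 10.1.0.0/16 (a placeholder), and that the XAUTH user name is `hajder` (also a placeholder); `<vpn ip>` and `"key"` are the thread's own placeholders. Two points where the posted configuration differs from the administrators' list are worth checking first: every log above begins with STATE_MAIN_I1, so Openswan is negotiating main mode while the FortiGate was said to expect aggressive mode, and `phase2=ah` with `phase2alg=sha1;modp1536` asks for unencrypted AH plus a PFS group, whereas 3DES-SHA1 with PFS off is an ESP proposal. The XAUTH lines and the ipsec.secrets syntax in the trailing comment are assumptions to be checked against the ipsec.conf(5) and ipsec.secrets(5) pages of the installed Openswan version.

```ini
# /etc/ipsec.conf -- added example, not the original poster's file.
# Placeholders/assumptions: <vpn ip> and "key" as in the thread, mykey as the
# client ID the FortiGate expects, 10.1.0.0/16 as the office network behind
# it, and hajder as the XAUTH user name.
config setup
    interfaces=%defaultroute
    protostack=netkey
    # A laptop on wlan0 is usually behind NAT; the posted config had this off.
    nat_traversal=yes
    oe=off

conn office
    # Phase 1 as specified: IKEv1, aggressive mode, PSK (+ XAUTH),
    # 3DES-SHA1, DH group 5 (modp1536), 28800 s lifetime.
    keyexchange=ike
    aggrmode=yes
    # Aggressive mode commits to a DH group in its first message, so Openswan
    # requires exactly one proposal here rather than a list.
    ike=3des-sha1;modp1536
    ikelifetime=28800s
    authby=secret
    # Only needed if the FortiGate really enforces XAUTH ("XAUTH PAP Server");
    # the user-name option is an assumption, check ipsec.conf(5).
    leftxauthclient=yes
    rightxauthserver=yes
    leftxauthusername=hajder
    # Phase 2 as specified: 3DES-SHA1 is an ESP proposal (AH cannot encrypt),
    # PFS off, so no DH group on the phase2alg line.
    phase2=esp
    phase2alg=3des-sha1
    pfs=no
    type=tunnel
    compress=no
    # Endpoints and identities. leftid must match the peer ID configured on
    # the FortiGate and the selector used in ipsec.secrets.
    left=%defaultroute
    leftid=@mykey
    right=<vpn ip>
    rightsubnet=10.1.0.0/16
    keyingtries=%forever
    auto=add

# /etc/ipsec.secrets (same placeholders). The PSK line keys the secret on the
# leftid/right pair; the XAUTH line's exact syntax is an assumption, check
# ipsec.secrets(5) for the installed version:
#   @mykey <vpn ip> : PSK "key"
#   @hajder : XAUTH "xauth-password"
```

After `ipsec auto --add office && ipsec auto --up office`, the first status line should read STATE_AGGR_I1 rather than STATE_MAIN_I1; if it still shows STATE_MAIN_I1, the `aggrmode=yes` line is not being applied to this conn. Two caveats a practitioner should raise with the administrators: IKEv1 aggressive mode with a pre-shared key sends the authentication hashes before encryption is established, so anyone who captures the exchange can run an offline dictionary attack against the PSK, and 3DES is a deprecated 64-bit block cipher. Neither is needed by a current FortiGate, which also supports main mode and AES.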