[Openswan Users] IPSec VPN Fortigate Phase 2 stuck

Jun Yin hansyin at gmail.com
Tue May 5 16:13:04 EDT 2015


Hi,

If the Fortigate side has this setting:
XAUTH PAP Server (not sure if this is necessary to know)

then you should have xauth user/pass in your secrets file:

user_name : XAUTH "password"


On Sat, May 2, 2015 at 4:40 AM, Hajder Rabiee <hajderr at gmail.com> wrote:

> Posting updated configuration, adding aggressive mode in accordance with the info
> received. Suddenly I get an error about invalid hash information. Thought
> the parameters were correctly set...
>
> *ipsec auto --status*
>
> 000 "office":     myip=unset; hisip=unset;
> 000 "office":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "office":   policy: PSK+AUTHENTICATE+UP+AGGRESSIVE+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,24; interface: wlan0;
> 000 "office":   newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000 "office":   IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)_000-MODP1536(5); flags=-strict
> 000 "office":   IKE algorithms found: 3DES_CBC(5)_192-SHA1(2)_160-MODP1536(5)
> 000 "office":   AH algorithms wanted: SHA1(2)_000; pfsgroup=MODP1536(5); flags=-strict
> 000 "office":   AH algorithms loaded: SHA1(2)_160
> 000
> 000 #3: "office":500 STATE_AGGR_I1 (sent AI1, expecting AR1); none in -1s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
> 000 #3: pending Phase 2 for "office" replacing #0
>
> *Trying to up the connection*
>
> ➜  /etc  sudo ipsec auto --up office
> 112 "office" #1: STATE_AGGR_I1: initiate
> 003 "office" #1: received Vendor ID payload [Dead Peer Detection]
> 003 "office" #1: received Vendor ID payload [XAUTH]
> 003 "office" #1: ignoring unknown Vendor ID payload [8299031757a36082c6a621de00050282]
> 003 "office" #1: received Hash Payload does not match computed value
> 223 "office" #1: STATE_AGGR_I1: INVALID_HASH_INFORMATION
>
> *Updated config*
>
> conn office
>     aggrmode=yes
>      left=%defaultroute
>      right=<vpn gateway>
>      phase2=ah
>      phase2alg=sha1;modp1536
>      type=transport
>      ike=3des-sha1;modp1536
>
>      authby=secret
>      pfs=no
>      compress=no
>      keyingtries=%forever
>
> On Fri, May 1, 2015 at 3:04 PM, Hajder Rabiee <hajderr at gmail.com> wrote:
>
>> Hi
>>
>> In my secrets conf I already had
>> %any <vpn ip> : PSK "key"
>>
>> but after adding, it still didn't work
>>
>> @mykey: PSK "key"
>>
>> ➜  ~  sudo ipsec auto --add office
>> ➜  ~  sudo ipsec auto --up office
>> 104 "office" #1: STATE_MAIN_I1: initiate
>> 003 "office" #1: received Vendor ID payload [Dead Peer Detection]
>> 003 "office" #1: ignoring unknown Vendor ID payload [8299031757a36082c6a621de00050282]
>> 106 "office" #1: STATE_MAIN_I2: sent MI2, expecting MR2
>> 108 "office" #1: STATE_MAIN_I3: sent MI3, expecting MR3
>> 003 "office" #1: discarding duplicate packet; already STATE_MAIN_I3
>> 010 "office" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
>> 003 "office" #1: discarding duplicate packet; already STATE_MAIN_I3
>> 010 "office" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
>> 031 "office" #1: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
>> 000 "office" #1: starting keying attempt 2 of an unlimited number, but releasing whack
>>
>>> On Fri, May 1, 2015 at 10:47 AM, Paul Young <paul at arkig.com> wrote:
>>>
>>>> I think - not entirely sure!
>>>>
>>>> you need a leftid to tie in your secret key.
>>>>
>>>> So in the conn:
>>>>
>>>> *leftid=@something*
>>>>
>>>> and then in the secret file:
>>>>
>>>> *@something: PSK "<blah>"*
>>>>
>>>> Cheers,
>>>> Paul Young
>>>>
>>>>
>>>>
>>>> On 1 May 2015 at 17:17, Hajder Rabiee <hajderr at gmail.com> wrote:
>>>>
>>>>> Hi
>>>>>
>>>>> Trying to set up a VPN connection to the office Fortigate but I can't get past
>>>>> phase 2.
>>>>>
>>>>> Received info from sysadmins:
>>>>>
>>>>>
>>>>>    - PSK
>>>>>    - IKE v1
>>>>>    - Aggressive mode
>>>>>
>>>>>    - Phase1 3DES-SHA1
>>>>>    - DH group 5
>>>>>    - Key lifetime 28800
>>>>>
>>>>>    - XAUTH PAP Server (not sure if this is necessary to know)
>>>>>
>>>>>    - Phase2 3DES-SHA1
>>>>>    - PFS no
>>>>>
>>>>>
>>>>>
>>>>> *This is one of many configuration attempts, I've tried
>>>>> adding/removing different parameters.*
>>>>>
>>>>> config setup
>>>>> interfaces=%defaultroute
>>>>> plutodebug="control parsing"
>>>>> #klipsdebug=all
>>>>> plutoopts="--interface=wlan0"
>>>>> dumpdir=/var/run/pluto/
>>>>> nat_traversal=no
>>>>> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
>>>>> oe=off
>>>>> protostack=netkey
>>>>>
>>>>> conn office
>>>>>  left=%defaultroute
>>>>>  right=<my gateway ip>
>>>>>
>>>>>  phase2=ah
>>>>>  phase2alg=sha1;modp1536
>>>>>  type=transport
>>>>>  authby=secret
>>>>>  pfs=no
>>>>>  compress=no
>>>>>     keyingtries=%forever
>>>>>
>>>>> *This is the output*
>>>>> ➜  /etc  sudo service ipsec restart
>>>>> ➜  /etc  sudo ipsec auto --add office && sudo ipsec auto --up office
>>>>> 104 "office" #1: STATE_MAIN_I1: initiate
>>>>> 003 "office" #1: received Vendor ID payload [Dead Peer Detection]
>>>>> 003 "office" #1: ignoring unknown Vendor ID payload [8299031757a36082c6a621de00050282]
>>>>> 106 "office" #1: STATE_MAIN_I2: sent MI2, expecting MR2
>>>>> 108 "office" #1: STATE_MAIN_I3: sent MI3, expecting MR3
>>>>> 003 "office" #1: discarding duplicate packet; already STATE_MAIN_I3
>>>>> 010 "office" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
>>>>> 003 "office" #1: discarding duplicate packet; already STATE_MAIN_I3
>>>>> 010 "office" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
>>>>> 031 "office" #1: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
>>>>> 000 "office" #1: starting keying attempt 2 of an unlimited number, but releasing whack
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Med vänliga hälsningar / Best Regards
>>>>> Hajder
>>>>>
>>>>> _______________________________________________
>>>>> Users at lists.openswan.org
>>>>> https://lists.openswan.org/mailman/listinfo/users
>>>>> Micropayments:
>>>>> https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>>>> Building and Integrating Virtual Private Networks with Openswan:
>>>>>
>>>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>>>>
>>>>>
>>>>
>>
>>
>>
>> --
>> Med vänliga hälsningar / Best Regards
>> Hajder
>>
>
>
>
> --
> Med vänliga hälsningar / Best Regards
> Hajder
>
>
>


-- 
Rgds,

Hans Yin
Web:   http://sourceforge.net/projects/autotestnet/
Email:  hansyin at gmail.com
MSN:   hansyin at hotmail.com
Skype: hans_yin_vancouver
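Editor's added example, not configuration posted by anyone in this thread: an Openswan ipsec.conf and ipsec.secrets pairing that puts the parameters the sysadmins listed (PSK, IKEv1 aggressive mode, 3DES-SHA1 with DH group 5, 28800s lifetime, XAUTH, Phase 2 3DES-SHA1, no PFS) next to the two suggestions made above (a leftid tied to the PSK entry, and an XAUTH entry in the secrets file). Values in angle brackets are placeholders; the Phase 2 change from the posted config is an assumption drawn from the fact that AH carries no encryption, so a "3DES-SHA1" Phase 2 can only be ESP.

```ini
# /etc/ipsec.conf  (added example; assumes Openswan 2.6-style option names)
conn office
    aggrmode=yes                  # IKEv1 aggressive mode, as the sysadmins specified
    authby=secret                 # PSK authentication
    left=%defaultroute
    leftid=@<local-id>            # must match the "@<local-id>" line in ipsec.secrets
    right=<vpn gateway>
    ike=3des-sha1;modp1536        # Phase 1: 3DES-SHA1, DH group 5 (same as the posted config)
    ikelifetime=28800s            # "Key lifetime 28800" from the sysadmins
    phase2=esp                    # the posted config used phase2=ah, which cannot carry 3DES
    phase2alg=3des-sha1           # Phase 2: 3DES-SHA1 (the posted config had only sha1)
    pfs=no                        # "PFS no"
    leftxauthclient=yes           # this host is the XAUTH client ...
    rightxauthserver=yes          # ... and the Fortigate is the "XAUTH PAP Server"
    keyingtries=%forever
    auto=add

# /etc/ipsec.secrets  (added example)
# PSK line: local identity and gateway address, then the shared key
@<local-id> <vpn gateway> : PSK "<pre-shared key>"
# XAUTH line: the per-user credentials the Fortigate expects
<xauth username> : XAUTH "<xauth password>"
```

After editing, reload with `sudo ipsec auto --add office` followed by `sudo ipsec auto --up office` as in the thread, and check that `ipsec auto --status` now shows ESP rather than AH algorithms for the connection.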

