
Thread: Can't set up Fortigate 111c IPSEC from OpenSwan

  1. #1
    Join Date
    Sep 2011
    Beans
    54

    Can't set up Fortigate 111c IPSEC from OpenSwan

    Hello,

    We have a VPN connection at work set up, which people with OSX have got to work. But I can't get it to work on Ubuntu 12.04.4 LTS.

    On OSX the settings that work are: Server: 123.123.123.123, account name: pelle, password: pwd_pelle, with a shared key: pwd_group (and empty group name). [as a Cisco VPN tunnel]

    This is my /etc/ipsec.conf
    Code:
    # /etc/ipsec.conf - Openswan IPsec configuration file
    # $Id$
    
    # Manual: ipsec.conf(5)
    
    # Created: Tue Mar 25 09:08:06 2014
    #      by: The L2TP IPsec VPN Manager application version 1.0.6
    #
    # WARNING! All changes made in this file will be lost!
    
    version    2.0    # conforms to second version of ipsec.conf specification
    
    config setup
        # plutodebug="parsing emitting control private"
        plutodebug=none
        strictcrlpolicy=no
        nat_traversal=yes
        interfaces=%defaultroute
        oe=off
        # which IPsec stack to use. netkey,klips,mast,auto or none
        protostack=netkey
    
    conn %default
        keyingtries=3
        pfs=no
        rekey=yes
        type=transport
        left=%defaultroute
        leftprotoport=17/1701
        rightprotoport=17/1701
    
    # Add connections here.
    
    
    conn Work
        leftid=@VPN_Group_2
        leftxauthusername=pelle
        left=%defaultroute
        right=123.123.123.123
        keyexchange=ike
        auto=start
        auth=esp
        authby=secret
        ikelifetime=28800s
        esp=3des-sha1;modp1024
        ike=3des-sha1,aes128-sha1;modp1024
        pfs=yes
        compress=no
        forceencaps=yes
        remote_peer_type=cisco
        rightxauthserver=yes
    And this is my ipsec.secrets
    Code:
    # /etc/ipsec.secrets - secrets for IKE/IPsec authentication
    # $Id$
    
    # Manual: ipsec.secrets(5)
    
    # Created: Tue Mar 25 09:08:06 2014
    #      by: The L2TP IPsec VPN Manager application version 1.0.6
    #
    # WARNING! All changes made in this file will be lost!
    #
    #
    # This file holds shared secrets or RSA private keys for inter-Pluto
    # authentication.  See ipsec_pluto(8) manpage, and HTML documentation.
    
    # RSA private key for this host, authenticating it to any other host
    # which knows the public part.  Suitable public keys, for ipsec.conf, DNS,
    # or configuration of other implementations, can be extracted conveniently
    # with "ipsec showhostkey".
    #
    %any : PSK "pwd_group" 
    @pelle : XAUTH "pwd_pelle"

    I get this while connecting:
    Code:
    root@pc:~# ipsec auto --add Work
    root@pc:~# ipsec auto --up Work
    104 "Work" #4: STATE_MAIN_I1: initiate
    003 "Work" #4: received Vendor ID payload [RFC 3947] method set to=109 
    003 "Work" #4: received Vendor ID payload [Dead Peer Detection]
    003 "Work" #4: ignoring unknown Vendor ID payload [8299031757a36082c6a621de000500b3]
    106 "Work" #4: STATE_MAIN_I2: sent MI2, expecting MR2
    003 "Work" #4: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
    108 "Work" #4: STATE_MAIN_I3: sent MI3, expecting MR3
    010 "Work" #4: STATE_MAIN_I3: retransmission; will wait 20s for response
    010 "Work" #4: STATE_MAIN_I3: retransmission; will wait 40s for response
    031 "Work" #4: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
    000 "Work" #4: starting keying attempt 2 of at most 3, but releasing whack
    And these are the settings in the fortigate 111c web-UI as seen from the people who set up the tunnel.

    [attachment: FortiGate sto fw 01 vpn 01.jpg]

    Note: using vpnc with Cisco VPN does not work either. My settings are:
    Code:
    root@pc:~# cat /etc/vpnc/myvpn.conf
    IPSec gateway  123.123.123.123
    IPSec secret pwd_group
    IKE Authmode psk
    Xauth username pelle
    Xauth password pwd_pelle
    Debug 200
    IKE DH Group dh2

  2. #2
    Join Date
    Sep 2011
    Beans
    54

    Re: Can't set up Fortigate 111c IPSEC from OpenSwan

    bump

  3. #3
    Join Date
    Sep 2011
    Beans
    54

    Re: Can't set up Fortigate 111c IPSEC from OpenSwan

    bump bump

  4. #4
    Join Date
    Sep 2011
    Beans
    54

    Re: Can't set up Fortigate 111c IPSEC from OpenSwan

    I think I almost solved it, just need the last push

  5. #5
    Join Date
    Sep 2011
    Beans
    54

    Re: Can't set up Fortigate 111c IPSEC from OpenSwan

    Help!

  6. #6
    Join Date
    Sep 2011
    Beans
    54

    Re: Can't set up Fortigate 111c IPSEC from OpenSwan

    help!

  7. #7
    Join Date
    Sep 2011
    Beans
    54

    Re: Can't set up Fortigate 111c IPSEC from OpenSwan

    heeeeelp

  8. #8
    Join Date
    Sep 2011
    Beans
    54

    Re: Can't set up Fortigate 111c IPSEC from OpenSwan

    bump

  9. #9
    Join Date
    Apr 2014
    Beans
    Hidden!
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Can't set up Fortigate 111c IPSEC from OpenSwan

    The only thing I can think of is that in your Phase 2 settings, PFS might not be enabled... Is it?

  10. #10
    Join Date
    Sep 2011
    Beans
    54

    Re: Can't set up Fortigate 111c IPSEC from OpenSwan

    Quote Originally Posted by Danger_Monkey View Post
    The only thing I can think of is that in your Phase 2 settings, PFS might not be enabled... Is it?
    Sorry, with pfs=no I still get this:
    Code:
    104 "Work" #2: STATE_MAIN_I1: initiate
    003 "Work" #2: received Vendor ID payload [RFC 3947] method set to=109 
    003 "Work" #2: received Vendor ID payload [Dead Peer Detection]
    003 "Work" #2: ignoring unknown Vendor ID payload [8299031757a36082c6a621de000500b3]
    106 "Work" #2: STATE_MAIN_I2: sent MI2, expecting MR2
    003 "Work" #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
    108 "Work" #2: STATE_MAIN_I3: sent MI3, expecting MR3
    010 "Work" #2: STATE_MAIN_I3: retransmission; will wait 20s for response
    010 "Work" #2: STATE_MAIN_I3: retransmission; will wait 40s for response
    031 "Work" #2: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
    000 "Work" #2: starting keying attempt 2 of at most 3, but releasing whack
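The `ipsec auto --up` output in the first post and again in #10 (with pfs=no) tells the same story: IKE main mode gets through MI1/MR1 and MI2/MR2, sends MI3 (the first encrypted message, carrying the initiator's identity and HASH_I) and never sees MR3, so pluto retransmits twice and gives up with "Possible authentication failure". The following script is an added example, not code from the thread or from Openswan: it parses whack status lines like the ones posted, records the state progression per ISAKMP SA, counts retransmissions and classifies where the negotiation stalled. The sample log is constructed to mirror the posted output; the `Negotiation` class, the hint table and the classification codes are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample, same shape as the `ipsec auto --up Work` output in the
# thread (the connection name "Work" and SA #4 are taken from that post).
SAMPLE_LOG = """\
104 "Work" #4: STATE_MAIN_I1: initiate
003 "Work" #4: received Vendor ID payload [RFC 3947] method set to=109
003 "Work" #4: received Vendor ID payload [Dead Peer Detection]
106 "Work" #4: STATE_MAIN_I2: sent MI2, expecting MR2
003 "Work" #4: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
108 "Work" #4: STATE_MAIN_I3: sent MI3, expecting MR3
010 "Work" #4: STATE_MAIN_I3: retransmission; will wait 20s for response
010 "Work" #4: STATE_MAIN_I3: retransmission; will wait 40s for response
031 "Work" #4: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
000 "Work" #4: starting keying attempt 2 of at most 3, but releasing whack
"""

# whack status line: three-digit code, quoted conn name, ISAKMP SA number, message
LINE_RE = re.compile(r'^(?P<code>\d{3})\s+"(?P<conn>[^"]+)"\s+#(?P<sa>\d+):\s+(?P<msg>.*)$')
STATE_RE = re.compile(r'STATE_[A-Z0-9_]+')

# Main-mode initiator states: what the peer failed to answer, and the usual reason.
STALL_CODES = {
    'STATE_MAIN_I1': 'no-reply-to-proposal',
    'STATE_MAIN_I2': 'no-reply-to-key-exchange',
    'STATE_MAIN_I3': 'encrypted-message-rejected',
}
STALL_HINTS = {
    'STATE_MAIN_I1': 'peer unreachable, UDP/500 filtered, or no matching IKE proposal',
    'STATE_MAIN_I2': 'DH group mismatch or packets dropped after the proposal was accepted',
    'STATE_MAIN_I3': 'peer could not verify HASH_I in MI3: pre-shared key or identity mismatch '
                     '(in main mode the ID only arrives inside MI3, so the responder picks the '
                     'PSK by source address before it sees the identity)',
}

@dataclass
class Negotiation:
    conn: str
    sa: int
    states: List[str] = field(default_factory=list)   # states reached, in order
    retransmits: int = 0
    nat_detected: bool = False
    gave_up_in: Optional[str] = None                  # state in which retransmissions ran out
    final_message: Optional[str] = None

def parse_pluto_log(text: str) -> List[Negotiation]:
    """Group whack/pluto lines by (conn, SA number) and record the IKE state progression."""
    sas: Dict[Tuple[str, int], Negotiation] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a whack status line
        key = (m['conn'], int(m['sa']))
        neg = sas.setdefault(key, Negotiation(*key))
        msg = m['msg']
        st = STATE_RE.search(msg)
        if 'NAT-Traversal: Result' in msg:
            neg.nat_detected = True
        elif msg.startswith('max number of retransmissions'):
            # "... reached STATE_MAIN_I3.  Possible authentication failure: ..."
            neg.gave_up_in = st.group(0) if st else None
            neg.final_message = msg.split('.', 1)[1].strip() if '.' in msg else msg
        elif 'retransmission' in msg:
            neg.retransmits += 1
        elif st and msg.startswith(st.group(0)):
            # a state-transition line such as "STATE_MAIN_I2: sent MI2, expecting MR2"
            if not neg.states or neg.states[-1] != st.group(0):
                neg.states.append(st.group(0))
    return list(sas.values())

def diagnose(neg: Negotiation) -> Tuple[str, str]:
    """Return (classification code, hint) for where the negotiation stopped."""
    if 'STATE_MAIN_I4' in neg.states or any(s.startswith('STATE_QUICK') for s in neg.states):
        return ('phase1-complete', 'main mode finished; look at quick mode / phase 2 instead')
    if neg.gave_up_in is None:
        return ('in-progress', 'no give-up line seen yet')
    code = STALL_CODES.get(neg.gave_up_in, 'stalled')
    hint = STALL_HINTS.get(neg.gave_up_in, 'stalled in ' + neg.gave_up_in)
    return (code, hint)

def report(text: str) -> List[str]:
    """One summary line per ISAKMP SA found in the log."""
    out = []
    for neg in parse_pluto_log(text):
        code, hint = diagnose(neg)
        out.append('%s #%d: %s -> %s (%d retransmits%s): %s' % (
            neg.conn, neg.sa, ' > '.join(neg.states) or 'no states', code,
            neg.retransmits, ', both sides NATed' if neg.nat_detected else '', hint))
    return out

if __name__ == '__main__':
    for line in report(SAMPLE_LOG):
        print(line)
```

Reading the posted log through this lens: MR2 was received, so the IKE proposal (3des-sha1 or aes128-sha1 with modp1024) was acceptable and the DH exchange completed; what the FortiGate silently dropped was MI3, and the "both are NATed" result means the client is behind NAT as well, which is why `forceencaps=yes` matters. Since main mode reveals `leftid` only inside that encrypted message, the responder has already chosen which pre-shared key to use by the time it sees `@VPN_Group_2`; whether the peer expects aggressive mode (Openswan's `aggrmode=yes`) for a group-ID plus XAUTH dialup is something to confirm against the FortiGate side, and this script only tells you at which step to look.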
