Re: [strongSwan] Multiple Win10 roadwarrior clients on the same NATted network
> Just use IKEv2 and you won't have those NAT issues that occur with L2TP
> and IPsec in transport mode (although, the Windows IKEv2 client has
> other issues and limitations [1]).

Thank you for the detailed update.

--
Lorenzo Milesi - lorenzo.mil...@yetopen.com
CTO @ YetOpen Srl
YetOpen - https://www.yetopen.com/
Via Salerno 18 - 23900 Lecco - ITALY | 4801 Glenwood Avenue - Suite 200 - Raleigh, NC 27612 - USA
Tel +39 0341 220 205 - info...@yetopen.com | Phone +1 919-817-8106 - info...@yetopen.com
Think green - Don't print this email unless necessary

Confidentiality notice: this email message including any attachment is for the sole use of the intended recipient and may contain confidential and privileged information; pursuant to Legislative Decree 196/2003 and the European General Data Protection Regulation 679/2016 (GDPR), any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient please delete this message without copying, printing or forwarding it to others, and alert us as soon as possible. Thank you.
[strongSwan] Multiple Win10 roadwarrior clients on the same NATted network
Hi.
I remember about the inability to have more than one IPsec roadwarrior client on the same NATted network. I've been searching for hours but couldn't find out whether this is "still" a thing. The most explicit and recent article on the subject I found is this [1], which basically lowers the security of the VPN client, but should allow multiple clients in the same network to connect.
I cannot run tests at the moment, I'm just investigating possible solutions, so I was wondering if someone knows in more detail how it works.
Thanks.

P.S. I have a network with a stable tunnel from a firewall to StrongSwan. I connected a Win10 client inside this network to the VPN and they both appeared to work fine (except for a quick reconnect of the firewall tunnel). But they're two different tunnels: the client was on the roadwarrior one while the firewall has a dedicated one.

[1] http://woshub.com/l2tp-ipsec-vpn-server-behind/

--
Lorenzo Milesi - lorenzo.mil...@yetopen.com
Re: [strongSwan] reconect "loop" with: invalid HASH_V1 payload length, decryption failed
> I'll try to collect logs from the Fortigate once the disconnect loop starts
> again.

I've captured the log on the Fortigate. The tunnel stopped working around 14:11:40 and was restored at 14:13:40. The Fortigate has a private "public" IP (192.168.1.2), NATted behind a modem.

[05/08/2021, 2:09:24,112 PM] ike 0: comes vpnserver_ip:4500->192.168.1.2:4500,ifindex=4
[05/08/2021, 2:09:24,112 PM] ike 0: IKEv1 exchange=Quick id=23b9d182be92989a/0fb0e3f0a31a603b:fc3d1cbd len=588
[05/08/2021, 2:09:24,112 PM] ike 0: in
ike 0:arubacloud:34854:400234: responder received first quick-mode message
[05/08/2021, 2:09:24,112 PM] ike 0:arubacloud:34854: dec
ike 0:arubacloud:34854:400234: peer proposal is: peer:0:172.32.1.0-172.32.1.255:0, me:0:FORTIGATE_PUBLIC_IP-FORTIGATE_PUBLIC_IP:0
[05/08/2021, 2:09:24,113 PM] ike 0:arubacloud:34854:exme-lan1:400234: trying
[05/08/2021, 2:09:24,113 PM] ike 0:arubacloud:34854:400234: specified selectors mismatch
[05/08/2021, 2:09:24,113 PM] ike 0:arubacloud:34854:400234: peer: type=7/7, local=0:FORTIGATE_PUBLIC_IP-FORTIGATE_PUBLIC_IP:0, remote=0:172.32.1.0-172.32.1.255:0
[05/08/2021, 2:09:24,113 PM] ike 0:arubacloud:34854:400234: mine: type=7/7, local=0:192.168.2.0-192.168.2.255:0, remote=0:172.32.1.0-172.32.1.255:0
[05/08/2021, 2:09:24,116 PM] ike 0:arubacloud:34854:exme-lan2:400234: trying
[05/08/2021, 2:09:24,116 PM] ike 0:arubacloud:34854:400234: specified selectors mismatch
[05/08/2021, 2:09:24,116 PM] ike 0:arubacloud:34854:400234: peer: type=7/7, local=0:FORTIGATE_PUBLIC_IP-FORTIGATE_PUBLIC_IP:0, remote=0:172.32.1.0-172.32.1.255:0
[05/08/2021, 2:09:24,116 PM] ike 0:arubacloud:34854:400234: mine: type=7/7, local=0:192.168.33.0-192.168.33.255:0, remote=0:172.32.1.0-172.32.1.255:0
[05/08/2021, 2:09:24,116 PM] ike 0:arubacloud:34854:400234: no matching phase2 found
[05/08/2021, 2:09:24,116 PM] ike 0:arubacloud:34854:400234: failed to get responder proposal
[05/08/2021, 2:09:24,116 PM] ike 0:arubacloud:34854: error processing quick-mode message from vpnserver_ip as responder
[05/08/2021, 2:09:37,125 PM] ike 0: comes vpnserver_ip:4500->192.168.1.2:4500,ifindex=4
[05/08/2021, 2:09:37,125 PM] ike 0: IKEv1 exchange=Quick id=23b9d182be92989a/0fb0e3f0a31a603b:fc3d1cbd len=588
[05/08/2021, 2:09:37,126 PM] ike 0: in
Re: [strongSwan] reconect "loop" with: invalid HASH_V1 payload length, decryption failed
: 13[ENC] generating QUICK_MODE request 505925992 [ HASH SA No KE ID ID ]
Aug 5 10:57:52 vpn01 charon: 13[NET] sending packet: from vpnserver_ip[4500] to unrelatedip1[4500] (588 bytes)
Aug 5 10:57:56 vpn01 charon: 06[IKE] sending retransmit 1 of request message ID 505925992, seq 6
Aug 5 10:57:56 vpn01 charon: 06[NET] sending packet: from vpnserver_ip[4500] to unrelatedip1[4500] (588 bytes)
Aug 5 10:57:57 vpn01 charon: 09[NET] received packet: from FORTIGATE_IP[4500] to vpnserver_ip[4500] (604 bytes)
Aug 5 10:57:57 vpn01 charon: 09[ENC] invalid HASH_V1 payload length, decryption failed?
Aug 5 10:57:57 vpn01 charon: 09[ENC] could not decrypt payloads
Aug 5 10:57:57 vpn01 charon: 09[IKE] message parsing failed
Aug 5 10:57:57 vpn01 charon: 09[ENC] generating INFORMATIONAL_V1 request 818986360 [ HASH N(PLD_MAL) ]
Aug 5 10:57:57 vpn01 charon: 09[NET] sending packet: from vpnserver_ip[4500] to FORTIGATE_IP[4500] (92 bytes)
Aug 5 10:57:57 vpn01 charon: 09[IKE] QUICK_MODE response with message ID 4147030735 processing failed

--
Lorenzo Milesi - lorenzo.mil...@yetopen.com
[strongSwan] reconect "loop" with: invalid HASH_V1 payload length, decryption failed
] sending packet: from strongswan_ip[500] to forti_ip[500] (524 bytes)
Aug 4 08:10:03 vpn01 charon: 15[NET] received packet: from forti_ip[500] to strongswan_ip[500] (508 bytes)
Aug 4 08:10:03 vpn01 charon: 15[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Aug 4 08:10:04 vpn01 charon: 15[IKE] remote host is behind NAT
Aug 4 08:10:04 vpn01 charon: 15[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Aug 4 08:10:04 vpn01 charon: 15[NET] sending packet: from strongswan_ip[4500] to forti_ip[4500] (108 bytes)
Aug 4 08:10:04 vpn01 charon: 05[NET] received packet: from forti_ip[4500] to strongswan_ip[4500] (92 bytes)
Aug 4 08:10:04 vpn01 charon: 05[ENC] parsed ID_PROT response 0 [ ID HASH ]

ipsec.conf:

conn remote01-base
    keyexchange=ikev1
    fragmentation=yes
    dpdaction=restart
    ike=aes256-sha256-modp3072
    esp=aes256-sha256-modp3072
    keyingtries=%forever
    leftsubnet=172.32.1.0/24
    lifetime=86400
    leftauth=psk
    rightauth=psk
    rightid=Exme
    auto=start
    right=forti_ip

conn remote01-lan
    also=remote01-base
    leftsubnet=172.32.1.0/24
    rightsubnet=192.168.2.0/24

conn remote01-wifi
    also=remote01-base
    leftsubnet=172.32.1.0/24
    rightsubnet=192.168.33.0/24

ipsec.secrets:

forti_ip : PSK abcde

--
Lorenzo Milesi - lorenzo.mil...@yetopen.com
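Added example, my own code and not part of the thread or of strongSwan: it parses the ipsec.conf posted above, applies `also=` inheritance and strongSwan's rule that a missing leftsubnet/rightsubnet means the endpoint address itself, then reads the Fortigate's "peer:"/"mine:" lines from the follow-up to see which conn produces the rejected proposal and whether any phase2 could accept it. The base conn carrying auto=start being started on its own is the hypothesis under test, not a diagnosis the thread confirms; `FORTI_IP` is a constructed placeholder standing in for forti_ip / FORTIGATE_PUBLIC_IP.

```python
import ipaddress
import re

# Constructed placeholder (TEST-NET-3) standing in for the post's "forti_ip"
# and for FORTIGATE_PUBLIC_IP in the Fortigate log; everything else is as posted.
FORTI_IP = "203.0.113.10"

# The posted ipsec.conf, reduced to the keys that decide traffic selectors.
IPSEC_CONF = f"""
conn remote01-base
    leftsubnet=172.32.1.0/24
    auto=start
    right={FORTI_IP}

conn remote01-lan
    also=remote01-base
    leftsubnet=172.32.1.0/24
    rightsubnet=192.168.2.0/24

conn remote01-wifi
    also=remote01-base
    leftsubnet=172.32.1.0/24
    rightsubnet=192.168.33.0/24
"""

# The Fortigate's quick-mode lines from the follow-up: the proposal it received
# ('peer:') and the selectors of each phase2 it tried ('mine:').
FORTI_LOG = f"""
ike 0:arubacloud:34854:400234: peer: type=7/7, local=0:{FORTI_IP}-{FORTI_IP}:0, remote=0:172.32.1.0-172.32.1.255:0
ike 0:arubacloud:34854:400234: mine: type=7/7, local=0:192.168.2.0-192.168.2.255:0, remote=0:172.32.1.0-172.32.1.255:0
ike 0:arubacloud:34854:400234: mine: type=7/7, local=0:192.168.33.0-192.168.33.255:0, remote=0:172.32.1.0-172.32.1.255:0
ike 0:arubacloud:34854:400234: no matching phase2 found
"""


def parse_ipsec_conf(text):
    """Return {conn: {key: value}} with also= sections merged in (own keys win)."""
    conns, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
            continue
        key, _, value = line.partition("=")
        conns[current][key.strip()] = value.strip()

    def resolve(name):
        own = dict(conns[name])
        merged = resolve(own.pop("also")) if "also" in own else {}
        merged.update(own)
        return merged

    return {name: resolve(name) for name in conns}


def effective_selectors(conf):
    """(left_ts, right_ts) as networks. Without leftsubnet/rightsubnet strongSwan
    uses the endpoint address itself (left/32, right/32): a host-to-host CHILD_SA."""
    def side(prefix):
        if prefix + "subnet" in conf:
            return ipaddress.ip_network(conf[prefix + "subnet"], strict=False)
        return ipaddress.ip_network(conf[prefix] + "/32")
    return side("left"), side("right")


SEL_RE = re.compile(r"(peer|mine): type=[^,]+, local=0:([\d.]+)-([\d.]+):0,"
                    r" remote=0:([\d.]+)-([\d.]+):0")


def parse_forti_selectors(log):
    """[(who, local_net, remote_net)] from the Fortigate's 'peer:'/'mine:' lines."""
    def net(first, last):
        (n,) = ipaddress.summarize_address_range(ipaddress.ip_address(first),
                                                 ipaddress.ip_address(last))
        return n
    return [(who, net(l1, l2), net(r1, r2))
            for who, l1, l2, r1, r2 in SEL_RE.findall(log)]


def explain_mismatch(conns, forti_log):
    """Which strongSwan conn(s) produce the proposal logged as 'peer', and whether
    any Fortigate phase2 ('mine') accepts it. IKEv1 quick mode has no selector
    narrowing, so both sides must match exactly."""
    sels = parse_forti_selectors(forti_log)
    forti_local, forti_remote = next((l, r) for who, l, r in sels if who == "peer")
    # The Fortigate's local side is strongSwan's right side and vice versa.
    origin = [name for name, conf in conns.items()
              if effective_selectors(conf) == (forti_remote, forti_local)]
    accepted = any((l, r) == (forti_local, forti_remote)
                   for who, l, r in sels if who == "mine")
    return origin, accepted
```

With the posted values this attributes the host-to-host proposal to remote01-base and finds no Fortigate phase2 that accepts it; if that is what is happening, giving the template conn auto=ignore removes that candidate while the lan and wifi conns keep inheriting the rest.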
[strongSwan] Cannot connect from roadwarrior linux client to server with Letsencrypt cert
Hi.
I've set up a roadwarrior server with Strongswan 5.8.2. Windows 10 clients connect successfully, while Linux ones don't. When I try to bring up the connection I get:

received end entity cert "CN=vpn01.server.it"
using certificate "CN=vpn01.server.it"
using trusted intermediate ca certificate "C=AT, O=ZeroSSL, CN=ZeroSSL RSA Domain Secure Site CA"
checking certificate status of "CN=vpn01.server.it"
requesting ocsp status from 'http://zerossl.ocsp.sectigo.com' ...
nonce in ocsp response doesn't match
ocsp check failed, fallback to crl
certificate status is not available
no issuer certificate found for "C=AT, O=ZeroSSL, CN=ZeroSSL RSA Domain Secure Site CA"
issuer is "C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority"
no trusted RSA public key found for 'vpn01.server.it'
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
sending packet: from 75.1.1.6[4500] to 95.1.8.6[4500] (65 bytes)
establishing connection 'vpn-vpn01' failed

In /etc/ipsec.d/cacerts I copied the fullchain and ca pem files from the server. The LE certificate has been issued using acme.sh; ZeroSSL comes from that.
I tried downloading the OCSP cert directly from the website but didn't know how to do it... thanks.

--
Lorenzo Milesi - lorenzo.mil...@yetopen.com
Re: [strongSwan] Unable to find PSK for tunnel: no peer config found
I've chosen a new password and copied it directly from the generator to FortiGate and ipsec.conf, and finally managed to get P1 up.
Unfortunately P2 was still throwing mismatch errors. After changing from:

esp=aes256-sha256

to

esp=aes256-sha256-modp3072

I was finally able to bring up the full tunnel with both networks.

thanks again

- Original Message -
> From: "Noel Kuntze"
> To: "Lorenzo Milesi" , "Noel Kuntze"
> Cc: "users"
> Sent: Wednesday, May 26, 2021 5:21:14 PM
> Subject: Re: [strongSwan] Unable to find PSK for tunnel: no peer config found

> Hello Lorenzo,
>
> That's one that is also puzzling me at times.
> Maybe there's a newline at the end of the PSK in the fortigate and
> that's not filtered and also not displayed in the UI.
> Try entering the PSK there by hand. That way you can't unknowingly
> copy newlines - or enter special characters.
>
> Kind regards
> Noel
>
> On 26.05.21 at 16:40, Lorenzo Milesi wrote:
>> Thanks for the quick response.
>> Gee, I feel ashamed, I'm usually the one spotting typos!! :(
>>
>> Fixed that; now I've apparently a PSK mismatch because I get
>>
>> May 26 16:36:51 vpn01 charon: 03[NET] received packet: from 217.133.18.100[4500] to 95.110.128.186[4500]
>> May 26 16:36:51 vpn01 charon: 10[MGR] checkout IKEv1 SA by message with SPIs 4e33bc842b30dd31_i 909c49b7e60be2ac_r
>> May 26 16:36:51 vpn01 charon: 10[MGR] IKE_SA sts-base[5] successfully checked out
>> May 26 16:36:51 vpn01 charon: 10[NET] received packet: from 217.133.18.100[4500] to 95.110.128.186[4500] (556 bytes)
>> May 26 16:36:51 vpn01 charon: 10[ENC] invalid HASH_V1 payload length, decryption failed?
>> May 26 16:36:51 vpn01 charon: 10[ENC] could not decrypt payloads
>>
>> But I'm puzzled, as I'm directly copying from the secrets file to the Fortigate GUI!
>> My secrets is now:
>>
>> 2.3.8.1 : PSK"abcde"
>> Stelle : PSK abcde
>>
>> (2.3.8.1 being the fortigate public ip)
>>
>> - Original Message -
>>> From: "Noel Kuntze"
>>> To: "Lorenzo Milesi" , "users"
>>> Sent: Wednesday, May 26, 2021 4:24:31 PM
>>> Subject: Re: [strongSwan] Unable to find PSK for tunnel: no peer config found
>>> Hi Lorenzo,
>>>
>>> You are the victim of a typo.
>>>
>>>> righid=Stelle
>>> Should be rightid.
>>>
>>> Kind regards
>>> Noel
>>>
>>> On 26.05.21 at 16:18, Lorenzo Milesi wrote:
>>>> Hi.
>>>> I'm (still) trying to configure a tunnel between a StrongSwan 5.6.2 (Ubuntu 18.04) host and a Fortigate device. I finally came up with a working configuration, but now I'm unable to have strongswan authenticate, I get the infamous
>>>> May 26 16:05:19 vpn01 charon: 13[IKE] no peer config found
>>>> I tried different formats of selectors but they all fail. I checked the config several times but I cannot find what's wrong.
>>>>
>>>> My ipsec.secrets:
>>>> 95.1.8.6 %any : PSK "abcde"
>>>> 95.1.8.6 2.3.8.1 : PSK "abcde"
>>>> 95.1.8.6 : PSK "abcde"
>>>> Stelle : PSK "abcde"
>>>>
>>>> My ipsec.conf:
>>>> conn sts-base
>>>>     keyexchange=ikev1
>>>>     fragmentation=yes
>>>>     dpdaction=restart
>>>>     ike=aes256-sha256-modp3072
>>>>     esp=aes256-sha256
>>>>     keyingtries=%forever
>>>>     leftsubnet=172.32.1.0/24
>>>>     lifetime=86400
>>>>     leftauth=psk
>>>>     rightauth=psk
>>>>     righid=Stelle
>>>>     auto=start
>>>>     right=2.3.8.1
>>>>
>>>> conn site-3-1
>>>>     also=sts-base
>>>>     leftsubnet=172.32.1.0/24
>>>>     rightsubnet=192.168.8.0/24
>>>>
>>>> conn site-3-2
>>>>     also=sts-base
>>>>     leftsubnet=172.32.1.0/24
>>>>     rightsubnet=192.168.9.0/24
>>>>
>>>> Log:
>>>> May 26 16:05:19 vpn01 ipsec[1367]: 15[IKE] remote host is behind NAT
>>>> May 26 16:05:19 vpn01 ipsec[1367]: 15[CFG] peer config match local: 1 (ID_ANY)
>>>> May 26 16:05:19 vpn01
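Added example, my own code and not from the thread: a small lint for the three things this thread turned on, the righid typo, a PSK that may carry invisible trailing whitespace or differ between selector lines, and an esp= proposal without the DH group that ike= has, which means no PFS is negotiated and phase 2 fails against a peer that requires it (the poster's fix was esp=aes256-sha256-modp3072). The inputs are constructed from the posted config; the trailing space on the second secret line is added here to exercise the check.

```python
import difflib
import re

# ipsec.conf keys accepted in a conn section (the subset this thread touches).
KNOWN_KEYS = frozenset({
    "keyexchange", "fragmentation", "dpdaction", "ike", "esp", "keyingtries",
    "left", "right", "leftsubnet", "rightsubnet", "leftid", "rightid",
    "leftauth", "rightauth", "lifetime", "ikelifetime", "auto", "also", "type",
})
DH_GROUP = re.compile(r"^(modp\d+|ecp\d+|curve25519|x25519)$")
SECRET_LINE = re.compile(r"^(?P<selectors>[^:]*):\s*PSK(?P<raw>.*)$")


def dh_groups(proposal):
    """DH groups named in a proposal string such as 'aes256-sha256-modp3072'."""
    return [tok for tok in proposal.split("-") if DH_GROUP.match(tok)]


def lint_conn(text):
    """Findings for one conn section as [(code, detail)]: keys strongSwan does not
    know (with the closest valid key, so righid -> rightid) and an esp= proposal
    without the DH group that ike= carries. Without a group in esp= no PFS is
    negotiated, and a peer that requires PFS rejects phase 2 with a mismatch."""
    findings, values = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("conn ") or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        values[key] = value
        if key not in KNOWN_KEYS:
            guess = difflib.get_close_matches(key, sorted(KNOWN_KEYS), n=1)
            hint = f" (did you mean {guess[0]}?)" if guess else ""
            findings.append(("unknown-key", key + hint))
    ike_dh, esp_dh = dh_groups(values.get("ike", "")), dh_groups(values.get("esp", ""))
    if ike_dh and not esp_dh:
        findings.append(("esp-no-dh", f"esp={values['esp']} has no DH group; "
                         f"for PFS use esp={values['esp']}-{ike_dh[0]}"))
    return findings


def lint_secrets(text):
    """Findings for PSK lines of ipsec.secrets as [(code, line_no, detail)]:
    whitespace or a carriage return trailing the secret (a GUI would hide it,
    and a key that differs by one byte never authenticates), no whitespace
    between PSK and the secret, and selector lines that carry different secrets."""
    findings, secrets = [], {}
    for no, line in enumerate(text.split("\n"), start=1):
        m = SECRET_LINE.match(line)
        if not m:
            continue
        raw = m.group("raw")
        if not raw.startswith((" ", "\t")):
            findings.append(("psk-format", no, "no whitespace between PSK and the secret"))
        trailing = raw[len(raw.rstrip(" \t\r")):]
        if trailing:
            findings.append(("psk-trailing-whitespace", no, repr(trailing)))
        secret = raw.strip(" \t\r")
        if len(secret) >= 2 and secret[0] == secret[-1] == '"':
            secret = secret[1:-1]
        secrets[no] = secret
    if len(set(secrets.values())) > 1:
        findings.append(("psk-inconsistent", 0, f"lines {sorted(secrets)} differ"))
    return findings


# Constructed inputs reproducing the posted configuration; the trailing space on
# the second secret line is added here to exercise the check.
CONN_TEXT = """
conn sts-base
    keyexchange=ikev1
    ike=aes256-sha256-modp3072
    esp=aes256-sha256
    leftauth=psk
    rightauth=psk
    righid=Stelle
    auto=start
    right=2.3.8.1
"""
SECRETS_TEXT = '2.3.8.1 : PSK"abcde"\nStelle : PSK abcde \n'
```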
Re: [strongSwan] Unable to find PSK for tunnel: no peer config found
Thanks for the quick response.
Gee, I feel ashamed, I'm usually the one spotting typos!! :(

Fixed that; now I've apparently a PSK mismatch because I get

May 26 16:36:51 vpn01 charon: 03[NET] received packet: from 217.133.18.100[4500] to 95.110.128.186[4500]
May 26 16:36:51 vpn01 charon: 10[MGR] checkout IKEv1 SA by message with SPIs 4e33bc842b30dd31_i 909c49b7e60be2ac_r
May 26 16:36:51 vpn01 charon: 10[MGR] IKE_SA sts-base[5] successfully checked out
May 26 16:36:51 vpn01 charon: 10[NET] received packet: from 217.133.18.100[4500] to 95.110.128.186[4500] (556 bytes)
May 26 16:36:51 vpn01 charon: 10[ENC] invalid HASH_V1 payload length, decryption failed?
May 26 16:36:51 vpn01 charon: 10[ENC] could not decrypt payloads

But I'm puzzled, as I'm directly copying from the secrets file to the Fortigate GUI!
My secrets is now:

2.3.8.1 : PSK"abcde"
Stelle : PSK abcde

(2.3.8.1 being the fortigate public ip)

- Original Message -
> From: "Noel Kuntze"
> To: "Lorenzo Milesi" , "users"
> Sent: Wednesday, May 26, 2021 4:24:31 PM
> Subject: Re: [strongSwan] Unable to find PSK for tunnel: no peer config found

> Hi Lorenzo,
>
> You are the victim of a typo.
>
>> righid=Stelle
>
> Should be rightid.
>
> Kind regards
> Noel
>
> On 26.05.21 at 16:18, Lorenzo Milesi wrote:
>> Hi.
>> I'm (still) trying to configure a tunnel between a StrongSwan 5.6.2 (Ubuntu 18.04) host and a Fortigate device. I finally came up with a working configuration, but now I'm unable to have strongswan authenticate, I get the infamous
>> May 26 16:05:19 vpn01 charon: 13[IKE] no peer config found
>> I tried different formats of selectors but they all fail. I checked the config several times but I cannot find what's wrong.
>>
>> My ipsec.secrets:
>> 95.1.8.6 %any : PSK "abcde"
>> 95.1.8.6 2.3.8.1 : PSK "abcde"
>> 95.1.8.6 : PSK "abcde"
>> Stelle : PSK "abcde"
>>
>> My ipsec.conf:
>> conn sts-base
>>     keyexchange=ikev1
>>     fragmentation=yes
>>     dpdaction=restart
>>     ike=aes256-sha256-modp3072
>>     esp=aes256-sha256
>>     keyingtries=%forever
>>     leftsubnet=172.32.1.0/24
>>     lifetime=86400
>>     leftauth=psk
>>     rightauth=psk
>>     righid=Stelle
>>     auto=start
>>     right=2.3.8.1
>>
>> conn site-3-1
>>     also=sts-base
>>     leftsubnet=172.32.1.0/24
>>     rightsubnet=192.168.8.0/24
>>
>> conn site-3-2
>>     also=sts-base
>>     leftsubnet=172.32.1.0/24
>>     rightsubnet=192.168.9.0/24
>>
>> Log:
>> May 26 16:05:19 vpn01 ipsec[1367]: 15[IKE] remote host is behind NAT
>> May 26 16:05:19 vpn01 ipsec[1367]: 15[CFG] peer config match local: 1 (ID_ANY)
>> May 26 16:05:19 vpn01 ipsec[1367]: 15[CFG] peer config match remote: 1 (ID_ANY)
>> May 26 16:05:19 vpn01 ipsec[1367]: 15[CFG] ike config match: 2076 (95.1.8.6 2.3.8.1 IKEv1)
>> May 26 16:05:19 vpn01 ipsec[1367]: 15[CFG] candidate "sts-base", match: 1/1/2076 (me/other/ike)
>> May 26 16:05:19 vpn01 ipsec[1367]: 15[IKE] natd_chunk => 22 bytes @ 0x7ff92cef4ac0
>> May 26 16:05:19 vpn01 ipsec[1367]: 15[IKE] 0: D6 50 6B F7 85 FD B6 F3 B1 F8 20 48 71 AD 06 01 .Pk... Hq...
>> May 26 16:05:19 vpn01 ipsec[1367]: 15[IKE] 16: D9 85 12 64 01 F4 ...d..
>> May 26 16:05:19 vpn01 ipsec[1367]: 15[IKE] natd_hash => 32 bytes @ 0x7ff91000c150
>> May 26 16:05:19 vpn01 ipsec[1367]: 15[IKE] 0: D1 DB AE ED 2E B2 94 77 32 7E 51 CE 9B 0A 49 D5 ...w2~Q...I.
>> May 26 16:05:19 vpn01 ipsec[1367]: 15[IKE] 16: 11 8F CC 18 33 70 47 FE D0 04 3B 8E EA DF 9E 3D 3pG...;=
>> May 26 16:05:19 vpn01 ipsec[1367]: 15[IKE] natd_chunk => 22 bytes @ 0x7ff92cef4ac0
>> May 26 16:05:19 vpn01 ipsec[1367]: 15[IKE] 0: D6 50 6B F7 85 FD B6 F3 B1 F8 20 48 71 AD 06 01 .Pk... Hq...
>> May 26 16:05:19 vpn01 ipsec[1367]: 15[IKE] 16: 5F 6E 80 BA 01 F4 _n
>> May 26 16:05:19 vpn01 ipsec[1367]: 15[IKE] natd_hash => 32 bytes @ 0x7ff91000c150
>> May 26 16:05:19 vpn01 ipsec[1367]: 15[IKE] 0: 27 C0 28 F3 4D E2 DD 93 03 04 E6 98 8A 20 02 3B '.(.M .;
>> May 26 16:05:19 vpn01 ipsec[1367]: 15[IKE] 16: BA AC FF 7F C6 23 EC 1E 9F 77 1A 9E D7 DD EB 11 .#...w..
>> May 26 16:05:19 vpn01 ipse
[strongSwan] Unable to find PSK for tunnel: no peer config found
vpn01 charon: 13[CFG] peer config match local: 1 (ID_ANY)
May 26 16:05:19 vpn01 charon: 13[CFG] peer config match remote: 0 (ID_FQDN -> 53:74:65:6c:6c:65)
May 26 16:05:19 vpn01 charon: 13[CFG] ike config match: 2076 (95.1.8.6 2.3.8.1 IKEv1)
May 26 16:05:19 vpn01 charon: 13[IKE] no peer config found
May 26 16:05:19 vpn01 charon: 13[IKE] queueing INFORMATIONAL task
May 26 16:05:19 vpn01 charon: 13[IKE] activating new tasks
May 26 16:05:19 vpn01 charon: 13[IKE] activating INFORMATIONAL task
May 26 16:05:19 vpn01 charon: 13[IKE] Hash => 32 bytes @ 0x7ff910017940
May 26 16:05:19 vpn01 charon: 13[IKE] 0: D0 BD F8 53 09 8C 69 43 BF 35 35 59 D3 72 08 B7 ...S..iC.55Y.r..
May 26 16:05:19 vpn01 charon: 13[IKE] 16: BF 25 1F 4A 79 65 78 55 F5 07 30 F5 E4 8F 7A 7D .%.JyexU..0...z}
May 26 16:05:19 vpn01 charon: 13[ENC] generating INFORMATIONAL_V1 request 3029794389 [ HASH N(AUTH_FAILED) ]
May 26 16:05:19 vpn01 charon: 13[NET] sending packet: from 95.1.8.6[4500] to 2.3.8.1[4500] (108 bytes)
May 26 16:05:19 vpn01 charon: 13[MGR] checkin and destroy IKE_SA (unnamed)[102]
May 26 16:05:19 vpn01 charon: 13[IKE] IKE_SA (unnamed)[102] state change: CONNECTING => DESTROYING
May 26 16:05:19 vpn01 charon: 13[MGR] checkin and destroy of IKE_SA successful
May 26 16:05:19 vpn01 charon: 04[NET] sending packet: from 95.1.8.6[4500] to 2.3.8.1[4500]
May 26 16:05:22 vpn01 charon: 03[NET] received packet => 112 bytes @ 0x7ff9326fd440
May 26 16:05:22 vpn01 charon: 03[NET] 0: 00 00 00 00 D6 50 6B F7 85 FD B6 F3 B1 F8 20 48 .Pk... H
May 26 16:05:22 vpn01 charon: 03[NET] 16: 71 AD 06 01 05 10 02 01 00 00 00 00 00 00 00 6C q..l
May 26 16:05:22 vpn01 charon: 03[NET] 32: DF 47 5C 43 7A CD 60 FF DB 15 51 27 EA 7B 39 1A .G\Cz.`...Q'.{9.
May 26 16:05:22 vpn01 charon: 03[NET] 48: D2 4E D8 56 36 6B 3C B6 4D 48 4A 65 B1 8B 90 B9 .N.V6k<.MHJe
May 26 16:05:22 vpn01 charon: 03[NET] 64: E9 67 7F E3 0F 5B 38 43 41 6B DA 67 FD 2C 69 4F .g...[8CAk.g.,iO
May 26 16:05:22 vpn01 charon: 03[NET] 80: 0D 36 D5 65 67 E5 CE D7 6C D4 44 D3 94 EF 55 CC .6.eg...l.D...U.
May 26 16:05:22 vpn01 charon: 03[NET] 96: 4F 84 82 E2 05 A0 DD E9 9F FB F2 B5 DE 54 E1 77 OT.w
May 26 16:05:22 vpn01 charon: 03[NET] received packet: from 2.3.8.1[4500] to 95.1.8.6[4500]
May 26 16:05:22 vpn01 charon: 03[NET] waiting for data on sockets
May 26 16:05:22 vpn01 charon: 12[MGR] checkout IKEv1 SA by message with SPIs d6506bf785fdb6f3_i b1f8204871ad0601_r
May 26 16:05:22 vpn01 charon: 12[MGR] IKE_SA checkout not successful
May 26 16:05:28 vpn01 charon: 03[NET] received packet => 112 bytes @ 0x7ff9326fd440
May 26 16:05:28 vpn01 charon: 03[NET] 0: 00 00 00 00 D6 50 6B F7 85 FD B6 F3 B1 F8 20 48 .Pk... H
May 26 16:05:28 vpn01 charon: 03[NET] 16: 71 AD 06 01 05 10 02 01 00 00 00 00 00 00 00 6C q..l
May 26 16:05:28 vpn01 charon: 03[NET] 32: DF 47 5C 43 7A CD 60 FF DB 15 51 27 EA 7B 39 1A .G\Cz.`...Q'.{9.
May 26 16:05:28 vpn01 charon: 03[NET] 48: D2 4E D8 56 36 6B 3C B6 4D 48 4A 65 B1 8B 90 B9 .N.V6k<.MHJe
May 26 16:05:28 vpn01 charon: 03[NET] 64: E9 67 7F E3 0F 5B 38 43 41 6B DA 67 FD 2C 69 4F .g...[8CAk.g.,iO
May 26 16:05:28 vpn01 charon: 03[NET] 80: 0D 36 D5 65 67 E5 CE D7 6C D4 44 D3 94 EF 55 CC .6.eg...l.D...U.
May 26 16:05:28 vpn01 charon: 03[NET] 96: 4F 84 82 E2 05 A0 DD E9 9F FB F2 B5 DE 54 E1 77 OT.w
May 26 16:05:28 vpn01 charon: 03[NET] received packet: from 2.3.8.1[4500] to 95.1.8.6[4500]
May 26 16:05:28 vpn01 charon: 03[NET] waiting for data on sockets
May 26 16:05:28 vpn01 charon: 12[MGR] checkout IKEv1 SA by message with SPIs d6506bf785fdb6f3_i b1f8204871ad0601_r
May 26 16:05:28 vpn01 charon: 12[MGR] IKE_SA checkout not successful

thanks

--
Lorenzo Milesi - lorenzo.mil...@yetopen.com
[strongSwan] Unable to establish connection with Fortigate device
ike 0:to VpnTunnelName:384: out C10B9BE64DC0D904589D6282B4F462C905100201006C0A9523A71AA4D181655F68680E687AAE143646431BCF52A9AAE986F371BD20D0165F406F6525CE7BD4E99E87756AE721C2EA71E8B0D76B6DDAA3BAE63545FE806E4DABC6DBF23D09165665B8EBA17F4B
ike 0:to VpnTunnelName:384: sent IKE msg (ident_i3send): 192.168.1.2:4500->95.x.x.x:4500, len=108, id=c10b9be64dc0d904/589d6282b4f462c9
ike 0: comes 95.x.x.x:4500->192.168.1.2:4500,ifindex=4
ike 0: IKEv1 exchange=Informational id=c10b9be64dc0d904/589d6282b4f462c9:3401b0f7 len=108
ike 0: in C10B9BE64DC0D904589D6282B4F462C9081005013401B0F7006CCBD929F01609C09C15FB168C6027327324BD1D6560143B39C69FF01070831099C7520EDB88EBF51AC8CF9AFF5A8649CECE18DADC661F7EB7698D90A5ECEC8DB81EC258089F8E48EEBB2313BE63C33FF5

I'm fairly new to strongswan so I might have missed something in the server configuration. Any hint is welcome.
Thanks

[1] https://wiki.strongswan.org/projects/strongswan/wiki/Fortinet

--
Lorenzo Milesi - lorenzo.mil...@yetopen.com
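Added example, my own code and not from either post: it rebuilds the packet from charon's hex dump in the "no peer config found" post above (the 112-byte packet at 16:05:22), decodes the ISAKMP header (UDP/4500 non-ESP marker, SPIs, exchange type, encryption flag, length) and checks it against the SPIs and lengths the logs report for the same packet. Run on the Fortigate "in" hex from this post, the same check reports a header length that does not match len=108, which is what a transcription that lost zero bytes looks like. The log text is embedded as constructed input copied from the posts.

```python
import re
import struct

# ISAKMP fixed header (RFC 2408 section 3.1): 28 bytes, network byte order.
HEADER = struct.Struct("!8s8sBBBBII")
EXCHANGE_TYPES = {2: "Identity Protection", 4: "Aggressive", 5: "Informational", 32: "Quick"}
PAYLOAD_TYPES = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 11: "N", 20: "NAT-D"}
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # UDP/4500 prefix that tells IKE apart from ESP

# charon's dump of the packet from the 'no peer config found' post (copied as logged).
CHARON_DUMP = r"""
May 26 16:05:22 vpn01 charon: 03[NET] received packet => 112 bytes @ 0x7ff9326fd440
May 26 16:05:22 vpn01 charon: 03[NET] 0: 00 00 00 00 D6 50 6B F7 85 FD B6 F3 B1 F8 20 48 .Pk... H
May 26 16:05:22 vpn01 charon: 03[NET] 16: 71 AD 06 01 05 10 02 01 00 00 00 00 00 00 00 6C q..l
May 26 16:05:22 vpn01 charon: 03[NET] 32: DF 47 5C 43 7A CD 60 FF DB 15 51 27 EA 7B 39 1A .G\Cz.`...Q'.{9.
May 26 16:05:22 vpn01 charon: 03[NET] 48: D2 4E D8 56 36 6B 3C B6 4D 48 4A 65 B1 8B 90 B9 .N.V6k<.MHJe
May 26 16:05:22 vpn01 charon: 03[NET] 64: E9 67 7F E3 0F 5B 38 43 41 6B DA 67 FD 2C 69 4F .g...[8CAk.g.,iO
May 26 16:05:22 vpn01 charon: 03[NET] 80: 0D 36 D5 65 67 E5 CE D7 6C D4 44 D3 94 EF 55 CC .6.eg...l.D...U.
May 26 16:05:22 vpn01 charon: 03[NET] 96: 4F 84 82 E2 05 A0 DD E9 9F FB F2 B5 DE 54 E1 77 OT.w
May 26 16:05:22 vpn01 charon: 12[MGR] checkout IKEv1 SA by message with SPIs d6506bf785fdb6f3_i b1f8204871ad0601_r
"""

# The Fortigate's description of the inbound message and its hex, from this post.
FORTI_LOG = """
ike 0: IKEv1 exchange=Informational id=c10b9be64dc0d904/589d6282b4f462c9:3401b0f7 len=108
ike 0: in C10B9BE64DC0D904589D6282B4F462C9081005013401B0F7006CCBD929F01609C09C15FB168C6027327324BD1D6560143B39C69FF01070831099C7520EDB88EBF51AC8CF9AFF5A8649CECE18DADC661F7EB7698D90A5ECEC8DB81EC258089F8E48EEBB2313BE63C33FF5
"""


def parse_charon_hexdump(log):
    """Rebuild raw bytes from charon's 'offset: xx xx ... <ascii>' dump lines."""
    out = bytearray()
    for m in re.finditer(r"\] (\d+): ((?:[0-9A-F]{2} )+)", log):
        if int(m.group(1)) != len(out):
            raise ValueError(f"dump offset {m.group(1)} does not follow {len(out)} bytes")
        out += bytes.fromhex(m.group(2))
    return bytes(out)


def parse_forti_hex(log):
    """Raw bytes from a Fortigate 'ike 0: in <hex>' line."""
    return bytes.fromhex(re.search(r"ike 0: in ([0-9A-F]+)", log).group(1))


def parse_isakmp_header(raw):
    """Decode the fixed header; strips the UDP/4500 non-ESP marker if present."""
    if raw.startswith(NON_ESP_MARKER):
        raw = raw[len(NON_ESP_MARKER):]
    if len(raw) < HEADER.size:
        raise ValueError(f"need {HEADER.size} header bytes, got {len(raw)}")
    ispi, rspi, np_, ver, exch, flags, msgid, length = HEADER.unpack_from(raw)
    return {
        "ispi": ispi.hex(), "rspi": rspi.hex(),
        "next_payload": PAYLOAD_TYPES.get(np_, str(np_)),
        "version": f"{ver >> 4}.{ver & 0xF}",
        "exchange": EXCHANGE_TYPES.get(exch, str(exch)),
        "encrypted": bool(flags & 0x01),
        "msgid": f"{msgid:08x}", "length": length, "wire_length": len(raw),
    }


def cross_check(raw, log):
    """Compare the decoded header with what the log says about the same packet:
    strongSwan's 'SPIs <i>_i <r>_r' line or the Fortigate's 'id=<i>/<r>:<msgid> len=<n>'.
    Returns the list of discrepancies (empty when header and log agree)."""
    hdr = parse_isakmp_header(raw)
    expected = {}
    m = re.search(r"SPIs ([0-9a-f]{16})_i ([0-9a-f]{16})_r", log)
    if m:
        expected.update(ispi=m.group(1), rspi=m.group(2))
    m = re.search(r"exchange=(\w+) id=([0-9a-f]{16})/([0-9a-f]{16}):([0-9a-f]{8}) len=(\d+)", log)
    if m:
        expected.update(exchange=m.group(1), ispi=m.group(2), rspi=m.group(3),
                        msgid=m.group(4), length=int(m.group(5)))
    problems = [f"{k}: header {hdr[k]!r}, log {v!r}" for k, v in expected.items() if hdr[k] != v]
    if hdr["length"] != hdr["wire_length"]:
        problems.append(f"length: header {hdr['length']}, {hdr['wire_length']} bytes on the wire")
    return problems
```

For the charon packet the header decodes as an encrypted Identity Protection (main mode) message whose SPIs are exactly the ones charon then fails to check out, i.e. the Fortigate retransmitting message 3 of an exchange strongSwan had already torn down after AUTH_FAILED.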