Hi, wishing all forum users, experts and development team a happy and
healthy new year ahead.  I am new to Libreswan and I am trying to
establish a site-to-site VPN between my Centos 8.3 machine running
Libreswan (Linux Libreswan 4.1 (netkey) on 4.18.0-240.1.1.el8_3.x86_64) 
and a Fortigate firewall FGT50E-6.2.6. Initially I did an experiment
between two Centos 8.3 machines with RSA authentication and it worked
perfectly fine.

With a slight modification of IP and authentication method (Pre-Shared
Key), I tried adapting it to the Fortigate firewall. The tunnel gets
established perfectly fine, and I am able to reach machines behind the
Fortigate as well, but since these are testbed machines there's no
traffic flowing between them continuously, and the tunnel gets
disconnected sometime during long hours of inactivity. Every morning I
find the tunnel down, but it's restored with a simple
"systemctl restart ipsec". This mostly stays up the entire day and
the next day it's down again... I am attaching the config on the Linux
machine; if you need the configuration on the Fortigate, I can post it
here, but it's running just the same things I've configured on CentOS.

Documentation followed: almost entirely I've referred to these two documents:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/securing_networks/configuring-a-vpn-with-ipsec_securing-networks
https://libreswan.org/wiki/Host_to_host_VPN_with_PSK

I've changed my public IPs on both ends: CentOS 8 (1.2.3.4) and Fortigate
(6.7.8.9).

# /etc/ipsec.d/EURO-FORT.conf - Europa-Fortigate Centos 8 Libreswan IPsec configuration file
#
conn SUBNETS
        also=EURO-FORT
        leftsubnet=10.10.128.0/20
        leftsourceip=10.10.128.1
        rightsubnet=192.168.2.0/24
        rightsourceip=192.168.2.1
        auto=start
conn EURO-FORT
        type=tunnel
        left=1.2.3.4
        right=6.7.8.9
        authby=secret
        ike=aes256-sha2_512+sha2_256-dh19+dh20+dh21+dh14+dh15+dh16+dh18
        esp=aes256-sha2_512+sha1+sha2_256
        dpddelay=5
        dpdtimeout=120
        dpdaction=restart
        encapsulation=yes


When I restart the tunnel:
Dec 31 14:25:20.528726: "SUBNETS" #1: initiating IKEv2 connection
Dec 31 14:25:20.528737: "SUBNETS": local IKE proposals (IKE SA initiator selecting KE):
Dec 31 14:25:20.528744: "SUBNETS":   1:IKE=AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-ECP_256+ECP_384+ECP_521+MODP2048+MODP3072+MODP4096+MODP8192
Dec 31 14:25:20.530073: "SUBNETS" #1: sent IKE_SA_INIT request
Dec 31 14:25:20.576958: "SUBNETS" #1: Received unauthenticated INVALID_KE_PAYLOAD response to DH DH19; resending with suggested DH DH21
Dec 31 14:25:20.588336: "SUBNETS" #1: sent IKE_SA_INIT request
Dec 31 14:25:20.642167: "SUBNETS": local ESP/AH proposals (IKE SA initiator emitting ESP/AH proposals):
Dec 31 14:25:20.642190: "SUBNETS":   1:ESP=AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA1_96+HMAC_SHA2_256_128-NONE-DISABLED
Dec 31 14:25:20.642237: "SUBNETS" #1: sent IKE_AUTH request {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_512_256 prf=HMAC_SHA2_512 group=DH21}
Dec 31 14:25:20.686561: "SUBNETS" #2: IKEv2 mode peer ID is ID_IPV4_ADDR: '6.7.8.9'
Dec 31 14:25:20.686645: "SUBNETS" #1: authenticated using authby=secret
Dec 31 14:25:20.721758: "SUBNETS" #2: negotiated connection [10.10.128.0-10.10.143.255:0-65535 0] -> [192.168.2.0-192.168.2.255:0-65535 0]
Dec 31 14:25:20.721784: "SUBNETS" #2: IPsec SA established tunnel mode {ESPinUDP=>0x3255ad64 <0x9e0bb288 xfrm=AES_CBC_256-HMAC_SHA2_512_256 NATOA=none NATD=W.X.Y.Z:4500 DPD=active}
Dec 31 14:25:23.288022: "SUBNETS" #3: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_512-HMAC_SHA2_512_256-ECP_521 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;INTEG=HMAC_SHA2_512_256;DH=ECP_521[first-match]
Dec 31 14:25:23.299271: "SUBNETS" #3: sent IKE_SA_INIT reply {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_512_256 prf=HMAC_SHA2_512 group=DH21}
Dec 31 14:25:23.393882: "SUBNETS" #3: processing decrypted IKE_AUTH request: SK{IDi,AUTH,N,SA,TSi,TSr}
Dec 31 14:25:23.393909: "SUBNETS" #3: IKEv2 mode peer ID is ID_IPV4_ADDR: '6.7.8.9'
Dec 31 14:25:23.393962: "SUBNETS" #3: authenticated using authby=secret
Dec 31 14:25:23.394100: "SUBNETS" #4: proposal 1:ESP=AES_CBC_256-HMAC_SHA2_512_256-DISABLED SPI=3255ad63 chosen from remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;ESN=DISABLED[first-match]
Dec 31 14:25:23.394122: "SUBNETS" #3: received unsupported NOTIFY v2N_IKEV2_MESSAGE_ID_SYNC_SUPPORTED
Dec 31 14:25:23.394330: "SUBNETS" #4: negotiated connection [10.10.128.0-10.10.143.255:0-65535 0] -> [192.168.2.0-192.168.2.255:0-65535 0]
Dec 31 14:25:23.394341: "SUBNETS" #4: IPsec SA established tunnel mode {ESPinUDP=>0x3255ad63 <0xc675393a xfrm=AES_CBC_256-HMAC_SHA2_512_256 NATOA=none NATD=6.7.8.9:4500 DPD=active}


---------------------------  When the tunnel is down, extracts from the log --------------------------------------------



Dec 31 06:18:08.110453: "SUBNETS" #10639: initiate rekey of IKEv2 CREATE_CHILD_SA IKE Rekey
Dec 31 06:18:08.121655: "SUBNETS" #10640: sent CREATE_CHILD_SA request to rekey IKE SA
Dec 31 06:18:08.215736: "SUBNETS" #10640: rekeyed #10639 STATE_V2_REKEY_IKE_I1 and expire it remaining life 661.892098s
Dec 31 06:18:08.215815: "SUBNETS" #10640: established IKE SA {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_512_256 prf=HMAC_SHA2_512 group=DH21}
Dec 31 06:18:09.217128: "SUBNETS" #10639: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 2939.225711s and sending notification
Dec 31 06:18:09.257295: packet from 6.7.8.9:4500: INFORMATIONAL message response has no corresponding IKE SA
Dec 31 06:18:15.725447: "SUBNETS" #10640: releasing whack
Dec 31 06:18:25.739231: "SUBNETS" #10640: releasing whack
Dec 31 06:18:35.744486: "SUBNETS" #10640: releasing whack
Dec 31 06:18:45.754257: "SUBNETS" #10640: releasing whack
Dec 31 06:18:55.763131: "SUBNETS" #10640: releasing whack
Dec 31 06:19:05.770556: "SUBNETS" #10640: releasing whack
Dec 31 06:19:15.785723: "SUBNETS" #10640: releasing whack
Dec 31 06:19:25.796765: "SUBNETS" #10640: releasing whack
Dec 31 06:19:31.846499: "SUBNETS" #10641: sent CREATE_CHILD_SA request to rekey IPsec SA
Dec 31 06:19:31.891736: "SUBNETS" #10641: dropping unexpected CREATE_CHILD_SA message containing NO_PROPOSAL_CHOSEN notification; message payloads: SK; encrypted payloads: N; missing payloads: SA,Ni,TSi,TSr
Dec 31 06:19:31.891812: "SUBNETS" #10641: encountered fatal error in state STATE_V2_REKEY_CHILD_I1
Dec 31 06:19:31.891834: "SUBNETS" #10641: deleting state (STATE_V2_REKEY_CHILD_I1) aged 0.056457s and NOT sending notification
Dec 31 06:36:49.858413: "SUBNETS" #10630: deleting state (STATE_V2_ESTABLISHED_CHILD_SA) aged 28800.675723s and sending notification
Dec 31 06:36:49.858476: "SUBNETS" #10630: ESP traffic information: in=0B out=0B
Dec 31 06:36:49.904467: "SUBNETS" #10640: received delete request for IKEv2_SEC_PROTO_ESP SA(0x32559c55) but corresponding state not found
Dec 31 06:36:49.904496: "SUBNETS" #10640: established IKE SA
Dec 31 06:36:49.904548: "SUBNETS" #10642: CHILD SA to rekey #10630 vanished abort this exchange
Dec 31 06:36:49.904603: "SUBNETS" #10642: state transition function for STATE_V2_REKEY_CHILD_I0 had internal error
Dec 31 06:36:49.918252: "SUBNETS" #10643: no local proposal matches remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;ESN=DISABLED
Dec 31 06:36:49.918284: "SUBNETS" #10643: CREATE_CHILD_SA responder matching remote ESP/AH proposals failed, responder SA processing returned STF_FAIL+v2N_NO_PROPOSAL_CHOSEN
Dec 31 06:36:49.918294: "SUBNETS" #10643: responding to CREATE_CHILD_SA message (ID 0) from 6.7.8.9:4500 with encrypted notification NO_PROPOSAL_CHOSEN
Dec 31 06:36:49.918369: "SUBNETS" #10643: state transition 'Respond to CREATE_CHILD_SA IPsec SA Request' failed
Dec 31 06:36:49.918426: "SUBNETS" #10643: deleting state (STATE_V2_NEW_CHILD_R0) aged 0.000174s and NOT sending notification
Dec 31 06:36:54.914232: "SUBNETS" #10644: no local proposal matches remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;ESN=DISABLED
Dec 31 06:36:54.914253: "SUBNETS" #10644: CREATE_CHILD_SA responder matching remote ESP/AH proposals failed, responder SA processing returned STF_FAIL+v2N_NO_PROPOSAL_CHOSEN
Dec 31 06:36:54.914264: "SUBNETS" #10644: responding to CREATE_CHILD_SA message (ID 1) from 6.7.8.9:4500 with encrypted notification NO_PROPOSAL_CHOSEN




Thanks, Best
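A log checker for the CentOS side, added here as an example that is not part of the post above and not Libreswan's own tooling: it reads pluto log lines like the ones quoted in the post and separates the three things that happen in that trace, rekeys the local side rejects (and whether the rejected remote ESP proposal actually falls outside the local esp= line), rekeys the peer rejects, and child SAs that expire having carried no traffic. The esp= name mapping, the regexes and the analyze/summarize helpers are assumptions written for this example; the sample lines are the post's own log lines with the mail wrapping undone, and ESP_CONFIG is the esp= value from the EURO-FORT conn.

```python
import re

# Constructed mapping from Libreswan esp= shorthand to the transform names pluto
# prints in its log. Only names that occur in the post are covered; anything else
# is passed through upper-cased. Assumption for this example, not Libreswan's table.
ENCR_NAMES = {"aes256": "AES_CBC_256", "aes128": "AES_CBC_128"}
INTEG_NAMES = {
    "sha2_512": "HMAC_SHA2_512_256",
    "sha2_256": "HMAC_SHA2_256_128",
    "sha1": "HMAC_SHA1_96",
}

# pluto log line: timestamp, optional "conn" and #state, then the message.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d+): '
    r'(?:"(?P<conn>[^"]+)"(?: #(?P<state>\d+))?: )?'
    r'(?P<msg>.*)$'
)
# One ESP transform pair as it appears inside a "remote proposals" message.
REMOTE_RE = re.compile(r"ENCR=(?P<encr>[A-Z0-9_]+);INTEG=(?P<integ>[A-Z0-9_]+)")


def parse_esp(esp):
    """Expand an esp= value such as 'aes256-sha2_512+sha1+sha2_256' into the
    set of (ENCR, INTEG) pairs the local side will accept."""
    allowed = set()
    for proposal in esp.split(","):
        encr_part, _, integ_part = proposal.partition("-")
        integs = integ_part.split("+") if integ_part else ["<default>"]
        for encr in encr_part.split("+"):
            for integ in integs:
                allowed.add((ENCR_NAMES.get(encr, encr.upper()),
                             INTEG_NAMES.get(integ, integ.upper())))
    return allowed


def analyze(lines, esp_config):
    """Walk pluto log lines and collect the rekey/expiry events that explain
    why a site-to-site tunnel is found down after a quiet night."""
    allowed = parse_esp(esp_config)
    report = {
        "rejected_by_us": [],      # (state, remote pairs, covered by local esp=)
        "rejected_by_peer": [],    # our rekey requests answered with NO_PROPOSAL_CHOSEN
        "idle_child_expired": [],  # child SAs that aged out having carried no traffic
        "orphan_deletes": 0,       # deletes/responses for SAs we no longer track
    }
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        state, msg = m.group("state"), m.group("msg")
        if "no local proposal matches remote proposals" in msg:
            remote = {(r.group("encr"), r.group("integ")) for r in REMOTE_RE.finditer(msg)}
            covered = bool(remote) and remote <= allowed
            report["rejected_by_us"].append((state, remote, covered))
        elif "CREATE_CHILD_SA message containing NO_PROPOSAL_CHOSEN" in msg:
            report["rejected_by_peer"].append(state)
        elif "ESP traffic information: in=0B out=0B" in msg:
            report["idle_child_expired"].append(state)
        elif "corresponding state not found" in msg or "no corresponding IKE SA" in msg:
            report["orphan_deletes"] += 1
    return report


def summarize(report):
    """Render the findings as the lines an alert or cron mail would carry."""
    out = []
    for state, remote, covered in report["rejected_by_us"]:
        verdict = ("IS covered by local esp= (not an algorithm mismatch)" if covered
                   else "is NOT covered by local esp= (fix the proposal)")
        out.append(f"#{state}: we rejected peer rekey; remote {sorted(remote)} {verdict}")
    for state in report["rejected_by_peer"]:
        out.append(f"#{state}: peer rejected our rekey with NO_PROPOSAL_CHOSEN")
    for state in report["idle_child_expired"]:
        out.append(f"#{state}: child SA expired with zero traffic (idle tunnel)")
    if report["orphan_deletes"]:
        out.append(f"{report['orphan_deletes']} delete/response messages for unknown SAs")
    return out


# Lines quoted from the post's own pluto log (mail wrapping undone).
SAMPLE_LOG = """\
Dec 31 06:18:09.257295: packet from 6.7.8.9:4500: INFORMATIONAL message response has no corresponding IKE SA
Dec 31 06:19:31.846499: "SUBNETS" #10641: sent CREATE_CHILD_SA request to rekey IPsec SA
Dec 31 06:19:31.891736: "SUBNETS" #10641: dropping unexpected CREATE_CHILD_SA message containing NO_PROPOSAL_CHOSEN notification; message payloads: SK; encrypted payloads: N; missing payloads: SA,Ni,TSi,TSr
Dec 31 06:36:49.858476: "SUBNETS" #10630: ESP traffic information: in=0B out=0B
Dec 31 06:36:49.904467: "SUBNETS" #10640: received delete request for IKEv2_SEC_PROTO_ESP SA(0x32559c55) but corresponding state not found
Dec 31 06:36:49.918252: "SUBNETS" #10643: no local proposal matches remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;ESN=DISABLED
Dec 31 06:36:54.914232: "SUBNETS" #10644: no local proposal matches remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;ESN=DISABLED
"""
ESP_CONFIG = "aes256-sha2_512+sha1+sha2_256"  # esp= line from the post's EURO-FORT conn

if __name__ == "__main__":
    for line in summarize(analyze(SAMPLE_LOG.splitlines(), ESP_CONFIG)):
        print(line)
```

Run over the lines above, it reports that the proposal rejected with NO_PROPOSAL_CHOSEN (AES_CBC_256 with HMAC_SHA2_512_256) is inside the configured esp= set, which the first successful negotiation in the post already confirmed, so the esp= line itself is not where the mismatch is; what the trace does show is an ESP SA reaching its 28800 s lifetime with in=0B out=0B while the rekey exchanges around it fail in both directions. Fed from journalctl -u ipsec by a periodic job, a check like this turns "found the tunnel down in the morning" into an alert raised at the moment the rekey fails.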




_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
