On Thu, 8 Jul 2021, Dan Stromberg wrote:
> $ ike-scan --ikev2 vpn.nohats.ca
> Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
> 193.110.157.148 Notify message 14 (NO_PROPOSAL_CHOSEN) HDR=(CKY-R=ac594eee123b34c5, IKEv2)
> Ending ike-scan 1.9.4: 1 hosts scanned in 0.469 seconds (2.13 hosts/sec). 0 returned handshake; 1 returned notify
>
> Does this mean there's no firewall on my system? I don't see any occurrences of
> "firewall" in ps -ef, and iptables --list gives me:
>
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
Yes.
I saw both your IKEv1 and IKEv2 attempts hitting the server. Note:
Jul 8 15:03:53.259967: "vpn.nohats.ca"[312] x.x.x.x #854: no local proposal matches remote proposals
1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;ENCR=3DES;ENCR=DES(UNUSED);PRF=HMAC_SHA1;PRF=HMAC_MD5;INTEG=HMAC_SHA1_96;INTEG=HMAC_MD5_96;DH=MODP1024;DH=MODP1536;DH=MODP2048
I would drop the DES, 3DES, DH2 and MD5 from your proposals. Still, like
my server they _should_ send you an error back.
> I'm not 100% sure how to interpret this. If it's a firewall blocking my
> traffic, I don't think it's on my Debian system, nor do I think it's on my home
> router, but please help me interpret these results. It seems like if there's a
> firewall, it would have to be on my corporate network or the Fortigate
> system itself.
It's not a firewall, unless it is a firewall in front of the machine you
are trying to reach. If that machine has other clients, then it seems it
would not have a firewall there either.
> My IT guy said that the Fortigate server is "in stealth mode", and he seems to
> be avoiding telling me what that means more specifically. If I had to
> guess, I'd say maybe he's turned off ICMP, since the server is not pingable.
Ask the Fortigate people for a log from your IP address? It seems likely
you _are_ hitting their server, so they should have a log entry.
And double check your IKE parameters with them - likely there is a
mismatch between what you have configured and what they have configured.
Paul
_______________________________________________
Swan mailing list
https://lists.libreswan.org/mailman/listinfo/swan
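As an added example (not from the thread, and not code from libreswan or ike-scan), here is a small Python script that does by hand what Paul's two answers do in his head: it reads an ike-scan report to decide what a reply proves about reachability, and it checks a libreswan-style proposal line for the transforms he suggests dropping. The ike-scan output and the proposal line are constructed from the text quoted in the thread; the WEAK table is my assumption about which transforms to remove (DES, 3DES, MD5, and DH group 2, which is MODP1024), and the function names are mine.

```python
import re

# Constructed sample: ike-scan's report from the thread, re-joined onto one line
# per host as ike-scan prints it (the mail client had wrapped the long lines).
IKE_SCAN_OUTPUT = """\
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
193.110.157.148 Notify message 14 (NO_PROPOSAL_CHOSEN) HDR=(CKY-R=ac594eee123b34c5, IKEv2)
Ending ike-scan 1.9.4: 1 hosts scanned in 0.469 seconds (2.13 hosts/sec). 0 returned handshake; 1 returned notify
"""

# Constructed sample: the proposal set the libreswan log showed the client offering.
PROPOSAL_LINE = (
    "1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;ENCR=3DES;ENCR=DES(UNUSED);"
    "PRF=HMAC_SHA1;PRF=HMAC_MD5;INTEG=HMAC_SHA1_96;INTEG=HMAC_MD5_96;"
    "DH=MODP1024;DH=MODP1536;DH=MODP2048"
)

# Assumption: the transforms to drop (DES, 3DES, MD5, DH group 2 = MODP1024),
# keyed by the transform type libreswan prints. MODP768 (group 1) added for completeness.
WEAK = {
    "ENCR": {"DES", "3DES"},
    "PRF": {"HMAC_MD5"},
    "INTEG": {"HMAC_MD5_96"},
    "DH": {"MODP768", "MODP1024"},
}

# One ike-scan result line: "<ip> Notify message <n> (<NAME>) ..." or "<ip> ... Handshake returned ..."
RESULT_RE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(Notify message \d+ \((\w+)\)|.*Handshake returned)"
)


def classify_ike_scan(output):
    """Return, per responding host, what the reply proves.

    Any reply at all (handshake or notify) means the UDP/500 packet reached an
    IKE responder and its answer came back, so nothing on the path dropped it.
    NO_PROPOSAL_CHOSEN additionally means the responder rejected every offered
    transform set: a configuration mismatch, not a filtering problem.
    """
    results = {}
    for line in output.splitlines():
        m = RESULT_RE.match(line)
        if not m:
            continue
        host, notify = m.group(1), m.group(3)
        results[host] = {
            "reachable": True,
            "ike_responder": True,
            "notify": notify,  # None for a completed handshake
            "proposal_mismatch": notify == "NO_PROPOSAL_CHOSEN",
        }
    return results


def parse_proposal(line):
    """Split '1:IKE:ENCR=A;ENCR=B;...' into ordered (type, algorithm) pairs,
    dropping annotations such as '(UNUSED)'."""
    body = line.split(":", 2)[2]
    pairs = []
    for item in body.split(";"):
        kind, alg = item.split("=", 1)
        pairs.append((kind, re.sub(r"\(.*?\)$", "", alg)))
    return pairs


def weak_entries(pairs):
    """The transforms in a parsed proposal that appear in WEAK, in offered order."""
    return [(k, a) for k, a in pairs if a in WEAK.get(k, set())]


def harden(line):
    """Rebuild the proposal line with the WEAK transforms removed."""
    head = ":".join(line.split(":", 2)[:2])
    kept = [f"{k}={a}" for k, a in parse_proposal(line) if a not in WEAK.get(k, set())]
    return f"{head}:{';'.join(kept)}"


if __name__ == "__main__":
    for host, info in classify_ike_scan(IKE_SCAN_OUTPUT).items():
        print(host, info)
    print("weak:", weak_entries(parse_proposal(PROPOSAL_LINE)))
    print("hardened:", harden(PROPOSAL_LINE))
```

Run as-is it reports the thread's host as reachable with a NO_PROPOSAL_CHOSEN notify, lists 3DES, DES, HMAC_MD5, HMAC_MD5_96 and MODP1024 as the weak transforms, and prints the proposal line with those removed. The point of the classifier is the one Paul makes: a notify is a reply built by the IKE daemon, so a reply of any kind rules out a firewall silently dropping the packets, and the specific notify says what to fix next.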