On Thu, Jul 8, 2021 at 2:49 PM Paul Wouters <[email protected]> wrote:

> On Thu, 8 Jul 2021, Dan Stromberg wrote:
>
> I saw both your IKEv1 and IKEv2 attempts hitting the server. Note:
>
> Jul 8 15:03:53.259967: "vpn.nohats.ca"[312] x.x.x.x #854: no local proposal matches remote proposals 1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;ENCR=3DES;ENCR=DES(UNUSED);PRF=HMAC_SHA1;PRF=HMAC_MD5;INTEG=HMAC_SHA1_96;INTEG=HMAC_MD5_96;DH=MODP1024;DH=MODP1536;DH=MODP2048
>
> I would drop the DES, 3DES, DH2 and MD5 from your proposals. Still, like
> my server they _should_ send you an error back.

How would I do that with ike-scan? Sorry, I'm a real newb at this. I know some shell and some basic TCP/IP and UDP/IP, but IKE and IPsec are pretty new to me.

> > My IT guy said that the Fortigate server is "in stealth mode", and he
> > seems to be avoiding telling me what that means more specifically. If I had to
> > guess, I'd say maybe he's turned off ICMP, since the server is not ping'able.
>
> Ask the fortigate people for a log from your IP address? It seems likely
> you _are_ hitting their server, so they should have a log entry.

He said he wasn't seeing authentication attempts at all.

> And double check your IKE parameters with them - likely there is a
> mismatch between what you have configured and what they have configured.

What are some example IKE parameters that should be compared? I'm thinking once I have those, I can google up a list?

I'm really wanting this to work, in a big way. Without it, I'll probably have to turn in my Linux Dell for a macOS box, and I just love Linux. :)

Is there any way I can set up a small bounty for it? Seriously, I'm to the point where I'd be willing to pay a bit of money to get it working - and it needs to be documented anyway, given the number of people out there trying to connect to Fortigate IPsec servers from Linux.

Thanks!

--
Dan Stromberg | Senior Software Developer
Mobile +1.949-342-6502
<https://keepersecurity.com/>
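
The proposal string in the log line quoted above lists four transform types (ENCR, PRF, INTEG, DH), and each of them has to overlap between the two ends. The following is an added example, not part of the original thread and not libreswan code: it parses that proposal string and separates out the transforms the reply suggests dropping. The function names are hypothetical, and "DH2" is taken to mean DH group 2, which is MODP1024.

```python
import re

# Sample input: the log line quoted in the thread, proposal string copied verbatim.
LOG_LINE = ('Jul 8 15:03:53.259967: "vpn.nohats.ca"[312] x.x.x.x #854: no local proposal '
            'matches remote proposals 1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;ENCR=3DES;'
            'ENCR=DES(UNUSED);PRF=HMAC_SHA1;PRF=HMAC_MD5;INTEG=HMAC_SHA1_96;'
            'INTEG=HMAC_MD5_96;DH=MODP1024;DH=MODP1536;DH=MODP2048')

# Transforms the reply suggests dropping: DES, 3DES, anything MD5-based,
# and DH2 (assumption stated above: DH group 2 == MODP1024).
DROP = re.compile(r'^(DES|3DES|MODP1024)$|MD5')


def parse_proposal(line):
    """Return (proposal number, protocol, {transform type: [names]}) from a log line."""
    m = re.search(r'remote proposals\s+(\d+):(\w+):(\S+)', line)
    if m is None:
        raise ValueError('no proposal found in line')
    transforms = {}
    for item in m.group(3).split(';'):
        kind, _, name = item.partition('=')
        name = re.sub(r'\(.*?\)$', '', name)  # strip annotations such as "(UNUSED)"
        transforms.setdefault(kind, []).append(name)
    return int(m.group(1)), m.group(2), transforms


def split_weak(transforms):
    """Split each transform type into (kept, dropped) according to DROP."""
    kept, dropped = {}, {}
    for kind, names in transforms.items():
        kept[kind] = [n for n in names if not DROP.search(n)]
        dropped[kind] = [n for n in names if DROP.search(n)]
    return kept, dropped


if __name__ == '__main__':
    number, proto, transforms = parse_proposal(LOG_LINE)
    kept, dropped = split_weak(transforms)
    print(f'proposal {number} ({proto})')
    for kind in transforms:
        print(f'  {kind:5} keep={kept[kind]} drop={dropped[kind]}')
        if not kept[kind]:
            print(f'  warning: nothing left to offer for {kind}')
```

The per-type "keep" lists are what would be compared, type by type, against the settings configured on the other end.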
