Hello Lorenzo,

if you define DH group 15 (modp3072) only but the peer's proposals are for MODP1536 and MODP2048, then the negotiation has to fail with
ike Negotiate ISAKMP SA Error: ike 0:fc70f37fa6c9ee8d/0000000000000000:383: no SA proposal chosen
Best regards
Andreas

On 01.03.2021 08:03, Lorenzo Milesi wrote:
Hi. I'm trying to set up an IPsec connection between a strongSwan server and a Fortigate device. Auth uses PSK, so according to [1] I've chosen IKEv1. The Fortigate is behind an ADSL modem. In Fortinet I've set P1 to enc AES256 auth SHA256, DH 15, key lifetime 86400.

This is ipsec.conf:

config setup
    charondebug="ike 3, knl 3, cfg 3, net 3, esp 3, dmn 3, mgr 3"
    uniqueids=yes
    strictcrlpolicy=no

conn sts-base
    fragmentation=yes
    dpdaction=restart
    ike=aes256-sha256-modp3072
    esp=aes256-sha256
    keyingtries=%forever
    leftsubnet=172.16.12.0/24
    lifetime=86400

conn site-3-legacy-base
    keyexchange=ikev1
    rightid=L***
    also=sts-base
    ike=aes256-sha256-modp3072
    esp=aes256-sha256
    rightsubnet=192.168.4.0/24,192.168.5.0/24
    right=95.x.x.x
    leftauth=psk
    auto=start

This is the debug log on Fortinet, which seems to be the problematic side (it doesn't like the other party's offers):

ike 0:to VpnTunnelName:378: out 8AD3789557DB282D9AA1D56EDDD9184605100201000000000000006C6EFC8335B133C6267388C1A0BEB63B6A2CC4E120DE7627C9166D99AFF9EAE094E5368631BB2626D86B31FFED37F29DB6CC4E5D6B2E8B9A6FA79DF8FC03531CB7EB476EC1CE6240D586943E6A675E4695
ike 0:to VpnTunnelName:378: sent IKE msg (P1_RETRANSMIT): 192.168.1.2:4500->95.x.x.x:4500, len=108, id=8ad3789557db282d/9aa1d56eddd91846
ike 0: comes 62.11.245.232:500->192.168.1.2:500,ifindex=4....
ike 0: IKEv1 exchange=Identity Protection id=fc70f37fa6c9ee8d/0000000000000000 len=452
ike 0: in ...
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: responder: main mode get 1st message...
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: VID FORTIGATE 8299031757A36082C6A621DE00000000
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: incoming proposal:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: proposal id = 0:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: protocol id = ISAKMP:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: trans_id = KEY_IKE.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: encapsulation = IKE/none
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=OAKLEY_GROUP, val=MODP2048.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: ISAKMP SA lifetime=86400
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: proposal id = 0:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: protocol id = ISAKMP:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: trans_id = KEY_IKE.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: encapsulation = IKE/none
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=OAKLEY_GROUP, val=MODP1536.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: ISAKMP SA lifetime=86400
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: proposal id = 0:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: protocol id = ISAKMP:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: trans_id = KEY_IKE.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: encapsulation = IKE/none
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=OAKLEY_GROUP, val=MODP2048.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: ISAKMP SA lifetime=86400
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: proposal id = 0:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: protocol id = ISAKMP:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: trans_id = KEY_IKE.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: encapsulation = IKE/none
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=OAKLEY_GROUP, val=MODP1536.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: ISAKMP SA lifetime=86400
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: proposal id = 0:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: protocol id = ISAKMP:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: trans_id = KEY_IKE.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: encapsulation = IKE/none
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=OAKLEY_GROUP, val=MODP2048.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: ISAKMP SA lifetime=86400
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: proposal id = 0:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: protocol id = ISAKMP:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: trans_id = KEY_IKE.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: encapsulation = IKE/none
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=OAKLEY_GROUP, val=MODP1536.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: ISAKMP SA lifetime=86400
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: proposal id = 0:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: protocol id = ISAKMP:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: trans_id = KEY_IKE.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: encapsulation = IKE/none
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=OAKLEY_GROUP, val=MODP2048.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: ISAKMP SA lifetime=86400
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: proposal id = 0:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: protocol id = ISAKMP:
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: trans_id = KEY_IKE.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: encapsulation = IKE/none
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: type=OAKLEY_GROUP, val=MODP1536.
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: ISAKMP SA lifetime=86400
ike 0:fc70f37fa6c9ee8d/0000000000000000:383: negotiation failure
ike Negotiate ISAKMP SA Error: ike 0:fc70f37fa6c9ee8d/0000000000000000:383: no SA proposal chosen
ike 0:to VpnTunnelName:378: negotiation timeout, deleting
ike 0:to VpnTunnelName: connection expiring due to phase1 down
ike 0:to VpnTunnelName: deleting
ike 0:to VpnTunnelName: deleted
ike 0:to VpnTunnelName: schedule auto-negotiate
ike 0:to VpnTunnelName: auto-negotiate connection
ike 0:to VpnTunnelName: created connection: 0x424aff8 4 192.168.1.2->95.x.x.x:500.
ike 0:to VpnTunnelName:384: initiator: main mode is sending 1st message...
ike 0:to VpnTunnelName:384: cookie c10b9be64dc0d904/0000000000000000
ike 0:to VpnTunnelName:384: out C10B9BE64DC0D90400000000000000000110020000000000000001240D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E010080030001800200048004000F0D0000144A131C81070358455C5728F20E95452F0D0000147D9419A65310CA6F2C179D9215529D560D000014CD60464335DF21F87CFDB2FC68B6A4480D00001490CB80913EBB696E086381B5EC427B1F0D00001416F6CA16E4A4066D83821A0F0AEAA8620D0000144485152D18B6BBCD0BE8A8469579DDCC0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:to VpnTunnelName:384: sent IKE msg (ident_i1send): 192.168.1.2:500->95.x.x.x:500, len=292, id=c10b9be64dc0d904/0000000000000000
ike 0: comes 95.x.x.x:500->192.168.1.2:500,ifindex=4....
ike 0: IKEv1 exchange=Identity Protection id=c10b9be64dc0d904/589d6282b4f462c9 len=164
ike 0: in C10B9BE64DC0D904589D6282B4F462C90110020000000000000000A40D00003C00000001000000010000003001010001000000280101000080010007800E0100800200048004000F80030001800B0001000C0004000151800D00000C09002689DFD6B7120D000014AFCAD71368A1F1C96B8696FC775701000D0000184048B7D56EBCE88525E7DE7F00D6C2D380000000000000144A131C81070358455C5728F20E95452F
ike 0:to VpnTunnelName:384: initiator: main mode get 1st response...
ike 0:to VpnTunnelName:384: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712
ike 0:to VpnTunnelName:384: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:to VpnTunnelName:384: DPD negotiated
ike 0:to VpnTunnelName:384: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D380000000
ike 0:to VpnTunnelName:384: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:to VpnTunnelName:384: selected NAT-T version: RFC 3947
ike 0:to VpnTunnelName:384: negotiation result
ike 0:to VpnTunnelName:384: proposal id = 1:
ike 0:to VpnTunnelName:384: protocol id = ISAKMP:
ike 0:to VpnTunnelName:384: trans_id = KEY_IKE.
ike 0:to VpnTunnelName:384: encapsulation = IKE/none
ike 0:to VpnTunnelName:384: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:to VpnTunnelName:384: type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:to VpnTunnelName:384: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:to VpnTunnelName:384: type=OAKLEY_GROUP, val=MODP3072.
ike 0:to VpnTunnelName:384: ISAKMP SA lifetime=86400
ike 0:to VpnTunnelName:384: out ...
ike 0:to VpnTunnelName:384: sent IKE msg (ident_i2send): 192.168.1.2:500->95.x.x.x:500, len=508, id=c10b9be64dc0d904/589d6282b4f462c9
ike 0: comes 95.x.x.x:500->192.168.1.2:500,ifindex=4....
ike 0: IKEv1 exchange=Identity Protection id=c10b9be64dc0d904/589d6282b4f462c9 len=524
ike 0: in ...
ike 0:to VpnTunnelName:384: initiator: main mode get 2nd response...
ike 0:to VpnTunnelName:384: received NAT-D payload type 20
ike 0:to VpnTunnelName:384: received NAT-D payload type 20
ike 0:to VpnTunnelName:384: NAT detected: ME
ike 0:to VpnTunnelName:384: NAT-T float port 4500
ike 0:to VpnTunnelName:384: ISAKMP SA c10b9be64dc0d904/589d6282b4f462c9 key 32:A14C8EA6DCB45DD9A940941BDB0342AFB8D00E8153BC9EEABB117532FE53E6D0
ike 0:to VpnTunnelName:384: add INITIAL-CONTACT
ike 0:to VpnTunnelName:384: enc C10B9BE64DC0D904589D6282B4F462C905100201000000000000006B0800000F020000004C6F63616E64610B0000240E2C5E431EDC18A1A71432A2D63F3A735CF38FF3B15088600EA1C4DFA8DBAE540000001C0000000101106002C10B9BE64DC0D904589D6282B4F462C9
ike 0:to VpnTunnelName:384: out C10B9BE64DC0D904589D6282B4F462C905100201000000000000006C0A9523A71AA4D181655F68680E687AAE143646431BCF52A9AAE986F371BD20D0165F406F6525CE7BD4E99E87756AE721C2EA71E8B0D76B6DDAA3BAE63545FE806E4DABC6DBF23D09165665B8EBA17F4B
ike 0:to VpnTunnelName:384: sent IKE msg (ident_i3send): 192.168.1.2:4500->95.x.x.x:4500, len=108, id=c10b9be64dc0d904/589d6282b4f462c9
ike 0: comes 95.x.x.x:4500->192.168.1.2:4500,ifindex=4....
ike 0: IKEv1 exchange=Informational id=c10b9be64dc0d904/589d6282b4f462c9:3401b0f7 len=108
ike 0: in C10B9BE64DC0D904589D6282B4F462C9081005013401B0F70000006CCBD929F01609C09C15FB168C6027327324BD1D6560143B39C69FF01070831099C7520EDB88EBF51AC8CF9AFF5A8649CECE18DADC661F7EB7698D90A5ECEC8DB81EC258089F8E48EEBB2313BE63C33FF5

I'm fairly new to strongSwan so I might have missed something in the server configuration. Any hint is welcome.
Thanks

[1] https://wiki.strongswan.org/projects/strongswan/wiki/Fortinet
--
======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Networked Solutions
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[INS-HSR]==
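The mismatch Andreas describes can be checked mechanically instead of by reading eight transform blocks by eye. The Python below is an added example for this thread, not code from the thread, from strongSwan or from Fortinet: it parses the ike= value from ipsec.conf and the "incoming proposal" block of the FortiGate ike debug, applies the responder's rule (the first peer transform that equals one of the local proposals is chosen, otherwise the result is "no SA proposal chosen"), and reports, per rejected transform, which attribute no local proposal offers. The FortiOS value names (AES_CBC, SHA, SHA2_256, MODPnnnn) and the log line layout are taken from the debug output above; the keyword mapping tables, the function names and the embedded sample log are this example's own constructions, and the sample re-emits the eight transforms logged in the 383 exchange rather than being a captured file.

```python
import re
from dataclasses import dataclass

# strongSwan ike= keywords mapped to the names FortiOS prints in
# "diagnose debug application ike" output (assumed mapping, covering only
# the values that occur in the thread; other keywords raise KeyError).
SS_ENC = {"aes128": ("AES_CBC", 128), "aes192": ("AES_CBC", 192), "aes256": ("AES_CBC", 256)}
SS_HASH = {"sha1": "SHA", "sha256": "SHA2_256"}
SS_GROUP = {"modp1536": "MODP1536", "modp2048": "MODP2048", "modp3072": "MODP3072"}


@dataclass(frozen=True)
class Proposal:
    enc: str
    keylen: int
    hash: str
    group: str

    def __str__(self) -> str:
        return f"{self.enc}-{self.keylen}/{self.hash}/{self.group}"


def parse_strongswan_ike(spec: str) -> list:
    """Parse an ipsec.conf ike= value, e.g. 'aes256-sha256-modp3072,aes256-sha256-modp2048'.

    Each comma-separated item is read as one cipher, one hash and one DH group,
    which is what an IKEv1 main-mode transform carries. A trailing '!' (strict
    mode) is accepted and ignored.
    """
    proposals = []
    for item in spec.rstrip("!").split(","):
        enc, hsh, group = item.strip().split("-")
        alg, keylen = SS_ENC[enc]
        proposals.append(Proposal(alg, keylen, SS_HASH[hsh], SS_GROUP[group]))
    return proposals


_ATTR = re.compile(r"type=(\w+), val=(\w+)(?:, key-len=(\d+))?")


def parse_fortigate_proposals(log: str) -> list:
    """Turn the 'incoming proposal' block of a FortiGate ike debug into Proposal objects.

    FortiOS prints every transform under 'proposal id = 0:', so that line is the
    separator; AUTH_METHOD and lifetime lines are skipped.
    """
    proposals, cur = [], {}
    for line in log.splitlines():
        if "proposal id =" in line and cur:
            proposals.append(Proposal(**cur))
            cur = {}
        m = _ATTR.search(line)
        if not m:
            continue
        typ, val, keylen = m.groups()
        if typ == "OAKLEY_ENCRYPT_ALG":
            cur["enc"], cur["keylen"] = val, int(keylen or 0)
        elif typ == "OAKLEY_HASH_ALG":
            cur["hash"] = val
        elif typ == "OAKLEY_GROUP":
            cur["group"] = val
    if cur:
        proposals.append(Proposal(**cur))
    return proposals


def select_proposal(local: list, remote: list):
    """Responder's choice: the first peer transform equal to one of our proposals.

    Returns (chosen, []) on success, or (None, reasons) where each reason names
    the attribute(s) of a rejected peer transform that no local proposal offers.
    """
    reasons = []
    for r in remote:
        if r in local:
            return r, []
        bad = []
        if not any(l.group == r.group for l in local):
            bad.append(f"DH group {r.group} not offered locally")
        if not any(l.enc == r.enc and l.keylen == r.keylen for l in local):
            bad.append(f"cipher {r.enc}-{r.keylen} not offered locally")
        if not any(l.hash == r.hash for l in local):
            bad.append(f"hash {r.hash} not offered locally")
        if not bad:
            bad.append("each attribute is offered, but never in one local proposal")
        reasons.append(f"{r}: rejected ({'; '.join(bad)})")
    return None, reasons


def check(ike_spec: str, fortigate_log: str):
    """Compare a strongSwan ike= line against a FortiGate 'incoming proposal' dump."""
    return select_proposal(parse_strongswan_ike(ike_spec), parse_fortigate_proposals(fortigate_log))


# Constructed sample: the eight transforms logged in the 383 exchange above
# (AES 128/256 x SHA2_256/SHA x MODP2048/MODP1536), re-emitted in FortiOS format.
_PFX = "ike 0:fc70f37fa6c9ee8d/0000000000000000:383: "


def _transform(keylen: int, hsh: str, group: str) -> str:
    return "\n".join(_PFX + s for s in (
        "proposal id = 0:", "protocol id = ISAKMP:", "trans_id = KEY_IKE.",
        "encapsulation = IKE/none",
        f"type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len={keylen}",
        f"type=OAKLEY_HASH_ALG, val={hsh}.",
        "type=AUTH_METHOD, val=PRESHARED_KEY.",
        f"type=OAKLEY_GROUP, val={group}.",
        "ISAKMP SA lifetime=86400"))


SAMPLE_FORTIGATE_LOG = "\n".join(
    _transform(k, h, g)
    for h in ("SHA2_256", "SHA")
    for k in (128, 256)
    for g in ("MODP2048", "MODP1536"))


if __name__ == "__main__":
    for spec in ("aes256-sha256-modp3072", "aes256-sha256-modp3072,aes256-sha256-modp2048"):
        chosen, why = check(spec, SAMPLE_FORTIGATE_LOG)
        print(f"ike={spec}: {'chosen ' + str(chosen) if chosen else 'no SA proposal chosen'}")
        for line in why:
            print("   ", line)
```

Run against ike=aes256-sha256-modp3072, every one of the eight transforms is rejected and the DH group is named in each reason, which is the "no SA proposal chosen" outcome in the log; adding a second proposal with modp2048 makes the third transform (AES-256/SHA2_256/MODP2048) match. Before loosening either side, note that the same log also shows a later Phase 1 (connection 384) in which the FortiGate as initiator does agree on MODP3072 with 95.x.x.x, while the rejected MODP2048/MODP1536 set arrived from 62.11.245.232, so charon's own log should confirm which peer actually sent those proposals.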