Hi. 
I'm (still) trying to configure a tunnel between a StrongSwan 5.6.2 (Ubuntu 
18.04) host and a Fortigate device. I finally came up with a working 
configuration, but now I'm unable to have strongswan authenticate, I get the 
infamous 
May 26 16:05:19 vpn01 charon: 13[IKE] no peer config found 
I tried different formats of selectors but they all fail. I checked the config 
several times but I cannot find what's wrong. 

My ipsec.secrets: 
95.1.8.6 %any : PSK "abcde" 
95.1.8.6 2.3.8.1 : PSK "abcde" 
95.1.8.6 : PSK "abcde" 
Stelle : PSK "abcde" 


My ipsec.conf: 
conn sts-base
    keyexchange=ikev1
    fragmentation=yes
    dpdaction=restart
    ike=aes256-sha256-modp3072
    esp=aes256-sha256
    keyingtries=%forever
    leftsubnet=172.32.1.0/24
    lifetime=86400
    leftauth=psk
    rightauth=psk
    righid=Stelle
    auto=start
    right=2.3.8.1

conn site-3-1
    also=sts-base
    leftsubnet=172.32.1.0/24
    rightsubnet=192.168.8.0/24

conn site-3-2
    also=sts-base
    leftsubnet=172.32.1.0/24
    rightsubnet=192.168.9.0/24


Log: 
May 26 16:05:19 vpn01 ipsec[1367]: 15[IKE] remote host is behind NAT 
May 26 16:05:19 vpn01 ipsec[1367]: 15[CFG] peer config match local: 1 (ID_ANY) 
May 26 16:05:19 vpn01 ipsec[1367]: 15[CFG] peer config match remote: 1 (ID_ANY) 
May 26 16:05:19 vpn01 ipsec[1367]: 15[CFG] ike config match: 2076 (95.1.8.6 2.3.8.1 IKEv1)
May 26 16:05:19 vpn01 ipsec[1367]: 15[CFG] candidate "sts-base", match: 1/1/2076 (me/other/ike)
May 26 16:05:19 vpn01 ipsec[1367]: 15[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
May 26 16:05:19 vpn01 ipsec[1367]: 15[NET] sending packet: from 95.1.8.6[500] to 2.3.8.1[500] (524 bytes)
May 26 16:05:19 vpn01 ipsec[1367]: 04[NET] sending packet: from 95.1.8.6[500] to 2.3.8.1[500]
May 26 16:05:19 vpn01 ipsec[1367]: 15[MGR] checkin IKE_SA (unnamed)[102] 
May 26 16:05:19 vpn01 ipsec[1367]: 15[MGR] checkin of IKE_SA successful 
May 26 16:05:19 vpn01 charon: 03[NET] received packet: from 2.3.8.1[4500] to 95.1.8.6[4500]
May 26 16:05:19 vpn01 charon: 03[NET] waiting for data on sockets
May 26 16:05:19 vpn01 charon: 13[MGR] checkout IKEv1 SA by message with SPIs d6506bf785fdb6f3_i b1f8204871ad0601_r
May 26 16:05:19 vpn01 charon: 13[MGR] IKE_SA (unnamed)[102] successfully checked out
May 26 16:05:19 vpn01 charon: 13[NET] received packet: from 2.3.8.1[4500] to 95.1.8.6[4500] (108 bytes)
May 26 16:05:19 vpn01 charon: 13[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
May 26 16:05:19 vpn01 charon: 13[CFG] looking for pre-shared key peer configs matching 95.1.8.6...2.3.8.1[Stelle]
May 26 16:05:19 vpn01 charon: 13[CFG] peer config match local: 1 (ID_ANY)
May 26 16:05:19 vpn01 charon: 13[CFG] peer config match remote: 0 (ID_FQDN -> 53:74:65:6c:6c:65)
May 26 16:05:19 vpn01 charon: 13[CFG] ike config match: 2076 (95.1.8.6 2.3.8.1 IKEv1)
May 26 16:05:19 vpn01 charon: 13[IKE] no peer config found
May 26 16:05:19 vpn01 charon: 13[IKE] queueing INFORMATIONAL task
May 26 16:05:19 vpn01 charon: 13[IKE] activating new tasks
May 26 16:05:19 vpn01 charon: 13[IKE] activating INFORMATIONAL task
May 26 16:05:19 vpn01 charon: 13[IKE] Hash => 32 bytes @ 0x7ff910017940
May 26 16:05:19 vpn01 charon: 13[IKE] 0: D0 BD F8 53 09 8C 69 43 BF 35 35 59 D3 72 08 B7 ...S..iC.55Y.r..
May 26 16:05:19 vpn01 charon: 13[IKE] 16: BF 25 1F 4A 79 65 78 55 F5 07 30 F5 E4 8F 7A 7D .%.JyexU..0...z}
May 26 16:05:19 vpn01 charon: 13[ENC] generating INFORMATIONAL_V1 request 3029794389 [ HASH N(AUTH_FAILED) ]
May 26 16:05:19 vpn01 charon: 13[NET] sending packet: from 95.1.8.6[4500] to 2.3.8.1[4500] (108 bytes)
May 26 16:05:19 vpn01 charon: 13[MGR] checkin and destroy IKE_SA (unnamed)[102]
May 26 16:05:19 vpn01 charon: 13[IKE] IKE_SA (unnamed)[102] state change: CONNECTING => DESTROYING
May 26 16:05:19 vpn01 charon: 13[MGR] checkin and destroy of IKE_SA successful
May 26 16:05:19 vpn01 charon: 04[NET] sending packet: from 95.1.8.6[4500] to 2.3.8.1[4500]
May 26 16:05:22 vpn01 charon: 03[NET] received packet: from 2.3.8.1[4500] to 95.1.8.6[4500]
May 26 16:05:22 vpn01 charon: 03[NET] waiting for data on sockets
May 26 16:05:22 vpn01 charon: 12[MGR] checkout IKEv1 SA by message with SPIs d6506bf785fdb6f3_i b1f8204871ad0601_r
May 26 16:05:22 vpn01 charon: 12[MGR] IKE_SA checkout not successful
May 26 16:05:28 vpn01 charon: 03[NET] received packet: from 2.3.8.1[4500] to 95.1.8.6[4500]
May 26 16:05:28 vpn01 charon: 03[NET] waiting for data on sockets
May 26 16:05:28 vpn01 charon: 12[MGR] checkout IKEv1 SA by message with SPIs d6506bf785fdb6f3_i b1f8204871ad0601_r
May 26 16:05:28 vpn01 charon: 12[MGR] IKE_SA checkout not successful


thanks 
-- 
Lorenzo Milesi - lorenzo.mil...@yetopen.com 
CTO @ YetOpen Srl 



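An added example, not part of the original post: a small Python check that decodes the peer ID from the "peer config match remote" log line and compares it with the identity each conn in ipsec.conf would expect, also listing keywords it does not recognise. The function names, the short keyword list and the assumption that an unset rightid falls back to the value of right belong to this example; the sample input is excerpted from the post above.

```python
import re

# Keywords used on this page plus left/leftid/rightid; not the full ipsec.conf set.
KNOWN = {"keyexchange", "fragmentation", "dpdaction", "ike", "esp", "keyingtries",
         "lifetime", "auto", "also", "left", "right", "leftid", "rightid",
         "leftsubnet", "rightsubnet", "leftauth", "rightauth"}

def parse_conns(text):
    """Return ({conn: {key: value}}, [(conn, unknown_key)]) for ipsec.conf text."""
    conns, unknown, name = {}, [], None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("conn "):
            name = line.split()[1]
            conns[name] = {}
        elif "=" in line and name:
            key, val = (s.strip() for s in line.split("=", 1))
            conns[name][key] = val
            if key not in KNOWN:
                unknown.append((name, key))
    return conns, unknown

def effective(conns, name, key):
    """Resolve key through also= inheritance; None if unset anywhere."""
    conn = conns.get(name, {})
    if key in conn or "also" not in conn:
        return conn.get(key)
    return effective(conns, conn["also"], key)

def received_ids(log):
    """Decode IDs from 'peer config match remote: N (TYPE -> hex)' lines."""
    pat = re.compile(r"match remote: (\d+) \((\w+) -> ((?:[0-9a-f]{2}:?)+)\)")
    return [(int(n), t, bytes.fromhex(h.replace(":", "")).decode("ascii", "replace"))
            for n, t, h in pat.findall(log)]

def diagnose(conf, log):
    """List unknown keywords and conns whose expected peer ID differs from the log."""
    conns, unknown = parse_conns(conf)
    out = [f"unknown keyword '{k}' in conn {c}" for c, k in unknown]
    for score, id_type, peer_id in received_ids(log):
        for name in conns:
            # Assumption: an unset rightid defaults to the value of right.
            rid = effective(conns, name, "rightid") or effective(conns, name, "right")
            if score == 0 and rid != peer_id:
                out.append(f"{name}: expects '{rid}', peer sent {id_type} '{peer_id}'")
    return out

# Sample input excerpted from the post above (shortened).
CONF = "conn sts-base\n right=2.3.8.1\n righid=Stelle\nconn site-3-1\n also=sts-base\n"
LOG = "13[CFG] peer config match remote: 0 (ID_FQDN -> 53:74:65:6c:6c:65)"
```

Calling diagnose(CONF, LOG) returns one finding per problem; wrapped log lines must be joined first, because the pattern matches within a single line.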