Issue #3578
ipsec connection to FortiClient VPN
Description
Hi, I’m trying to set up an IPsec connection on an EC2 to a FortiClient VPN. It successfully starts and appears to be up, but there is no traffic going through.
Here's some info about the setup.
ipsec.conf
```
config setup
    charondebug = "dmn 1, mgr 1, ike 2, chd 1, job 1, cfg 3, knl 2, net 2, enc 1, lib 1"

conn vpngb
    keyexchange = ikev1
    ike = aes128-sha1-modp1536,aes256-sha256-modp1536!
    esp = aes128-sha1-modp1536,aes256-sha256-modp1536!
    aggressive = yes
    right = 192.XXX.XXX.XX
    rightauth = psk
    left = %defaultroute
    leftid = myID
    leftauth = psk
    leftauth2 = xauth
    xauth_identity = myuser
    auto = start
```
ipsec start logs
```
11[IKE] XAuth authentication of myuser (myself) successful [70/452]
11[IKE] IKE_SA vpngb8 established between 192.YYY.YYY.YY[myID]...192.XXX.XXX.XX[192.XXX.XXX.XX]
11[IKE] IKE_SA vpngb8 state change: CONNECTING => ESTABLISHED
11[ENC] generating QUICK_MODE request 4001027197 [ HASH SA No KE ID ID ]
11[NET] sending packet: from 192.YYY.YYY.YY[4500] to 192.XXX.XXX.XX[4500] (412 bytes)
04[NET] sending packet: from 192.YYY.YYY.YY[4500] to 192.XXX.XXX.XX[4500]
01[IKE] sending retransmit 1 of request message ID 4001027197, seq 3
01[NET] sending packet: from 192.YYY.YYY.YY[4500] to 192.XXX.XXX.XX[4500] (412 bytes)
04[NET] sending packet: from 192.YYY.YYY.YY[4500] to 192.XXX.XXX.XX[4500]
```
ipsec statusall
```
Connections:
vpngb: %any...192.XXX.XXX.XX IKEv1 Aggressive
vpngb: local: [myID] uses pre-shared key authentication
vpngb: local: [myID] uses XAuth authentication: any with XAuth identity ‘user’
vpngb: remote: [192.XXX.XXX.XX] uses pre-shared key authentication
vpngb: child: dynamic === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
vpngb8: ESTABLISHED 10 seconds ago, 192.168.255.10[myID]...192.XXX.XXX.XX[192.XXX.XXX.XX]
vpngb8: IKEv1 SPIs: 4b2855f8926505d8_i* 86d95856724bc07d_r, pre-shared key+XAuth reauthentication in 2 hours
vpngb8: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
vpngb8: Tasks active: QUICK_MODE
```
I’ve tried routing with `ip ro ad`, but it only causes my start process to not receive packets. Any hints as to what may be happening here are very appreciated.
History
#1 Updated by Jose Morales over 1 year ago
Reposting with correctly formatted info:
Hi, I’m trying to set up an IPsec connection on an EC2 to a FortiClient VPN. It successfully starts and appears to be up, but there is no traffic going through.
Here's some info about the setup.
ipsec.conf
```
config setup
    charondebug = "dmn 1, mgr 1, ike 2, chd 1, job 1, cfg 3, knl 2, net 2, enc 1, lib 1"

conn vpngb
    keyexchange = ikev1
    ike = aes128-sha1-modp1536,aes256-sha256-modp1536!
    esp = aes128-sha1-modp1536,aes256-sha256-modp1536!
    aggressive = yes
    right = 192.XXX.XXX.XX
    rightauth = psk
    left = %defaultroute
    leftid = myID
    leftauth = psk
    leftauth2 = xauth
    xauth_identity = myuser
    auto = start
```
ipsec start logs
```
11[IKE] XAuth authentication of myuser (myself) successful [70/452]
11[IKE] IKE_SA vpngb8 established between 192.YYY.YYY.YY[myID]...192.XXX.XXX.XX[192.XXX.XXX.XX]
11[IKE] IKE_SA vpngb8 state change: CONNECTING => ESTABLISHED
11[ENC] generating QUICK_MODE request 4001027197 [ HASH SA No KE ID ID ]
11[NET] sending packet: from 192.YYY.YYY.YY[4500] to 192.XXX.XXX.XX[4500] (412 bytes)
04[NET] sending packet: from 192.YYY.YYY.YY[4500] to 192.XXX.XXX.XX[4500]
01[IKE] sending retransmit 1 of request message ID 4001027197, seq 3
01[NET] sending packet: from 192.YYY.YYY.YY[4500] to 192.XXX.XXX.XX[4500] (412 bytes)
04[NET] sending packet: from 192.YYY.YYY.YY[4500] to 192.XXX.XXX.XX[4500]
```
ipsec statusall
```
Connections:
       vpngb: %any...192.XXX.XXX.XX IKEv1 Aggressive
       vpngb: local: [myID] uses pre-shared key authentication
       vpngb: local: [myID] uses XAuth authentication: any with XAuth identity ‘user’
       vpngb: remote: [192.XXX.XXX.XX] uses pre-shared key authentication
       vpngb: child: dynamic === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
      vpngb8: ESTABLISHED 10 seconds ago, 192.168.255.10[myID]...192.XXX.XXX.XX[192.XXX.XXX.XX]
      vpngb8: IKEv1 SPIs: 4b2855f8926505d8_i* 86d95856724bc07d_r, pre-shared key+XAuth reauthentication in 2 hours
      vpngb8: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
      vpngb8: Tasks active: QUICK_MODE
```
I’ve tried routing with `ip ro ad`, but it only causes my start process to not receive packets. Any hints as to what may be happening here are very appreciated.
#2 Updated by Tobias Brunner over 1 year ago
- Category set to ikev1
- Status changed from New to Feedback
It's not up, there is no Quick Mode SA. Apparently, the peer does not respond to the QM requests. Check the log there (perhaps it is in an error state). Also, please don't use IKEv1 anymore if possible.
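The distinction Tobias draws ("1 up" in `ipsec statusall` counts IKE_SAs, not tunnels; traffic only flows once a CHILD_SA is INSTALLED) is easy to miss when reading the output by hand. The script below is an added example, not part of this issue or of strongSwan's own tooling: it parses `ipsec statusall` text and charon log lines and flags exactly the condition seen here, an ESTABLISHED IKE_SA with no CHILD_SA, `Tasks active: QUICK_MODE`, and a Quick Mode request being retransmitted without a reply. The sample inputs are constructed, modelled on the output quoted above with RFC 5737 addresses in place of the redacted ones; the "healthy" sample's CHILD_SA lines follow strongSwan's usual statusall layout but are constructed here, and the regexes tolerate both `vpngb[8]` and the bracket-stripped `vpngb8` rendering on this page.

```python
import re

# Constructed sample: what this issue's statusall looks like (IKE_SA up, no CHILD_SA).
STATUSALL_NO_CHILD = """\
Security Associations (1 up, 0 connecting):
       vpngb[8]: ESTABLISHED 10 seconds ago, 192.168.255.10[myID]...192.0.2.1[192.0.2.1]
       vpngb[8]: IKEv1 SPIs: 4b2855f8926505d8_i* 86d95856724bc07d_r, pre-shared key+XAuth reauthentication in 2 hours
       vpngb[8]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
       vpngb[8]: Tasks active: QUICK_MODE
"""

# Constructed sample of a working tunnel: same IKE_SA plus an INSTALLED CHILD_SA.
STATUSALL_OK = """\
Security Associations (1 up, 0 connecting):
       vpngb[8]: ESTABLISHED 30 seconds ago, 192.168.255.10[myID]...192.0.2.1[192.0.2.1]
       vpngb[8]: IKEv1 SPIs: 4b2855f8926505d8_i* 86d95856724bc07d_r, pre-shared key+XAuth reauthentication in 2 hours
       vpngb[8]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
       vpngb{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c1b2a3d4_i e5f6a7b8_o
       vpngb{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 45 minutes
       vpngb{1}:   192.168.255.10/32 === 10.0.0.0/8
"""

# Constructed charon log excerpt, modelled on the lines quoted in the issue.
CHARON_LOG = """\
11[IKE] IKE_SA vpngb[8] state change: CONNECTING => ESTABLISHED
11[ENC] generating QUICK_MODE request 4001027197 [ HASH SA No KE ID ID ]
11[NET] sending packet: from 192.168.255.10[4500] to 192.0.2.1[4500] (412 bytes)
01[IKE] sending retransmit 1 of request message ID 4001027197, seq 3
01[NET] sending packet: from 192.168.255.10[4500] to 192.0.2.1[4500] (412 bytes)
"""

# IKE_SA line: "<conn>[<id>]: ESTABLISHED ..." (brackets optional for stripped output).
IKE_SA_RE = re.compile(r"^\s*(?P<name>\S+?)\[?(?P<id>\d+)\]?:\s+(?P<state>ESTABLISHED|CONNECTING|DELETING)\b")
# Task line: "<conn>[<id>]: Tasks active: QUICK_MODE ..."
TASKS_RE = re.compile(r"^\s*(?P<name>\S+?)\[?(?P<id>\d+)\]?:\s+Tasks active:\s*(?P<tasks>.*)$")
# CHILD_SA line: "<conn>{<id>}:  INSTALLED, TUNNEL, ..."
CHILD_RE = re.compile(r"^\s*(?P<name>\S+?)\{(?P<id>\d+)\}:\s+INSTALLED\b")

QM_REQ_RE = re.compile(r"generating QUICK_MODE request (?P<mid>\d+)")
RETRANSMIT_RE = re.compile(r"sending retransmit (?P<n>\d+) of request message ID (?P<mid>\d+)")


def diagnose_statusall(text):
    """Map each IKE_SA ("conn[id]") in statusall output to a one-line verdict."""
    sas = {}
    for line in text.splitlines():
        m = IKE_SA_RE.match(line)
        if m:
            sas[f"{m['name']}[{m['id']}]"] = {"conn": m["name"], "state": m["state"],
                                                "children": 0, "tasks": []}
            continue
        m = TASKS_RE.match(line)
        if m:
            key = f"{m['name']}[{m['id']}]"
            if key in sas:
                sas[key]["tasks"] = m["tasks"].split()
            continue
        m = CHILD_RE.match(line)
        if m:
            # CHILD_SAs are listed under the connection name; credit every IKE_SA of that conn.
            for sa in sas.values():
                if sa["conn"] == m["name"]:
                    sa["children"] += 1
    verdicts = {}
    for key, sa in sas.items():
        if sa["state"] != "ESTABLISHED":
            verdicts[key] = f"IKE_SA {sa['state']}: phase 1 not complete"
        elif sa["children"] == 0 and "QUICK_MODE" in sa["tasks"]:
            verdicts[key] = ("IKE_SA established but Quick Mode still pending: no CHILD_SA, "
                             "so no traffic can flow; the peer is not answering the QM request")
        elif sa["children"] == 0:
            verdicts[key] = "IKE_SA established but no CHILD_SA installed"
        else:
            verdicts[key] = f"up: {sa['children']} CHILD_SA(s) installed"
    return verdicts


def tunnel_is_up(text):
    """True only if at least one IKE_SA has an INSTALLED CHILD_SA (not merely 'ESTABLISHED')."""
    return any(v.startswith("up:") for v in diagnose_statusall(text).values())


def unanswered_quick_mode_requests(log):
    """Return {message_id: highest retransmit count} for QUICK_MODE requests being retransmitted."""
    qm_ids, retrans = set(), {}
    for line in log.splitlines():
        m = QM_REQ_RE.search(line)
        if m:
            qm_ids.add(m["mid"])
            continue
        m = RETRANSMIT_RE.search(line)
        if m and m["mid"] in qm_ids:
            retrans[m["mid"]] = max(retrans.get(m["mid"], 0), int(m["n"]))
    return retrans


if __name__ == "__main__":
    for key, verdict in diagnose_statusall(STATUSALL_NO_CHILD).items():
        print(f"{key}: {verdict}")
    print("retransmitted QM requests:", unanswered_quick_mode_requests(CHARON_LOG))
```

Run against live output with `ipsec statusall | python3 -c '...'` style piping, or feed it a saved `charon` log; a non-empty result from `unanswered_quick_mode_requests` together with a "Quick Mode still pending" verdict points at the remote side, which is where the next log to read lives.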