Issue #3578

ipsec connection to FortiClient VPN

Added by Jose Morales about 2 months ago. Updated about 2 months ago.

Status: Feedback
Priority: Normal
Assignee: -
Category: ikev1
Affected version: 5.9.0
Resolution:
Description

Hi, I’m trying to set up an IPsec connection on an EC2 to a FortiClient VPN. It successfully starts and appears to be up, but there is no traffic going through.

Here's some info about the setup.

ipsec.conf
```
config setup
    charondebug = "dmn 1, mgr 1, ike 2, chd 1, job 1, cfg 3, knl 2, net 2, enc 1, lib 1"

conn vpngb
    keyexchange = ikev1
    # trailing "!" makes the proposal lists strict; the modp1536 group in the
    # esp line requests PFS for Quick Mode
    ike = aes128-sha1-modp1536,aes256-sha256-modp1536!
    esp = aes128-sha1-modp1536,aes256-sha256-modp1536!
    # Aggressive Mode: the PSK-derived hash is exchanged before encryption is up
    aggressive = yes

    right = 192.XXX.XXX.XX
    rightauth = psk
    left = %defaultroute
    leftid = myID
    # Phase 1 with PSK, then XAuth (username/password) as the second round
    leftauth = psk
    leftauth2 = xauth
    xauth_identity = myuser
    # no leftsubnet/rightsubnet/leftsourceip: traffic selectors stay host-to-host
    # ("dynamic === dynamic" in ipsec statusall)
    auto = start
```

ipsec start logs
```
11[IKE] XAuth authentication of myuser (myself) successful [70/452]
11[IKE] IKE_SA vpngb8 established between 192.YYY.YYY.YY[myID]...192.XXX.XXX.XX[192.XXX.XXX.XX]
11[IKE] IKE_SA vpngb8 state change: CONNECTING => ESTABLISHED

11[ENC] generating QUICK_MODE request 4001027197 [ HASH SA No KE ID ID ]
11[NET] sending packet: from 192.YYY.YYY.YY[4500] to 192.XXX.XXX.XX[4500] (412 bytes)
04[NET] sending packet: from 192.YYY.YYY.YY[4500] to 192.XXX.XXX.XX[4500]
01[IKE] sending retransmit 1 of request message ID 4001027197, seq 3
01[NET] sending packet: from 192.YYY.YYY.YY[4500] to 192.XXX.XXX.XX[4500] (412 bytes)
04[NET] sending packet: from 192.YYY.YYY.YY[4500] to 192.XXX.XXX.XX[4500]
```

ipsec statusall
```
Connections:
vpngb: %any...192.XXX.XXX.XX IKEv1 Aggressive
vpngb: local: [myID] uses pre-shared key authentication
vpngb: local: [myID] uses XAuth authentication: any with XAuth identity ‘user’
vpngb: remote: [192.XXX.XXX.XX] uses pre-shared key authentication
vpngb: child: dynamic === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
vpngb8: ESTABLISHED 10 seconds ago, 192.168.255.10[myID]...192.XXX.XXX.XX[192.XXX.XXX.XX]
vpngb8: IKEv1 SPIs: 4b2855f8926505d8_i* 86d95856724bc07d_r, pre-shared key+XAuth reauthentication in 2 hours
vpngb8: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
vpngb8: Tasks active: QUICK_MODE
```

I’ve tried routing with `ip ro ad` but it only causes my start process to not receive packets. Any hints to what may be happening here are very appreciated.

History

#1 Updated by Jose Morales about 2 months ago

Reposting with correctly formatted info:

#2 Updated by Tobias Brunner about 2 months ago

  • Category set to ikev1
  • Status changed from New to Feedback

It's not up; there is no Quick Mode SA. Apparently, the peer does not respond to the QM requests. Check the log there (perhaps it is in an error state). Also, please don't use IKEv1 anymore if possible.
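The distinction Tobias draws is easy to miss when reading charon output: `IKE_SA ... established` and the `1 up` count in `ipsec statusall` describe Phase 1 only, and traffic needs a Quick Mode (CHILD_SA) to finish. The checker below, an added example that is neither strongSwan code nor the reporter's, classifies a charon log as UP, IKE_SA_ONLY or DOWN and pairs each `QUICK_MODE request` with its response or retransmits. The regexes assume charon's wording for these messages; the sample log and statusall text are constructed after the ones posted above, with RFC 5737 addresses in place of the masked ones.

```python
"""Classify strongSwan (charon) log output: is the tunnel really up?

Added example, not part of strongSwan or of this issue. Patterns assume
charon's log wording for IKE_SA/CHILD_SA establishment, Quick Mode and
retransmits; sample inputs below are constructed after the issue's logs.
"""
import re
from dataclasses import dataclass, field

IKE_UP = re.compile(r"\[IKE\] IKE_SA (\S+) established between")
CHILD_UP = re.compile(r"\[IKE\] CHILD_SA (\S+) established with SPIs")
QM_REQ = re.compile(r"\[ENC\] generating QUICK_MODE request (\d+)")
QM_RESP = re.compile(r"\[ENC\] parsed QUICK_MODE response (\d+)")
RETRANS = re.compile(r"\[IKE\] sending retransmit (\d+) of request message ID (\d+)")
GIVE_UP = re.compile(r"\[IKE\] giving up after (\d+) retransmits")


@dataclass
class TunnelState:
    ike_sas: set = field(default_factory=set)
    child_sas: set = field(default_factory=set)
    qm_requests: set = field(default_factory=set)
    qm_responses: set = field(default_factory=set)
    retransmits: dict = field(default_factory=dict)  # message ID -> highest retransmit seen
    gave_up: bool = False


def analyse(log_lines):
    """Walk the log once and record Phase 1, Quick Mode and retransmit events."""
    state = TunnelState()
    for line in log_lines:
        if m := IKE_UP.search(line):
            state.ike_sas.add(m.group(1))
        elif m := CHILD_UP.search(line):
            state.child_sas.add(m.group(1))
        elif m := QM_REQ.search(line):
            state.qm_requests.add(m.group(1))
        elif m := QM_RESP.search(line):
            state.qm_responses.add(m.group(1))
        elif m := RETRANS.search(line):
            count, mid = int(m.group(1)), m.group(2)
            state.retransmits[mid] = max(count, state.retransmits.get(mid, 0))
        elif GIVE_UP.search(line):
            state.gave_up = True
    return state


def verdict(state):
    """UP only when a CHILD_SA exists; an IKE_SA alone carries no traffic."""
    if state.child_sas:
        return "UP"
    if state.ike_sas:
        return "IKE_SA_ONLY"
    return "DOWN"


def unanswered_quick_mode(state):
    """Quick Mode message IDs we sent but never saw a response for."""
    return sorted(state.qm_requests - state.qm_responses)


def statusall_has_child_sa(statusall_text):
    """'1 up' in statusall counts IKE_SAs; an installed CHILD_SA shows as INSTALLED."""
    return any("INSTALLED" in line for line in statusall_text.splitlines())


# Constructed after the issue's log: Phase 1 completes, Quick Mode is retransmitted.
STALLED_LOG = """\
11[IKE] XAuth authentication of myuser (myself) successful
11[IKE] IKE_SA vpngb8 established between 192.0.2.10[myID]...198.51.100.1[198.51.100.1]
11[IKE] IKE_SA vpngb8 state change: CONNECTING => ESTABLISHED
11[ENC] generating QUICK_MODE request 4001027197 [ HASH SA No KE ID ID ]
11[NET] sending packet: from 192.0.2.10[4500] to 198.51.100.1[4500] (412 bytes)
01[IKE] sending retransmit 1 of request message ID 4001027197, seq 3
01[NET] sending packet: from 192.0.2.10[4500] to 198.51.100.1[4500] (412 bytes)
01[IKE] sending retransmit 2 of request message ID 4001027197, seq 3
01[NET] sending packet: from 192.0.2.10[4500] to 198.51.100.1[4500] (412 bytes)
""".splitlines()

# Constructed: the same connection when the peer answers Quick Mode.
WORKING_LOG = """\
11[IKE] IKE_SA vpngb1 established between 192.0.2.10[myID]...198.51.100.1[198.51.100.1]
11[ENC] generating QUICK_MODE request 12345678 [ HASH SA No KE ID ID ]
11[ENC] parsed QUICK_MODE response 12345678 [ HASH SA No KE ID ID ]
11[IKE] CHILD_SA vpngb{1} established with SPIs cafe0001_i cafe0002_o and TS 10.0.0.0/24 === 10.1.0.0/24
""".splitlines()

# Constructed statusall excerpt matching the stalled case: "1 up" but no INSTALLED line.
STALLED_STATUS = """\
Security Associations (1 up, 0 connecting):
       vpngb8: ESTABLISHED 10 seconds ago, 192.0.2.10[myID]...198.51.100.1[198.51.100.1]
       vpngb8: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
       vpngb8: Tasks active: QUICK_MODE
"""

if __name__ == "__main__":
    for name, log in (("stalled", STALLED_LOG), ("working", WORKING_LOG)):
        st = analyse(log)
        print(name, verdict(st), "unanswered QM:", unanswered_quick_mode(st), st.retransmits)
    print("statusall shows CHILD_SA:", statusall_has_child_sa(STALLED_STATUS))
```

Run the same checker over the responder's log when you have it: if the peer never logs a parsed Quick Mode request, the packets are not arriving (filtering or NAT-T on UDP 4500); if it logs the request and then an error, the rejection reason is there.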
