Issue #3578: ipsec connection to FortiClient VPN - strongSwan

Issue #3578

ipsec connection to FortiClient VPN

Added by Jose Morales 5 months ago. Updated 5 months ago.

Status:

Feedback

Priority:

Normal

Assignee:

Category:

ikev1

Affected version:

5.9.0

Resolution:

Description

Hi, I’m trying to set up an IPsec connection on an EC2 to a FortiClient VPN. It successfully starts and appears to be up, but there is no traffic going through.

Here's some info about the setup.

ipsec.conf
```
config setup
charondebug = "dmn 1, mgr 1, ike 2, chd 1, job 1, cfg 3, knl 2, net 2, enc 1, lib 1"

conn vpngb
keyexchange = ikev1
ike = aes128-sha1-modp1536,aes256-sha256-modp1536!
esp = aes128-sha1-modp1536,aes256-sha256-modp1536!
aggressive = yes

right = 192.XXX.XXX.XX
  rightauth = psk

left = %defaultroute
  leftid = myID
  leftauth = psk
  leftauth2 = xauth
  xauth_identity = myuser

auto = start
```

ipsec start logs
```
11[IKE] XAuth authentication of myuser (myself) successful [70/452]
11[IKE] IKE_SA vpngb⁸ established between 192.YYY.YYY.YY[myID]...192.XXX.XXX.XX[192.XXX.XXX.XX]
11[IKE] IKE_SA vpngb⁸ state change: CONNECTING => ESTABLISHED

11[ENC] generating QUICK_MODE request 4001027197 [ HASH SA No KE ID ID ]
11[NET] sending packet: from 192.YYY.YYY.YY⁴⁵⁰⁰ to 192.XXX.XXX.XX⁴⁵⁰⁰ (412 bytes)
04[NET] sending packet: from 192.YYY.YYY.YY⁴⁵⁰⁰ to 192.XXX.XXX.XX⁴⁵⁰⁰
01[IKE] sending retransmit 1 of request message ID 4001027197, seq 3
01[NET] sending packet: from 192.YYY.YYY.YY⁴⁵⁰⁰ to 192.XXX.XXX.XX⁴⁵⁰⁰ (412 bytes)
04[NET] sending packet: from 192.YYY.YYY.YY⁴⁵⁰⁰ to 192.XXX.XXX.XX⁴⁵⁰⁰
```

ipsec statusall
```
Connections:
vpngb: %any...192.XXX.XXX.XX IKEv1 Aggressive
vpngb: local: [myID] uses pre-shared key authentication
vpngb: local: [myID] uses XAuth authentication: any with XAuth identity ‘user’
vpngb: remote: [192.XXX.XXX.XX] uses pre-shared key authentication
vpngb: child: dynamic === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
vpngb⁸: ESTABLISHED 10 seconds ago, 192.168.255.10[myID]...192.XXX.XXX.XX[192.XXX.XXX.XX]
vpngb⁸: IKEv1 SPIs: 4b2855f8926505d8_i* 86d95856724bc07d_r, pre-shared key+XAuth reauthentication in 2 hours
vpngb⁸: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
vpngb⁸: Tasks active: QUICK_MODE
```

I’ve tried routing with `ip ro ad` but it only causes my start process to not receive packets. Any hints to what may be happening here are very appreciated.

History

#1 Updated by Jose Morales 5 months ago

Reposting with correctly formatted info:

Hi, I’m trying to set up an IPsec connection on an EC2 to a FortiClient VPN. It successfully starts and appears to be up, but there is no traffic going through.

Here's some info about the setup.

ipsec.conf

config setup
    charondebug = "dmn 1, mgr 1, ike 2, chd 1, job 1, cfg 3, knl 2, net 2, enc 1, lib 1" 
conn vpngb
    keyexchange = ikev1
    ike = aes128-sha1-modp1536,aes256-sha256-modp1536!
    esp = aes128-sha1-modp1536,aes256-sha256-modp1536!
    aggressive = yes
    right = 192.XXX.XXX.XX
    rightauth = psk
    left = %defaultroute
    leftid = myID
    leftauth = psk
    leftauth2 = xauth
    xauth_identity = myuser
    auto = start

ipsec start logs

11[IKE] XAuth authentication of myuser (myself) successful [70/452]
11[IKE] IKE_SA vpngb8 established between 
192.YYY.YYY.YY[myID]...192.XXX.XXX.XX[192.XXX.XXX.XX]
11[IKE] IKE_SA vpngb8 state change: CONNECTING => ESTABLISHED
11[ENC] generating QUICK_MODE request 4001027197 [ HASH SA No KE ID ID ]
11[NET] sending packet: from 192.YYY.YYY.YY4500 to 192.XXX.XXX.XX4500 (412 bytes)
04[NET] sending packet: from 192.YYY.YYY.YY4500 to 192.XXX.XXX.XX4500
01[IKE] sending retransmit 1 of request message ID 4001027197, seq 3
01[NET] sending packet: from 192.YYY.YYY.YY4500 to 192.XXX.XXX.XX4500 (412 bytes)
04[NET] sending packet: from 192.YYY.YYY.YY4500 to 192.XXX.XXX.XX4500

ipsec statusall

Connections:
  vpngb: %any...192.XXX.XXX.XX IKEv1 Aggressive
  vpngb: local: [myID] uses pre-shared key authentication
  vpngb: local: [myID] uses XAuth authentication: any with XAuth identity ‘user’
  vpngb: remote: [192.XXX.XXX.XX] uses pre-shared key authentication
  vpngb: child: dynamic === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
  vpngb8: ESTABLISHED 10 seconds ago, 
  192.168.255.10[myID]...192.XXX.XXX.XX[192.XXX.XXX.XX]
  vpngb8: IKEv1 SPIs: 4b2855f8926505d8_i* 86d95856724bc07d_r, pre-shared key+XAuth 
  reauthentication in 2 hours
  vpngb8: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
  vpngb8: Tasks active: QUICK_MODE

I’ve tried routing with ip ro ad but it only causes my start process to not receive packets. Any hints to what may be happening here are very appreciated.

#2 Updated by Tobias Brunner 5 months ago

Category set to ikev1
Status changed from New to Feedback

It's not up, there is no Quick Mode SA. Apparently, the peer does not respond to the QM requests. Check the log there (perhaps it is in an error state). Also, please don't use IKEv1 anymore if possible.

Also available in: Atom PDF

Project

General

Profile

strongSwan

Issues

Issue #3578

ipsec connection to FortiClient VPN

History

#1 Updated by Jose Morales 5 months ago

#2 Updated by Tobias Brunner 5 months ago