[Swan] Trying to connect using libreswan to a Fortigate IPsec VPN

Dan Stromberg dstromberg at keepersecurity.com
Thu Jul 8 17:42:08 UTC 2021


On Thu, Jul 8, 2021 at 9:55 AM Paul Wouters <paul at nohats.ca> wrote:

> On Thu, 8 Jul 2021, Dan Stromberg wrote:
>
> > I'm trying to connect to a Fortigate server from a Debian 10.10 host.
> > I'm seeing no response from the Fortigate server.
> >
> > Lots of specifics about the situation are at:
> >
> https://superuser.com/questions/1661309/libreswan-fortigate-ipsec-only-no-ssl-gives-60-second-timeout-exceeded-af
>
> No answer to your first packet is almost always a firewall issue.
>
> If you want, feel free to fire it up against vpn.nohats.ca, which has no
> firewall and will always respond to strange IKE messages with an error.
>
> If that shows you the same symptoms, it IS a firewall on or near your end.
>

I've assumed the "it" I'm firing something up against is ike-scan.

I'm getting:
$ ike-scan vpn.nohats.ca
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9.4: 1 hosts scanned in 2.529 seconds (0.40 hosts/sec).
 0 returned handshake; 0 returned notify

Could someone not firewalled please run "ike-scan vpn.nohats.ca" and send
output to the list, for the sake of comparison?

On Debian 10 (and presumably derived distributions like Ubuntu), you can
install ike-scan with:
apt install ike-scan
...or you can get it from https://github.com/royhills/ike-scan

You'll probably have to shut down *swan first, if you have it running on
the system in question.

Thanks!

PS: I'm not sure if I'm happy or daunted by the possibility of this being
because of a firewall, as I haven't set one up and fear it may be out of my
control.


More information about the Swan mailing list