[Swan] Trying to connect using libreswan to a Fortigate IPsec VPN
Paul Wouters
paul at nohats.ca
Thu Jul 8 18:04:18 UTC 2021
On Thu, 8 Jul 2021, Dan Stromberg wrote:
> $ ike-scan vpn.nohats.ca
> Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
>
> Ending ike-scan 1.9.4: 1 hosts scanned in 2.529 seconds (0.40 hosts/sec). 0 returned handshake; 0 returned notify
>
> Could someone not firewalled please run "ike-scan vpn.nohats.ca" and send output to the list, for the sake of comparison?
paul at bofh:~$ sudo ike-scan vpn.nohats.ca
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
Ending ike-scan 1.9.4: 1 hosts scanned in 2.616 seconds (0.38 hosts/sec). 0 returned handshake; 0 returned notify
I guess we increased our security :)
Jul 8 13:58:50.834070: packet from 193.110.157.194:500: initial Main Mode message received but no connection has been authorized with policy PSK
I added a bogus IKEv1 connection to it. So now scanning it shows:
paul at bofh:~$ sudo ike-scan vpn.nohats.ca
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
193.110.157.148 Notify message 14 (NO-PROPOSAL-CHOSEN) HDR=(CKY-R=d87781dc8be5eff1)
Ending ike-scan 1.9.4: 1 hosts scanned in 0.274 seconds (3.65 hosts/sec). 0 returned handshake; 1 returned notify
Note the "1 returned notify".
> PS: I'm not sure if I'm happy or daunted by the possibility of this being because of a firewall, as I haven't set one up and fear it may be out of my
> control.
If you have firewalld running, you might just want to either remove it
or run:
sudo firewall-cmd --zone=trusted --add-port=500/udp --permanent
sudo firewall-cmd --zone=trusted --add-port=4500/udp --permanent
sudo firewall-cmd --zone=trusted --add-protocol=50 --permanent
sudo systemctl restart firewalld
Paul
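As an added illustration of what the two ike-scan runs above mean (this is example code written for this page, not libreswan or ike-scan code): the probe ike-scan sends is the first IKEv1 Main Mode message, an ISAKMP header followed by an SA payload listing transforms; "0 returned notify" means nothing came back at all, which to the scanner looks the same whether the responder has no IKEv1 connection loaded (the "no connection has been authorized with policy PSK" log line) or a firewall dropped UDP/500. Once Paul added an IKEv1 connection, the responder answered with a Notify of type 14, NO-PROPOSAL-CHOSEN, and ike-scan printed it together with the responder cookie. The code below builds such a probe, decodes a reply with bounds checks, and summarises it in ike-scan's format. The transform set is arbitrary, and the sample reply is constructed here rather than captured: its exact layout (Informational exchange, SPI size 0) is an assumption, and it merely reuses the CKY-R value printed in the thread as sample data.

```python
"""IKEv1 Main Mode probe builder and reply decoder (ISAKMP, RFC 2408 / RFC 2409).

Added example, not libreswan or ike-scan code: builds the first Main Mode message
(HDR + SA payload), parses the reply, and tells a real handshake apart from a bare
Notify such as NO-PROPOSAL-CHOSEN (14). Nothing here touches the network.
"""
import struct

# HDR: initiator cookie, responder cookie, next payload, version, exchange type, flags, message ID, length
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
GENERIC_HDR = struct.Struct("!BBH")  # next payload, reserved, payload length

PAYLOAD_NONE, PAYLOAD_SA, PAYLOAD_TRANSFORM, PAYLOAD_NOTIFY = 0, 1, 3, 11
EXCH_IDENTITY_PROTECTION, EXCH_INFORMATIONAL = 2, 5  # Main Mode, Informational
IKE_VERSION_1, FLAG_ENCRYPTION = 0x10, 0x01
DOI_IPSEC = SIT_IDENTITY_ONLY = PROTO_ISAKMP = KEY_IKE = 1
# IKE SA attribute classes and values (RFC 2409 appendix A)
ATTR_ENCR, ATTR_HASH, ATTR_AUTH, ATTR_GROUP, ATTR_KEYLEN = 1, 2, 3, 4, 14
ENCR_3DES, ENCR_AES, HASH_SHA1, AUTH_PSK, GROUP_MODP1024, GROUP_MODP2048 = 5, 7, 2, 1, 2, 14
NOTIFY_NAMES = {1: "INVALID-PAYLOAD-TYPE", 14: "NO-PROPOSAL-CHOSEN", 24: "AUTHENTICATION-FAILED"}
# (encryption, hash, authentication method, DH group, key length or None): an arbitrary probe set
DEFAULT_TRANSFORMS = [(ENCR_AES, HASH_SHA1, AUTH_PSK, GROUP_MODP2048, 256),
                      (ENCR_AES, HASH_SHA1, AUTH_PSK, GROUP_MODP1024, 128),
                      (ENCR_3DES, HASH_SHA1, AUTH_PSK, GROUP_MODP1024, None)]


def _payload(next_type, body):
    return GENERIC_HDR.pack(next_type, 0, GENERIC_HDR.size + len(body)) + body


def _tv(attr_class, value):
    return struct.pack("!HH", 0x8000 | attr_class, value)  # high bit set = basic (TV) attribute


def build_sa_payload(transforms=DEFAULT_TRANSFORMS):
    """SA payload (DOI IPsec, SIT_IDENTITY_ONLY) with one ISAKMP proposal carrying the transforms."""
    encoded = []
    for i, (encr, hsh, auth, group, keylen) in enumerate(transforms):
        attrs = _tv(ATTR_ENCR, encr) + _tv(ATTR_HASH, hsh) + _tv(ATTR_AUTH, auth) + _tv(ATTR_GROUP, group)
        if keylen:
            attrs += _tv(ATTR_KEYLEN, keylen)
        nxt = PAYLOAD_NONE if i == len(transforms) - 1 else PAYLOAD_TRANSFORM
        encoded.append(_payload(nxt, struct.pack("!BBH", i + 1, KEY_IKE, 0) + attrs))  # #, KEY_IKE, reserved
    # proposal #, protocol ID, SPI size (0 for ISAKMP), number of transforms
    proposal = _payload(PAYLOAD_NONE, struct.pack("!BBBB", 1, PROTO_ISAKMP, 0, len(transforms)) + b"".join(encoded))
    return _payload(PAYLOAD_NONE, struct.pack("!II", DOI_IPSEC, SIT_IDENTITY_ONLY) + proposal)


def build_main_mode_probe(icookie, transforms=DEFAULT_TRANSFORMS):
    """First Main Mode message: zero responder cookie, message ID 0, SA payload only."""
    sa = build_sa_payload(transforms)
    return ISAKMP_HDR.pack(icookie, bytes(8), PAYLOAD_SA, IKE_VERSION_1, EXCH_IDENTITY_PROTECTION,
                           0, 0, ISAKMP_HDR.size + len(sa)) + sa


def parse_isakmp(data):
    """Header fields plus [(payload type, body)], with bounds checks; encrypted payloads are not walked."""
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("truncated ISAKMP header")
    cky_i, cky_r, nxt, version, exchange, flags, _msg_id, length = ISAKMP_HDR.unpack_from(data)
    if length != len(data) or version >> 4 != 1:
        raise ValueError("length mismatch or not IKEv1")
    payloads, off = [], ISAKMP_HDR.size
    while nxt != PAYLOAD_NONE and not flags & FLAG_ENCRYPTION:
        if off + GENERIC_HDR.size > len(data):
            raise ValueError("truncated payload header")
        pnext, _, plen = GENERIC_HDR.unpack_from(data, off)
        if plen < GENERIC_HDR.size or off + plen > len(data):
            raise ValueError("payload length out of range")
        payloads.append((nxt, data[off + GENERIC_HDR.size:off + plen]))
        nxt, off = pnext, off + plen
    return {"cky_i": cky_i, "cky_r": cky_r, "exchange": exchange, "payloads": payloads}


def parse_notify(body):
    """Notify body: DOI, protocol ID, SPI size, notify type, then SPI and notification data."""
    _doi, _proto, spi_size, ntype = struct.unpack_from("!IBBH", body)
    return ntype, body[8:8 + spi_size], body[8 + spi_size:]


def classify_reply(icookie, data):
    """One-line verdict in ike-scan's style: handshake, notify, or unrecognised."""
    msg = parse_isakmp(data)
    if msg["cky_i"] != icookie:
        raise ValueError("reply does not echo our initiator cookie")
    hdr = f"HDR=(CKY-R={msg['cky_r'].hex()})"
    if msg["exchange"] == EXCH_IDENTITY_PROTECTION and any(t == PAYLOAD_SA for t, _ in msg["payloads"]):
        return "Main Mode Handshake returned " + hdr
    for ptype, body in msg["payloads"]:
        if ptype == PAYLOAD_NOTIFY:
            n = parse_notify(body)[0]
            return f"Notify message {n} ({NOTIFY_NAMES.get(n, 'UNKNOWN')}) {hdr}"
    return f"Unrecognised reply (exchange type {msg['exchange']}) {hdr}"


def constructed_no_proposal_chosen(probe):
    """Constructed sample reply (not a capture): Informational exchange, Notify 14, CKY-R copied from the thread."""
    notify = _payload(PAYLOAD_NONE, struct.pack("!IBBH", DOI_IPSEC, PROTO_ISAKMP, 0, 14))
    return ISAKMP_HDR.pack(probe[:8], bytes.fromhex("d87781dc8be5eff1"), PAYLOAD_NOTIFY, IKE_VERSION_1,
                           EXCH_INFORMATIONAL, 0, 0, ISAKMP_HDR.size + len(notify)) + notify
```

To run it against a real responder, send build_main_mode_probe(os.urandom(8)) over a UDP socket to port 500 with a timeout and feed whatever comes back to classify_reply with the same cookie; a timeout is the "0 returned notify" case and, as Dan's question points out, cannot be told apart from a firewall drop by the probe alone. The server-side log line quoted above is what disambiguates it.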