[Swan] Trying to connect using libreswan to a Fortigate IPsec VPN

Paul Wouters paul at nohats.ca
Thu Jul 8 18:04:18 UTC 2021


On Thu, 8 Jul 2021, Dan Stromberg wrote:

> $ ike-scan vpn.nohats.ca
> Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
> 
> Ending ike-scan 1.9.4: 1 hosts scanned in 2.529 seconds (0.40 hosts/sec).  0 returned handshake; 0 returned notify
> 
> Could someone not firewalled please run "ike-scan vpn.nohats.ca" and send output to the list, for the sake of comparison?

paul at bofh:~$ sudo ike-scan vpn.nohats.ca
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9.4: 1 hosts scanned in 2.616 seconds (0.38 hosts/sec).  0 returned handshake; 0 returned notify

I guess we increased our security :)

Jul  8 13:58:50.834070: packet from 193.110.157.194:500: initial Main Mode message received but no connection has been authorized with policy PSK


I added a bogus IKEv1 connection to it. So now scanning it shows:

paul at bofh:~$ sudo ike-scan vpn.nohats.ca
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
193.110.157.148	Notify message 14 (NO-PROPOSAL-CHOSEN) HDR=(CKY-R=d87781dc8be5eff1)

Ending ike-scan 1.9.4: 1 hosts scanned in 0.274 seconds (3.65 hosts/sec).  0 returned handshake; 1 returned notify

Note the "1 returned notify".

> PS: I'm not sure if I'm happy or daunted by the possibility of this being because of a firewall, as I haven't set one up and fear it may be out of my
> control.

If you have firewalld running, you might just want to either remove it,
or run:

sudo firewall-cmd --zone=trusted --add-port=500/udp --permanent
sudo firewall-cmd --zone=trusted --add-port=4500/udp --permanent
sudo firewall-cmd --zone=trusted --add-protocol=50 --permanent
sudo systemctl restart firewalld

Paul
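An added example, not part of the thread, that turns the comparison above into a small check: it parses the "Ending ike-scan" summary line to see whether the responder answered at all, and if it did not, looks for the pluto log message quoted above to separate "the probe reached libreswan but no IKEv1 connection was loaded" from "nothing arrived, so look at the host firewall". The ike-scan output and log lines are constructed samples modelled on the ones in the thread, using documentation addresses.

```shell
#!/bin/sh
# Constructed ike-scan output: no reply at all (as in the first run above).
IKESCAN_SILENT='Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9.4: 1 hosts scanned in 2.616 seconds (0.38 hosts/sec).  0 returned handshake; 0 returned notify'

# Constructed ike-scan output: responder answered with a Notify.
IKESCAN_NOTIFY='Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.0.2.10    Notify message 14 (NO-PROPOSAL-CHOSEN) HDR=(CKY-R=0000000000000000)

Ending ike-scan 1.9.4: 1 hosts scanned in 0.274 seconds (3.65 hosts/sec).  0 returned handshake; 1 returned notify'

# Constructed pluto log excerpts: one where the probe arrived but matched no
# connection (the message quoted above), one where pluto saw nothing.
PLUTO_LOG_UNAUTHORIZED='Jul  8 13:58:50.834070: packet from 192.0.2.20:500: initial Main Mode message received but no connection has been authorized with policy PSK'
PLUTO_LOG_QUIET='Jul  8 13:58:50.000000: listening for IKE messages'

# ikescan_state OUTPUT -> prints "handshake", "notify" or "silent",
# taken from the counters on the "Ending ike-scan" summary line.
ikescan_state() {
    summary=$(printf '%s\n' "$1" | grep '^Ending ike-scan')
    handshakes=$(printf '%s' "$summary" | sed -n 's/.* \([0-9][0-9]*\) returned handshake.*/\1/p')
    notifies=$(printf '%s' "$summary" | sed -n 's/.* \([0-9][0-9]*\) returned notify.*/\1/p')
    if [ "${handshakes:-0}" -gt 0 ]; then echo handshake
    elif [ "${notifies:-0}" -gt 0 ]; then echo notify
    else echo silent; fi
}

# diagnose IKESCAN_OUTPUT PLUTO_LOG -> one-line verdict
diagnose() {
    state=$(ikescan_state "$1")
    if [ "$state" != silent ]; then
        echo "responder reachable: ike-scan got a $state"
    elif printf '%s\n' "$2" | grep -q 'initial Main Mode message received but no connection has been authorized'; then
        echo "probe reached pluto: no IKEv1 PSK connection is loaded, not a firewall problem"
    else
        echo "no reply and pluto saw nothing: check the host firewall for UDP 500/4500 and ESP"
    fi
}

diagnose "$IKESCAN_SILENT" "$PLUTO_LOG_UNAUTHORIZED"
diagnose "$IKESCAN_SILENT" "$PLUTO_LOG_QUIET"
diagnose "$IKESCAN_NOTIFY" "$PLUTO_LOG_QUIET"
```

On a real host, feed it the output of "sudo ike-scan <gateway>" run from outside and the matching lines from "journalctl -u ipsec" on the gateway.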

